The --extra-small baseline omits unixsocketidentity, but without it the
localapi cannot verify a request came over the trusted unix socket, so
PermitRead/PermitWrite are always false and every CLI call (status, up,
set, ...) returns 'access denied' (tailscale/tailscale#17873). Add it to
the opt-in allowlist. Negligible size cost (~3.55 MB unchanged); the CLI
is non-functional without it.
README shrinks to a repo intro with pointers. Separate the three
audiences:
- docs/USAGE.md deploy the prebuilt image on RouterOS + operate it
- docs/DEVELOPMENT.md build, local test, version bump, cut releases
- docs/DESIGN.md size optimizations, feature allowlist, why the
updater and netmap disk-cache are removed, flash-wear
protection, versioning/release architecture, the
overlayfs layer-duplication gotcha, dependency pinning
Lumpiasty
