From 991d33e59a2a5b675d2ba4b5d6ecbb4f6060110e Mon Sep 17 00:00:00 2001
From: Stephen Waits <steve@waits.net>
Date: Mon, 11 May 2026 17:27:57 -0600
Subject: [PATCH] fix(acl): persist guest last_timestamp across reboot

---
 src/helpers/ClientACL.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/helpers/ClientACL.cpp b/src/helpers/ClientACL.cpp
index 1282382737..db2400b234 100644
--- a/src/helpers/ClientACL.cpp
+++ b/src/helpers/ClientACL.cpp
@@ -61,7 +61,11 @@ void ClientACL::save(FILESYSTEM* fs, bool (*filter)(ClientInfo*)) {
 
     for (int i = 0; i < num_clients; i++) {
       auto c = &clients[i];
-      if (c->permissions == 0 || (filter && !filter(c))) continue;    // skip deleted entries, or by filter function
+      // Persist guest entries (permissions == 0) so their last_timestamp survives
+      // reboot — otherwise a captured guest packet can be replayed once after
+      // power cycle. The explicit-delete path in applyPermissions() removes the
+      // slot entirely, so any permissions==0 entry here is a real (guest) client.
+      if (filter && !filter(c)) continue;
 
       bool success = (file.write(c->id.pub_key, 32) == 32);
       success = success && (file.write((uint8_t *) &c->permissions, 1) == 1);