v1.9.0 (#437)

* fix: Resolve database encryption atomicity issues and enhance debugging (#430)

* fix: Resolve database encryption atomicity issues and enhance debugging

This commit addresses critical data corruption issues caused by non-atomic
file writes during database encryption, and adds comprehensive diagnostic
logging to help debug encryption-related failures.

**Problem:**
Users reported "Unsupported state or unable to authenticate data" errors
when starting the application after system crashes or Docker container
restarts. The root cause was non-atomic writes of encrypted database files:

1. Encrypted data file written (step 1)
2. Metadata file written (step 2)
→ If process crashes between steps 1 and 2, files become inconsistent
→ New IV/tag in data file, old IV/tag in metadata
→ GCM authentication fails on next startup
→ User data permanently inaccessible

**Solution - Atomic Writes:**

1. Write-to-temp + atomic-rename pattern:
   - Write to temporary files (*.tmp-timestamp-pid)
   - Perform atomic rename operations
   - Clean up temp files on failure

2. Data integrity validation:
   - Add dataSize field to metadata
   - Verify file size before decryption
   - Early detection of corrupted writes

3. Enhanced error diagnostics:
   - Key fingerprints (SHA256 prefix) for verification
   - File modification timestamps
   - Detailed GCM auth failure messages
   - Automatic diagnostic info generation

**Changes:**

database-file-encryption.ts:
- Implement atomic write pattern in encryptDatabaseFromBuffer
- Implement atomic write pattern in encryptDatabaseFile
- Add dataSize field to EncryptedFileMetadata interface
- Validate file size before decryption in decryptDatabaseToBuffer
- Enhanced error messages for GCM auth failures
- Add getDiagnosticInfo() function for comprehensive debugging
- Add debug logging for all encryption/decryption operations

system-crypto.ts:
- Add detailed logging for DATABASE_KEY initialization
- Log key source (env var vs .env file)
- Add key fingerprints to all log messages
- Better error messages when key loading fails

db/index.ts:
- Automatically generate diagnostic info on decryption failure
- Log detailed debugging information to help users troubleshoot

**Debugging Info Added:**

- Key initialization: source, fingerprint, length, path
- Encryption: original size, encrypted size, IV/tag prefixes, temp paths
- Decryption: file timestamps, metadata content, key fingerprint matching
- Auth failures: .env file status, key availability, file consistency
- File diagnostics: existence, readability, size validation, mtime comparison

**Backward Compatibility:**
- dataSize field is optional (metadata.dataSize?: number)
- Old encrypted files without dataSize continue to work
- No migration required

**Testing:**
- Compiled successfully
- No breaking changes to existing APIs
- Graceful handling of legacy v1 encrypted files

Fixes data loss issues reported by users experiencing container restarts
and system crashes during database saves.

* fix: Cleanup PR

* Update src/backend/utils/database-file-encryption.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update src/backend/utils/database-file-encryption.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update src/backend/utils/database-file-encryption.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update src/backend/utils/database-file-encryption.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update src/backend/utils/database-file-encryption.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: LukeGus <bugattiguy527@gmail.com>
Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: Merge metadata and DB into 1 file

* fix: Add initial command palette

* Feature/german language support (#431)

* Update translation.json

Fixed some translation issues for German, made it more user friendly and common.

* Update translation.json

added updated block for serverStats

* Update translation.json

Added translations

* Update translation.json

Removed duplicate of "free":"Free"

* feat: Finalize command palette

* fix: Several bug fixes for terminals, server stats, and general feature improvements

* feat: Enhanced security, UI improvements, and animations (#432)

* fix: Remove empty catch blocks and add error logging

* refactor: Modularize server stats widget collectors

* feat: Add i18n support for terminal customization and login stats

- Add comprehensive terminal customization translations (60+ keys) for appearance, behavior, and advanced settings across all 4 languages
- Add SSH login statistics translations
- Update HostManagerEditor to use i18n for all terminal customization UI elements
- Update LoginStatsWidget to use i18n for all UI text
- Add missing logger imports in backend files for improved debugging

* feat: Add keyboard shortcut enhancements with Kbd component

- Add shadcn kbd component for displaying keyboard shortcuts
- Enhance file manager context menu to display shortcuts with Kbd component
- Add 5 new keyboard shortcuts to file manager:
  - Ctrl+D: Download selected files
  - Ctrl+N: Create new file
  - Ctrl+Shift+N: Create new folder
  - Ctrl+U: Upload files
  - Enter: Open/run selected file
- Add keyboard shortcut hints to command palette footer
- Create helper function to parse and render keyboard shortcuts

* feat: Add i18n support for command palette

- Add commandPalette translation section with 22 keys to all 4 languages
- Update CommandPalette component to use i18n for all UI text
- Translate search placeholder, group headings, menu items, and shortcut hints
- Support multilingual command palette interface

* feat: Add smooth transitions and animations to UI

- Add fade-in/fade-out transition to command palette (200ms)
- Add scale animation to command palette on open/close
- Add smooth popup animation to context menu (150ms)
- Add visual feedback for file selection with ring effect
- Add hover scale effect to file grid items
- Add transition-all to list view items for consistent behavior
- Zero JavaScript overhead, pure CSS transitions
- All animations under 200ms for instant feel

* feat: Add button active state and dashboard card animations

- Add active:scale-95 to all buttons for tactile click feedback
- Add hover border effect to dashboard cards (150ms transition)
- Add pulse animation to dashboard loading states
- Pure CSS transitions with zero JavaScript overhead
- Improves enterprise-level feel of UI

* feat: Add smooth macOS-style page transitions

- Add fullscreen crossfade transition for login/logout (300ms fade-out + 400ms fade-in)
- Add slide-in-from-right animation for all page switches (Dashboard, Terminal, SSH Manager, Admin, Profile)
- Fix TypeScript compilation by adding esModuleInterop to tsconfig.node.json
- Pass handleLogout from DesktopApp to LeftSidebar for consistent transition behavior

All page transitions now use Tailwind animate-in utilities with 300ms duration for smooth, native-feeling UX

* fix: Add key prop to force animation re-trigger on tab switch

Each page container now has key={currentTab} to ensure React unmounts and remounts the element on every tab switch, properly triggering the slide-in animation

* revert: Remove page transition animations

Page switching animations were not noticeable enough and felt unnecessary.
Keep only the login/logout fullscreen crossfade transitions which provide clear visual feedback for authentication state changes

* feat: Add ripple effect to login/logout transitions

Add three-layer expanding ripple animation during fadeOut phase:
- Ripples expand from screen center using primary theme color
- Each layer has staggered delay (0ms, 150ms, 300ms) for wave effect
- Ripples fade out as they expand to create elegant visual feedback
- Uses pure CSS keyframe animation, no external libraries

Total animation: 800ms ripple + 300ms screen fade

* feat: Add smooth TERMIX logo animation to transitions

Changes:
- Extend transition duration from 300ms/400ms to 800ms/600ms for more elegant feel
- Reduce ripple intensity from /20,/15,/10 to /8,/5 for subtlety
- Slow down ripple animation from 0.8s to 2s with cubic-bezier easing
- Add centered TERMIX logo with monospace font and subtitle
- Logo fades in from 80% scale, holds, then fades out at 110% scale
- Total effect: 1.2s logo animation synced with 2s ripple waves

Creates a premium, branded transition experience

* feat: Enhance transition animation with premium details

Timing adjustments:
- Extend fadeOut from 800ms to 1200ms
- Extend fadeIn from 600ms to 800ms
- Slow background fade to 700ms for elegance

Visual enhancements:
- Add 4-layer ripple waves (10%, 7%, 5%, 3% opacity) with staggered delays
- Ripple animation extended to 2.5s with refined opacity curve
- Logo blur effect: starts at 8px, sharpens to 0px, exits at 4px
- Logo glow effect: triple-layer text-shadow using primary theme color
- Increase logo size from text-6xl to text-7xl
- Subtitle delayed fade-in from bottom with smooth slide animation

Creates a cinematic, polished brand experience

* feat: Redesign login page with split-screen cinematic layout

Major redesign of authentication page:

Left Side (40% width):
- Full-height gradient background using primary theme color
- Large TERMIX logo with glow effect
- Subtitle and tagline
- Infinite animated ripple waves (3 layers)
- Hidden on mobile, shows brand identity

Right Side (60% width):
- Centered glassmorphism card with backdrop blur
- Refined tab switcher with pill-style active state
- Enlarged title with gradient text effect
- Added welcome subtitles for better UX
- Card slides in from bottom on load
- All existing functionality preserved

Visual enhancements:
- Tab navigation: segmented control style in muted container
- Active tab: white background with subtle shadow
- Smooth 200ms transitions on all interactions
- Card: rounded-2xl, shadow-xl, semi-transparent border

Creates premium, modern login experience matching transition animations

* feat: Update login page theme colors and add i18n support

- Changed login page gradient from blue to match dark theme colors
- Updated ripple effects to use theme primary color
- Added i18n translation keys for login page (auth.tagline, auth.description, auth.welcomeBack, auth.createAccount, auth.continueExternal)
- Updated all language files (en, zh, de, ru, pt-BR) with new translations
- Fixed TypeScript compilation issues by clearing build cache

* refactor: Use shadcn Tabs component and fix modal styling

- Replace custom tab navigation with shadcn Tabs component
- Restore border-2 border-dark-border for modal consistency
- Remove circular icon from login success message
- Simplify authentication success display

* refactor: Remove ripple effects and gradient from login page

- Remove animated ripple background effects
- Remove gradient background, use solid color (bg-dark-bg-darker)
- Remove text-shadow glow effect from logo
- Simplify brand showcase to clean, minimal design

* feat: Add decorative slash and remove subtitle from login page

- Add decorative slash divider with gradient lines below TERMIX logo
- Remove subtitle text (welcomeBack and createAccount)
- Simplify page title to show only the main heading

* feat: Add diagonal line pattern background to login page

- Replace decorative slash with subtle diagonal line pattern background
- Use repeating-linear-gradient at 45deg angle
- Set very low opacity (0.03) for subtle effect
- Pattern uses theme primary color

* fix: Display diagonal line pattern on login background

- Combine background color and pattern in single style attribute
- Use white semi-transparent lines (rgba 0.03 opacity)
- 45deg angle, 35px spacing, 2px width
- Remove separate overlay div to ensure pattern visibility

* security: Fix user enumeration vulnerability in login

- Unify error messages for invalid username and incorrect password
- Both return 401 status with 'Invalid username or password'
- Prevent attackers from enumerating valid usernames
- Maintain detailed logging for debugging purposes
- Changed from 404 'User not found' to generic auth failure message

* security: Add login rate limiting to prevent brute force attacks

- Implement LoginRateLimiter with IP and username-based tracking
- Block after 5 failed attempts within 15 minutes
- Lock account/IP for 15 minutes after threshold
- Automatic cleanup of expired entries every 5 minutes
- Track remaining attempts in logs for monitoring
- Return 429 status with remaining time on rate limit
- Reset counters on successful login
- Dual protection: both IP-based and username-based limits

* French translation (#434)

* Adding French Language

* Enhancements

* feat: Replace the old ssh tools system with a new dedicated sidebar

* fix: Merge zac/luke

* fix: Finalize new sidebar, improve and loading animations

* Added ability to close non-primary tabs involved in a split view (#435)

* fix: General bug fixes/small feature improvements

* feat: General UI improvements and translation updates

* fix: Command history and file manager styling issues

* feat: General bug fixes, added server stat commands, improved split screen, link accounts, etc

* fix: add Accept header for OIDC callback request (#436)

* Delete DOWNLOADS.md

* fix: add Accept header for OIDC callback request

---------

Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>

* fix: More bug fixes and QOL fixes

* fix: Server stats not respecting interval and fixed SSH toool type issues

* fix: Remove github links

* fix: Delete account spacing

* fix: Increment version

* fix: Unable to delete hosts and add nginx for terminal

* fix: Unable to delete hosts

* fix: Unable to delete hosts

* fix: Unable to delete hosts

* fix: OIDC/local account linking breaking both logins

* chore: File cleanup

* feat: Max terminal tab size and save current file manager sorting type

* fix: Terminal display issue, migrate host editor to use combobox

* feat: Add snippet folder/customization system

* fix: Fix OIDC linking and prep release

* fix: Increment version

---------

Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Max <herzmaximilian@gmail.com>
Co-authored-by: SlimGary <trash.slim@gmail.com>
Co-authored-by: jarrah31 <jarrah31@gmail.com>
Co-authored-by: Kf637 <mail@kf637.tech>

.commitlintrc.json

@@ -0,0 +1,21 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "type-enum": [
+      2,
+      "always",
+      [
+        "feat",
+        "fix",
+        "docs",
+        "style",
+        "refactor",
+        "perf",
+        "test",
+        "chore",
+        "revert"
+      ]
+    ],
+    "subject-case": [0]
+  }
+}

.dockerignore

@@ -1,29 +1,24 @@
-# Dependencies
 node_modules
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 
-# Build outputs
 dist
 build
 .next
 .nuxt
 
-# Development files
 .env.local
 .env.development.local
 .env.test.local
 .env.production.local
 
-# IDE and editor files
 .vscode
 .idea
 *.swp
 *.swo
 *~
 
-# OS generated files
 .DS_Store
 .DS_Store?
 ._*
@@ -32,98 +27,67 @@ build
 ehthumbs.db
 Thumbs.db
 
-# Git
 .git
 .gitignore
 
-# Documentation
 README.md
 README-CN.md
 CONTRIBUTING.md
 LICENSE
 
-# Docker files (avoid copying docker files into docker)
-# docker/ - commented out to allow entrypoint.sh to be copied
-
-# Repository images
 repo-images/
 
-# Uploads directory
 uploads/
 
-# Electron files (not needed for Docker)
 electron/
 electron-builder.json
 
-# Development and build artifacts
 *.log
 *.tmp
 *.temp
 
-# Font files (we'll optimize these in Dockerfile)
-# public/fonts/*.ttf
-
-# Logs
 logs
 *.log
 
-# Runtime data
 pids
 *.pid
 *.seed
 *.pid.lock
 
-# Coverage directory used by tools like istanbul
 coverage
 
-# nyc test coverage
 .nyc_output
 
-# Dependency directories
 jspm_packages/
 
-# Optional npm cache directory
 .npm
 
-# Optional eslint cache
 .eslintcache
 
-# Microbundle cache
 .rpt2_cache/
 .rts2_cache_cjs/
 .rts2_cache_es/
 .rts2_cache_umd/
 
-# Optional REPL history
 .node_repl_history
 
-# Output of 'npm pack'
 *.tgz
 
-# Yarn Integrity file
 .yarn-integrity
 
-# parcel-bundler cache (https://parceljs.org/)
 .cache
 .parcel-cache
 
-# next.js build output
 .next
 
-# nuxt.js build output
 .nuxt
 
-# vuepress build output
 .vuepress/dist
 
-# Serverless directories
 .serverless
 
-# FuseBox cache
 .fusebox/
 
-# DynamoDB Local files
 .dynamodb/
 
-# TernJS port file
-.tern-port
+.tern-port

.editorconfig

@@ -0,0 +1,14 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{js,jsx,ts,tsx,json,css,scss,md,yml,yaml}]
+indent_style = space
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false

.gitattributes

@@ -0,0 +1,31 @@
+* text=auto eol=lf
+
+*.js text eol=lf
+*.jsx text eol=lf
+*.ts text eol=lf
+*.tsx text eol=lf
+*.json text eol=lf
+*.css text eol=lf
+*.scss text eol=lf
+*.html text eol=lf
+*.md text eol=lf
+*.yaml text eol=lf
+*.yml text eol=lf
+
+*.sh text eol=lf
+*.bash text eol=lf
+
+*.bat text eol=crlf
+*.cmd text eol=crlf
+*.ps1 text eol=crlf
+
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.svg binary
+*.woff binary
+*.woff2 binary
+*.ttf binary
+*.eot binary

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,82 +0,0 @@
-name: Bug report
-description: Create a report to help Termix improve
-title: "[BUG]"
-labels: [bug]
-assignees: []
-body:
-  - type: input
-    id: title
-    attributes:
-      label: Title
-      description: Brief, descriptive title for the bug
-      placeholder: "Brief description of the bug"
-    validations:
-      required: true
-  - type: dropdown
-    id: platform
-    attributes:
-      label: Platform
-      description: How are you using Termix?
-      options:
-        - Website - Firefox
-        - Website - Safari
-        - Website - Chrome
-        - Website - Other Browser
-        - App - Windows
-        - App - Linux
-        - App - iOS
-        - App - Android
-    validations:
-      required: true
-  - type: dropdown
-    id: server-installation-method
-    attributes:
-      label: Server Installation Method
-      description: How is the Termix server installed?
-      options:
-        - Docker
-        - Manual Build
-    validations:
-      required: true
-  - type: input
-    id: version
-    attributes:
-      label: Version
-      description: Find your version in the User Profile tab
-      placeholder: "e.g., 1.7.0"
-    validations:
-      required: true
-  - type: checkboxes
-    id: troubleshooting
-    attributes:
-      label: Troubleshooting
-      description: Please check all that apply
-      options:
-        - label: I have examined logs and tried to find the issue
-        - label: I have reviewed opened and closed issues
-        - label: I have tried restarting the application
-  - type: textarea
-    id: problem-description
-    attributes:
-      label: The Problem
-      description: Describe the bug in detail. Include as much information as possible with screenshots if applicable.
-      placeholder: "Describe what went wrong..."
-    validations:
-      required: true
-  - type: textarea
-    id: reproduction-steps
-    attributes:
-      label: How to Reproduce
-      description: Use as few steps as possible to reproduce the issue
-      placeholder: |
-        1. 
-        2. 
-        3.
-    validations:
-      required: true
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional Context
-      description: Any other context about the problem
-      placeholder: "Add any other context about the problem here..."

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Support Center
+    url: https://github.com/Termix-SSH/Support/issues
+    about: Report any feature requests or bugs in the support center
+  - name: Discord
+    url: https://discord.gg/jVQGdvHDrf
+    about: Official Termix Discord server for general discussion and quick support

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,36 +0,0 @@
-name: Feature request
-description: Suggest an idea for Termix
-title: "[FEATURE]"
-labels: [enhancement]
-assignees: []
-body:
-  - type: input
-    id: title
-    attributes:
-      label: Title
-      description: Brief, descriptive title for the feature request
-      placeholder: "Brief description of the feature"
-    validations:
-      required: true
-  - type: textarea
-    id: related-issue
-    attributes:
-      label: Is it related to an issue?
-      description: Describe the problem this feature would solve
-      placeholder: "Describe what problem this feature would solve..."
-    validations:
-      required: true
-  - type: textarea
-    id: solution
-    attributes:
-      label: The Solution
-      description: Describe your proposed solution in detail
-      placeholder: "Describe how you envision this feature working..."
-    validations:
-      required: true
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional Context
-      description: Any other context or screenshots about the feature request
-      placeholder: "Add any other context about the feature request here..."

.github/pull_request_template.md

@@ -28,4 +28,4 @@ _(Optional: add before/after screenshots, GIFs, or console output)_
 
 - [ ] Code follows project style guidelines
 - [ ] Supports mobile and desktop UI/app (if applicable)
-- [ ] I have read [Contributing.md](https://github.com/LukeGus/Termix/blob/main/CONTRIBUTING.md)
+- [ ] I have read [Contributing.md](https://github.com/Termix-SSH/Termix/blob/main/CONTRIBUTING.md)

.github/workflows/docker-image.yml

@@ -1,137 +0,0 @@
-name: Build and Push Docker Image
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag_name:
-        description: "Custom tag name for the Docker image"
-        required: false
-        default: ""
-      registry:
-        description: "Docker registry to push to"
-        required: true
-        default: "ghcr"
-        type: choice
-        options:
-          - "ghcr"
-          - "dockerhub"
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: arm64
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          platforms: linux/amd64,linux/arm64
-          driver-opts: |
-            image=moby/buildkit:master
-            network=host
-
-      - name: Cache npm dependencies
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.npm
-            node_modules
-            */*/node_modules
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-
-      - name: Cache Docker layers
-        uses: actions/cache@v4
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.ref_name }}-${{ hashFiles('docker/Dockerfile') }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-${{ github.ref_name }}-
-            ${{ runner.os }}-buildx-
-
-      - name: Login to GitHub Container Registry
-        if: github.event.inputs.registry != 'dockerhub'
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Docker Hub
-        if: github.event.inputs.registry == 'dockerhub'
-        uses: docker/login-action@v3
-        with:
-          username: bugattiguy527
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Determine Docker image tag
-        run: |
-          REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')
-          echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV
-
-          if [ "${{ github.event.inputs.tag_name }}" != "" ]; then
-            IMAGE_TAG="${{ github.event.inputs.tag_name }}"
-          elif [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            IMAGE_TAG="latest"
-          elif [ "${{ github.ref }}" == "refs/heads/development" ]; then
-            IMAGE_TAG="development-latest"
-          else
-            IMAGE_TAG="${{ github.ref_name }}"
-          fi
-          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
-
-          # Determine registry and image name
-          if [ "${{ github.event.inputs.registry }}" == "dockerhub" ]; then
-            echo "REGISTRY=docker.io" >> $GITHUB_ENV
-            echo "IMAGE_NAME=bugattiguy527/termix" >> $GITHUB_ENV
-          else
-            echo "REGISTRY=ghcr.io" >> $GITHUB_ENV
-            echo "IMAGE_NAME=$REPO_OWNER/termix" >> $GITHUB_ENV
-          fi
-
-      - name: Build and Push Multi-Arch Docker Image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./docker/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
-          labels: |
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-          build-args: |
-            BUILDKIT_INLINE_CACHE=1
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
-          outputs: type=registry,compression=zstd,compression-level=19
-
-      - name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
-      - name: Delete all untagged image versions
-        if: success() && github.event.inputs.registry != 'dockerhub'
-        uses: quartx-analytics/ghcr-cleaner@v1
-        with:
-          owner-type: user
-          token: ${{ secrets.GHCR_TOKEN }}
-          repository-owner: ${{ github.repository_owner }}
-          delete-untagged: true
-
-      - name: Cleanup Docker Images Locally
-        if: always()
-        run: |
-          docker image prune -af
-          docker system prune -af --volumes

.github/workflows/docker.yml

@@ -0,0 +1,94 @@
+name: Build and Push Docker Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to build (e.g., 1.8.0)"
+        required: true
+      build_type:
+        description: "Build type"
+        required: true
+        default: "Development"
+        type: choice
+        options:
+          - Development
+          - Production
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Determine tags
+        id: tags
+        run: |
+          VERSION=${{ github.event.inputs.version }}
+          BUILD_TYPE=${{ github.event.inputs.build_type }}
+
+          TAGS=()
+          ALL_TAGS=()
+
+          if [ "$BUILD_TYPE" = "Production" ]; then
+            TAGS+=("release-$VERSION" "latest")
+            for tag in "${TAGS[@]}"; do
+              ALL_TAGS+=("ghcr.io/lukegus/termix:$tag")
+              ALL_TAGS+=("docker.io/bugattiguy527/termix:$tag")
+            done
+          else
+            TAGS+=("dev-$VERSION")
+            for tag in "${TAGS[@]}"; do
+              ALL_TAGS+=("ghcr.io/lukegus/termix:$tag")
+            done
+          fi
+
+          echo "ALL_TAGS=$(IFS=,; echo "${ALL_TAGS[*]}")" >> $GITHUB_ENV
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: lukegus
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Login to Docker Hub (prod only)
+        if: ${{ github.event.inputs.build_type == 'Production' }}
+        uses: docker/login-action@v3
+        with:
+          username: bugattiguy527
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push multi-arch image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          tags: ${{ env.ALL_TAGS }}
+          build-args: |
+            BUILDKIT_INLINE_CACHE=1
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ github.run_id }}
+          outputs: type=registry,compression=gzip,compression-level=9
+
+      - name: Cleanup Docker
+        if: always()
+        run: |
+          docker image prune -af
+          docker system prune -af --volumes

.github/workflows/electron-build.yml

@@ -1,93 +0,0 @@
-name: Build Electron App
-
-on:
-  workflow_dispatch:
-    inputs:
-      build_type:
-        description: "Build type to run"
-        required: true
-        default: "all"
-        type: choice
-        options:
-          - all
-          - windows
-          - linux
-
-jobs:
-  build-windows:
-    runs-on: windows-latest
-    if: github.event.inputs.build_type == 'all' || github.event.inputs.build_type == 'windows' || github.event.inputs.build_type == ''
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build Windows Portable
-        run: npm run build:win-portable
-
-      - name: Build Windows Installer
-        run: npm run build:win-installer
-
-      - name: Create Windows Portable zip
-        run: |
-          Compress-Archive -Path "release/win-unpacked/*" -DestinationPath "Termix-Windows-Portable.zip"
-
-      - name: Upload Windows Portable Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: Termix-Windows-Portable
-          path: Termix-Windows-Portable.zip
-          retention-days: 30
-
-      - name: Upload Windows Installer Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: Termix-Windows-Installer
-          path: release/*.exe
-          retention-days: 30
-
-  build-linux:
-    runs-on: ubuntu-latest
-    if: github.event.inputs.build_type == 'all' || github.event.inputs.build_type == 'linux' || github.event.inputs.build_type == ''
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build Linux Portable
-        run: npm run build:linux-portable
-
-      - name: Create Linux Portable zip
-        run: |
-          cd release/linux-unpacked
-          zip -r ../../Termix-Linux-Portable.zip *
-          cd ../..
-
-      - name: Upload Linux Portable Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: Termix-Linux-Portable
-          path: Termix-Linux-Portable.zip
-          retention-days: 30

.github/workflows/electron.yml

@@ -0,0 +1,810 @@
+name: Build and Push Electron App
+
+on:
+  workflow_dispatch:
+    inputs:
+      build_type:
+        description: "Platform to build for"
+        required: true
+        default: "all"
+        type: choice
+        options:
+          - all
+          - windows
+          - linux
+          - macos
+      artifact_destination:
+        description: "What to do with the built app"
+        required: true
+        default: "file"
+        type: choice
+        options:
+          - none
+          - file
+          - release
+          - submit
+
+jobs:
+  build-windows:
+    runs-on: windows-latest
+    if: github.event.inputs.build_type == 'all' || github.event.inputs.build_type == 'windows' || github.event.inputs.build_type == ''
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: |
+          $maxAttempts = 3
+          $attempt = 1
+          while ($attempt -le $maxAttempts) {
+            try {
+              npm ci
+              break
+            } catch {
+              if ($attempt -eq $maxAttempts) {
+                Write-Error "npm ci failed after $maxAttempts attempts"
+                exit 1
+              }
+              Start-Sleep -Seconds 10
+              $attempt++
+            }
+          }
+
+      - name: Get version
+        id: package-version
+        run: |
+          $VERSION = (Get-Content package.json | ConvertFrom-Json).version
+          echo "version=$VERSION" >> $env:GITHUB_OUTPUT
+
+      - name: Build Windows (All Architectures)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm run build && npx electron-builder --win --x64 --ia32
+
+      - name: List release files
+        run: |
+          dir release
+
+      - name: Upload Windows x64 NSIS Installer
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_windows_x64_nsis.exe') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_windows_x64_nsis
+          path: release/termix_windows_x64_nsis.exe
+          retention-days: 30
+
+      - name: Upload Windows ia32 NSIS Installer
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_windows_ia32_nsis.exe') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_windows_ia32_nsis
+          path: release/termix_windows_ia32_nsis.exe
+          retention-days: 30
+
+      - name: Upload Windows x64 MSI Installer
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_windows_x64_msi.msi') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_windows_x64_msi
+          path: release/termix_windows_x64_msi.msi
+          retention-days: 30
+
+      - name: Upload Windows ia32 MSI Installer
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_windows_ia32_msi.msi') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_windows_ia32_msi
+          path: release/termix_windows_ia32_msi.msi
+          retention-days: 30
+
+      - name: Create Windows x64 Portable zip
+        if: hashFiles('release/win-unpacked/*') != ''
+        run: |
+          Compress-Archive -Path "release\win-unpacked\*" -DestinationPath "termix_windows_x64_portable.zip"
+
+      - name: Create Windows ia32 Portable zip
+        if: hashFiles('release/win-ia32-unpacked/*') != ''
+        run: |
+          Compress-Archive -Path "release\win-ia32-unpacked\*" -DestinationPath "termix_windows_ia32_portable.zip"
+
+      - name: Upload Windows x64 Portable
+        uses: actions/upload-artifact@v4
+        if: hashFiles('termix_windows_x64_portable.zip') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_windows_x64_portable
+          path: termix_windows_x64_portable.zip
+          retention-days: 30
+
+      - name: Upload Windows ia32 Portable
+        uses: actions/upload-artifact@v4
+        if: hashFiles('termix_windows_ia32_portable.zip') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_windows_ia32_portable
+          path: termix_windows_ia32_portable.zip
+          retention-days: 30
+
+  build-linux:
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    if: github.event.inputs.build_type == 'all' || github.event.inputs.build_type == 'linux' || github.event.inputs.build_type == ''
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install system dependencies for AppImage
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libfuse2
+
+      - name: Install dependencies
+        run: |
+          for i in 1 2 3;
+          do
+            if npm ci; then
+              break
+            else
+              if [ $i -eq 3 ]; then
+                exit 1
+              fi
+              sleep 10
+            fi
+          done
+          npm install --force @rollup/rollup-linux-x64-gnu
+          npm install --force @rollup/rollup-linux-arm64-gnu
+          npm install --force @rollup/rollup-linux-arm-gnueabihf
+
+      - name: Build Linux x64
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEBUG: electron-builder
+        run: npm run build && npx electron-builder --linux --x64
+
+      - name: Build Linux arm64 and armv7l
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx electron-builder --linux --arm64 --armv7l
+
+      - name: Rename Linux artifacts for consistency
+        run: |
+          cd release
+
+          if [ -f "termix_linux_amd64_deb.deb" ]; then
+            mv "termix_linux_amd64_deb.deb" "termix_linux_x64_deb.deb"
+          fi
+
+          if [ -f "termix_linux_x86_64_appimage.AppImage" ]; then
+            mv "termix_linux_x86_64_appimage.AppImage" "termix_linux_x64_appimage.AppImage"
+          fi
+
+          cd ..
+
+      - name: List release files
+        run: |
+          ls -la release/
+
+      - name: Debug electron-builder output
+        if: always()
+        run: |
+          if [ -f "release/builder-debug.yml" ]; then
+            cat release/builder-debug.yml
+          fi
+
+      - name: Upload Linux x64 AppImage
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_x64_appimage.AppImage') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_x64_appimage
+          path: release/termix_linux_x64_appimage.AppImage
+          retention-days: 30
+
+      - name: Upload Linux arm64 AppImage
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_arm64_appimage.AppImage') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_arm64_appimage
+          path: release/termix_linux_arm64_appimage.AppImage
+          retention-days: 30
+
+      - name: Upload Linux armv7l AppImage
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_armv7l_appimage.AppImage') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_armv7l_appimage
+          path: release/termix_linux_armv7l_appimage.AppImage
+          retention-days: 30
+
+      - name: Upload Linux x64 DEB
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_x64_deb.deb') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_x64_deb
+          path: release/termix_linux_x64_deb.deb
+          retention-days: 30
+
+      - name: Upload Linux arm64 DEB
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_arm64_deb.deb') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_arm64_deb
+          path: release/termix_linux_arm64_deb.deb
+          retention-days: 30
+
+      - name: Upload Linux armv7l DEB
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_armv7l_deb.deb') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_armv7l_deb
+          path: release/termix_linux_armv7l_deb.deb
+          retention-days: 30
+
+      - name: Upload Linux x64 tar.gz
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_x64_portable.tar.gz') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_x64_portable
+          path: release/termix_linux_x64_portable.tar.gz
+          retention-days: 30
+
+      - name: Upload Linux arm64 tar.gz
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_arm64_portable.tar.gz') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_arm64_portable
+          path: release/termix_linux_arm64_portable.tar.gz
+          retention-days: 30
+
+      - name: Upload Linux armv7l tar.gz
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_linux_armv7l_portable.tar.gz') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_linux_armv7l_portable
+          path: release/termix_linux_armv7l_portable.tar.gz
+          retention-days: 30
+
+  build-macos:
+    runs-on: macos-latest
+    if: github.event.inputs.build_type == 'macos' || github.event.inputs.build_type == 'all'
+    needs: []
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: |
+          for i in 1 2 3;
+          do
+            if npm ci; then
+              break
+            else
+              if [ $i -eq 3 ]; then
+                exit 1
+              fi
+              sleep 10
+            fi
+          done
+          npm install --force @rollup/rollup-darwin-arm64
+          npm install dmg-license
+
+      - name: Check for Code Signing Certificates
+        id: check_certs
+        run: |
+          if [ -n "${{ secrets.MAC_BUILD_CERTIFICATE_BASE64 }}" ] && [ -n "${{ secrets.MAC_P12_PASSWORD }}" ]; then
+            echo "has_certs=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Import Code Signing Certificates
+        if: steps.check_certs.outputs.has_certs == 'true'
+        env:
+          MAC_BUILD_CERTIFICATE_BASE64: ${{ secrets.MAC_BUILD_CERTIFICATE_BASE64 }}
+          MAC_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.MAC_INSTALLER_CERTIFICATE_BASE64 }}
+          MAC_P12_PASSWORD: ${{ secrets.MAC_P12_PASSWORD }}
+          MAC_KEYCHAIN_PASSWORD: ${{ secrets.MAC_KEYCHAIN_PASSWORD }}
+        run: |
+          APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12
+          INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          echo -n "$MAC_BUILD_CERTIFICATE_BASE64" | base64 --decode -o $APP_CERT_PATH
+
+          if [ -n "$MAC_INSTALLER_CERTIFICATE_BASE64" ]; then
+            echo -n "$MAC_INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o $INSTALLER_CERT_PATH
+          fi
+
+          security create-keychain -p "$MAC_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$MAC_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          security import $APP_CERT_PATH -P "$MAC_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+
+          if [ -f "$INSTALLER_CERT_PATH" ]; then
+            security import $INSTALLER_CERT_PATH -P "$MAC_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          fi
+
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          security find-identity -v -p codesigning $KEYCHAIN_PATH
+
+      - name: Build macOS App Store Package
+        if: steps.check_certs.outputs.has_certs == 'true'
+        env:
+          ELECTRON_BUILDER_ALLOW_UNRESOLVED_DEPENDENCIES: true
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          CURRENT_VERSION=$(node -p "require('./package.json').version")
+          BUILD_VERSION="${{ github.run_number }}"
+
+          npm run build && npx electron-builder --mac mas --universal --config.buildVersion="$BUILD_VERSION"
+
+      - name: Clean up MAS keychain before DMG build
+        if: steps.check_certs.outputs.has_certs == 'true'
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+
+      - name: Check for Developer ID Certificates
+        id: check_dev_id_certs
+        run: |
+          if [ -n "${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE64 }}" ] && [ -n "${{ secrets.DEVELOPER_ID_P12_PASSWORD }}" ]; then
+            echo "has_dev_id_certs=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Import Developer ID Certificates
+        if: steps.check_dev_id_certs.outputs.has_dev_id_certs == 'true'
+        env:
+          DEVELOPER_ID_CERTIFICATE_BASE64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE64 }}
+          DEVELOPER_ID_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.DEVELOPER_ID_INSTALLER_CERTIFICATE_BASE64 }}
+          DEVELOPER_ID_P12_PASSWORD: ${{ secrets.DEVELOPER_ID_P12_PASSWORD }}
+          MAC_KEYCHAIN_PASSWORD: ${{ secrets.MAC_KEYCHAIN_PASSWORD }}
+        run: |
+          DEV_CERT_PATH=$RUNNER_TEMP/dev_certificate.p12
+          DEV_INSTALLER_CERT_PATH=$RUNNER_TEMP/dev_installer_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/dev-signing.keychain-db
+
+          echo -n "$DEVELOPER_ID_CERTIFICATE_BASE64" | base64 --decode -o $DEV_CERT_PATH
+
+          if [ -n "$DEVELOPER_ID_INSTALLER_CERTIFICATE_BASE64" ]; then
+            echo -n "$DEVELOPER_ID_INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o $DEV_INSTALLER_CERT_PATH
+          fi
+
+          security create-keychain -p "$MAC_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$MAC_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          security import $DEV_CERT_PATH -P "$DEVELOPER_ID_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+
+          if [ -f "$DEV_INSTALLER_CERT_PATH" ]; then
+            security import $DEV_INSTALLER_CERT_PATH -P "$DEVELOPER_ID_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          fi
+
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          security find-identity -v -p codesigning $KEYCHAIN_PATH
+
+      - name: Build macOS DMG
+        env:
+          ELECTRON_BUILDER_ALLOW_UNRESOLVED_DEPENDENCIES: true
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          if [ "${{ steps.check_certs.outputs.has_certs }}" != "true" ]; then
+            npm run build
+          fi
+          export GH_TOKEN="${{ secrets.GITHUB_TOKEN }}"
+          npx electron-builder --mac dmg --universal --x64 --arm64 --publish never
+
+      - name: List release directory
+        if: steps.check_certs.outputs.has_certs == 'true'
+        run: |
+          ls -R release/ || echo "Release directory not found"
+
+      - name: Upload macOS MAS PKG
+        if: steps.check_certs.outputs.has_certs == 'true' && hashFiles('release/termix_macos_universal_mas.pkg') != '' && (github.event.inputs.artifact_destination == 'file' || github.event.inputs.artifact_destination == 'release' || github.event.inputs.artifact_destination == 'submit')
+        uses: actions/upload-artifact@v4
+        with:
+          name: termix_macos_universal_mas
+          path: release/termix_macos_universal_mas.pkg
+          retention-days: 30
+          if-no-files-found: warn
+
+      - name: Upload macOS Universal DMG
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_macos_universal_dmg.dmg') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_macos_universal_dmg
+          path: release/termix_macos_universal_dmg.dmg
+          retention-days: 30
+
+      - name: Upload macOS x64 DMG
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_macos_x64_dmg.dmg') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_macos_x64_dmg
+          path: release/termix_macos_x64_dmg.dmg
+          retention-days: 30
+
+      - name: Upload macOS arm64 DMG
+        uses: actions/upload-artifact@v4
+        if: hashFiles('release/termix_macos_arm64_dmg.dmg') != '' && github.event.inputs.artifact_destination != 'none'
+        with:
+          name: termix_macos_arm64_dmg
+          path: release/termix_macos_arm64_dmg.dmg
+          retention-days: 30
+
+      - name: Check for App Store Connect API credentials
+        if: steps.check_certs.outputs.has_certs == 'true'
+        id: check_asc_creds
+        run: |
+          if [ -n "${{ secrets.APPLE_KEY_ID }}" ] && [ -n "${{ secrets.APPLE_ISSUER_ID }}" ] && [ -n "${{ secrets.APPLE_KEY_CONTENT }}" ]; then
+            echo "has_credentials=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Ruby for Fastlane
+        if: steps.check_asc_creds.outputs.has_credentials == 'true' && github.event.inputs.artifact_destination == 'submit'
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.2"
+          bundler-cache: false
+
+      - name: Install Fastlane
+        if: steps.check_asc_creds.outputs.has_credentials == 'true' && github.event.inputs.artifact_destination == 'submit'
+        run: |
+          gem install fastlane -N
+
+      - name: Deploy to App Store Connect (TestFlight)
+        if: steps.check_asc_creds.outputs.has_credentials == 'true' && github.event.inputs.artifact_destination == 'submit'
+        run: |
+          PKG_FILE=$(find release -name "*.pkg" -type f | head -n 1)
+          if [ -z "$PKG_FILE" ]; then
+            exit 1
+          fi
+
+          mkdir -p ~/private_keys
+          echo "${{ secrets.APPLE_KEY_CONTENT }}" | base64 --decode > ~/private_keys/AuthKey_${{ secrets.APPLE_KEY_ID }}.p8
+
+          xcrun altool --upload-app -f "$PKG_FILE" \
+            --type macos \
+            --apiKey "${{ secrets.APPLE_KEY_ID }}" \
+            --apiIssuer "${{ secrets.APPLE_ISSUER_ID }}"
+        continue-on-error: true
+
+      - name: Clean up keychains
+        if: always()
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+          security delete-keychain $RUNNER_TEMP/dev-signing.keychain-db || true
+
+  submit-to-chocolatey:
+    runs-on: windows-latest
+    if: github.event.inputs.artifact_destination == 'submit'
+    needs: [build-windows]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Get version from package.json
+        id: package-version
+        run: |
+          $VERSION = (Get-Content package.json | ConvertFrom-Json).version
+          echo "version=$VERSION" >> $env:GITHUB_OUTPUT
+
+      - name: Download Windows x64 MSI artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: termix_windows_x64_msi
+          path: artifact
+
+      - name: Get MSI file info
+        id: msi-info
+        run: |
+          $VERSION = "${{ steps.package-version.outputs.version }}"
+          $MSI_FILE = Get-ChildItem -Path artifact -Filter "*.msi" | Select-Object -First 1
+          $MSI_NAME = $MSI_FILE.Name
+          $CHECKSUM = (Get-FileHash -Path $MSI_FILE.FullName -Algorithm SHA256).Hash
+
+          echo "msi_name=$MSI_NAME" >> $env:GITHUB_OUTPUT
+          echo "checksum=$CHECKSUM" >> $env:GITHUB_OUTPUT
+
+      - name: Prepare Chocolatey package
+        run: |
+          $VERSION = "${{ steps.package-version.outputs.version }}"
+          $CHECKSUM = "${{ steps.msi-info.outputs.checksum }}"
+          $MSI_NAME = "${{ steps.msi-info.outputs.msi_name }}"
+
+          $DOWNLOAD_URL = "https://github.com/Termix-SSH/Termix/releases/download/release-$VERSION-tag/$MSI_NAME"
+
+          New-Item -ItemType Directory -Force -Path "choco-build"
+          Copy-Item -Path "chocolatey\*" -Destination "choco-build" -Recurse -Force
+
+          $installScript = Get-Content "choco-build\tools\chocolateyinstall.ps1" -Raw -Encoding UTF8
+          $installScript = $installScript -replace 'DOWNLOAD_URL_PLACEHOLDER', $DOWNLOAD_URL
+          $installScript = $installScript -replace 'CHECKSUM_PLACEHOLDER', $CHECKSUM
+          [System.IO.File]::WriteAllText("$PWD\choco-build\tools\chocolateyinstall.ps1", $installScript, [System.Text.UTF8Encoding]::new($false))
+
+          $nuspec = Get-Content "choco-build\termix-ssh.nuspec" -Raw -Encoding UTF8
+          $nuspec = $nuspec -replace 'VERSION_PLACEHOLDER', $VERSION
+          [System.IO.File]::WriteAllText("$PWD\choco-build\termix-ssh.nuspec", $nuspec, [System.Text.UTF8Encoding]::new($false))
+
+      - name: Install Chocolatey
+        run: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force
+          [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
+          iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
+
+      - name: Pack Chocolatey package
+        run: |
+          cd choco-build
+          choco pack termix-ssh.nuspec
+
+          if ($LASTEXITCODE -ne 0) {
+            throw "Chocolatey push failed with exit code $LASTEXITCODE"
+          }
+
+      - name: Check for Chocolatey API Key
+        id: check_choco_key
+        run: |
+          if ("${{ secrets.CHOCOLATEY_API_KEY }}" -ne "") {
+            echo "has_key=true" >> $env:GITHUB_OUTPUT
+          }
+
+      - name: Push to Chocolatey
+        if: steps.check_choco_key.outputs.has_key == 'true'
+        run: |
+          $VERSION = "${{ steps.package-version.outputs.version }}"
+          cd choco-build
+          choco apikey --key "${{ secrets.CHOCOLATEY_API_KEY }}" --source https://push.chocolatey.org/
+
+          try {
+            choco push "termix-ssh.$VERSION.nupkg" --source https://push.chocolatey.org/
+            if ($LASTEXITCODE -eq 0) {
+            } else {
+              throw "Chocolatey push failed with exit code $LASTEXITCODE"
+            }
+          } catch {
+          }
+
+      - name: Upload Chocolatey package as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: chocolatey-package
+          path: choco-build/*.nupkg
+          retention-days: 30
+
+  submit-to-flatpak:
+    runs-on: ubuntu-latest
+    if: github.event.inputs.artifact_destination == 'submit'
+    needs: [build-linux]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Get version from package.json
+        id: package-version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          RELEASE_DATE=$(date +%Y-%m-%d)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "release_date=$RELEASE_DATE" >> $GITHUB_OUTPUT
+
+      - name: Download Linux x64 AppImage artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: termix_linux_x64_appimage
+          path: artifact-x64
+
+      - name: Download Linux arm64 AppImage artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: termix_linux_arm64_appimage
+          path: artifact-arm64
+
+      - name: Get AppImage file info
+        id: appimage-info
+        run: |
+          VERSION="${{ steps.package-version.outputs.version }}"
+
+          APPIMAGE_X64_FILE=$(find artifact-x64 -name "*.AppImage" -type f | head -n 1)
+          APPIMAGE_X64_NAME=$(basename "$APPIMAGE_X64_FILE")
+          CHECKSUM_X64=$(sha256sum "$APPIMAGE_X64_FILE" | awk '{print $1}')
+
+          APPIMAGE_ARM64_FILE=$(find artifact-arm64 -name "*.AppImage" -type f | head -n 1)
+          APPIMAGE_ARM64_NAME=$(basename "$APPIMAGE_ARM64_FILE")
+          CHECKSUM_ARM64=$(sha256sum "$APPIMAGE_ARM64_FILE" | awk '{print $1}')
+
+          echo "appimage_x64_name=$APPIMAGE_X64_NAME" >> $GITHUB_OUTPUT
+          echo "checksum_x64=$CHECKSUM_X64" >> $GITHUB_OUTPUT
+          echo "appimage_arm64_name=$APPIMAGE_ARM64_NAME" >> $GITHUB_OUTPUT
+          echo "checksum_arm64=$CHECKSUM_ARM64" >> $GITHUB_OUTPUT
+
+      - name: Install ImageMagick for icon generation
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y imagemagick
+
+      - name: Prepare Flatpak submission files
+        run: |
+          VERSION="${{ steps.package-version.outputs.version }}"
+          CHECKSUM_X64="${{ steps.appimage-info.outputs.checksum_x64 }}"
+          CHECKSUM_ARM64="${{ steps.appimage-info.outputs.checksum_arm64 }}"
+          RELEASE_DATE="${{ steps.package-version.outputs.release_date }}"
+          APPIMAGE_X64_NAME="${{ steps.appimage-info.outputs.appimage_x64_name }}"
+          APPIMAGE_ARM64_NAME="${{ steps.appimage-info.outputs.appimage_arm64_name }}"
+
+          mkdir -p flatpak-submission
+
+          cp flatpak/com.karmaa.termix.yml flatpak-submission/
+          cp flatpak/com.karmaa.termix.desktop flatpak-submission/
+          cp flatpak/com.karmaa.termix.metainfo.xml flatpak-submission/
+          cp flatpak/flathub.json flatpak-submission/
+
+          cp public/icon.svg flatpak-submission/com.karmaa.termix.svg
+          convert public/icon.png -resize 256x256 flatpak-submission/icon-256.png
+          convert public/icon.png -resize 128x128 flatpak-submission/icon-128.png
+
+          sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" flatpak-submission/com.karmaa.termix.yml
+          sed -i "s/CHECKSUM_X64_PLACEHOLDER/$CHECKSUM_X64/g" flatpak-submission/com.karmaa.termix.yml
+          sed -i "s/CHECKSUM_ARM64_PLACEHOLDER/$CHECKSUM_ARM64/g" flatpak-submission/com.karmaa.termix.yml
+
+          sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" flatpak-submission/com.karmaa.termix.metainfo.xml
+          sed -i "s/DATE_PLACEHOLDER/$RELEASE_DATE/g" flatpak-submission/com.karmaa.termix.metainfo.xml
+
+      - name: List submission files
+        run: |
+          ls -la flatpak-submission/
+
+      - name: Upload Flatpak submission as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: flatpak-submission
+          path: flatpak-submission/*
+          retention-days: 30
+
+  submit-to-homebrew:
+    runs-on: macos-latest
+    if: github.event.inputs.artifact_destination == 'submit'
+    needs: [build-macos]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Get version from package.json
+        id: package-version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Download macOS Universal DMG artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: termix_macos_universal_dmg
+          path: artifact
+
+      - name: Get DMG file info
+        id: dmg-info
+        run: |
+          VERSION="${{ steps.package-version.outputs.version }}"
+          DMG_FILE=$(find artifact -name "*.dmg" -type f | head -n 1)
+          DMG_NAME=$(basename "$DMG_FILE")
+          CHECKSUM=$(shasum -a 256 "$DMG_FILE" | awk '{print $1}')
+
+          echo "dmg_name=$DMG_NAME" >> $GITHUB_OUTPUT
+          echo "checksum=$CHECKSUM" >> $GITHUB_OUTPUT
+
+      - name: Prepare Homebrew submission files
+        run: |
+          VERSION="${{ steps.package-version.outputs.version }}"
+          CHECKSUM="${{ steps.dmg-info.outputs.checksum }}"
+          DMG_NAME="${{ steps.dmg-info.outputs.dmg_name }}"
+
+          mkdir -p homebrew-submission/Casks/t
+
+          cp homebrew/termix.rb homebrew-submission/Casks/t/termix.rb
+
+          sed -i '' "s/VERSION_PLACEHOLDER/$VERSION/g" homebrew-submission/Casks/t/termix.rb
+          sed -i '' "s/CHECKSUM_PLACEHOLDER/$CHECKSUM/g" homebrew-submission/Casks/t/termix.rb
+
+      - name: Verify Cask syntax
+        run: |
+          if ! command -v brew &> /dev/null; then
+            /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+          fi
+
+          ruby -c homebrew-submission/Casks/t/termix.rb
+
+      - name: List submission files
+        run: |
+          find homebrew-submission -type f
+
+      - name: Upload Homebrew submission as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: homebrew-submission
+          path: homebrew-submission/*
+          retention-days: 30
+
+  upload-to-release:
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    if: github.event.inputs.artifact_destination == 'release'
+    needs: [build-windows, build-linux, build-macos]
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Get latest release tag
+        id: get_release
+        run: |
+          echo "RELEASE_TAG=$(gh release list --repo ${{ github.repository }} --limit 1 --json tagName -q '.[0].tagName')" >> $GITHUB_ENV
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Display artifact structure
+        run: |
+          ls -R artifacts/
+
+      - name: Upload artifacts to latest release
+        run: |
+          cd artifacts
+          for dir in */; do
+            cd "$dir"
+            for file in *;
+            do
+              if [ -f "$file" ]; then
+                gh release upload "$RELEASE_TAG" "$file" --repo ${{ github.repository }} --clobber
+              fi
+            done
+            cd ..
+          done
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/pr-check.yml

@@ -0,0 +1,35 @@
+name: PR Check
+
+on:
+  pull_request:
+    branches: [main, dev-*]
+
+jobs:
+  lint-and-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install dependencies
+        run: |
+          rm -rf node_modules package-lock.json
+          npm install
+
+      - name: Run ESLint
+        run: npx eslint .
+
+      - name: Run Prettier check
+        run: npx prettier --check .
+
+      - name: Type check
+        run: npx tsc --noEmit
+
+      - name: Build
+        run: npm run build

.gitignore

@@ -1,4 +1,3 @@
-# Logs
 logs
 *.log
 npm-debug.log*
@@ -12,7 +11,6 @@ dist
 dist-ssr
 *.local
 
-# Editor directories and files
 .vscode/*
 !.vscode/extensions.json
 .idea
@@ -27,3 +25,6 @@ dist-ssr
 /.claude/
 /ssl/
 .env
+/.mcp.json
+/nul
+/.vscode/

.husky/commit-msg

@@ -0,0 +1 @@
+npx --no -- commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

.nvmrc

@@ -1 +1 @@
-22
+20

.prettierignore

@@ -1,3 +1,18 @@
-# Ignore artifacts:
 build
 coverage
+dist
+dist-ssr
+release
+
+node_modules
+package-lock.json
+pnpm-lock.yaml
+yarn.lock
+
+db
+
+.env
+
+*.min.js
+*.min.css
+openapi.json

.prettierrc

@@ -1 +1,9 @@
-{}
+{
+  "semi": true,
+  "singleQuote": false,
+  "tabWidth": 2,
+  "trailingComma": "all",
+  "printWidth": 80,
+  "arrowParens": "always",
+  "endOfLine": "lf"
+}

CONTRIBUTING.md

@@ -10,7 +10,7 @@
 
 1. Clone the repository:
    ```sh
-   git clone https://github.com/LukeGus/Termix
+   git clone https://github.com/Termix-SSH/Termix
    ```
 2. Install the dependencies:
    ```sh
@@ -31,7 +31,7 @@ This will start the backend and the frontend Vite server. You can access Termix
 ## Contributing
 
 1. **Fork the repository**: Click the "Fork" button at the top right of
-   the [repository page](https://github.com/LukeGus/Termix).
+   the [repository page](https://github.com/Termix-SSH/Termix).
 2. **Create a new branch**:
    ```sh
    git checkout -b feature/my-new-feature
@@ -101,6 +101,6 @@ This will start the backend and the frontend Vite server. You can access Termix
 
 ## Support
 
-If you need help with Termix, you can join the [Discord](https://discord.gg/jVQGdvHDrf) server and visit the support
-channel. You can also open an issue or open a pull request on the [GitHub](https://github.com/LukeGus/Termix/issues)
-repo.
+If you need help or want to request a feature with Termix, visit the [Issues](https://github.com/Termix-SSH/Support/issues) page, log in, and press `New Issue`.
+Please be as detailed as possible in your issue, preferably written in English. You can also join the [Discord](https://discord.gg/jVQGdvHDrf) server and visit the support
+channel, however, response times may be longer.

README-CN.md

@@ -1,13 +1,13 @@
 # 仓库统计
 
 <p align="center">
-  <a href="README.md"><img src="https://flagcdn.com/us.svg" alt="English" width="24" height="16"> 英文</a> | 
+  <a href="README.md"><img src="https://flagcdn.com/us.svg" alt="English" width="24" height="16"> 英文</a> |
   <img src="https://flagcdn.com/cn.svg" alt="中文" width="24" height="16"> 中文
 </p>
 
-![GitHub Repo stars](https://img.shields.io/github/stars/LukeGus/Termix?style=flat&label=Stars)
-![GitHub forks](https://img.shields.io/github/forks/LukeGus/Termix?style=flat&label=Forks)
-![GitHub Release](https://img.shields.io/github/v/release/LukeGus/Termix?style=flat&label=Release)
+![GitHub Repo stars](https://img.shields.io/github/stars/Termix-SSH/Termix?style=flat&label=Stars)
+![GitHub forks](https://img.shields.io/github/forks/Termix-SSH/Termix?style=flat&label=Forks)
+![GitHub Release](https://img.shields.io/github/v/release/Termix-SSH/Termix?style=flat&label=Release)
 <a href="https://discord.gg/jVQGdvHDrf"><img alt="Discord" src="https://img.shields.io/discord/1347374268253470720"></a>
 
 <p align="center">
@@ -29,7 +29,7 @@
 
 <br />
 <p align="center">
-  <a href="https://github.com/LukeGus/Termix">
+  <a href="https://github.com/Termix-SSH/Termix">
     <img alt="Termix Banner" src=./repo-images/HeaderImage.png style="width: auto; height: auto;">  </a>
 </p>
 
@@ -39,34 +39,63 @@
 # 概览
 
 <p align="center">
-  <a href="https://github.com/LukeGus/Termix">
+  <a href="https://github.com/Termix-SSH/Termix">
     <img alt="Termix Banner" src=./public/icon.svg style="width: 250px; height: 250px;">  </a>
 </p>
 
 Termix 是一个开源、永久免费、自托管的一体化服务器管理平台。它提供了一个基于网页的解决方案，通过一个直观的界面管理你的服务器和基础设施。Termix
-提供 SSH 终端访问、SSH 隧道功能以及远程文件编辑，还会陆续添加更多工具。
+提供 SSH 终端访问、SSH 隧道功能以及远程文件管理，还会陆续添加更多工具。Termix 是适用于所有平台的完美免费自托管 Termius 替代品。
 
 # 功能
 
-- **SSH 终端访问** - 功能完整的终端，支持分屏（最多 4 个面板）和标签系统
-- **SSH 隧道管理** - 创建和管理 SSH 隧道，支持自动重连和健康监控
-- **远程文件编辑器** - 直接在远程服务器编辑文件，支持语法高亮和文件管理功能（上传、删除、重命名等）
-- **SSH 主机管理器** - 保存、组织和管理 SSH 连接，支持标签和文件夹
-- **服务器统计** - 查看任意 SSH 服务器的 CPU、内存和硬盘使用情况
-- **用户认证** - 安全的用户管理，支持管理员控制、OIDC 和双因素认证（TOTP）
-- **现代化界面** - 使用 React、Tailwind CSS 和 Shadcn 构建的简洁界面
-- **语言支持** - 内置中英文支持
+- **SSH 终端访问** - 功能齐全的终端，具有分屏支持（最多 4 个面板）和类似浏览器的选项卡系统。包括对自定义终端的支持，包括常见终端主题、字体和其他组件
+- **SSH 隧道管理** - 创建和管理 SSH 隧道，具有自动重新连接和健康监控功能
+- **远程文件管理器** - 直接在远程服务器上管理文件，支持查看和编辑代码、图像、音频和视频。无缝上传、下载、重命名、删除和移动文件
+- **SSH 主机管理器** - 保存、组织和管理您的 SSH 连接，支持标签和文件夹，并轻松保存可重用的登录信息，同时能够自动部署 SSH 密钥
+- **服务器统计** - 在任何 SSH 服务器上查看 CPU、内存和磁盘使用情况以及网络、正常运行时间和系统信息
+- **仪表板** - 在仪表板上一目了然地查看服务器信息
+- **用户认证** - 安全的用户管理，具有管理员控制以及 OIDC 和 2FA (TOTP) 支持。查看所有平台上的活动用户会话并撤销权限。将您的 OIDC/本地帐户链接在一起。
+- **数据库加密** - 后端存储为加密的 SQLite 数据库文件。查看[文档](https://docs.termix.site/security)了解更多信息。
+- **数据导出/导入** - 导出和导入 SSH 主机、凭据和文件管理器数据
+- **自动 SSL 设置** - 内置 SSL 证书生成和管理，支持 HTTPS 重定向
+- **现代用户界面** - 使用 React、Tailwind CSS 和 Shadcn 构建的简洁的桌面/移动设备友好界面
+- **语言** - 内置支持英语、中文、德语和葡萄牙语
+- **平台支持** - 可作为 Web 应用程序、桌面应用程序（Windows、Linux 和 macOS）以及适用于 iOS 和 Android 的专用移动/平板电脑应用程序。
+- **SSH 工具** - 创建可重用的命令片段，单击即可执行。在多个打开的终端上同时运行一个命令。
+- **命令历史** - 自动完成并查看以前运行的 SSH 命令
+- **命令面板** - 双击左 Shift 键可快速使用键盘访问 SSH 连接
+- **SSH 功能丰富** - 支持跳板机、warpgate、基于 TOTP 的连接等。
 
 # 计划功能
 
-- **增强管理员控制** - 提供更精细的用户和管理员权限控制、共享主机等功能
-- **主题定制** - 修改所有工具的主题风格
-- **增强终端支持** - 添加更多终端协议，如 VNC 和 RDP（有类似 Apache Guacamole 的 RDP 集成经验者请通过创建 issue 联系我）
-- **移动端支持** - 支持移动应用或 Termix 网站移动版，让你在手机上管理服务器
+查看 [项目](https://github.com/orgs/Termix-SSH/projects/2) 了解所有计划功能。如果你想贡献代码，请参阅 [贡献指南](https://github.com/Termix-SSH/Termix/blob/main/CONTRIBUTING.md)。
 
 # 安装
 
-访问 Termix [文档](https://docs.termix.site/install) 获取安装信息。或者可以参考以下示例 docker-compose 文件：
+支持的设备：
+
+- 网站（任何平台上的任何现代浏览器，如 Chrome、Safari 和 Firefox）
+- Windows（x64/ia32）
+  - 便携版
+  - MSI 安装程序
+  - Chocolatey 软件包管理器（即将推出）
+- Linux（x64/ia32）
+  - 便携版
+  - AppImage
+  - Deb
+  - Flatpak（即将推出）
+- macOS（x64/ia32 on v12.0+）
+  - Apple App Store（即将推出）
+  - DMG
+  - Homebrew（即将推出）
+- iOS/iPadOS（v15.1+）
+  - Apple App Store
+  - ISO
+- Android（v7.0+）
+  - Google Play 商店
+  - APK
+
+访问 Termix [文档](https://docs.termix.site/install) 了解有关如何在所有平台上安装 Termix 的更多信息。或者，在此处查看示例 Docker Compose 文件：
 
 ```yaml
 services:
@@ -88,8 +117,9 @@ volumes:
 
 # 支持
 
-如果你需要 Termix 的帮助，可以加入 [Discord](https://discord.gg/jVQGdvHDrf)
-服务器并访问支持频道。你也可以在 [GitHub](https://github.com/LukeGus/Termix/issues) 仓库提交 issue 或 pull request。
+如果你需要 Termix 的帮助或想要请求功能，请访问 [Issues](https://github.com/Termix-SSH/Support/issues) 页面，登录并点击 `New Issue`。
+请尽可能详细地描述你的问题，最好使用英语。你也可以加入 [Discord](https://discord.gg/jVQGdvHDrf) 服务器并访问支持
+频道，但响应时间可能较长。
 
 # 展示
 
@@ -99,17 +129,26 @@ volumes:
 </p>
 
 <p align="center">
-  <img src="./repo-images/Image 3.png" width="250" alt="Termix Demo 3"/>
-  <img src="./repo-images/Image 4.png" width="250" alt="Termix Demo 4"/>
-  <img src="./repo-images/Image 5.png" width="250" alt="Termix Demo 5"/>
+  <img src="./repo-images/Image 3.png" width="400" alt="Termix Demo 3"/>
+  <img src="./repo-images/Image 4.png" width="400" alt="Termix Demo 4"/>
 </p>
 
 <p align="center">
-  <video src="https://github.com/user-attachments/assets/f9caa061-10dc-4173-ae7d-c6d42f05cf56" width="800" controls>
+  <img src="./repo-images/Image 5.png" width="400" alt="Termix Demo 5"/>
+  <img src="./repo-images/Image 6.png" width="400" alt="Termix Demo 6"/>
+</p>
+
+<p align="center">
+  <img src="./repo-images/Image 7.png" width="400" alt="Termix Demo 7"/>
+</p>
+
+<p align="center">
+  <video src="https://github.com/user-attachments/assets/88936e0d-2399-4122-8eee-c255c25da48c" width="800" controls>
     你的浏览器不支持 video 标签。
   </video>
 </p>
+视频和图像可能已过时。
 
 # 许可证
 
-根据 Apache 2.0 许可证发布。更多信息请参见 LICENSE。
+根据 Apache License Version 2.0 发布。更多信息请参见 LICENSE。

README.md

@@ -5,9 +5,9 @@
   <a href="README-CN.md"><img src="https://flagcdn.com/cn.svg" alt="中文" width="24" height="16"> 中文</a>
 </p>
 
-![GitHub Repo stars](https://img.shields.io/github/stars/LukeGus/Termix?style=flat&label=Stars)
-![GitHub forks](https://img.shields.io/github/forks/LukeGus/Termix?style=flat&label=Forks)
-![GitHub Release](https://img.shields.io/github/v/release/LukeGus/Termix?style=flat&label=Release)
+![GitHub Repo stars](https://img.shields.io/github/stars/Termix-SSH/Termix?style=flat&label=Stars)
+![GitHub forks](https://img.shields.io/github/forks/Termix-SSH/Termix?style=flat&label=Forks)
+![GitHub Release](https://img.shields.io/github/v/release/Termix-SSH/Termix?style=flat&label=Release)
 <a href="https://discord.gg/jVQGdvHDrf"><img alt="Discord" src="https://img.shields.io/discord/1347374268253470720"></a>
 
 <p align="center">
@@ -29,7 +29,7 @@
 
 <br />
 <p align="center">
-  <a href="https://github.com/LukeGus/Termix">
+  <a href="https://github.com/Termix-SSH/Termix">
     <img alt="Termix Banner" src=./repo-images/HeaderImage.png style="width: auto; height: auto;">  </a>
 </p>
 
@@ -39,43 +39,63 @@ If you would like, you can support the project here!\
 # Overview
 
 <p align="center">
-  <a href="https://github.com/LukeGus/Termix">
+  <a href="https://github.com/Termix-SSH/Termix">
     <img alt="Termix Banner" src=./public/icon.svg style="width: 250px; height: 250px;">  </a>
 </p>
 
-Termix is an open-source, forever-free, self-hosted all-in-one server management platform. It provides a web-based
+Termix is an open-source, forever-free, self-hosted all-in-one server management platform. It provides a multi-platform
 solution for managing your servers and infrastructure through a single, intuitive interface. Termix offers SSH terminal
-access, SSH tunneling capabilities, and remote file management, with many more tools to come.
+access, SSH tunneling capabilities, and remote file management, with many more tools to come. Termix is the perfect
+free and self-hosted alternative to Termius available for all platforms.
 
 # Features
 
-- **SSH Terminal Access** - Full-featured terminal with split-screen support (up to 4 panels) and tab system
+- **SSH Terminal Access** - Full-featured terminal with split-screen support (up to 4 panels) with a browser-like tab system. Includes support for customizing the terminal including common terminal themes, fonts, and other components
 - **SSH Tunnel Management** - Create and manage SSH tunnels with automatic reconnection and health monitoring
-- **Remote File Manager** - Manage files directly on remote servers with support for viewing and editing code, images, audio, and video. Upload, download, rename, delete, and move files seamlessly.
-- **SSH Host Manager** - Save, organize, and manage your SSH connections with tags and folders and easily save reusable login info while being able to automate the deploying of SSH keys
-- **Server Stats** - View CPU, memory, and HDD usage on any SSH server
-- **User Authentication** - Secure user management with admin controls and OIDC and 2FA (TOTP) support
-- **Database Encryption** - SQLite database files encrypted at rest with automatic encryption/decryption
-- **Data Export/Import** - Export and import SSH hosts, credentials, and file manager data with incremental sync
+- **Remote File Manager** - Manage files directly on remote servers with support for viewing and editing code, images, audio, and video. Upload, download, rename, delete, and move files seamlessly
+- **SSH Host Manager** - Save, organize, and manage your SSH connections with tags and folders, and easily save reusable login info while being able to automate the deployment of SSH keys
+- **Server Stats** - View CPU, memory, and disk usage along with network, uptime, and system information on any SSH server
+- **Dashboard** - View server information at a glance on your dashboard
+- **User Authentication** - Secure user management with admin controls and OIDC and 2FA (TOTP) support. View active user sessions across all platforms and revoke permissions. Link your OIDC/Local accounts together.
+- **Database Encryption** - Backend stored as encrypted SQLite database files. View [docs](https://docs.termix.site/security) for more.
+- **Data Export/Import** - Export and import SSH hosts, credentials, and file manager data
 - **Automatic SSL Setup** - Built-in SSL certificate generation and management with HTTPS redirects
 - **Modern UI** - Clean desktop/mobile-friendly interface built with React, Tailwind CSS, and Shadcn
-- **Languages** - Built-in support for English, Chinese, and German
-- **Platform Support** - Available as a web app, desktop application (Windows & Linux), and dedicated mobile app for iOS and Android. macOS and iPadOS support is planned.
+- **Languages** - Built-in support for English, Chinese, German, and Portuguese
+- **Platform Support** - Available as a web app, desktop application (Windows, Linux, and macOS), and dedicated mobile/tablet app for iOS and Android.
+- **SSH Tools** - Create reusable command snippets that execute with a single click. Run one command simultaneously across multiple open terminals.
+- **Command History** - Auto-complete and view previously ran SSH commands
+- **Command Palette** - Double tap left shift to quickly access SSH connections with your keyboard
+- **SSH Feature Rich** - Supports jump hosts, warpgate, TOTP based connections, etc.
 
 # Planned Features
 
-See [Projects](https://github.com/users/LukeGus/projects/3) for all planned features. If you are looking to contribute, see [Contributing](https://github.com/LukeGus/Termix/blob/main/CONTRIBUTING.md).
+See [Projects](https://github.com/orgs/Termix-SSH/projects/2) for all planned features. If you are looking to contribute, see [Contributing](https://github.com/Termix-SSH/Termix/blob/main/CONTRIBUTING.md).
 
 # Installation
 
 Supported Devices:
 
-- Website (any modern browser like Google, Safari, and Firefox)
-- Windows (app)
-- Linux (app)
-- iOS (app)
-- Android (app)
-- iPadOS and macOS are in progress
+- Website (any modern browser on any platform like Chrome, Safari, and Firefox)
+- Windows (x64/ia32)
+  - Portable
+  - MSI Installer
+  - Chocolatey Package Manager (coming soon)
+- Linux (x64/ia32)
+  - Portable
+  - AppImage
+  - Deb
+  - Flatpak (coming soon)
+- macOS (x64/ia32 on v12.0+)
+  - Apple App Store (coming soon)
+  - DMG
+  - Homebrew (coming soon)
+- iOS/iPadOS (v15.1+)
+  - Apple App Store
+  - ISO
+- Android (v7.0+)
+  - Google Play Store
+  - APK
 
 Visit the Termix [Docs](https://docs.termix.site/install) for more information on how to install Termix on all platforms. Otherwise, view
 a sample Docker Compose file here:
@@ -100,9 +120,9 @@ volumes:
 
 # Support
 
-If you need help with Termix, you can join the [Discord](https://discord.gg/jVQGdvHDrf) server and visit the support
-channel. You can also open an issue or open a pull request on the [GitHub](https://github.com/LukeGus/Termix/issues)
-repo.
+If you need help or want to request a feature with Termix, visit the [Issues](https://github.com/Termix-SSH/Support/issues) page, log in, and press `New Issue`.
+Please be as detailed as possible in your issue, preferably written in English. You can also join the [Discord](https://discord.gg/jVQGdvHDrf) server and visit the support
+channel, however, response times may be longer.
 
 # Show-off
 
@@ -130,6 +150,7 @@ repo.
     Your browser does not support the video tag.
   </video>
 </p>
+Videos and images may be out of date.
 
 # License
 

SECURITY.md

@@ -2,4 +2,4 @@
 
 ## Reporting a Vulnerability
 
-Please report any vulnerabilities to [GitHub Security](https://github.com/LukeGus/Termix/security/advisories).
+Please report any vulnerabilities to [GitHub Security](https://github.com/Termix-SSH/Termix/security/advisories).

build/entitlements.mac.inherit.plist

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+	<true/>
+</dict>
+</plist>

build/entitlements.mac.plist

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+	<true/>
+</dict>
+</plist>

build/entitlements.mas.inherit.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.inherit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>

build/entitlements.mas.plist

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+	<key>com.apple.security.network.server</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>

build/notarize.cjs

@@ -0,0 +1,31 @@
+const { notarize } = require('@electron/notarize');
+
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context;
+
+  if (electronPlatformName !== 'darwin') {
+    return;
+  }
+
+  const appleId = process.env.APPLE_ID;
+  const appleIdPassword = process.env.APPLE_ID_PASSWORD;
+  const teamId = process.env.APPLE_TEAM_ID;
+
+  if (!appleId || !appleIdPassword || !teamId) {
+    return;
+  }
+
+  const appName = context.packager.appInfo.productFilename;
+
+  try {
+    await notarize({
+      appBundleId: 'com.karmaa.termix',
+      appPath: `${appOutDir}/${appName}.app`,
+      appleId: appleId,
+      appleIdPassword: appleIdPassword,
+      teamId: teamId,
+    });
+  } catch (error) {
+    console.error('Notarization failed:', error);
+  }
+};

chocolatey/termix-ssh.nuspec

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>termix-ssh</id>
+    <version>VERSION_PLACEHOLDER</version>
+    <packageSourceUrl>https://github.com/Termix-SSH/Termix</packageSourceUrl>
+    <owners>bugattiguy527</owners>
+    <title>Termix SSH</title>
+    <authors>bugattiguy527</authors>
+    <projectUrl>https://github.com/Termix-SSH/Termix</projectUrl>
+    <iconUrl>https://raw.githubusercontent.com/Termix-SSH/Termix/main/public/icon.png</iconUrl>
+    <licenseUrl>https://raw.githubusercontent.com/Termix-SSH/Termix/refs/heads/main/LICENSE</licenseUrl>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <projectSourceUrl>https://github.com/Termix-SSH/Termix</projectSourceUrl>
+    <docsUrl>https://docs.termix.site/install</docsUrl>
+    <bugTrackerUrl>https://github.com/Termix-SSH/Support/issues</bugTrackerUrl>
+    <tags>docker ssh self-hosted file-management ssh-tunnel termix server-management terminal</tags>
+    <summary>Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities.</summary>
+    <description>
+Termix is an open-source, forever-free, self-hosted all-in-one server management platform. It provides a web-based solution for managing your servers and infrastructure through a single, intuitive interface.
+
+Termix offers:
+- SSH terminal access
+- SSH tunneling capabilities
+- Remote file management
+- Server monitoring and management
+
+This package installs the desktop application version of Termix.
+    </description>
+    <releaseNotes>https://github.com/Termix-SSH/Termix/releases</releaseNotes>
+  </metadata>
+  <files>
+    <file src="tools\**" target="tools" />
+  </files>
+</package>

chocolatey/tools/chocolateyinstall.ps1

@@ -0,0 +1,20 @@
+$ErrorActionPreference = 'Stop'
+
+$packageName = 'termix-ssh'
+$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
+$url64 = 'DOWNLOAD_URL_PLACEHOLDER'
+$checksum64 = 'CHECKSUM_PLACEHOLDER'
+$checksumType64 = 'sha256'
+
+$packageArgs = @{
+  packageName    = $packageName
+  fileType       = 'msi'
+  url64bit       = $url64
+  softwareName   = 'Termix*'
+  checksum64     = $checksum64
+  checksumType64 = $checksumType64
+  silentArgs     = "/qn /norestart /l*v `"$($env:TEMP)\$($packageName).$($env:chocolateyPackageVersion).MsiInstall.log`""
+  validExitCodes = @(0, 3010, 1641)
+}
+
+Install-ChocolateyPackage @packageArgs

chocolatey/tools/chocolateyuninstall.ps1

@@ -0,0 +1,33 @@
+$ErrorActionPreference = 'Stop'
+
+$packageName = 'termix-ssh'
+$softwareName = 'Termix*'
+$installerType = 'msi'
+
+$silentArgs = '/qn /norestart'
+$validExitCodes = @(0, 3010, 1605, 1614, 1641)
+
+[array]$key = Get-UninstallRegistryKey -SoftwareName $softwareName
+
+if ($key.Count -eq 1) {
+  $key | % {
+    $file = "$($_.UninstallString)"
+
+    if ($installerType -eq 'msi') {
+      $silentArgs = "$($_.PSChildName) $silentArgs"
+      $file = ''
+    }
+
+    Uninstall-ChocolateyPackage -PackageName $packageName `
+                                 -FileType $installerType `
+                                 -SilentArgs "$silentArgs" `
+                                 -ValidExitCodes $validExitCodes `
+                                 -File "$file"
+  }
+} elseif ($key.Count -eq 0) {
+  Write-Warning "$packageName has already been uninstalled by other means."
+} elseif ($key.Count -gt 1) {
+  Write-Warning "$($key.Count) matches found!"
+  Write-Warning "To prevent accidental data loss, no programs will be uninstalled."
+  $key | % {Write-Warning "- $($_.DisplayName)"}
+}

docker/Dockerfile

@@ -2,16 +2,12 @@
 FROM node:22-slim AS deps
 WORKDIR /app
 
-RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/* 
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
 
 COPY package*.json ./
 
-ENV npm_config_target_platform=linux
-ENV npm_config_target_arch=x64
-ENV npm_config_target_libc=glibc
-
 RUN rm -rf node_modules package-lock.json && \
-    npm install --force && \
+    npm install --ignore-scripts --force && \
     npm cache clean --force
 
 # Stage 2: Build frontend
@@ -31,10 +27,6 @@ WORKDIR /app
 
 COPY . .
 
-ENV npm_config_target_platform=linux
-ENV npm_config_target_arch=x64
-ENV npm_config_target_libc=glibc
-
 RUN npm rebuild better-sqlite3 --force
 
 RUN npm run build:backend
@@ -47,10 +39,6 @@ RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt
 
 COPY package*.json ./
 
-ENV npm_config_target_platform=linux
-ENV npm_config_target_arch=x64
-ENV npm_config_target_libc=glibc
-
 RUN npm ci --only=production --ignore-scripts --force && \
     npm rebuild better-sqlite3 bcryptjs --force && \
     npm cache clean --force
@@ -82,8 +70,8 @@ COPY --chown=node:node package.json ./
 
 VOLUME ["/app/data"]
 
-EXPOSE ${PORT} 30001 30002 30003 30004 30005
+EXPOSE ${PORT} 30001 30002 30003 30004 30005 30006
 
 COPY docker/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-CMD ["/entrypoint.sh"]
+CMD ["/entrypoint.sh"]

docker/nginx-https.conf

@@ -34,7 +34,6 @@ http {
         ssl_certificate_key ${SSL_KEY_PATH};
 
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options DENY always;
         add_header X-Content-Type-Options nosniff always;
         add_header X-XSS-Protection "1; mode=block" always;
 
@@ -49,6 +48,15 @@ http {
             log_not_found off;
         }
 
+        location ~ ^/users/sessions(/.*)?$ {
+            proxy_pass http://127.0.0.1:30001;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
         location ~ ^/users(/.*)?$ {
             proxy_pass http://127.0.0.1:30001;
             proxy_http_version 1.1;
@@ -92,27 +100,45 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
         }
 
-        location ~ ^/database(/.*)?$ {
-            client_max_body_size 5G;
-            client_body_timeout 300s;
-            
+        location ~ ^/snippets(/.*)?$ {
             proxy_pass http://127.0.0.1:30001;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+        }
+
+        location ~ ^/terminal(/.*)?$ {
+            proxy_pass http://127.0.0.1:30001;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location ~ ^/database(/.*)?$ {
+            client_max_body_size 5G;
+            client_body_timeout 300s;
+
+            proxy_pass http://127.0.0.1:30001;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
-            
+
             proxy_request_buffering off;
             proxy_buffering off;
         }
@@ -120,18 +146,18 @@ http {
         location ~ ^/db(/.*)?$ {
             client_max_body_size 5G;
             client_body_timeout 300s;
-            
+
             proxy_pass http://127.0.0.1:30001;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
-            
+
             proxy_request_buffering off;
             proxy_buffering off;
         }
@@ -216,18 +242,18 @@ http {
         location /ssh/file_manager/ssh/ {
             client_max_body_size 5G;
             client_body_timeout 300s;
-            
+
             proxy_pass http://127.0.0.1:30004;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
-            
+
             proxy_request_buffering off;
             proxy_buffering off;
         }
@@ -259,9 +285,27 @@ http {
             proxy_set_header X-Forwarded-Proto $scheme;
         }
 
+        location ~ ^/uptime(/.*)?$ {
+            proxy_pass http://127.0.0.1:30006;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location ~ ^/activity(/.*)?$ {
+            proxy_pass http://127.0.0.1:30006;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
         error_page 500 502 503 504 /50x.html;
         location = /50x.html {
             root /usr/share/nginx/html;
         }
     }
-}
+}

docker/nginx.conf

@@ -23,13 +23,20 @@ http {
         listen ${PORT};
         server_name localhost;
 
-        add_header X-Frame-Options DENY always;
         add_header X-Content-Type-Options nosniff always;
         add_header X-XSS-Protection "1; mode=block" always;
 
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            root /usr/share/nginx/html;
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+            try_files $uri =404;
+        }
+
         location / {
             root /usr/share/nginx/html;
             index index.html index.htm;
+            try_files $uri $uri/ /index.html;
         }
 
         location ~* \.map$ {
@@ -38,6 +45,15 @@ http {
             log_not_found off;
         }
 
+        location ~ ^/users/sessions(/.*)?$ {
+            proxy_pass http://127.0.0.1:30001;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
         location ~ ^/users(/.*)?$ {
             proxy_pass http://127.0.0.1:30001;
             proxy_http_version 1.1;
@@ -81,27 +97,45 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
         }
 
-        location ~ ^/database(/.*)?$ {
-            client_max_body_size 5G;
-            client_body_timeout 300s;
-            
+        location ~ ^/snippets(/.*)?$ {
             proxy_pass http://127.0.0.1:30001;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+        }
+
+        location ~ ^/terminal(/.*)?$ {
+            proxy_pass http://127.0.0.1:30001;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location ~ ^/database(/.*)?$ {
+            client_max_body_size 5G;
+            client_body_timeout 300s;
+
+            proxy_pass http://127.0.0.1:30001;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
-            
+
             proxy_request_buffering off;
             proxy_buffering off;
         }
@@ -109,18 +143,18 @@ http {
         location ~ ^/db(/.*)?$ {
             client_max_body_size 5G;
             client_body_timeout 300s;
-            
+
             proxy_pass http://127.0.0.1:30001;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
-            
+
             proxy_request_buffering off;
             proxy_buffering off;
         }
@@ -205,18 +239,18 @@ http {
         location /ssh/file_manager/ssh/ {
             client_max_body_size 5G;
             client_body_timeout 300s;
-            
+
             proxy_pass http://127.0.0.1:30004;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 300s;
             proxy_read_timeout 300s;
-            
+
             proxy_request_buffering off;
             proxy_buffering off;
         }
@@ -248,9 +282,27 @@ http {
             proxy_set_header X-Forwarded-Proto $scheme;
         }
 
+        location ~ ^/uptime(/.*)?$ {
+            proxy_pass http://127.0.0.1:30006;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location ~ ^/activity(/.*)?$ {
+            proxy_pass http://127.0.0.1:30006;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
         error_page 500 502 503 504 /50x.html;
         location = /50x.html {
             root /usr/share/nginx/html;
         }
     }
-}
+}

electron-builder.json

@@ -1,6 +1,7 @@
 {
-  "appId": "com.termix.app",
+  "appId": "com.karmaa.termix",
   "productName": "Termix",
+  "publish": null,
   "directories": {
     "output": "release"
   },
@@ -21,35 +22,53 @@
   },
   "buildDependenciesFromSource": false,
   "nodeGypRebuild": false,
-  "npmRebuild": false,
+  "npmRebuild": true,
   "win": {
-    "target": "nsis",
+    "target": [
+      {
+        "target": "nsis",
+        "arch": ["x64", "ia32"]
+      },
+      {
+        "target": "msi",
+        "arch": ["x64", "ia32"]
+      }
+    ],
     "icon": "public/icon.ico",
     "executableName": "Termix"
   },
   "nsis": {
     "oneClick": false,
     "allowToChangeInstallationDirectory": true,
-    "artifactName": "${productName}-Setup-${version}.${ext}",
+    "artifactName": "termix_windows_${arch}_nsis.${ext}",
     "createDesktopShortcut": true,
     "createStartMenuShortcut": true,
     "shortcutName": "Termix",
     "uninstallDisplayName": "Termix"
   },
+  "msi": {
+    "artifactName": "termix_windows_${arch}_msi.${ext}"
+  },
   "linux": {
+    "artifactName": "termix_linux_${arch}_portable.${ext}",
     "target": [
       {
         "target": "AppImage",
-        "arch": ["x64"]
+        "arch": ["x64", "arm64", "armv7l"]
+      },
+      {
+        "target": "deb",
+        "arch": ["x64", "arm64", "armv7l"]
       },
       {
         "target": "tar.gz",
-        "arch": ["x64"]
+        "arch": ["x64", "arm64", "armv7l"]
       }
     ],
     "icon": "public/icon.png",
     "category": "Development",
     "executableName": "termix",
+    "maintainer": "Termix <mail@termix.site>",
     "desktop": {
       "entry": {
         "Name": "Termix",
@@ -58,5 +77,52 @@
         "StartupWMClass": "termix"
       }
     }
+  },
+  "appImage": {
+    "artifactName": "termix_linux_${arch}_appimage.${ext}"
+  },
+  "deb": {
+    "artifactName": "termix_linux_${arch}_deb.${ext}"
+  },
+
+  "mac": {
+    "target": [
+      {
+        "target": "mas",
+        "arch": "universal"
+      },
+      {
+        "target": "dmg",
+        "arch": ["universal", "x64", "arm64"]
+      }
+    ],
+    "icon": "public/icon.icns",
+    "category": "public.app-category.developer-tools",
+    "hardenedRuntime": true,
+    "gatekeeperAssess": false,
+    "entitlements": "build/entitlements.mac.plist",
+    "entitlementsInherit": "build/entitlements.mac.inherit.plist",
+    "type": "distribution",
+    "minimumSystemVersion": "10.15"
+  },
+  "dmg": {
+    "artifactName": "termix_macos_${arch}_dmg.${ext}",
+    "sign": true
+  },
+  "afterSign": "build/notarize.cjs",
+  "mas": {
+    "provisioningProfile": "build/Termix_Mac_App_Store.provisionprofile",
+    "entitlements": "build/entitlements.mas.plist",
+    "entitlementsInherit": "build/entitlements.mas.inherit.plist",
+    "hardenedRuntime": false,
+    "gatekeeperAssess": false,
+    "asarUnpack": ["**/*.node"],
+    "type": "distribution",
+    "category": "public.app-category.developer-tools",
+    "artifactName": "termix_macos_${arch}_mas.${ext}",
+    "extendInfo": {
+      "ITSAppUsesNonExemptEncryption": false,
+      "NSAppleEventsUsageDescription": "Termix needs access to control other applications for terminal operations."
+    }
   }
 }

electron/main.cjs

@@ -1,22 +1,34 @@
-const { app, BrowserWindow, shell, ipcMain, dialog } = require("electron");
+const {
+  app,
+  BrowserWindow,
+  shell,
+  ipcMain,
+  dialog,
+  Menu,
+} = require("electron");
 const path = require("path");
 const fs = require("fs");
 const os = require("os");
 
+if (process.platform === "linux") {
+  app.commandLine.appendSwitch("--no-sandbox");
+  app.commandLine.appendSwitch("--disable-setuid-sandbox");
+  app.commandLine.appendSwitch("--disable-dev-shm-usage");
+
+  app.disableHardwareAcceleration();
+  app.commandLine.appendSwitch("--disable-gpu");
+  app.commandLine.appendSwitch("--disable-gpu-compositing");
+}
+
 app.commandLine.appendSwitch("--ignore-certificate-errors");
 app.commandLine.appendSwitch("--ignore-ssl-errors");
 app.commandLine.appendSwitch("--ignore-certificate-errors-spki-list");
 app.commandLine.appendSwitch("--enable-features=NetworkService");
 
-if (process.platform === "linux") {
-  app.commandLine.appendSwitch("--no-sandbox");
-  app.commandLine.appendSwitch("--disable-setuid-sandbox");
-  app.commandLine.appendSwitch("--disable-dev-shm-usage");
-}
-
 let mainWindow = null;
 
 const isDev = process.env.NODE_ENV === "development" || !app.isPackaged;
+const appRoot = isDev ? process.cwd() : path.join(__dirname, "..");
 
 const gotTheLock = app.requestSingleInstanceLock();
 if (!gotTheLock) {
@@ -34,40 +46,131 @@ if (!gotTheLock) {
 }
 
 function createWindow() {
+  const appVersion = app.getVersion();
+  const electronVersion = process.versions.electron;
+  const platform =
+    process.platform === "win32"
+      ? "Windows"
+      : process.platform === "darwin"
+        ? "macOS"
+        : "Linux";
+
   mainWindow = new BrowserWindow({
     width: 1200,
     height: 800,
     minWidth: 800,
     minHeight: 600,
     title: "Termix",
-    icon: isDev
-      ? path.join(__dirname, "..", "public", "icon.png")
-      : path.join(process.resourcesPath, "public", "icon.png"),
+    icon: path.join(appRoot, "public", "icon.png"),
     webPreferences: {
       nodeIntegration: false,
       contextIsolation: true,
-      webSecurity: true,
+      webSecurity: false,
       preload: path.join(__dirname, "preload.js"),
+      partition: "persist:termix",
+      allowRunningInsecureContent: true,
+      webviewTag: true,
+      offscreen: false,
     },
-    show: false,
+    show: true,
   });
 
   if (process.platform !== "darwin") {
     mainWindow.setMenuBarVisibility(false);
   }
 
+  const customUserAgent = `Termix-Desktop/${appVersion} (${platform}; Electron/${electronVersion})`;
+  mainWindow.webContents.setUserAgent(customUserAgent);
+
+  mainWindow.webContents.session.webRequest.onBeforeSendHeaders(
+    (details, callback) => {
+      details.requestHeaders["X-Electron-App"] = "true";
+
+      details.requestHeaders["User-Agent"] = customUserAgent;
+
+      callback({ requestHeaders: details.requestHeaders });
+    },
+  );
+
   if (isDev) {
     mainWindow.loadURL("http://localhost:5173");
     mainWindow.webContents.openDevTools();
   } else {
-    const indexPath = path.join(__dirname, "..", "dist", "index.html");
-    mainWindow.loadFile(indexPath);
+    const indexPath = path.join(appRoot, "dist", "index.html");
+    mainWindow.loadFile(indexPath).catch((err) => {
+      console.error("Failed to load file:", err);
+    });
   }
 
+  mainWindow.webContents.session.webRequest.onHeadersReceived(
+    (details, callback) => {
+      const headers = details.responseHeaders;
+
+      if (headers) {
+        delete headers["x-frame-options"];
+        delete headers["X-Frame-Options"];
+
+        if (headers["content-security-policy"]) {
+          headers["content-security-policy"] = headers[
+            "content-security-policy"
+          ]
+            .map((value) => value.replace(/frame-ancestors[^;]*/gi, ""))
+            .filter((value) => value.trim().length > 0);
+
+          if (headers["content-security-policy"].length === 0) {
+            delete headers["content-security-policy"];
+          }
+        }
+        if (headers["Content-Security-Policy"]) {
+          headers["Content-Security-Policy"] = headers[
+            "Content-Security-Policy"
+          ]
+            .map((value) => value.replace(/frame-ancestors[^;]*/gi, ""))
+            .filter((value) => value.trim().length > 0);
+
+          if (headers["Content-Security-Policy"].length === 0) {
+            delete headers["Content-Security-Policy"];
+          }
+        }
+
+        if (headers["set-cookie"]) {
+          headers["set-cookie"] = headers["set-cookie"].map((cookie) => {
+            let modified = cookie.replace(
+              /;\s*SameSite=Strict/gi,
+              "; SameSite=None",
+            );
+            modified = modified.replace(
+              /;\s*SameSite=Lax/gi,
+              "; SameSite=None",
+            );
+            if (!modified.includes("SameSite=")) {
+              modified += "; SameSite=None";
+            }
+            if (
+              !modified.includes("Secure") &&
+              details.url.startsWith("https")
+            ) {
+              modified += "; Secure";
+            }
+            return modified;
+          });
+        }
+      }
+
+      callback({ responseHeaders: headers });
+    },
+  );
+
   mainWindow.once("ready-to-show", () => {
     mainWindow.show();
   });
 
+  setTimeout(() => {
+    if (mainWindow && !mainWindow.isVisible()) {
+      mainWindow.show();
+    }
+  }, 3000);
+
   mainWindow.webContents.on(
     "did-fail-load",
     (event, errorCode, errorDescription, validatedURL) => {
@@ -84,13 +187,6 @@ function createWindow() {
     console.log("Frontend loaded successfully");
   });
 
-  mainWindow.on("close", (event) => {
-    if (process.platform === "darwin") {
-      event.preventDefault();
-      mainWindow.hide();
-    }
-  });
-
   mainWindow.on("closed", () => {
     mainWindow = null;
   });
@@ -106,11 +202,11 @@ ipcMain.handle("get-app-version", () => {
 });
 
 const GITHUB_API_BASE = "https://api.github.com";
-const REPO_OWNER = "LukeGus";
+const REPO_OWNER = "Termix-SSH";
 const REPO_NAME = "Termix";
 
 const githubCache = new Map();
-const CACHE_DURATION = 30 * 60 * 1000; // 30 minutes
+const CACHE_DURATION = 30 * 60 * 1000;
 
 async function fetchGitHubAPI(endpoint, cacheKey) {
   const cached = githubCache.get(cacheKey);
@@ -299,6 +395,48 @@ ipcMain.handle("save-server-config", (event, config) => {
   }
 });
 
+ipcMain.handle("get-setting", (event, key) => {
+  try {
+    const userDataPath = app.getPath("userData");
+    const settingsPath = path.join(userDataPath, "settings.json");
+
+    if (!fs.existsSync(settingsPath)) {
+      return null;
+    }
+
+    const settingsData = fs.readFileSync(settingsPath, "utf8");
+    const settings = JSON.parse(settingsData);
+    return settings[key] !== undefined ? settings[key] : null;
+  } catch (error) {
+    console.error("Error reading setting:", error);
+    return null;
+  }
+});
+
+ipcMain.handle("set-setting", (event, key, value) => {
+  try {
+    const userDataPath = app.getPath("userData");
+    const settingsPath = path.join(userDataPath, "settings.json");
+
+    if (!fs.existsSync(userDataPath)) {
+      fs.mkdirSync(userDataPath, { recursive: true });
+    }
+
+    let settings = {};
+    if (fs.existsSync(settingsPath)) {
+      const settingsData = fs.readFileSync(settingsPath, "utf8");
+      settings = JSON.parse(settingsData);
+    }
+
+    settings[key] = value;
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
+    return { success: true };
+  } catch (error) {
+    console.error("Error saving setting:", error);
+    return { success: false, error: error.message };
+  }
+});
+
 ipcMain.handle("test-server-connection", async (event, serverUrl) => {
   try {
     const https = require("https");
@@ -462,21 +600,78 @@ ipcMain.handle("test-server-connection", async (event, serverUrl) => {
   }
 });
 
+function createMenu() {
+  if (process.platform === "darwin") {
+    const template = [
+      {
+        label: app.name,
+        submenu: [
+          { role: "about" },
+          { type: "separator" },
+          { role: "services" },
+          { type: "separator" },
+          { role: "hide" },
+          { role: "hideOthers" },
+          { role: "unhide" },
+          { type: "separator" },
+          { role: "quit" },
+        ],
+      },
+      {
+        label: "Edit",
+        submenu: [
+          { role: "undo" },
+          { role: "redo" },
+          { type: "separator" },
+          { role: "cut" },
+          { role: "copy" },
+          { role: "paste" },
+          { role: "selectAll" },
+        ],
+      },
+      {
+        label: "View",
+        submenu: [
+          { role: "reload" },
+          { role: "forceReload" },
+          { role: "toggleDevTools" },
+          { type: "separator" },
+          { role: "resetZoom" },
+          { role: "zoomIn" },
+          { role: "zoomOut" },
+          { type: "separator" },
+          { role: "togglefullscreen" },
+        ],
+      },
+      {
+        label: "Window",
+        submenu: [
+          { role: "minimize" },
+          { role: "zoom" },
+          { type: "separator" },
+          { role: "front" },
+          { type: "separator" },
+          { role: "window" },
+        ],
+      },
+    ];
+    const menu = Menu.buildFromTemplate(template);
+    Menu.setApplicationMenu(menu);
+  }
+}
+
 app.whenReady().then(() => {
+  createMenu();
   createWindow();
 });
 
 app.on("window-all-closed", () => {
-  if (process.platform !== "darwin") {
-    app.quit();
-  }
+  app.quit();
 });
 
 app.on("activate", () => {
   if (BrowserWindow.getAllWindows().length === 0) {
     createWindow();
-  } else if (mainWindow) {
-    mainWindow.show();
   }
 });
 

electron/preload.js

@@ -22,6 +22,9 @@ contextBridge.exposeInMainWorld("electronAPI", {
   isElectron: true,
   isDev: process.env.NODE_ENV === "development",
 
+  getSetting: (key) => ipcRenderer.invoke("get-setting", key),
+  setSetting: (key, value) => ipcRenderer.invoke("set-setting", key, value),
+
   invoke: (channel, ...args) => ipcRenderer.invoke(channel, ...args),
 });
 

flatpak/com.karmaa.termix.desktop

@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=Termix
+Comment=Web-based server management platform with SSH terminal, tunneling, and file editing
+Exec=termix %U
+Icon=com.karmaa.termix
+Terminal=false
+Type=Application
+Categories=Development;Network;System;
+Keywords=ssh;terminal;server;management;tunnel;
+StartupWMClass=termix
+StartupNotify=true

flatpak/com.karmaa.termix.metainfo.xml

@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="desktop-application">
+  <id>com.karmaa.termix</id>
+  <name>Termix</name>
+  <summary>Web-based server management platform with SSH terminal, tunneling, and file editing</summary>
+
+  <metadata_license>CC0-1.0</metadata_license>
+  <project_license>GPL-3.0-or-later</project_license>
+
+  <developer_name>bugattiguy527</developer_name>
+
+  <description>
+    <p>
+      Termix is an open-source, forever-free, self-hosted all-in-one server management platform.
+      It provides a web-based solution for managing your servers and infrastructure through a single, intuitive interface.
+    </p>
+    <p>Features:</p>
+    <ul>
+      <li>SSH terminal access with full terminal emulation</li>
+      <li>SSH tunneling capabilities for secure port forwarding</li>
+      <li>Remote file management with editor support</li>
+      <li>Server monitoring and management tools</li>
+      <li>Self-hosted solution - keep your data private</li>
+      <li>Modern, intuitive web interface</li>
+    </ul>
+  </description>
+
+  <launchable type="desktop-id">com.karmaa.termix.desktop</launchable>
+
+  <screenshots>
+    <screenshot type="default">
+      <image>https://raw.githubusercontent.com/Termix-SSH/Termix/main/public/screenshots/terminal.png</image>
+      <caption>SSH Terminal Interface</caption>
+    </screenshot>
+  </screenshots>
+
+  <url type="homepage">https://github.com/Termix-SSH/Termix</url>
+  <url type="bugtracker">https://github.com/Termix-SSH/Support/issues</url>
+  <url type="help">https://docs.termix.site</url>
+  <url type="vcs-browser">https://github.com/Termix-SSH/Termix</url>
+
+  <content_rating type="oars-1.1">
+    <content_attribute id="social-info">moderate</content_attribute>
+  </content_rating>
+
+  <releases>
+    <release version="VERSION_PLACEHOLDER" date="DATE_PLACEHOLDER">
+      <description>
+        <p>Latest release of Termix</p>
+      </description>
+      <url>https://github.com/Termix-SSH/Termix/releases</url>
+    </release>
+  </releases>
+
+  <categories>
+    <category>Development</category>
+    <category>Network</category>
+    <category>System</category>
+  </categories>
+
+  <keywords>
+    <keyword>ssh</keyword>
+    <keyword>terminal</keyword>
+    <keyword>server</keyword>
+    <keyword>management</keyword>
+    <keyword>tunnel</keyword>
+    <keyword>file-manager</keyword>
+  </keywords>
+
+  <provides>
+    <binary>termix</binary>
+  </provides>
+
+  <requires>
+    <internet>always</internet>
+  </requires>
+</component>

flatpak/com.karmaa.termix.yml

@@ -0,0 +1,69 @@
+app-id: com.karmaa.termix
+runtime: org.freedesktop.Platform
+runtime-version: "23.08"
+sdk: org.freedesktop.Sdk
+base: org.electronjs.Electron2.BaseApp
+base-version: "23.08"
+command: termix
+separate-locales: false
+
+finish-args:
+  - --socket=x11
+  - --socket=wayland
+  - --socket=pulseaudio
+  - --share=network
+  - --share=ipc
+  - --device=dri
+  - --filesystem=home
+  - --socket=ssh-auth
+  - --talk-name=org.freedesktop.Notifications
+  - --talk-name=org.freedesktop.secrets
+
+modules:
+  - name: termix
+    buildsystem: simple
+    build-commands:
+      - chmod +x termix.AppImage
+      - ./termix.AppImage --appimage-extract
+
+      - install -Dm755 squashfs-root/termix /app/bin/termix
+      - cp -r squashfs-root/resources /app/bin/
+      - cp -r squashfs-root/locales /app/bin/ || true
+
+      - install -Dm644 com.karmaa.termix.desktop /app/share/applications/com.karmaa.termix.desktop
+
+      - install -Dm644 com.karmaa.termix.metainfo.xml /app/share/metainfo/com.karmaa.termix.metainfo.xml
+
+      - install -Dm644 com.karmaa.termix.svg /app/share/icons/hicolor/scalable/apps/com.karmaa.termix.svg
+      - install -Dm644 icon-256.png /app/share/icons/hicolor/256x256/apps/com.karmaa.termix.png || true
+      - install -Dm644 icon-128.png /app/share/icons/hicolor/128x128/apps/com.karmaa.termix.png || true
+
+    sources:
+      - type: file
+        url: https://github.com/Termix-SSH/Termix/releases/download/release-VERSION_PLACEHOLDER-tag/termix_linux_x64_VERSION_PLACEHOLDER_appimage.AppImage
+        sha256: CHECKSUM_X64_PLACEHOLDER
+        dest-filename: termix.AppImage
+        only-arches:
+          - x86_64
+
+      - type: file
+        url: https://github.com/Termix-SSH/Termix/releases/download/release-VERSION_PLACEHOLDER-tag/termix_linux_arm64_VERSION_PLACEHOLDER_appimage.AppImage
+        sha256: CHECKSUM_ARM64_PLACEHOLDER
+        dest-filename: termix.AppImage
+        only-arches:
+          - aarch64
+
+      - type: file
+        path: com.karmaa.termix.desktop
+
+      - type: file
+        path: com.karmaa.termix.metainfo.xml
+
+      - type: file
+        path: com.karmaa.termix.svg
+
+      - type: file
+        path: icon-256.png
+
+      - type: file
+        path: icon-128.png

flatpak/flathub.json

@@ -0,0 +1,5 @@
+{
+  "only-arches": ["x86_64", "aarch64"],
+  "skip-icons-check": false,
+  "skip-appstream-check": false
+}

flatpak/prepare-flatpak.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+VERSION="$1"
+CHECKSUM="$2"
+RELEASE_DATE="$3"
+
+if [ -z "$VERSION" ] || [ -z "$CHECKSUM" ] || [ -z "$RELEASE_DATE" ]; then
+  echo "Usage: $0 <version> <checksum> <release-date>"
+  echo "Example: $0 1.8.0 abc123... 2025-10-26"
+  exit 1
+fi
+
+echo "Preparing Flatpak submission for version $VERSION"
+
+cp public/icon.svg flatpak/com.karmaa.termix.svg
+echo "✓ Copied SVG icon"
+
+if command -v convert &> /dev/null; then
+  convert public/icon.png -resize 256x256 flatpak/icon-256.png
+  convert public/icon.png -resize 128x128 flatpak/icon-128.png
+  echo "✓ Generated PNG icons"
+else
+  cp public/icon.png flatpak/icon-256.png
+  cp public/icon.png flatpak/icon-128.png
+  echo "⚠ ImageMagick not found, using original icon"
+fi
+
+sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" flatpak/com.karmaa.termix.yml
+sed -i "s/CHECKSUM_PLACEHOLDER/$CHECKSUM/g" flatpak/com.karmaa.termix.yml
+echo "✓ Updated manifest with version $VERSION"
+
+sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" flatpak/com.karmaa.termix.metainfo.xml
+sed -i "s/DATE_PLACEHOLDER/$RELEASE_DATE/g" flatpak/com.karmaa.termix.metainfo.xml

homebrew/termix.rb

@@ -0,0 +1,24 @@
+cask "termix" do
+  version "VERSION_PLACEHOLDER"
+  sha256 "CHECKSUM_PLACEHOLDER"
+
+  url "https://github.com/Termix-SSH/Termix/releases/download/release-#{version}-tag/termix_macos_universal_#{version}_dmg.dmg"
+  name "Termix"
+  desc "Web-based server management platform with SSH terminal, tunneling, and file editing"
+  homepage "https://github.com/Termix-SSH/Termix"
+
+  livecheck do
+    url :url
+    strategy :github_latest
+  end
+
+  app "Termix.app"
+
+  zap trash: [
+    "~/Library/Application Support/termix",
+    "~/Library/Caches/com.karmaa.termix",
+    "~/Library/Caches/com.karmaa.termix.ShipIt",
+    "~/Library/Preferences/com.karmaa.termix.plist",
+    "~/Library/Saved Application State/com.karmaa.termix.savedState",
+  ]
+end

index.html

@@ -5,6 +5,36 @@
     <link rel="icon" type="image/svg+xml" href="/favicon.ico" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Termix</title>
+    <style>
+      .hide-scrollbar {
+        scrollbar-width: none;
+        -ms-overflow-style: none;
+      }
+
+      .hide-scrollbar::-webkit-scrollbar {
+        display: none;
+      }
+
+      .skinny-scrollbar {
+        scrollbar-width: thin;
+        scrollbar-color: #4a4a4a #1e1e21;
+      }
+
+      .skinny-scrollbar::-webkit-scrollbar {
+        width: 6px;
+        height: 6px;
+      }
+
+      .skinny-scrollbar::-webkit-scrollbar-track {
+        background: #1e1e21;
+      }
+
+      .skinny-scrollbar::-webkit-scrollbar-thumb {
+        background-color: #4a4a4a;
+        border-radius: 3px;
+        border: 1px solid #1e1e21;
+      }
+    </style>
   </head>
   <body>
     <div id="root"></div>

package.json

@@ -1,26 +1,30 @@
 {
   "name": "termix",
   "private": true,
-  "version": "1.7.2",
+  "version": "1.9.0",
   "description": "A web-based server management platform with SSH terminal, tunneling, and file editing capabilities",
   "author": "Karmaa",
   "main": "electron/main.cjs",
   "type": "module",
   "scripts": {
     "clean": "npx prettier . --write",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint": "eslint .",
+    "lint:fix": "eslint --fix .",
+    "type-check": "tsc --noEmit",
     "dev": "vite",
     "build": "vite build && tsc -p tsconfig.node.json",
     "build:backend": "tsc -p tsconfig.node.json",
     "dev:backend": "tsc -p tsconfig.node.json && node ./dist/backend/backend/starter.js",
     "preview": "vite preview",
-    "electron:dev": "concurrently \"npm run dev\" \"wait-on http://localhost:5173 && electron .\"",
+    "electron:dev": "concurrently \"npm run dev\" \"powershell -c \\\"Start-Sleep -Seconds 5\\\" && electron .\"",
     "build:win-portable": "npm run build && electron-builder --win --dir",
     "build:win-installer": "npm run build && electron-builder --win --publish=never",
     "build:linux-portable": "npm run build && electron-builder --linux --dir",
     "build:linux-appimage": "npm run build && electron-builder --linux AppImage",
     "build:linux-targz": "npm run build && electron-builder --linux tar.gz",
-    "test:encryption": "tsc -p tsconfig.node.json && node ./dist/backend/backend/utils/encryption-test.js",
-    "migrate:encryption": "tsc -p tsconfig.node.json && node ./dist/backend/backend/utils/encryption-migration.js"
+    "build:mac": "npm run build && electron-builder --mac --universal"
   },
   "dependencies": {
     "@codemirror/autocomplete": "^6.18.7",
@@ -40,11 +44,12 @@
     "@radix-ui/react-scroll-area": "^1.2.9",
     "@radix-ui/react-select": "^2.2.5",
     "@radix-ui/react-separator": "^1.1.7",
+    "@radix-ui/react-slider": "^1.3.6",
     "@radix-ui/react-slot": "^1.2.3",
     "@radix-ui/react-switch": "^1.2.5",
     "@radix-ui/react-tabs": "^1.1.12",
     "@radix-ui/react-tooltip": "^1.2.8",
-    "@tailwindcss/vite": "^4.1.11",
+    "@tailwindcss/vite": "^4.1.14",
     "@types/bcryptjs": "^2.4.6",
     "@types/cookie-parser": "^1.4.9",
     "@types/jszip": "^3.4.0",
@@ -65,6 +70,7 @@
     "chalk": "^4.1.2",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
+    "cmdk": "^1.1.1",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
     "dotenv": "^17.2.0",
@@ -95,16 +101,21 @@
     "react-simple-keyboard": "^3.8.120",
     "react-syntax-highlighter": "^15.6.6",
     "react-xtermjs": "^1.0.10",
+    "recharts": "^3.2.1",
     "remark-gfm": "^4.0.1",
     "sonner": "^2.0.7",
     "speakeasy": "^2.0.0",
     "ssh2": "^1.16.0",
     "tailwind-merge": "^3.3.1",
+    "tailwindcss": "^4.1.14",
     "wait-on": "^9.0.1",
     "ws": "^8.18.3",
     "zod": "^4.0.5"
   },
   "devDependencies": {
+    "@commitlint/cli": "^20.1.0",
+    "@commitlint/config-conventional": "^20.0.0",
+    "@electron/notarize": "^2.5.0",
     "@eslint/js": "^9.34.0",
     "@types/better-sqlite3": "^7.6.13",
     "@types/cors": "^2.8.19",
@@ -115,7 +126,7 @@
     "@types/react-dom": "^19.1.6",
     "@types/ssh2": "^1.15.5",
     "@types/ws": "^8.18.1",
-    "@vitejs/plugin-react-swc": "^3.10.2",
+    "@vitejs/plugin-react": "^4.3.4",
     "concurrently": "^9.2.1",
     "electron": "^38.0.0",
     "electron-builder": "^26.0.12",
@@ -123,9 +134,19 @@
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
     "globals": "^16.3.0",
+    "husky": "^9.1.7",
+    "lint-staged": "^16.2.3",
     "prettier": "3.6.2",
     "typescript": "~5.9.2",
     "typescript-eslint": "^8.40.0",
     "vite": "^7.1.5"
+  },
+  "lint-staged": {
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --write"
+    ],
+    "*.{json,css,md}": [
+      "prettier --write"
+    ]
   }
 }

src/backend/dashboard.ts

@@ -0,0 +1,245 @@
+import express from "express";
+import cors from "cors";
+import cookieParser from "cookie-parser";
+import { getDb } from "./database/db/index.js";
+import { recentActivity, sshData } from "./database/db/schema.js";
+import { eq, and, desc } from "drizzle-orm";
+import { dashboardLogger } from "./utils/logger.js";
+import { SimpleDBOps } from "./utils/simple-db-ops.js";
+import { AuthManager } from "./utils/auth-manager.js";
+import type { AuthenticatedRequest } from "../types/index.js";
+
+const app = express();
+const authManager = AuthManager.getInstance();
+
+const serverStartTime = Date.now();
+
+const activityRateLimiter = new Map<string, number>();
+const RATE_LIMIT_MS = 1000; // 1 second window
+
+app.use(
+  cors({
+    origin: (origin, callback) => {
+      if (!origin) return callback(null, true);
+
+      const allowedOrigins = [
+        "http://localhost:5173",
+        "http://localhost:3000",
+        "http://127.0.0.1:5173",
+        "http://127.0.0.1:3000",
+      ];
+
+      if (allowedOrigins.includes(origin)) {
+        return callback(null, true);
+      }
+
+      if (origin.startsWith("https://")) {
+        return callback(null, true);
+      }
+
+      if (origin.startsWith("http://")) {
+        return callback(null, true);
+      }
+
+      callback(new Error("Not allowed by CORS"));
+    },
+    credentials: true,
+    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    allowedHeaders: [
+      "Content-Type",
+      "Authorization",
+      "User-Agent",
+      "X-Electron-App",
+    ],
+  }),
+);
+app.use(cookieParser());
+app.use(express.json({ limit: "1mb" }));
+
+app.use(authManager.createAuthMiddleware());
+
+app.get("/uptime", async (req, res) => {
+  try {
+    const uptimeMs = Date.now() - serverStartTime;
+    const uptimeSeconds = Math.floor(uptimeMs / 1000);
+    const days = Math.floor(uptimeSeconds / 86400);
+    const hours = Math.floor((uptimeSeconds % 86400) / 3600);
+    const minutes = Math.floor((uptimeSeconds % 3600) / 60);
+
+    res.json({
+      uptimeMs,
+      uptimeSeconds,
+      formatted: `${days}d ${hours}h ${minutes}m`,
+    });
+  } catch (err) {
+    dashboardLogger.error("Failed to get uptime", err);
+    res.status(500).json({ error: "Failed to get uptime" });
+  }
+});
+
+app.get("/activity/recent", async (req, res) => {
+  try {
+    const userId = (req as AuthenticatedRequest).userId;
+
+    if (!SimpleDBOps.isUserDataUnlocked(userId)) {
+      return res.status(401).json({
+        error: "Session expired - please log in again",
+        code: "SESSION_EXPIRED",
+      });
+    }
+
+    const limit = Number(req.query.limit) || 20;
+
+    const activities = await SimpleDBOps.select(
+      getDb()
+        .select()
+        .from(recentActivity)
+        .where(eq(recentActivity.userId, userId))
+        .orderBy(desc(recentActivity.timestamp))
+        .limit(limit),
+      "recent_activity",
+      userId,
+    );
+
+    res.json(activities);
+  } catch (err) {
+    dashboardLogger.error("Failed to get recent activity", err);
+    res.status(500).json({ error: "Failed to get recent activity" });
+  }
+});
+
+app.post("/activity/log", async (req, res) => {
+  try {
+    const userId = (req as AuthenticatedRequest).userId;
+
+    if (!SimpleDBOps.isUserDataUnlocked(userId)) {
+      return res.status(401).json({
+        error: "Session expired - please log in again",
+        code: "SESSION_EXPIRED",
+      });
+    }
+
+    const { type, hostId, hostName } = req.body;
+
+    if (!type || !hostId || !hostName) {
+      return res.status(400).json({
+        error: "Missing required fields: type, hostId, hostName",
+      });
+    }
+
+    if (type !== "terminal" && type !== "file_manager") {
+      return res.status(400).json({
+        error: "Invalid activity type. Must be 'terminal' or 'file_manager'",
+      });
+    }
+
+    const rateLimitKey = `${userId}:${hostId}:${type}`;
+    const now = Date.now();
+    const lastLogged = activityRateLimiter.get(rateLimitKey);
+
+    if (lastLogged && now - lastLogged < RATE_LIMIT_MS) {
+      return res.json({
+        message: "Activity already logged recently (rate limited)",
+      });
+    }
+
+    activityRateLimiter.set(rateLimitKey, now);
+
+    if (activityRateLimiter.size > 10000) {
+      const entriesToDelete: string[] = [];
+      for (const [key, timestamp] of activityRateLimiter.entries()) {
+        if (now - timestamp > RATE_LIMIT_MS * 2) {
+          entriesToDelete.push(key);
+        }
+      }
+      entriesToDelete.forEach((key) => activityRateLimiter.delete(key));
+    }
+
+    const hosts = await SimpleDBOps.select(
+      getDb()
+        .select()
+        .from(sshData)
+        .where(and(eq(sshData.id, hostId), eq(sshData.userId, userId))),
+      "ssh_data",
+      userId,
+    );
+
+    if (hosts.length === 0) {
+      return res.status(404).json({ error: "Host not found" });
+    }
+
+    const result = (await SimpleDBOps.insert(
+      recentActivity,
+      "recent_activity",
+      {
+        userId,
+        type,
+        hostId,
+        hostName,
+      },
+      userId,
+    )) as unknown as { id: number };
+
+    const allActivities = await SimpleDBOps.select(
+      getDb()
+        .select()
+        .from(recentActivity)
+        .where(eq(recentActivity.userId, userId))
+        .orderBy(desc(recentActivity.timestamp)),
+      "recent_activity",
+      userId,
+    );
+
+    if (allActivities.length > 100) {
+      const toDelete = allActivities.slice(100);
+      for (const activity of toDelete) {
+        await SimpleDBOps.delete(recentActivity, "recent_activity", userId);
+      }
+    }
+
+    res.json({ message: "Activity logged", id: result.id });
+  } catch (err) {
+    dashboardLogger.error("Failed to log activity", err);
+    res.status(500).json({ error: "Failed to log activity" });
+  }
+});
+
+app.delete("/activity/reset", async (req, res) => {
+  try {
+    const userId = (req as AuthenticatedRequest).userId;
+
+    if (!SimpleDBOps.isUserDataUnlocked(userId)) {
+      return res.status(401).json({
+        error: "Session expired - please log in again",
+        code: "SESSION_EXPIRED",
+      });
+    }
+
+    await SimpleDBOps.delete(
+      recentActivity,
+      "recent_activity",
+      eq(recentActivity.userId, userId),
+    );
+
+    dashboardLogger.success("Recent activity cleared", {
+      operation: "reset_recent_activity",
+      userId,
+    });
+
+    res.json({ message: "Recent activity cleared" });
+  } catch (err) {
+    dashboardLogger.error("Failed to reset activity", err);
+    res.status(500).json({ error: "Failed to reset activity" });
+  }
+});
+
+const PORT = 30006;
+app.listen(PORT, async () => {
+  try {
+    await authManager.initialize();
+  } catch (err) {
+    dashboardLogger.error("Failed to initialize AuthManager", err, {
+      operation: "auth_init_error",
+    });
+  }
+});

src/backend/database/database.ts

@@ -6,6 +6,8 @@ import userRoutes from "./routes/users.js";
 import sshRoutes from "./routes/ssh.js";
 import alertRoutes from "./routes/alerts.js";
 import credentialsRoutes from "./routes/credentials.js";
+import snippetsRoutes from "./routes/snippets.js";
+import terminalRoutes from "./routes/terminal.js";
 import cors from "cors";
 import fetch from "node-fetch";
 import fs from "fs";
@@ -20,6 +22,7 @@ import { DatabaseMigration } from "../utils/database-migration.js";
 import { UserDataExport } from "../utils/user-data-export.js";
 import { AutoSSLSetup } from "../utils/auto-ssl-setup.js";
 import { eq, and } from "drizzle-orm";
+import { parseUserAgent } from "../utils/user-agent-parser.js";
 import {
   users,
   sshData,
@@ -31,6 +34,12 @@ import {
   sshCredentialUsage,
   settings,
 } from "./db/schema.js";
+import type {
+  CacheEntry,
+  GitHubRelease,
+  GitHubAPIResponse,
+  AuthenticatedRequest,
+} from "../../types/index.js";
 import { getDb } from "./db/index.js";
 import Database from "better-sqlite3";
 
@@ -53,6 +62,10 @@ app.use(
         "http://127.0.0.1:3000",
       ];
 
+      if (allowedOrigins.includes(origin)) {
+        return callback(null, true);
+      }
+
       if (origin.startsWith("https://")) {
         return callback(null, true);
       }
@@ -61,10 +74,6 @@ app.use(
         return callback(null, true);
       }
 
-      if (allowedOrigins.includes(origin)) {
-        return callback(null, true);
-      }
-
       callback(new Error("Not allowed by CORS"));
     },
     credentials: true,
@@ -74,6 +83,8 @@ app.use(
       "Authorization",
       "User-Agent",
       "X-Electron-App",
+      "Accept",
+      "Origin",
     ],
   }),
 );
@@ -105,17 +116,11 @@ const upload = multer({
   },
 });
 
-interface CacheEntry {
-  data: any;
-  timestamp: number;
-  expiresAt: number;
-}
-
 class GitHubCache {
   private cache: Map<string, CacheEntry> = new Map();
   private readonly CACHE_DURATION = 30 * 60 * 1000;
 
-  set(key: string, data: any): void {
+  set<T>(key: string, data: T): void {
     const now = Date.now();
     this.cache.set(key, {
       data,
@@ -124,7 +129,7 @@ class GitHubCache {
     });
   }
 
-  get(key: string): any | null {
+  get<T>(key: string): T | null {
     const entry = this.cache.get(key);
     if (!entry) {
       return null;
@@ -135,44 +140,26 @@ class GitHubCache {
       return null;
     }
 
-    return entry.data;
+    return entry.data as T;
   }
 }
 
 const githubCache = new GitHubCache();
 
 const GITHUB_API_BASE = "https://api.github.com";
-const REPO_OWNER = "LukeGus";
+const REPO_OWNER = "Termix-SSH";
 const REPO_NAME = "Termix";
 
-interface GitHubRelease {
-  id: number;
-  tag_name: string;
-  name: string;
-  body: string;
-  published_at: string;
-  html_url: string;
-  assets: Array<{
-    id: number;
-    name: string;
-    size: number;
-    download_count: number;
-    browser_download_url: string;
-  }>;
-  prerelease: boolean;
-  draft: boolean;
-}
-
-async function fetchGitHubAPI(
+async function fetchGitHubAPI<T>(
   endpoint: string,
   cacheKey: string,
-): Promise<any> {
-  const cachedData = githubCache.get(cacheKey);
-  if (cachedData) {
+): Promise<GitHubAPIResponse<T>> {
+  const cachedEntry = githubCache.get<CacheEntry<T>>(cacheKey);
+  if (cachedEntry) {
     return {
-      data: cachedData,
+      data: cachedEntry.data,
       cached: true,
-      cache_age: Date.now() - cachedData.timestamp,
+      cache_age: Date.now() - cachedEntry.timestamp,
     };
   }
 
@@ -191,8 +178,13 @@ async function fetchGitHubAPI(
       );
     }
 
-    const data = await response.json();
-    githubCache.set(cacheKey, data);
+    const data = (await response.json()) as T;
+    const cacheData: CacheEntry<T> = {
+      data,
+      timestamp: Date.now(),
+      expiresAt: Date.now() + 30 * 60 * 1000,
+    };
+    githubCache.set(cacheKey, cacheData);
 
     return {
       data: data,
@@ -257,7 +249,7 @@ app.get("/version", authenticateJWT, async (req, res) => {
           localVersion = foundVersion;
           break;
         }
-      } catch (error) {
+      } catch {
         continue;
       }
     }
@@ -272,7 +264,7 @@ app.get("/version", authenticateJWT, async (req, res) => {
 
   try {
     const cacheKey = "latest_release";
-    const releaseData = await fetchGitHubAPI(
+    const releaseData = await fetchGitHubAPI<GitHubRelease>(
       `/repos/${REPO_OWNER}/${REPO_NAME}/releases/latest`,
       cacheKey,
     );
@@ -323,12 +315,12 @@ app.get("/releases/rss", authenticateJWT, async (req, res) => {
     );
     const cacheKey = `releases_rss_${page}_${per_page}`;
 
-    const releasesData = await fetchGitHubAPI(
+    const releasesData = await fetchGitHubAPI<GitHubRelease[]>(
       `/repos/${REPO_OWNER}/${REPO_NAME}/releases?page=${page}&per_page=${per_page}`,
       cacheKey,
     );
 
-    const rssItems = releasesData.data.map((release: GitHubRelease) => ({
+    const rssItems = releasesData.data.map((release) => ({
       id: release.id,
       title: release.name || release.tag_name,
       description: release.body,
@@ -372,7 +364,6 @@ app.get("/releases/rss", authenticateJWT, async (req, res) => {
 
 app.get("/encryption/status", requireAdmin, async (req, res) => {
   try {
-    const authManager = AuthManager.getInstance();
     const securityStatus = {
       initialized: true,
       system: { hasSecret: true, isValid: true },
@@ -417,8 +408,6 @@ app.post("/encryption/initialize", requireAdmin, async (req, res) => {
 
 app.post("/encryption/regenerate", requireAdmin, async (req, res) => {
   try {
-    const authManager = AuthManager.getInstance();
-
     apiLogger.warn("System JWT secret regenerated via API", {
       operation: "jwt_regenerate_api",
     });
@@ -440,8 +429,6 @@ app.post("/encryption/regenerate", requireAdmin, async (req, res) => {
 
 app.post("/encryption/regenerate-jwt", requireAdmin, async (req, res) => {
   try {
-    const authManager = AuthManager.getInstance();
-
     apiLogger.warn("JWT secret regenerated via API", {
       operation: "jwt_secret_regenerate_api",
     });
@@ -462,7 +449,7 @@ app.post("/encryption/regenerate-jwt", requireAdmin, async (req, res) => {
 
 app.post("/database/export", authenticateJWT, async (req, res) => {
   try {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { password } = req.body;
 
     if (!password) {
@@ -471,8 +458,12 @@ app.post("/database/export", authenticateJWT, async (req, res) => {
         code: "PASSWORD_REQUIRED",
       });
     }
-
-    const unlocked = await authManager.authenticateUser(userId, password);
+    const deviceInfo = parseUserAgent(req);
+    const unlocked = await authManager.authenticateUser(
+      userId,
+      password,
+      deviceInfo.type,
+    );
     if (!unlocked) {
       return res.status(401).json({ error: "Invalid password" });
     }
@@ -695,7 +686,7 @@ app.post("/database/export", authenticateJWT, async (req, res) => {
           decrypted.authType,
           decrypted.password || null,
           decrypted.key || null,
-          decrypted.keyPassword || null,
+          decrypted.key_password || null,
           decrypted.keyType || null,
           decrypted.autostartPassword || null,
           decrypted.autostartKey || null,
@@ -738,9 +729,9 @@ app.post("/database/export", authenticateJWT, async (req, res) => {
           decrypted.username,
           decrypted.password || null,
           decrypted.key || null,
-          decrypted.privateKey || null,
-          decrypted.publicKey || null,
-          decrypted.keyPassword || null,
+          decrypted.private_key || null,
+          decrypted.public_key || null,
+          decrypted.key_password || null,
           decrypted.keyType || null,
           decrypted.detectedKeyType || null,
           decrypted.usageCount || 0,
@@ -916,19 +907,48 @@ app.post(
         return res.status(400).json({ error: "No file uploaded" });
       }
 
-      const userId = (req as any).userId;
+      const userId = (req as AuthenticatedRequest).userId;
       const { password } = req.body;
+      const mainDb = getDb();
+      const deviceInfo = parseUserAgent(req);
 
-      if (!password) {
-        return res.status(400).json({
-          error: "Password required for import",
-          code: "PASSWORD_REQUIRED",
-        });
+      const userRecords = await mainDb
+        .select()
+        .from(users)
+        .where(eq(users.id, userId));
+
+      if (!userRecords || userRecords.length === 0) {
+        return res.status(404).json({ error: "User not found" });
       }
 
-      const unlocked = await authManager.authenticateUser(userId, password);
-      if (!unlocked) {
-        return res.status(401).json({ error: "Invalid password" });
+      const isOidcUser = !!userRecords[0].is_oidc;
+
+      if (!isOidcUser) {
+        if (!password) {
+          return res.status(400).json({
+            error: "Password required for import",
+            code: "PASSWORD_REQUIRED",
+          });
+        }
+
+        const unlocked = await authManager.authenticateUser(
+          userId,
+          password,
+          deviceInfo.type,
+        );
+        if (!unlocked) {
+          return res.status(401).json({ error: "Invalid password" });
+        }
+      } else if (!DataCrypto.getUserDataKey(userId)) {
+        const oidcUnlocked = await authManager.authenticateOIDCUser(
+          userId,
+          deviceInfo.type,
+        );
+        if (!oidcUnlocked) {
+          return res.status(403).json({
+            error: "Failed to unlock user data with SSO credentials",
+          });
+        }
       }
 
       apiLogger.info("Importing SQLite data", {
@@ -939,7 +959,16 @@ app.post(
         mimetype: req.file.mimetype,
       });
 
-      const userDataKey = DataCrypto.getUserDataKey(userId);
+      let userDataKey = DataCrypto.getUserDataKey(userId);
+      if (!userDataKey && isOidcUser) {
+        const oidcUnlocked = await authManager.authenticateOIDCUser(
+          userId,
+          deviceInfo.type,
+        );
+        if (oidcUnlocked) {
+          userDataKey = DataCrypto.getUserDataKey(userId);
+        }
+      }
       if (!userDataKey) {
         throw new Error("User data not unlocked");
       }
@@ -968,7 +997,7 @@ app.post(
       try {
         importDb = new Database(req.file.path, { readonly: true });
 
-        const tables = importDb
+        importDb
           .prepare("SELECT name FROM sqlite_master WHERE type='table'")
           .all();
       } catch (sqliteError) {
@@ -993,8 +1022,6 @@ app.post(
       };
 
       try {
-        const mainDb = getDb();
-
         try {
           const importedHosts = importDb
             .prepare("SELECT * FROM ssh_data")
@@ -1059,7 +1086,7 @@ app.post(
               );
             }
           }
-        } catch (tableError) {
+        } catch {
           apiLogger.info("ssh_data table not found in import file, skipping");
         }
 
@@ -1120,7 +1147,7 @@ app.post(
               );
             }
           }
-        } catch (tableError) {
+        } catch {
           apiLogger.info(
             "ssh_credentials table not found in import file, skipping",
           );
@@ -1191,7 +1218,7 @@ app.post(
                 );
               }
             }
-          } catch (tableError) {
+          } catch {
             apiLogger.info(`${table} table not found in import file, skipping`);
           }
         }
@@ -1229,7 +1256,7 @@ app.post(
               );
             }
           }
-        } catch (tableError) {
+        } catch {
           apiLogger.info(
             "dismissed_alerts table not found in import file, skipping",
           );
@@ -1270,7 +1297,7 @@ app.post(
                 );
               }
             }
-          } catch (tableError) {
+          } catch {
             apiLogger.info("settings table not found in import file, skipping");
           }
         } else {
@@ -1288,7 +1315,7 @@ app.post(
 
       try {
         fs.unlinkSync(req.file.path);
-      } catch (cleanupError) {
+      } catch {
         apiLogger.warn("Failed to clean up uploaded file", {
           operation: "file_cleanup_warning",
           filePath: req.file.path,
@@ -1314,7 +1341,7 @@ app.post(
       if (req.file?.path && fs.existsSync(req.file.path)) {
         try {
           fs.unlinkSync(req.file.path);
-        } catch (cleanupError) {
+        } catch {
           apiLogger.warn("Failed to clean up uploaded file after error", {
             operation: "file_cleanup_error",
             filePath: req.file.path,
@@ -1324,7 +1351,7 @@ app.post(
 
       apiLogger.error("SQLite import failed", error, {
         operation: "sqlite_import_api_failed",
-        userId: (req as any).userId,
+        userId: (req as AuthenticatedRequest).userId,
       });
       res.status(500).json({
         error: "Failed to import SQLite data",
@@ -1336,12 +1363,8 @@ app.post(
 
 app.post("/database/export/preview", authenticateJWT, async (req, res) => {
   try {
-    const userId = (req as any).userId;
-    const {
-      format = "encrypted",
-      scope = "user_data",
-      includeCredentials = true,
-    } = req.body;
+    const userId = (req as AuthenticatedRequest).userId;
+    const { scope = "user_data", includeCredentials = true } = req.body;
 
     const exportData = await UserDataExport.exportUserData(userId, {
       format: "encrypted",
@@ -1411,13 +1434,15 @@ app.use("/users", userRoutes);
 app.use("/ssh", sshRoutes);
 app.use("/alerts", alertRoutes);
 app.use("/credentials", credentialsRoutes);
+app.use("/snippets", snippetsRoutes);
+app.use("/terminal", terminalRoutes);
 
 app.use(
   (
     err: unknown,
     req: express.Request,
     res: express.Response,
-    next: express.NextFunction,
+    _next: express.NextFunction,
   ) => {
     apiLogger.error("Unhandled error in request", err, {
       operation: "error_handler",
@@ -1430,7 +1455,6 @@ app.use(
 );
 
 const HTTP_PORT = 30001;
-const HTTPS_PORT = process.env.SSL_PORT || 8443;
 
 async function initializeSecurity() {
   try {
@@ -1443,13 +1467,6 @@ async function initializeSecurity() {
     if (!isValid) {
       throw new Error("Security system validation failed");
     }
-
-    const securityStatus = {
-      initialized: true,
-      system: { hasSecret: true, isValid: true },
-      activeSessions: {},
-      activeSessionCount: 0,
-    };
   } catch (error) {
     databaseLogger.error("Failed to initialize security system", error, {
       operation: "security_init_error",

src/backend/database/db/index.ts

@@ -12,10 +12,6 @@ import { DatabaseSaveTrigger } from "../../utils/database-save-trigger.js";
 const dataDir = process.env.DATA_DIR || "./db/data";
 const dbDir = path.resolve(dataDir);
 if (!fs.existsSync(dbDir)) {
-  databaseLogger.info(`Creating database directory`, {
-    operation: "db_init",
-    path: dbDir,
-  });
   fs.mkdirSync(dbDir, { recursive: true });
 }
 
@@ -23,7 +19,7 @@ const enableFileEncryption = process.env.DB_FILE_ENCRYPTION !== "false";
 const dbPath = path.join(dataDir, "db.sqlite");
 const encryptedDbPath = `${dbPath}.encrypted`;
 
-let actualDbPath = ":memory:";
+const actualDbPath = ":memory:";
 let memoryDatabase: Database.Database;
 let isNewDatabase = false;
 let sqlite: Database.Database;
@@ -31,7 +27,7 @@ let sqlite: Database.Database;
 async function initializeDatabaseAsync(): Promise<void> {
   const systemCrypto = SystemCrypto.getInstance();
 
-  const dbKey = await systemCrypto.getDatabaseKey();
+  await systemCrypto.getDatabaseKey();
   if (enableFileEncryption) {
     try {
       if (DatabaseFileEncryption.isEncryptedDatabaseFile(encryptedDbPath)) {
@@ -39,6 +35,13 @@ async function initializeDatabaseAsync(): Promise<void> {
           await DatabaseFileEncryption.decryptDatabaseToBuffer(encryptedDbPath);
 
         memoryDatabase = new Database(decryptedBuffer);
+
+        try {
+          const sessionCount = memoryDatabase
+            .prepare("SELECT COUNT(*) as count FROM sessions")
+            .get() as { count: number };
+        } catch (countError) {
+        }
       } else {
         const migration = new DatabaseMigration(dataDir);
         const migrationStatus = migration.checkMigrationStatus();
@@ -92,6 +95,26 @@ async function initializeDatabaseAsync(): Promise<void> {
         databaseKeyLength: process.env.DATABASE_KEY?.length || 0,
       });
 
+      try {
+        const diagnosticInfo =
+          DatabaseFileEncryption.getDiagnosticInfo(encryptedDbPath);
+        databaseLogger.error(
+          "Database encryption diagnostic completed - check logs above for details",
+          null,
+          {
+            operation: "db_encryption_diagnostic_completed",
+            filesConsistent: diagnosticInfo.validation.filesConsistent,
+            sizeMismatch: diagnosticInfo.validation.sizeMismatch,
+          },
+        );
+      } catch (diagError) {
+        databaseLogger.warn("Failed to generate diagnostic information", {
+          operation: "db_diagnostic_failed",
+          error:
+            diagError instanceof Error ? diagError.message : "Unknown error",
+        });
+      }
+
       throw new Error(
         `Database decryption failed: ${error instanceof Error ? error.message : "Unknown error"}. This prevents data loss.`,
       );
@@ -117,6 +140,8 @@ async function initializeCompleteDatabase(): Promise<void> {
 
   sqlite = memoryDatabase;
 
+  sqlite.exec("PRAGMA foreign_keys = ON");
+
   db = drizzle(sqlite, { schema });
 
   sqlite.exec(`
@@ -145,6 +170,18 @@ async function initializeCompleteDatabase(): Promise<void> {
         value TEXT NOT NULL
     );
 
+    CREATE TABLE IF NOT EXISTS sessions (
+        id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL,
+        jwt_token TEXT NOT NULL,
+        device_type TEXT NOT NULL,
+        device_info TEXT NOT NULL,
+        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        expires_at TEXT NOT NULL,
+        last_active_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
+    );
+
     CREATE TABLE IF NOT EXISTS ssh_data (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
         user_id TEXT NOT NULL,
@@ -165,9 +202,15 @@ async function initializeCompleteDatabase(): Promise<void> {
         tunnel_connections TEXT,
         enable_file_manager INTEGER NOT NULL DEFAULT 1,
         default_path TEXT,
+        autostart_password TEXT,
+        autostart_key TEXT,
+        autostart_key_password TEXT,
+        force_keyboard_interactive TEXT,
+        stats_config TEXT,
+        terminal_config TEXT,
         created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
         updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (user_id) REFERENCES users (id)
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
     );
 
     CREATE TABLE IF NOT EXISTS file_manager_recent (
@@ -177,8 +220,8 @@ async function initializeCompleteDatabase(): Promise<void> {
         name TEXT NOT NULL,
         path TEXT NOT NULL,
         last_opened TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (user_id) REFERENCES users (id),
-        FOREIGN KEY (host_id) REFERENCES ssh_data (id)
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+        FOREIGN KEY (host_id) REFERENCES ssh_data (id) ON DELETE CASCADE
     );
 
     CREATE TABLE IF NOT EXISTS file_manager_pinned (
@@ -188,8 +231,8 @@ async function initializeCompleteDatabase(): Promise<void> {
         name TEXT NOT NULL,
         path TEXT NOT NULL,
         pinned_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (user_id) REFERENCES users (id),
-        FOREIGN KEY (host_id) REFERENCES ssh_data (id)
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+        FOREIGN KEY (host_id) REFERENCES ssh_data (id) ON DELETE CASCADE
     );
 
     CREATE TABLE IF NOT EXISTS file_manager_shortcuts (
@@ -199,8 +242,8 @@ async function initializeCompleteDatabase(): Promise<void> {
         name TEXT NOT NULL,
         path TEXT NOT NULL,
         created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (user_id) REFERENCES users (id),
-        FOREIGN KEY (host_id) REFERENCES ssh_data (id)
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+        FOREIGN KEY (host_id) REFERENCES ssh_data (id) ON DELETE CASCADE
     );
 
     CREATE TABLE IF NOT EXISTS dismissed_alerts (
@@ -208,7 +251,7 @@ async function initializeCompleteDatabase(): Promise<void> {
         user_id TEXT NOT NULL,
         alert_id TEXT NOT NULL,
         dismissed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (user_id) REFERENCES users (id)
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
     );
 
     CREATE TABLE IF NOT EXISTS ssh_credentials (
@@ -228,7 +271,7 @@ async function initializeCompleteDatabase(): Promise<void> {
         last_used TEXT,
         created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
         updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (user_id) REFERENCES users (id)
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
     );
 
     CREATE TABLE IF NOT EXISTS ssh_credential_usage (
@@ -237,13 +280,65 @@ async function initializeCompleteDatabase(): Promise<void> {
         host_id INTEGER NOT NULL,
         user_id TEXT NOT NULL,
         used_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        FOREIGN KEY (credential_id) REFERENCES ssh_credentials (id),
-        FOREIGN KEY (host_id) REFERENCES ssh_data (id),
-        FOREIGN KEY (user_id) REFERENCES users (id)
+        FOREIGN KEY (credential_id) REFERENCES ssh_credentials (id) ON DELETE CASCADE,
+        FOREIGN KEY (host_id) REFERENCES ssh_data (id) ON DELETE CASCADE,
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS snippets (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        name TEXT NOT NULL,
+        content TEXT NOT NULL,
+        description TEXT,
+        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS ssh_folders (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        name TEXT NOT NULL,
+        color TEXT,
+        icon TEXT,
+        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS recent_activity (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        type TEXT NOT NULL,
+        host_id INTEGER NOT NULL,
+        host_name TEXT,
+        timestamp TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+        FOREIGN KEY (host_id) REFERENCES ssh_data (id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS command_history (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id TEXT NOT NULL,
+        host_id INTEGER NOT NULL,
+        command TEXT NOT NULL,
+        executed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+        FOREIGN KEY (host_id) REFERENCES ssh_data (id) ON DELETE CASCADE
     );
 
 `);
 
+  try {
+    sqlite.prepare("DELETE FROM sessions").run();
+  } catch (e) {
+    databaseLogger.warn("Could not clear sessions on startup", {
+      operation: "db_init_session_cleanup_failed",
+      error: e,
+    });
+  }
+
   migrateSchema();
 
   try {
@@ -263,6 +358,24 @@ async function initializeCompleteDatabase(): Promise<void> {
       error: e,
     });
   }
+
+  try {
+    const row = sqlite
+      .prepare("SELECT value FROM settings WHERE key = 'allow_password_login'")
+      .get();
+    if (!row) {
+      sqlite
+        .prepare(
+          "INSERT INTO settings (key, value) VALUES ('allow_password_login', 'true')",
+        )
+        .run();
+    }
+  } catch (e) {
+    databaseLogger.warn("Could not initialize allow_password_login setting", {
+      operation: "db_init",
+      error: e,
+    });
+  }
 }
 
 const addColumnIfNotExists = (
@@ -273,14 +386,14 @@ const addColumnIfNotExists = (
   try {
     sqlite
       .prepare(
-        `SELECT ${column}
+        `SELECT "${column}"
                         FROM ${table} LIMIT 1`,
       )
       .get();
-  } catch (e) {
+  } catch {
     try {
       sqlite.exec(`ALTER TABLE ${table}
-                ADD COLUMN ${column} ${definition};`);
+                ADD COLUMN "${column}" ${definition};`);
     } catch (alterError) {
       databaseLogger.warn(`Failed to add column ${column} to ${table}`, {
         operation: "schema_migration",
@@ -335,6 +448,7 @@ const migrateSchema = () => {
     "INTEGER NOT NULL DEFAULT 1",
   );
   addColumnIfNotExists("ssh_data", "tunnel_connections", "TEXT");
+  addColumnIfNotExists("ssh_data", "jump_hosts", "TEXT");
   addColumnIfNotExists(
     "ssh_data",
     "enable_file_manager",
@@ -351,16 +465,27 @@ const migrateSchema = () => {
     "updated_at",
     "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP",
   );
-
+  addColumnIfNotExists("ssh_data", "force_keyboard_interactive", "TEXT");
+  addColumnIfNotExists("ssh_data", "autostart_password", "TEXT");
+  addColumnIfNotExists("ssh_data", "autostart_key", "TEXT");
+  addColumnIfNotExists("ssh_data", "autostart_key_password", "TEXT");
   addColumnIfNotExists(
     "ssh_data",
     "credential_id",
-    "INTEGER REFERENCES ssh_credentials(id)",
+    "INTEGER REFERENCES ssh_credentials(id) ON DELETE SET NULL",
+  );
+  addColumnIfNotExists(
+    "ssh_data",
+    "override_credential_username",
+    "INTEGER",
   );
 
   addColumnIfNotExists("ssh_data", "autostart_password", "TEXT");
   addColumnIfNotExists("ssh_data", "autostart_key", "TEXT");
   addColumnIfNotExists("ssh_data", "autostart_key_password", "TEXT");
+  addColumnIfNotExists("ssh_data", "stats_config", "TEXT");
+  addColumnIfNotExists("ssh_data", "terminal_config", "TEXT");
+  addColumnIfNotExists("ssh_data", "quick_actions", "TEXT");
 
   addColumnIfNotExists("ssh_credentials", "private_key", "TEXT");
   addColumnIfNotExists("ssh_credentials", "public_key", "TEXT");
@@ -370,6 +495,62 @@ const migrateSchema = () => {
   addColumnIfNotExists("file_manager_pinned", "host_id", "INTEGER NOT NULL");
   addColumnIfNotExists("file_manager_shortcuts", "host_id", "INTEGER NOT NULL");
 
+  addColumnIfNotExists("snippets", "folder", "TEXT");
+  addColumnIfNotExists("snippets", "order", "INTEGER NOT NULL DEFAULT 0");
+
+  try {
+    sqlite
+      .prepare("SELECT id FROM snippet_folders LIMIT 1")
+      .get();
+  } catch {
+    try {
+      sqlite.exec(`
+        CREATE TABLE IF NOT EXISTS snippet_folders (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          user_id TEXT NOT NULL,
+          name TEXT NOT NULL,
+          color TEXT,
+          icon TEXT,
+          created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+          updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+          FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
+        );
+      `);
+    } catch (createError) {
+      databaseLogger.warn("Failed to create snippet_folders table", {
+        operation: "schema_migration",
+        error: createError,
+      });
+    }
+  }
+
+  try {
+    sqlite
+      .prepare("SELECT id FROM sessions LIMIT 1")
+      .get();
+  } catch {
+    try {
+      sqlite.exec(`
+        CREATE TABLE IF NOT EXISTS sessions (
+          id TEXT PRIMARY KEY,
+          user_id TEXT NOT NULL,
+          jwt_token TEXT NOT NULL,
+          device_type TEXT NOT NULL,
+          device_info TEXT NOT NULL,
+          created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+          expires_at TEXT NOT NULL,
+          last_active_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+          FOREIGN KEY (user_id) REFERENCES users (id)
+        );
+      `);
+    } catch (createError) {
+      databaseLogger.warn("Failed to create sessions table", {
+        operation: "schema_migration",
+        error: createError,
+      });
+    }
+  }
+
   databaseLogger.success("Schema migration completed", {
     operation: "schema_migration",
   });
@@ -385,6 +566,13 @@ async function saveMemoryDatabaseToFile() {
       fs.mkdirSync(dataDir, { recursive: true });
     }
 
+    try {
+      const sessionCount = memoryDatabase
+        .prepare("SELECT COUNT(*) as count FROM sessions")
+        .get() as { count: number };
+    } catch (countError) {
+    }
+
     if (enableFileEncryption) {
       await DatabaseFileEncryption.encryptDatabaseFromBuffer(
         buffer,
@@ -476,21 +664,25 @@ async function cleanupDatabase() {
       for (const file of files) {
         try {
           fs.unlinkSync(path.join(tempDir, file));
-        } catch {}
+        } catch {
+        }
       }
 
       try {
         fs.rmdirSync(tempDir);
-      } catch {}
+      } catch {
+      }
     }
-  } catch (error) {}
+  } catch {
+  }
 }
 
 process.on("exit", () => {
   if (sqlite) {
     try {
       sqlite.close();
-    } catch {}
+    } catch {
+    }
   }
 });
 

src/backend/database/db/schema.ts

@@ -30,11 +30,28 @@ export const settings = sqliteTable("settings", {
   value: text("value").notNull(),
 });
 
+export const sessions = sqliteTable("sessions", {
+  id: text("id").primaryKey(),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  jwtToken: text("jwt_token").notNull(),
+  deviceType: text("device_type").notNull(),
+  deviceInfo: text("device_info").notNull(),
+  createdAt: text("created_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+  expiresAt: text("expires_at").notNull(),
+  lastActiveAt: text("last_active_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+});
+
 export const sshData = sqliteTable("ssh_data", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   name: text("name"),
   ip: text("ip").notNull(),
   port: integer("port").notNull(),
@@ -43,6 +60,7 @@ export const sshData = sqliteTable("ssh_data", {
   tags: text("tags"),
   pin: integer("pin", { mode: "boolean" }).notNull().default(false),
   authType: text("auth_type").notNull(),
+  forceKeyboardInteractive: text("force_keyboard_interactive"),
 
   password: text("password"),
   key: text("key", { length: 8192 }),
@@ -53,7 +71,10 @@ export const sshData = sqliteTable("ssh_data", {
   autostartKey: text("autostart_key", { length: 8192 }),
   autostartKeyPassword: text("autostart_key_password"),
 
-  credentialId: integer("credential_id").references(() => sshCredentials.id),
+  credentialId: integer("credential_id").references(() => sshCredentials.id, { onDelete: "set null" }),
+  overrideCredentialUsername: integer("override_credential_username", {
+    mode: "boolean",
+  }),
   enableTerminal: integer("enable_terminal", { mode: "boolean" })
     .notNull()
     .default(true),
@@ -61,10 +82,14 @@ export const sshData = sqliteTable("ssh_data", {
     .notNull()
     .default(true),
   tunnelConnections: text("tunnel_connections"),
+  jumpHosts: text("jump_hosts"),
   enableFileManager: integer("enable_file_manager", { mode: "boolean" })
     .notNull()
     .default(true),
   defaultPath: text("default_path"),
+  statsConfig: text("stats_config"),
+  terminalConfig: text("terminal_config"),
+  quickActions: text("quick_actions"),
   createdAt: text("created_at")
     .notNull()
     .default(sql`CURRENT_TIMESTAMP`),
@@ -77,10 +102,10 @@ export const fileManagerRecent = sqliteTable("file_manager_recent", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   hostId: integer("host_id")
     .notNull()
-    .references(() => sshData.id),
+    .references(() => sshData.id, { onDelete: "cascade" }),
   name: text("name").notNull(),
   path: text("path").notNull(),
   lastOpened: text("last_opened")
@@ -92,10 +117,10 @@ export const fileManagerPinned = sqliteTable("file_manager_pinned", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   hostId: integer("host_id")
     .notNull()
-    .references(() => sshData.id),
+    .references(() => sshData.id, { onDelete: "cascade" }),
   name: text("name").notNull(),
   path: text("path").notNull(),
   pinnedAt: text("pinned_at")
@@ -107,10 +132,10 @@ export const fileManagerShortcuts = sqliteTable("file_manager_shortcuts", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   hostId: integer("host_id")
     .notNull()
-    .references(() => sshData.id),
+    .references(() => sshData.id, { onDelete: "cascade" }),
   name: text("name").notNull(),
   path: text("path").notNull(),
   createdAt: text("created_at")
@@ -122,7 +147,7 @@ export const dismissedAlerts = sqliteTable("dismissed_alerts", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   alertId: text("alert_id").notNull(),
   dismissedAt: text("dismissed_at")
     .notNull()
@@ -133,7 +158,7 @@ export const sshCredentials = sqliteTable("ssh_credentials", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   name: text("name").notNull(),
   description: text("description"),
   folder: text("folder"),
@@ -161,14 +186,93 @@ export const sshCredentialUsage = sqliteTable("ssh_credential_usage", {
   id: integer("id").primaryKey({ autoIncrement: true }),
   credentialId: integer("credential_id")
     .notNull()
-    .references(() => sshCredentials.id),
+    .references(() => sshCredentials.id, { onDelete: "cascade" }),
   hostId: integer("host_id")
     .notNull()
-    .references(() => sshData.id),
+    .references(() => sshData.id, { onDelete: "cascade" }),
   userId: text("user_id")
     .notNull()
-    .references(() => users.id),
+    .references(() => users.id, { onDelete: "cascade" }),
   usedAt: text("used_at")
     .notNull()
     .default(sql`CURRENT_TIMESTAMP`),
 });
+
+export const snippets = sqliteTable("snippets", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  content: text("content").notNull(),
+  description: text("description"),
+  folder: text("folder"),
+  order: integer("order").notNull().default(0),
+  createdAt: text("created_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+  updatedAt: text("updated_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+});
+
+export const snippetFolders = sqliteTable("snippet_folders", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  color: text("color"),
+  icon: text("icon"),
+  createdAt: text("created_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+  updatedAt: text("updated_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+});
+
+export const sshFolders = sqliteTable("ssh_folders", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  color: text("color"),
+  icon: text("icon"),
+  createdAt: text("created_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+  updatedAt: text("updated_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+});
+
+export const recentActivity = sqliteTable("recent_activity", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  type: text("type").notNull(),
+  hostId: integer("host_id")
+    .notNull()
+    .references(() => sshData.id, { onDelete: "cascade" }),
+  hostName: text("host_name"),
+  timestamp: text("timestamp")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+});
+
+export const commandHistory = sqliteTable("command_history", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  hostId: integer("host_id")
+    .notNull()
+    .references(() => sshData.id, { onDelete: "cascade" }),
+  command: text("command").notNull(),
+  executedAt: text("executed_at")
+    .notNull()
+    .default(sql`CURRENT_TIMESTAMP`),
+});

src/backend/database/routes/alerts.ts

@@ -1,3 +1,8 @@
+import type {
+  AuthenticatedRequest,
+  CacheEntry,
+  TermixAlert,
+} from "../../../types/index.js";
 import express from "express";
 import { db } from "../db/index.js";
 import { dismissedAlerts } from "../db/schema.js";
@@ -6,17 +11,11 @@ import fetch from "node-fetch";
 import { authLogger } from "../../utils/logger.js";
 import { AuthManager } from "../../utils/auth-manager.js";
 
-interface CacheEntry {
-  data: any;
-  timestamp: number;
-  expiresAt: number;
-}
-
 class AlertCache {
   private cache: Map<string, CacheEntry> = new Map();
   private readonly CACHE_DURATION = 5 * 60 * 1000;
 
-  set(key: string, data: any): void {
+  set<T>(key: string, data: T): void {
     const now = Date.now();
     this.cache.set(key, {
       data,
@@ -25,7 +24,7 @@ class AlertCache {
     });
   }
 
-  get(key: string): any | null {
+  get<T>(key: string): T | null {
     const entry = this.cache.get(key);
     if (!entry) {
       return null;
@@ -36,31 +35,20 @@ class AlertCache {
       return null;
     }
 
-    return entry.data;
+    return entry.data as T;
   }
 }
 
 const alertCache = new AlertCache();
 
 const GITHUB_RAW_BASE = "https://raw.githubusercontent.com";
-const REPO_OWNER = "LukeGus";
-const REPO_NAME = "Termix-Docs";
+const REPO_OWNER = "Termix-SSH";
+const REPO_NAME = "Docs";
 const ALERTS_FILE = "main/termix-alerts.json";
 
-interface TermixAlert {
-  id: string;
-  title: string;
-  message: string;
-  expiresAt: string;
-  priority?: "low" | "medium" | "high" | "critical";
-  type?: "info" | "warning" | "error" | "success";
-  actionUrl?: string;
-  actionText?: string;
-}
-
 async function fetchAlertsFromGitHub(): Promise<TermixAlert[]> {
   const cacheKey = "termix_alerts";
-  const cachedData = alertCache.get(cacheKey);
+  const cachedData = alertCache.get<TermixAlert[]>(cacheKey);
   if (cachedData) {
     return cachedData;
   }
@@ -115,7 +103,7 @@ const authenticateJWT = authManager.createAuthMiddleware();
 // GET /alerts
 router.get("/", authenticateJWT, async (req, res) => {
   try {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     const allAlerts = await fetchAlertsFromGitHub();
 
@@ -148,7 +136,7 @@ router.get("/", authenticateJWT, async (req, res) => {
 router.post("/dismiss", authenticateJWT, async (req, res) => {
   try {
     const { alertId } = req.body;
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     if (!alertId) {
       authLogger.warn("Missing alertId in dismiss request", { userId });
@@ -170,7 +158,7 @@ router.post("/dismiss", authenticateJWT, async (req, res) => {
       return res.status(409).json({ error: "Alert already dismissed" });
     }
 
-    const result = await db.insert(dismissedAlerts).values({
+    await db.insert(dismissedAlerts).values({
       userId,
       alertId,
     });
@@ -186,7 +174,7 @@ router.post("/dismiss", authenticateJWT, async (req, res) => {
 // GET /alerts/dismissed/:userId
 router.get("/dismissed", authenticateJWT, async (req, res) => {
   try {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     const dismissedAlertRecords = await db
       .select({
@@ -211,7 +199,7 @@ router.get("/dismissed", authenticateJWT, async (req, res) => {
 router.delete("/dismiss", authenticateJWT, async (req, res) => {
   try {
     const { alertId } = req.body;
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     if (!alertId) {
       return res.status(400).json({ error: "Alert ID is required" });

src/backend/database/routes/credentials.ts

@@ -1,16 +1,15 @@
+import type { AuthenticatedRequest } from "../../../types/index.js";
 import express from "express";
 import { db } from "../db/index.js";
 import { sshCredentials, sshCredentialUsage, sshData } from "../db/schema.js";
 import { eq, and, desc, sql } from "drizzle-orm";
-import type { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
+import type { Request, Response } from "express";
 import { authLogger } from "../../utils/logger.js";
 import { SimpleDBOps } from "../../utils/simple-db-ops.js";
 import { AuthManager } from "../../utils/auth-manager.js";
 import {
   parseSSHKey,
   parsePublicKey,
-  detectKeyType,
   validateKeyPair,
 } from "../../utils/ssh-key-utils.js";
 import crypto from "crypto";
@@ -29,7 +28,11 @@ function generateSSHKeyPair(
 } {
   try {
     let ssh2Type = keyType;
-    const options: any = {};
+    const options: {
+      bits?: number;
+      passphrase?: string;
+      cipher?: string;
+    } = {};
 
     if (keyType === "ssh-rsa") {
       ssh2Type = "rsa";
@@ -46,6 +49,7 @@ function generateSSHKeyPair(
       options.cipher = "aes128-cbc";
     }
 
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const keyPair = ssh2Utils.generateKeyPairSync(ssh2Type as any, options);
 
     return {
@@ -64,7 +68,7 @@ function generateSSHKeyPair(
 
 const router = express.Router();
 
-function isNonEmptyString(val: any): val is string {
+function isNonEmptyString(val: unknown): val is string {
   return typeof val === "string" && val.trim().length > 0;
 }
 
@@ -79,7 +83,7 @@ router.post(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const {
       name,
       description,
@@ -226,7 +230,7 @@ router.get(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     if (!isNonEmptyString(userId)) {
       authLogger.warn("Invalid userId for credential fetch");
@@ -259,7 +263,7 @@ router.get(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     if (!isNonEmptyString(userId)) {
       authLogger.warn("Invalid userId for credential folder fetch");
@@ -297,7 +301,7 @@ router.get(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { id } = req.params;
 
     if (!isNonEmptyString(userId) || !id) {
@@ -328,19 +332,19 @@ router.get(
       const output = formatCredentialOutput(credential);
 
       if (credential.password) {
-        (output as any).password = credential.password;
+        output.password = credential.password;
       }
       if (credential.key) {
-        (output as any).key = credential.key;
+        output.key = credential.key;
       }
       if (credential.private_key) {
-        (output as any).privateKey = credential.private_key;
+        output.privateKey = credential.private_key;
       }
       if (credential.public_key) {
-        (output as any).publicKey = credential.public_key;
+        output.publicKey = credential.public_key;
       }
       if (credential.key_password) {
-        (output as any).keyPassword = credential.key_password;
+        output.keyPassword = credential.key_password;
       }
 
       res.json(output);
@@ -361,7 +365,7 @@ router.put(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { id } = req.params;
     const updateData = req.body;
 
@@ -385,7 +389,7 @@ router.put(
         return res.status(404).json({ error: "Credential not found" });
       }
 
-      const updateFields: any = {};
+      const updateFields: Record<string, string | null | undefined> = {};
 
       if (updateData.name !== undefined)
         updateFields.name = updateData.name.trim();
@@ -497,7 +501,7 @@ router.delete(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { id } = req.params;
 
     if (!isNonEmptyString(userId) || !id) {
@@ -520,6 +524,8 @@ router.delete(
         return res.status(404).json({ error: "Credential not found" });
       }
 
+      // Update hosts using this credential to set credentialId to null
+      // This prevents orphaned references before deletion
       const hostsUsingCredential = await db
         .select()
         .from(sshData)
@@ -548,14 +554,8 @@ router.delete(
           );
       }
 
-      await db
-        .delete(sshCredentialUsage)
-        .where(
-          and(
-            eq(sshCredentialUsage.credentialId, parseInt(id)),
-            eq(sshCredentialUsage.userId, userId),
-          ),
-        );
+      // sshCredentialUsage will be automatically deleted by ON DELETE CASCADE
+      // No need for manual deletion
 
       await db
         .delete(sshCredentials)
@@ -596,7 +596,7 @@ router.post(
   "/:id/apply-to-host/:hostId",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { id: credentialId, hostId } = req.params;
 
     if (!isNonEmptyString(userId) || !credentialId || !hostId) {
@@ -629,8 +629,8 @@ router.post(
         .update(sshData)
         .set({
           credentialId: parseInt(credentialId),
-          username: credential.username,
-          authType: credential.auth_type || credential.authType,
+          username: credential.username as string,
+          authType: (credential.auth_type || credential.authType) as string,
           password: null,
           key: null,
           key_password: null,
@@ -675,7 +675,7 @@ router.get(
   "/:id/hosts",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { id: credentialId } = req.params;
 
     if (!isNonEmptyString(userId) || !credentialId) {
@@ -707,7 +707,9 @@ router.get(
   },
 );
 
-function formatCredentialOutput(credential: any): any {
+function formatCredentialOutput(
+  credential: Record<string, unknown>,
+): Record<string, unknown> {
   return {
     id: credential.id,
     name: credential.name,
@@ -731,7 +733,9 @@ function formatCredentialOutput(credential: any): any {
   };
 }
 
-function formatSSHHostOutput(host: any): any {
+function formatSSHHostOutput(
+  host: Record<string, unknown>,
+): Record<string, unknown> {
   return {
     id: host.id,
     userId: host.userId,
@@ -751,7 +755,7 @@ function formatSSHHostOutput(host: any): any {
     enableTerminal: !!host.enableTerminal,
     enableTunnel: !!host.enableTunnel,
     tunnelConnections: host.tunnelConnections
-      ? JSON.parse(host.tunnelConnections)
+      ? JSON.parse(host.tunnelConnections as string)
       : [],
     enableFileManager: !!host.enableFileManager,
     defaultPath: host.defaultPath,
@@ -766,7 +770,7 @@ router.put(
   "/folders/rename",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { oldName, newName } = req.body;
 
     if (!isNonEmptyString(oldName) || !isNonEmptyString(newName)) {
@@ -970,7 +974,7 @@ router.post(
 
     try {
       let privateKeyObj;
-      let parseAttempts = [];
+      const parseAttempts = [];
 
       try {
         privateKeyObj = crypto.createPrivateKey({
@@ -1093,7 +1097,9 @@ router.post(
           finalPublicKey = `${keyType} ${base64Data}`;
           formatType = "ssh";
         }
-      } catch (sshError) {}
+      } catch {
+        // Ignore validation errors
+      }
 
       const response = {
         success: true,
@@ -1117,15 +1123,15 @@ router.post(
 );
 
 async function deploySSHKeyToHost(
-  hostConfig: any,
+  hostConfig: Record<string, unknown>,
   publicKey: string,
-  credentialData: any,
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  _credentialData: Record<string, unknown>,
 ): Promise<{ success: boolean; message?: string; error?: string }> {
   return new Promise((resolve) => {
     const conn = new Client();
-    let connectionTimeout: NodeJS.Timeout;
 
-    connectionTimeout = setTimeout(() => {
+    const connectionTimeout = setTimeout(() => {
       conn.destroy();
       resolve({ success: false, error: "Connection timeout" });
     }, 120000);
@@ -1158,7 +1164,9 @@ async function deploySSHKeyToHost(
                 }
               });
 
-              stream.on("data", (data) => {});
+              stream.on("data", () => {
+                // Ignore output
+              });
             },
           );
         });
@@ -1175,7 +1183,9 @@ async function deploySSHKeyToHost(
               if (parsed.data) {
                 actualPublicKey = parsed.data;
               }
-            } catch (e) {}
+            } catch {
+              // Ignore parse errors
+            }
 
             const keyParts = actualPublicKey.trim().split(" ");
             if (keyParts.length < 2) {
@@ -1202,7 +1212,7 @@ async function deploySSHKeyToHost(
                   output += data.toString();
                 });
 
-                stream.on("close", (code) => {
+                stream.on("close", () => {
                   clearTimeout(checkTimeout);
                   const exists = output.trim() === "0";
                   resolveCheck(exists);
@@ -1229,7 +1239,9 @@ async function deploySSHKeyToHost(
             if (parsed.data) {
               actualPublicKey = parsed.data;
             }
-          } catch (e) {}
+          } catch {
+            // Ignore parse errors
+          }
 
           const escapedKey = actualPublicKey
             .replace(/\\/g, "\\\\")
@@ -1243,6 +1255,10 @@ async function deploySSHKeyToHost(
                 return rejectAdd(err);
               }
 
+              stream.on("data", () => {
+                // Consume output
+              });
+
               stream.on("close", (code) => {
                 clearTimeout(addTimeout);
                 if (code === 0) {
@@ -1269,7 +1285,9 @@ async function deploySSHKeyToHost(
               if (parsed.data) {
                 actualPublicKey = parsed.data;
               }
-            } catch (e) {}
+            } catch {
+              // Ignore parse errors
+            }
 
             const keyParts = actualPublicKey.trim().split(" ");
             if (keyParts.length < 2) {
@@ -1295,7 +1313,7 @@ async function deploySSHKeyToHost(
                   output += data.toString();
                 });
 
-                stream.on("close", (code) => {
+                stream.on("close", () => {
                   clearTimeout(verifyTimeout);
                   const verified = output.trim() === "0";
                   resolveVerify(verified);
@@ -1356,7 +1374,7 @@ async function deploySSHKeyToHost(
     });
 
     try {
-      const connectionConfig: any = {
+      const connectionConfig: Record<string, unknown> = {
         host: hostConfig.ip,
         port: hostConfig.port || 22,
         username: hostConfig.username,
@@ -1403,14 +1421,15 @@ async function deploySSHKeyToHost(
         connectionConfig.password = hostConfig.password;
       } else if (hostConfig.authType === "key" && hostConfig.privateKey) {
         try {
+          const privateKey = hostConfig.privateKey as string;
           if (
-            !hostConfig.privateKey.includes("-----BEGIN") ||
-            !hostConfig.privateKey.includes("-----END")
+            !privateKey.includes("-----BEGIN") ||
+            !privateKey.includes("-----END")
           ) {
             throw new Error("Invalid private key format");
           }
 
-          const cleanKey = hostConfig.privateKey
+          const cleanKey = privateKey
             .trim()
             .replace(/\r\n/g, "\n")
             .replace(/\r/g, "\n");
@@ -1465,7 +1484,7 @@ router.post(
     }
 
     try {
-      const userId = (req as any).userId;
+      const userId = (req as AuthenticatedRequest).userId;
       if (!userId) {
         return res.status(401).json({
           success: false,
@@ -1500,7 +1519,8 @@ router.post(
         });
       }
 
-      if (!credData.publicKey) {
+      const publicKey = credData.public_key || credData.publicKey;
+      if (!publicKey) {
         return res.status(400).json({
           success: false,
           error: "Public key is required for deployment",
@@ -1521,7 +1541,7 @@ router.post(
 
       const hostData = targetHost[0];
 
-      let hostConfig = {
+      const hostConfig = {
         ip: hostData.ip,
         port: hostData.port,
         username: hostData.username,
@@ -1532,7 +1552,7 @@ router.post(
       };
 
       if (hostData.authType === "credential" && hostData.credentialId) {
-        const userId = (req as any).userId;
+        const userId = (req as AuthenticatedRequest).userId;
         if (!userId) {
           return res.status(400).json({
             success: false,
@@ -1546,7 +1566,7 @@ router.post(
             db
               .select()
               .from(sshCredentials)
-              .where(eq(sshCredentials.id, hostData.credentialId))
+              .where(eq(sshCredentials.id, hostData.credentialId as number))
               .limit(1),
             "ssh_credentials",
             userId,
@@ -1571,7 +1591,7 @@ router.post(
               error: "Host credential not found",
             });
           }
-        } catch (error) {
+        } catch {
           return res.status(500).json({
             success: false,
             error: "Failed to resolve host credentials",
@@ -1581,7 +1601,7 @@ router.post(
 
       const deployResult = await deploySSHKeyToHost(
         hostConfig,
-        credData.publicKey,
+        publicKey as string,
         credData,
       );
 

src/backend/database/routes/snippets.ts

@@ -0,0 +1,935 @@
+import type { AuthenticatedRequest } from "../../../types/index.js";
+import express from "express";
+import { db } from "../db/index.js";
+import { snippets, snippetFolders } from "../db/schema.js";
+import { eq, and, desc, asc, sql } from "drizzle-orm";
+import type { Request, Response } from "express";
+import { authLogger } from "../../utils/logger.js";
+import { AuthManager } from "../../utils/auth-manager.js";
+
+const router = express.Router();
+
+function isNonEmptyString(val: unknown): val is string {
+  return typeof val === "string" && val.trim().length > 0;
+}
+
+const authManager = AuthManager.getInstance();
+const authenticateJWT = authManager.createAuthMiddleware();
+const requireDataAccess = authManager.createDataAccessMiddleware();
+
+// Get all snippet folders
+// GET /snippets/folders
+router.get(
+  "/folders",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+
+    if (!isNonEmptyString(userId)) {
+      authLogger.warn("Invalid userId for snippet folders fetch");
+      return res.status(400).json({ error: "Invalid userId" });
+    }
+
+    try {
+      const result = await db
+        .select()
+        .from(snippetFolders)
+        .where(eq(snippetFolders.userId, userId))
+        .orderBy(asc(snippetFolders.name));
+
+      res.json(result);
+    } catch (err) {
+      authLogger.error("Failed to fetch snippet folders", err);
+      res.status(500).json({ error: "Failed to fetch snippet folders" });
+    }
+  },
+);
+
+// Create a new snippet folder
+// POST /snippets/folders
+router.post(
+  "/folders",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { name, color, icon } = req.body;
+
+    if (!isNonEmptyString(userId) || !isNonEmptyString(name)) {
+      authLogger.warn("Invalid snippet folder creation data", {
+        operation: "snippet_folder_create",
+        userId,
+        hasName: !!name,
+      });
+      return res.status(400).json({ error: "Folder name is required" });
+    }
+
+    try {
+      const existing = await db
+        .select()
+        .from(snippetFolders)
+        .where(
+          and(eq(snippetFolders.userId, userId), eq(snippetFolders.name, name)),
+        );
+
+      if (existing.length > 0) {
+        return res
+          .status(409)
+          .json({ error: "Folder with this name already exists" });
+      }
+
+      const insertData = {
+        userId,
+        name: name.trim(),
+        color: color?.trim() || null,
+        icon: icon?.trim() || null,
+      };
+
+      const result = await db
+        .insert(snippetFolders)
+        .values(insertData)
+        .returning();
+
+      authLogger.success(`Snippet folder created: ${name} by user ${userId}`, {
+        operation: "snippet_folder_create_success",
+        userId,
+        name,
+      });
+
+      res.status(201).json(result[0]);
+    } catch (err) {
+      authLogger.error("Failed to create snippet folder", err);
+      res.status(500).json({
+        error:
+          err instanceof Error
+            ? err.message
+            : "Failed to create snippet folder",
+      });
+    }
+  },
+);
+
+// Update snippet folder metadata (color, icon)
+// PUT /snippets/folders/:name/metadata
+router.put(
+  "/folders/:name/metadata",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { name } = req.params;
+    const { color, icon } = req.body;
+
+    if (!isNonEmptyString(userId) || !name) {
+      authLogger.warn("Invalid request for snippet folder metadata update");
+      return res.status(400).json({ error: "Invalid request" });
+    }
+
+    try {
+      const existing = await db
+        .select()
+        .from(snippetFolders)
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, decodeURIComponent(name)),
+          ),
+        );
+
+      if (existing.length === 0) {
+        return res.status(404).json({ error: "Folder not found" });
+      }
+
+      const updateFields: Partial<{
+        color: string | null;
+        icon: string | null;
+        updatedAt: ReturnType<typeof sql.raw>;
+      }> = {
+        updatedAt: sql`CURRENT_TIMESTAMP`,
+      };
+
+      if (color !== undefined) updateFields.color = color?.trim() || null;
+      if (icon !== undefined) updateFields.icon = icon?.trim() || null;
+
+      await db
+        .update(snippetFolders)
+        .set(updateFields)
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, decodeURIComponent(name)),
+          ),
+        );
+
+      const updated = await db
+        .select()
+        .from(snippetFolders)
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, decodeURIComponent(name)),
+          ),
+        );
+
+      authLogger.success(
+        `Snippet folder metadata updated: ${name} by user ${userId}`,
+        {
+          operation: "snippet_folder_metadata_update_success",
+          userId,
+          name,
+        },
+      );
+
+      res.json(updated[0]);
+    } catch (err) {
+      authLogger.error("Failed to update snippet folder metadata", err);
+      res.status(500).json({
+        error:
+          err instanceof Error
+            ? err.message
+            : "Failed to update snippet folder metadata",
+      });
+    }
+  },
+);
+
+// Rename snippet folder
+// PUT /snippets/folders/rename
+router.put(
+  "/folders/rename",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { oldName, newName } = req.body;
+
+    if (
+      !isNonEmptyString(userId) ||
+      !isNonEmptyString(oldName) ||
+      !isNonEmptyString(newName)
+    ) {
+      authLogger.warn("Invalid request for snippet folder rename");
+      return res.status(400).json({ error: "Invalid request" });
+    }
+
+    try {
+      const existing = await db
+        .select()
+        .from(snippetFolders)
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, oldName),
+          ),
+        );
+
+      if (existing.length === 0) {
+        return res.status(404).json({ error: "Folder not found" });
+      }
+
+      const nameExists = await db
+        .select()
+        .from(snippetFolders)
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, newName),
+          ),
+        );
+
+      if (nameExists.length > 0) {
+        return res
+          .status(409)
+          .json({ error: "Folder with new name already exists" });
+      }
+
+      await db
+        .update(snippetFolders)
+        .set({ name: newName, updatedAt: sql`CURRENT_TIMESTAMP` })
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, oldName),
+          ),
+        );
+
+      await db
+        .update(snippets)
+        .set({ folder: newName })
+        .where(and(eq(snippets.userId, userId), eq(snippets.folder, oldName)));
+
+      authLogger.success(
+        `Snippet folder renamed: ${oldName} -> ${newName} by user ${userId}`,
+        {
+          operation: "snippet_folder_rename_success",
+          userId,
+          oldName,
+          newName,
+        },
+      );
+
+      res.json({ success: true, oldName, newName });
+    } catch (err) {
+      authLogger.error("Failed to rename snippet folder", err);
+      res.status(500).json({
+        error:
+          err instanceof Error
+            ? err.message
+            : "Failed to rename snippet folder",
+      });
+    }
+  },
+);
+
+// Delete snippet folder
+// DELETE /snippets/folders/:name
+router.delete(
+  "/folders/:name",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { name } = req.params;
+
+    if (!isNonEmptyString(userId) || !name) {
+      authLogger.warn("Invalid request for snippet folder delete");
+      return res.status(400).json({ error: "Invalid request" });
+    }
+
+    try {
+      const folderName = decodeURIComponent(name);
+
+      await db
+        .update(snippets)
+        .set({ folder: null })
+        .where(
+          and(eq(snippets.userId, userId), eq(snippets.folder, folderName)),
+        );
+
+      await db
+        .delete(snippetFolders)
+        .where(
+          and(
+            eq(snippetFolders.userId, userId),
+            eq(snippetFolders.name, folderName),
+          ),
+        );
+
+      authLogger.success(
+        `Snippet folder deleted: ${folderName} by user ${userId}`,
+        {
+          operation: "snippet_folder_delete_success",
+          userId,
+          name: folderName,
+        },
+      );
+
+      res.json({ success: true });
+    } catch (err) {
+      authLogger.error("Failed to delete snippet folder", err);
+      res.status(500).json({
+        error:
+          err instanceof Error
+            ? err.message
+            : "Failed to delete snippet folder",
+      });
+    }
+  },
+);
+
+// Reorder snippets (bulk update)
+// PUT /snippets/reorder
+router.put(
+  "/reorder",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { snippets: snippetUpdates } = req.body;
+
+    if (!isNonEmptyString(userId)) {
+      authLogger.warn("Invalid userId for snippet reorder");
+      return res.status(400).json({ error: "Invalid userId" });
+    }
+
+    if (!Array.isArray(snippetUpdates) || snippetUpdates.length === 0) {
+      authLogger.warn("Invalid snippet reorder data", {
+        operation: "snippet_reorder",
+        userId,
+      });
+      return res
+        .status(400)
+        .json({ error: "snippets array is required and must not be empty" });
+    }
+
+    try {
+      for (const update of snippetUpdates) {
+        const { id, order, folder } = update;
+
+        if (!id || order === undefined) {
+          continue;
+        }
+
+        const updateFields: Partial<{
+          order: number;
+          folder: string | null;
+        }> = {
+          order,
+        };
+
+        if (folder !== undefined) {
+          updateFields.folder = folder?.trim() || null;
+        }
+
+        await db
+          .update(snippets)
+          .set(updateFields)
+          .where(and(eq(snippets.id, id), eq(snippets.userId, userId)));
+      }
+
+      authLogger.success(`Snippets reordered by user ${userId}`, {
+        operation: "snippet_reorder_success",
+        userId,
+        count: snippetUpdates.length,
+      });
+
+      res.json({ success: true, updated: snippetUpdates.length });
+    } catch (err) {
+      authLogger.error("Failed to reorder snippets", err);
+      res.status(500).json({
+        error:
+          err instanceof Error ? err.message : "Failed to reorder snippets",
+      });
+    }
+  },
+);
+
+// Execute a snippet on a host
+// POST /snippets/execute
+router.post(
+  "/execute",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { snippetId, hostId } = req.body;
+
+    if (!isNonEmptyString(userId) || !snippetId || !hostId) {
+      authLogger.warn("Invalid snippet execution request", {
+        userId,
+        snippetId,
+        hostId,
+      });
+      return res
+        .status(400)
+        .json({ error: "Snippet ID and Host ID are required" });
+    }
+
+    try {
+      const snippetResult = await db
+        .select()
+        .from(snippets)
+        .where(
+          and(
+            eq(snippets.id, parseInt(snippetId)),
+            eq(snippets.userId, userId),
+          ),
+        );
+
+      if (snippetResult.length === 0) {
+        return res.status(404).json({ error: "Snippet not found" });
+      }
+
+      const snippet = snippetResult[0];
+
+      const { Client } = await import("ssh2");
+      const { sshData, sshCredentials } = await import("../db/schema.js");
+
+      const { SimpleDBOps } = await import("../../utils/simple-db-ops.js");
+
+      const hostResult = await SimpleDBOps.select(
+        db
+          .select()
+          .from(sshData)
+          .where(
+            and(eq(sshData.id, parseInt(hostId)), eq(sshData.userId, userId)),
+          ),
+        "ssh_data",
+        userId,
+      );
+
+      if (hostResult.length === 0) {
+        return res.status(404).json({ error: "Host not found" });
+      }
+
+      const host = hostResult[0];
+
+      let password = host.password;
+      let privateKey = host.key;
+      let passphrase = host.key_password;
+      let authType = host.authType;
+
+      if (host.credentialId) {
+        const credResult = await SimpleDBOps.select(
+          db
+            .select()
+            .from(sshCredentials)
+            .where(
+              and(
+                eq(sshCredentials.id, host.credentialId as number),
+                eq(sshCredentials.userId, userId),
+              ),
+            ),
+          "ssh_credentials",
+          userId,
+        );
+
+        if (credResult.length > 0) {
+          const cred = credResult[0];
+          authType = (cred.auth_type || cred.authType || authType) as string;
+          password = (cred.password || undefined) as string | undefined;
+          privateKey = (cred.private_key || cred.key || undefined) as
+            | string
+            | undefined;
+          passphrase = (cred.key_password || undefined) as string | undefined;
+        }
+      }
+
+      const conn = new Client();
+      let output = "";
+      let errorOutput = "";
+
+      const executePromise = new Promise<{
+        success: boolean;
+        output: string;
+        error?: string;
+      }>((resolve, reject) => {
+        const timeout = setTimeout(() => {
+          conn.end();
+          reject(new Error("Command execution timeout (30s)"));
+        }, 30000);
+
+        conn.on("ready", () => {
+          conn.exec(snippet.content, (err, stream) => {
+            if (err) {
+              clearTimeout(timeout);
+              conn.end();
+              return reject(err);
+            }
+
+            stream.on("close", () => {
+              clearTimeout(timeout);
+              conn.end();
+              if (errorOutput) {
+                resolve({ success: false, output, error: errorOutput });
+              } else {
+                resolve({ success: true, output });
+              }
+            });
+
+            stream.on("data", (data: Buffer) => {
+              output += data.toString();
+            });
+
+            stream.stderr.on("data", (data: Buffer) => {
+              errorOutput += data.toString();
+            });
+          });
+        });
+
+        conn.on("error", (err) => {
+          clearTimeout(timeout);
+          reject(err);
+        });
+
+        const config: any = {
+          host: host.ip,
+          port: host.port,
+          username: host.username,
+          tryKeyboard: true,
+          keepaliveInterval: 30000,
+          keepaliveCountMax: 3,
+          readyTimeout: 30000,
+          tcpKeepAlive: true,
+          tcpKeepAliveInitialDelay: 30000,
+          timeout: 30000,
+          env: {
+            TERM: "xterm-256color",
+            LANG: "en_US.UTF-8",
+            LC_ALL: "en_US.UTF-8",
+            LC_CTYPE: "en_US.UTF-8",
+            LC_MESSAGES: "en_US.UTF-8",
+            LC_MONETARY: "en_US.UTF-8",
+            LC_NUMERIC: "en_US.UTF-8",
+            LC_TIME: "en_US.UTF-8",
+            LC_COLLATE: "en_US.UTF-8",
+            COLORTERM: "truecolor",
+          },
+          algorithms: {
+            kex: [
+              "curve25519-sha256",
+              "curve25519-sha256@libssh.org",
+              "ecdh-sha2-nistp521",
+              "ecdh-sha2-nistp384",
+              "ecdh-sha2-nistp256",
+              "diffie-hellman-group-exchange-sha256",
+              "diffie-hellman-group14-sha256",
+              "diffie-hellman-group14-sha1",
+              "diffie-hellman-group-exchange-sha1",
+              "diffie-hellman-group1-sha1",
+            ],
+            serverHostKey: [
+              "ssh-ed25519",
+              "ecdsa-sha2-nistp521",
+              "ecdsa-sha2-nistp384",
+              "ecdsa-sha2-nistp256",
+              "rsa-sha2-512",
+              "rsa-sha2-256",
+              "ssh-rsa",
+              "ssh-dss",
+            ],
+            cipher: [
+              "chacha20-poly1305@openssh.com",
+              "aes256-gcm@openssh.com",
+              "aes128-gcm@openssh.com",
+              "aes256-ctr",
+              "aes192-ctr",
+              "aes128-ctr",
+              "aes256-cbc",
+              "aes192-cbc",
+              "aes128-cbc",
+              "3des-cbc",
+            ],
+            hmac: [
+              "hmac-sha2-512-etm@openssh.com",
+              "hmac-sha2-256-etm@openssh.com",
+              "hmac-sha2-512",
+              "hmac-sha2-256",
+              "hmac-sha1",
+              "hmac-md5",
+            ],
+            compress: ["none", "zlib@openssh.com", "zlib"],
+          },
+        };
+
+        if (authType === "password" && password) {
+          config.password = password;
+        } else if (authType === "key" && privateKey) {
+          const cleanKey = (privateKey as string)
+            .trim()
+            .replace(/\r\n/g, "\n")
+            .replace(/\r/g, "\n");
+          config.privateKey = Buffer.from(cleanKey, "utf8");
+          if (passphrase) {
+            config.passphrase = passphrase;
+          }
+        } else if (password) {
+          config.password = password;
+        } else if (privateKey) {
+          const cleanKey = (privateKey as string)
+            .trim()
+            .replace(/\r\n/g, "\n")
+            .replace(/\r/g, "\n");
+          config.privateKey = Buffer.from(cleanKey, "utf8");
+          if (passphrase) {
+            config.passphrase = passphrase;
+          }
+        }
+
+        conn.connect(config);
+      });
+
+      const result = await executePromise;
+
+      authLogger.success(
+        `Snippet executed: ${snippet.name} on host ${hostId}`,
+        {
+          operation: "snippet_execute_success",
+          userId,
+          snippetId,
+          hostId,
+        },
+      );
+
+      res.json(result);
+    } catch (err) {
+      authLogger.error("Failed to execute snippet", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to execute snippet",
+      });
+    }
+  },
+);
+
+// Get all snippets for the authenticated user
+// GET /snippets
+router.get(
+  "/",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+
+    if (!isNonEmptyString(userId)) {
+      authLogger.warn("Invalid userId for snippets fetch");
+      return res.status(400).json({ error: "Invalid userId" });
+    }
+
+    try {
+      const result = await db
+        .select()
+        .from(snippets)
+        .where(eq(snippets.userId, userId))
+        .orderBy(
+          sql`CASE WHEN ${snippets.folder} IS NULL OR ${snippets.folder} = '' THEN 0 ELSE 1 END`,
+          asc(snippets.folder),
+          asc(snippets.order),
+          desc(snippets.updatedAt),
+        );
+
+      res.json(result);
+    } catch (err) {
+      authLogger.error("Failed to fetch snippets", err);
+      res.status(500).json({ error: "Failed to fetch snippets" });
+    }
+  },
+);
+
+// Get a specific snippet by ID
+// GET /snippets/:id
+router.get(
+  "/:id",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { id } = req.params;
+    const snippetId = parseInt(id, 10);
+
+    if (!isNonEmptyString(userId) || isNaN(snippetId)) {
+      authLogger.warn("Invalid request for snippet fetch: invalid ID", {
+        userId,
+        id,
+      });
+      return res.status(400).json({ error: "Invalid request parameters" });
+    }
+
+    try {
+      const result = await db
+        .select()
+        .from(snippets)
+        .where(and(eq(snippets.id, parseInt(id)), eq(snippets.userId, userId)));
+
+      if (result.length === 0) {
+        return res.status(404).json({ error: "Snippet not found" });
+      }
+
+      res.json(result[0]);
+    } catch (err) {
+      authLogger.error("Failed to fetch snippet", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to fetch snippet",
+      });
+    }
+  },
+);
+
+// Create a new snippet
+// POST /snippets
+router.post(
+  "/",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { name, content, description, folder, order } = req.body;
+
+    if (
+      !isNonEmptyString(userId) ||
+      !isNonEmptyString(name) ||
+      !isNonEmptyString(content)
+    ) {
+      authLogger.warn("Invalid snippet creation data validation failed", {
+        operation: "snippet_create",
+        userId,
+        hasName: !!name,
+        hasContent: !!content,
+      });
+      return res.status(400).json({ error: "Name and content are required" });
+    }
+
+    try {
+      let snippetOrder = order;
+      if (snippetOrder === undefined || snippetOrder === null) {
+        const folderValue = folder?.trim() || "";
+        const maxOrderResult = await db
+          .select({ maxOrder: sql<number>`MAX(${snippets.order})` })
+          .from(snippets)
+          .where(
+            and(
+              eq(snippets.userId, userId),
+              folderValue
+                ? eq(snippets.folder, folderValue)
+                : sql`(${snippets.folder} IS NULL OR ${snippets.folder} = '')`,
+            ),
+          );
+        const maxOrder = maxOrderResult[0]?.maxOrder ?? -1;
+        snippetOrder = maxOrder + 1;
+      }
+
+      const insertData = {
+        userId,
+        name: name.trim(),
+        content: content.trim(),
+        description: description?.trim() || null,
+        folder: folder?.trim() || null,
+        order: snippetOrder,
+      };
+
+      const result = await db.insert(snippets).values(insertData).returning();
+
+      authLogger.success(`Snippet created: ${name} by user ${userId}`, {
+        operation: "snippet_create_success",
+        userId,
+        snippetId: result[0].id,
+        name,
+      });
+
+      res.status(201).json(result[0]);
+    } catch (err) {
+      authLogger.error("Failed to create snippet", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to create snippet",
+      });
+    }
+  },
+);
+
+// Update a snippet
+// PUT /snippets/:id
+router.put(
+  "/:id",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { id } = req.params;
+    const updateData = req.body;
+
+    if (!isNonEmptyString(userId) || !id) {
+      authLogger.warn("Invalid request for snippet update");
+      return res.status(400).json({ error: "Invalid request" });
+    }
+
+    try {
+      const existing = await db
+        .select()
+        .from(snippets)
+        .where(and(eq(snippets.id, parseInt(id)), eq(snippets.userId, userId)));
+
+      if (existing.length === 0) {
+        return res.status(404).json({ error: "Snippet not found" });
+      }
+
+      const updateFields: Partial<{
+        updatedAt: ReturnType<typeof sql.raw>;
+        name: string;
+        content: string;
+        description: string | null;
+        folder: string | null;
+        order: number;
+      }> = {
+        updatedAt: sql`CURRENT_TIMESTAMP`,
+      };
+
+      if (updateData.name !== undefined)
+        updateFields.name = updateData.name.trim();
+      if (updateData.content !== undefined)
+        updateFields.content = updateData.content.trim();
+      if (updateData.description !== undefined)
+        updateFields.description = updateData.description?.trim() || null;
+      if (updateData.folder !== undefined)
+        updateFields.folder = updateData.folder?.trim() || null;
+      if (updateData.order !== undefined) updateFields.order = updateData.order;
+
+      await db
+        .update(snippets)
+        .set(updateFields)
+        .where(and(eq(snippets.id, parseInt(id)), eq(snippets.userId, userId)));
+
+      const updated = await db
+        .select()
+        .from(snippets)
+        .where(eq(snippets.id, parseInt(id)));
+
+      authLogger.success(
+        `Snippet updated: ${updated[0].name} by user ${userId}`,
+        {
+          operation: "snippet_update_success",
+          userId,
+          snippetId: parseInt(id),
+          name: updated[0].name,
+        },
+      );
+
+      res.json(updated[0]);
+    } catch (err) {
+      authLogger.error("Failed to update snippet", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to update snippet",
+      });
+    }
+  },
+);
+
+// Delete a snippet
+// DELETE /snippets/:id
+router.delete(
+  "/:id",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { id } = req.params;
+
+    if (!isNonEmptyString(userId) || !id) {
+      authLogger.warn("Invalid request for snippet delete");
+      return res.status(400).json({ error: "Invalid request" });
+    }
+
+    try {
+      const existing = await db
+        .select()
+        .from(snippets)
+        .where(and(eq(snippets.id, parseInt(id)), eq(snippets.userId, userId)));
+
+      if (existing.length === 0) {
+        return res.status(404).json({ error: "Snippet not found" });
+      }
+
+      await db
+        .delete(snippets)
+        .where(and(eq(snippets.id, parseInt(id)), eq(snippets.userId, userId)));
+
+      authLogger.success(
+        `Snippet deleted: ${existing[0].name} by user ${userId}`,
+        {
+          operation: "snippet_delete_success",
+          userId,
+          snippetId: parseInt(id),
+          name: existing[0].name,
+        },
+      );
+
+      res.json({ success: true });
+    } catch (err) {
+      authLogger.error("Failed to delete snippet", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to delete snippet",
+      });
+    }
+  },
+);
+
+export default router;

src/backend/database/routes/ssh.ts

@@ -1,3 +1,4 @@
+import type { AuthenticatedRequest } from "../../../types/index.js";
 import express from "express";
 import { db } from "../db/index.js";
 import {
@@ -7,10 +8,12 @@ import {
   fileManagerRecent,
   fileManagerPinned,
   fileManagerShortcuts,
+  sshFolders,
+  commandHistory,
+  recentActivity,
 } from "../db/schema.js";
 import { eq, and, desc, isNotNull, or } from "drizzle-orm";
-import type { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
+import type { Request, Response } from "express";
 import multer from "multer";
 import { sshLogger } from "../../utils/logger.js";
 import { SimpleDBOps } from "../../utils/simple-db-ops.js";
@@ -23,11 +26,11 @@ const router = express.Router();
 
 const upload = multer({ storage: multer.memoryStorage() });
 
-function isNonEmptyString(value: any): value is string {
+function isNonEmptyString(value: unknown): value is string {
   return typeof value === "string" && value.trim().length > 0;
 }
 
-function isValidPort(port: any): port is number {
+function isValidPort(port: unknown): port is number {
   return typeof port === "number" && port > 0 && port <= 65535;
 }
 
@@ -75,7 +78,7 @@ router.get("/db/host/internal", async (req: Request, res: Response) => {
           : [];
 
         const hasAutoStartTunnels = tunnelConnections.some(
-          (tunnel: any) => tunnel.autoStart,
+          (tunnel: Record<string, unknown>) => tunnel.autoStart,
         );
 
         if (!hasAutoStartTunnels) {
@@ -100,7 +103,7 @@ router.get("/db/host/internal", async (req: Request, res: Response) => {
           credentialId: host.credentialId,
           enableTunnel: true,
           tunnelConnections: tunnelConnections.filter(
-            (tunnel: any) => tunnel.autoStart,
+            (tunnel: Record<string, unknown>) => tunnel.autoStart,
           ),
           pin: !!host.pin,
           enableTerminal: !!host.enableTerminal,
@@ -184,8 +187,8 @@ router.post(
   requireDataAccess,
   upload.single("key"),
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
-    let hostData: any;
+    const userId = (req as AuthenticatedRequest).userId;
+    let hostData: Record<string, unknown>;
 
     if (req.headers["content-type"]?.includes("multipart/form-data")) {
       if (req.body.data) {
@@ -234,6 +237,11 @@ router.post(
       enableFileManager,
       defaultPath,
       tunnelConnections,
+      jumpHosts,
+      quickActions,
+      statsConfig,
+      terminalConfig,
+      forceKeyboardInteractive,
     } = hostData;
     if (
       !isNonEmptyString(userId) ||
@@ -251,7 +259,7 @@ router.post(
     }
 
     const effectiveAuthType = authType || authMethod;
-    const sshDataObj: any = {
+    const sshDataObj: Record<string, unknown> = {
       userId: userId,
       name,
       folder: folder || null,
@@ -267,8 +275,15 @@ router.post(
       tunnelConnections: Array.isArray(tunnelConnections)
         ? JSON.stringify(tunnelConnections)
         : null,
+      jumpHosts: Array.isArray(jumpHosts) ? JSON.stringify(jumpHosts) : null,
+      quickActions: Array.isArray(quickActions)
+        ? JSON.stringify(quickActions)
+        : null,
       enableFileManager: enableFileManager ? 1 : 0,
       defaultPath: defaultPath || null,
+      statsConfig: statsConfig ? JSON.stringify(statsConfig) : null,
+      terminalConfig: terminalConfig ? JSON.stringify(terminalConfig) : null,
+      forceKeyboardInteractive: forceKeyboardInteractive ? "true" : "false",
     };
 
     if (effectiveAuthType === "password") {
@@ -320,9 +335,15 @@ router.post(
         enableTerminal: !!createdHost.enableTerminal,
         enableTunnel: !!createdHost.enableTunnel,
         tunnelConnections: createdHost.tunnelConnections
-          ? JSON.parse(createdHost.tunnelConnections)
+          ? JSON.parse(createdHost.tunnelConnections as string)
+          : [],
+        jumpHosts: createdHost.jumpHosts
+          ? JSON.parse(createdHost.jumpHosts as string)
           : [],
         enableFileManager: !!createdHost.enableFileManager,
+        statsConfig: createdHost.statsConfig
+          ? JSON.parse(createdHost.statsConfig as string)
+          : undefined,
       };
 
       const resolvedHost = (await resolveHostCredentials(baseHost)) || baseHost;
@@ -332,7 +353,7 @@ router.post(
         {
           operation: "host_create_success",
           userId,
-          hostId: createdHost.id,
+          hostId: createdHost.id as number,
           name,
           ip,
           port,
@@ -340,6 +361,28 @@ router.post(
         },
       );
 
+      try {
+        const axios = (await import("axios")).default;
+        const statsPort = process.env.STATS_PORT || 30005;
+        await axios.post(
+          `http://localhost:${statsPort}/host-updated`,
+          { hostId: createdHost.id },
+          {
+            headers: {
+              Authorization: req.headers.authorization || "",
+              Cookie: req.headers.cookie || "",
+            },
+            timeout: 5000,
+          },
+        );
+      } catch (err) {
+        sshLogger.warn("Failed to notify stats server of new host", {
+          operation: "host_create",
+          hostId: createdHost.id as number,
+          error: err instanceof Error ? err.message : String(err),
+        });
+      }
+
       res.json(resolvedHost);
     } catch (err) {
       sshLogger.error("Failed to save SSH host to database", err, {
@@ -360,11 +403,12 @@ router.post(
 router.put(
   "/db/host/:id",
   authenticateJWT,
+  requireDataAccess,
   upload.single("key"),
   async (req: Request, res: Response) => {
     const hostId = req.params.id;
-    const userId = (req as any).userId;
-    let hostData: any;
+    const userId = (req as AuthenticatedRequest).userId;
+    let hostData: Record<string, unknown>;
 
     if (req.headers["content-type"]?.includes("multipart/form-data")) {
       if (req.body.data) {
@@ -415,6 +459,11 @@ router.put(
       enableFileManager,
       defaultPath,
       tunnelConnections,
+      jumpHosts,
+      quickActions,
+      statsConfig,
+      terminalConfig,
+      forceKeyboardInteractive,
     } = hostData;
     if (
       !isNonEmptyString(userId) ||
@@ -434,7 +483,7 @@ router.put(
     }
 
     const effectiveAuthType = authType || authMethod;
-    const sshDataObj: any = {
+    const sshDataObj: Record<string, unknown> = {
       name,
       folder,
       tags: Array.isArray(tags) ? tags.join(",") : tags || "",
@@ -449,8 +498,15 @@ router.put(
       tunnelConnections: Array.isArray(tunnelConnections)
         ? JSON.stringify(tunnelConnections)
         : null,
+      jumpHosts: Array.isArray(jumpHosts) ? JSON.stringify(jumpHosts) : null,
+      quickActions: Array.isArray(quickActions)
+        ? JSON.stringify(quickActions)
+        : null,
       enableFileManager: enableFileManager ? 1 : 0,
       defaultPath: defaultPath || null,
+      statsConfig: statsConfig ? JSON.stringify(statsConfig) : null,
+      terminalConfig: terminalConfig ? JSON.stringify(terminalConfig) : null,
+      forceKeyboardInteractive: forceKeyboardInteractive ? "true" : "false",
     };
 
     if (effectiveAuthType === "password") {
@@ -520,9 +576,15 @@ router.put(
         enableTerminal: !!updatedHost.enableTerminal,
         enableTunnel: !!updatedHost.enableTunnel,
         tunnelConnections: updatedHost.tunnelConnections
-          ? JSON.parse(updatedHost.tunnelConnections)
+          ? JSON.parse(updatedHost.tunnelConnections as string)
+          : [],
+        jumpHosts: updatedHost.jumpHosts
+          ? JSON.parse(updatedHost.jumpHosts as string)
           : [],
         enableFileManager: !!updatedHost.enableFileManager,
+        statsConfig: updatedHost.statsConfig
+          ? JSON.parse(updatedHost.statsConfig as string)
+          : undefined,
       };
 
       const resolvedHost = (await resolveHostCredentials(baseHost)) || baseHost;
@@ -540,6 +602,28 @@ router.put(
         },
       );
 
+      try {
+        const axios = (await import("axios")).default;
+        const statsPort = process.env.STATS_PORT || 30005;
+        await axios.post(
+          `http://localhost:${statsPort}/host-updated`,
+          { hostId: parseInt(hostId) },
+          {
+            headers: {
+              Authorization: req.headers.authorization || "",
+              Cookie: req.headers.cookie || "",
+            },
+            timeout: 5000,
+          },
+        );
+      } catch (err) {
+        sshLogger.warn("Failed to notify stats server of host update", {
+          operation: "host_update",
+          hostId: parseInt(hostId),
+          error: err instanceof Error ? err.message : String(err),
+        });
+      }
+
       res.json(resolvedHost);
     } catch (err) {
       sshLogger.error("Failed to update SSH host in database", err, {
@@ -558,63 +642,80 @@ router.put(
 
 // Route: Get SSH data for the authenticated user (requires JWT)
 // GET /ssh/host
-router.get("/db/host", authenticateJWT, async (req: Request, res: Response) => {
-  const userId = (req as any).userId;
-  if (!isNonEmptyString(userId)) {
-    sshLogger.warn("Invalid userId for SSH data fetch", {
-      operation: "host_fetch",
-      userId,
-    });
-    return res.status(400).json({ error: "Invalid userId" });
-  }
-  try {
-    const data = await SimpleDBOps.select(
-      db.select().from(sshData).where(eq(sshData.userId, userId)),
-      "ssh_data",
-      userId,
-    );
+router.get(
+  "/db/host",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    if (!isNonEmptyString(userId)) {
+      sshLogger.warn("Invalid userId for SSH data fetch", {
+        operation: "host_fetch",
+        userId,
+      });
+      return res.status(400).json({ error: "Invalid userId" });
+    }
+    try {
+      const data = await SimpleDBOps.select(
+        db.select().from(sshData).where(eq(sshData.userId, userId)),
+        "ssh_data",
+        userId,
+      );
 
-    const result = await Promise.all(
-      data.map(async (row: any) => {
-        const baseHost = {
-          ...row,
-          tags:
-            typeof row.tags === "string"
-              ? row.tags
-                ? row.tags.split(",").filter(Boolean)
-                : []
+      const result = await Promise.all(
+        data.map(async (row: Record<string, unknown>) => {
+          const baseHost = {
+            ...row,
+            tags:
+              typeof row.tags === "string"
+                ? row.tags
+                  ? row.tags.split(",").filter(Boolean)
+                  : []
+                : [],
+            pin: !!row.pin,
+            enableTerminal: !!row.enableTerminal,
+            enableTunnel: !!row.enableTunnel,
+            tunnelConnections: row.tunnelConnections
+              ? JSON.parse(row.tunnelConnections as string)
               : [],
-          pin: !!row.pin,
-          enableTerminal: !!row.enableTerminal,
-          enableTunnel: !!row.enableTunnel,
-          tunnelConnections: row.tunnelConnections
-            ? JSON.parse(row.tunnelConnections)
-            : [],
-          enableFileManager: !!row.enableFileManager,
-        };
+            jumpHosts: row.jumpHosts ? JSON.parse(row.jumpHosts as string) : [],
+            quickActions: row.quickActions
+              ? JSON.parse(row.quickActions as string)
+              : [],
+            enableFileManager: !!row.enableFileManager,
+            statsConfig: row.statsConfig
+              ? JSON.parse(row.statsConfig as string)
+              : undefined,
+            terminalConfig: row.terminalConfig
+              ? JSON.parse(row.terminalConfig as string)
+              : undefined,
+            forceKeyboardInteractive: row.forceKeyboardInteractive === "true",
+          };
 
-        return (await resolveHostCredentials(baseHost)) || baseHost;
-      }),
-    );
+          return (await resolveHostCredentials(baseHost)) || baseHost;
+        }),
+      );
 
-    res.json(result);
-  } catch (err) {
-    sshLogger.error("Failed to fetch SSH hosts from database", err, {
-      operation: "host_fetch",
-      userId,
-    });
-    res.status(500).json({ error: "Failed to fetch SSH data" });
-  }
-});
+      res.json(result);
+    } catch (err) {
+      sshLogger.error("Failed to fetch SSH hosts from database", err, {
+        operation: "host_fetch",
+        userId,
+      });
+      res.status(500).json({ error: "Failed to fetch SSH data" });
+    }
+  },
+);
 
 // Route: Get SSH host by ID (requires JWT)
 // GET /ssh/host/:id
 router.get(
   "/db/host/:id",
   authenticateJWT,
+  requireDataAccess,
   async (req: Request, res: Response) => {
     const hostId = req.params.id;
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     if (!isNonEmptyString(userId) || !hostId) {
       sshLogger.warn("Invalid userId or hostId for SSH host fetch by ID", {
@@ -654,7 +755,16 @@ router.get(
         tunnelConnections: host.tunnelConnections
           ? JSON.parse(host.tunnelConnections)
           : [],
+        jumpHosts: host.jumpHosts ? JSON.parse(host.jumpHosts) : [],
+        quickActions: host.quickActions ? JSON.parse(host.quickActions) : [],
         enableFileManager: !!host.enableFileManager,
+        statsConfig: host.statsConfig
+          ? JSON.parse(host.statsConfig)
+          : undefined,
+        terminalConfig: host.terminalConfig
+          ? JSON.parse(host.terminalConfig)
+          : undefined,
+        forceKeyboardInteractive: host.forceKeyboardInteractive === "true",
       };
 
       res.json((await resolveHostCredentials(result)) || result);
@@ -677,7 +787,7 @@ router.get(
   requireDataAccess,
   async (req: Request, res: Response) => {
     const hostId = req.params.id;
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     if (!isNonEmptyString(userId) || !hostId) {
       return res.status(400).json({ error: "Invalid userId or hostId" });
@@ -711,7 +821,7 @@ router.get(
         authType: resolvedHost.authType,
         password: resolvedHost.password || null,
         key: resolvedHost.key || null,
-        keyPassword: resolvedHost.keyPassword || null,
+        keyPassword: resolvedHost.key_password || null,
         keyType: resolvedHost.keyType || null,
         folder: resolvedHost.folder,
         tags:
@@ -724,7 +834,7 @@ router.get(
         enableFileManager: !!resolvedHost.enableFileManager,
         defaultPath: resolvedHost.defaultPath,
         tunnelConnections: resolvedHost.tunnelConnections
-          ? JSON.parse(resolvedHost.tunnelConnections)
+          ? JSON.parse(resolvedHost.tunnelConnections as string)
           : [],
       };
 
@@ -751,8 +861,9 @@ router.get(
 router.delete(
   "/db/host/:id",
   authenticateJWT,
+  requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const hostId = req.params.id;
 
     if (!isNonEmptyString(userId) || !hostId) {
@@ -784,8 +895,8 @@ router.delete(
         .delete(fileManagerRecent)
         .where(
           and(
-            eq(fileManagerRecent.userId, userId),
             eq(fileManagerRecent.hostId, numericHostId),
+            eq(fileManagerRecent.userId, userId),
           ),
         );
 
@@ -793,8 +904,8 @@ router.delete(
         .delete(fileManagerPinned)
         .where(
           and(
-            eq(fileManagerPinned.userId, userId),
             eq(fileManagerPinned.hostId, numericHostId),
+            eq(fileManagerPinned.userId, userId),
           ),
         );
 
@@ -802,8 +913,17 @@ router.delete(
         .delete(fileManagerShortcuts)
         .where(
           and(
-            eq(fileManagerShortcuts.userId, userId),
             eq(fileManagerShortcuts.hostId, numericHostId),
+            eq(fileManagerShortcuts.userId, userId),
+          ),
+        );
+
+      await db
+        .delete(commandHistory)
+        .where(
+          and(
+            eq(commandHistory.hostId, numericHostId),
+            eq(commandHistory.userId, userId),
           ),
         );
 
@@ -811,12 +931,21 @@ router.delete(
         .delete(sshCredentialUsage)
         .where(
           and(
-            eq(sshCredentialUsage.userId, userId),
             eq(sshCredentialUsage.hostId, numericHostId),
+            eq(sshCredentialUsage.userId, userId),
           ),
         );
 
-      const result = await db
+      await db
+        .delete(recentActivity)
+        .where(
+          and(
+            eq(recentActivity.hostId, numericHostId),
+            eq(recentActivity.userId, userId),
+          ),
+        );
+
+      await db
         .delete(sshData)
         .where(and(eq(sshData.id, numericHostId), eq(sshData.userId, userId)));
 
@@ -833,6 +962,28 @@ router.delete(
         },
       );
 
+      try {
+        const axios = (await import("axios")).default;
+        const statsPort = process.env.STATS_PORT || 30005;
+        await axios.post(
+          `http://localhost:${statsPort}/host-deleted`,
+          { hostId: numericHostId },
+          {
+            headers: {
+              Authorization: req.headers.authorization || "",
+              Cookie: req.headers.cookie || "",
+            },
+            timeout: 5000,
+          },
+        );
+      } catch (err) {
+        sshLogger.warn("Failed to notify stats server of host deletion", {
+          operation: "host_delete",
+          hostId: numericHostId,
+          error: err instanceof Error ? err.message : String(err),
+        });
+      }
+
       res.json({ message: "SSH host deleted" });
     } catch (err) {
       sshLogger.error("Failed to delete SSH host from database", err, {
@@ -851,7 +1002,7 @@ router.get(
   "/file_manager/recent",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const hostId = req.query.hostId
       ? parseInt(req.query.hostId as string)
       : null;
@@ -893,7 +1044,7 @@ router.post(
   "/file_manager/recent",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { hostId, path, name } = req.body;
 
     if (!isNonEmptyString(userId) || !hostId || !path) {
@@ -942,8 +1093,8 @@ router.delete(
   "/file_manager/recent",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
-    const { hostId, path, name } = req.body;
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId, path } = req.body;
 
     if (!isNonEmptyString(userId) || !hostId || !path) {
       sshLogger.warn("Invalid data for recent file deletion");
@@ -975,7 +1126,7 @@ router.get(
   "/file_manager/pinned",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const hostId = req.query.hostId
       ? parseInt(req.query.hostId as string)
       : null;
@@ -1016,7 +1167,7 @@ router.post(
   "/file_manager/pinned",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { hostId, path, name } = req.body;
 
     if (!isNonEmptyString(userId) || !hostId || !path) {
@@ -1062,8 +1213,8 @@ router.delete(
   "/file_manager/pinned",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
-    const { hostId, path, name } = req.body;
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId, path } = req.body;
 
     if (!isNonEmptyString(userId) || !hostId || !path) {
       sshLogger.warn("Invalid data for pinned file deletion");
@@ -1095,7 +1246,7 @@ router.get(
   "/file_manager/shortcuts",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const hostId = req.query.hostId
       ? parseInt(req.query.hostId as string)
       : null;
@@ -1136,7 +1287,7 @@ router.post(
   "/file_manager/shortcuts",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { hostId, path, name } = req.body;
 
     if (!isNonEmptyString(userId) || !hostId || !path) {
@@ -1182,8 +1333,8 @@ router.delete(
   "/file_manager/shortcuts",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
-    const { hostId, path, name } = req.body;
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId, path } = req.body;
 
     if (!isNonEmptyString(userId) || !hostId || !path) {
       sshLogger.warn("Invalid data for shortcut deletion");
@@ -1209,21 +1360,114 @@ router.delete(
   },
 );
 
-async function resolveHostCredentials(host: any): Promise<any> {
+// Route: Get command history for a host
+// GET /ssh/command-history/:hostId
+router.get(
+  "/command-history/:hostId",
+  authenticateJWT,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const hostId = parseInt(req.params.hostId, 10);
+
+    if (!isNonEmptyString(userId) || !hostId) {
+      sshLogger.warn("Invalid userId or hostId for command history fetch", {
+        operation: "command_history_fetch",
+        hostId,
+        userId,
+      });
+      return res.status(400).json({ error: "Invalid userId or hostId" });
+    }
+
+    try {
+      const history = await db
+        .select({
+          id: commandHistory.id,
+          command: commandHistory.command,
+        })
+        .from(commandHistory)
+        .where(
+          and(
+            eq(commandHistory.userId, userId),
+            eq(commandHistory.hostId, hostId),
+          ),
+        )
+        .orderBy(desc(commandHistory.executedAt))
+        .limit(200);
+
+      res.json(history.map((h) => h.command));
+    } catch (err) {
+      sshLogger.error("Failed to fetch command history from database", err, {
+        operation: "command_history_fetch",
+        hostId,
+        userId,
+      });
+      res.status(500).json({ error: "Failed to fetch command history" });
+    }
+  },
+);
+
+// Route: Delete command from history
+// DELETE /ssh/command-history
+router.delete(
+  "/command-history",
+  authenticateJWT,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId, command } = req.body;
+
+    if (!isNonEmptyString(userId) || !hostId || !command) {
+      sshLogger.warn("Invalid data for command history deletion", {
+        operation: "command_history_delete",
+        hostId,
+        userId,
+      });
+      return res.status(400).json({ error: "Invalid data" });
+    }
+
+    try {
+      await db
+        .delete(commandHistory)
+        .where(
+          and(
+            eq(commandHistory.userId, userId),
+            eq(commandHistory.hostId, hostId),
+            eq(commandHistory.command, command),
+          ),
+        );
+
+      res.json({ message: "Command deleted from history" });
+    } catch (err) {
+      sshLogger.error("Failed to delete command from history", err, {
+        operation: "command_history_delete",
+        hostId,
+        userId,
+        command,
+      });
+      res.status(500).json({ error: "Failed to delete command" });
+    }
+  },
+);
+
+async function resolveHostCredentials(
+  host: Record<string, unknown>,
+): Promise<Record<string, unknown>> {
   try {
     if (host.credentialId && host.userId) {
+      const credentialId = host.credentialId as number;
+      const userId = host.userId as string;
+
       const credentials = await SimpleDBOps.select(
         db
           .select()
           .from(sshCredentials)
           .where(
             and(
-              eq(sshCredentials.id, host.credentialId),
-              eq(sshCredentials.userId, host.userId),
+              eq(sshCredentials.id, credentialId),
+              eq(sshCredentials.userId, userId),
             ),
           ),
         "ssh_credentials",
-        host.userId,
+        userId,
       );
 
       if (credentials.length > 0) {
@@ -1239,6 +1483,7 @@ async function resolveHostCredentials(host: any): Promise<any> {
         };
       }
     }
+
     const result = { ...host };
     if (host.key_password !== undefined) {
       if (result.keyPassword === undefined) {
@@ -1261,7 +1506,7 @@ router.put(
   "/folders/rename",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { oldName, newName } = req.body;
 
     if (!isNonEmptyString(userId) || !oldName || !newName) {
@@ -1303,6 +1548,16 @@ router.put(
 
       DatabaseSaveTrigger.triggerSave("folder_rename");
 
+      await db
+        .update(sshFolders)
+        .set({
+          name: newName,
+          updatedAt: new Date().toISOString(),
+        })
+        .where(
+          and(eq(sshFolders.userId, userId), eq(sshFolders.name, oldName)),
+        );
+
       res.json({
         message: "Folder renamed successfully",
         updatedHosts: updatedHosts.length,
@@ -1320,13 +1575,177 @@ router.put(
   },
 );
 
+// Route: Get all folders with metadata (requires JWT)
+// GET /ssh/db/folders
+router.get("/folders", authenticateJWT, async (req: Request, res: Response) => {
+  const userId = (req as AuthenticatedRequest).userId;
+
+  if (!isNonEmptyString(userId)) {
+    return res.status(400).json({ error: "Invalid user ID" });
+  }
+
+  try {
+    const folders = await db
+      .select()
+      .from(sshFolders)
+      .where(eq(sshFolders.userId, userId));
+
+    res.json(folders);
+  } catch (err) {
+    sshLogger.error("Failed to fetch folders", err, {
+      operation: "fetch_folders",
+      userId,
+    });
+    res.status(500).json({ error: "Failed to fetch folders" });
+  }
+});
+
+// Route: Update folder metadata (requires JWT)
+// PUT /ssh/db/folders/metadata
+router.put(
+  "/folders/metadata",
+  authenticateJWT,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { name, color, icon } = req.body;
+
+    if (!isNonEmptyString(userId) || !name) {
+      return res.status(400).json({ error: "Folder name is required" });
+    }
+
+    try {
+      const existing = await db
+        .select()
+        .from(sshFolders)
+        .where(and(eq(sshFolders.userId, userId), eq(sshFolders.name, name)))
+        .limit(1);
+
+      if (existing.length > 0) {
+        await db
+          .update(sshFolders)
+          .set({
+            color,
+            icon,
+            updatedAt: new Date().toISOString(),
+          })
+          .where(and(eq(sshFolders.userId, userId), eq(sshFolders.name, name)));
+      } else {
+        await db.insert(sshFolders).values({
+          userId,
+          name,
+          color,
+          icon,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        });
+      }
+
+      DatabaseSaveTrigger.triggerSave("folder_metadata_update");
+
+      res.json({ message: "Folder metadata updated successfully" });
+    } catch (err) {
+      sshLogger.error("Failed to update folder metadata", err, {
+        operation: "update_folder_metadata",
+        userId,
+        name,
+      });
+      res.status(500).json({ error: "Failed to update folder metadata" });
+    }
+  },
+);
+
+// Route: Delete all hosts in folder (requires JWT)
+// DELETE /ssh/db/folders/:name/hosts
+router.delete(
+  "/folders/:name/hosts",
+  authenticateJWT,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const folderName = req.params.name;
+
+    if (!isNonEmptyString(userId) || !folderName) {
+      return res.status(400).json({ error: "Invalid folder name" });
+    }
+
+    try {
+      const hostsToDelete = await db
+        .select()
+        .from(sshData)
+        .where(and(eq(sshData.userId, userId), eq(sshData.folder, folderName)));
+
+      if (hostsToDelete.length === 0) {
+        return res.json({
+          message: "No hosts found in folder",
+          deletedCount: 0,
+        });
+      }
+
+      await db
+        .delete(sshData)
+        .where(and(eq(sshData.userId, userId), eq(sshData.folder, folderName)));
+
+      await db
+        .delete(sshFolders)
+        .where(
+          and(eq(sshFolders.userId, userId), eq(sshFolders.name, folderName)),
+        );
+
+      DatabaseSaveTrigger.triggerSave("folder_hosts_delete");
+
+      try {
+        const axios = (await import("axios")).default;
+        const statsPort = process.env.STATS_PORT || 30005;
+        for (const host of hostsToDelete) {
+          try {
+            await axios.post(
+              `http://localhost:${statsPort}/host-deleted`,
+              { hostId: host.id },
+              {
+                headers: {
+                  Authorization: req.headers.authorization || "",
+                  Cookie: req.headers.cookie || "",
+                },
+                timeout: 5000,
+              },
+            );
+          } catch (err) {
+            sshLogger.warn("Failed to notify stats server of host deletion", {
+              operation: "folder_hosts_delete",
+              hostId: host.id,
+              error: err instanceof Error ? err.message : String(err),
+            });
+          }
+        }
+      } catch (err) {
+        sshLogger.warn("Failed to notify stats server of folder deletion", {
+          operation: "folder_hosts_delete",
+          folderName,
+          error: err instanceof Error ? err.message : String(err),
+        });
+      }
+
+      res.json({
+        message: "All hosts in folder deleted successfully",
+        deletedCount: hostsToDelete.length,
+      });
+    } catch (err) {
+      sshLogger.error("Failed to delete hosts in folder", err, {
+        operation: "delete_folder_hosts",
+        userId,
+        folderName,
+      });
+      res.status(500).json({ error: "Failed to delete hosts in folder" });
+    }
+  },
+);
+
 // Route: Bulk import SSH hosts (requires JWT)
 // POST /ssh/bulk-import
 router.post(
   "/bulk-import",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { hosts } = req.body;
 
     if (!Array.isArray(hosts) || hosts.length === 0) {
@@ -1398,7 +1817,7 @@ router.post(
           continue;
         }
 
-        const sshDataObj: any = {
+        const sshDataObj: Record<string, unknown> = {
           userId: userId,
           name: hostData.name || `${hostData.username}@${hostData.ip}`,
           folder: hostData.folder || "Default",
@@ -1411,7 +1830,7 @@ router.post(
           credentialId:
             hostData.authType === "credential" ? hostData.credentialId : null,
           key: hostData.authType === "key" ? hostData.key : null,
-          key_password:
+          keyPassword:
             hostData.authType === "key"
               ? hostData.keyPassword || hostData.key_password || null
               : null,
@@ -1425,6 +1844,9 @@ router.post(
           tunnelConnections: hostData.tunnelConnections
             ? JSON.stringify(hostData.tunnelConnections)
             : "[]",
+          statsConfig: hostData.statsConfig
+            ? JSON.stringify(hostData.statsConfig)
+            : null,
           createdAt: new Date().toISOString(),
           updatedAt: new Date().toISOString(),
         };
@@ -1455,7 +1877,7 @@ router.post(
   authenticateJWT,
   requireDataAccess,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { sshConfigId } = req.body;
 
     if (!sshConfigId || typeof sshConfigId !== "number") {
@@ -1519,7 +1941,7 @@ router.post(
           const tunnelConnections = JSON.parse(config.tunnelConnections);
 
           const resolvedConnections = await Promise.all(
-            tunnelConnections.map(async (tunnel: any) => {
+            tunnelConnections.map(async (tunnel: Record<string, unknown>) => {
               if (
                 tunnel.autoStart &&
                 tunnel.endpointHost &&
@@ -1567,7 +1989,7 @@ router.post(
         }
       }
 
-      const updateResult = await db
+      await db
         .update(sshData)
         .set({
           autostartPassword: decryptedConfig.password || null,
@@ -1608,7 +2030,7 @@ router.delete(
   "/autostart/disable",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
     const { sshConfigId } = req.body;
 
     if (!sshConfigId || typeof sshConfigId !== "number") {
@@ -1624,7 +2046,7 @@ router.delete(
     }
 
     try {
-      const result = await db
+      await db
         .update(sshData)
         .set({
           autostartPassword: null,
@@ -1654,7 +2076,7 @@ router.get(
   "/autostart/status",
   authenticateJWT,
   async (req: Request, res: Response) => {
-    const userId = (req as any).userId;
+    const userId = (req as AuthenticatedRequest).userId;
 
     try {
       const autostartConfigs = await db

src/backend/database/routes/terminal.ts

@@ -0,0 +1,195 @@
+import type { AuthenticatedRequest } from "../../../types/index.js";
+import express from "express";
+import { db } from "../db/index.js";
+import { commandHistory } from "../db/schema.js";
+import { eq, and, desc, sql } from "drizzle-orm";
+import type { Request, Response } from "express";
+import { authLogger } from "../../utils/logger.js";
+import { AuthManager } from "../../utils/auth-manager.js";
+
+const router = express.Router();
+
+function isNonEmptyString(val: unknown): val is string {
+  return typeof val === "string" && val.trim().length > 0;
+}
+
+const authManager = AuthManager.getInstance();
+const authenticateJWT = authManager.createAuthMiddleware();
+const requireDataAccess = authManager.createDataAccessMiddleware();
+
+// Save command to history
+// POST /terminal/command_history
+router.post(
+  "/command_history",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId, command } = req.body;
+
+    if (!isNonEmptyString(userId) || !hostId || !isNonEmptyString(command)) {
+      authLogger.warn("Invalid command history save request", {
+        operation: "command_history_save",
+        userId,
+        hasHostId: !!hostId,
+        hasCommand: !!command,
+      });
+      return res.status(400).json({ error: "Missing required parameters" });
+    }
+
+    try {
+      const insertData = {
+        userId,
+        hostId: parseInt(hostId, 10),
+        command: command.trim(),
+      };
+
+      const result = await db
+        .insert(commandHistory)
+        .values(insertData)
+        .returning();
+
+      res.status(201).json(result[0]);
+    } catch (err) {
+      authLogger.error("Failed to save command to history", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to save command",
+      });
+    }
+  },
+);
+
+// Get command history for a specific host
+// GET /terminal/command_history/:hostId
+router.get(
+  "/command_history/:hostId",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId } = req.params;
+    const hostIdNum = parseInt(hostId, 10);
+
+    if (!isNonEmptyString(userId) || isNaN(hostIdNum)) {
+      authLogger.warn("Invalid command history fetch request", {
+        userId,
+        hostId: hostIdNum,
+      });
+      return res.status(400).json({ error: "Invalid request parameters" });
+    }
+
+    try {
+      const result = await db
+        .select({
+          command: commandHistory.command,
+          maxExecutedAt: sql<number>`MAX(${commandHistory.executedAt})`,
+        })
+        .from(commandHistory)
+        .where(
+          and(
+            eq(commandHistory.userId, userId),
+            eq(commandHistory.hostId, hostIdNum),
+          ),
+        )
+        .groupBy(commandHistory.command)
+        .orderBy(desc(sql`MAX(${commandHistory.executedAt})`))
+        .limit(500);
+
+      const uniqueCommands = result.map((r) => r.command);
+
+      res.json(uniqueCommands);
+    } catch (err) {
+      authLogger.error("Failed to fetch command history", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to fetch history",
+      });
+    }
+  },
+);
+
+// Delete a specific command from history
+// POST /terminal/command_history/delete
+router.post(
+  "/command_history/delete",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId, command } = req.body;
+
+    if (!isNonEmptyString(userId) || !hostId || !isNonEmptyString(command)) {
+      authLogger.warn("Invalid command delete request", {
+        operation: "command_history_delete",
+        userId,
+        hasHostId: !!hostId,
+        hasCommand: !!command,
+      });
+      return res.status(400).json({ error: "Missing required parameters" });
+    }
+
+    try {
+      const hostIdNum = parseInt(hostId, 10);
+
+      await db
+        .delete(commandHistory)
+        .where(
+          and(
+            eq(commandHistory.userId, userId),
+            eq(commandHistory.hostId, hostIdNum),
+            eq(commandHistory.command, command.trim()),
+          ),
+        );
+
+      res.json({ success: true });
+    } catch (err) {
+      authLogger.error("Failed to delete command from history", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to delete command",
+      });
+    }
+  },
+);
+
+// Clear command history for a specific host (optional feature)
+// DELETE /terminal/command_history/:hostId
+router.delete(
+  "/command_history/:hostId",
+  authenticateJWT,
+  requireDataAccess,
+  async (req: Request, res: Response) => {
+    const userId = (req as AuthenticatedRequest).userId;
+    const { hostId } = req.params;
+    const hostIdNum = parseInt(hostId, 10);
+
+    if (!isNonEmptyString(userId) || isNaN(hostIdNum)) {
+      authLogger.warn("Invalid command history clear request");
+      return res.status(400).json({ error: "Invalid request" });
+    }
+
+    try {
+      await db
+        .delete(commandHistory)
+        .where(
+          and(
+            eq(commandHistory.userId, userId),
+            eq(commandHistory.hostId, hostIdNum),
+          ),
+        );
+
+      authLogger.success(`Command history cleared for host ${hostId}`, {
+        operation: "command_history_clear_success",
+        userId,
+        hostId: hostIdNum,
+      });
+
+      res.json({ success: true });
+    } catch (err) {
+      authLogger.error("Failed to clear command history", err);
+      res.status(500).json({
+        error: err instanceof Error ? err.message : "Failed to clear history",
+      });
+    }
+  },
+);
+
+export default router;

src/backend/ssh/tunnel.ts

@@ -15,7 +15,7 @@ import type {
   ErrorType,
 } from "../../types/index.js";
 import { CONNECTION_STATES } from "../../types/index.js";
-import { tunnelLogger } from "../utils/logger.js";
+import { tunnelLogger, sshLogger } from "../utils/logger.js";
 import { SystemCrypto } from "../utils/system-crypto.js";
 import { SimpleDBOps } from "../utils/simple-db-ops.js";
 import { DataCrypto } from "../utils/data-crypto.js";
@@ -33,6 +33,10 @@ app.use(
         "http://127.0.0.1:3000",
       ];
 
+      if (allowedOrigins.includes(origin)) {
+        return callback(null, true);
+      }
+
       if (origin.startsWith("https://")) {
         return callback(null, true);
       }
@@ -41,10 +45,6 @@ app.use(
         return callback(null, true);
       }
 
-      if (allowedOrigins.includes(origin)) {
-        return callback(null, true);
-      }
-
       callback(new Error("Not allowed by CORS"));
     },
     credentials: true,
@@ -217,7 +217,7 @@ function cleanupTunnelResources(
     if (verification?.timeout) clearTimeout(verification.timeout);
     try {
       verification?.conn.end();
-    } catch (e) {}
+    } catch (error) {}
     tunnelVerifications.delete(tunnelName);
   }
 
@@ -282,7 +282,7 @@ function handleDisconnect(
       const verification = tunnelVerifications.get(tunnelName);
       if (verification?.timeout) clearTimeout(verification.timeout);
       verification?.conn.end();
-    } catch (e) {}
+    } catch (error) {}
     tunnelVerifications.delete(tunnelName);
   }
 
@@ -511,16 +511,19 @@ async function connectSSHTunnel(
         if (credentials.length > 0) {
           const credential = credentials[0];
           resolvedSourceCredentials = {
-            password: credential.password,
-            sshKey:
-              credential.private_key || credential.privateKey || credential.key,
-            keyPassword: credential.key_password || credential.keyPassword,
-            keyType: credential.key_type || credential.keyType,
-            authMethod: credential.auth_type || credential.authType,
+            password: credential.password as string | undefined,
+            sshKey: (credential.private_key ||
+              credential.privateKey ||
+              credential.key) as string | undefined,
+            keyPassword: (credential.key_password || credential.keyPassword) as
+              | string
+              | undefined,
+            keyType: (credential.key_type || credential.keyType) as
+              | string
+              | undefined,
+            authMethod: (credential.auth_type || credential.authType) as string,
           };
-        } else {
         }
-      } else {
       }
     } catch (error) {
       tunnelLogger.warn("Failed to resolve source credentials from database", {
@@ -591,12 +594,17 @@ async function connectSSHTunnel(
         if (credentials.length > 0) {
           const credential = credentials[0];
           resolvedEndpointCredentials = {
-            password: credential.password,
-            sshKey:
-              credential.private_key || credential.privateKey || credential.key,
-            keyPassword: credential.key_password || credential.keyPassword,
-            keyType: credential.key_type || credential.keyType,
-            authMethod: credential.auth_type || credential.authType,
+            password: credential.password as string | undefined,
+            sshKey: (credential.private_key ||
+              credential.privateKey ||
+              credential.key) as string | undefined,
+            keyPassword: (credential.key_password || credential.keyPassword) as
+              | string
+              | undefined,
+            keyType: (credential.key_type || credential.keyType) as
+              | string
+              | undefined,
+            authMethod: (credential.auth_type || credential.authType) as string,
           };
         } else {
           tunnelLogger.warn("No endpoint credentials found in database", {
@@ -605,7 +613,6 @@ async function connectSSHTunnel(
             credentialId: tunnelConfig.endpointCredentialId,
           });
         }
-      } else {
       }
     } catch (error) {
       tunnelLogger.warn(
@@ -631,7 +638,7 @@ async function connectSSHTunnel(
 
       try {
         conn.end();
-      } catch (e) {}
+      } catch (error) {}
 
       activeTunnels.delete(tunnelName);
 
@@ -771,7 +778,7 @@ async function connectSSHTunnel(
             const verification = tunnelVerifications.get(tunnelName);
             if (verification?.timeout) clearTimeout(verification.timeout);
             verification?.conn.end();
-          } catch (e) {}
+          } catch (error) {}
           tunnelVerifications.delete(tunnelName);
         }
 
@@ -822,13 +829,9 @@ async function connectSSHTunnel(
         }
       });
 
-      stream.stdout?.on("data", (data: Buffer) => {
-        const output = data.toString().trim();
-        if (output) {
-        }
-      });
+      stream.stdout?.on("data", () => {});
 
-      stream.on("error", (err: Error) => {});
+      stream.on("error", () => {});
 
       stream.stderr.on("data", (data) => {
         const errorMsg = data.toString().trim();
@@ -888,42 +891,68 @@ async function connectSSHTunnel(
     });
   });
 
-  const connOptions: any = {
+  const connOptions: Record<string, unknown> = {
     host: tunnelConfig.sourceIP,
     port: tunnelConfig.sourceSSHPort,
     username: tunnelConfig.sourceUsername,
+    tryKeyboard: true,
     keepaliveInterval: 30000,
     keepaliveCountMax: 3,
     readyTimeout: 60000,
     tcpKeepAlive: true,
-    tcpKeepAliveInitialDelay: 15000,
+    tcpKeepAliveInitialDelay: 30000,
+    env: {
+      TERM: "xterm-256color",
+      LANG: "en_US.UTF-8",
+      LC_ALL: "en_US.UTF-8",
+      LC_CTYPE: "en_US.UTF-8",
+      LC_MESSAGES: "en_US.UTF-8",
+      LC_MONETARY: "en_US.UTF-8",
+      LC_NUMERIC: "en_US.UTF-8",
+      LC_TIME: "en_US.UTF-8",
+      LC_COLLATE: "en_US.UTF-8",
+      COLORTERM: "truecolor",
+    },
     algorithms: {
       kex: [
+        "curve25519-sha256",
+        "curve25519-sha256@libssh.org",
+        "ecdh-sha2-nistp521",
+        "ecdh-sha2-nistp384",
+        "ecdh-sha2-nistp256",
+        "diffie-hellman-group-exchange-sha256",
         "diffie-hellman-group14-sha256",
         "diffie-hellman-group14-sha1",
-        "diffie-hellman-group1-sha1",
-        "diffie-hellman-group-exchange-sha256",
         "diffie-hellman-group-exchange-sha1",
-        "ecdh-sha2-nistp256",
-        "ecdh-sha2-nistp384",
-        "ecdh-sha2-nistp521",
+        "diffie-hellman-group1-sha1",
+      ],
+      serverHostKey: [
+        "ssh-ed25519",
+        "ecdsa-sha2-nistp521",
+        "ecdsa-sha2-nistp384",
+        "ecdsa-sha2-nistp256",
+        "rsa-sha2-512",
+        "rsa-sha2-256",
+        "ssh-rsa",
+        "ssh-dss",
       ],
       cipher: [
-        "aes128-ctr",
-        "aes192-ctr",
-        "aes256-ctr",
-        "aes128-gcm@openssh.com",
+        "chacha20-poly1305@openssh.com",
         "aes256-gcm@openssh.com",
-        "aes128-cbc",
-        "aes192-cbc",
+        "aes128-gcm@openssh.com",
+        "aes256-ctr",
+        "aes192-ctr",
+        "aes128-ctr",
         "aes256-cbc",
+        "aes192-cbc",
+        "aes128-cbc",
         "3des-cbc",
       ],
       hmac: [
-        "hmac-sha2-256-etm@openssh.com",
         "hmac-sha2-512-etm@openssh.com",
-        "hmac-sha2-256",
+        "hmac-sha2-256-etm@openssh.com",
         "hmac-sha2-512",
+        "hmac-sha2-256",
         "hmac-sha1",
         "hmac-md5",
       ],
@@ -1026,15 +1055,19 @@ async function killRemoteTunnelByMarker(
         if (credentials.length > 0) {
           const credential = credentials[0];
           resolvedSourceCredentials = {
-            password: credential.password,
-            sshKey:
-              credential.private_key || credential.privateKey || credential.key,
-            keyPassword: credential.key_password || credential.keyPassword,
-            keyType: credential.key_type || credential.keyType,
-            authMethod: credential.auth_type || credential.authType,
+            password: credential.password as string | undefined,
+            sshKey: (credential.private_key ||
+              credential.privateKey ||
+              credential.key) as string | undefined,
+            keyPassword: (credential.key_password || credential.keyPassword) as
+              | string
+              | undefined,
+            keyType: (credential.key_type || credential.keyType) as
+              | string
+              | undefined,
+            authMethod: (credential.auth_type || credential.authType) as string,
           };
         }
-      } else {
       }
     } catch (error) {
       tunnelLogger.warn("Failed to resolve source credentials for cleanup", {
@@ -1046,7 +1079,7 @@ async function killRemoteTunnelByMarker(
   }
 
   const conn = new Client();
-  const connOptions: any = {
+  const connOptions: Record<string, unknown> = {
     host: tunnelConfig.sourceIP,
     port: tunnelConfig.sourceSSHPort,
     username: tunnelConfig.sourceUsername,
@@ -1122,7 +1155,7 @@ async function killRemoteTunnelByMarker(
   conn.on("ready", () => {
     const checkCmd = `ps aux | grep -E '(${tunnelMarker}|ssh.*-R.*${tunnelConfig.endpointPort}:localhost:${tunnelConfig.sourcePort}.*${tunnelConfig.endpointUsername}@${tunnelConfig.endpointIP}|sshpass.*ssh.*-R.*${tunnelConfig.endpointPort})' | grep -v grep`;
 
-    conn.exec(checkCmd, (err, stream) => {
+    conn.exec(checkCmd, (_err, stream) => {
       let foundProcesses = false;
 
       stream.on("data", (data) => {
@@ -1150,7 +1183,7 @@ async function killRemoteTunnelByMarker(
 
         function executeNextKillCommand() {
           if (commandIndex >= killCmds.length) {
-            conn.exec(checkCmd, (err, verifyStream) => {
+            conn.exec(checkCmd, (_err, verifyStream) => {
               let stillRunning = false;
 
               verifyStream.on("data", (data) => {
@@ -1183,19 +1216,14 @@ async function killRemoteTunnelByMarker(
               tunnelLogger.warn(
                 `Kill command ${commandIndex + 1} failed for '${tunnelName}': ${err.message}`,
               );
-            } else {
             }
 
-            stream.on("close", (code) => {
+            stream.on("close", () => {
               commandIndex++;
               executeNextKillCommand();
             });
 
-            stream.on("data", (data) => {
-              const output = data.toString().trim();
-              if (output) {
-              }
-            });
+            stream.on("data", () => {});
 
             stream.stderr.on("data", (data) => {
               const output = data.toString().trim();
@@ -1381,7 +1409,11 @@ async function initializeAutoStartTunnels(): Promise<void> {
 
             if (endpointHost) {
               const tunnelConfig: TunnelConfig = {
-                name: `${host.name || `${host.username}@${host.ip}`}_${tunnelConnection.sourcePort}_${tunnelConnection.endpointPort}`,
+                name: `${host.name || `${host.username}@${host.ip}`}_${
+                  tunnelConnection.sourcePort
+                }_${tunnelConnection.endpointHost}_${
+                  tunnelConnection.endpointPort
+                }`,
                 hostName: host.name || `${host.username}@${host.ip}`,
                 sourceIP: host.ip,
                 sourceSSHPort: host.port,
@@ -1423,14 +1455,6 @@ async function initializeAutoStartTunnels(): Promise<void> {
                 isPinned: host.pin,
               };
 
-              const hasSourcePassword = host.autostartPassword;
-              const hasSourceKey = host.autostartKey;
-              const hasEndpointPassword =
-                tunnelConnection.endpointPassword ||
-                endpointHost.autostartPassword;
-              const hasEndpointKey =
-                tunnelConnection.endpointKey || endpointHost.autostartKey;
-
               autoStartTunnels.push(tunnelConfig);
             } else {
               tunnelLogger.error(
@@ -1453,10 +1477,10 @@ async function initializeAutoStartTunnels(): Promise<void> {
         });
       }, 1000);
     }
-  } catch (error: any) {
+  } catch (error) {
     tunnelLogger.error(
       "Failed to initialize auto-start tunnels:",
-      error.message,
+      error instanceof Error ? error.message : "Unknown error",
     );
   }
 }

src/backend/ssh/widgets/common-utils.ts

@@ -0,0 +1,42 @@
+import type { Client } from "ssh2";
+
+export function execCommand(
+  client: Client,
+  command: string,
+): Promise<{
+  stdout: string;
+  stderr: string;
+  code: number | null;
+}> {
+  return new Promise((resolve, reject) => {
+    client.exec(command, { pty: false }, (err, stream) => {
+      if (err) return reject(err);
+      let stdout = "";
+      let stderr = "";
+      let exitCode: number | null = null;
+      stream
+        .on("close", (code: number | undefined) => {
+          exitCode = typeof code === "number" ? code : null;
+          resolve({ stdout, stderr, code: exitCode });
+        })
+        .on("data", (data: Buffer) => {
+          stdout += data.toString("utf8");
+        })
+        .stderr.on("data", (data: Buffer) => {
+          stderr += data.toString("utf8");
+        });
+    });
+  });
+}
+
+export function toFixedNum(
+  n: number | null | undefined,
+  digits = 2,
+): number | null {
+  if (typeof n !== "number" || !Number.isFinite(n)) return null;
+  return Number(n.toFixed(digits));
+}
+
+export function kibToGiB(kib: number): number {
+  return kib / (1024 * 1024);
+}

src/backend/ssh/widgets/cpu-collector.ts

@@ -0,0 +1,83 @@
+import type { Client } from "ssh2";
+import { execCommand, toFixedNum } from "./common-utils.js";
+
+function parseCpuLine(
+  cpuLine: string,
+): { total: number; idle: number } | undefined {
+  const parts = cpuLine.trim().split(/\s+/);
+  if (parts[0] !== "cpu") return undefined;
+  const nums = parts
+    .slice(1)
+    .map((n) => Number(n))
+    .filter((n) => Number.isFinite(n));
+  if (nums.length < 4) return undefined;
+  const idle = (nums[3] ?? 0) + (nums[4] ?? 0);
+  const total = nums.reduce((a, b) => a + b, 0);
+  return { total, idle };
+}
+
+export async function collectCpuMetrics(client: Client): Promise<{
+  percent: number | null;
+  cores: number | null;
+  load: [number, number, number] | null;
+}> {
+  let cpuPercent: number | null = null;
+  let cores: number | null = null;
+  let loadTriplet: [number, number, number] | null = null;
+
+  try {
+    const [stat1, loadAvgOut, coresOut] = await Promise.all([
+      execCommand(client, "cat /proc/stat"),
+      execCommand(client, "cat /proc/loadavg"),
+      execCommand(
+        client,
+        "nproc 2>/dev/null || grep -c ^processor /proc/cpuinfo",
+      ),
+    ]);
+
+    await new Promise((r) => setTimeout(r, 500));
+    const stat2 = await execCommand(client, "cat /proc/stat");
+
+    const cpuLine1 = (
+      stat1.stdout.split("\n").find((l) => l.startsWith("cpu ")) || ""
+    ).trim();
+    const cpuLine2 = (
+      stat2.stdout.split("\n").find((l) => l.startsWith("cpu ")) || ""
+    ).trim();
+    const a = parseCpuLine(cpuLine1);
+    const b = parseCpuLine(cpuLine2);
+    if (a && b) {
+      const totalDiff = b.total - a.total;
+      const idleDiff = b.idle - a.idle;
+      const used = totalDiff - idleDiff;
+      if (totalDiff > 0)
+        cpuPercent = Math.max(0, Math.min(100, (used / totalDiff) * 100));
+    }
+
+    const laParts = loadAvgOut.stdout.trim().split(/\s+/);
+    if (laParts.length >= 3) {
+      loadTriplet = [
+        Number(laParts[0]),
+        Number(laParts[1]),
+        Number(laParts[2]),
+      ].map((v) => (Number.isFinite(v) ? Number(v) : 0)) as [
+        number,
+        number,
+        number,
+      ];
+    }
+
+    const coresNum = Number((coresOut.stdout || "").trim());
+    cores = Number.isFinite(coresNum) && coresNum > 0 ? coresNum : null;
+  } catch (e) {
+    cpuPercent = null;
+    cores = null;
+    loadTriplet = null;
+  }
+
+  return {
+    percent: toFixedNum(cpuPercent, 0),
+    cores,
+    load: loadTriplet,
+  };
+}

src/backend/ssh/widgets/disk-collector.ts

@@ -0,0 +1,67 @@
+import type { Client } from "ssh2";
+import { execCommand, toFixedNum } from "./common-utils.js";
+
+export async function collectDiskMetrics(client: Client): Promise<{
+  percent: number | null;
+  usedHuman: string | null;
+  totalHuman: string | null;
+  availableHuman: string | null;
+}> {
+  let diskPercent: number | null = null;
+  let usedHuman: string | null = null;
+  let totalHuman: string | null = null;
+  let availableHuman: string | null = null;
+
+  try {
+    const [diskOutHuman, diskOutBytes] = await Promise.all([
+      execCommand(client, "df -h -P / | tail -n +2"),
+      execCommand(client, "df -B1 -P / | tail -n +2"),
+    ]);
+
+    const humanLine =
+      diskOutHuman.stdout
+        .split("\n")
+        .map((l) => l.trim())
+        .filter(Boolean)[0] || "";
+    const bytesLine =
+      diskOutBytes.stdout
+        .split("\n")
+        .map((l) => l.trim())
+        .filter(Boolean)[0] || "";
+
+    const humanParts = humanLine.split(/\s+/);
+    const bytesParts = bytesLine.split(/\s+/);
+
+    if (humanParts.length >= 6 && bytesParts.length >= 6) {
+      totalHuman = humanParts[1] || null;
+      usedHuman = humanParts[2] || null;
+      availableHuman = humanParts[3] || null;
+
+      const totalBytes = Number(bytesParts[1]);
+      const usedBytes = Number(bytesParts[2]);
+
+      if (
+        Number.isFinite(totalBytes) &&
+        Number.isFinite(usedBytes) &&
+        totalBytes > 0
+      ) {
+        diskPercent = Math.max(
+          0,
+          Math.min(100, (usedBytes / totalBytes) * 100),
+        );
+      }
+    }
+  } catch (e) {
+    diskPercent = null;
+    usedHuman = null;
+    totalHuman = null;
+    availableHuman = null;
+  }
+
+  return {
+    percent: toFixedNum(diskPercent, 0),
+    usedHuman,
+    totalHuman,
+    availableHuman,
+  };
+}

src/backend/ssh/widgets/login-stats-collector.ts

@@ -0,0 +1,122 @@
+import type { Client } from "ssh2";
+import { execCommand } from "./common-utils.js";
+
+export interface LoginRecord {
+  user: string;
+  ip: string;
+  time: string;
+  status: "success" | "failed";
+}
+
+export interface LoginStats {
+  recentLogins: LoginRecord[];
+  failedLogins: LoginRecord[];
+  totalLogins: number;
+  uniqueIPs: number;
+}
+
+export async function collectLoginStats(client: Client): Promise<LoginStats> {
+  const recentLogins: LoginRecord[] = [];
+  const failedLogins: LoginRecord[] = [];
+  const ipSet = new Set<string>();
+
+  try {
+    const lastOut = await execCommand(
+      client,
+      "last -n 20 -F -w | grep -v 'reboot' | grep -v 'wtmp' | head -20",
+    );
+
+    const lastLines = lastOut.stdout
+      .split("\n")
+      .map((l) => l.trim())
+      .filter(Boolean);
+
+    for (const line of lastLines) {
+      const parts = line.split(/\s+/);
+      if (parts.length >= 10) {
+        const user = parts[0];
+        const tty = parts[1];
+        const ip =
+          parts[2] === ":" || parts[2].startsWith(":") ? "local" : parts[2];
+
+        const timeStart = parts.indexOf(
+          parts.find((p) => /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)/.test(p)) || "",
+        );
+        if (timeStart > 0 && parts.length > timeStart + 4) {
+          const timeStr = parts.slice(timeStart, timeStart + 5).join(" ");
+
+          if (user && user !== "wtmp" && tty !== "system") {
+            recentLogins.push({
+              user,
+              ip,
+              time: new Date(timeStr).toISOString(),
+              status: "success",
+            });
+            if (ip !== "local") {
+              ipSet.add(ip);
+            }
+          }
+        }
+      }
+    }
+  } catch (e) {
+    // Ignore errors
+  }
+
+  try {
+    const failedOut = await execCommand(
+      client,
+      "grep 'Failed password' /var/log/auth.log 2>/dev/null | tail -10 || grep 'authentication failure' /var/log/secure 2>/dev/null | tail -10 || echo ''",
+    );
+
+    const failedLines = failedOut.stdout
+      .split("\n")
+      .map((l) => l.trim())
+      .filter(Boolean);
+
+    for (const line of failedLines) {
+      let user = "unknown";
+      let ip = "unknown";
+      let timeStr = "";
+
+      const userMatch = line.match(/for (?:invalid user )?(\S+)/);
+      if (userMatch) {
+        user = userMatch[1];
+      }
+
+      const ipMatch = line.match(/from (\d+\.\d+\.\d+\.\d+)/);
+      if (ipMatch) {
+        ip = ipMatch[1];
+      }
+
+      const dateMatch = line.match(/^(\w+\s+\d+\s+\d+:\d+:\d+)/);
+      if (dateMatch) {
+        const currentYear = new Date().getFullYear();
+        timeStr = `${currentYear} ${dateMatch[1]}`;
+      }
+
+      if (user && ip) {
+        failedLogins.push({
+          user,
+          ip,
+          time: timeStr
+            ? new Date(timeStr).toISOString()
+            : new Date().toISOString(),
+          status: "failed",
+        });
+        if (ip !== "unknown") {
+          ipSet.add(ip);
+        }
+      }
+    }
+  } catch (e) {
+    // Ignore errors
+  }
+
+  return {
+    recentLogins: recentLogins.slice(0, 10),
+    failedLogins: failedLogins.slice(0, 10),
+    totalLogins: recentLogins.length,
+    uniqueIPs: ipSet.size,
+  };
+}

src/backend/ssh/widgets/memory-collector.ts

@@ -0,0 +1,41 @@
+import type { Client } from "ssh2";
+import { execCommand, toFixedNum, kibToGiB } from "./common-utils.js";
+
+export async function collectMemoryMetrics(client: Client): Promise<{
+  percent: number | null;
+  usedGiB: number | null;
+  totalGiB: number | null;
+}> {
+  let memPercent: number | null = null;
+  let usedGiB: number | null = null;
+  let totalGiB: number | null = null;
+
+  try {
+    const memInfo = await execCommand(client, "cat /proc/meminfo");
+    const lines = memInfo.stdout.split("\n");
+    const getVal = (key: string) => {
+      const line = lines.find((l) => l.startsWith(key));
+      if (!line) return null;
+      const m = line.match(/\d+/);
+      return m ? Number(m[0]) : null;
+    };
+    const totalKb = getVal("MemTotal:");
+    const availKb = getVal("MemAvailable:");
+    if (totalKb && availKb && totalKb > 0) {
+      const usedKb = totalKb - availKb;
+      memPercent = Math.max(0, Math.min(100, (usedKb / totalKb) * 100));
+      usedGiB = kibToGiB(usedKb);
+      totalGiB = kibToGiB(totalKb);
+    }
+  } catch (e) {
+    memPercent = null;
+    usedGiB = null;
+    totalGiB = null;
+  }
+
+  return {
+    percent: toFixedNum(memPercent, 0),
+    usedGiB: usedGiB ? toFixedNum(usedGiB, 2) : null,
+    totalGiB: totalGiB ? toFixedNum(totalGiB, 2) : null,
+  };
+}

src/backend/ssh/widgets/network-collector.ts

@@ -0,0 +1,79 @@
+import type { Client } from "ssh2";
+import { execCommand } from "./common-utils.js";
+import { statsLogger } from "../../utils/logger.js";
+
+export async function collectNetworkMetrics(client: Client): Promise<{
+  interfaces: Array<{
+    name: string;
+    ip: string;
+    state: string;
+    rxBytes: string | null;
+    txBytes: string | null;
+  }>;
+}> {
+  const interfaces: Array<{
+    name: string;
+    ip: string;
+    state: string;
+    rxBytes: string | null;
+    txBytes: string | null;
+  }> = [];
+
+  try {
+    const ifconfigOut = await execCommand(
+      client,
+      "ip -o addr show | awk '{print $2,$4}' | grep -v '^lo'",
+    );
+    const netStatOut = await execCommand(
+      client,
+      "ip -o link show | awk '{gsub(/:/, \"\", $2); print $2,$9}'",
+    );
+
+    const addrs = ifconfigOut.stdout
+      .split("\n")
+      .map((l) => l.trim())
+      .filter(Boolean);
+    const states = netStatOut.stdout
+      .split("\n")
+      .map((l) => l.trim())
+      .filter(Boolean);
+
+    const ifMap = new Map<string, { ip: string; state: string }>();
+    for (const line of addrs) {
+      const parts = line.split(/\s+/);
+      if (parts.length >= 2) {
+        const name = parts[0];
+        const ip = parts[1].split("/")[0];
+        if (!ifMap.has(name)) ifMap.set(name, { ip, state: "UNKNOWN" });
+      }
+    }
+    for (const line of states) {
+      const parts = line.split(/\s+/);
+      if (parts.length >= 2) {
+        const name = parts[0];
+        const state = parts[1];
+        const existing = ifMap.get(name);
+        if (existing) {
+          existing.state = state;
+        }
+      }
+    }
+
+    for (const [name, data] of ifMap.entries()) {
+      interfaces.push({
+        name,
+        ip: data.ip,
+        state: data.state,
+        rxBytes: null,
+        txBytes: null,
+      });
+    }
+  } catch (e) {
+    statsLogger.debug("Failed to collect network interface stats", {
+      operation: "network_stats_failed",
+      error: e instanceof Error ? e.message : String(e),
+    });
+  }
+
+  return { interfaces };
+}

src/backend/ssh/widgets/processes-collector.ts

@@ -0,0 +1,63 @@
+import type { Client } from "ssh2";
+import { execCommand } from "./common-utils.js";
+import { statsLogger } from "../../utils/logger.js";
+
+export async function collectProcessesMetrics(client: Client): Promise<{
+  total: number | null;
+  running: number | null;
+  top: Array<{
+    pid: string;
+    user: string;
+    cpu: string;
+    mem: string;
+    command: string;
+  }>;
+}> {
+  let totalProcesses: number | null = null;
+  let runningProcesses: number | null = null;
+  const topProcesses: Array<{
+    pid: string;
+    user: string;
+    cpu: string;
+    mem: string;
+    command: string;
+  }> = [];
+
+  try {
+    const psOut = await execCommand(client, "ps aux --sort=-%cpu | head -n 11");
+    const psLines = psOut.stdout
+      .split("\n")
+      .map((l) => l.trim())
+      .filter(Boolean);
+    if (psLines.length > 1) {
+      for (let i = 1; i < Math.min(psLines.length, 11); i++) {
+        const parts = psLines[i].split(/\s+/);
+        if (parts.length >= 11) {
+          topProcesses.push({
+            pid: parts[1],
+            user: parts[0],
+            cpu: parts[2],
+            mem: parts[3],
+            command: parts.slice(10).join(" ").substring(0, 50),
+          });
+        }
+      }
+    }
+
+    const procCount = await execCommand(client, "ps aux | wc -l");
+    const runningCount = await execCommand(client, "ps aux | grep -c ' R '");
+    totalProcesses = Number(procCount.stdout.trim()) - 1;
+    runningProcesses = Number(runningCount.stdout.trim());
+  } catch (e) {
+    statsLogger.debug("Failed to collect process stats", {
+      operation: "process_stats_failed",
+      error: e instanceof Error ? e.message : String(e),
+    });
+  }
+
+  return {
+    total: totalProcesses,
+    running: runningProcesses,
+    top: topProcesses,
+  };
+}

src/backend/ssh/widgets/system-collector.ts

@@ -0,0 +1,37 @@
+import type { Client } from "ssh2";
+import { execCommand } from "./common-utils.js";
+import { statsLogger } from "../../utils/logger.js";
+
+export async function collectSystemMetrics(client: Client): Promise<{
+  hostname: string | null;
+  kernel: string | null;
+  os: string | null;
+}> {
+  let hostname: string | null = null;
+  let kernel: string | null = null;
+  let os: string | null = null;
+
+  try {
+    const hostnameOut = await execCommand(client, "hostname");
+    const kernelOut = await execCommand(client, "uname -r");
+    const osOut = await execCommand(
+      client,
+      "cat /etc/os-release | grep '^PRETTY_NAME=' | cut -d'\"' -f2",
+    );
+
+    hostname = hostnameOut.stdout.trim() || null;
+    kernel = kernelOut.stdout.trim() || null;
+    os = osOut.stdout.trim() || null;
+  } catch (e) {
+    statsLogger.debug("Failed to collect system info", {
+      operation: "system_info_failed",
+      error: e instanceof Error ? e.message : String(e),
+    });
+  }
+
+  return {
+    hostname,
+    kernel,
+    os,
+  };
+}

src/backend/ssh/widgets/uptime-collector.ts

@@ -0,0 +1,35 @@
+import type { Client } from "ssh2";
+import { execCommand } from "./common-utils.js";
+import { statsLogger } from "../../utils/logger.js";
+
+export async function collectUptimeMetrics(client: Client): Promise<{
+  seconds: number | null;
+  formatted: string | null;
+}> {
+  let uptimeSeconds: number | null = null;
+  let uptimeFormatted: string | null = null;
+
+  try {
+    const uptimeOut = await execCommand(client, "cat /proc/uptime");
+    const uptimeParts = uptimeOut.stdout.trim().split(/\s+/);
+    if (uptimeParts.length >= 1) {
+      uptimeSeconds = Number(uptimeParts[0]);
+      if (Number.isFinite(uptimeSeconds)) {
+        const days = Math.floor(uptimeSeconds / 86400);
+        const hours = Math.floor((uptimeSeconds % 86400) / 3600);
+        const minutes = Math.floor((uptimeSeconds % 3600) / 60);
+        uptimeFormatted = `${days}d ${hours}h ${minutes}m`;
+      }
+    }
+  } catch (e) {
+    statsLogger.debug("Failed to collect uptime", {
+      operation: "uptime_failed",
+      error: e instanceof Error ? e.message : String(e),
+    });
+  }
+
+  return {
+    seconds: uptimeSeconds,
+    formatted: uptimeFormatted,
+  };
+}

src/backend/starter.ts

@@ -21,7 +21,7 @@ import { systemLogger, versionLogger } from "./utils/logger.js";
       if (persistentConfig.parsed) {
         Object.assign(process.env, persistentConfig.parsed);
       }
-    } catch {}
+    } catch (error) {}
 
     let version = "unknown";
 
@@ -73,7 +73,7 @@ import { systemLogger, versionLogger } from "./utils/logger.js";
           version = foundVersion;
           break;
         }
-      } catch (error) {
+      } catch {
         continue;
       }
     }
@@ -102,6 +102,7 @@ import { systemLogger, versionLogger } from "./utils/logger.js";
     await import("./ssh/tunnel.js");
     await import("./ssh/file-manager.js");
     await import("./ssh/server-stats.js");
+    await import("./dashboard.js");
 
     process.on("SIGINT", () => {
       systemLogger.info(
@@ -126,7 +127,7 @@ import { systemLogger, versionLogger } from "./utils/logger.js";
       process.exit(1);
     });
 
-    process.on("unhandledRejection", (reason, promise) => {
+    process.on("unhandledRejection", (reason) => {
       systemLogger.error("Unhandled promise rejection", reason, {
         operation: "error_handling",
       });

src/backend/utils/auth-manager.ts

@@ -4,6 +4,11 @@ import { SystemCrypto } from "./system-crypto.js";
 import { DataCrypto } from "./data-crypto.js";
 import { databaseLogger } from "./logger.js";
 import type { Request, Response, NextFunction } from "express";
+import { db } from "../database/db/index.js";
+import { sessions } from "../database/db/schema.js";
+import { eq, and, sql } from "drizzle-orm";
+import { nanoid } from "nanoid";
+import type { DeviceType } from "./user-agent-parser.js";
 
 interface AuthenticationResult {
   success: boolean;
@@ -18,16 +23,28 @@ interface AuthenticationResult {
 
 interface JWTPayload {
   userId: string;
+  sessionId?: string;
   pendingTOTP?: boolean;
   iat?: number;
   exp?: number;
 }
 
+interface AuthenticatedRequest extends Request {
+  userId?: string;
+  pendingTOTP?: boolean;
+  dataKey?: Buffer;
+}
+
+interface RequestWithHeaders extends Request {
+  headers: Request["headers"] & {
+    "x-forwarded-proto"?: string;
+  };
+}
+
 class AuthManager {
   private static instance: AuthManager;
   private systemCrypto: SystemCrypto;
   private userCrypto: UserCrypto;
-  private invalidatedTokens: Set<string> = new Set();
 
   private constructor() {
     this.systemCrypto = SystemCrypto.getInstance();
@@ -36,6 +53,21 @@ class AuthManager {
     this.userCrypto.setSessionExpiredCallback((userId: string) => {
       this.invalidateUserTokens(userId);
     });
+
+    setInterval(
+      () => {
+        this.cleanupExpiredSessions().catch((error) => {
+          databaseLogger.error(
+            "Failed to run periodic session cleanup",
+            error,
+            {
+              operation: "session_cleanup_periodic",
+            },
+          );
+        });
+      },
+      5 * 60 * 1000,
+    );
   }
 
   static getInstance(): AuthManager {
@@ -53,24 +85,25 @@ class AuthManager {
     await this.userCrypto.setupUserEncryption(userId, password);
   }
 
-  async registerOIDCUser(userId: string): Promise<void> {
-    await this.userCrypto.setupOIDCUserEncryption(userId);
+  async registerOIDCUser(
+    userId: string,
+    sessionDurationMs: number,
+  ): Promise<void> {
+    await this.userCrypto.setupOIDCUserEncryption(userId, sessionDurationMs);
   }
 
-  async authenticateOIDCUser(userId: string): Promise<boolean> {
-    const authenticated = await this.userCrypto.authenticateOIDCUser(userId);
+  async authenticateOIDCUser(
+    userId: string,
+    deviceType?: DeviceType,
+  ): Promise<boolean> {
+    const sessionDurationMs =
+      deviceType === "desktop" || deviceType === "mobile"
+        ? 30 * 24 * 60 * 60 * 1000
+        : 7 * 24 * 60 * 60 * 1000;
 
-    if (authenticated) {
-      await this.performLazyEncryptionMigration(userId);
-    }
-
-    return authenticated;
-  }
-
-  async authenticateUser(userId: string, password: string): Promise<boolean> {
-    const authenticated = await this.userCrypto.authenticateUser(
+    const authenticated = await this.userCrypto.authenticateOIDCUser(
       userId,
-      password,
+      sessionDurationMs,
     );
 
     if (authenticated) {
@@ -80,6 +113,33 @@ class AuthManager {
     return authenticated;
   }
 
+  async authenticateUser(
+    userId: string,
+    password: string,
+    deviceType?: DeviceType,
+  ): Promise<boolean> {
+    const sessionDurationMs =
+      deviceType === "desktop" || deviceType === "mobile"
+        ? 30 * 24 * 60 * 60 * 1000
+        : 7 * 24 * 60 * 60 * 1000;
+
+    const authenticated = await this.userCrypto.authenticateUser(
+      userId,
+      password,
+      sessionDurationMs,
+    );
+
+    if (authenticated) {
+      await this.performLazyEncryptionMigration(userId);
+    }
+
+    return authenticated;
+  }
+
+  async convertToOIDCEncryption(userId: string): Promise<void> {
+    await this.userCrypto.convertToOIDCEncryption(userId);
+  }
+
   private async performLazyEncryptionMigration(userId: string): Promise<void> {
     try {
       const userDataKey = this.getUserDataKey(userId);
@@ -108,7 +168,6 @@ class AuthManager {
 
       if (migrationResult.migrated) {
         await saveMemoryDatabaseToFile();
-      } else {
       }
     } catch (error) {
       databaseLogger.error("Lazy encryption migration failed", error, {
@@ -121,50 +180,323 @@ class AuthManager {
 
   async generateJWTToken(
     userId: string,
-    options: { expiresIn?: string; pendingTOTP?: boolean } = {},
+    options: {
+      expiresIn?: string;
+      pendingTOTP?: boolean;
+      deviceType?: DeviceType;
+      deviceInfo?: string;
+    } = {},
   ): Promise<string> {
     const jwtSecret = await this.systemCrypto.getJWTSecret();
 
+    let expiresIn = options.expiresIn;
+    if (!expiresIn && !options.pendingTOTP) {
+      if (options.deviceType === "desktop" || options.deviceType === "mobile") {
+        expiresIn = "30d";
+      } else {
+        expiresIn = "7d";
+      }
+    } else if (!expiresIn) {
+      expiresIn = "7d";
+    }
+
     const payload: JWTPayload = { userId };
     if (options.pendingTOTP) {
       payload.pendingTOTP = true;
     }
 
-    return jwt.sign(payload, jwtSecret, {
-      expiresIn: options.expiresIn || "24h",
-    } as jwt.SignOptions);
+    if (!options.pendingTOTP && options.deviceType && options.deviceInfo) {
+      const sessionId = nanoid();
+      payload.sessionId = sessionId;
+
+      const token = jwt.sign(payload, jwtSecret, {
+        expiresIn,
+      } as jwt.SignOptions);
+
+      const expirationMs = this.parseExpiresIn(expiresIn);
+      const now = new Date();
+      const expiresAt = new Date(now.getTime() + expirationMs).toISOString();
+      const createdAt = now.toISOString();
+
+      try {
+        await db.insert(sessions).values({
+          id: sessionId,
+          userId,
+          jwtToken: token,
+          deviceType: options.deviceType,
+          deviceInfo: options.deviceInfo,
+          createdAt,
+          expiresAt,
+          lastActiveAt: createdAt,
+        });
+
+        try {
+          const { saveMemoryDatabaseToFile } = await import(
+            "../database/db/index.js"
+          );
+          await saveMemoryDatabaseToFile();
+        } catch (saveError) {
+          databaseLogger.error(
+            "Failed to save database after session creation",
+            saveError,
+            {
+              operation: "session_create_db_save_failed",
+              sessionId,
+            },
+          );
+        }
+      } catch (error) {
+        databaseLogger.error("Failed to create session", error, {
+          operation: "session_create_failed",
+          userId,
+          sessionId,
+        });
+      }
+
+      return token;
+    }
+
+    return jwt.sign(payload, jwtSecret, { expiresIn } as jwt.SignOptions);
+  }
+
+  private parseExpiresIn(expiresIn: string): number {
+    const match = expiresIn.match(/^(\d+)([smhd])$/);
+    if (!match) return 7 * 24 * 60 * 60 * 1000;
+
+    const value = parseInt(match[1]);
+    const unit = match[2];
+
+    switch (unit) {
+      case "s":
+        return value * 1000;
+      case "m":
+        return value * 60 * 1000;
+      case "h":
+        return value * 60 * 60 * 1000;
+      case "d":
+        return value * 24 * 60 * 60 * 1000;
+      default:
+        return 7 * 24 * 60 * 60 * 1000;
+    }
   }
 
   async verifyJWTToken(token: string): Promise<JWTPayload | null> {
     try {
-      if (this.invalidatedTokens.has(token)) {
-        return null;
-      }
-
       const jwtSecret = await this.systemCrypto.getJWTSecret();
+
       const payload = jwt.verify(token, jwtSecret) as JWTPayload;
+
+      if (payload.sessionId) {
+        try {
+          const sessionRecords = await db
+            .select()
+            .from(sessions)
+            .where(eq(sessions.id, payload.sessionId))
+            .limit(1);
+
+          if (sessionRecords.length === 0) {
+            databaseLogger.warn("Session not found during JWT verification", {
+              operation: "jwt_verify_session_not_found",
+              sessionId: payload.sessionId,
+              userId: payload.userId,
+            });
+            return null;
+          }
+        } catch (dbError) {
+          databaseLogger.error(
+            "Failed to check session in database during JWT verification",
+            dbError,
+            {
+              operation: "jwt_verify_session_check_failed",
+              sessionId: payload.sessionId,
+            },
+          );
+          return null;
+        }
+      }
       return payload;
     } catch (error) {
       databaseLogger.warn("JWT verification failed", {
         operation: "jwt_verify_failed",
         error: error instanceof Error ? error.message : "Unknown error",
+        errorName: error instanceof Error ? error.name : "Unknown",
       });
       return null;
     }
   }
 
-  invalidateJWTToken(token: string): void {
-    this.invalidatedTokens.add(token);
+  invalidateJWTToken(token: string): void {}
+
+  invalidateUserTokens(userId: string): void {}
+
+  async revokeSession(sessionId: string): Promise<boolean> {
+    try {
+      await db.delete(sessions).where(eq(sessions.id, sessionId));
+
+      try {
+        const { saveMemoryDatabaseToFile } = await import(
+          "../database/db/index.js"
+        );
+        await saveMemoryDatabaseToFile();
+      } catch (saveError) {
+        databaseLogger.error(
+          "Failed to save database after session revocation",
+          saveError,
+          {
+            operation: "session_revoke_db_save_failed",
+            sessionId,
+          },
+        );
+      }
+
+      return true;
+    } catch (error) {
+      databaseLogger.error("Failed to delete session", error, {
+        operation: "session_delete_failed",
+        sessionId,
+      });
+      return false;
+    }
   }
 
-  invalidateUserTokens(userId: string): void {
-    databaseLogger.info("User tokens invalidated due to data lock", {
-      operation: "user_tokens_invalidate",
-      userId,
-    });
+  async revokeAllUserSessions(
+    userId: string,
+    exceptSessionId?: string,
+  ): Promise<number> {
+    try {
+      const userSessions = await db
+        .select()
+        .from(sessions)
+        .where(eq(sessions.userId, userId));
+
+      const deletedCount = userSessions.filter(
+        (s) => !exceptSessionId || s.id !== exceptSessionId,
+      ).length;
+
+      if (exceptSessionId) {
+        await db
+          .delete(sessions)
+          .where(
+            and(
+              eq(sessions.userId, userId),
+              sql`${sessions.id} != ${exceptSessionId}`,
+            ),
+          );
+      } else {
+        await db.delete(sessions).where(eq(sessions.userId, userId));
+      }
+
+      try {
+        const { saveMemoryDatabaseToFile } = await import(
+          "../database/db/index.js"
+        );
+        await saveMemoryDatabaseToFile();
+      } catch (saveError) {
+        databaseLogger.error(
+          "Failed to save database after revoking all user sessions",
+          saveError,
+          {
+            operation: "user_sessions_revoke_db_save_failed",
+            userId,
+          },
+        );
+      }
+
+      return deletedCount;
+    } catch (error) {
+      databaseLogger.error("Failed to delete user sessions", error, {
+        operation: "user_sessions_delete_failed",
+        userId,
+      });
+      return 0;
+    }
   }
 
-  getSecureCookieOptions(req: any, maxAge: number = 24 * 60 * 60 * 1000) {
+  async cleanupExpiredSessions(): Promise<number> {
+    try {
+      const expiredSessions = await db
+        .select()
+        .from(sessions)
+        .where(sql`${sessions.expiresAt} < datetime('now')`);
+
+      const expiredCount = expiredSessions.length;
+
+      if (expiredCount === 0) {
+        return 0;
+      }
+
+      await db
+        .delete(sessions)
+        .where(sql`${sessions.expiresAt} < datetime('now')`);
+
+      try {
+        const { saveMemoryDatabaseToFile } = await import(
+          "../database/db/index.js"
+        );
+        await saveMemoryDatabaseToFile();
+      } catch (saveError) {
+        databaseLogger.error(
+          "Failed to save database after cleaning up expired sessions",
+          saveError,
+          {
+            operation: "sessions_cleanup_db_save_failed",
+          },
+        );
+      }
+
+      const affectedUsers = new Set(expiredSessions.map((s) => s.userId));
+      for (const userId of affectedUsers) {
+        const remainingSessions = await db
+          .select()
+          .from(sessions)
+          .where(eq(sessions.userId, userId));
+
+        if (remainingSessions.length === 0) {
+          this.userCrypto.logoutUser(userId);
+        }
+      }
+
+      return expiredCount;
+    } catch (error) {
+      databaseLogger.error("Failed to cleanup expired sessions", error, {
+        operation: "sessions_cleanup_failed",
+      });
+      return 0;
+    }
+  }
+
+  async getAllSessions(): Promise<any[]> {
+    try {
+      const allSessions = await db.select().from(sessions);
+      return allSessions;
+    } catch (error) {
+      databaseLogger.error("Failed to get all sessions", error, {
+        operation: "sessions_get_all_failed",
+      });
+      return [];
+    }
+  }
+
+  async getUserSessions(userId: string): Promise<any[]> {
+    try {
+      const userSessions = await db
+        .select()
+        .from(sessions)
+        .where(eq(sessions.userId, userId));
+      return userSessions;
+    } catch (error) {
+      databaseLogger.error("Failed to get user sessions", error, {
+        operation: "sessions_get_user_failed",
+        userId,
+      });
+      return [];
+    }
+  }
+
+  getSecureCookieOptions(
+    req: RequestWithHeaders,
+    maxAge: number = 7 * 24 * 60 * 60 * 1000,
+  ) {
     return {
       httpOnly: false,
       secure: req.secure || req.headers["x-forwarded-proto"] === "https",
@@ -176,10 +508,11 @@ class AuthManager {
 
   createAuthMiddleware() {
     return async (req: Request, res: Response, next: NextFunction) => {
-      let token = req.cookies?.jwt;
+      const authReq = req as AuthenticatedRequest;
+      let token = authReq.cookies?.jwt;
 
       if (!token) {
-        const authHeader = req.headers["authorization"];
+        const authHeader = authReq.headers["authorization"];
         if (authHeader?.startsWith("Bearer ")) {
           token = authHeader.split(" ")[1];
         }
@@ -195,40 +528,142 @@ class AuthManager {
         return res.status(401).json({ error: "Invalid token" });
       }
 
-      (req as any).userId = payload.userId;
-      (req as any).pendingTOTP = payload.pendingTOTP;
+      if (payload.sessionId) {
+        try {
+          const sessionRecords = await db
+            .select()
+            .from(sessions)
+            .where(eq(sessions.id, payload.sessionId))
+            .limit(1);
+
+          if (sessionRecords.length === 0) {
+            databaseLogger.warn("Session not found in middleware", {
+              operation: "middleware_session_not_found",
+              sessionId: payload.sessionId,
+              userId: payload.userId,
+            });
+            return res.status(401).json({
+              error: "Session not found",
+              code: "SESSION_NOT_FOUND",
+            });
+          }
+
+          const session = sessionRecords[0];
+
+          const sessionExpiryTime = new Date(session.expiresAt).getTime();
+          const currentTime = Date.now();
+          const isExpired = sessionExpiryTime < currentTime;
+
+          if (isExpired) {
+            databaseLogger.warn("Session has expired", {
+              operation: "session_expired",
+              sessionId: payload.sessionId,
+              expiresAt: session.expiresAt,
+              expiryTime: sessionExpiryTime,
+              currentTime: currentTime,
+              difference: currentTime - sessionExpiryTime,
+            });
+
+            db.delete(sessions)
+              .where(eq(sessions.id, payload.sessionId))
+              .then(async () => {
+                try {
+                  const { saveMemoryDatabaseToFile } = await import(
+                    "../database/db/index.js"
+                  );
+                  await saveMemoryDatabaseToFile();
+
+                  const remainingSessions = await db
+                    .select()
+                    .from(sessions)
+                    .where(eq(sessions.userId, payload.userId));
+
+                  if (remainingSessions.length === 0) {
+                    this.userCrypto.logoutUser(payload.userId);
+                  }
+                } catch (cleanupError) {
+                  databaseLogger.error(
+                    "Failed to cleanup after expired session",
+                    cleanupError,
+                    {
+                      operation: "expired_session_cleanup_failed",
+                      sessionId: payload.sessionId,
+                    },
+                  );
+                }
+              })
+              .catch((error) => {
+                databaseLogger.error(
+                  "Failed to delete expired session",
+                  error,
+                  {
+                    operation: "expired_session_delete_failed",
+                    sessionId: payload.sessionId,
+                  },
+                );
+              });
+
+            return res.status(401).json({
+              error: "Session has expired",
+              code: "SESSION_EXPIRED",
+            });
+          }
+
+          db.update(sessions)
+            .set({ lastActiveAt: new Date().toISOString() })
+            .where(eq(sessions.id, payload.sessionId))
+            .then(() => {})
+            .catch((error) => {
+              databaseLogger.warn("Failed to update session lastActiveAt", {
+                operation: "session_update_last_active",
+                sessionId: payload.sessionId,
+                error: error instanceof Error ? error.message : "Unknown error",
+              });
+            });
+        } catch (error) {
+          databaseLogger.error("Session check failed in middleware", error, {
+            operation: "middleware_session_check_failed",
+            sessionId: payload.sessionId,
+          });
+          return res.status(500).json({ error: "Session check failed" });
+        }
+      }
+
+      authReq.userId = payload.userId;
+      authReq.pendingTOTP = payload.pendingTOTP;
       next();
     };
   }
 
   createDataAccessMiddleware() {
     return async (req: Request, res: Response, next: NextFunction) => {
-      const userId = (req as any).userId;
+      const authReq = req as AuthenticatedRequest;
+      const userId = authReq.userId;
       if (!userId) {
         return res.status(401).json({ error: "Authentication required" });
       }
 
       const dataKey = this.userCrypto.getUserDataKey(userId);
-      if (!dataKey) {
-        return res.status(401).json({
-          error: "Session expired - please log in again",
-          code: "SESSION_EXPIRED",
-        });
-      }
-
-      (req as any).dataKey = dataKey;
+      authReq.dataKey = dataKey || undefined;
       next();
     };
   }
 
   createAdminMiddleware() {
     return async (req: Request, res: Response, next: NextFunction) => {
-      const authHeader = req.headers["authorization"];
-      if (!authHeader?.startsWith("Bearer ")) {
-        return res.status(401).json({ error: "Missing Authorization header" });
+      let token = req.cookies?.jwt;
+
+      if (!token) {
+        const authHeader = req.headers["authorization"];
+        if (authHeader?.startsWith("Bearer ")) {
+          token = authHeader.split(" ")[1];
+        }
+      }
+
+      if (!token) {
+        return res.status(401).json({ error: "Missing authentication token" });
       }
 
-      const token = authHeader.split(" ")[1];
       const payload = await this.verifyJWTToken(token);
 
       if (!payload) {
@@ -257,8 +692,9 @@ class AuthManager {
           return res.status(403).json({ error: "Admin access required" });
         }
 
-        (req as any).userId = payload.userId;
-        (req as any).pendingTOTP = payload.pendingTOTP;
+        const authReq = req as AuthenticatedRequest;
+        authReq.userId = payload.userId;
+        authReq.pendingTOTP = payload.pendingTOTP;
         next();
       } catch (error) {
         databaseLogger.error("Failed to verify admin privileges", error, {
@@ -272,8 +708,47 @@ class AuthManager {
     };
   }
 
-  logoutUser(userId: string): void {
-    this.userCrypto.logoutUser(userId);
+  async logoutUser(userId: string, sessionId?: string): Promise<void> {
+    if (sessionId) {
+      try {
+        await db.delete(sessions).where(eq(sessions.id, sessionId));
+
+        try {
+          const { saveMemoryDatabaseToFile } = await import(
+            "../database/db/index.js"
+          );
+          await saveMemoryDatabaseToFile();
+        } catch (saveError) {
+          databaseLogger.error(
+            "Failed to save database after logout",
+            saveError,
+            {
+              operation: "logout_db_save_failed",
+              userId,
+              sessionId,
+            },
+          );
+        }
+
+        const remainingSessions = await db
+          .select()
+          .from(sessions)
+          .where(eq(sessions.userId, userId));
+
+        if (remainingSessions.length === 0) {
+          this.userCrypto.logoutUser(userId);
+        } else {
+        }
+      } catch (error) {
+        databaseLogger.error("Failed to delete session on logout", error, {
+          operation: "session_delete_logout_failed",
+          userId,
+          sessionId,
+        });
+      }
+    } else {
+      this.userCrypto.logoutUser(userId);
+    }
   }
 
   getUserDataKey(userId: string): Buffer | null {

src/backend/utils/auto-ssl-setup.ts

@@ -1,7 +1,6 @@
 import { execSync } from "child_process";
 import { promises as fs } from "fs";
 import path from "path";
-import crypto from "crypto";
 import { systemLogger } from "./logger.js";
 
 export class AutoSSLSetup {
@@ -102,7 +101,7 @@ export class AutoSSLSetup {
     try {
       try {
         execSync("openssl version", { stdio: "pipe" });
-      } catch (error) {
+      } catch {
         throw new Error(
           "OpenSSL is not installed or not available in PATH. Please install OpenSSL to enable SSL certificate generation.",
         );
@@ -234,7 +233,7 @@ IP.3 = 0.0.0.0
     let envContent = "";
     try {
       envContent = await fs.readFile(this.ENV_FILE, "utf8");
-    } catch {}
+    } catch (error) {}
 
     let updatedContent = envContent;
     let hasChanges = false;

src/backend/utils/data-crypto.ts

@@ -3,6 +3,19 @@ import { LazyFieldEncryption } from "./lazy-field-encryption.js";
 import { UserCrypto } from "./user-crypto.js";
 import { databaseLogger } from "./logger.js";
 
+interface DatabaseInstance {
+  prepare: (sql: string) => {
+    all: (param?: unknown) => DatabaseRecord[];
+    get: (param?: unknown) => DatabaseRecord;
+    run: (...params: unknown[]) => unknown;
+  };
+}
+
+interface DatabaseRecord {
+  id: number | string;
+  [key: string]: unknown;
+}
+
 class DataCrypto {
   private static userCrypto: UserCrypto;
 
@@ -10,13 +23,13 @@ class DataCrypto {
     this.userCrypto = UserCrypto.getInstance();
   }
 
-  static encryptRecord(
+  static encryptRecord<T extends Record<string, unknown>>(
     tableName: string,
-    record: any,
+    record: T,
     userId: string,
     userDataKey: Buffer,
-  ): any {
-    const encryptedRecord = { ...record };
+  ): T {
+    const encryptedRecord: Record<string, unknown> = { ...record };
     const recordId = record.id || "temp-" + Date.now();
 
     for (const [fieldName, value] of Object.entries(record)) {
@@ -24,24 +37,24 @@ class DataCrypto {
         encryptedRecord[fieldName] = FieldCrypto.encryptField(
           value as string,
           userDataKey,
-          recordId,
+          recordId as string,
           fieldName,
         );
       }
     }
 
-    return encryptedRecord;
+    return encryptedRecord as T;
   }
 
-  static decryptRecord(
+  static decryptRecord<T extends Record<string, unknown>>(
     tableName: string,
-    record: any,
+    record: T,
     userId: string,
     userDataKey: Buffer,
-  ): any {
+  ): T {
     if (!record) return record;
 
-    const decryptedRecord = { ...record };
+    const decryptedRecord: Record<string, unknown> = { ...record };
     const recordId = record.id;
 
     for (const [fieldName, value] of Object.entries(record)) {
@@ -49,21 +62,21 @@ class DataCrypto {
         decryptedRecord[fieldName] = LazyFieldEncryption.safeGetFieldValue(
           value as string,
           userDataKey,
-          recordId,
+          recordId as string,
           fieldName,
         );
       }
     }
 
-    return decryptedRecord;
+    return decryptedRecord as T;
   }
 
-  static decryptRecords(
+  static decryptRecords<T extends Record<string, unknown>>(
     tableName: string,
-    records: any[],
+    records: T[],
     userId: string,
     userDataKey: Buffer,
-  ): any[] {
+  ): T[] {
     if (!Array.isArray(records)) return records;
     return records.map((record) =>
       this.decryptRecord(tableName, record, userId, userDataKey),
@@ -73,7 +86,7 @@ class DataCrypto {
   static async migrateUserSensitiveFields(
     userId: string,
     userDataKey: Buffer,
-    db: any,
+    db: DatabaseInstance,
   ): Promise<{
     migrated: boolean;
     migratedTables: string[];
@@ -84,7 +97,7 @@ class DataCrypto {
     let migratedFieldsCount = 0;
 
     try {
-      const { needsMigration, plaintextFields } =
+      const { needsMigration } =
         await LazyFieldEncryption.checkUserNeedsMigration(
           userId,
           userDataKey,
@@ -97,7 +110,7 @@ class DataCrypto {
 
       const sshDataRecords = db
         .prepare("SELECT * FROM ssh_data WHERE user_id = ?")
-        .all(userId);
+        .all(userId) as DatabaseRecord[];
       for (const record of sshDataRecords) {
         const sensitiveFields =
           LazyFieldEncryption.getSensitiveFieldsForTable("ssh_data");
@@ -112,13 +125,17 @@ class DataCrypto {
         if (needsUpdate) {
           const updateQuery = `
             UPDATE ssh_data
-            SET password = ?, key = ?, key_password = ?, updated_at = CURRENT_TIMESTAMP
+            SET password = ?, key = ?, key_password = ?, key_type = ?, autostart_password = ?, autostart_key = ?, autostart_key_password = ?, updated_at = CURRENT_TIMESTAMP
             WHERE id = ?
           `;
           db.prepare(updateQuery).run(
             updatedRecord.password || null,
             updatedRecord.key || null,
-            updatedRecord.key_password || null,
+            updatedRecord.key_password || updatedRecord.keyPassword || null,
+            updatedRecord.keyType || null,
+            updatedRecord.autostartPassword || null,
+            updatedRecord.autostartKey || null,
+            updatedRecord.autostartKeyPassword || null,
             record.id,
           );
 
@@ -132,7 +149,7 @@ class DataCrypto {
 
       const sshCredentialsRecords = db
         .prepare("SELECT * FROM ssh_credentials WHERE user_id = ?")
-        .all(userId);
+        .all(userId) as DatabaseRecord[];
       for (const record of sshCredentialsRecords) {
         const sensitiveFields =
           LazyFieldEncryption.getSensitiveFieldsForTable("ssh_credentials");
@@ -147,15 +164,16 @@ class DataCrypto {
         if (needsUpdate) {
           const updateQuery = `
             UPDATE ssh_credentials
-            SET password = ?, key = ?, key_password = ?, private_key = ?, public_key = ?, updated_at = CURRENT_TIMESTAMP
+            SET password = ?, key = ?, key_password = ?, private_key = ?, public_key = ?, key_type = ?, updated_at = CURRENT_TIMESTAMP
             WHERE id = ?
           `;
           db.prepare(updateQuery).run(
             updatedRecord.password || null,
             updatedRecord.key || null,
-            updatedRecord.key_password || null,
-            updatedRecord.private_key || null,
-            updatedRecord.public_key || null,
+            updatedRecord.key_password || updatedRecord.keyPassword || null,
+            updatedRecord.private_key || updatedRecord.privateKey || null,
+            updatedRecord.public_key || updatedRecord.publicKey || null,
+            updatedRecord.keyType || null,
             record.id,
           );
 
@@ -169,7 +187,7 @@ class DataCrypto {
 
       const userRecord = db
         .prepare("SELECT * FROM users WHERE id = ?")
-        .get(userId);
+        .get(userId) as DatabaseRecord | undefined;
       if (userRecord) {
         const sensitiveFields =
           LazyFieldEncryption.getSensitiveFieldsForTable("users");
@@ -184,12 +202,18 @@ class DataCrypto {
         if (needsUpdate) {
           const updateQuery = `
             UPDATE users
-            SET totp_secret = ?, totp_backup_codes = ?
+            SET totp_secret = ?, totp_backup_codes = ?, client_secret = ?, oidc_identifier = ?
             WHERE id = ?
           `;
           db.prepare(updateQuery).run(
-            updatedRecord.totp_secret || null,
-            updatedRecord.totp_backup_codes || null,
+            updatedRecord.totp_secret || updatedRecord.totpSecret || null,
+            updatedRecord.totp_backup_codes ||
+              updatedRecord.totpBackupCodes ||
+              null,
+            updatedRecord.client_secret || updatedRecord.clientSecret || null,
+            updatedRecord.oidc_identifier ||
+              updatedRecord.oidcIdentifier ||
+              null,
             userId,
           );
 
@@ -220,7 +244,7 @@ class DataCrypto {
   static async reencryptUserDataAfterPasswordReset(
     userId: string,
     newUserDataKey: Buffer,
-    db: any,
+    db: DatabaseInstance,
   ): Promise<{
     success: boolean;
     reencryptedTables: string[];
@@ -236,24 +260,44 @@ class DataCrypto {
 
     try {
       const tablesToReencrypt = [
-        { table: "ssh_data", fields: ["password", "key", "key_password"] },
+        {
+          table: "ssh_data",
+          fields: [
+            "password",
+            "key",
+            "key_password",
+            "keyPassword",
+            "keyType",
+            "autostartPassword",
+            "autostartKey",
+            "autostartKeyPassword",
+          ],
+        },
         {
           table: "ssh_credentials",
           fields: [
             "password",
             "private_key",
+            "privateKey",
             "key_password",
+            "keyPassword",
             "key",
             "public_key",
+            "publicKey",
+            "keyType",
           ],
         },
         {
           table: "users",
           fields: [
             "client_secret",
+            "clientSecret",
             "totp_secret",
+            "totpSecret",
             "totp_backup_codes",
+            "totpBackupCodes",
             "oidc_identifier",
+            "oidcIdentifier",
           ],
         },
       ];
@@ -262,17 +306,21 @@ class DataCrypto {
         try {
           const records = db
             .prepare(`SELECT * FROM ${table} WHERE user_id = ?`)
-            .all(userId);
+            .all(userId) as DatabaseRecord[];
 
           for (const record of records) {
             const recordId = record.id.toString();
+            const updatedRecord: DatabaseRecord = { ...record };
             let needsUpdate = false;
-            const updatedRecord = { ...record };
 
             for (const fieldName of fields) {
               const fieldValue = record[fieldName];
 
-              if (fieldValue && fieldValue.trim() !== "") {
+              if (
+                fieldValue &&
+                typeof fieldValue === "string" &&
+                fieldValue.trim() !== ""
+              ) {
                 try {
                   const reencryptedValue = FieldCrypto.encryptField(
                     fieldValue,
@@ -345,18 +393,6 @@ class DataCrypto {
 
       result.success = result.errors.length === 0;
 
-      databaseLogger.info(
-        "User data re-encryption completed after password reset",
-        {
-          operation: "password_reset_reencrypt_completed",
-          userId,
-          success: result.success,
-          reencryptedTables: result.reencryptedTables,
-          reencryptedFieldsCount: result.reencryptedFieldsCount,
-          errorsCount: result.errors.length,
-        },
-      );
-
       return result;
     } catch (error) {
       databaseLogger.error(
@@ -384,29 +420,29 @@ class DataCrypto {
     return userDataKey;
   }
 
-  static encryptRecordForUser(
+  static encryptRecordForUser<T extends Record<string, unknown>>(
     tableName: string,
-    record: any,
+    record: T,
     userId: string,
-  ): any {
+  ): T {
     const userDataKey = this.validateUserAccess(userId);
     return this.encryptRecord(tableName, record, userId, userDataKey);
   }
 
-  static decryptRecordForUser(
+  static decryptRecordForUser<T extends Record<string, unknown>>(
     tableName: string,
-    record: any,
+    record: T,
     userId: string,
-  ): any {
+  ): T {
     const userDataKey = this.validateUserAccess(userId);
     return this.decryptRecord(tableName, record, userId, userDataKey);
   }
 
-  static decryptRecordsForUser(
+  static decryptRecordsForUser<T extends Record<string, unknown>>(
     tableName: string,
-    records: any[],
+    records: T[],
     userId: string,
-  ): any[] {
+  ): T[] {
     const userDataKey = this.validateUserAccess(userId);
     return this.decryptRecords(tableName, records, userId, userDataKey);
   }
@@ -435,7 +471,7 @@ class DataCrypto {
       );
 
       return decrypted === testData;
-    } catch (error) {
+    } catch {
       return false;
     }
   }

src/backend/utils/database-file-encryption.ts

@@ -12,6 +12,7 @@ interface EncryptedFileMetadata {
   algorithm: string;
   keySource?: string;
   salt?: string;
+  dataSize?: number;
 }
 
 class DatabaseFileEncryption {
@@ -25,12 +26,17 @@ class DatabaseFileEncryption {
     buffer: Buffer,
     targetPath: string,
   ): Promise<string> {
+    const tmpPath = `${targetPath}.tmp-${Date.now()}-${process.pid}`;
+    const metadataPath = `${targetPath}${this.METADATA_FILE_SUFFIX}`;
+
     try {
       const key = await this.systemCrypto.getDatabaseKey();
-
       const iv = crypto.randomBytes(16);
-
-      const cipher = crypto.createCipheriv(this.ALGORITHM, key, iv) as any;
+      const cipher = crypto.createCipheriv(
+        this.ALGORITHM,
+        key,
+        iv,
+      ) as crypto.CipherGCM;
       const encrypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
       const tag = cipher.getAuthTag();
 
@@ -41,14 +47,55 @@ class DatabaseFileEncryption {
         fingerprint: "termix-v2-systemcrypto",
         algorithm: this.ALGORITHM,
         keySource: "SystemCrypto",
+        dataSize: encrypted.length,
       };
 
-      const metadataPath = `${targetPath}${this.METADATA_FILE_SUFFIX}`;
-      fs.writeFileSync(targetPath, encrypted);
-      fs.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2));
+      const metadataJson = JSON.stringify(metadata, null, 2);
+      const metadataBuffer = Buffer.from(metadataJson, "utf8");
+      const metadataLengthBuffer = Buffer.alloc(4);
+      metadataLengthBuffer.writeUInt32BE(metadataBuffer.length, 0);
+
+      const finalBuffer = Buffer.concat([
+        metadataLengthBuffer,
+        metadataBuffer,
+        encrypted,
+      ]);
+
+      fs.writeFileSync(tmpPath, finalBuffer);
+      fs.renameSync(tmpPath, targetPath);
+
+      try {
+        if (fs.existsSync(metadataPath)) {
+          fs.unlinkSync(metadataPath);
+        }
+      } catch (cleanupError) {
+        databaseLogger.warn("Failed to cleanup old metadata file", {
+          operation: "old_meta_cleanup_failed",
+          path: metadataPath,
+          error:
+            cleanupError instanceof Error
+              ? cleanupError.message
+              : "Unknown error",
+        });
+      }
 
       return targetPath;
     } catch (error) {
+      try {
+        if (fs.existsSync(tmpPath)) {
+          fs.unlinkSync(tmpPath);
+        }
+      } catch (cleanupError) {
+        databaseLogger.warn("Failed to cleanup temporary files", {
+          operation: "temp_file_cleanup_failed",
+          tmpPath,
+          error:
+            cleanupError instanceof Error
+              ? cleanupError.message
+              : "Unknown error",
+        });
+      }
+
       databaseLogger.error("Failed to encrypt database buffer", error, {
         operation: "database_buffer_encryption_failed",
         targetPath,
@@ -70,6 +117,8 @@ class DatabaseFileEncryption {
     const encryptedPath =
       targetPath || `${sourcePath}${this.ENCRYPTED_FILE_SUFFIX}`;
     const metadataPath = `${encryptedPath}${this.METADATA_FILE_SUFFIX}`;
+    const tmpPath = `${encryptedPath}.tmp-${Date.now()}-${process.pid}`;
+    const tmpMetadataPath = `${tmpPath}${this.METADATA_FILE_SUFFIX}`;
 
     try {
       const sourceData = fs.readFileSync(sourcePath);
@@ -78,13 +127,23 @@ class DatabaseFileEncryption {
 
       const iv = crypto.randomBytes(16);
 
-      const cipher = crypto.createCipheriv(this.ALGORITHM, key, iv) as any;
+      const cipher = crypto.createCipheriv(
+        this.ALGORITHM,
+        key,
+        iv,
+      ) as crypto.CipherGCM;
       const encrypted = Buffer.concat([
         cipher.update(sourceData),
         cipher.final(),
       ]);
       const tag = cipher.getAuthTag();
 
+      const keyFingerprint = crypto
+        .createHash("sha256")
+        .update(key)
+        .digest("hex")
+        .substring(0, 16);
+
       const metadata: EncryptedFileMetadata = {
         iv: iv.toString("hex"),
         tag: tag.toString("hex"),
@@ -92,10 +151,14 @@ class DatabaseFileEncryption {
         fingerprint: "termix-v2-systemcrypto",
         algorithm: this.ALGORITHM,
         keySource: "SystemCrypto",
+        dataSize: encrypted.length,
       };
 
-      fs.writeFileSync(encryptedPath, encrypted);
-      fs.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2));
+      fs.writeFileSync(tmpPath, encrypted);
+      fs.writeFileSync(tmpMetadataPath, JSON.stringify(metadata, null, 2));
+
+      fs.renameSync(tmpPath, encryptedPath);
+      fs.renameSync(tmpMetadataPath, metadataPath);
 
       databaseLogger.info("Database file encrypted successfully", {
         operation: "database_file_encryption",
@@ -103,11 +166,30 @@ class DatabaseFileEncryption {
         encryptedPath,
         fileSize: sourceData.length,
         encryptedSize: encrypted.length,
+        keyFingerprint,
         fingerprintPrefix: metadata.fingerprint,
       });
 
       return encryptedPath;
     } catch (error) {
+      try {
+        if (fs.existsSync(tmpPath)) {
+          fs.unlinkSync(tmpPath);
+        }
+        if (fs.existsSync(tmpMetadataPath)) {
+          fs.unlinkSync(tmpMetadataPath);
+        }
+      } catch (cleanupError) {
+        databaseLogger.warn("Failed to cleanup temporary files", {
+          operation: "temp_file_cleanup_failed",
+          tmpPath,
+          error:
+            cleanupError instanceof Error
+              ? cleanupError.message
+              : "Unknown error",
+        });
+      }
+
       databaseLogger.error("Failed to encrypt database file", error, {
         operation: "database_file_encryption_failed",
         sourcePath,
@@ -126,16 +208,69 @@ class DatabaseFileEncryption {
       );
     }
 
-    const metadataPath = `${encryptedPath}${this.METADATA_FILE_SUFFIX}`;
-    if (!fs.existsSync(metadataPath)) {
-      throw new Error(`Metadata file does not exist: ${metadataPath}`);
+    let metadata: EncryptedFileMetadata;
+    let encryptedData: Buffer;
+
+    const fileBuffer = fs.readFileSync(encryptedPath);
+
+    try {
+      const metadataLength = fileBuffer.readUInt32BE(0);
+      const metadataEnd = 4 + metadataLength;
+
+      if (
+        metadataLength <= 0 ||
+        metadataEnd > fileBuffer.length ||
+        metadataEnd <= 4
+      ) {
+        throw new Error("Invalid metadata length in single-file format");
+      }
+
+      const metadataJson = fileBuffer.slice(4, metadataEnd).toString("utf8");
+      metadata = JSON.parse(metadataJson);
+      encryptedData = fileBuffer.slice(metadataEnd);
+
+      if (!metadata.iv || !metadata.tag || !metadata.version) {
+        throw new Error("Invalid metadata structure in single-file format");
+      }
+    } catch (singleFileError) {
+      const metadataPath = `${encryptedPath}${this.METADATA_FILE_SUFFIX}`;
+      if (!fs.existsSync(metadataPath)) {
+        throw new Error(
+          `Could not read database: Not a valid single-file format and metadata file is missing: ${metadataPath}. Error: ${singleFileError.message}`,
+        );
+      }
+
+      try {
+        const metadataContent = fs.readFileSync(metadataPath, "utf8");
+        metadata = JSON.parse(metadataContent);
+        encryptedData = fileBuffer;
+      } catch (twoFileError) {
+        throw new Error(
+          `Failed to read database using both single-file and two-file formats. Error: ${twoFileError.message}`,
+        );
+      }
     }
 
     try {
-      const metadataContent = fs.readFileSync(metadataPath, "utf8");
-      const metadata: EncryptedFileMetadata = JSON.parse(metadataContent);
-
-      const encryptedData = fs.readFileSync(encryptedPath);
+      if (
+        metadata.dataSize !== undefined &&
+        encryptedData.length !== metadata.dataSize
+      ) {
+        databaseLogger.error(
+          "Encrypted file size mismatch - possible corrupted write or mismatched metadata",
+          null,
+          {
+            operation: "database_file_size_mismatch",
+            encryptedPath,
+            actualSize: encryptedData.length,
+            expectedSize: metadata.dataSize,
+          },
+        );
+        throw new Error(
+          `Encrypted file size mismatch: expected ${metadata.dataSize} bytes but got ${encryptedData.length} bytes. ` +
+            `This indicates corrupted files or interrupted write operation.`,
+        );
+      }
 
       let key: Buffer;
       if (metadata.version === "v2") {
@@ -163,7 +298,7 @@ class DatabaseFileEncryption {
         metadata.algorithm,
         key,
         Buffer.from(metadata.iv, "hex"),
-      ) as any;
+      ) as crypto.DecipherGCM;
       decipher.setAuthTag(Buffer.from(metadata.tag, "hex"));
 
       const decryptedBuffer = Buffer.concat([
@@ -173,13 +308,67 @@ class DatabaseFileEncryption {
 
       return decryptedBuffer;
     } catch (error) {
+      const errorMessage =
+        error instanceof Error ? error.message : "Unknown error";
+      const isAuthError =
+        errorMessage.includes("Unsupported state") ||
+        errorMessage.includes("authenticate data") ||
+        errorMessage.includes("auth");
+
+      if (isAuthError) {
+        const dataDir = process.env.DATA_DIR || "./db/data";
+        const envPath = path.join(dataDir, ".env");
+
+        let envFileExists = false;
+        let envFileReadable = false;
+        try {
+          envFileExists = fs.existsSync(envPath);
+          if (envFileExists) {
+            fs.accessSync(envPath, fs.constants.R_OK);
+            envFileReadable = true;
+          }
+        } catch (error) {
+          databaseLogger.debug("Operation failed, continuing", {
+            error: error instanceof Error ? error.message : String(error),
+          });
+        }
+
+        databaseLogger.error(
+          "Database decryption authentication failed - possible causes: wrong DATABASE_KEY, corrupted files, or interrupted write",
+          error,
+          {
+            operation: "database_buffer_decryption_auth_failed",
+            encryptedPath,
+            dataDir,
+            envPath,
+            envFileExists,
+            envFileReadable,
+            hasEnvKey: !!process.env.DATABASE_KEY,
+            envKeyLength: process.env.DATABASE_KEY?.length || 0,
+            suggestion:
+              "Check if DATABASE_KEY in .env matches the key used for encryption",
+          },
+        );
+        throw new Error(
+          `Database decryption authentication failed. This usually means:\n` +
+            `1. DATABASE_KEY has changed or is missing from ${dataDir}/.env\n` +
+            `2. Encrypted file was corrupted during write (system crash/restart)\n` +
+            `3. Metadata file does not match encrypted data\n` +
+            `\nDebug info:\n` +
+            `- DATA_DIR: ${dataDir}\n` +
+            `- .env file exists: ${envFileExists}\n` +
+            `- .env file readable: ${envFileReadable}\n` +
+            `- DATABASE_KEY in environment: ${!!process.env.DATABASE_KEY}\n` +
+            `Original error: ${errorMessage}`,
+        );
+      }
+
       databaseLogger.error("Failed to decrypt database to buffer", error, {
         operation: "database_buffer_decryption_failed",
         encryptedPath,
+        errorMessage,
       });
-      throw new Error(
-        `Database buffer decryption failed: ${error instanceof Error ? error.message : "Unknown error"}`,
-      );
+      throw new Error(`Database buffer decryption failed: ${errorMessage}`);
     }
   }
 
@@ -207,6 +396,26 @@ class DatabaseFileEncryption {
 
       const encryptedData = fs.readFileSync(encryptedPath);
 
+      if (
+        metadata.dataSize !== undefined &&
+        encryptedData.length !== metadata.dataSize
+      ) {
+        databaseLogger.error(
+          "Encrypted file size mismatch - possible corrupted write or mismatched metadata",
+          null,
+          {
+            operation: "database_file_size_mismatch",
+            encryptedPath,
+            actualSize: encryptedData.length,
+            expectedSize: metadata.dataSize,
+          },
+        );
+        throw new Error(
+          `Encrypted file size mismatch: expected ${metadata.dataSize} bytes but got ${encryptedData.length} bytes. ` +
+            `This indicates corrupted files or interrupted write operation.`,
+        );
+      }
+
       let key: Buffer;
       if (metadata.version === "v2") {
         key = await this.systemCrypto.getDatabaseKey();
@@ -233,7 +442,7 @@ class DatabaseFileEncryption {
         metadata.algorithm,
         key,
         Buffer.from(metadata.iv, "hex"),
-      ) as any;
+      ) as crypto.DecipherGCM;
       decipher.setAuthTag(Buffer.from(metadata.tag, "hex"));
 
       const decrypted = Buffer.concat([
@@ -266,18 +475,43 @@ class DatabaseFileEncryption {
   }
 
   static isEncryptedDatabaseFile(filePath: string): boolean {
-    const metadataPath = `${filePath}${this.METADATA_FILE_SUFFIX}`;
-
-    if (!fs.existsSync(filePath) || !fs.existsSync(metadataPath)) {
+    if (!fs.existsSync(filePath)) {
       return false;
     }
 
+    const metadataPath = `${filePath}${this.METADATA_FILE_SUFFIX}`;
+    if (fs.existsSync(metadataPath)) {
+      try {
+        const metadataContent = fs.readFileSync(metadataPath, "utf8");
+        const metadata: EncryptedFileMetadata = JSON.parse(metadataContent);
+        return (
+          metadata.version === this.VERSION &&
+          metadata.algorithm === this.ALGORITHM
+        );
+      } catch {
+        return false;
+      }
+    }
+
     try {
-      const metadataContent = fs.readFileSync(metadataPath, "utf8");
-      const metadata: EncryptedFileMetadata = JSON.parse(metadataContent);
+      const fileBuffer = fs.readFileSync(filePath);
+      if (fileBuffer.length < 4) return false;
+
+      const metadataLength = fileBuffer.readUInt32BE(0);
+      const metadataEnd = 4 + metadataLength;
+
+      if (metadataLength <= 0 || metadataEnd > fileBuffer.length) {
+        return false;
+      }
+
+      const metadataJson = fileBuffer.slice(4, metadataEnd).toString("utf8");
+      const metadata: EncryptedFileMetadata = JSON.parse(metadataJson);
+
       return (
         metadata.version === this.VERSION &&
-        metadata.algorithm === this.ALGORITHM
+        metadata.algorithm === this.ALGORITHM &&
+        !!metadata.iv &&
+        !!metadata.tag
       );
     } catch {
       return false;
@@ -301,7 +535,6 @@ class DatabaseFileEncryption {
       const metadata: EncryptedFileMetadata = JSON.parse(metadataContent);
 
       const fileStats = fs.statSync(encryptedPath);
-      const currentFingerprint = "termix-v1-file";
 
       return {
         version: metadata.version,
@@ -315,6 +548,125 @@ class DatabaseFileEncryption {
     }
   }
 
+  static getDiagnosticInfo(encryptedPath: string): {
+    dataFile: {
+      exists: boolean;
+      size?: number;
+      mtime?: string;
+      readable?: boolean;
+    };
+    metadataFile: {
+      exists: boolean;
+      size?: number;
+      mtime?: string;
+      readable?: boolean;
+      content?: EncryptedFileMetadata;
+    };
+    environment: {
+      dataDir: string;
+      envPath: string;
+      envFileExists: boolean;
+      envFileReadable: boolean;
+      hasEnvKey: boolean;
+      envKeyLength: number;
+    };
+    validation: {
+      filesConsistent: boolean;
+      sizeMismatch?: boolean;
+      expectedSize?: number;
+      actualSize?: number;
+    };
+  } {
+    const metadataPath = `${encryptedPath}${this.METADATA_FILE_SUFFIX}`;
+    const dataDir = process.env.DATA_DIR || "./db/data";
+    const envPath = path.join(dataDir, ".env");
+
+    const result: ReturnType<typeof this.getDiagnosticInfo> = {
+      dataFile: { exists: false },
+      metadataFile: { exists: false },
+      environment: {
+        dataDir,
+        envPath,
+        envFileExists: false,
+        envFileReadable: false,
+        hasEnvKey: !!process.env.DATABASE_KEY,
+        envKeyLength: process.env.DATABASE_KEY?.length || 0,
+      },
+      validation: {
+        filesConsistent: false,
+      },
+    };
+
+    try {
+      result.dataFile.exists = fs.existsSync(encryptedPath);
+      if (result.dataFile.exists) {
+        try {
+          fs.accessSync(encryptedPath, fs.constants.R_OK);
+          result.dataFile.readable = true;
+          const stats = fs.statSync(encryptedPath);
+          result.dataFile.size = stats.size;
+          result.dataFile.mtime = stats.mtime.toISOString();
+        } catch {
+          result.dataFile.readable = false;
+        }
+      }
+
+      result.metadataFile.exists = fs.existsSync(metadataPath);
+      if (result.metadataFile.exists) {
+        try {
+          fs.accessSync(metadataPath, fs.constants.R_OK);
+          result.metadataFile.readable = true;
+          const stats = fs.statSync(metadataPath);
+          result.metadataFile.size = stats.size;
+          result.metadataFile.mtime = stats.mtime.toISOString();
+
+          const content = fs.readFileSync(metadataPath, "utf8");
+          result.metadataFile.content = JSON.parse(content);
+        } catch {
+          result.metadataFile.readable = false;
+        }
+      }
+
+      result.environment.envFileExists = fs.existsSync(envPath);
+      if (result.environment.envFileExists) {
+        try {
+          fs.accessSync(envPath, fs.constants.R_OK);
+          result.environment.envFileReadable = true;
+        } catch (error) {}
+      }
+
+      if (
+        result.dataFile.exists &&
+        result.metadataFile.exists &&
+        result.metadataFile.content
+      ) {
+        result.validation.filesConsistent = true;
+
+        if (result.metadataFile.content.dataSize !== undefined) {
+          result.validation.expectedSize = result.metadataFile.content.dataSize;
+          result.validation.actualSize = result.dataFile.size;
+          result.validation.sizeMismatch =
+            result.metadataFile.content.dataSize !== result.dataFile.size;
+          if (result.validation.sizeMismatch) {
+            result.validation.filesConsistent = false;
+          }
+        }
+      }
+    } catch (error) {
+      databaseLogger.error("Failed to generate diagnostic info", error, {
+        operation: "diagnostic_info_failed",
+        encryptedPath,
+      });
+    }
+
+    databaseLogger.info("Database encryption diagnostic info", {
+      operation: "diagnostic_info_generated",
+      ...result,
+    });
+
+    return result;
+  }
+
   static async createEncryptedBackup(
     databasePath: string,
     backupDir: string,

src/backend/utils/database-migration.ts

@@ -55,7 +55,6 @@ export class DatabaseMigration {
 
     if (hasEncryptedDb && hasUnencryptedDb) {
       const unencryptedSize = fs.statSync(this.unencryptedDbPath).size;
-      const encryptedSize = fs.statSync(this.encryptedDbPath).size;
 
       if (unencryptedSize === 0) {
         needsMigration = false;
@@ -63,10 +62,6 @@ export class DatabaseMigration {
           "Empty unencrypted database found alongside encrypted database. Removing empty file.";
         try {
           fs.unlinkSync(this.unencryptedDbPath);
-          databaseLogger.info("Removed empty unencrypted database file", {
-            operation: "migration_cleanup_empty",
-            path: this.unencryptedDbPath,
-          });
         } catch (error) {
           databaseLogger.warn("Failed to remove empty unencrypted database", {
             operation: "migration_cleanup_empty_failed",
@@ -168,9 +163,6 @@ export class DatabaseMigration {
         return false;
       }
 
-      let totalOriginalRows = 0;
-      let totalMemoryRows = 0;
-
       for (const table of originalTables) {
         const originalCount = originalDb
           .prepare(`SELECT COUNT(*) as count FROM ${table.name}`)
@@ -179,9 +171,6 @@ export class DatabaseMigration {
           .prepare(`SELECT COUNT(*) as count FROM ${table.name}`)
           .get() as { count: number };
 
-        totalOriginalRows += originalCount.count;
-        totalMemoryRows += memoryCount.count;
-
         if (originalCount.count !== memoryCount.count) {
           databaseLogger.error(
             "Row count mismatch for table during migration verification",
@@ -241,7 +230,9 @@ export class DatabaseMigration {
         memoryDb.exec("PRAGMA foreign_keys = OFF");
 
         for (const table of tables) {
-          const rows = originalDb.prepare(`SELECT * FROM ${table.name}`).all();
+          const rows = originalDb
+            .prepare(`SELECT * FROM ${table.name}`)
+            .all() as Record<string, unknown>[];
 
           if (rows.length > 0) {
             const columns = Object.keys(rows[0]);
@@ -251,7 +242,7 @@ export class DatabaseMigration {
             );
 
             const insertTransaction = memoryDb.transaction(
-              (dataRows: any[]) => {
+              (dataRows: Record<string, unknown>[]) => {
                 for (const row of dataRows) {
                   const values = columns.map((col) => row[col]);
                   insertStmt.run(values);

src/backend/utils/database-save-trigger.ts

@@ -71,11 +71,6 @@ export class DatabaseSaveTrigger {
     this.pendingSave = true;
 
     try {
-      databaseLogger.info("Force saving database", {
-        operation: "db_save_trigger_force_start",
-        reason,
-      });
-
       await this.saveFunction();
     } catch (error) {
       databaseLogger.error("Database force save failed", error, {
@@ -110,9 +105,5 @@ export class DatabaseSaveTrigger {
     this.pendingSave = false;
     this.isInitialized = false;
     this.saveFunction = null;
-
-    databaseLogger.info("Database save trigger cleaned up", {
-      operation: "db_save_trigger_cleanup",
-    });
   }
 }

src/backend/utils/field-crypto.ts

@@ -17,18 +17,36 @@ class FieldCrypto {
   private static readonly ENCRYPTED_FIELDS = {
     users: new Set([
       "password_hash",
+      "passwordHash",
       "client_secret",
+      "clientSecret",
       "totp_secret",
+      "totpSecret",
       "totp_backup_codes",
+      "totpBackupCodes",
       "oidc_identifier",
+      "oidcIdentifier",
+    ]),
+    ssh_data: new Set([
+      "password",
+      "key",
+      "key_password",
+      "keyPassword",
+      "keyType",
+      "autostartPassword",
+      "autostartKey",
+      "autostartKeyPassword",
     ]),
-    ssh_data: new Set(["password", "key", "key_password"]),
     ssh_credentials: new Set([
       "password",
       "private_key",
+      "privateKey",
       "key_password",
+      "keyPassword",
       "key",
       "public_key",
+      "publicKey",
+      "keyType",
     ]),
   };
 
@@ -47,7 +65,11 @@ class FieldCrypto {
     );
 
     const iv = crypto.randomBytes(this.IV_LENGTH);
-    const cipher = crypto.createCipheriv(this.ALGORITHM, fieldKey, iv) as any;
+    const cipher = crypto.createCipheriv(
+      this.ALGORITHM,
+      fieldKey,
+      iv,
+    ) as crypto.CipherGCM;
 
     let encrypted = cipher.update(plaintext, "utf8", "hex");
     encrypted += cipher.final("hex");
@@ -89,7 +111,7 @@ class FieldCrypto {
       this.ALGORITHM,
       fieldKey,
       Buffer.from(encrypted.iv, "hex"),
-    ) as any;
+    ) as crypto.DecipherGCM;
     decipher.setAuthTag(Buffer.from(encrypted.tag, "hex"));
 
     let decrypted = decipher.update(encrypted.data, "hex", "utf8");

src/backend/utils/lazy-field-encryption.ts

@@ -1,6 +1,14 @@
 import { FieldCrypto } from "./field-crypto.js";
 import { databaseLogger } from "./logger.js";
 
+interface DatabaseInstance {
+  prepare: (sql: string) => {
+    all: (param?: unknown) => unknown[];
+    get: (param?: unknown) => unknown;
+    run: (...params: unknown[]) => unknown;
+  };
+}
+
 export class LazyFieldEncryption {
   private static readonly LEGACY_FIELD_NAME_MAP: Record<string, string> = {
     key_password: "keyPassword",
@@ -39,7 +47,7 @@ export class LazyFieldEncryption {
         return false;
       }
       return true;
-    } catch (jsonError) {
+    } catch {
       return true;
     }
   }
@@ -74,7 +82,7 @@ export class LazyFieldEncryption {
               legacyFieldName,
             );
             return decrypted;
-          } catch (legacyError) {}
+          } catch (error) {}
         }
 
         const sensitiveFields = [
@@ -145,7 +153,7 @@ export class LazyFieldEncryption {
           wasPlaintext: false,
           wasLegacyEncryption: false,
         };
-      } catch (error) {
+      } catch {
         const legacyFieldName = this.LEGACY_FIELD_NAME_MAP[fieldName];
         if (legacyFieldName) {
           try {
@@ -166,7 +174,7 @@ export class LazyFieldEncryption {
               wasPlaintext: false,
               wasLegacyEncryption: true,
             };
-          } catch (legacyError) {}
+          } catch (error) {}
         }
         return {
           encrypted: fieldValue,
@@ -178,12 +186,12 @@ export class LazyFieldEncryption {
   }
 
   static migrateRecordSensitiveFields(
-    record: any,
+    record: Record<string, unknown>,
     sensitiveFields: string[],
     userKEK: Buffer,
     recordId: string,
   ): {
-    updatedRecord: any;
+    updatedRecord: Record<string, unknown>;
     migratedFields: string[];
     needsUpdate: boolean;
   } {
@@ -198,7 +206,7 @@ export class LazyFieldEncryption {
         try {
           const { encrypted, wasPlaintext, wasLegacyEncryption } =
             this.migrateFieldToEncrypted(
-              fieldValue,
+              fieldValue as string,
               userKEK,
               recordId,
               fieldName,
@@ -253,7 +261,7 @@ export class LazyFieldEncryption {
     try {
       FieldCrypto.decryptField(fieldValue, userKEK, recordId, fieldName);
       return false;
-    } catch (error) {
+    } catch {
       const legacyFieldName = this.LEGACY_FIELD_NAME_MAP[fieldName];
       if (legacyFieldName) {
         try {
@@ -264,7 +272,7 @@ export class LazyFieldEncryption {
             legacyFieldName,
           );
           return true;
-        } catch (legacyError) {
+        } catch {
           return false;
         }
       }
@@ -275,7 +283,7 @@ export class LazyFieldEncryption {
   static async checkUserNeedsMigration(
     userId: string,
     userKEK: Buffer,
-    db: any,
+    db: DatabaseInstance,
   ): Promise<{
     needsMigration: boolean;
     plaintextFields: Array<{
@@ -294,7 +302,9 @@ export class LazyFieldEncryption {
     try {
       const sshHosts = db
         .prepare("SELECT * FROM ssh_data WHERE user_id = ?")
-        .all(userId);
+        .all(userId) as Array<
+        Record<string, unknown> & { id: string | number }
+      >;
       for (const host of sshHosts) {
         const sensitiveFields = this.getSensitiveFieldsForTable("ssh_data");
         const hostPlaintextFields: string[] = [];
@@ -303,7 +313,7 @@ export class LazyFieldEncryption {
           if (
             host[field] &&
             this.fieldNeedsMigration(
-              host[field],
+              host[field] as string,
               userKEK,
               host.id.toString(),
               field,
@@ -325,7 +335,9 @@ export class LazyFieldEncryption {
 
       const sshCredentials = db
         .prepare("SELECT * FROM ssh_credentials WHERE user_id = ?")
-        .all(userId);
+        .all(userId) as Array<
+        Record<string, unknown> & { id: string | number }
+      >;
       for (const credential of sshCredentials) {
         const sensitiveFields =
           this.getSensitiveFieldsForTable("ssh_credentials");
@@ -335,7 +347,7 @@ export class LazyFieldEncryption {
           if (
             credential[field] &&
             this.fieldNeedsMigration(
-              credential[field],
+              credential[field] as string,
               userKEK,
               credential.id.toString(),
               field,

src/backend/utils/logger.ts

@@ -11,7 +11,7 @@ export interface LogContext {
   sessionId?: string;
   requestId?: string;
   duration?: number;
-  [key: string]: any;
+  [key: string]: unknown;
 }
 
 const SENSITIVE_FIELDS = [
@@ -253,5 +253,6 @@ export const apiLogger = new Logger("API", "🌐", "#3b82f6");
 export const authLogger = new Logger("AUTH", "🔐", "#ef4444");
 export const systemLogger = new Logger("SYSTEM", "🚀", "#14b8a6");
 export const versionLogger = new Logger("VERSION", "📦", "#8b5cf6");
+export const dashboardLogger = new Logger("DASHBOARD", "📊", "#ec4899");
 
 export const logger = systemLogger;

src/backend/utils/login-rate-limiter.ts

@@ -0,0 +1,146 @@
+interface LoginAttempt {
+  count: number;
+  firstAttempt: number;
+  lockedUntil?: number;
+}
+
+class LoginRateLimiter {
+  private ipAttempts = new Map<string, LoginAttempt>();
+  private usernameAttempts = new Map<string, LoginAttempt>();
+
+  private readonly MAX_ATTEMPTS = 5;
+  private readonly WINDOW_MS = 10 * 60 * 1000;
+  private readonly LOCKOUT_MS = 10 * 60 * 1000;
+
+  constructor() {
+    setInterval(() => this.cleanup(), 5 * 60 * 1000);
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+
+    for (const [ip, attempt] of this.ipAttempts.entries()) {
+      if (attempt.lockedUntil && attempt.lockedUntil < now) {
+        this.ipAttempts.delete(ip);
+      } else if (
+        !attempt.lockedUntil &&
+        now - attempt.firstAttempt > this.WINDOW_MS
+      ) {
+        this.ipAttempts.delete(ip);
+      }
+    }
+
+    for (const [username, attempt] of this.usernameAttempts.entries()) {
+      if (attempt.lockedUntil && attempt.lockedUntil < now) {
+        this.usernameAttempts.delete(username);
+      } else if (
+        !attempt.lockedUntil &&
+        now - attempt.firstAttempt > this.WINDOW_MS
+      ) {
+        this.usernameAttempts.delete(username);
+      }
+    }
+  }
+
+  recordFailedAttempt(ip: string, username?: string): void {
+    const now = Date.now();
+
+    const ipAttempt = this.ipAttempts.get(ip);
+    if (!ipAttempt) {
+      this.ipAttempts.set(ip, {
+        count: 1,
+        firstAttempt: now,
+      });
+    } else if (now - ipAttempt.firstAttempt > this.WINDOW_MS) {
+      this.ipAttempts.set(ip, {
+        count: 1,
+        firstAttempt: now,
+      });
+    } else {
+      ipAttempt.count++;
+      if (ipAttempt.count >= this.MAX_ATTEMPTS) {
+        ipAttempt.lockedUntil = now + this.LOCKOUT_MS;
+      }
+    }
+
+    if (username) {
+      const userAttempt = this.usernameAttempts.get(username);
+      if (!userAttempt) {
+        this.usernameAttempts.set(username, {
+          count: 1,
+          firstAttempt: now,
+        });
+      } else if (now - userAttempt.firstAttempt > this.WINDOW_MS) {
+        this.usernameAttempts.set(username, {
+          count: 1,
+          firstAttempt: now,
+        });
+      } else {
+        userAttempt.count++;
+        if (userAttempt.count >= this.MAX_ATTEMPTS) {
+          userAttempt.lockedUntil = now + this.LOCKOUT_MS;
+        }
+      }
+    }
+  }
+
+  resetAttempts(ip: string, username?: string): void {
+    this.ipAttempts.delete(ip);
+    if (username) {
+      this.usernameAttempts.delete(username);
+    }
+  }
+
+  isLocked(
+    ip: string,
+    username?: string,
+  ): { locked: boolean; remainingTime?: number } {
+    const now = Date.now();
+
+    const ipAttempt = this.ipAttempts.get(ip);
+    if (ipAttempt?.lockedUntil && ipAttempt.lockedUntil > now) {
+      return {
+        locked: true,
+        remainingTime: Math.ceil((ipAttempt.lockedUntil - now) / 1000),
+      };
+    }
+
+    if (username) {
+      const userAttempt = this.usernameAttempts.get(username);
+      if (userAttempt?.lockedUntil && userAttempt.lockedUntil > now) {
+        return {
+          locked: true,
+          remainingTime: Math.ceil((userAttempt.lockedUntil - now) / 1000),
+        };
+      }
+    }
+
+    return { locked: false };
+  }
+
+  getRemainingAttempts(ip: string, username?: string): number {
+    const now = Date.now();
+    let minRemaining = this.MAX_ATTEMPTS;
+
+    const ipAttempt = this.ipAttempts.get(ip);
+    if (ipAttempt && now - ipAttempt.firstAttempt <= this.WINDOW_MS) {
+      const ipRemaining = Math.max(0, this.MAX_ATTEMPTS - ipAttempt.count);
+      minRemaining = Math.min(minRemaining, ipRemaining);
+    }
+
+    if (username) {
+      const userAttempt = this.usernameAttempts.get(username);
+      if (userAttempt && now - userAttempt.firstAttempt <= this.WINDOW_MS) {
+        const userRemaining = Math.max(
+          0,
+          this.MAX_ATTEMPTS - userAttempt.count,
+        );
+        minRemaining = Math.min(minRemaining, userRemaining);
+      }
+    }
+
+    return minRemaining;
+  }
+}
+
+export const loginRateLimiter = new LoginRateLimiter();

src/backend/utils/simple-db-ops.ts

@@ -2,10 +2,10 @@ import { getDb, DatabaseSaveTrigger } from "../database/db/index.js";
 import { DataCrypto } from "./data-crypto.js";
 import type { SQLiteTable } from "drizzle-orm/sqlite-core";
 
-type TableName = "users" | "ssh_data" | "ssh_credentials";
+type TableName = "users" | "ssh_data" | "ssh_credentials" | "recent_activity";
 
 class SimpleDBOps {
-  static async insert<T extends Record<string, any>>(
+  static async insert<T extends Record<string, unknown>>(
     table: SQLiteTable<any>,
     tableName: TableName,
     data: T,
@@ -44,8 +44,8 @@ class SimpleDBOps {
     return decryptedResult as T;
   }
 
-  static async select<T extends Record<string, any>>(
-    query: any,
+  static async select<T extends Record<string, unknown>>(
+    query: unknown,
     tableName: TableName,
     userId: string,
   ): Promise<T[]> {
@@ -56,9 +56,9 @@ class SimpleDBOps {
 
     const results = await query;
 
-    const decryptedResults = DataCrypto.decryptRecords(
+    const decryptedResults = DataCrypto.decryptRecords<T>(
       tableName,
-      results,
+      results as T[],
       userId,
       userDataKey,
     );
@@ -66,8 +66,8 @@ class SimpleDBOps {
     return decryptedResults;
   }
 
-  static async selectOne<T extends Record<string, any>>(
-    query: any,
+  static async selectOne<T extends Record<string, unknown>>(
+    query: unknown,
     tableName: TableName,
     userId: string,
   ): Promise<T | undefined> {
@@ -79,9 +79,9 @@ class SimpleDBOps {
     const result = await query;
     if (!result) return undefined;
 
-    const decryptedResult = DataCrypto.decryptRecord(
+    const decryptedResult = DataCrypto.decryptRecord<T>(
       tableName,
-      result,
+      result as T,
       userId,
       userDataKey,
     );
@@ -89,10 +89,10 @@ class SimpleDBOps {
     return decryptedResult;
   }
 
-  static async update<T extends Record<string, any>>(
+  static async update<T extends Record<string, unknown>>(
     table: SQLiteTable<any>,
     tableName: TableName,
-    where: any,
+    where: unknown,
     data: Partial<T>,
     userId: string,
   ): Promise<T[]> {
@@ -108,7 +108,7 @@ class SimpleDBOps {
     const result = await getDb()
       .update(table)
       .set(encryptedData)
-      .where(where)
+      .where(where as any)
       .returning();
 
     DatabaseSaveTrigger.triggerSave(`update_${tableName}`);
@@ -126,10 +126,12 @@ class SimpleDBOps {
   static async delete(
     table: SQLiteTable<any>,
     tableName: TableName,
-    where: any,
-    userId: string,
-  ): Promise<any[]> {
-    const result = await getDb().delete(table).where(where).returning();
+    where: unknown,
+  ): Promise<unknown[]> {
+    const result = await getDb()
+      .delete(table)
+      .where(where as any)
+      .returning();
 
     DatabaseSaveTrigger.triggerSave(`delete_${tableName}`);
 
@@ -144,13 +146,10 @@ class SimpleDBOps {
     return DataCrypto.getUserDataKey(userId) !== null;
   }
 
-  static async selectEncrypted(
-    query: any,
-    tableName: TableName,
-  ): Promise<any[]> {
+  static async selectEncrypted(query: unknown): Promise<unknown[]> {
     const results = await query;
 
-    return results;
+    return results as unknown[];
   }
 }
 

src/backend/utils/ssh-key-utils.ts

@@ -1,4 +1,5 @@
 import ssh2Pkg from "ssh2";
+import { sshLogger } from "./logger.js";
 const ssh2Utils = ssh2Pkg.utils;
 
 function detectKeyTypeFromContent(keyContent: string): string {
@@ -49,7 +50,7 @@ function detectKeyTypeFromContent(keyContent: string): string {
       }
 
       return "ssh-rsa";
-    } catch (error) {
+    } catch {
       return "ssh-rsa";
     }
   }
@@ -236,7 +237,7 @@ export function parseSSHKey(
             } else {
               publicKey = "";
             }
-          } catch (error) {
+          } catch {
             publicKey = "";
           }
 
@@ -268,7 +269,7 @@ export function parseSSHKey(
           success: true,
         };
       }
-    } catch (fallbackError) {}
+    } catch (error) {}
 
     return {
       privateKey: privateKeyData,
@@ -310,7 +311,7 @@ export function detectKeyType(privateKeyData: string): string {
       return "unknown";
     }
     return parsedKey.type || "unknown";
-  } catch (error) {
+  } catch {
     return "unknown";
   }
 }

src/backend/utils/system-crypto.ts

@@ -35,9 +35,23 @@ class SystemCrypto {
         if (jwtMatch && jwtMatch[1] && jwtMatch[1].length >= 64) {
           this.jwtSecret = jwtMatch[1];
           process.env.JWT_SECRET = jwtMatch[1];
+          databaseLogger.success("JWT secret loaded from .env file", {
+            operation: "jwt_init_from_file_success",
+            secretLength: jwtMatch[1].length,
+            secretPrefix: jwtMatch[1].substring(0, 8) + "...",
+          });
           return;
+        } else {
+          databaseLogger.warn(
+            "JWT_SECRET in .env file is invalid or too short",
+            {
+              operation: "jwt_init_invalid_secret",
+              hasMatch: !!jwtMatch,
+              secretLength: jwtMatch?.[1]?.length || 0,
+            },
+          );
         }
-      } catch {}
+      } catch (fileError) {}
 
       await this.generateAndGuideUser();
     } catch (error) {
@@ -57,29 +71,44 @@ class SystemCrypto {
 
   async initializeDatabaseKey(): Promise<void> {
     try {
+      const dataDir = process.env.DATA_DIR || "./db/data";
+      const envPath = path.join(dataDir, ".env");
+
       const envKey = process.env.DATABASE_KEY;
       if (envKey && envKey.length >= 64) {
         this.databaseKey = Buffer.from(envKey, "hex");
+        const keyFingerprint = crypto
+          .createHash("sha256")
+          .update(this.databaseKey)
+          .digest("hex")
+          .substring(0, 16);
+
         return;
       }
 
-      const dataDir = process.env.DATA_DIR || "./db/data";
-      const envPath = path.join(dataDir, ".env");
-
       try {
         const envContent = await fs.readFile(envPath, "utf8");
         const dbKeyMatch = envContent.match(/^DATABASE_KEY=(.+)$/m);
         if (dbKeyMatch && dbKeyMatch[1] && dbKeyMatch[1].length >= 64) {
           this.databaseKey = Buffer.from(dbKeyMatch[1], "hex");
           process.env.DATABASE_KEY = dbKeyMatch[1];
+
+          const keyFingerprint = crypto
+            .createHash("sha256")
+            .update(this.databaseKey)
+            .digest("hex")
+            .substring(0, 16);
+
           return;
+        } else {
         }
-      } catch {}
+      } catch (fileError) {}
 
       await this.generateAndGuideDatabaseKey();
     } catch (error) {
       databaseLogger.error("Failed to initialize database key", error, {
         operation: "db_key_init_failed",
+        dataDir: process.env.DATA_DIR || "./db/data",
       });
       throw new Error("Database key initialization failed");
     }
@@ -111,7 +140,7 @@ class SystemCrypto {
           process.env.INTERNAL_AUTH_TOKEN = tokenMatch[1];
           return;
         }
-      } catch {}
+      } catch (error) {}
 
       await this.generateAndGuideInternalAuthToken();
     } catch (error) {

src/backend/utils/user-agent-parser.ts

@@ -0,0 +1,239 @@
+import type { Request } from "express";
+
+export type DeviceType = "web" | "desktop" | "mobile";
+
+export interface DeviceInfo {
+  type: DeviceType;
+  browser: string;
+  version: string;
+  os: string;
+  deviceInfo: string;
+}
+
+export function detectPlatform(req: Request): DeviceType {
+  const userAgent = req.headers["user-agent"] || "";
+  const electronHeader = req.headers["x-electron-app"];
+
+  if (electronHeader === "true" || userAgent.includes("Termix-Desktop")) {
+    return "desktop";
+  }
+
+  if (userAgent.includes("Termix-Mobile")) {
+    return "mobile";
+  }
+
+  if (userAgent.includes("Android")) {
+    return "mobile";
+  }
+
+  return "web";
+}
+
+export function parseUserAgent(req: Request): DeviceInfo {
+  const userAgent = req.headers["user-agent"] || "Unknown";
+  const platform = detectPlatform(req);
+
+  if (platform === "desktop") {
+    return parseElectronUserAgent(userAgent);
+  }
+
+  if (platform === "mobile") {
+    return parseMobileUserAgent(userAgent);
+  }
+
+  return parseWebUserAgent(userAgent);
+}
+
+function parseElectronUserAgent(userAgent: string): DeviceInfo {
+  let os = "Unknown OS";
+  let version = "Unknown";
+
+  const termixMatch = userAgent.match(/Termix-Desktop\/([\d.]+)\s*\(([^;)]+)/);
+  if (termixMatch) {
+    version = termixMatch[1];
+    os = termixMatch[2].trim();
+  } else {
+    if (userAgent.includes("Windows")) {
+      os = parseWindowsVersion(userAgent);
+    } else if (userAgent.includes("Mac OS X")) {
+      os = parseMacVersion(userAgent);
+    } else if (userAgent.includes("macOS")) {
+      os = "macOS";
+    } else if (userAgent.includes("Linux")) {
+      os = "Linux";
+    }
+
+    const electronMatch = userAgent.match(/Electron\/([\d.]+)/);
+    if (electronMatch) {
+      version = electronMatch[1];
+    }
+  }
+
+  return {
+    type: "desktop",
+    browser: "Termix Desktop",
+    version,
+    os,
+    deviceInfo: `Termix Desktop on ${os}`,
+  };
+}
+
+function parseMobileUserAgent(userAgent: string): DeviceInfo {
+  let os = "Unknown OS";
+  let version = "Unknown";
+
+  const termixPlatformMatch = userAgent.match(/Termix-Mobile\/(Android|iOS)/i);
+  if (termixPlatformMatch) {
+    const platform = termixPlatformMatch[1];
+    if (platform.toLowerCase() === "android") {
+      const androidMatch = userAgent.match(/Android ([\d.]+)/);
+      os = androidMatch ? `Android ${androidMatch[1]}` : "Android";
+    } else if (platform.toLowerCase() === "ios") {
+      const iosMatch = userAgent.match(/OS ([\d_]+)/);
+      if (iosMatch) {
+        const iosVersion = iosMatch[1].replace(/_/g, ".");
+        os = `iOS ${iosVersion}`;
+      } else {
+        os = "iOS";
+      }
+    }
+  } else {
+    if (userAgent.includes("Android")) {
+      const androidMatch = userAgent.match(/Android ([\d.]+)/);
+      os = androidMatch ? `Android ${androidMatch[1]}` : "Android";
+    } else if (
+      userAgent.includes("iOS") ||
+      userAgent.includes("iPhone") ||
+      userAgent.includes("iPad")
+    ) {
+      const iosMatch = userAgent.match(/OS ([\d_]+)/);
+      if (iosMatch) {
+        const iosVersion = iosMatch[1].replace(/_/g, ".");
+        os = `iOS ${iosVersion}`;
+      } else {
+        os = "iOS";
+      }
+    }
+  }
+
+  const versionMatch = userAgent.match(
+    /Termix-Mobile\/(?:Android|iOS|)([\d.]+)/i,
+  );
+  if (versionMatch) {
+    version = versionMatch[1];
+  }
+
+  return {
+    type: "mobile",
+    browser: "Termix Mobile",
+    version,
+    os,
+    deviceInfo: `Termix Mobile on ${os}`,
+  };
+}
+
+function parseWebUserAgent(userAgent: string): DeviceInfo {
+  let browser = "Unknown Browser";
+  let version = "Unknown";
+  let os = "Unknown OS";
+
+  if (userAgent.includes("Edg/")) {
+    const match = userAgent.match(/Edg\/([\d.]+)/);
+    browser = "Edge";
+    version = match ? match[1] : "Unknown";
+  } else if (userAgent.includes("Chrome/") && !userAgent.includes("Edg")) {
+    const match = userAgent.match(/Chrome\/([\d.]+)/);
+    browser = "Chrome";
+    version = match ? match[1] : "Unknown";
+  } else if (userAgent.includes("Firefox/")) {
+    const match = userAgent.match(/Firefox\/([\d.]+)/);
+    browser = "Firefox";
+    version = match ? match[1] : "Unknown";
+  } else if (userAgent.includes("Safari/") && !userAgent.includes("Chrome")) {
+    const match = userAgent.match(/Version\/([\d.]+)/);
+    browser = "Safari";
+    version = match ? match[1] : "Unknown";
+  } else if (userAgent.includes("Opera/") || userAgent.includes("OPR/")) {
+    const match = userAgent.match(/(?:Opera|OPR)\/([\d.]+)/);
+    browser = "Opera";
+    version = match ? match[1] : "Unknown";
+  }
+
+  if (userAgent.includes("Windows")) {
+    os = parseWindowsVersion(userAgent);
+  } else if (userAgent.includes("Android")) {
+    const match = userAgent.match(/Android ([\d.]+)/);
+    os = match ? `Android ${match[1]}` : "Android";
+  } else if (
+    userAgent.includes("iOS") ||
+    userAgent.includes("iPhone") ||
+    userAgent.includes("iPad")
+  ) {
+    const match = userAgent.match(/OS ([\d_]+)/);
+    if (match) {
+      const iosVersion = match[1].replace(/_/g, ".");
+      os = `iOS ${iosVersion}`;
+    } else {
+      os = "iOS";
+    }
+  } else if (userAgent.includes("Mac OS X")) {
+    os = parseMacVersion(userAgent);
+  } else if (userAgent.includes("Linux")) {
+    os = "Linux";
+  }
+
+  if (version !== "Unknown") {
+    const versionParts = version.split(".");
+    version = versionParts.slice(0, 2).join(".");
+  }
+
+  return {
+    type: "web",
+    browser,
+    version,
+    os,
+    deviceInfo: `${browser} ${version} on ${os}`,
+  };
+}
+
+function parseWindowsVersion(userAgent: string): string {
+  if (userAgent.includes("Windows NT 10.0")) {
+    return "Windows 10/11";
+  } else if (userAgent.includes("Windows NT 6.3")) {
+    return "Windows 8.1";
+  } else if (userAgent.includes("Windows NT 6.2")) {
+    return "Windows 8";
+  } else if (userAgent.includes("Windows NT 6.1")) {
+    return "Windows 7";
+  } else if (userAgent.includes("Windows NT 6.0")) {
+    return "Windows Vista";
+  } else if (
+    userAgent.includes("Windows NT 5.1") ||
+    userAgent.includes("Windows NT 5.2")
+  ) {
+    return "Windows XP";
+  }
+  return "Windows";
+}
+
+function parseMacVersion(userAgent: string): string {
+  const match = userAgent.match(/Mac OS X ([\d_]+)/);
+  if (match) {
+    const version = match[1].replace(/_/g, ".");
+    const parts = version.split(".");
+    const major = parseInt(parts[0]);
+    const minor = parseInt(parts[1]);
+
+    if (major === 10) {
+      if (minor >= 15) return `macOS ${major}.${minor}`;
+      if (minor === 14) return "macOS Mojave";
+      if (minor === 13) return "macOS High Sierra";
+      if (minor === 12) return "macOS Sierra";
+    } else if (major >= 11) {
+      return `macOS ${major}`;
+    }
+
+    return `macOS ${version}`;
+  }
+  return "macOS";
+}

src/backend/utils/user-crypto.ts

@@ -21,8 +21,8 @@ interface EncryptedDEK {
 
 interface UserSession {
   dataKey: Buffer;
-  lastActivity: number;
   expiresAt: number;
+  lastActivity?: number;
 }
 
 class UserCrypto {
@@ -33,8 +33,6 @@ class UserCrypto {
   private static readonly PBKDF2_ITERATIONS = 100000;
   private static readonly KEK_LENGTH = 32;
   private static readonly DEK_LENGTH = 32;
-  private static readonly SESSION_DURATION = 24 * 60 * 60 * 1000;
-  private static readonly MAX_INACTIVITY = 6 * 60 * 60 * 1000;
 
   private constructor() {
     setInterval(
@@ -69,7 +67,10 @@ class UserCrypto {
     DEK.fill(0);
   }
 
-  async setupOIDCUserEncryption(userId: string): Promise<void> {
+  async setupOIDCUserEncryption(
+    userId: string,
+    sessionDurationMs: number,
+  ): Promise<void> {
     const existingEncryptedDEK = await this.getEncryptedDEK(userId);
 
     let DEK: Buffer;
@@ -104,14 +105,17 @@ class UserCrypto {
     const now = Date.now();
     this.userSessions.set(userId, {
       dataKey: Buffer.from(DEK),
-      lastActivity: now,
-      expiresAt: now + UserCrypto.SESSION_DURATION,
+      expiresAt: now + sessionDurationMs,
     });
 
     DEK.fill(0);
   }
 
-  async authenticateUser(userId: string, password: string): Promise<boolean> {
+  async authenticateUser(
+    userId: string,
+    password: string,
+    sessionDurationMs: number,
+  ): Promise<boolean> {
     try {
       const kekSalt = await this.getKEKSalt(userId);
       if (!kekSalt) return false;
@@ -144,8 +148,7 @@ class UserCrypto {
 
       this.userSessions.set(userId, {
         dataKey: Buffer.from(DEK),
-        lastActivity: now,
-        expiresAt: now + UserCrypto.SESSION_DURATION,
+        expiresAt: now + sessionDurationMs,
       });
 
       DEK.fill(0);
@@ -161,12 +164,49 @@ class UserCrypto {
     }
   }
 
-  async authenticateOIDCUser(userId: string): Promise<boolean> {
+  async authenticateOIDCUser(
+    userId: string,
+    sessionDurationMs: number,
+  ): Promise<boolean> {
     try {
+      const oidcEncryptedDEK = await this.getOIDCEncryptedDEK(userId);
+
+      if (oidcEncryptedDEK) {
+        const systemKey = this.deriveOIDCSystemKey(userId);
+        const DEK = this.decryptDEK(oidcEncryptedDEK, systemKey);
+        systemKey.fill(0);
+
+        if (!DEK || DEK.length === 0) {
+          databaseLogger.error(
+            "Failed to decrypt OIDC DEK for dual-auth user",
+            {
+              operation: "oidc_auth_dual_decrypt_failed",
+              userId,
+            },
+          );
+          return false;
+        }
+
+        const now = Date.now();
+        const oldSession = this.userSessions.get(userId);
+        if (oldSession) {
+          oldSession.dataKey.fill(0);
+        }
+
+        this.userSessions.set(userId, {
+          dataKey: Buffer.from(DEK),
+          expiresAt: now + sessionDurationMs,
+        });
+
+        DEK.fill(0);
+        return true;
+      }
+
+      const kekSalt = await this.getKEKSalt(userId);
       const encryptedDEK = await this.getEncryptedDEK(userId);
 
-      if (!encryptedDEK) {
-        await this.setupOIDCUserEncryption(userId);
+      if (!kekSalt || !encryptedDEK) {
+        await this.setupOIDCUserEncryption(userId, sessionDurationMs);
         return true;
       }
 
@@ -175,7 +215,7 @@ class UserCrypto {
       systemKey.fill(0);
 
       if (!DEK || DEK.length === 0) {
-        await this.setupOIDCUserEncryption(userId);
+        await this.setupOIDCUserEncryption(userId, sessionDurationMs);
         return true;
       }
 
@@ -188,15 +228,19 @@ class UserCrypto {
 
       this.userSessions.set(userId, {
         dataKey: Buffer.from(DEK),
-        lastActivity: now,
-        expiresAt: now + UserCrypto.SESSION_DURATION,
+        expiresAt: now + sessionDurationMs,
       });
 
       DEK.fill(0);
 
       return true;
     } catch (error) {
-      await this.setupOIDCUserEncryption(userId);
+      databaseLogger.error("OIDC authentication failed", error, {
+        operation: "oidc_auth_error",
+        userId,
+        error: error instanceof Error ? error.message : "Unknown",
+      });
+      await this.setupOIDCUserEncryption(userId, sessionDurationMs);
       return true;
     }
   }
@@ -218,16 +262,6 @@ class UserCrypto {
       return null;
     }
 
-    if (now - session.lastActivity > UserCrypto.MAX_INACTIVITY) {
-      this.userSessions.delete(userId);
-      session.dataKey.fill(0);
-      if (this.sessionExpiredCallback) {
-        this.sessionExpiredCallback(userId);
-      }
-      return null;
-    }
-
-    session.lastActivity = now;
     return session.dataKey;
   }
 
@@ -276,21 +310,6 @@ class UserCrypto {
 
       oldKEK.fill(0);
       newKEK.fill(0);
-
-      const dekCopy = Buffer.from(DEK);
-
-      const now = Date.now();
-      const oldSession = this.userSessions.get(userId);
-      if (oldSession) {
-        oldSession.dataKey.fill(0);
-      }
-
-      this.userSessions.set(userId, {
-        dataKey: dekCopy,
-        lastActivity: now,
-        expiresAt: now + UserCrypto.SESSION_DURATION,
-      });
-
       DEK.fill(0);
 
       return true;
@@ -345,6 +364,83 @@ class UserCrypto {
     }
   }
 
+  /**
+   * Convert a password-based user's encryption to DUAL-AUTH encryption.
+   * This is used when linking an OIDC account to a password account for dual-auth.
+   *
+   * IMPORTANT: This does NOT delete the password-based KEK salt!
+   * The user needs to maintain BOTH password and OIDC authentication methods.
+   * We keep the password KEK salt so password login still works.
+   * We also store the DEK encrypted with OIDC system key for OIDC login.
+   */
+  async convertToOIDCEncryption(userId: string): Promise<void> {
+    try {
+      const existingEncryptedDEK = await this.getEncryptedDEK(userId);
+      const existingKEKSalt = await this.getKEKSalt(userId);
+
+      if (!existingEncryptedDEK && !existingKEKSalt) {
+        databaseLogger.warn("No existing encryption to convert for user", {
+          operation: "convert_to_oidc_encryption_skip",
+          userId,
+        });
+        return;
+      }
+
+      const existingDEK = this.getUserDataKey(userId);
+
+      if (!existingDEK) {
+        throw new Error(
+          "Cannot convert to OIDC encryption - user session not active. Please log in with password first.",
+        );
+      }
+
+      const systemKey = this.deriveOIDCSystemKey(userId);
+      const oidcEncryptedDEK = this.encryptDEK(existingDEK, systemKey);
+      systemKey.fill(0);
+
+      const key = `user_encrypted_dek_oidc_${userId}`;
+      const value = JSON.stringify(oidcEncryptedDEK);
+
+      const { getDb } = await import("../database/db/index.js");
+      const { settings } = await import("../database/db/schema.js");
+      const { eq } = await import("drizzle-orm");
+
+      const existing = await getDb()
+        .select()
+        .from(settings)
+        .where(eq(settings.key, key));
+
+      if (existing.length > 0) {
+        await getDb()
+          .update(settings)
+          .set({ value })
+          .where(eq(settings.key, key));
+      } else {
+        await getDb().insert(settings).values({ key, value });
+      }
+
+      databaseLogger.info(
+        "Converted user encryption to dual-auth (password + OIDC)",
+        {
+          operation: "convert_to_oidc_encryption_preserved",
+          userId,
+        },
+      );
+
+      const { saveMemoryDatabaseToFile } = await import(
+        "../database/db/index.js"
+      );
+      await saveMemoryDatabaseToFile();
+    } catch (error) {
+      databaseLogger.error("Failed to convert to OIDC encryption", error, {
+        operation: "convert_to_oidc_encryption_error",
+        userId,
+        error: error instanceof Error ? error.message : "Unknown error",
+      });
+      throw error;
+    }
+  }
+
   private async validatePassword(
     userId: string,
     password: string,
@@ -363,7 +459,7 @@ class UserCrypto {
       DEK.fill(0);
 
       return true;
-    } catch (error) {
+    } catch {
       return false;
     }
   }
@@ -373,10 +469,7 @@ class UserCrypto {
     const expiredUsers: string[] = [];
 
     for (const [userId, session] of this.userSessions.entries()) {
-      if (
-        now > session.expiresAt ||
-        now - session.lastActivity > UserCrypto.MAX_INACTIVITY
-      ) {
+      if (now > session.expiresAt) {
         session.dataKey.fill(0);
         expiredUsers.push(userId);
       }
@@ -482,7 +575,7 @@ class UserCrypto {
       }
 
       return JSON.parse(result[0].value);
-    } catch (error) {
+    } catch {
       return null;
     }
   }
@@ -522,7 +615,27 @@ class UserCrypto {
       }
 
       return JSON.parse(result[0].value);
-    } catch (error) {
+    } catch {
+      return null;
+    }
+  }
+
+  private async getOIDCEncryptedDEK(
+    userId: string,
+  ): Promise<EncryptedDEK | null> {
+    try {
+      const key = `user_encrypted_dek_oidc_${userId}`;
+      const result = await getDb()
+        .select()
+        .from(settings)
+        .where(eq(settings.key, key));
+
+      if (result.length === 0) {
+        return null;
+      }
+
+      return JSON.parse(result[0].value);
+    } catch {
       return null;
     }
   }

src/backend/utils/user-data-export.ts

@@ -18,14 +18,14 @@ interface UserExportData {
   userId: string;
   username: string;
   userData: {
-    sshHosts: any[];
-    sshCredentials: any[];
+    sshHosts: unknown[];
+    sshCredentials: unknown[];
     fileManagerData: {
-      recent: any[];
-      pinned: any[];
-      shortcuts: any[];
+      recent: unknown[];
+      pinned: unknown[];
+      shortcuts: unknown[];
     };
-    dismissedAlerts: any[];
+    dismissedAlerts: unknown[];
   };
   metadata: {
     totalRecords: number;
@@ -83,7 +83,7 @@ class UserDataExport {
             )
           : sshHosts;
 
-      let sshCredentialsData: any[] = [];
+      let sshCredentialsData: unknown[] = [];
       if (includeCredentials) {
         const credentials = await getDb()
           .select()
@@ -185,7 +185,10 @@ class UserDataExport {
     return JSON.stringify(exportData, null, pretty ? 2 : 0);
   }
 
-  static validateExportData(data: any): { valid: boolean; errors: string[] } {
+  static validateExportData(data: unknown): {
+    valid: boolean;
+    errors: string[];
+  } {
     const errors: string[] = [];
 
     if (!data || typeof data !== "object") {
@@ -193,23 +196,26 @@ class UserDataExport {
       return { valid: false, errors };
     }
 
-    if (!data.version) {
+    const dataObj = data as Record<string, unknown>;
+
+    if (!dataObj.version) {
       errors.push("Missing version field");
     }
 
-    if (!data.userId) {
+    if (!dataObj.userId) {
       errors.push("Missing userId field");
     }
 
-    if (!data.userData || typeof data.userData !== "object") {
+    if (!dataObj.userData || typeof dataObj.userData !== "object") {
       errors.push("Missing or invalid userData field");
     }
 
-    if (!data.metadata || typeof data.metadata !== "object") {
+    if (!dataObj.metadata || typeof dataObj.metadata !== "object") {
       errors.push("Missing or invalid metadata field");
     }
 
-    if (data.userData) {
+    if (dataObj.userData) {
+      const userData = dataObj.userData as Record<string, unknown>;
       const requiredFields = [
         "sshHosts",
         "sshCredentials",
@@ -218,23 +224,24 @@ class UserDataExport {
       ];
       for (const field of requiredFields) {
         if (
-          !Array.isArray(data.userData[field]) &&
-          !(
-            field === "fileManagerData" &&
-            typeof data.userData[field] === "object"
-          )
+          !Array.isArray(userData[field]) &&
+          !(field === "fileManagerData" && typeof userData[field] === "object")
         ) {
           errors.push(`Missing or invalid userData.${field} field`);
         }
       }
 
       if (
-        data.userData.fileManagerData &&
-        typeof data.userData.fileManagerData === "object"
+        userData.fileManagerData &&
+        typeof userData.fileManagerData === "object"
       ) {
+        const fileManagerData = userData.fileManagerData as Record<
+          string,
+          unknown
+        >;
         const fmFields = ["recent", "pinned", "shortcuts"];
         for (const field of fmFields) {
-          if (!Array.isArray(data.userData.fileManagerData[field])) {
+          if (!Array.isArray(fileManagerData[field])) {
             errors.push(
               `Missing or invalid userData.fileManagerData.${field} field`,
             );

src/backend/utils/user-data-import.ts

@@ -12,7 +12,6 @@ import { eq, and } from "drizzle-orm";
 import { DataCrypto } from "./data-crypto.js";
 import { UserDataExport, type UserExportData } from "./user-data-export.js";
 import { databaseLogger } from "./logger.js";
-import { nanoid } from "nanoid";
 
 interface ImportOptions {
   replaceExisting?: boolean;
@@ -90,7 +89,7 @@ class UserDataImport {
       ) {
         const importStats = await this.importSshHosts(
           targetUserId,
-          exportData.userData.sshHosts,
+          exportData.userData.sshHosts as Record<string, unknown>[],
           { replaceExisting, dryRun, userDataKey },
         );
         result.summary.sshHostsImported = importStats.imported;
@@ -105,7 +104,7 @@ class UserDataImport {
       ) {
         const importStats = await this.importSshCredentials(
           targetUserId,
-          exportData.userData.sshCredentials,
+          exportData.userData.sshCredentials as Record<string, unknown>[],
           { replaceExisting, dryRun, userDataKey },
         );
         result.summary.sshCredentialsImported = importStats.imported;
@@ -130,7 +129,7 @@ class UserDataImport {
       ) {
         const importStats = await this.importDismissedAlerts(
           targetUserId,
-          exportData.userData.dismissedAlerts,
+          exportData.userData.dismissedAlerts as Record<string, unknown>[],
           { replaceExisting, dryRun },
         );
         result.summary.dismissedAlertsImported = importStats.imported;
@@ -160,7 +159,7 @@ class UserDataImport {
 
   private static async importSshHosts(
     targetUserId: string,
-    sshHosts: any[],
+    sshHosts: Record<string, unknown>[],
     options: {
       replaceExisting: boolean;
       dryRun: boolean;
@@ -199,7 +198,9 @@ class UserDataImport {
 
         delete processedHostData.id;
 
-        await getDb().insert(sshData).values(processedHostData);
+        await getDb()
+          .insert(sshData)
+          .values(processedHostData as unknown as typeof sshData.$inferInsert);
         imported++;
       } catch (error) {
         errors.push(
@@ -214,7 +215,7 @@ class UserDataImport {
 
   private static async importSshCredentials(
     targetUserId: string,
-    credentials: any[],
+    credentials: Record<string, unknown>[],
     options: {
       replaceExisting: boolean;
       dryRun: boolean;
@@ -255,7 +256,11 @@ class UserDataImport {
 
         delete processedCredentialData.id;
 
-        await getDb().insert(sshCredentials).values(processedCredentialData);
+        await getDb()
+          .insert(sshCredentials)
+          .values(
+            processedCredentialData as unknown as typeof sshCredentials.$inferInsert,
+          );
         imported++;
       } catch (error) {
         errors.push(
@@ -270,7 +275,7 @@ class UserDataImport {
 
   private static async importFileManagerData(
     targetUserId: string,
-    fileManagerData: any,
+    fileManagerData: Record<string, unknown>,
     options: { replaceExisting: boolean; dryRun: boolean },
   ) {
     let imported = 0;
@@ -357,7 +362,7 @@ class UserDataImport {
 
   private static async importDismissedAlerts(
     targetUserId: string,
-    alerts: any[],
+    alerts: Record<string, unknown>[],
     options: { replaceExisting: boolean; dryRun: boolean },
   ) {
     let imported = 0;
@@ -377,7 +382,7 @@ class UserDataImport {
           .where(
             and(
               eq(dismissedAlerts.userId, targetUserId),
-              eq(dismissedAlerts.alertId, alert.alertId),
+              eq(dismissedAlerts.alertId, alert.alertId as string),
             ),
           );
 
@@ -396,10 +401,12 @@ class UserDataImport {
         if (existing.length > 0 && options.replaceExisting) {
           await getDb()
             .update(dismissedAlerts)
-            .set(newAlert)
+            .set(newAlert as typeof dismissedAlerts.$inferInsert)
             .where(eq(dismissedAlerts.id, existing[0].id));
         } else {
-          await getDb().insert(dismissedAlerts).values(newAlert);
+          await getDb()
+            .insert(dismissedAlerts)
+            .values(newAlert as typeof dismissedAlerts.$inferInsert);
         }
 
         imported++;

src/components/theme-provider.tsx

@@ -1,3 +1,4 @@
+/* eslint-disable react-refresh/only-export-components */
 import { createContext, useContext, useEffect, useState } from "react";
 
 type Theme = "dark" | "light" | "system";

src/components/ui/badge.tsx

@@ -1,3 +1,4 @@
+/* eslint-disable react-refresh/only-export-components */
 import * as React from "react";
 import { Slot } from "@radix-ui/react-slot";
 import { cva, type VariantProps } from "class-variance-authority";

src/components/ui/button.tsx

@@ -1,3 +1,4 @@
+/* eslint-disable react-refresh/only-export-components */
 import * as React from "react";
 import { Slot } from "@radix-ui/react-slot";
 import { cva, type VariantProps } from "class-variance-authority";
@@ -5,7 +6,7 @@ import { cva, type VariantProps } from "class-variance-authority";
 import { cn } from "@/lib/utils";
 
 const buttonVariants = cva(
-  "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive",
+  "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-all duration-100 disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive active:scale-95",
   {
     variants: {
       variant: {

src/components/ui/chart.tsx

@@ -0,0 +1,24 @@
+import * as React from "react";
+import * as RechartsPrimitive from "recharts";
+
+import { cn } from "@/lib/utils";
+
+// Chart Container
+const ChartContainer = React.forwardRef<
+  HTMLDivElement,
+  React.HTMLAttributes<HTMLDivElement>
+>(({ className, ...props }, ref) => {
+  return (
+    <div
+      ref={ref}
+      className={cn(
+        "flex aspect-video justify-center text-xs [&_.recharts-cartesian-axis-tick_text]:fill-muted-foreground [&_.recharts-cartesian-grid_line[stroke='#ccc']]:stroke-border/50 [&_.recharts-curve.recharts-tooltip-cursor]:stroke-border [&_.recharts-dot[stroke='#fff']]:stroke-transparent [&_.recharts-layer]:outline-none [&_.recharts-polar-grid_[stroke='#ccc']]:stroke-border [&_.recharts-radial-bar-background-sector]:fill-muted [&_.recharts-rectangle.recharts-tooltip-cursor]:fill-muted [&_.recharts-reference-line_[stroke='#ccc']]:stroke-border [&_.recharts-sector[stroke='#fff']]:stroke-transparent [&_.recharts-sector]:outline-none [&_.recharts-surface]:outline-none",
+        className,
+      )}
+      {...props}
+    />
+  );
+});
+ChartContainer.displayName = "ChartContainer";
+
+export { ChartContainer, RechartsPrimitive };