Merge pull request #1321 from jokob-sk/main

sync
BE: restore previous version retrieval as a test #1320
2025-12-07 09:36:05 -08:00 · 2025-11-30 00:23:45 +00:00 · 2025-11-30 11:21:24 +11:00 · 2025-11-30 11:15:25 +11:00 · 2025-11-30 11:15:19 +11:00 · 2025-11-30 11:14:45 +11:00
405 changed files with 23086 additions and 10136 deletions
--- a/.coverage
+++ b/.coverage
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh
+# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh

 # ---/Dockerfile---
 # The NetAlertX Dockerfile has 3 stages:
@@ -35,7 +35,7 @@ RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev o
 # Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy 
 # into hardened stage without worrying about permissions and keeps image size small. Keeping the commands
 # together makes for a slightly smaller image size.
-RUN pip install -r /tmp/requirements.txt && \
+RUN pip install --no-cache-dir -r /tmp/requirements.txt && \
    chmod -R u-rwx,g-rwx /opt

 # second stage is the main runtime stage with just the minimum required to run the application
@@ -46,14 +46,16 @@ ARG INSTALL_DIR=/app

 # NetAlertX app directories
 ENV NETALERTX_APP=${INSTALL_DIR}
-ENV NETALERTX_CONFIG=${NETALERTX_APP}/config
+ENV NETALERTX_DATA=/data
+ENV NETALERTX_CONFIG=${NETALERTX_DATA}/config
 ENV NETALERTX_FRONT=${NETALERTX_APP}/front
+ENV NETALERTX_PLUGINS=${NETALERTX_FRONT}/plugins
 ENV NETALERTX_SERVER=${NETALERTX_APP}/server
-ENV NETALERTX_API=${NETALERTX_APP}/api
-ENV NETALERTX_DB=${NETALERTX_APP}/db
+ENV NETALERTX_API=/tmp/api
+ENV NETALERTX_DB=${NETALERTX_DATA}/db
 ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
 ENV NETALERTX_BACK=${NETALERTX_APP}/back
-ENV NETALERTX_LOG=${NETALERTX_APP}/log
+ENV NETALERTX_LOG=/tmp/log
 ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins
 ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf

@@ -69,32 +71,37 @@ ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
 ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
 ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
 ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
-ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+ENV LOG_CRON=${NETALERTX_LOG}/cron.log
+ENV LOG_NGINX_ERROR=${NETALERTX_LOG}/nginx-error.log

 # System Services configuration files
+ENV ENTRYPOINT_CHECKS=/entrypoint.d
 ENV SYSTEM_SERVICES=/services
 ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
-ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINX_CONFIG}/nginx.conf
+ENV SYSTEM_NGINX_CONFIG_TEMPLATE=${SYSTEM_NGINX_CONFIG}/netalertx.conf.template
+ENV SYSTEM_SERVICES_CONFIG_CRON=${SYSTEM_SERVICES_CONFIG}/cron
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG=/tmp/nginx/active-config
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG_FILE=${SYSTEM_SERVICES_ACTIVE_CONFIG}/nginx.conf
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
-ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
-ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run
+ENV SYSTEM_SERVICES_RUN=/tmp/run
 ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV READ_ONLY_FOLDERS="${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} \
-                       ${SYSTEM_SERVICES_CONFIG}"
-ENV READ_WRITE_FOLDERS="${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} \
-                       ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} \
-                       ${SYSTEM_SERVICES_RUN_LOG}"
+                       ${SYSTEM_SERVICES_CONFIG} ${ENTRYPOINT_CHECKS}"
+ENV READ_WRITE_FOLDERS="${NETALERTX_DATA} ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} \
+                       ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} \
+                       ${SYSTEM_SERVICES_RUN_TMP} ${SYSTEM_SERVICES_RUN_LOG} \
+                       ${SYSTEM_SERVICES_ACTIVE_CONFIG}"

 #Python environment
 ENV PYTHONUNBUFFERED=1 
 ENV VIRTUAL_ENV=/opt/venv
 ENV VIRTUAL_ENV_BIN=/opt/venv/bin
-ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${VIRTUAL_ENV}/lib/python3.12/site-packages
+ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${NETALERTX_PLUGINS}:${VIRTUAL_ENV}/lib/python3.12/site-packages
 ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH" 

 # App Environment
@@ -102,8 +109,7 @@ ENV LISTEN_ADDR=0.0.0.0
 ENV PORT=20211
 ENV NETALERTX_DEBUG=0
 ENV VENDORSPATH=/app/back/ieee-oui.txt
-ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt
-ENV PYTHONPATHPATH="${NETALERTX_APP}:${VIRTUAL_ENV}/bin:${PATH}"
+ENV VENDORSPATH_NEWEST=${SYSTEM_SERVICES_RUN_TMP}/ieee-oui.txt
 ENV ENVIRONMENT=alpine
 ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly
 ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx
@@ -113,7 +119,7 @@ ENV LANG=C.UTF-8
 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \
    nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
    sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx shadow && \
+    nginx supercronic shadow && \
    rm -Rf /var/cache/apk/*  && \
    rm -Rf /etc/nginx && \
    addgroup -g 20211 ${NETALERTX_GROUP} && \
@@ -127,11 +133,15 @@ COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} install/production-filesystem/
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} --chmod=755 back ${NETALERTX_BACK}
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} --chmod=755 front ${NETALERTX_FRONT}
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} --chmod=755 server ${NETALERTX_SERVER}
-RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 755 ${NETALERTX_API}  \
-    ${NETALERTX_LOG} ${SYSTEM_SERVICES_RUN_TMP} ${SYSTEM_SERVICES_RUN_LOG} && \
+
+# Create required folders with correct ownership and permissions
+RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FOLDERS} && \
    sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
    -exec chmod 750 {} \;"

+# Copy version information into the image
+COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION
+
 # Copy the virtualenv from the builder stage
 COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}

@@ -140,19 +150,26 @@ COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN apk add libcap && \
+RUN if [ -f '.VERSION' ]; then \
+        cp '.VERSION' "${NETALERTX_APP}/.VERSION"; \
+    else \
+        echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/.VERSION"; \
+    fi && \
+    chown 20212:20212 "${NETALERTX_APP}/.VERSION" && \
+    apk add --no-cache libcap && \
    setcap cap_net_raw+ep /bin/busybox && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
    setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip ${VIRTUAL_ENV_BIN}/scapy && \
+    setcap cap_net_raw,cap_net_admin+eip "$(readlink -f ${VIRTUAL_ENV_BIN}/python)" && \
    /bin/sh /build/init-nginx.sh && \
    /bin/sh /build/init-php-fpm.sh && \
-    /bin/sh /build/init-crond.sh && \
+    /bin/sh /build/init-cron.sh && \
    /bin/sh /build/init-backend.sh && \
    rm -rf /build && \
-    apk del libcap
+    apk del libcap && \
+    date +%s > "${NETALERTX_FRONT}/buildtimestamp.txt"


 ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
@@ -169,13 +186,15 @@ ENV UMASK=0077
 # AI may claim this is stupid, but it's actually least possible permissions as 
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
-RUN addgroup -g 20212 ${READ_ONLY_GROUP} && \
-    adduser -u 20212 -G ${READ_ONLY_GROUP} -D -h /app ${READ_ONLY_USER}
+RUN addgroup -g 20212 "${READ_ONLY_GROUP}" && \
+    adduser -u 20212 -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"


 # reduce permissions to minimum necessary for all NetAlertX files and folders
 # Permissions 005 and 004 are not typos, they enable read-only. Everyone can
 # read the read-only files, and nobody can write to them, even the readonly user.
+
+# hadolint ignore=SC2114
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 004 ${READ_ONLY_FOLDERS} && \
    find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
@@ -184,14 +203,17 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 600 ${READ_WRITE_FOLDERS} && \
    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
+    for dir in ${READ_WRITE_FOLDERS}; do \
+        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
+    done && \
    apk del apk-tools && \
    rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
    /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
    /srv /media && \
    sed -i "/^\(${READ_ONLY_USER}\|${NETALERTX_USER}\):/!d" /etc/passwd && \
    sed -i "/^\(${READ_ONLY_GROUP}\|${NETALERTX_GROUP}\):/!d" /etc/group && \
-    echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo

 USER netalertx

@@ -206,11 +228,15 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
 #   .devcontainer/scripts/generate-configs.sh
 # The generator appends this stage to produce .devcontainer/Dockerfile.
 # Prefer to place dev-only setup here; use setup.sh only for runtime fixes.
+# Permissions in devcontainer should be of a brutalist nature. They will be
+# Open and wide to avoid permission issues during development allowing max
+# flexibility.

+# hadolint ignore=DL3006
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app

-ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
+ENV PYTHONPATH=${PYTHONPATH}:/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/usr/lib/python3.12/site-packages
 ENV PATH=/services:${PATH}
 ENV PHP_INI_SCAN_DIR=/services/config/php/conf.d:/etc/php83/conf.d
 ENV LISTEN_ADDR=0.0.0.0
@@ -218,19 +244,37 @@ ENV PORT=20211
 ENV NETALERTX_DEBUG=1
 ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
-
+USER root
 # Install common tools, create user, and set up sudo
-RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov fish shfmt sudo
+
+RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
+    pytest-cov zsh alpine-zsh-config shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx \
+    docker-cli-compose shellcheck
+
+# Install hadolint (Dockerfile linter)
+RUN curl -L https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint

 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
    cp -a /usr/lib/php83/modules/. /services/php/modules/ && \
    echo "${NETALERTX_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-# Install debugpy in the virtualenv if present, otherwise into system python3
-RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' && \
-    mkdir /workspaces && \
-    install -d -o netalertx -g netalertx -m 777 /services/run/logs && \
-    install -d -o netalertx -g netalertx -m 777 /app/run/tmp/client_body && \
-    sed -i -e 's|:/app:|:/workspaces:|' /etc/passwd && \
-    python -m pip install -U pytest pytest-cov
+ENV SHELL=/bin/zsh

+RUN mkdir -p /workspaces && \
+    install -d -m 777 /data /data/config /data/db && \
+    install -d -m 777 /tmp/log /tmp/log/plugins /tmp/api /tmp/run /tmp/nginx && \
+    install -d -m 777 /tmp/nginx/active-config /tmp/nginx/client_body /tmp/nginx/config && \
+    install -d -m 777 /tmp/nginx/fastcgi /tmp/nginx/proxy /tmp/nginx/scgi /tmp/nginx/uwsgi && \
+    install -d -m 777 /tmp/run/tmp /tmp/run/logs && \
+    chmod 777 /workspaces && \
+    chown -R netalertx:netalertx /data && \
+    chmod 666 /data/config/app.conf /data/db/app.db && \
+    chmod 1777 /tmp && \
+    install -d -o root -g root -m 1777 /tmp/.X11-unix && \
+    mkdir -p /home/netalertx && \
+    chown netalertx:netalertx /home/netalertx && \
+    sed -i -e 's#/app:#/workspaces:#' /etc/passwd && \
+    find /opt/venv -type d -exec chmod o+rwx {} \;
+    
+USER netalertx
 ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
--- a/.devcontainer/NetAlertX.code-workspace
+++ b/.devcontainer/NetAlertX.code-workspace
@@ -0,0 +1,37 @@
+{
+	"folders": [
+		{
+			"name": "NetAlertX Source",
+			"path": "/workspaces/NetAlertX"
+		},
+		{
+			"name": "💾 NetAlertX Data",
+			"path": "/data"
+		},
+		{
+			"name": "🔍 Active NetAlertX log",
+			"path": "/tmp/log"
+		},
+		{
+			"name": "🌐 Active NetAlertX nginx",
+			"path": "/tmp/nginx"
+		},
+		{
+			"name": "📊 Active NetAlertX api",
+			"path": "/tmp/api"
+		},
+		{
+			"name": "⚙️ Active NetAlertX run",
+			"path": "/tmp/run"
+		}
+	],
+	"settings": {
+		"terminal.integrated.suggest.enabled": true,
+		"terminal.integrated.defaultProfile.linux": "zsh",
+		"terminal.integrated.profiles.linux": {
+			"zsh": {
+				"path": "/usr/bin/fish"
+			}
+		}
+	}
+}
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -19,6 +19,17 @@ Common workflows (F1->Tasks: Run Task)
  - Backend (GraphQL/Flask): `.devcontainer/scripts/restart-backend.sh` starts it under debugpy and logs to `/app/log/app.log`
  - Frontend (nginx + PHP-FPM): Started via setup.sh; can be restarted by the task "Start Frontend (nginx and PHP-FPM)".

+Production Container Evaulation
+1. F1 → Tasks: Shutdown services ([Dev Container] Stop Frontend & Backend Services)
+2. F1 → Tasks: Docker system and build prune ([Any] Docker system and build Prune)
+3. F1 → Remote: Close Unused Forwarded Ports (VS Code command)
+4. F1 → Tasks: Build & Launch Production (Build & Launch Prodcution Docker 
+5. visit http://localhost:20211
+
+Unit tests
+1. F1 → Tasks: Rebuild test container ([Any] Build Unit Test Docker image)
+2. F1 → Test: Run all tests
+
 Testing
 - pytest is installed via Alpine packages (py3-pytest, py3-pytest-cov).
 - PYTHONPATH includes workspace and venv site-packages so tests can import `server/*` modules and third-party libs.
--- a/.devcontainer/WORKSPACE.md
+++ b/.devcontainer/WORKSPACE.md
@@ -0,0 +1,26 @@
+# NetAlertX Multi-Folder Workspace
+
+This repository uses a multi-folder workspace configuration to provide easy access to runtime directories.
+
+## Opening the Multi-Folder Workspace
+
+After the devcontainer builds, open the workspace file to access all folders:
+
+1. **File** → **Open Workspace from File**
+2. Select `NetAlertX.code-workspace`
+
+Or use Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
+- Type: `Workspaces: Open Workspace from File`
+- Select `NetAlertX.code-workspace`
+
+## Workspace Folders
+
+The workspace includes:
+- **NetAlertX** - Main source code
+- **/tmp** - Runtime temporary files
+- **/tmp/api** - API response cache (JSON files)
+- **/tmp/log** - Application and plugin logs
+
+## Testing Configuration
+
+Pytest is configured to only discover tests in the main `test/` directory, not in `/tmp` folders.
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,6 +2,8 @@
  "name": "NetAlertX DevContainer",
  "remoteUser": "netalertx",
  "workspaceFolder": "/workspaces/NetAlertX",
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspaces/NetAlertX,type=bind,consistency=cached",
+  "onCreateCommand": "mkdir -p /tmp/api /tmp/log",
  "build": {
    "dockerfile": "./Dockerfile", // Dockerfile generated by script
    "context": "../", // Context is the root of the repository
@@ -23,6 +25,9 @@
    // even within this container and connect to them as needed.
    // "--network=host",
  ],
+  "mounts": [ 
+    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" //used for testing various conditions in docker
+  ],
  // ATTENTION: If running with --network=host, COMMENT `forwardPorts` OR ELSE THERE WILL BE NO WEBUI!
  "forwardPorts": [20211, 20212, 5678],
  "portsAttributes": { // the ports we care about
@@ -40,8 +45,14 @@
    }
  },

-  "postStartCommand": "${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
-
+  "postCreateCommand": {
+      "Install Pip Requirements": "/opt/venv/bin/pip3 install pytest docker debugpy",
+      "Workspace Instructions": "printf '\n\n<> DevContainer Ready!\n\n📁 To access /tmp folders in the workspace:\n   File → Open Workspace from File → NetAlertX.code-workspace\n\n📖 See .devcontainer/WORKSPACE.md for details\n\n'"
+  },
+  "postStartCommand": {
+      "Start Environment":"${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
+      "Build test-container":"echo building netalertx-test container in background. check /tmp/build.log for progress. && setsid docker buildx build -t netalertx-test . > /tmp/build.log 2>&1 &"
+  },
  "customizations": {
    "vscode": {
      "extensions": [
@@ -62,15 +73,27 @@
        "esbenp.prettier-vscode",
        "eamodio.gitlens",
        "alexcvzz.vscode-sqlite",
-        "yzhang.markdown-all-in-one",
-        "mkhl.shfmt"
+        "mkhl.shfmt",
+        "charliermarsh.ruff",
+        "ms-python.flake8",
+        "exiasr.hadolint",
+        "timonwong.shellcheck"
      ],
      "settings": {
        "terminal.integrated.cwd": "${containerWorkspaceFolder}",
+        "terminal.integrated.profiles.linux": {
+          "zsh": {
+            "path": "/bin/zsh",
+            "args": ["-l"]
+          }
+        },
+        "terminal.integrated.defaultProfile.linux": "zsh",
+        
        // Python testing configuration
        "python.testing.pytestEnabled": true,
        "python.testing.unittestEnabled": false,
        "python.testing.pytestArgs": ["test"],
+        "python.testing.cwd": "${containerWorkspaceFolder}",
        // Make sure we discover tests and import server correctly
        "python.analysis.extraPaths": [
          "/workspaces/NetAlertX",
--- a/.devcontainer/resources/devcontainer-Dockerfile
+++ b/.devcontainer/resources/devcontainer-Dockerfile
@@ -3,11 +3,15 @@
 #   .devcontainer/scripts/generate-configs.sh
 # The generator appends this stage to produce .devcontainer/Dockerfile.
 # Prefer to place dev-only setup here; use setup.sh only for runtime fixes.
+# Permissions in devcontainer should be of a brutalist nature. They will be
+# Open and wide to avoid permission issues during development allowing max
+# flexibility.

+# hadolint ignore=DL3006
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app

-ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
+ENV PYTHONPATH=${PYTHONPATH}:/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/usr/lib/python3.12/site-packages
 ENV PATH=/services:${PATH}
 ENV PHP_INI_SCAN_DIR=/services/config/php/conf.d:/etc/php83/conf.d
 ENV LISTEN_ADDR=0.0.0.0
@@ -15,19 +19,37 @@ ENV PORT=20211
 ENV NETALERTX_DEBUG=1
 ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
-
+USER root
 # Install common tools, create user, and set up sudo
-RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov fish shfmt github-cli
+
+RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
+    pytest-cov zsh alpine-zsh-config shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx \
+    docker-cli-compose shellcheck
+
+# Install hadolint (Dockerfile linter)
+RUN curl -L https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint

 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
    cp -a /usr/lib/php83/modules/. /services/php/modules/ && \
    echo "${NETALERTX_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-# Install debugpy in the virtualenv if present, otherwise into system python3
-RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' && \
-    mkdir /workspaces && \
-    install -d -o netalertx -g netalertx -m 777 /services/run/logs && \
-    install -d -o netalertx -g netalertx -m 777 /app/run/tmp/client_body && \
-    sed -i -e 's|:/app:|:/workspaces:|' /etc/passwd && \
-    python -m pip install -U pytest pytest-cov
+ENV SHELL=/bin/zsh

+RUN mkdir -p /workspaces && \
+    install -d -m 777 /data /data/config /data/db && \
+    install -d -m 777 /tmp/log /tmp/log/plugins /tmp/api /tmp/run /tmp/nginx && \
+    install -d -m 777 /tmp/nginx/active-config /tmp/nginx/client_body /tmp/nginx/config && \
+    install -d -m 777 /tmp/nginx/fastcgi /tmp/nginx/proxy /tmp/nginx/scgi /tmp/nginx/uwsgi && \
+    install -d -m 777 /tmp/run/tmp /tmp/run/logs && \
+    chmod 777 /workspaces && \
+    chown -R netalertx:netalertx /data && \
+    chmod 666 /data/config/app.conf /data/db/app.db && \
+    chmod 1777 /tmp && \
+    install -d -o root -g root -m 1777 /tmp/.X11-unix && \
+    mkdir -p /home/netalertx && \
+    chown netalertx:netalertx /home/netalertx && \
+    sed -i -e 's#/app:#/workspaces:#' /etc/passwd && \
+    find /opt/venv -type d -exec chmod o+rwx {} \;
+    
+USER netalertx
 ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
--- a/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template
+++ b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template
@@ -1,118 +0,0 @@
-# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh
-# Generated from: install/production-filesystem/services/config/nginx/netalertx.conf.template
-
-# Set number of worker processes automatically based on number of CPU cores.
-worker_processes auto;
-
-# Enables the use of JIT for regular expressions to speed-up their processing.
-pcre_jit on;
-
-# Configures default error logger.
-error_log /app/log/nginx-error.log warn;
-
-events {
-	# The maximum number of simultaneous connections that can be opened by
-	# a worker process.
-	worker_connections 1024;
-}
-
-http {
-
-	# Mapping of temp paths for various nginx modules.
-    client_body_temp_path /services/run/tmp/client_body;
-    proxy_temp_path /services/run/tmp/proxy;
-	fastcgi_temp_path /services/run/tmp/fastcgi;
-	uwsgi_temp_path /services/run/tmp/uwsgi;
-	scgi_temp_path /services/run/tmp/scgi;
-	
-	# Includes mapping of file name extensions to MIME types of responses
-	# and defines the default type.
-	include /services/config/nginx/mime.types;
-	default_type application/octet-stream;
-
-	# Name servers used to resolve names of upstream servers into addresses.
-	# It's also needed when using tcpsocket and udpsocket in Lua modules.
-	#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
-
-	# Don't tell nginx version to the clients. Default is 'on'.
-	server_tokens off;
-
-	# Specifies the maximum accepted body size of a client request, as
-	# indicated by the request header Content-Length. If the stated content
-	# length is greater than this size, then the client receives the HTTP
-	# error code 413. Set to 0 to disable. Default is '1m'.
-	client_max_body_size 1m;
-
-	# Sendfile copies data between one FD and other from within the kernel,
-	# which is more efficient than read() + write(). Default is off.
-	sendfile on;
-
-	# Causes nginx to attempt to send its HTTP response head in one packet,
-	# instead of using partial frames. Default is 'off'.
-	tcp_nopush on;
-
-
-	# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
-	# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
-	ssl_protocols TLSv1.2 TLSv1.3;
-
-	# Path of the file with Diffie-Hellman parameters for EDH ciphers.
-	# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
-	#ssl_dhparam /etc/ssl/nginx/dh2048.pem;
-
-	# Specifies that our cipher suits should be preferred over client ciphers.
-	# Default is 'off'.
-	ssl_prefer_server_ciphers on;
-
-	# Enables a shared SSL cache with size that can hold around 8000 sessions.
-	# Default is 'none'.
-	ssl_session_cache shared:SSL:2m;
-
-	# Specifies a time during which a client may reuse the session parameters.
-	# Default is '5m'.
-	ssl_session_timeout 1h;
-
-	# Disable TLS session tickets (they are insecure). Default is 'on'.
-	ssl_session_tickets off;
-
-
-	# Enable gzipping of responses.
-	gzip on;
-
-	# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
-	gzip_vary on;
-
-
-    # Specifies the main log format.
-    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-	    '$status $body_bytes_sent "$http_referer" '
-	    '"$http_user_agent" "$http_x_forwarded_for"';
-
-	# Sets the path, format, and configuration for a buffered log write.
-	access_log /app/log/nginx-access.log main;
-
-
-	# Virtual host config
-    server {
-        listen 0.0.0.0:20211 default_server;
-		large_client_header_buffers 4 16k;
-        root /app/front;
-        index index.php;
-        add_header X-Forwarded-Prefix "/app" always;
-
-
-        location ~* \.php$ {
-            # Set Cache-Control header to prevent caching on the first load
-            add_header Cache-Control "no-store";
-            fastcgi_pass unix:/services/run/php.sock;
-            include /services/config/nginx/fastcgi_params;
-			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-			fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-
-            fastcgi_param PHP_VALUE "xdebug.remote_enable=1";
-            fastcgi_connect_timeout 75;
-            fastcgi_send_timeout 600;
-            fastcgi_read_timeout 600;
-        }
-    }
-}
--- a/.devcontainer/resources/devcontainer-overlay/workspaces/.zshrc
+++ b/.devcontainer/resources/devcontainer-overlay/workspaces/.zshrc
@@ -0,0 +1,47 @@
+# NetAlertX devcontainer zsh configuration
+# Keep this lightweight and deterministic so shells behave consistently.
+
+export PATH="$HOME/.local/bin:$PATH"
+export EDITOR=vim
+export SHELL=/bin/zsh
+
+# Start inside the workspace if it exists
+if [ -d "/workspaces/NetAlertX" ]; then
+  cd /workspaces/NetAlertX
+fi
+
+# Enable basic completion and prompt helpers
+autoload -Uz compinit promptinit colors
+colors
+compinit -u
+promptinit
+
+# Friendly prompt with virtualenv awareness
+setopt PROMPT_SUBST
+
+_venv_segment() {
+  if [ -n "$VIRTUAL_ENV" ]; then
+    printf '(%s) ' "${VIRTUAL_ENV:t}"
+  fi
+}
+
+PROMPT='%F{green}$(_venv_segment)%f%F{cyan}%n@%m%f %F{yellow}%~%f %# '
+RPROMPT='%F{magenta}$(git rev-parse --abbrev-ref HEAD 2>/dev/null)%f'
+
+# Sensible defaults
+setopt autocd
+setopt correct
+setopt extendedglob
+HISTFILE="$HOME/.zsh_history"
+HISTSIZE=5000
+SAVEHIST=5000
+
+alias ll='ls -alF'
+alias la='ls -A'
+alias gs='git status -sb'
+alias gp='git pull --ff-only'
+
+# Ensure pyenv/virtualenv activate hooks adjust the prompt cleanly
+if [ -f "$HOME/.zshrc.local" ]; then
+  source "$HOME/.zshrc.local"
+fi
--- a/.devcontainer/scripts/confirm-docker-prune.sh
+++ b/.devcontainer/scripts/confirm-docker-prune.sh
@@ -1,7 +1,11 @@
 #!/bin/bash
 set -euo pipefail

-read -r -p "Are you sure you want to destroy your host docker containers and images? Type YES to continue: " reply
+if [[ -n "${CONFIRM_PRUNE:-}" && "${CONFIRM_PRUNE}" == "YES" ]]; then
+  reply="YES"
+else
+  read -r -p "Are you sure you want to destroy your host docker containers and images? Type YES to continue: " reply
+fi

 if [[ "${reply}" == "YES" ]]; then
  docker system prune -af
--- a/.devcontainer/scripts/generate-configs.sh
+++ b/.devcontainer/scripts/generate-configs.sh
@@ -7,56 +7,28 @@
 # the final .devcontainer/Dockerfile used by the devcontainer.

 echo "Generating .devcontainer/Dockerfile"
-SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+SCRIPT_PATH=$(set -- "$0"; dirname -- "$1")
+SCRIPT_DIR=$(cd "$SCRIPT_PATH" && pwd -P)
 DEVCONTAINER_DIR="${SCRIPT_DIR%/scripts}"
 ROOT_DIR="${DEVCONTAINER_DIR%/.devcontainer}"

 OUT_FILE="${DEVCONTAINER_DIR}/Dockerfile"

-echo "Adding base Dockerfile from $ROOT_DIR..." 
+echo "Adding base Dockerfile from $ROOT_DIR and merging to devcontainer-Dockerfile" 
+{

-echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh" > "$OUT_FILE"
-echo "" >> "$OUT_FILE"
-echo "# ---/Dockerfile---" >> "$OUT_FILE"
+echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh"
+echo ""
+echo "# ---/Dockerfile---" 

-cat "${ROOT_DIR}/Dockerfile" >> "$OUT_FILE"
+cat "${ROOT_DIR}/Dockerfile" 

-echo "" >> "$OUT_FILE"
-echo "# ---/resources/devcontainer-Dockerfile---" >> "$OUT_FILE"
-echo "" >> "$OUT_FILE"
+echo ""
+echo "# ---/resources/devcontainer-Dockerfile---"
+echo ""
+cat "${DEVCONTAINER_DIR}/resources/devcontainer-Dockerfile"
+} > "$OUT_FILE"

-echo "Adding devcontainer-Dockerfile from $DEVCONTAINER_DIR/resources..."
-cat "${DEVCONTAINER_DIR}/resources/devcontainer-Dockerfile" >> "$OUT_FILE"
-
-echo "Generated $OUT_FILE using root dir $ROOT_DIR" >&2
-
-# Generate devcontainer nginx config from production template
-echo "Generating devcontainer nginx config"
-NGINX_TEMPLATE="${ROOT_DIR}/install/production-filesystem/services/config/nginx/netalertx.conf.template"
-NGINX_OUT="${DEVCONTAINER_DIR}/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template"
-
-# Create output directory if it doesn't exist
-mkdir -p "$(dirname "$NGINX_OUT")"
-
-# Start with header comment
-cat > "$NGINX_OUT" << 'EOF'
-# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh
-# Generated from: install/production-filesystem/services/config/nginx/netalertx.conf.template
-
-EOF
-
-# Process the template: replace listen directive and inject Xdebug params
-sed 's/${LISTEN_ADDR}:${PORT}/0.0.0.0:20211/g' "$NGINX_TEMPLATE" | \
-awk '
-/fastcgi_param SCRIPT_NAME \$fastcgi_script_name;/ {
-    print $0
-	print ""
-    print "            fastcgi_param PHP_VALUE \"xdebug.remote_enable=1\";"
-    next
-}
-{ print }
-' >> "$NGINX_OUT"
-
-echo "Generated $NGINX_OUT from $NGINX_TEMPLATE" >&2
+echo "Generated $OUT_FILE using root dir $ROOT_DIR"

 echo "Done."
--- a/.devcontainer/scripts/setup.sh
+++ b/.devcontainer/scripts/setup.sh
@@ -1,137 +1,104 @@
 #!/bin/bash
-# Runtime setup for devcontainer (executed after container starts).
-# Prefer building setup into resources/devcontainer-Dockerfile when possible.
-# Use this script for runtime-only adjustments (permissions, sockets, ownership,
-# and services managed without init) that are difficult at build time.
-id
-
-# Define variables (paths, ports, environment)
-
-export APP_DIR="/app"
-export APP_COMMAND="/workspaces/NetAlertX/.devcontainer/scripts/restart-backend.sh"
-export PHP_FPM_BIN="/usr/sbin/php-fpm83"
-export CROND_BIN="/usr/sbin/crond -f"
+# NetAlertX Devcontainer Setup Script
+#
+# This script forcefully resets all runtime state for a single-user devcontainer.
+# It is intentionally idempotent: every run wipes and recreates all relevant folders,
+# symlinks, and files, so the environment is always fresh and predictable.
+#
+# - No conditional logic: everything is (re)created, overwritten, or reset unconditionally.
+# - No security hardening: this is for disposable, local dev use only.
+# - No checks for existing files, mounts, or processes—just do the work.
+#
+# If you add new runtime files or folders, add them to the creation/reset section below.
+#
+# Do not add if-then logic or error handling for missing/existing files. Simplicity is the goal.


-export ALWAYS_FRESH_INSTALL=false
-export INSTALL_DIR=/app
-export LOGS_LOCATION=/app/logs
-export CONF_FILE="app.conf"
-export DB_FILE="app.db"
-export FULL_FILEDB_PATH="${INSTALL_DIR}/db/${DB_FILE}"
-export OUI_FILE="/usr/share/arp-scan/ieee-oui.txt" # Define the path to ieee-oui.txt and ieee-iab.txt
-export TZ=Europe/Paris
-export PORT=20211
-export SOURCE_DIR="/workspaces/NetAlertX"
+SOURCE_DIR=${SOURCE_DIR:-/workspaces/NetAlertX}
+PY_SITE_PACKAGES="${VIRTUAL_ENV:-/opt/venv}/lib/python3.12/site-packages"

+LOG_FILES=(
+  LOG_APP
+  LOG_APP_FRONT
+  LOG_STDOUT
+  LOG_STDERR
+  LOG_EXECUTION_QUEUE
+  LOG_APP_PHP_ERRORS
+  LOG_IP_CHANGES
+  LOG_CRON
+  LOG_REPORT_OUTPUT_TXT
+  LOG_REPORT_OUTPUT_HTML
+  LOG_REPORT_OUTPUT_JSON
+  LOG_DB_IS_LOCKED
+  LOG_NGINX_ERROR
+)

-main() {
-    echo "=== NetAlertX Development Container Setup ==="
-    killall php-fpm83 nginx crond python3 2>/dev/null
-    sleep 1
-    echo "Setting up ${SOURCE_DIR}..."
-    sudo chown $(id -u):$(id -g) /workspaces
-    sudo chmod 755 /workspaces
-    configure_source
-    
-    echo "--- Starting Development Services ---"
-    configure_php
+sudo chmod 666 /var/run/docker.sock 2>/dev/null || true
+sudo chown "$(id -u)":"$(id -g)" /workspaces
+sudo chmod 755 /workspaces

+killall php-fpm83 nginx crond python3 2>/dev/null || true

-    start_services
-}
+# Mount ramdisks for volatile data
+sudo mount -t tmpfs -o size=100m,mode=0777 tmpfs /tmp/log 2>/dev/null || true
+sudo mount -t tmpfs -o size=50m,mode=0777 tmpfs /tmp/api 2>/dev/null || true
+sudo mount -t tmpfs -o size=50m,mode=0777 tmpfs /tmp/run 2>/dev/null || true
+sudo mount -t tmpfs -o size=50m,mode=0777 tmpfs /tmp/nginx 2>/dev/null || true

-isRamDisk() {
-  if [ -z "$1" ] || [ ! -d "$1" ]; then
-    echo "Usage: isRamDisk <directory>" >&2
-    return 2
-  fi
-
-  local fstype
-  fstype=$(df -T "$1" | awk 'NR==2 {print $2}')
-
-  if [ "$fstype" = "tmpfs" ] || [ "$fstype" = "ramfs" ]; then
-    return 0 # Success (is a ramdisk)
-  else
-    return 1 # Failure (is not a ramdisk)
-  fi
-}
-
-# Setup source directory
-configure_source() {
-    echo "[1/4] Configuring System..."
-    echo "      -> Setting up /services permissions"
-    sudo chown -R netalertx /services
-
-    echo "[2/4] Configuring Source..."
-    echo "      -> Cleaning up previous instances"
-
-    test -e ${NETALERTX_LOG} && sudo umount "${NETALERTX_LOG}" 2>/dev/null || true
-    test -e ${NETALERTX_API} && sudo umount "${NETALERTX_API}" 2>/dev/null || true
-    test -e ${NETALERTX_APP} && sudo rm -Rf ${NETALERTX_APP}/
-
-    echo "      -> Linking source to ${NETALERTX_APP}"
-    sudo ln -s ${SOURCE_DIR}/ ${NETALERTX_APP}
-
-    echo "      -> Mounting ramdisks for /log and /api"
-    mkdir -p ${NETALERTX_LOG} ${NETALERTX_API}
-    sudo mount -o uid=$(id -u netalertx),gid=$(id -g netalertx),mode=775 -t tmpfs -o size=256M tmpfs "${NETALERTX_LOG}"
-    sudo mount -o uid=$(id -u netalertx),gid=$(id -g netalertx),mode=775 -t tmpfs -o size=256M tmpfs "${NETALERTX_API}"
-    mkdir -p ${NETALERTX_PLUGINS_LOG}
-    touch ${NETALERTX_PLUGINS_LOG}/.dockerignore ${NETALERTX_API}/.dockerignore
-    # tmpfs mounts configured with netalertx ownership and 775 permissions above
-
-    touch /app/log/nginx_error.log
-    echo "      -> Empty log"|tee ${INSTALL_DIR}/log/app.log \
-        ${INSTALL_DIR}/log/app_front.log \
-        ${INSTALL_DIR}/log/stdout.log
-    touch ${INSTALL_DIR}/log/stderr.log \
-        ${INSTALL_DIR}/log/execution_queue.log
-    echo 0 > ${INSTALL_DIR}/log/db_is_locked.log
-    for f in ${INSTALL_DIR}/log/*.log; do
-        sudo chown netalertx:www-data $f
-        sudo chmod 664 $f
-        echo "" > $f
-    done
-
-    mkdir -p /app/log/plugins
-    sudo chown -R netalertx:www-data ${INSTALL_DIR}
-
-    
-    while ps ax | grep -v grep | grep python3 > /dev/null; do
-        killall python3 &>/dev/null
-        sleep 0.2
-    done
-    
-}
-
-# configure_php: configure PHP-FPM and enable dev debug options
-configure_php() {
-    echo "[3/4] Configuring PHP-FPM..."
-    sudo chown -R netalertx:netalertx  ${SYSTEM_SERVICES_RUN} 2>/dev/null || true
-
-}
-
-# start_services: start crond, PHP-FPM, nginx and the application
-start_services() {
-    echo "[4/4] Starting services"
-
-    sudo chmod +x /entrypoint.sh
-    setsid bash /entrypoint.sh&
-    sleep 1
-}
-
-
-sudo chmod 755 /app/
-echo "Development $(git rev-parse --short=8 HEAD)"| sudo tee /app/.VERSION
-# Run the main function
-main
-
-# create a services readme file
-echo "This folder is auto-generated by the container and devcontainer setup.sh script." > /services/README.md
-echo "Any changes here will be lost on rebuild. To make permanent changes, edit files in .devcontainer or production filesystem and rebuild the container." >> /services/README.md
-echo "Only make temporary/test changes in this folder, then perform a rebuild to reset." >> /services/README.md
+sudo chmod 777 /tmp/log /tmp/api /tmp/run /tmp/nginx



+sudo rm -rf /entrypoint.d
+sudo ln -s "${SOURCE_DIR}/install/production-filesystem/entrypoint.d" /entrypoint.d
+
+sudo rm -rf "${NETALERTX_APP}"
+sudo ln -s "${SOURCE_DIR}/" "${NETALERTX_APP}"
+
+for dir in "${NETALERTX_DATA}" "${NETALERTX_CONFIG}" "${NETALERTX_DB}"; do
+  sudo install -d -m 777 "${dir}"
+done
+
+for dir in \
+  "${SYSTEM_SERVICES_RUN_LOG}" \
+  "${SYSTEM_SERVICES_ACTIVE_CONFIG}" \
+  "${NETALERTX_PLUGINS_LOG}" \
+  "${SYSTEM_SERVICES_RUN_TMP}" \
+  "/tmp/nginx/client_body" \
+  "/tmp/nginx/proxy" \
+  "/tmp/nginx/fastcgi" \
+  "/tmp/nginx/uwsgi" \
+  "/tmp/nginx/scgi"; do
+  sudo install -d -m 777 "${dir}"
+done
+
+
+for var in "${LOG_FILES[@]}"; do
+  path=${!var}
+  dir=$(dirname "${path}")
+  sudo install -d -m 777 "${dir}"
+  touch "${path}"
+done
+
+printf '0\n' | sudo tee "${LOG_DB_IS_LOCKED}" >/dev/null
+sudo chmod 777 "${LOG_DB_IS_LOCKED}"
+
+sudo pkill -f python3 2>/dev/null || true
+
+sudo chmod 777 "${PY_SITE_PACKAGES}" "${NETALERTX_DATA}" "${NETALERTX_DATA}"/* 2>/dev/null || true
+
+sudo chmod 005 "${PY_SITE_PACKAGES}" 2>/dev/null || true
+
+sudo chown -R "${NETALERTX_USER}:${NETALERTX_GROUP}" "${NETALERTX_APP}"
+date +%s | sudo tee "${NETALERTX_FRONT}/buildtimestamp.txt" >/dev/null
+
+sudo chmod 755 "${NETALERTX_APP}"
+
+sudo chmod +x /entrypoint.sh
+setsid bash /entrypoint.sh &
+sleep 1
+
+echo "Development $(git rev-parse --short=8 HEAD)" | sudo tee "${NETALERTX_APP}/.VERSION" >/dev/null
+
+

--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 .dockerignore
+**/.dockerignore
 .env
 .git
 .github
--- a/.flake8
+++ b/.flake8
@@ -0,0 +1,3 @@
+[flake8]
+max-line-length = 180
+ignore = E221,E222,E251,E203
--- a/.github/ISSUE_TEMPLATE/i-have-an-issue.yml
+++ b/.github/ISSUE_TEMPLATE/i-have-an-issue.yml
@@ -44,9 +44,9 @@ body:
    required: false
 - type: textarea
  attributes:
-    label: app.conf
+    label: Relevant `app.conf` settings 
    description: |
-      Paste your `app.conf` (remove personal info)    
+      Paste relevant `app.conf`settings (remove sensitive info)    
    render: python
  validations:
    required: false
@@ -55,7 +55,7 @@ body:
    label: docker-compose.yml
    description: |
      Paste your `docker-compose.yml`    
-    render: python
+    render: yaml
  validations:
    required: false
 - type: dropdown
@@ -70,21 +70,37 @@ body:
      - Bare-metal (community only support - Check Discord)
  validations:
    required: true
+- type: checkboxes
+  attributes:
+    label: Debug or Trace enabled
+    description: I confirm I set `LOG_LEVEL` to `debug` or `trace`
+    options:
+    - label: I have read and followed the steps in the wiki link above and provided the required debug logs and the log section covers the time when the issue occurs.
+      required: true
 - type: textarea
  attributes:
-    label: app.log
+    label: Relevant `app.log` section
+    value: |
+        ```
+          PASTE LOG HERE. Using the triple backticks preserves format. 
+        ```
    description: |
      Logs with debug enabled (https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEBUG_TIPS.md) ⚠
      ***Generally speaking, all bug reports should have logs provided.***
      Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
      Additionally, any additional info? Screenshots? References? Anything that will give us more context about the issue you are encountering!
-      You can use `tail -100 /app/log/app.log` in the container if you have trouble getting to the log files. 
+      You can use `tail -100 /app/log/app.log` in the container if you have trouble getting to the log files or send them to netalertx@gmail.com with the issue number.
  validations:
    required: false
- type: checkboxes
+- type: textarea
  attributes:
-    label: Debug enabled
-    description: I confirm I enabled `debug`
-    options:
-    - label: I have read and followed the steps in the wiki link above and provided the required debug logs and the log section covers the time when the issue occurs.
-      required: true
+    label: Docker Logs
+    description: |
+     You can retrieve the logs from Portainer -> Containers -> your NetAlertX container -> Logs or by running `sudo docker logs netalertx`.
+    value: |
+        ```
+          PASTE DOCKER LOG HERE. Using the triple backticks preserves format. 
+        ```
+  validations:
+    required: true
+
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -18,7 +18,7 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 ## Plugin patterns that matter
 - Manifest lives at `front/plugins/<code_name>/config.json`; `code_name` == folder, `unique_prefix` drives settings and filenames (e.g., `ARPSCAN`).
 - Control via settings: `<PREF>_RUN` (phase), `<PREF>_RUN_SCHD` (cron-like), `<PREF>_CMD` (script path), `<PREF>_RUN_TIMEOUT`, `<PREF>_WATCH` (diff columns).
- Data contract: scripts write `/app/log/plugins/last_result.<PREF>.log` (pipe‑delimited: 9 required cols + optional 4). Use `front/plugins/plugin_helper.py`’s `Plugin_Objects` to sanitize text and normalize MACs, then `write_result_file()`.
+- Data contract: scripts write `/tmp/log/plugins/last_result.<PREF>.log` (pipe‑delimited: 9 required cols + optional 4). Use `front/plugins/plugin_helper.py`’s `Plugin_Objects` to sanitize text and normalize MACs, then `write_result_file()`.
 - Device import: define `database_column_definitions` when creating/updating devices; watched fields trigger notifications.

 ### Standard Plugin Formats
@@ -30,6 +30,7 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 * other: Miscellaneous plugins. Runs at various times. Data source: self / Template.

 ### Plugin logging & outputs
+- Always check relevant logs first.
 - Use logging as shown in other plugins.
 - Collect results with `Plugin_Objects.add_object(...)` during processing and call `plugin_objects.write_result_file()` exactly once at the end of the script.
 - Prefer to log a brief summary before writing (e.g., total objects added) to aid troubleshooting; keep logs concise at `info` level and use `verbose` or `debug` for extra context.
@@ -42,22 +43,32 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 ## Conventions & helpers to reuse
 - Settings: add/modify via `ccd()` in `server/initialise.py` or per‑plugin manifest. Never hardcode ports or secrets; use `get_setting_value()`.
 - Logging: use `logger.mylog(level, [message])`; levels: none/minimal/verbose/debug/trace.
- Time/MAC/strings: `helper.py` (`timeNowTZ`, `normalize_mac`, sanitizers). Validate MACs before DB writes.
+- Time/MAC/strings: `helper.py` (`timeNowDB`, `normalize_mac`, sanitizers). Validate MACs before DB writes.
 - DB helpers: prefer `server/db/db_helper.py` functions (e.g., `get_table_json`, device condition helpers) over raw SQL in new paths.

 ## Dev workflow (devcontainer)
+- **Devcontainer philosophy: brutal simplicity.** One user, everything writable, completely idempotent. No permission checks, no conditional logic, no sudo needed. If something doesn't work, tear down the wall and rebuild - don't patch. We unit test permissions in the hardened build.
+- **Permissions:** Never `chmod` or `chown` during operations. Everything is already writable. If you need permissions, the devcontainer setup is broken - fix `.devcontainer/scripts/setup.sh` or `.devcontainer/resources/devcontainer-Dockerfile` instead.
+- **Files & Paths:** Use environment variables (`NETALERTX_DB`, `NETALERTX_LOG`, etc.) everywhere. `/data` for persistent config/db, `/tmp` for runtime logs/api/nginx state. Never hardcode `/data/db` or relative paths.
+- **Database reset:** Use the `[Dev Container] Wipe and Regenerate Database` task. Kills backend, deletes `/data/{db,config}/*`, runs first-time setup scripts. Clean slate, no questions.
 - Services: use tasks to (re)start backend and nginx/PHP-FPM. Backend runs with debugpy on 5678; attach a Python debugger if needed.
 - Run a plugin manually: `python3 front/plugins/<code_name>/script.py` (ensure `sys.path` includes `/app/front/plugins` and `/app/server` like the template).
 - Testing: pytest available via Alpine packages. Tests live in `test/`; app code is under `server/`. PYTHONPATH is preconfigured to include workspace and `/opt/venv` site‑packages.
+- **Subprocess calls:** ALWAYS set explicit timeouts. Default to 60s minimum unless plugin config specifies otherwise. Nested subprocess calls (e.g., plugins calling external tools) need their own timeout - outer plugin timeout won't save you.

 ## What “done right” looks like
- When adding a plugin, start from `front/plugins/__template`, implement with `plugin_helper`, define manifest settings, and wire phase via `<PREF>_RUN`. Verify logs in `/app/log/plugins/` and data in `api/*.json`.
+- When adding a plugin, start from `front/plugins/__template`, implement with `plugin_helper`, define manifest settings, and wire phase via `<PREF>_RUN`. Verify logs in `/tmp/log/plugins/` and data in `api/*.json`.
 - When introducing new config, define it once (core `ccd()` or plugin manifest) and read it via helpers everywhere.
 - When exposing new server functionality, add endpoints in `server/api_server/*` and keep authorization consistent; update UI by reading/writing JSON cache rather than bypassing the pipeline.

 ## Useful references
 - Docs: `docs/PLUGINS_DEV.md`, `docs/SETTINGS_SYSTEM.md`, `docs/API_*.md`, `docs/DEBUG_*.md`
- Logs: backend `/app/log/app.log`, plugin logs under `/app/log/plugins/`, nginx/php logs under `/var/log/*`
+- Logs: All logs are under `/tmp/log/`. Plugin logs are very shortly under `/tmp/log/plugins/` until picked up by the server.
+    - plugin logs: `/tmp/log/app.log`
+	- backend logs: `/tmp/log/stdout.log` and `/tmp/log/stderr.log`
+	- frontend commands logs: `/tmp/log/app_front.log`
+	- php errors: `/tmp/log/app.php_errors.log`
+	- nginx logs: `/tmp/log/nginx-access.log` and `/tmp/log/nginx-error.log`

 ## Assistant expectations:
 - Be concise, opinionated, and biased toward security and simplicity.
@@ -72,3 +83,9 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 - Be sure to offer choices when appropriate.
 - Always understand the intent of the user's request and undo/redo as needed.
 - Above all, use the simplest possible code that meets the need so it can be easily audited and maintained.
+- Always leave logging enabled. If there is a possiblity it will be difficult to debug with current logging, add more logging.
+- Always run the testFailure tool before executing any tests to gather current failure information and avoid redundant runs.
+- Always prioritize using the appropriate tools in the environment first. As an example if a test is failing use `testFailure` then `runTests`. Never `runTests` first. 
+- Docker tests take an extremely long time to run.  Avoid changes to docker or tests until you've examined the exisiting testFailures and runTests results.
+- Environment tools are designed specifically for your use in this project and running them in this order will give you the best results. 
+
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -21,7 +21,8 @@ jobs:
        run: |
          echo "🔍 Checking for incorrect absolute '/php/' URLs (should be 'php/' or './php/')..."

-          MATCHES=$(grep -rE "['\"]\/php\/" --include=\*.{js,php,html} ./front | grep -E "\.get|\.post|\.ajax|fetch|url\s*:") || true
+          MATCHES=$(grep -rE "['\"]/php/" --include=\*.{js,php,html} ./front \
+            | grep -E "\.get|\.post|\.ajax|fetch|url\s*:") || true

          if [ -n "$MATCHES" ]; then
            echo "$MATCHES"
@@ -39,3 +40,60 @@ jobs:
          echo "🔍 Checking Python syntax..."
          find . -name "*.py" -print0 | xargs -0 -n1 python3 -m py_compile

+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install linting tools
+        run: |
+          # Python linting
+          pip install flake8
+          # Docker linting
+          wget -O /tmp/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64
+          chmod +x /tmp/hadolint
+          # PHP and shellcheck for syntax checking
+          sudo apt-get update && sudo apt-get install -y php-cli shellcheck
+
+      - name: Shell check
+        continue-on-error: true
+        run: |
+          echo "🔍 Checking shell scripts..."
+          find . -name "*.sh" -exec shellcheck {} \;
+
+      - name: Python lint
+        continue-on-error: true
+        run: |
+          echo "🔍 Linting Python code..."
+          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+
+      - name: PHP check
+        continue-on-error: true
+        run: |
+          echo "🔍 Checking PHP syntax..."
+          find . -name "*.php" -exec php -l {} \;
+
+      - name: Docker lint
+        continue-on-error: true
+        run: |
+          echo "🔍 Linting Dockerfiles..."
+          /tmp/hadolint --config .hadolint.yaml Dockerfile* || true
+
+  docker-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Docker-based tests
+        run: |
+          echo "🐳 Running Docker-based tests..."
+          chmod +x ./test/docker_tests/run_docker_tests.sh
+          ./test/docker_tests/run_docker_tests.sh
--- a/.github/workflows/docker_dev.yml
+++ b/.github/workflows/docker_dev.yml
@@ -10,7 +10,7 @@ on:
    branches:
      - main

-jobs: 
+jobs:
  docker_dev:
    runs-on: ubuntu-latest
    timeout-minutes: 30
@@ -19,7 +19,8 @@ jobs:
      packages: write
    if: >
      contains(github.event.head_commit.message, 'PUSHPROD') != 'True' &&
-      github.repository == 'jokob-sk/NetAlertX'  
+      github.repository == 'jokob-sk/NetAlertX'
+
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -30,26 +31,36 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      # --- Generate timestamped dev version
+      - name: Generate timestamp version
+        id: timestamp
+        run: |
+          ts=$(date -u +'%Y%m%d-%H%M%S')
+          echo "version=dev-${ts}" >> $GITHUB_OUTPUT
+          echo "Generated version: dev-${ts}"
+
      - name: Set up dynamic build ARGs
-        id: getargs        
+        id: getargs
        run: echo "version=$(cat ./stable/VERSION)" >> $GITHUB_OUTPUT

      - name: Get release version
        id: get_version
        run: echo "version=Dev" >> $GITHUB_OUTPUT

+      # --- Write the timestamped version to .VERSION file
      - name: Create .VERSION file
-        run: echo "${{ steps.get_version.outputs.version }}" >> .VERSION
+        run: echo "${{ steps.timestamp.outputs.version }}" > .VERSION

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/jokob-sk/netalertx-dev
            jokobsk/netalertx-dev
          tags: |
            type=raw,value=latest
+            type=raw,value=${{ steps.timestamp.outputs.version }}
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
@@ -72,7 +83,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
--- a/.github/workflows/docker_prod.yml
+++ b/.github/workflows/docker_prod.yml
@@ -6,7 +6,6 @@
 # GitHub recommends pinning actions to a commit SHA.
 # To get a newer version, you will need to update the SHA.
 # You can also reference a tag or branch, but the action may change without warning.
-
 name: Publish Docker image

 on:
@@ -14,6 +13,7 @@ on:
    types: [published]
    tags:
      - '*.[1-9]+[0-9]?.[1-9]+*'
+
 jobs:
  docker:
    runs-on: ubuntu-latest
@@ -21,6 +21,7 @@ jobs:
    permissions:
      contents: read
      packages: write
+
    steps:
      - name: Checkout
        uses: actions/checkout@v3
@@ -31,42 +32,51 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      # --- Previous approach Get release version from tag
      - name: Set up dynamic build ARGs
-        id: getargs        
+        id: getargs
        run: echo "version=$(cat ./stable/VERSION)" >> $GITHUB_OUTPUT

      - name: Get release version
-        id: get_version
+        id: get_version_prev
        run: echo "::set-output name=version::${GITHUB_REF#refs/tags/}"

      - name: Create .VERSION file
-        run: echo "${{ steps.get_version.outputs.version }}" >> .VERSION
+        run: echo "${{ steps.get_version.outputs.version }}" >> .VERSION_PREV

+      # --- Get release version from tag
+      - name: Get release version
+        id: get_version
+        run: echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      # --- Write version to .VERSION file
+      - name: Create .VERSION file
+        run: echo "${{ steps.get_version.outputs.version }}" > .VERSION
+
+      # --- Generate Docker metadata and tags
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
-          # list of Docker images to use as base name for tags
          images: |
            ghcr.io/jokob-sk/netalertx
-            jokobsk/netalertx  
-          # generate Docker tags based on the following events/attributes
+            jokobsk/netalertx
          tags: |
-            type=semver,pattern={{version}},value=${{ inputs.version }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ inputs.version }}
-            type=semver,pattern={{major}},value=${{ inputs.version }}
+            type=semver,pattern={{version}},value=${{ steps.get_version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ steps.get_version.outputs.version }}
+            type=semver,pattern={{major}},value=${{ steps.get_version.outputs.version }}
            type=ref,event=branch,suffix=-{{ sha }}
            type=ref,event=pr
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}

-      - name: Log in to Github Container registry
+      - name: Log in to Github Container Registry (GHCR)
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: jokob-sk
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Login to DockerHub
+      - name: Log in to DockerHub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
@@ -74,13 +84,12 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          # # ⚠ disable cache if build is failing to download debian packages
          # cache-from: type=registry,ref=ghcr.io/jokob-sk/netalertx:buildcache
          # cache-to: type=registry,ref=ghcr.io/jokob-sk/netalertx:buildcache,mode=max
--- a/.github/workflows/docker_rewrite.yml
+++ b/.github/workflows/docker_rewrite.yml
@@ -43,7 +43,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/jokob-sk/netalertx-dev-rewrite
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.coverage
 .vscode
 .dotnet
 .vscode-server
@@ -10,6 +11,7 @@ nohup.out
 config/*
 .ash_history
 .VERSION
+.VERSION_PREV
 config/pialert.conf
 config/app.conf
 db/*
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -0,0 +1,2 @@
+ignored:
+  - DL3018
--- a/.venv_import_check.py
+++ b/.venv_import_check.py
@@ -1,23 +0,0 @@
-import sys, importlib
-mods = [
-    'json', 'simplejson',
-    'httplib', 'http.client',
-    'urllib2', 'urllib.request',
-    'Queue', 'queue',
-    'cStringIO', 'StringIO', 'io',
-    'md5', 'hashlib',
-    'ssl'
-]
-print('PYTHON_EXE:' + sys.executable)
-print('PYTHON_VER:' + sys.version.replace('\n', ' '))
-for m in mods:
-    try:
-        mod = importlib.import_module(m)
-        ver = getattr(mod, '__version__', None)
-        if ver is None:
-            # try common attributes
-            ver = getattr(mod, 'version', None)
-        info = (' version=' + str(ver)) if ver is not None else ''
-        print('OK %s%s' % (m, info))
-    except Exception as e:
-        print('MISSING %s %s: %s' % (m, e.__class__.__name__, e))
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -29,6 +29,14 @@
            "pathMappings": {
                "/app": "${workspaceFolder}"
            }
+        },
+        {
+            "name": "Python: Current File",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "justMyCode": true
        }
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -11,13 +11,23 @@
    // Let the Python extension invoke pytest via the interpreter; avoid hardcoded paths
    // Removed python.testing.pytestPath and legacy pytest.command overrides
    
-    "terminal.integrated.defaultProfile.linux": "fish",
+    "terminal.integrated.defaultProfile.linux": "zsh",
    "terminal.integrated.profiles.linux": {
-      "fish": {
-        "path": "/usr/bin/fish"
+      "zsh": {
+        "path": "/bin/zsh"
      }
    }
    ,
    // Fallback for older VS Code versions or schema validators that don't accept custom profiles
-    "terminal.integrated.shell.linux": "/usr/bin/fish"
+    "terminal.integrated.shell.linux": "/usr/bin/zsh"
+  ,
+  "python.linting.flake8Enabled": true,
+  "python.linting.enabled": true,
+  "python.linting.flake8Args": [
+    "--config=.flake8"
+  ],
+  "python.formatting.provider": "black",
+  "python.formatting.blackArgs": [
+    "--line-length=180"
+  ]
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -1,16 +1,27 @@
 {
  "version": "2.0.0",
+  "inputs": [
+    {
+      "id": "confirmPrune",
+      "type": "promptString",
+      "description": "DANGER! Type YES to confirm pruning all unused Docker resources. This will destroy containers, images, volumes, and networks!",
+      "default": ""
+    }
+  ],
  "tasks": [
    {
      "label": "[Any POSIX] Generate Devcontainer Configs",
      "type": "shell",
      "command": ".devcontainer/scripts/generate-configs.sh",
+      "detail": "Generates devcontainer configs from the template. This must be run after changes to devcontainer to combine/merge them into the final config used by VS Code. Note- this has no bearing on the production or test image.",
      "presentation": {
        "echo": true,
        "reveal": "always",
        "panel": "shared",
-        "showReuseMessage": false
+        "showReuseMessage": false,
+        "group": "POSIX Tasks"
      },
+      
      "problemMatcher": [],
      "group": {
        "kind": "build",
@@ -24,12 +35,19 @@
    {
      "label": "[Any] Docker system and build Prune",
      "type": "shell",
-  "command": ".devcontainer/scripts/confirm-docker-prune.sh",
+      "command": ".devcontainer/scripts/confirm-docker-prune.sh",
+      "detail": "DANGER! Prunes all unused Docker resources (images, containers, volumes, networks). Any stopped container will be wiped and data will be lost.  Use with caution.",
+      "options": {
+        "env": {
+          "CONFIRM_PRUNE": "${input:confirmPrune}"
+        }
+      },
      "presentation": {
        "echo": true,
        "reveal": "always",
        "panel": "shared",
-        "showReuseMessage": false
+        "showReuseMessage": false,
+        "group": "Any"
      },
      "problemMatcher": [],
      "group": {
@@ -45,6 +63,7 @@
      "label": "[Dev Container] Re-Run Startup Script",
      "type": "shell",
      "command": "./isDevContainer.sh || exit 1;/workspaces/NetAlertX/.devcontainer/scripts/setup.sh",
+      "detail": "The startup script runs directly after the container is started. It reprovisions permissions, links folders, and performs other setup tasks. Run this if you have made changes to the setup script or need to reprovision the container.",
      "options": {
        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
      },
@@ -65,6 +84,7 @@
      "label": "[Dev Container] Start Backend (Python)",
      "type": "shell",
      "command": "./isDevContainer.sh || exit 1; /services/start-backend.sh",
+      "detail": "Restarts the NetAlertX backend (Python) service in the dev container. This may take 5 seconds to be completely ready.",
      "options": {
        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
      },
@@ -73,7 +93,8 @@
        "reveal": "always",
        "panel": "shared",
        "showReuseMessage": false,
-        "clear": false
+        "clear": false,
+        "group": "Devcontainer"
      },
      "problemMatcher": [],
      "icon": {
@@ -85,6 +106,7 @@
      "label": "[Dev Container] Start CronD (Scheduler)",
      "type": "shell",
      "command": "./isDevContainer.sh || exit 1; /services/start-crond.sh",
+      "detail": "Stops and restarts the crond service.",
      "options": {
        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
      },
@@ -93,7 +115,8 @@
        "reveal": "always",
        "panel": "shared",
        "showReuseMessage": false,
-        "clear": false
+        "clear": false,
+        "group": "Devcontainer"
      },
      "problemMatcher": [],
      "icon": {
@@ -105,6 +128,7 @@
      "label": "[Dev Container] Start Frontend (nginx and PHP-FPM)",
      "type": "shell",
      "command": "./isDevContainer.sh || exit 1; /services/start-php-fpm.sh & /services/start-nginx.sh  &",
+      "detail": "Stops and restarts the NetAlertX frontend services (nginx and PHP-FPM) in the dev container. This launches almost instantly.",
      "options": {
        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"

@@ -114,7 +138,8 @@
        "reveal": "always",
        "panel": "shared",
        "showReuseMessage": false,
-        "clear": false
+        "clear": false,
+        "group": "Devcontainer"
      },
      "problemMatcher": [],
      "icon": {
@@ -126,6 +151,7 @@
      "label": "[Dev Container] Stop Frontend & Backend Services",
      "type": "shell",
      "command": "./isDevContainer.sh || exit 1; pkill -f 'php-fpm83|nginx|crond|python3' || true",
+      "detail": "Stops all NetAlertX services running in the dev container.",
      "options": {
        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
      },
@@ -133,7 +159,8 @@
        "echo": true,
        "reveal": "always",
        "panel": "shared",
-        "showReuseMessage": false
+        "showReuseMessage": false,
+        "group": "Devcontainer"
      },
      "problemMatcher": [],
      "icon": {
@@ -142,11 +169,54 @@
      }
    },
    {
-      "label": "[Dev Container] List NetAlertX Ports",
+      "label": "[Any] Build Unit Test Docker image",
      "type": "shell",
-      "command": "list-ports.sh",
+      "command": "docker buildx build -t netalertx-test . && echo '🧪 Unit Test Docker image built: netalertx-test'",
+      "detail": "This must be run after changes to the container.  Unit testing will not register changes until after this image is rebuilt. It takes about 30 seconds to build unless changes to the venv stage are made. venv takes 90s alone.",
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "panel": "shared",
+        "showReuseMessage": false,
+        "group": "Any"
+
+      },
+      "problemMatcher": [],
+      "group": {
+        "kind": "build",
+        "isDefault": false
+      },
+      "icon": {
+        "id": "beaker",
+        "color": "terminal.ansiBlue"
+      }
+    },
+    {
+      "label": "[Dev Container] Wipe and Regenerate Database",
+      "type": "shell",
+      "command": "killall 'python3' || true && sleep 1 && rm -rf /data/db/* /data/config/* && bash /entrypoint.d/15-first-run-config.sh && bash /entrypoint.d/20-first-run-db.sh && echo '✅ Database and config wiped and regenerated'",
+      "detail": "Wipes devcontainer db and config. Provides a fresh start in devcontainer, run this task, then run the Rerun Startup Task",
+      "options": {},
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "panel": "shared",
+        "showReuseMessage": false,
+        "group": "Devcontainer"
+      },
+      "problemMatcher": [],
+      "icon": {
+        "id": "database",
+        "color": "terminal.ansiRed"
+      }
+    },
+    {
+      "label": "Build & Launch Prodcution Docker Container",
+      "type": "shell",
+      "command": "docker compose up -d --build --force-recreate",
+      "detail": "Before launching, ensure VSCode Ports are closed and services are stopped. Tasks: Stop Frontend & Backend Services & Remote: Close Unused Forwarded Ports to ensure proper operation of the new container.",
      "options": {
-        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
+        "cwd": "/workspaces/NetAlertX"
      },
      "presentation": {
        "echo": true,
@@ -155,8 +225,12 @@
        "showReuseMessage": false
      },
      "problemMatcher": [],
+      "group": {
+        "kind": "build",
+        "isDefault": false
+      },
      "icon": {
-        "id": "output",
+        "id": "package",
        "color": "terminal.ansiBlue"
      }
    }
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -50,4 +50,4 @@ By participating, you agree to follow our [Code of Conduct](./CODE_OF_CONDUCT.md
 If you have more in-depth questions or want to discuss contributing in other ways, feel free to reach out at:  
 📧 [jokob@duck.com](mailto:jokob@duck.com?subject=NetAlertX%20Contribution)

-We appreciate every contribution, big or small! 💙
+We appreciate every contribution, big or small! 💙
--- a/91
+++ b/91
@@ -1,16 +1,16 @@
 # The NetAlertX Dockerfile has 3 stages:
 #
 # Stage 1. Builder - NetAlertX Requires special tools and packages to build our virtual environment, but
-# which are not needed in future stages.  We build the builder and extract the venv for runner to use as 
+# which are not needed in future stages.  We build the builder and extract the venv for runner to use as
 # a base.
 #
 # Stage 2. Runner builds the bare minimum requirements to create an operational NetAlertX. The primary
 # reason for breaking at this stage is it leaves the system in a proper state for devcontainer operation
-# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a 
+# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a
 # docker container as a VM for experimentation and various development patterns.
 #
 # Stage 3. Hardened removes root, sudoers, folders, permissions, and locks the system down into a read-only
-# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the 
+# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the
 # code pushed out by the project is the only code which will run on the system after each container restart.
 # It reduces the chance of system hijacking and operates with all modern security protocols in place as is
 # expected from a security appliance.
@@ -29,10 +29,10 @@ COPY requirements.txt /tmp/requirements.txt
 RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \
    && python -m venv /opt/venv

-# Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy 
+# Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy
 # into hardened stage without worrying about permissions and keeps image size small. Keeping the commands
 # together makes for a slightly smaller image size.
-RUN pip install -r /tmp/requirements.txt && \
+RUN pip install --no-cache-dir -r /tmp/requirements.txt && \
    chmod -R u-rwx,g-rwx /opt

 # second stage is the main runtime stage with just the minimum required to run the application
@@ -43,14 +43,16 @@ ARG INSTALL_DIR=/app

 # NetAlertX app directories
 ENV NETALERTX_APP=${INSTALL_DIR}
-ENV NETALERTX_CONFIG=${NETALERTX_APP}/config
+ENV NETALERTX_DATA=/data
+ENV NETALERTX_CONFIG=${NETALERTX_DATA}/config
 ENV NETALERTX_FRONT=${NETALERTX_APP}/front
+ENV NETALERTX_PLUGINS=${NETALERTX_FRONT}/plugins
 ENV NETALERTX_SERVER=${NETALERTX_APP}/server
-ENV NETALERTX_API=${NETALERTX_APP}/api
-ENV NETALERTX_DB=${NETALERTX_APP}/db
+ENV NETALERTX_API=/tmp/api
+ENV NETALERTX_DB=${NETALERTX_DATA}/db
 ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
 ENV NETALERTX_BACK=${NETALERTX_APP}/back
-ENV NETALERTX_LOG=${NETALERTX_APP}/log
+ENV NETALERTX_LOG=/tmp/log
 ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins
 ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf

@@ -66,50 +68,55 @@ ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
 ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
 ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
 ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
-ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+ENV LOG_CRON=${NETALERTX_LOG}/cron.log
+ENV LOG_NGINX_ERROR=${NETALERTX_LOG}/nginx-error.log

 # System Services configuration files
+ENV ENTRYPOINT_CHECKS=/entrypoint.d
 ENV SYSTEM_SERVICES=/services
 ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
-ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINX_CONFIG}/nginx.conf
+ENV SYSTEM_NGINX_CONFIG_TEMPLATE=${SYSTEM_NGINX_CONFIG}/netalertx.conf.template
+ENV SYSTEM_SERVICES_CONFIG_CRON=${SYSTEM_SERVICES_CONFIG}/cron
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG=/tmp/nginx/active-config
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG_FILE=${SYSTEM_SERVICES_ACTIVE_CONFIG}/nginx.conf
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
-ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
-ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run
+ENV SYSTEM_SERVICES_RUN=/tmp/run
 ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV READ_ONLY_FOLDERS="${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} \
-                       ${SYSTEM_SERVICES_CONFIG}"
-ENV READ_WRITE_FOLDERS="${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} \
-                       ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} \
-                       ${SYSTEM_SERVICES_RUN_LOG}"
+                       ${SYSTEM_SERVICES_CONFIG} ${ENTRYPOINT_CHECKS}"
+ENV READ_WRITE_FOLDERS="${NETALERTX_DATA} ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} \
+                       ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} \
+                       ${SYSTEM_SERVICES_RUN_TMP} ${SYSTEM_SERVICES_RUN_LOG} \
+                       ${SYSTEM_SERVICES_ACTIVE_CONFIG}"

 #Python environment
-ENV PYTHONUNBUFFERED=1 
+ENV PYTHONUNBUFFERED=1
 ENV VIRTUAL_ENV=/opt/venv
 ENV VIRTUAL_ENV_BIN=/opt/venv/bin
-ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${VIRTUAL_ENV}/lib/python3.12/site-packages
-ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH" 
+ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${NETALERTX_PLUGINS}:${VIRTUAL_ENV}/lib/python3.12/site-packages
+ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH"

 # App Environment
 ENV LISTEN_ADDR=0.0.0.0
 ENV PORT=20211
 ENV NETALERTX_DEBUG=0
 ENV VENDORSPATH=/app/back/ieee-oui.txt
-ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt
+ENV VENDORSPATH_NEWEST=${SYSTEM_SERVICES_RUN_TMP}/ieee-oui.txt
 ENV ENVIRONMENT=alpine
 ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly
 ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx
-ENV LANG=C.UTF-8 
+ENV LANG=C.UTF-8


 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \
    nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
    sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx shadow && \
+    nginx supercronic shadow && \
    rm -Rf /var/cache/apk/*  && \
    rm -Rf /etc/nginx && \
    addgroup -g 20211 ${NETALERTX_GROUP} && \
@@ -123,11 +130,16 @@ COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} install/production-filesystem/
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} --chmod=755 back ${NETALERTX_BACK}
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} --chmod=755 front ${NETALERTX_FRONT}
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} --chmod=755 server ${NETALERTX_SERVER}
-RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 755 ${NETALERTX_API}  \
-    ${NETALERTX_LOG} ${SYSTEM_SERVICES_RUN_TMP} ${SYSTEM_SERVICES_RUN_LOG} && \
+
+# Create required folders with correct ownership and permissions
+RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FOLDERS} && \
    sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
    -exec chmod 750 {} \;"

+# Copy version information into the image
+COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION
+COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION_PREV
+
 # Copy the virtualenv from the builder stage
 COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}

@@ -136,20 +148,26 @@ COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN apk add libcap && \
+RUN for vfile in .VERSION .VERSION_PREV; do \
+        if [ ! -f "${NETALERTX_APP}/${vfile}" ]; then \
+            echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/${vfile}"; \
+        fi; \
+        chown 20212:20212 "${NETALERTX_APP}/${vfile}"; \
+    done && \
+    apk add --no-cache libcap && \
    setcap cap_net_raw+ep /bin/busybox && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
    setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip $(readlink -f ${VIRTUAL_ENV_BIN}/python) && \
+    setcap cap_net_raw,cap_net_admin+eip "$(readlink -f ${VIRTUAL_ENV_BIN}/python)" && \
    /bin/sh /build/init-nginx.sh && \
    /bin/sh /build/init-php-fpm.sh && \
-    /bin/sh /build/init-crond.sh && \
+    /bin/sh /build/init-cron.sh && \
    /bin/sh /build/init-backend.sh && \
    rm -rf /build && \
    apk del libcap && \
-    date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
+    date +%s > "${NETALERTX_FRONT}/buildtimestamp.txt"


 ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
@@ -163,16 +181,18 @@ ENV UMASK=0077

 # Create readonly user and group with no shell access.
 # Readonly user marks folders that are created by NetAlertX, but should not be modified.
-# AI may claim this is stupid, but it's actually least possible permissions as 
+# AI may claim this is stupid, but it's actually least possible permissions as
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
-RUN addgroup -g 20212 ${READ_ONLY_GROUP} && \
-    adduser -u 20212 -G ${READ_ONLY_GROUP} -D -h /app ${READ_ONLY_USER}
+RUN addgroup -g 20212 "${READ_ONLY_GROUP}" && \
+    adduser -u 20212 -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"


 # reduce permissions to minimum necessary for all NetAlertX files and folders
 # Permissions 005 and 004 are not typos, they enable read-only. Everyone can
 # read the read-only files, and nobody can write to them, even the readonly user.
+
+# hadolint ignore=SC2114
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 004 ${READ_ONLY_FOLDERS} && \
    find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
@@ -181,14 +201,17 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 600 ${READ_WRITE_FOLDERS} && \
    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
+    for dir in ${READ_WRITE_FOLDERS}; do \
+        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
+    done && \
    apk del apk-tools && \
    rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
    /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
    /srv /media && \
    sed -i "/^\(${READ_ONLY_USER}\|${NETALERTX_USER}\):/!d" /etc/passwd && \
    sed -i "/^\(${READ_ONLY_GROUP}\|${NETALERTX_GROUP}\):/!d" /etc/group && \
-    echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo

 USER netalertx

--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -49,14 +49,15 @@ FROM debian:bookworm-slim
 # NetAlertX app directories
 ENV INSTALL_DIR=/app
 ENV NETALERTX_APP=${INSTALL_DIR}
-ENV NETALERTX_CONFIG=${NETALERTX_APP}/config
+ENV NETALERTX_DATA=/data
+ENV NETALERTX_CONFIG=${NETALERTX_DATA}/config
 ENV NETALERTX_FRONT=${NETALERTX_APP}/front
 ENV NETALERTX_SERVER=${NETALERTX_APP}/server
-ENV NETALERTX_API=${NETALERTX_APP}/api
-ENV NETALERTX_DB=${NETALERTX_APP}/db
+ENV NETALERTX_API=/tmp/api
+ENV NETALERTX_DB=${NETALERTX_DATA}/db
 ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
 ENV NETALERTX_BACK=${NETALERTX_APP}/back
-ENV NETALERTX_LOG=${NETALERTX_APP}/log
+ENV NETALERTX_LOG=/tmp/log
 ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins

 # NetAlertX log files
@@ -71,18 +72,20 @@ ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
 ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
 ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
 ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
-ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+ENV LOG_CRON=${NETALERTX_LOG}/cron.log
+ENV LOG_NGINX_ERROR=${NETALERTX_LOG}/nginx-error.log

 # System Services configuration files
 ENV SYSTEM_SERVICES=/services
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINIX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
 ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINIX_CONFIG}/nginx.conf
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG=/tmp/nginx/active-config
 ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
 ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
-ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run
+ENV SYSTEM_SERVICES_RUN=/tmp/run
 ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
@@ -94,7 +97,7 @@ ENV VIRTUAL_ENV=/opt/venv
 ENV VIRTUAL_ENV_BIN=/opt/venv/bin
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}:/services"
 ENV VENDORSPATH=/app/back/ieee-oui.txt
-ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt
+ENV VENDORSPATH_NEWEST=${SYSTEM_SERVICES_RUN_TMP}/ieee-oui.txt


 # App Environment
@@ -129,25 +132,29 @@ COPY --chmod=775 --chown=${USER_ID}:${USER_GID} . ${INSTALL_DIR}/


 # ❗ IMPORTANT - if you modify this file modify the /install/install_dependecies.debian.sh file as well ❗ 
-RUN apt update && apt-get install -y \
+# hadolint ignore=DL3008,DL3027
+RUN apt-get update && apt-get install -y --no-install-recommends \
    tini snmp ca-certificates curl libwww-perl arp-scan sudo gettext-base \
    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools  \
    python3 python3-dev iproute2 nmap python3-pip zip git systemctl usbutils traceroute nbtscan openrc \
-    busybox nginx nginx-core mtr python3-venv
+    busybox nginx nginx-core mtr python3-venv && \
+    rm -rf /var/lib/apt/lists/*

 # While php8.3 is in debian bookworm repos, php-fpm is not included so we need to add sury.org repo
 # (Ondřej Surý maintains php packages for debian. This is temp until debian includes php-fpm in their
 # repos. Likely it will be in Debian Trixie.).  This keeps the image up-to-date with the alpine version.
+# hadolint ignore=DL3008
 RUN apt-get install -y --no-install-recommends \
    apt-transport-https \
    ca-certificates \
    lsb-release \
    wget && \
-    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
+    wget -q -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
    echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list && \
    apt-get update && \
-    apt-get install -y php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
-    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 # make it compatible with alpine version
+    apt-get install -y --no-install-recommends php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
+    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 && \
+    rm -rf /var/lib/apt/lists/* # make it compatible with alpine version

 # Setup virtual python environment and use pip3 to install packages
 RUN python3 -m venv ${VIRTUAL_ENV} && \
--- a/README.md
+++ b/README.md
@@ -6,38 +6,60 @@

 # NetAlertX - Network, presence scanner and alert framework

-Get visibility of what's going on on your WIFI/LAN network and enable presence detection of important devices. Schedule scans for devices, port changes and get alerts if unknown devices or changes are found. Write your own [Plugin](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) with auto-generated UI and in-build notification system. Build out and easily maintain your network source of truth (NSoT).
+Get visibility of what's going on on your WIFI/LAN network and enable presence detection of important devices. Schedule scans for devices, port changes and get alerts if unknown devices or changes are found. Write your own [Plugin](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) with auto-generated UI and in-build notification system. Build out and easily maintain your network source of truth (NSoT) and device inventory.

 ## 📋 Table of Contents

- [Features](#-features)
- [Documentation](#-documentation)
- [Quick Start](#-quick-start)
- [Alternative Apps](#-other-alternative-apps)
- [Security & Privacy](#-security--privacy)
- [FAQ](#-faq)
- [Known Issues](#-known-issues)
- [Donations](#-donations)
- [Contributors](#-contributors)
- [Translations](#-translations)
- [License](#license)
+- [NetAlertX - Network, presence scanner and alert framework](#netalertx---network-presence-scanner-and-alert-framework)
+  - [📋 Table of Contents](#-table-of-contents)
+  - [🚀 Quick Start](#-quick-start)
+  - [📦 Features](#-features)
+    - [Scanners](#scanners)
+    - [Notification gateways](#notification-gateways)
+    - [Integrations and Plugins](#integrations-and-plugins)
+    - [Workflows](#workflows)
+  - [📚 Documentation](#-documentation)
+  - [🔐 Security \& Privacy](#-security--privacy)
+  - [❓ FAQ](#-faq)
+  - [🐞 Known Issues](#-known-issues)
+  - [📃 Everything else](#-everything-else)
+    - [📧 Get notified what's new](#-get-notified-whats-new)
+    - [🔀 Other Alternative Apps](#-other-alternative-apps)
+    - [💙 Donations](#-donations)
+    - [🏗 Contributors](#-contributors)
+    - [🌍 Translations](#-translations)
+    - [License](#license)


 ## 🚀 Quick Start

+> [!WARNING]
+> ⚠️ **Important:** The docker-compose has recently changed. Carefully read the [Migration guide](https://jokob-sk.github.io/NetAlertX/MIGRATION/?h=migrat#12-migration-from-netalertx-v25524) for detailed instructions.
+
 Start NetAlertX in seconds with Docker:

 ```bash
-docker run -d --rm --network=host \
-  -v local_path/config:/app/config \
-  -v local_path/db:/app/db \
-  --mount type=tmpfs,target=/app/api \
-  -e PUID=200 -e PGID=300 \
-  -e TZ=Europe/Berlin \
+docker run -d \
+  --network=host \
+  --restart unless-stopped \
+  -v /local_data_dir:/data \
+  -v /etc/localtime:/etc/localtime:ro \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
  -e PORT=20211 \
+  -e APP_CONF_OVERRIDE='{"GRAPHQL_PORT":"20214"}' \
  ghcr.io/jokob-sk/netalertx:latest
 ```

+Note: Your `/local_data_dir` should contain a `config` and `db` folder.
+
+To deploy a containerized instance directly from the source repository, execute the following BASH sequence:
+```bash
+git clone https://github.com/jokob-sk/NetAlertX.git
+cd NetAlertX
+docker compose up --force-recreate --build
+# To customize: edit docker-compose.yaml and run that last command again
+```
+
 Need help configuring it? Check the [usage guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/README.md) or [full documentation](https://jokob-sk.github.io/NetAlertX/).

 For Home Assistant users: [Click here to add NetAlertX](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgithub.com%2Falexbelgium%2Fhassio-addons)
@@ -45,10 +67,10 @@ For Home Assistant users: [Click here to add NetAlertX](https://my.home-assistan
 For other install methods, check the [installation docs](#-documentation)


-| [📑 Docker guide](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://jokob-sk.github.io/NetAlertX/) | [🔌 Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
-|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------| 
+| [📑 Docker guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://jokob-sk.github.io/NetAlertX/) | [🔌 Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
+|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------|

-![showcase][showcase] 
+![showcase][showcase]

 <details>
  <summary>📷 Click for more screenshots</summary>
@@ -66,15 +88,15 @@ For other install methods, check the [installation docs](#-documentation)

 ### Scanners

-The app scans your network for **New devices**, **New connections** (re-connections), **Disconnections**, **"Always Connected" devices down**, Devices **IP changes** and **Internet IP address changes**. Discovery & scan methods include: **arp-scan**,  **Pi-hole - DB import**,  **Pi-hole - DHCP leases import**, **Generic DHCP leases import**, **UNIFI controller import**, **SNMP-enabled router import**. Check the [Plugins](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) docs for a full list of avaliable plugins. 
+The app scans your network for **New devices**, **New connections** (re-connections), **Disconnections**, **"Always Connected" devices down**, Devices **IP changes** and **Internet IP address changes**. Discovery & scan methods include: **arp-scan**,  **Pi-hole - DB import**,  **Pi-hole - DHCP leases import**, **Generic DHCP leases import**, **UNIFI controller import**, **SNMP-enabled router import**. Check the [Plugins](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) docs for a full list of avaliable plugins.

 ### Notification gateways

-Send notifications to more than 80+ services, including Telegram via [Apprise](https://hub.docker.com/r/caronc/apprise), or use native [Pushsafer](https://www.pushsafer.com/), [Pushover](https://www.pushover.net/), or [NTFY](https://ntfy.sh/) publishers. 
+Send notifications to more than 80+ services, including Telegram via [Apprise](https://hub.docker.com/r/caronc/apprise), or use native [Pushsafer](https://www.pushsafer.com/), [Pushover](https://www.pushover.net/), or [NTFY](https://ntfy.sh/) publishers.

 ### Integrations and Plugins

-Feed your data and device changes into [Home Assistant](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HOME_ASSISTANT.md), read [API endpoints](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md), or use [Webhooks](https://github.com/jokob-sk/NetAlertX/blob/main/docs/WEBHOOK_N8N.md) to setup custom automation flows. You can also 
+Feed your data and device changes into [Home Assistant](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HOME_ASSISTANT.md), read [API endpoints](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md), or use [Webhooks](https://github.com/jokob-sk/NetAlertX/blob/main/docs/WEBHOOK_N8N.md) to setup custom automation flows. You can also
 build your own scanners with the [Plugin system](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) in as little as [15 minutes](https://www.youtube.com/watch?v=cdbxlwiWhv8).

 ### Workflows
@@ -87,10 +109,10 @@ The [workflows module](https://github.com/jokob-sk/NetAlertX/blob/main/docs/WORK

 Supported browsers: Chrome, Firefox

- [[Installation] Docker](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md) 
- [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx) 
- [[Installation] Bare metal](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md) 
- [[Installation] Unraid App](https://unraid.net/community/apps) 
+- [[Installation] Docker](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md)
+- [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx)
+- [[Installation] Bare metal](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md)
+- [[Installation] Unraid App](https://unraid.net/community/apps)
 - [[Setup] Usage and Configuration](https://github.com/jokob-sk/NetAlertX/blob/main/docs/README.md)
 - [[Development] API docs](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md)
 - [[Development] Custom Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS_DEV.md)
@@ -111,20 +133,20 @@ See [Security Best Practices](https://github.com/jokob-sk/NetAlertX/security) fo

 ## ❓ FAQ

-**Q: Why don’t I see any devices?**  
+**Q: Why don’t I see any devices?**
 A: Ensure the container has proper network access (e.g., use `--network host` on Linux). Also check that your scan method is properly configured in the UI.

-**Q: Does this work on Wi-Fi-only devices like Raspberry Pi?**  
+**Q: Does this work on Wi-Fi-only devices like Raspberry Pi?**
 A: Yes, but some scanners (e.g. ARP) work best on Ethernet. For Wi-Fi, try SNMP, DHCP, or Pi-hole import.

-**Q: Will this send any data to the internet?**  
+**Q: Will this send any data to the internet?**
 A: No. All scans and data remain local, unless you set up cloud-based notifications.

-**Q: Can I use this without Docker?**  
+**Q: Can I use this without Docker?**
 A: Yes! You can install it bare-metal. See the [bare metal installation guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md).

-**Q: Where is the data stored?**  
-A: In the `/config` and `/db` folders, mapped in Docker. Back up these folders regularly.
+**Q: Where is the data stored?**
+A: In the `/data/config` and `/data/db` folders. Back up these folders regularly.


 ## 🐞 Known Issues
@@ -141,9 +163,9 @@ Check the [GitHub Issues](https://github.com/jokob-sk/NetAlertX/issues) for the

 ### 📧 Get notified what's new

-Get notified about a new release, what new functionality you can use and about breaking changes. 
+Get notified about a new release, what new functionality you can use and about breaking changes.

-![Follow and star][follow_star] 
+![Follow and star][follow_star]

 ### 🔀 Other Alternative Apps

@@ -154,15 +176,15 @@ Get notified about a new release, what new functionality you can use and about b

 ### 💙 Donations

-Thank you to everyone who appreciates this tool and donates. 
+Thank you to everyone who appreciates this tool and donates.

 <details>
  <summary>Click for more ways to donate</summary>
-  
+
  <hr>

-  | [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) | 
-| --- | --- | --- | 
+  | [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) |
+| --- | --- | --- |

  - Bitcoin: `1N8tupjeCK12qRVU2XrV17WvKK7LCawyZM`
  - Ethereum: `0x6e2749Cb42F4411bc98501406BdcD82244e3f9C7`
@@ -173,11 +195,11 @@ Thank you to everyone who appreciates this tool and donates.

 ### 🏗 Contributors

-This project would be nothing without the amazing work of the community, with special thanks to: 
+This project would be nothing without the amazing work of the community, with special thanks to:

-> [pucherot/Pi.Alert](https://github.com/pucherot/Pi.Alert) (the original creator of PiAlert), [leiweibau](https://github.com/leiweibau/Pi.Alert): Dark mode (and much more), [Macleykun](https://github.com/Macleykun) (Help with Dockerfile clean-up), [vladaurosh](https://github.com/vladaurosh) for Alpine re-base help, [Final-Hawk](https://github.com/Final-Hawk) (Help with NTFY, styling and other fixes), [TeroRERO](https://github.com/terorero) (Spanish translations), [Data-Monkey](https://github.com/Data-Monkey), (Split-up of the python.py file and more), [cvc90](https://github.com/cvc90) (Spanish translation and various UI work) to name a few. Check out all the [amazing contributors](https://github.com/jokob-sk/NetAlertX/graphs/contributors). 
+> [pucherot/Pi.Alert](https://github.com/pucherot/Pi.Alert) (the original creator of PiAlert), [leiweibau](https://github.com/leiweibau/Pi.Alert): Dark mode (and much more), [Macleykun](https://github.com/Macleykun) (Help with Dockerfile clean-up), [vladaurosh](https://github.com/vladaurosh) for Alpine re-base help, [Final-Hawk](https://github.com/Final-Hawk) (Help with NTFY, styling and other fixes), [TeroRERO](https://github.com/terorero) (Spanish translations), [Data-Monkey](https://github.com/Data-Monkey), (Split-up of the python.py file and more), [cvc90](https://github.com/cvc90) (Spanish translation and various UI work) to name a few. Check out all the [amazing contributors](https://github.com/jokob-sk/NetAlertX/graphs/contributors).

-### 🌍 Translations 
+### 🌍 Translations

 Proudly using [Weblate](https://hosted.weblate.org/projects/pialert/). Help out and suggest languages in the [online portal of Weblate](https://hosted.weblate.org/projects/pialert/core/).

--- a/1
+++ b/1
@@ -0,0 +1 @@
+/tmp/api
--- a/back/cron_script.sh
+++ b/back/cron_script.sh
@@ -1,14 +1,17 @@
 #!/bin/bash
 export INSTALL_DIR=/app

-LOG_FILE="${INSTALL_DIR}/log/execution_queue.log"
-
-# Check if there are any entries with cron_restart_backend
-if grep -q "cron_restart_backend" "$LOG_FILE"; then
-  # Restart python application using s6
-  s6-svc -r /var/run/s6-rc/servicedirs/netalertx
-  echo 'done'
+if [ -f "${LOG_EXECUTION_QUEUE}" ] && grep -q "cron_restart_backend" "${LOG_EXECUTION_QUEUE}"; then
+  echo "$(date): Restarting backend triggered by cron_restart_backend"
+  killall python3 || echo "killall python3 failed or no process found"
+  sleep 2
+  /services/start-backend.sh &

  # Remove all lines containing cron_restart_backend from the log file
-  sed -i '/cron_restart_backend/d' "$LOG_FILE"
+  # Atomic replacement with temp file. grep returns 1 if no lines selected (file becomes empty), which is valid here.
+  grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp"
+  RC=$?
+  if [ $RC -eq 0 ] || [ $RC -eq 1 ]; then
+    mv "${LOG_EXECUTION_QUEUE}.tmp" "${LOG_EXECUTION_QUEUE}"
+  fi
 fi
--- a/db/.gitignore
+++ b/db/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,89 +1,75 @@
 services:
  netalertx:
-    network_mode: host                          # Use host networking for ARP scanning and other services
+  #use an environmental variable to set host networking mode if needed
+    network_mode: ${NETALERTX_NETWORK_MODE:-host}   # Use host networking for ARP scanning and other services
    build:
-      context: .                                # Build context is the current directory   
-      dockerfile: Dockerfile                    # Specify the Dockerfile to use    
+      context: .                                    # Build context is the current directory
+      dockerfile: Dockerfile                        # Specify the Dockerfile to use
    image: netalertx:latest
-    container_name: netalertx                   # The name when you docker contiainer ls
-    read_only: true                             # Make the container filesystem read-only
-    cap_drop:                                   # Drop all capabilities for enhanced security
+    container_name: netalertx                       # The name when you docker contiainer ls
+    read_only: true                                 # Make the container filesystem read-only
+    cap_drop:                                       # Drop all capabilities for enhanced security
      - ALL
-    cap_add:                                    # Add only the necessary capabilities
-      - NET_ADMIN                               # Required for ARP scanning
-      - NET_RAW                                 # Required for raw socket operations
-      - NET_BIND_SERVICE                        # Required to bind to privileged ports (nbtscan)
+    cap_add:                                        # Add only the necessary capabilities
+      - NET_ADMIN                                   # Required for ARP scanning
+      - NET_RAW                                     # Required for raw socket operations
+      - NET_BIND_SERVICE                            # Required to bind to privileged ports (nbtscan)

    volumes:
-      - type: bind
-        source: ${APP_DATA_LOCATION}/netalertx/config
-        target: /app/config
-        read_only: false

-      - type: bind
-        source: ${APP_DATA_LOCATION}/netalertx/db
-        target: /app/db
-        read_only: false
+      - type: volume                                # Persistent Docker-managed Named Volume for storage
+        source: netalertx_data                      # the default name of the volume is netalertx_data
+        target: /data                               # consolidated configuration and database storage
+        read_only: false                            # writable volume

-      - type: bind
+    # Example custom local folder called /home/user/netalertx_data
+    # - type: bind
+    #   source: /home/user/netalertx_data
+    #   target: /data
+    #   read_only: false
+    # ... or use the alternative format
+    # - /home/user/netalertx_data:/data:rw
+
+      - type: bind                           # Bind mount for timezone consistency
        source: /etc/localtime
        target: /etc/localtime
        read_only: true

-      # Retain logs - comment out tmpfs /app/log if you want to retain logs between container restarts
-      # - /path/on/host/log:/app/log
-      # Optional logs
-      # - type: bind
-      #   source: ${LOGS_LOCATION}
-      #   target: /app/log
-      #   read_only: false
-
-      # Optional development mounts
-      - type: bind
-        source: ${DEV_LOCATION}
-        target: /app/front/plugins/custom
-        read_only: false
-
-      # Use a custom Enterprise-configured nginx config for ldap or other settings
-      # - /custom-enterprise.conf:/services/config/nginx/conf.active/netalertx.conf:ro
+  # Use a custom Enterprise-configured nginx config for ldap or other settings
+  # - /custom-enterprise.conf:/tmp/nginx/active-config/netalertx.conf:ro

      # Test your plugin on the production container
      # - /path/on/host:/app/front/plugins/custom

-    # Tempfs mounts for writable directories in a read-only container and improve system performance
+  # Retain logs - comment out tmpfs /tmp/log if you want to retain logs between container restarts
+  # - /path/on/host/log:/tmp/log
+
+    # tmpfs mounts for writable directories in a read-only container and improve system performance
+    # All writes now live under /tmp/* subdirectories which are created dynamically by entrypoint.d scripts
+    # uid=20211 and gid=20211 is the netalertx user inside the container
+    # mode=1700 gives rwx------ permissions to the netalertx user only
    tmpfs:
-      # Speed up logging. This can be commented out to retain logs between container restarts
-      - "/app/log:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
-      # Speed up API access as frontend/backend API is very chatty
-      - "/app/api:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,sync,noatime,nodiratime"  
-      # Required for customization of the nginx listen addr/port without rebuilding the container
-      - "/services/config/nginx/conf.active:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
-      # /services/config/nginx/conf.d is required for nginx and php to start
-      - "/services/run:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
-      # /tmp is required by php for session save this should be reworked to /services/run/tmp
      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
-      LISTEN_ADDR: 0.0.0.0                          # Listen for connections on all interfaces
-      PORT: ${PORT}                                 # Application port
-      ALWAYS_FRESH_INSTALL: ${ALWAYS_FRESH_INSTALL} # Set to true to reset your config and database on each container start
-      NETALERTX_DEBUG: 0                            # 0=kill all services and restart if any dies. 1 keeps running dead services.
-      TZ: ${TZ}                                     # Timezone, e.g. Europe/Paris
-      # APP_CONF_OVERRIDE={"SCAN_SUBNETS":"['192.168.1.0/24 --interface=eth1']","GRAPHQL_PORT":"20223","UI_theme":"Light"} # (optional) app.conf settings override
-      # LOADED_PLUGINS=["DHCPLSS","PIHOLE","ASUSWRT","FREEBOX"] # (optional) default plugins to load
+      LISTEN_ADDR: ${LISTEN_ADDR:-0.0.0.0}                      # Listen for connections on all interfaces
+      PORT: ${PORT:-20211}                                      # Application port
+      GRAPHQL_PORT: ${GRAPHQL_PORT:-20212}                      # GraphQL API port
+      ALWAYS_FRESH_INSTALL: ${ALWAYS_FRESH_INSTALL:-false}      # Set to true to reset your config and database on each container start
+      NETALERTX_DEBUG: ${NETALERTX_DEBUG:-0}                    # 0=kill all services and restart if any dies. 1 keeps running dead services.

    # Resource limits to prevent resource exhaustion
-    mem_limit: 2048m
-    mem_reservation: 1024m
-    cpus: 4
-    pids_limit: 512
+    mem_limit: 2048m            # Maximum memory usage
+    mem_reservation: 1024m      # Soft memory limit
+    cpu_shares: 512             # Relative CPU weight for CPU contention scenarios
+    pids_limit: 512             # Limit the number of processes/threads to prevent fork bombs
    logging:
-      driver: "json-file"
+      driver: "json-file"       # Use JSON file logging driver
      options:
-        max-size: "10m"
-        max-file: "3"
+        max-size: "10m"         # Rotate log files after they reach 10MB
+        max-file: "3"           # Keep a maximum of 3 log files
+
+    # Always restart the container unless explicitly stopped
    restart: unless-stopped

-# volumes:
-#   netalertx_config:
-#   netalertx_db:
- 
+volumes:                        # Persistent volume for configuration and database storage
+  netalertx_data:
--- a/docs/API.md
+++ b/docs/API.md
@@ -1,4 +1,4 @@
-# NetAlertX API Documentation
+# API Documentation

 This API provides programmatic access to **devices, events, sessions, metrics, network tools, and sync** in NetAlertX. It is implemented as a **REST and GraphQL server**. All requests require authentication via **API Token** (`API_TOKEN` setting) unless explicitly noted. For example, to authorize a GraphQL request, you need to use a `Authorization: Bearer API_TOKEN` header as per example below:

@@ -64,8 +64,9 @@ http://<server>:<GRAPHQL_PORT>/
 * [Metrics](API_METRICS.md) – Prometheus metrics and per-device status
 * [Network Tools](API_NETTOOLS.md) – Utilities like Wake-on-LAN, traceroute, nslookup, nmap, and internet info
 * [Online History](API_ONLINEHISTORY.md) – Online/offline device records
-* [GraphQL](API_GRAPHQL.md) – Advanced queries and filtering
+* [GraphQL](API_GRAPHQL.md) – Advanced queries and filtering for Devices, Settings and Language Strings
 * [Sync](API_SYNC.md) – Synchronization between multiple NetAlertX instances
+* [Logs](API_LOGS.md) – Purging of logs and adding to the event execution queue for user triggered events
 * [DB query](API_DBQUERY.md) (⚠ Internal) - Low level database access - use other endpoints if possible

 See [Testing](API_TESTS.md) for example requests and usage.
--- a/docs/API_GRAPHQL.md
+++ b/docs/API_GRAPHQL.md
@@ -1,9 +1,10 @@
 # GraphQL API Endpoint

-GraphQL queries are **read-optimized for speed**. Data may be slightly out of date until the file system cache refreshes. The GraphQL endpoints allows you to access the following objects:
+GraphQL queries are **read-optimized for speed**. Data may be slightly out of date until the file system cache refreshes. The GraphQL endpoints allow you to access the following objects:

- Devices
- Settings
+* Devices
+* Settings
+* Language Strings (LangStrings)

 ## Endpoints

@@ -190,11 +191,74 @@ curl 'http://host:GRAPHQL_PORT/graphql' \
 }
 ```

+
+---
+
+## LangStrings Query
+
+The **LangStrings query** provides access to localized strings. Supports filtering by `langCode` and `langStringKey`. If the requested string is missing or empty, you can optionally fallback to `en_us`.
+
+### Sample Query
+
+```graphql
+query GetLangStrings {
+  langStrings(langCode: "de_de", langStringKey: "settings_other_scanners") {
+    langStrings {
+      langCode
+      langStringKey
+      langStringText
+    }
+    count
+  }
+}
+```
+
+### Query Parameters
+
+| Parameter        | Type    | Description                                                                              |
+| ---------------- | ------- | ---------------------------------------------------------------------------------------- |
+| `langCode`       | String  | Optional language code (e.g., `en_us`, `de_de`). If omitted, all languages are returned. |
+| `langStringKey`  | String  | Optional string key to retrieve a specific entry.                                        |
+| `fallback_to_en` | Boolean | Optional (default `true`). If `true`, empty or missing strings fallback to `en_us`.      |
+
+### `curl` Example
+
+```sh
+curl 'http://host:GRAPHQL_PORT/graphql' \
+  -X POST \
+  -H 'Authorization: Bearer API_TOKEN' \
+  -H 'Content-Type: application/json' \
+  --data '{
+    "query": "query GetLangStrings { langStrings(langCode: \"de_de\", langStringKey: \"settings_other_scanners\") { langStrings { langCode langStringKey langStringText } count } }"
+  }'
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "langStrings": {
+      "count": 1,
+      "langStrings": [
+        {
+          "langCode": "de_de",
+          "langStringKey": "settings_other_scanners",
+          "langStringText": "Other, non-device scanner plugins that are currently enabled."  // falls back to en_us if empty
+        }
+      ]
+    }
+  }
+}
+```
+
 ---

 ## Notes

-* Device and settings queries can be combined in one request since GraphQL supports batching.
+* Device, settings, and LangStrings queries can be combined in **one request** since GraphQL supports batching.
+* The `fallback_to_en` feature ensures UI always has a value even if a translation is missing.
+* Data is **cached in memory** per JSON file; changes to language or plugin files will only refresh after the cache detects a file modification.
 * The `setOverriddenByEnv` flag helps identify setting values that are locked at container runtime.
 * The schema is **read-only** — updates must be performed through other APIs or configuration management. See the other [API](API.md) endpoints for details. 

--- a/docs/API_LOGS.md
+++ b/docs/API_LOGS.md
@@ -0,0 +1,179 @@
+# Logs API Endpoints
+
+Manage or purge application log files stored under `/app/log` and manage the execution queue. These endpoints are primarily used for maintenance tasks such as clearing accumulated logs or adding system actions without restarting the container.
+
+Only specific, pre-approved log files can be purged for security and stability reasons.
+
+---
+
+## Delete (Purge) a Log File
+
+* **DELETE** `/logs?file=<log_file>` → Purge the contents of an allowed log file.
+
+**Query Parameter:**
+
+* `file` → The name of the log file to purge (e.g., `app.log`, `stdout.log`)
+
+**Allowed Files:**
+
+```
+app.log
+app_front.log
+IP_changes.log
+stdout.log
+stderr.log
+app.php_errors.log
+execution_queue.log
+db_is_locked.log
+```
+
+**Authorization:**
+Requires a valid API token in the `Authorization` header.
+
+---
+
+### `curl` Example (Success)
+
+```sh
+curl -X DELETE 'http://<server_ip>:<GRAPHQL_PORT>/logs?file=app.log' \
+  -H 'Authorization: Bearer <API_TOKEN>' \
+  -H 'Accept: application/json'
+```
+
+**Response:**
+
+```json
+{
+  "success": true,
+  "message": "[clean_log] File app.log purged successfully"
+}
+```
+
+---
+
+### `curl` Example (Not Allowed)
+
+```sh
+curl -X DELETE 'http://<server_ip>:<GRAPHQL_PORT>/logs?file=not_allowed.log' \
+  -H 'Authorization: Bearer <API_TOKEN>' \
+  -H 'Accept: application/json'
+```
+
+**Response:**
+
+```json
+{
+  "success": false,
+  "message": "[clean_log] File not_allowed.log is not allowed to be purged"
+}
+```
+
+---
+
+### `curl` Example (Unauthorized)
+
+```sh
+curl -X DELETE 'http://<server_ip>:<GRAPHQL_PORT>/logs?file=app.log' \
+  -H 'Accept: application/json'
+```
+
+**Response:**
+
+```json
+{
+  "error": "Forbidden"
+}
+```
+
+---
+
+## Add an Action to the Execution Queue
+
+* **POST** `/logs/add-to-execution-queue` → Add a system action to the execution queue.
+
+**Request Body (JSON):**
+
+```json
+{
+  "action": "update_api|devices"
+}
+```
+
+**Authorization:**
+Requires a valid API token in the `Authorization` header.
+
+---
+
+### `curl` Example (Success)
+
+The below will update the API cache for Devices
+
+```sh
+curl -X POST 'http://<server_ip>:<GRAPHQL_PORT>/logs/add-to-execution-queue' \
+  -H 'Authorization: Bearer <API_TOKEN>' \
+  -H 'Content-Type: application/json' \
+  --data '{"action": "update_api|devices"}'
+```
+
+**Response:**
+
+```json
+{
+  "success": true,
+  "message": "[UserEventsQueueInstance] Action \"update_api|devices\" added to the execution queue."
+}
+```
+
+---
+
+### `curl` Example (Missing Parameter)
+
+```sh
+curl -X POST 'http://<server_ip>:<GRAPHQL_PORT>/logs/add-to-execution-queue' \
+  -H 'Authorization: Bearer <API_TOKEN>' \
+  -H 'Content-Type: application/json' \
+  --data '{}'
+```
+
+**Response:**
+
+```json
+{
+  "success": false,
+  "message": "Missing parameters",
+  "error": "Missing required 'action' field in JSON body"
+}
+```
+
+---
+
+### `curl` Example (Unauthorized)
+
+```sh
+curl -X POST 'http://<server_ip>:<GRAPHQL_PORT>/logs/add-to-execution-queue' \
+  -H 'Content-Type: application/json' \
+  --data '{"action": "update_api|devices"}'
+```
+
+**Response:**
+
+```json
+{
+  "error": "Forbidden"
+}
+```
+
+---
+
+## Notes
+
+* Only predefined files in `/app/log` can be purged — arbitrary paths are **not permitted**.
+* When a log file is purged:
+
+  * Its content is replaced with a short marker text: `"File manually purged"`.
+  * A backend log entry is created via `mylog()`.
+  * A frontend notification is generated via `write_notification()`.
+* Execution queue actions are appended to `execution_queue.log` and can be processed asynchronously by background tasks or workflows.
+* Unauthorized or invalid attempts are safely logged and rejected.
+* For advanced log retrieval, analysis, or structured querying, use the frontend log viewer.
+* Always ensure that sensitive or production logs are handled carefully — purging cannot be undone.
--- a/docs/API_OLD.md
+++ b/docs/API_OLD.md
@@ -52,7 +52,7 @@ query GetDevices($options: PageQueryOptionsInput) {
 }
 ```

-See also: [Debugging GraphQL issues](./DEBUG_GRAPHQL.md)
+See also: [Debugging GraphQL issues](./DEBUG_API_SERVER.md)

 ### `curl` Command

@@ -141,7 +141,7 @@ The endpoints are updated when objects in the API endpoints are changed.

 ### Location of the endpoints

-In the container, these files are located under the `/app/api/` folder. You can access them via the `/php/server/query_json.php?file=user_notifications.json` endpoint.
+In the container, these files are located under the API directory (default: `/tmp/api/`, configurable via `NETALERTX_API` environment variable). You can access them via the `/php/server/query_json.php?file=user_notifications.json` endpoint.

 ### Available endpoints

@@ -332,7 +332,7 @@ Grafana template sample: [Download json](./samples/API/Grafana_Dashboard.json)

 ## API Endpoint: /log files

-This API endpoint retrieves files from the `/app/log` folder. 
+This API endpoint retrieves files from the `/tmp/log` folder. 

 - Endpoint URL: `php/server/query_logs.php?file=<file name>`
 - Host: `same as front end (web ui)`
@@ -357,7 +357,7 @@ This API endpoint retrieves files from the `/app/log` folder.

 ## API Endpoint: /config files

-To retrieve files from the `/app/config` folder. 
+To retrieve files from the `/data/config` folder. 

 - Endpoint URL: `php/server/query_config.php?file=<file name>`
 - Host: `same as front end (web ui)`
--- a/docs/BACKUPS.md
+++ b/docs/BACKUPS.md
@@ -1,90 +1,162 @@
-# Backing things up
+# Backing Things Up

 > [!NOTE]
-> To backup 99% of your configuration backup at least the `/app/config` folder. Please read the whole page (or at least "Scenario 2: Corrupted database") for details.
-> Note that database definitions might change over time. The safest way is to restore your older backups into the **same version** of the app they were taken from and then gradually upgarde between releases to the latest version.
+> To back up 99% of your configuration, back up at least the `/data/config` folder.
+> Database definitions can change between releases, so the safest method is to restore backups using the **same app version** they were taken from, then upgrade incrementally.

-There are 4 artifacts that can be used to backup the application:
+---

-| File                  | Description                   | Limitations                   |
-|-----------------------|-------------------------------|-------------------------------|
-| `/db/app.db`       | Database file(s)  | The database file might be in an uncommitted state or corrupted |
-| `/config/app.conf` | Configuration file |  Can be overridden with the [`APP_CONF_OVERRIDE` env variable](https://github.com/jokob-sk/NetAlertX/tree/main/dockerfiles#docker-environment-variables).  |
-| `/config/devices.csv`  | CSV file containing device information |     Doesn't contain historical data        |
-| `/config/workflows.json`  | A JSON file containing your workflows |     N/A        |
+## What to Back Up

+There are four key artifacts you can use to back up your NetAlertX configuration:

-## Backup strategies
+| File                     | Description                         | Limitations                                                                                                                                          |
+| ------------------------ | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `/db/app.db`             | The application database            | Might be in an uncommitted state or corrupted                                                                                                        |
+| `/config/app.conf`       | Configuration file                  | Can be overridden using the [`APP_CONF_OVERRIDE`](https://github.com/jokob-sk/NetAlertX/tree/main/dockerfiles#docker-environment-variables) variable |
+| `/config/devices.csv`    | CSV file containing device data     | Does not include historical data                                                                                                                     |
+| `/config/workflows.json` | JSON file containing your workflows | N/A                                                                                                                                                  |

-The safest approach to backups is to backup everything, by taking regular file system backups of the `/db` and `/config` folders (I use [Kopia](https://github.com/kopia/kopia)). 
+---

-Arguably, the most time is spent setting up the device list, so if only one file is kept I'd recommend to have a latest backup of the `devices_<timestamp>.csv` or `devices.csv` file, followed by the `app.conf` and `workflows.json` files. You can also download `app.conf` and `devices.csv` file in the Maintenance section:
+## Where the Data Lives

-![Backup and Restore Section in Maintenance](./img/BACKUPS/Maintenance_Backup_Restore.png)
-
-### Scenario 1: Full backup
-
-End-result: Full restore
-
-#### 💾 Source artifacts:
-
- `/app/db/app.db` (uncorrupted)
- `/app/config/app.conf`
- `/app/config/workflows.json`
-
-#### 📥 Recovery:
-
-To restore the application map the above files as described in the [Setup documentation](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md#docker-paths). 
-
-
-### Scenario 2: Corrupted database
-
-End-result: Partial restore (historical data and some plugin data will be missing)
-
-#### 💾 Source artifacts:
-
- `/app/config/app.conf`
- `/app/config/devices_<timestamp>.csv` or `/app/config/devices.csv`
- `/app/config/workflows.json`
-
-#### 📥 Recovery:
-
-Even with a corrupted database you can recover what I would argue is 99% of the configuration. 
-
- upload the `app.conf` and `workflows.json` files into the mounted `/app/config/` folder as described in the [Setup documentation](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md#docker-paths).
- rename the `devices_<timestamp>.csv` to `devices.csv` and place it in the `/app/config` folder
- Restore the `devices.csv` backup via the [Maintenance section](./DEVICES_BULK_EDITING.md)
-
-## Data and backup storage
-
-To decide on a backup strategy, check where the data is stored:
+Understanding where your data is stored helps you plan your backup strategy.

 ### Core Configuration

-The core application configuration is in the `app.conf` file (See [Settings System](./SETTINGS_SYSTEM.md) for details), such as:
+Stored in `/data/config/app.conf`.
+This includes settings for:

- Notification settings
- Scanner settings
- Scheduled maintenance settings
- UI configuration
+* Notifications
+* Scanning
+* Scheduled maintenance
+* UI preferences

-### Core Device Data
+(See [Settings System](./SETTINGS_SYSTEM.md) for details.)

-The core device data is backed up to the `devices_<timestamp>.csv` or `devices.csv` file via the [CSV Backup `CSVBCKP` Plugin](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/csv_backup). This file contains data, such as:
+### Device Data

- Device names
- Device icons
- Device network configuration
- Device categorization 
- Device custom properties data
+Stored in `/data/config/devices_<timestamp>.csv` or `/data/config/devices.csv`, created by the [CSV Backup `CSVBCKP` Plugin](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/csv_backup).
+Contains:

-### Historical data
+* Device names, icons, and categories
+* Network configuration
+* Custom properties

-Historical data is stored in the `app.db` database (See [Database overview](./DATABASE.md) for details). This data includes:
+### Historical Data

- Plugin objects
- Plugin historical entries
- History of Events, Notifications, Workflow Events
- Presence history
+Stored in `/data/db/app.db` (see [Database Overview](./DATABASE.md)).
+Contains:

+* Plugin data and historical entries
+* Event and notification history
+* Device presence history

+---
+
+## Backup Strategies
+
+The safest approach is to back up **both** the `/db` and `/config` folders regularly. Tools like [Kopia](https://github.com/kopia/kopia) make this simple and efficient.
+
+If you can only keep a few files, prioritize:
+
+1. The latest `devices_<timestamp>.csv` or `devices.csv`
+2. `app.conf`
+3. `workflows.json`
+
+You can also download the `app.conf` and `devices.csv` files from the **Maintenance** section:
+
+![Backup and Restore Section in Maintenance](./img/BACKUPS/Maintenance_Backup_Restore.png)
+
+---
+
+## Scenario 1: Full Backup and Restore
+
+**Goal:** Full recovery of your configuration and data.
+
+### 💾 What to Back Up
+
+* `/data/db/app.db` (uncorrupted)
+* `/data/config/app.conf`
+* `/data/config/workflows.json`
+
+### 📥 How to Restore
+
+Map these files into your container as described in the [Setup documentation](./DOCKER_INSTALLATION.md).
+
+---
+
+## Scenario 2: Corrupted Database
+
+**Goal:** Recover configuration and device data when the database is lost or corrupted.
+
+### 💾 What to Back Up
+
+* `/data/config/app.conf`
+* `/data/config/workflows.json`
+* `/data/config/devices_<timestamp>.csv` (rename to `devices.csv` during restore)
+
+### 📥 How to Restore
+
+1. Copy `app.conf` and `workflows.json` into `/data/config/`
+2. Rename and place `devices_<timestamp>.csv` → `/data/config/devices.csv`
+3. Restore via the **Maintenance** section under *Devices → Bulk Editing*
+
+This recovers nearly all configuration, workflows, and device metadata.
+
+---
+
+## Docker-Based Backup and Restore
+
+For users running NetAlertX via Docker, you can back up or restore directly from your host system — a convenient and scriptable option.
+
+### Full Backup (File-Level)
+
+1. **Stop the container:**
+
+   ```bash
+   docker stop netalertx
+   ```
+
+2. **Create a compressed archive** of your configuration and database volumes:
+
+   ```bash
+   docker run --rm -v local_path/config:/config -v local_path/db:/db alpine tar -cz /config /db > netalertx-backup.tar.gz
+   ```
+
+3. **Restart the container:**
+
+   ```bash
+   docker start netalertx
+   ```
+
+### Restore from Backup
+
+1. **Stop the container:**
+
+   ```bash
+   docker stop netalertx
+   ```
+
+2. **Restore from your backup file:**
+
+   ```bash
+   docker run --rm -i -v local_path/config:/config -v local_path/db:/db alpine tar -C / -xz < netalertx-backup.tar.gz
+   ```
+
+3. **Restart the container:**
+
+   ```bash
+   docker start netalertx
+   ```
+
+> This approach uses a temporary, minimal `alpine` container to access Docker-managed volumes. The `tar` command creates or extracts an archive directly from your host’s filesystem, making it fast, clean, and reliable for both automation and manual recovery.
+
+---
+
+## Summary
+
+* Back up `/data/config` for configuration and devices; `/data/db` for history
+* Keep regular backups, especially before upgrades
+* For Docker setups, use the lightweight `alpine`-based backup method for consistency and portability
--- a/docs/BUILDS.md
+++ b/docs/BUILDS.md
@@ -0,0 +1,82 @@
+# NetAlertX Builds: Choose Your Path
+
+NetAlertX provides different installation methods for different needs. This guide helps you choose the right path for security, experimentation, or development.
+
+## 1. Hardened Appliance (Default Production)
+
+> [!NOTE]
+> Use this image if: You want to use NetAlertX securely.
+
+### Who is this for?
+
+All users who want a stable, secure, "set-it-and-forget-it" appliance.
+
+### Methodology
+
+- Multi-stage Alpine build
+- Aggressively "amputated"
+- Locked down for max security
+
+### Source
+
+`Dockerfile (hardened target)`
+
+## 2. "Tinkerer's" Image (Insecure VM-Style)
+
+> [!NOTE]
+> Use this image if: You want to experiment with NetAlertX.
+
+### Who is this for?
+
+Power users, developers, and "tinkerers" wanting a familiar "VM-like" experience.
+
+### Methodology
+
+- Traditional Debian build
+- Includes full un-hardened OS
+- Contains `apt`, `sudo`, `git`
+
+### Source
+
+`Dockerfile.debian`
+
+## 3. Contributor's Devcontainer (Project Developers)
+
+> [!NOTE]
+> Use this image if: You want to develop NetAlertX itself.
+
+### Who is this for?
+
+Project contributors who are actively writing and debugging code for NetAlertX.
+
+### Methodology
+
+
+- Builds `FROM runner` stage
+- Loaded by VS Code
+- Full debug tools: `xdebug`, `pytest`
+
+
+### Source
+
+`Dockerfile (devcontainer target)`
+
+# Visualizing the Trade-Offs
+
+This chart compares the three builds across key attributes. A higher score means "more of" that attribute. Notice the clear trade-offs between security and development features.
+
+![tradeoffs](./img/BUILDS/build_images_options_tradeoffs.png)
+
+
+# Build Process & Origins
+
+The final images originate from two different files and build paths. The main `Dockerfile` uses stages to create *both* the hardened and development container images.
+
+## Official Build Path
+
+Dockerfile -> builder (Stage 1) -> runner (Stage 2) ->  hardened (Final Stage) (Production Image) + devcontainer (Final Stage) (Developer Image)
+
+
+## Legacy Build Path
+
+Dockerfile.debian -> "Tinkerer's" Image (Insecure VM-Style Image)
--- a/docs/COMMON_ISSUES.md
+++ b/docs/COMMON_ISSUES.md
@@ -1,57 +1,114 @@
-### Loading...
+# Troubleshooting Common Issues

-Often if the application is misconfigured the `Loading...` dialog is continuously displayed. This is most likely caused by the backed failing to start. The **Maintenance -> Logs** section should give you more details on what's happening. If there is no exception, check the Portainer log, or start the container in the foreground (without the `-d` parameter) to observe any exceptions. It's advisable to enable `trace` or `debug`. Check the [Debug tips](./DEBUG_TIPS.md) on detailed instructions. 
+> [!TIP]
+> Before troubleshooting, ensure you have set the correct [Debugging and LOG_LEVEL](./DEBUG_TIPS.md).

-### Incorrect SCAN_SUBNETS
+---

-One of the most common issues is not configuring `SCAN_SUBNETS` correctly. If this setting is misconfigured you will only see one or two devices in your devices list after a scan. Please read the [subnets docs](./SUBNETS.md) carefully to resolve this.
+## Docker Container Doesn't Start

-### Duplicate devices and notifications
-
-The app uses the MAC address as an unique identifier for devices. If a new MAC is detected a new device is added to the application and corresponding notifications are triggered. This means that if the MAC of an existing device changes, the device will be logged as a new device. You can usually prevent this from happening by changing the device configuration (in Android, iOS, or Windows) for your network. See the [Random Macs](./RANDOM_MAC.md) guide for details. 
+Initial setup issues are often caused by **missing permissions** or **incorrectly mapped volumes**. Always double-check your `docker run` or `docker-compose.yml` against the [official setup guide](./DOCKER_INSTALLATION.md) before proceeding.

 ### Permissions

-Make sure you [File permissions](./FILE_PERMISSIONS.md) are set correctly.
+Make sure your [file permissions](./FILE_PERMISSIONS.md) are correctly set:

-* If facing issues (AJAX errors, can't write to DB, empty screen, etc,) make sure permissions are set correctly, and check the logs under `/app/log`. 
-* To solve permission issues you can try setting the owner and group of the `app.db` by executing the following on the host system: `docker exec netalertx chown -R www-data:www-data /app/db/app.db`. 
-* If still facing issues, try to map the app.db file (⚠ not folder) to `:/app/db/app.db` (see [docker-compose Examples](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md#-docker-composeyml-examples) for details)
+* If you encounter AJAX errors, cannot write to the database, or see an empty screen, check that permissions are correct and review the logs under `/tmp/log`.
+* To fix permission issues with the database, update the owner and group of `app.db` as described in the [File Permissions guide](./FILE_PERMISSIONS.md).

-### Container restarts / crashes
+### Container Restarts / Crashes

-* Check the logs for details. Often a required setting for a notification method is missing. 
+* Check the logs for details. Often, required settings are missing.
+* For more detailed troubleshooting, see [Debug and Troubleshooting Tips](./DEBUG_TIPS.md).
+* To observe errors directly, run the container in the foreground instead of `-d`:

-### unable to resolve host
+```bash
+docker run --rm -it <your_image>
+```

-* Check that your `SCAN_SUBNETS` variable is using the correct mask and `--interface`. See the [subnets docs for details](./SUBNETS.md).  
+---

-### Invalid JSON
+## Docker Container Starts, But the Application Misbehaves

-Check the [Invalid JSON errors debug help](./DEBUG_INVALID_JSON.md) docs on how to proceed.
+If the container starts but the app shows unexpected behavior, the cause is often **data corruption**, **incorrect configuration**, or **unexpected input data**.

-### sudo execution failing (e.g.: on arpscan) on a Raspberry Pi 4 
+### Continuous "Loading..." Screen

-> sudo: unexpected child termination condition: 0
+A misconfigured application may display a persistent `Loading...` dialog. This is usually caused by the backend failing to start.

-Resolution based on [this issue](https://github.com/linuxserver/docker-papermerge/issues/4#issuecomment-1003657581)
+**Steps to troubleshoot:**
+
+1. Check **Maintenance → Logs** for exceptions.
+2. If no exception is visible, check the Portainer logs.
+3. Start the container in the foreground to observe exceptions.
+4. Enable `trace` or `debug` logging for detailed output (see [Debug Tips](./DEBUG_TIPS.md)).
+5. Verify that `GRAPHQL_PORT` is correctly configured.
+6. Check browser logs (press `F12`):
+
+   * **Console tab** → refresh the page
+   * **Network tab** → refresh the page
+
+If you are unsure how to resolve errors, provide screenshots or log excerpts in your issue report or Discord discussion.
+
+---
+
+### Common Configuration Issues
+
+#### Incorrect `SCAN_SUBNETS`
+
+If `SCAN_SUBNETS` is misconfigured, you may see only a few devices in your device list after a scan. See the [Subnets Documentation](./SUBNETS.md) for proper configuration.
+
+#### Duplicate Devices and Notifications
+
+* Devices are identified by their **MAC address**.
+* If a device's MAC changes, it will be treated as a new device, triggering notifications.
+* Prevent this by adjusting your device configuration for Android, iOS, or Windows. See the [Random MACs Guide](./RANDOM_MAC.md).
+
+#### Unable to Resolve Host
+
+* Ensure `SCAN_SUBNETS` uses the correct mask and `--interface`.
+* Refer to the [Subnets Documentation](./SUBNETS.md) for detailed guidance.
+
+#### Invalid JSON Errors
+
+* Follow the steps in [Invalid JSON Errors Debug Help](./DEBUG_INVALID_JSON.md).
+
+#### Sudo Execution Fails (e.g., on arpscan on Raspberry Pi 4)
+
+Error:

 ```
+sudo: unexpected child termination condition: 0
+```
+
+**Resolution**:
+
+```bash
 wget ftp.us.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_2.5.3-2_armhf.deb
 sudo dpkg -i libseccomp2_2.5.3-2_armhf.deb
 ```

-The link above will probably break in time too. Go to https://packages.debian.org/sid/armhf/libseccomp2/download to find the new version number and put that in the url.
+> ⚠️ The link may break over time. Check [Debian Packages](https://packages.debian.org/sid/armhf/libseccomp2/download) for the latest version.

-### Only Router and own device show up
+#### Only Router and Own Device Show Up

-Make sure that the subnet and interface in `SCAN_SUBNETS` are correct. If your device/NAS has multiple ethernet ports, you probably need to change `eth0` to something else.
+* Verify the subnet and interface in `SCAN_SUBNETS`.
+* On devices with multiple Ethernet ports, you may need to change `eth0` to the correct interface.

-### Losing my settings and devices after an update
+#### Losing Settings or Devices After Update

-If you lose your devices and/or settings after an update that means you don't have the `/app/db` and `/app/config` folders mapped to a permanent storage. That means every time you update these folders are re-created. Make sure you have the [volumes specified correctly](./DOCKER_COMPOSE.md) in your `docker-compose.yml` or run command.
+* Ensure `/data/db` and `/data/config` are mapped to persistent storage.
+* Without persistent volumes, these folders are recreated on every update.
+* See [Docker Volumes Setup](./DOCKER_COMPOSE.md) for proper configuration.

+#### Application Performance Issues

-### The application is slow
+Slowness can be caused by:
+
+* Incorrect settings (causing app restarts) → check `app.log`.
+* Too many background processes → disable unnecessary scanners.
+* Long scans → limit the number of scanned devices.
+* Excessive disk operations or failing maintenance plugins.
+
+> See [Performance Tips](./PERFORMANCE.md) for detailed optimization steps.

-Slowness is usually caused by incorrect settings (the app might restart, so check the `app.log`), too many background processes (disable unnecessary scanners), too long scans (limit the number of scanned devices), too many disk operations, or some maintenance plugins might have failed. See the [Performance tips](./PERFORMANCE.md) docs for details.
--- a/docs/DEBUG_API_SERVER.md
+++ b/docs/DEBUG_API_SERVER.md
@@ -1,35 +1,34 @@
 # Debugging GraphQL server issues

-The GraphQL server is an API middle layer, running on it's own port specified by `GRAPHQL_PORT`, to retrieve and show the data in the UI. It can also be used to retrieve data for custom third party integarions. Check the [API documentation](./API.md) for details. 
+The GraphQL server is an API middle layer, running on it's own port specified by `GRAPHQL_PORT`, to retrieve and show the data in the UI. It can also be used to retrieve data for custom third party integarions. Check the [API documentation](./API.md) for details.

 The most common issue is that the GraphQL server doesn't start properly, usually due to a **port conflict**. If you are running multiple NetAlertX instances, make sure to use **unique ports** by changing the `GRAPHQL_PORT` setting. The default is `20212`.

 ## How to update the `GRAPHQL_PORT` in case of issues

-As a first troubleshooting step try changing the default `GRAPHQL_PORT` setting. Please remember NetAlertX is running on the host so any application uising the same port will cause issues.  
+As a first troubleshooting step try changing the default `GRAPHQL_PORT` setting. Please remember NetAlertX is running on the host so any application uising the same port will cause issues.

 ### Updating the setting via the Settings UI

 Ideally use the Settings UI to update the setting under General -> Core -> GraphQL port:

-![GrapQL settings](./img/DEBUG_GRAPHQL/graphql_settings_port_token.png)
+![GrapQL settings](./img/DEBUG_API_SERVER/graphql_settings_port_token.png)

-You might need to temporarily stop other applications or NetAlertX instances causing conflicts to update the setting. The `API_TOKEN` is used to authenticate any API calls, including GraphQL requests. 
+You might need to temporarily stop other applications or NetAlertX instances causing conflicts to update the setting. The `API_TOKEN` is used to authenticate any API calls, including GraphQL requests.

 ### Updating the `app.conf` file

 If the UI is not accessible, you can directly edit the `app.conf` file in your `/config` folder:

-![Editing app.conf](./img/DEBUG_GRAPHQL/app_conf_graphql_port.png)
+![Editing app.conf](./img/DEBUG_API_SERVER/app_conf_graphql_port.png)

 ### Using a docker variable

-All application settings can also be initialized via the `APP_CONF_OVERRIDE` docker env variable. 
+All application settings can also be initialized via the `APP_CONF_OVERRIDE` docker env variable.

 ```yaml
 ...
 environment:
-      - TZ=Europe/Berlin      
      - PORT=20213
      - APP_CONF_OVERRIDE={"GRAPHQL_PORT":"20214"}
 ...
@@ -43,22 +42,22 @@ There are several ways to check if the GraphQL server is running.

 You can navigate to Maintenance -> Init Check to see if `isGraphQLServerRunning` is ticked:

-![Init Check](./img/DEBUG_GRAPHQL/Init_check.png)
+![Init Check](./img/DEBUG_API_SERVER/Init_check.png)

 ### Checking the Logs

 You can navigate to Maintenance -> Logs and search for `graphql` to see if it started correctly and serving requests:

-![GraphQL Logs](./img/DEBUG_GRAPHQL/graphql_running_logs.png)
+![GraphQL Logs](./img/DEBUG_API_SERVER/graphql_running_logs.png)

 ### Inspecting the Browser console

 In your browser open the dev console (usually F12) and navigate to the Network tab where you can filter GraphQL requests (e.g., reload the Devices page).

-![Browser Network Tab](./img/DEBUG_GRAPHQL/network_graphql.png)
+![Browser Network Tab](./img/DEBUG_API_SERVER/network_graphql.png)

 You can then inspect any of the POST requests by opening them in a new tab.

-![Browser GraphQL Json](./img/DEBUG_GRAPHQL/dev_console_graphql_json.png)
+![Browser GraphQL Json](./img/DEBUG_API_SERVER/dev_console_graphql_json.png)


--- a/docs/DEBUG_INVALID_JSON.md
+++ b/docs/DEBUG_INVALID_JSON.md
@@ -3,13 +3,13 @@
 Check the the HTTP response of the failing backend call by following these steps:

 - Open developer console in your browser (usually, e. g. for Chrome, key F12 on the keyboard).
- Follow the steps in this screenshot: 
+- Follow the steps in this screenshot:

 ![F12DeveloperConsole][F12DeveloperConsole]

 - Copy the URL causing the error and enter it in the address bar of your browser directly and hit enter. The copied URLs could look something like this (notice the query strings at the end):
-  - `http://<NetAlertX URL>:20211/api/table_devices.json?nocache=1704141103121`
-  - `http://<NetAlertX URL>:20211/php/server/devices.php?action=getDevicesTotals`
+  - `http://<server>:20211/api/table_devices.json?nocache=1704141103121`
+  - `http://<server>:20211/php/server/devices.php?action=getDevicesTotals`


 - Post the error response in the existing issue thread on GitHub or create a new issue and include the redacted response of the failing query.
--- a/docs/DEBUG_PHP.md
+++ b/docs/DEBUG_PHP.md
@@ -27,7 +27,7 @@ Sometimes, the UI might not be accessible. In that case, you can access the logs
 3. **Check the PHP application error log:**

   ```bash
-   cat /app/log/app.php_errors.log
+   cat /tmp/log/app.php_errors.log
   ```

 These logs will help identify syntax issues, fatal errors, or startup problems when the UI fails to load properly.
--- a/docs/DEBUG_PLUGINS.md
+++ b/docs/DEBUG_PLUGINS.md
@@ -1,5 +1,8 @@
 # Troubleshooting plugins

+> [!TIP]
+> Before troubleshooting, please ensure you have the right [Debugging and LOG_LEVEL set](./DEBUG_TIPS.md).
+
 ## High-level overview

 If a Plugin supplies data to the main app it's done either vie a SQL query or via a script that updates the `last_result.log` file in the plugin log folder (`app/log/plugins/`).
@@ -9,7 +12,7 @@ For a more in-depth overview on how plugins work check the [Plugins development
 ### Prerequisites

 - Make sure you read and followed the specific plugin setup instructions.
- Ensure you have [debug enabled (see More Logging)](./DEBUG_TIPS.md) 
+- Ensure you have [debug enabled (see More Logging)](./DEBUG_TIPS.md)

 ### Potential issues

@@ -47,9 +50,9 @@ Input data from the plugin might cause mapping issues in specific edge cases. Lo
 17:31:05 [Plugins] history_to_insert count: 4
 17:31:05 [Plugins] objects_to_insert count: 0
 17:31:05 [Plugins] objects_to_update count: 4
-17:31:05 [Plugin utils] In pluginEvents there are 2 events with the status "watched-not-changed" 
-17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "missing-in-last-scan" 
-17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "watched-not-changed" 
+17:31:05 [Plugin utils] In pluginEvents there are 2 events with the status "watched-not-changed"
+17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "missing-in-last-scan"
+17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "watched-not-changed"
 17:31:05 [Plugins] Mapping objects to database table: CurrentScan
 17:31:05 [Plugins] SQL query for mapping: INSERT into CurrentScan ( "cur_MAC", "cur_IP", "cur_LastQuery", "cur_Name", "cur_Vendor", "cur_ScanMethod") VALUES ( ?, ?, ?, ?, ?, ?)
 17:31:05 [Plugins] SQL sqlParams for mapping: [('01:01:01:01:01:01', '172.30.0.1', 0, 'aaaa', 'vvvvvvvvv', 'PIHOLE'), ('02:42:ac:1e:00:02', '172.30.0.2', 0, 'dddd', 'vvvvv2222', 'PIHOLE')]
@@ -80,7 +83,7 @@ These values, if formatted correctly, will also show up in the UI:

 ### Sharing application state

-Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong. 
+Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong.

 1. Please set `LOG_LEVEL` to `trace` (Disable it once you have the info as this produces big log files).
 2. Wait for the issue to occur.
--- a/docs/DEBUG_TIPS.md
+++ b/docs/DEBUG_TIPS.md
@@ -1,30 +1,36 @@
 # Debugging and troubleshooting

-Please follow tips 1 - 4 to get a more detailed error. 
+Please follow tips 1 - 4 to get a more detailed error.

-## 1. More Logging 
+## 1. More Logging

 When debugging an issue always set the highest log level:

 `LOG_LEVEL='trace'`

-## 2. Surfacing errors when container restarts 
+## 2. Surfacing errors when container restarts

 Start the container via the **terminal** with a command similar to this one:

 ```bash
-docker run --rm --network=host \
-  -v local/path/netalertx/config:/app/config \
-  -v local/path/netalertx/db:/app/db \
-  -e TZ=Europe/Berlin \
+docker run \
+  --network=host \
+  --restart unless-stopped \
+  -v /local_data_dir:/data \
+  -v /etc/localtime:/etc/localtime:ro \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
  -e PORT=20211 \
+  -e APP_CONF_OVERRIDE='{"GRAPHQL_PORT":"20214"}' \
  ghcr.io/jokob-sk/netalertx:latest

 ```

-> ⚠ Please note, don't use the `-d` parameter so you see the error when the container crashes. Use this error in your issue description.
+Note: Your `/local_data_dir` should contain a `config` and `db` folder.

-## 3. Check the _dev image and open issues 
+> [!NOTE]
+> ⚠ The most important part is NOT to use the `-d` parameter so you see the error when the container crashes. Use this error in your issue description.
+
+## 3. Check the _dev image and open issues

 If possible, check if your issue got fixed in the `_dev` image before opening a new issue. The container is:

@@ -34,7 +40,7 @@ If possible, check if your issue got fixed in the `_dev` image before opening a

 Please also search [open issues](https://github.com/jokob-sk/NetAlertX/issues).

-## 4. Disable restart behavior 
+## 4. Disable restart behavior

 To prevent a Docker container from automatically restarting in a Docker Compose file, specify the restart policy as `no`:

@@ -48,9 +54,14 @@ services:
    # Other service configurations...
 ```

-## 5. Sharing application state
+## 5. TMP mount directories to rule host out permission issues

-Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong. 
+Try starting the container with all data to be in non-persistent volumes. If this works, the issue might be related to the permissions of your persistent data mount locations on your server. See teh [Permissions guide](./FILE_PERMISSIONS.md) for details.
+
+
+## 6. Sharing application state
+
+Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong.

 1. Please set `LOG_LEVEL` to `trace` (Disable it once you have the info as this produces big log files).
 2. Wait for the issue to occur.
@@ -61,4 +72,4 @@ Sometimes specific log sections are needed to debug issues. The Devices and Curr

 ## Common issues

-See [Common issues](./COMMON_ISSUES.md) for details. 
+See [Common issues](./COMMON_ISSUES.md) for additional troubleshooting tips.
--- a/docs/DEVICES_BULK_EDITING.md
+++ b/docs/DEVICES_BULK_EDITING.md
@@ -4,8 +4,8 @@ NetAlertX allows you to mass-edit devices via a CSV export and import feature, o

 ## UI multi edit

-> [!NOTE] 
-> Make sure you have your backups saved and restorable before doing any mass edits. Check [Backup strategies](./BACKUPS.md). 
+> [!NOTE]
+> Make sure you have your backups saved and restorable before doing any mass edits. Check [Backup strategies](./BACKUPS.md).

 You can select devices in the _Devices_ view by selecting devices to edit and then clicking the _Multi-edit_ button or via the _Maintenance_ > _Multi-Edit_ section.

@@ -16,23 +16,23 @@ You can select devices in the _Devices_ view by selecting devices to edit and th

 The database and device structure may change with new releases. When using the CSV import functionality, ensure the format matches what the application expects. To avoid issues, you can first export the devices and review the column formats before importing any custom data.

-> [!NOTE] 
+> [!NOTE]
 > As always, backup everything, just in case.

-1. In _Maintenance_ > _Backup / Restore_ click the _CSV Export_ button.  
+1. In _Maintenance_ > _Backup / Restore_ click the _CSV Export_ button.
 2. A `devices.csv` is generated in the `/config` folder
-3. Edit the `devices.csv` file however you like. 
+3. Edit the `devices.csv` file however you like.

 ![Maintenance > CSV Export](./img/DEVICES_BULK_EDITING/MAINTENANCE_CSV_EXPORT.png)

-> [!NOTE] 
-> The file containing a list of Devices including the Network relationships between Network Nodes and connected devices. You can also trigger this by acessing this URL: `<your netalertx url>/php/server/devices.php?action=ExportCSV` or via the `CSV Backup` plugin. (💡 You can schedule this)
+> [!NOTE]
+> The file containing a list of Devices including the Network relationships between Network Nodes and connected devices. You can also trigger this by acessing this URL: `<server>:20211/php/server/devices.php?action=ExportCSV` or via the `CSV Backup` plugin. (💡 You can schedule this)

 ![Settings > CSV Backup](./img/DEVICES_BULK_EDITING/CSV_BACKUP_SETTINGS.png)

 ### File encoding format

-> [!NOTE] 
+> [!NOTE]
 > Keep Linux line endings (suggested editors: Nano, Notepad++)

 ![Nodepad++ line endings](./img/DEVICES_BULK_EDITING/NOTEPAD++.png)
--- a/docs/DEVICE_MANAGEMENT.md
+++ b/docs/DEVICE_MANAGEMENT.md
@@ -1,8 +1,8 @@
-# NetAlertX - Device Management
+# Device Management

 The Main Info section is where most of the device identifiable information is stored and edited. Some of the information is autodetected via various plugins. Initial values for most of the fields can be specified in the `NEWDEV` plugin.

-> [!NOTE] 
+> [!NOTE]
 >
 > You can multi-edit devices by selecting them in the main Devices view, from the Mainetence section, or via the CSV Export functionality under Maintenance. More info can be found in the [Devices Bulk-editing docs](./DEVICES_BULK_EDITING.md).

@@ -14,23 +14,23 @@ The Main Info section is where most of the device identifiable information is st
  - **MAC**: MAC addres of the device. Not editable, unless creating a new dummy device.
  - **Last IP**: IP addres of the device. Not editable, unless creating a new dummy device.
  - **Name**: Friendly device name. Autodetected via various 🆎 Name discovery [plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md). The app attaches `(IP match)` if the name is discovered via an IP match and not MAC match which could mean the name could be incorrect as IPs might change.
-  - **Icon**: Partially autodetected. Select an existing or [add a custom icon](./ICONS.md). You can also auto-apply the same icon on all devices of the same type. 
+  - **Icon**: Partially autodetected. Select an existing or [add a custom icon](./ICONS.md). You can also auto-apply the same icon on all devices of the same type.
  - **Owner**: Device owner (The list is self-populated with existing owners and you can add custom values).
  - **Type**: Select a device type from the dropdown list (`Smartphone`, `Tablet`,
-      `Laptop`, `TV`, `router`, etc.) or add a new device type. If you want the device to act as a **Network device** (and be able to be a network node in the Network view), select a type under Network Devices or add a new Network Device type in Settings. More information can be found in the [Network Setup docs](./NETWORK_TREE.md). 
+      `Laptop`, `TV`, `router`, etc.) or add a new device type. If you want the device to act as a **Network device** (and be able to be a network node in the Network view), select a type under Network Devices or add a new Network Device type in Settings. More information can be found in the [Network Setup docs](./NETWORK_TREE.md).
  - **Vendor**: The manufacturing vendor. Automatically updated by NetAlertX when empty or unknown, can be edited.
  - **Group**: Select a group (`Always on`, `Personal`, `Friends`, etc.) or type
      your own Group name.
-  - **Location**: Select the location, usually a room, where the device is located (`Kitchen`, `Attic`, `Living room`, etc.) or add a custom Location.  
+  - **Location**: Select the location, usually a room, where the device is located (`Kitchen`, `Attic`, `Living room`, etc.) or add a custom Location.
  - **Comments**: Add any comments for the device, such as a serial number, or maintenance information.

-> [!NOTE] 
+> [!NOTE]
 >
-> Please note the above usage of the fields are only suggestions. You can use most of these fields for other purposes, such as storing the network interface, company owning a device, or similar. 
+> Please note the above usage of the fields are only suggestions. You can use most of these fields for other purposes, such as storing the network interface, company owning a device, or similar.

 ## Dummy devices

-You can create dummy devices from the Devices listing screen. 
+You can create dummy devices from the Devices listing screen.

 ![Create Dummy Device](./img/DEVICE_MANAGEMENT/Devices_CreateDummyDevice.png)

@@ -39,12 +39,12 @@ The **MAC** field and the **Last IP** field will then become editable.
 ![Save Dummy Device](./img/DEVICE_MANAGEMENT/DeviceEdit_SaveDummyDevice.png)


-> [!NOTE] 
+> [!NOTE]
 >
 > You can couple this with the `ICMP` plugin which can be used to monitor the status of these devices, if they are actual devices reachable with the `ping` command. If not, you can use a loopback IP address so they appear online, such as `0.0.0.0` or `127.0.0.1`.

-## Copying data from an existing device. 
+## Copying data from an existing device.

-To speed up device population you can also copy data from an existing device. This can be done from the **Tools** tab on the Device details. 
+To speed up device population you can also copy data from an existing device. This can be done from the **Tools** tab on the Device details.


--- a/docs/DEV_ENV_SETUP.md
+++ b/docs/DEV_ENV_SETUP.md
@@ -55,7 +55,6 @@ The file content should be following, with your custom values.
 #--------------------------------
 #NETALERTX
 #--------------------------------
-TZ=Europe/Berlin
 PORT=22222    # make sure this port is unique on your whole network
 DEV_LOCATION=/development/NetAlertX
 APP_DATA_LOCATION=/volume/docker_appdata
--- a/docs/DOCKER_COMPOSE.md
+++ b/docs/DOCKER_COMPOSE.md
@@ -1,203 +1,232 @@
-# `docker-compose.yaml` Examples
+# NetAlertX and Docker Compose

-> [!NOTE] 
-> The container needs to run in `network_mode:"host"`. This also means that not all functionality is supported on a Windows host as Docker for Windows doesn't support this networking option. 
+> [!WARNING]
+> ⚠️ **Important:** The docker-compose has recently changed. Carefully read the [Migration guide](https://jokob-sk.github.io/NetAlertX/MIGRATION/?h=migrat#12-migration-from-netalertx-v25524) for detailed instructions.

-### Example 1
+Great care is taken to ensure NetAlertX meets the needs of everyone while being flexible enough for anyone. This document outlines how you can configure your docker-compose. There are many settings, so we recommend using the Baseline Docker Compose as-is, or modifying it for your system.Good care is taken to ensure NetAlertX meets the needs of everyone while being flexible enough for anyone. This document outlines how you can configure your docker-compose. There are many settings, so we recommend using the Baseline Docker Compose as-is, or modifying it for your system.
+
+> [!NOTE]
+> The container needs to run in `network_mode:"host"` to access Layer 2 networking such as arp, nmap and others. Due to lack of support for this feature, Windows host is not a supported operating system.
+
+## Baseline Docker Compose
+
+There is one baseline for NetAlertX. That's the default security-enabled official distribution.

 ```yaml
 services:
  netalertx:
-    container_name: netalertx
-    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-    network_mode: "host"        
-    restart: unless-stopped
+  #use an environmental variable to set host networking mode if needed
+    container_name: netalertx                       # The name when you docker contiainer ls
+    image: ghcr.io/jokob-sk/netalertx-dev:latest
+    network_mode: ${NETALERTX_NETWORK_MODE:-host}   # Use host networking for ARP scanning and other services
+
+    read_only: true                                 # Make the container filesystem read-only
+    cap_drop:                                       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:                                        # Add only the necessary capabilities
+      - NET_ADMIN                                   # Required for ARP scanning
+      - NET_RAW                                     # Required for raw socket operations
+      - NET_BIND_SERVICE                            # Required to bind to privileged ports (nbtscan)
+
    volumes:
-      - local_path/config:/app/config
-      - local_path/db:/app/db      
-      # (optional) useful for debugging if you have issues setting up the container
-      - local_path/logs:/app/log
-      # (API: OPTION 1) use for performance
-      - type: tmpfs
-        target: /app/api
-      # (API: OPTION 2) use when debugging issues 
-      # -  local_path/api:/app/api
+      - type: volume                                # Persistent Docker-managed named volume for config + database
+        source: netalertx_data
+        target: /data                               # `/data/config` and `/data/db` live inside this mount
+        read_only: false
+
+    # Example custom local folder called /home/user/netalertx_data
+    # - type: bind
+    #   source: /home/user/netalertx_data
+    #   target: /data
+    #   read_only: false
+    # ... or use the alternative format
+    # - /home/user/netalertx_data:/data:rw
+
+      - type: bind                                  # Bind mount for timezone consistency
+        source: /etc/localtime
+        target: /etc/localtime
+        read_only: true
+
+      # Mount your DHCP server file into NetAlertX for a plugin to access
+      # - path/on/host/to/dhcp.file:/resources/dhcp.file
+
+    # tmpfs mount consolidates writable state for a read-only container and improves performance
+    # uid=20211 and gid=20211 is the netalertx user inside the container
+    # mode=1700 grants rwx------ permissions to the netalertx user only
+    tmpfs:
+      # Comment out to retain logs between container restarts - this has a server performance impact.
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+
+      # Retain logs - comment out tmpfs /tmp if you want to retain logs between container restarts
+      # Please note if you remove the /tmp mount, you must create and maintain sub-folder mounts.
+      # - /path/on/host/log:/tmp/log
+      # - "/tmp/api:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      # - "/tmp/nginx:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      # - "/tmp/run:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+
    environment:
-      - TZ=Europe/Berlin      
-      - PORT=20211
+      LISTEN_ADDR: ${LISTEN_ADDR:-0.0.0.0}                   # Listen for connections on all interfaces
+      PORT: ${PORT:-20211}                                   # Application port
+      GRAPHQL_PORT: ${GRAPHQL_PORT:-20212}                   # GraphQL API port (passed into APP_CONF_OVERRIDE at runtime)
+  #    NETALERTX_DEBUG: ${NETALERTX_DEBUG:-0}                 # 0=kill all services and restart if any dies. 1 keeps running dead services.
+
+    # Resource limits to prevent resource exhaustion
+    mem_limit: 2048m            # Maximum memory usage
+    mem_reservation: 1024m      # Soft memory limit
+    cpu_shares: 512             # Relative CPU weight for CPU contention scenarios
+    pids_limit: 512             # Limit the number of processes/threads to prevent fork bombs
+    logging:
+      driver: "json-file"       # Use JSON file logging driver
+      options:
+        max-size: "10m"         # Rotate log files after they reach 10MB
+        max-file: "3"           # Keep a maximum of 3 log files
+
+    # Always restart the container unless explicitly stopped
+    restart: unless-stopped
+
+volumes:                        # Persistent volume for configuration and database storage
+  netalertx_data:
 ```

-To run the container execute: `sudo docker-compose up -d`
+Run or re-run it:

-### Example 2
-
-Example by [SeimuS](https://github.com/SeimusS).
-
-```yaml
-services:
-  netalertx:
-    container_name: NetAlertX
-    hostname: NetAlertX
-    privileged: true
-    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: ghcr.io/jokob-sk/netalertx:latest
-    environment:
-      - TZ=Europe/Bratislava
-    restart: always
-    volumes:
-      - ./netalertx/db:/app/db
-      - ./netalertx/config:/app/config
-    network_mode: host
+```sh
+docker compose up --force-recreate
 ```

-To run the container execute: `sudo docker-compose up -d`
+### Customize with Environmental Variables

-### Example 3
+You can override the default settings by passing environmental variables to the `docker compose up` command.

-`docker-compose.yml` 
+**Example using a single variable:**
+
+This command runs NetAlertX on port 8080 instead of the default 20211.
+
+```sh
+PORT=8080 docker compose up
+```
+
+**Example using all available variables:**
+
+This command demonstrates overriding all primary environmental variables: running with host networking, on port 20211, GraphQL on 20212, and listening on all IPs.
+
+```sh
+NETALERTX_NETWORK_MODE=host \
+LISTEN_ADDR=0.0.0.0 \
+PORT=20211 \
+GRAPHQL_PORT=20212 \
+NETALERTX_DEBUG=0 \
+docker compose up
+```
+
+## `docker-compose.yaml` Modifications
+
+### Modification 1: Use a Local Folder (Bind Mount)
+
+By default, the baseline compose file uses a single named volume (netalertx_data) mounted at `/data`. This single-volume layout is preferred because NetAlertX manages both configuration and the database under `/data` (for example, `/data/config` and `/data/db`) via its web UI. Using one named volume simplifies permissions and portability: Docker manages the storage and NetAlertX manages the files inside `/data`.
+
+A two-volume layout that mounts `/data/config` and `/data/db` separately (for example, `netalertx_config` and `netalertx_db`) is supported for backward compatibility and some advanced workflows, but it is an abnormal/legacy layout and not recommended for new deployments.
+
+However, if you prefer to have direct, file-level access to your configuration for manual editing, a "bind mount" is a simple alternative. This tells Docker to use a specific folder from your computer (the "host") inside the container.
+
+**How to make the change:**
+
+1. Choose a location on your computer. For example, `/local_data_dir`.
+
+2. Create the subfolders: `mkdir -p /local_data_dir/config` and `mkdir -p /local_data_dir/db`.
+
+3. Edit your `docker-compose.yml` and find the `volumes:` section (the one *inside* the `netalertx:` service).
+
+4. Comment out (add a `#` in front) or delete the `type: volume` blocks for `netalertx_config` and `netalertx_db`.
+
+5. Add new lines pointing to your local folders.
+
+**Before (Using Named Volumes - Preferred):**

 ```yaml
+...
+    volumes:
+      - netalertx_config:/data/config:rw #short-form volume (no /path is a short volume)
+      - netalertx_db:/data/db:rw
+...
+```
+
+**After (Using a Local Folder / Bind Mount):**
+Make sure to replace `/local_data_dir` with your actual path. The format is `<path_on_your_computer>:<path_inside_container>:<options>`.
+
+```yaml
+...
+    volumes:
+#      - netalertx_config:/data/config:rw
+#      - netalertx_db:/data/db:rw
+      - /local_data_dir/config:/data/config:rw
+      - /local_data_dir/db:/data/db:rw
+...
+```
+
+Now, any files created by NetAlertX in `/data/config` will appear in your `/local_data_dir/config` folder.
+
+This same method works for mounting other things, like custom plugins or enterprise NGINX files, as shown in the commented-out examples in the baseline file.
+
+## Example Configuration Summaries
+
+Here are the essential modifications for common alternative setups.
+
+### Example 2: External `.env` File for Paths
+
+This method is useful for keeping your paths and other settings separate from your main compose file, making it more portable.
+
+**`docker-compose.yml` changes:**
+
+```yaml
+...
 services:
  netalertx:
-    container_name: netalertx
-    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-    network_mode: "host"        
-    restart: unless-stopped
-    volumes:
-      - ${APP_CONFIG_LOCATION}/netalertx/config:/app/config
-      - ${APP_DATA_LOCATION}/netalertx/db/:/app/db/      
-      # (optional) useful for debugging if you have issues setting up the container
-      - ${LOGS_LOCATION}:/app/log
-      # (API: OPTION 1) use for performance
-      - type: tmpfs
-        target: /app/api
-      # (API: OPTION 2) use when debugging issues 
-      # -  local/path/api:/app/api
    environment:
-      - TZ=${TZ}      
      - PORT=${PORT}
+      - GRAPHQL_PORT=${GRAPHQL_PORT}
+
+...
 ```

-`.env` file
+**`.env` file contents:**

-```yaml
-#GLOBAL PATH VARIABLES
-
-APP_DATA_LOCATION=/path/to/docker_appdata
-APP_CONFIG_LOCATION=/path/to/docker_config
-LOGS_LOCATION=/path/to/docker_logs
-
-#ENVIRONMENT VARIABLES
-
-TZ=Europe/Paris
+```sh
 PORT=20211
-
-#DEVELOPMENT VARIABLES
-
-DEV_LOCATION=/path/to/local/source/code
+NETALERTX_NETWORK_MODE=host
+LISTEN_ADDR=0.0.0.0
+GRAPHQL_PORT=20212
 ```

-To run the container execute: `sudo docker-compose --env-file /path/to/.env up`
+Run with: `sudo docker-compose --env-file /path/to/.env up`

+### Example 3: Docker Swarm

-### Example 4: Docker swarm
+This is for deploying on a Docker Swarm cluster. The key differences from the baseline are the removal of `network_mode:` from the service, and the addition of `deploy:` and `networks:` blocks at both the service and top-level.

-Notice how the host network is defined in a swarm setup:
+Here are the *only* changes you need to make to the baseline compose file to make it Swarm-compatible.

 ```yaml
 services:
  netalertx:
-    # Use the below line if you want to test the latest dev image
-    # image: "jokobsk/netalertx-dev:latest"
-    image: "ghcr.io/jokob-sk/netalertx:latest"
-    volumes:
-      - /mnt/MYSERVER/netalertx/config:/config:rw
-      - /mnt/MYSERVER/netalertx/db:/netalertx/db:rw
-      - /mnt/MYSERVER/netalertx/logs:/netalertx/front/log:rw
-    environment:
-      - TZ=Europe/London
-      - PORT=20211
+    ...
+    #    network_mode: ${NETALERTX_NETWORK_MODE:-host} # <-- DELETE THIS LINE
+    ...
+
+    # 2. ADD a 'networks:' block INSIDE the service to connect to the external host network.
    networks:
      - outside
+    # 3. ADD a 'deploy:' block to manage the service as a swarm replica.
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure

+
+# 4. ADD a new top-level 'networks:' block at the end of the file to define 'outside' as the external 'host' network.
 networks:
  outside:
    external:
      name: "host"
-
-
 ```
-
-### Example 5: same as 3 but with a top-level root directory; also works in Portainer as-is
-
-`docker-compose.yml` 
-
-```yaml
-services:
-  netalertx:
-    container_name: netalertx
-    # use the below line if you want to test the latest dev image instead of the stable release
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-
-    network_mode: "host"        
-    restart: unless-stopped
-    volumes:
-      - ${APP_FOLDER}/netalertx/config:/app/config
-      - ${APP_FOLDER}/netalertx/db:/app/db     
-      # (optional) useful for debugging if you have issues setting up the container
-      - ${APP_FOLDER}/netalertx/log:/app/log
-      # (API: OPTION 1) default -> use for performance
-      - type: tmpfs
-        target: /app/api
-      # (API: OPTION 2) use when debugging issues 
-      # -  ${APP_FOLDER}/netalertx/api:/app/api
-    environment:
-
-      - TZ=${TZ}
-      - PORT=${PORT}
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - LISTEN_ADDR=${LISTEN_ADDR}
-```
-
-`.env` file
-
-```yaml
-APP_FOLDER=/path/to/local/NetAlertX/location
-
-#ENVIRONMENT VARIABLES
-
-PUID=200
-PGID=300
-
-TZ=America/New_York
-LISTEN_ADDR=0.0.0.0
-PORT=20211
-#GLOBAL PATH VARIABLE
-
-# you may want to create a dedicated user and group to run the container with 
-# sudo groupadd -g 300 nax-g 
-# sudo useradd -u 200 -g 300 nax-u
-# mkdir -p $APP_FOLDER/{db,config,log} 
-# chown -R 200:300 $APP_FOLDER
-# chmod -R 775 $APP_FOLDER
-
-# DEVELOPMENT VARIABLES
-# you can create  multiple env files called .env.dev1, .env.dev2 etc and use them by running:
-# docker compose --env-file .env.dev1 up -d
-# you can then clone  multiple dev copies of NetAlertX just make sure to change the APP_FOLDER and PORT variables in each .env.devX file
-
-```
-
-To run the container execute: `sudo docker-compose --env-file /path/to/.env up`
--- a/docs/DOCKER_INSTALLATION.md
+++ b/docs/DOCKER_INSTALLATION.md
@@ -0,0 +1,106 @@
+[![Docker Size](https://img.shields.io/docker/image-size/jokobsk/netalertx?label=Size&logo=Docker&color=0aa8d2&logoColor=fff&style=for-the-badge)](https://hub.docker.com/r/jokobsk/netalertx)
+[![Docker Pulls](https://img.shields.io/docker/pulls/jokobsk/netalertx?label=Pulls&logo=docker&color=0aa8d2&logoColor=fff&style=for-the-badge)](https://hub.docker.com/r/jokobsk/netalertx)
+[![GitHub Release](https://img.shields.io/github/v/release/jokob-sk/NetAlertX?color=0aa8d2&logoColor=fff&logo=GitHub&style=for-the-badge)](https://github.com/jokob-sk/NetAlertX/releases)
+[![Discord](https://img.shields.io/discord/1274490466481602755?color=0aa8d2&logoColor=fff&logo=Discord&style=for-the-badge)](https://discord.gg/NczTUTWyRr)
+[![Home Assistant](https://img.shields.io/badge/Repo-blue?logo=home-assistant&style=for-the-badge&color=0aa8d2&logoColor=fff&label=Add)](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgithub.com%2Falexbelgium%2Fhassio-addons)
+
+# NetAlertX - Network scanner & notification framework
+
+| [📑 Docker guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://jokob-sk.github.io/NetAlertX/) | [🔌 Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
+|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------|
+
+<a href="https://raw.githubusercontent.com/jokob-sk/NetAlertX/main/docs/img/GENERAL/github_social_image.jpg" target="_blank">
+  <img src="https://raw.githubusercontent.com/jokob-sk/NetAlertX/main/docs/img/GENERAL/github_social_image.jpg" width="1000px" />
+</a>
+
+Head to [https://netalertx.com/](https://netalertx.com/) for more gifs and screenshots 📷.
+
+> [!NOTE]
+> There is also an experimental 🧪 [bare-metal install](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md) method available.
+
+## 📕 Basic Usage
+
+> [!WARNING]
+> You will have to run the container on the `host` network and specify `SCAN_SUBNETS` unless you use other [plugin scanners](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md). The initial scan can take a few minutes, so please wait 5-10 minutes for the initial discovery to finish.
+
+```bash
+docker run -d --rm --network=host \
+  -v /local_data_dir:/data \
+  -v /etc/localtime:/etc/localtime \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
+  -e PORT=20211 \
+  -e APP_CONF_OVERRIDE={"GRAPHQL_PORT":"20214"} \
+  ghcr.io/jokob-sk/netalertx:latest
+```
+
+See alternative [docked-compose examples](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md).
+
+### Default ports
+
+| Default        | Description                    | How to override                                                                    |
+| :------------- |:-------------------------------| ----------------------------------------------------------------------------------:|
+| `20211`        |Port of the web interface       |  `-e PORT=20222`                                                                   |
+| `20212`        |Port of the backend API server  |  `-e APP_CONF_OVERRIDE={"GRAPHQL_PORT":"20214"}` or via the `GRAPHQL_PORT` Setting |
+
+### Docker environment variables
+
+| Variable | Description | Example Value |
+| :------------- |:------------------------| -----:|
+| `PORT`      |Port of the web interface  |  `20211` |
+| `LISTEN_ADDR`      |Set the specific IP Address for the listener address for the nginx webserver (web interface). This could be useful when using multiple subnets to hide the web interface from all untrusted networks. |  `0.0.0.0` |
+|`LOADED_PLUGINS` | Default [plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) to load. Plugins cannot be loaded with `APP_CONF_OVERRIDE`, you need to use this variable instead and then specify the plugins settings with `APP_CONF_OVERRIDE`. |  `["PIHOLE","ASUSWRT"]` |
+|`APP_CONF_OVERRIDE` | JSON override for settings (except `LOADED_PLUGINS`).   |  `{"SCAN_SUBNETS":"['192.168.1.0/24 --interface=eth1']","GRAPHQL_PORT":"20212"}` |
+|`ALWAYS_FRESH_INSTALL` | ⚠ If `true` will delete the content of the `/db` & `/config` folders. For testing purposes. Can be coupled with [watchtower](https://github.com/containrrr/watchtower) to have an always freshly installed `netalertx`/`netalertx-dev` image.   |    `true` |
+
+> You can override the default GraphQL port setting `GRAPHQL_PORT` (set to `20212`) by using the `APP_CONF_OVERRIDE` env variable. `LOADED_PLUGINS` and settings in `APP_CONF_OVERRIDE` can be specified via the UI as well.
+
+### Docker paths
+
+> [!NOTE]
+> See also [Backup strategies](https://github.com/jokob-sk/NetAlertX/blob/main/docs/BACKUPS.md).
+
+| Required | Path | Description |
+| :------------- | :------------- | :-------------|
+| ✅ | `:/data` | Folder which will contain the `/db/app.db`, `/config/app.conf` & `/config/devices.csv` ([read about devices.csv](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEVICES_BULK_EDITING.md)) files  |
+| ✅ | `/etc/localtime:/etc/localtime:ro` | Ensuring the timezone is teh same as on teh server.  |
+| | `:/tmp/log` |  Logs folder useful for debugging if you have issues setting up the container  |
+| | `:/tmp/api` |  The [API endpoint](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md) containing static (but regularly updated) json and other files. Path configurable via `NETALERTX_API` environment variable.   |
+| | `:/app/front/plugins/<plugin>/ignore_plugin` | Map a file `ignore_plugin` to ignore a plugin. Plugins can be soft-disabled via settings. More in the [Plugin docs](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md).  |
+| | `:/etc/resolv.conf` | Use a custom `resolv.conf` file for [better name resolution](https://github.com/jokob-sk/NetAlertX/blob/main/docs/REVERSE_DNS.md).  |
+
+> Use separate `db` and `config` directories, do not nest them.
+
+### Initial setup
+
+- If unavailable, the app generates a default `app.conf` and `app.db` file on the first run.
+- The preferred way is to manage the configuration via the Settings section in the UI, if UI is inaccessible you can modify [app.conf](https://github.com/jokob-sk/NetAlertX/tree/main/back) in the `/data/config/` folder directly
+
+#### Setting up scanners
+
+You have to specify which network(s) should be scanned. This is done by entering subnets that are accessible from the host. If you use the default `ARPSCAN` plugin, you have to specify at least one valid subnet and interface in the `SCAN_SUBNETS` setting. See the documentation on [How to set up multiple SUBNETS, VLANs and what are limitations](https://github.com/jokob-sk/NetAlertX/blob/main/docs/SUBNETS.md) for troubleshooting and more advanced scenarios.
+
+If you are running PiHole you can synchronize devices directly. Check the [PiHole configuration guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PIHOLE_GUIDE.md) for details.
+
+> [!NOTE]
+> You can bulk-import devices via the [CSV import method](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEVICES_BULK_EDITING.md).
+
+#### Community guides
+
+You can read or watch several [community configuration guides](https://github.com/jokob-sk/NetAlertX/blob/main/docs/COMMUNITY_GUIDES.md) in Chinese, Korean, German, or French.
+
+> Please note these might be outdated. Rely on official documentation first.
+
+#### Common issues
+
+- Before creating a new issue, please check if a similar issue was [already resolved](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue+is%3Aclosed).
+- Check also common issues and [debugging tips](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEBUG_TIPS.md).
+
+## 💙 Support me
+
+| [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) |
+| --- | --- | --- |
+
+- Bitcoin: `1N8tupjeCK12qRVU2XrV17WvKK7LCawyZM`
+- Ethereum: `0x6e2749Cb42F4411bc98501406BdcD82244e3f9C7`
+
+> 📧 Email me at [netalertx@gmail.com](mailto:netalertx@gmail.com?subject=NetAlertX Donations) if you want to get in touch or if I should add other sponsorship platforms.
--- a/docs/DOCKER_MAINTENANCE.md
+++ b/docs/DOCKER_MAINTENANCE.md
@@ -0,0 +1,203 @@
+# The NetAlertX Container Operator's Guide
+
+> [!WARNING]
+> ⚠️ **Important:** The docker-compose has recently changed. Carefully read the [Migration guide](https://jokob-sk.github.io/NetAlertX/MIGRATION/?h=migrat#12-migration-from-netalertx-v25524) for detailed instructions.
+
+This guide assumes you are starting with the official `docker-compose.yml` file provided with the project. We strongly recommend you start with or migrate to this file as your baseline and modify it to suit your specific needs (e.g., changing file paths). While there are many ways to configure NetAlertX, the default file is designed to meet the mandatory security baseline with layer-2 networking capabilities while operating securely and without startup warnings.
+
+This guide provides direct, concise solutions for common NetAlertX administrative tasks. It is structured to help you identify a problem, implement the solution, and understand the details.
+
+## Guide Contents
+
+- Using a Local Folder for Configuration
+- Migrating from a Local Folder to a Docker Volume
+- Applying a Custom Nginx Configuration
+- Mounting Additional Files for Plugins
+
+
+> [!NOTE]
+>
+>  Other relevant resources
+>  - [Fixing Permission Issues](./FILE_PERMISSIONS.md)
+>  - [Handling Backups](./BACKUPS.md)
+>  - [Accessing Application Logs](./LOGGING.md)
+
+---
+
+## Task: Using a Local Folder for Configuration
+
+### Problem
+
+You want to edit your `app.conf` and other configuration files directly from your host machine, instead of using a Docker-managed volume.
+
+### Solution
+
+1. Stop the container:
+
+   ```bash
+   docker-compose down
+   ```
+2. (Optional but Recommended) Back up your data using the method in Part 1.
+3. Create a local folder on your host machine (e.g., `/data/netalertx_config`).
+4. Edit `docker-compose.yml`:
+
+   * **Comment out** the `netalertx_config` volume entry.
+   * **Uncomment** and **set the path** for the "Example custom local folder" bind mount entry.
+
+   ```yaml
+   ...
+       volumes:
+         # - type: volume
+         #   source: netalertx_config
+         #   target: /data/config
+         #   read_only: false
+   ...
+       # Example custom local folder called /data/netalertx_config
+       - type: bind
+         source: /data/netalertx_config
+         target: /data/config
+         read_only: false
+   ...
+   ```
+5. (Optional) Restore your backup.
+6. Restart the container:
+
+   ```bash
+   docker-compose up -d
+   ```
+
+### About This Method
+
+This replaces the Docker-managed volume with a "bind mount." This is a direct mapping between a folder on your host computer (`/data/netalertx_config`) and a folder inside the container (`/data/config`), allowing you to edit the files directly.
+
+---
+
+## Task: Migrating from a Local Folder to a Docker Volume
+
+### Problem
+
+You are currently using a local folder (bind mount) for your configuration (e.g., `/data/netalertx_config`) and want to switch to the recommended Docker-managed volume (`netalertx_config`).
+
+### Solution
+
+1. Stop the container:
+
+   ```bash
+   docker-compose down
+   ```
+2. Edit `docker-compose.yml`:
+
+   * **Comment out** the bind mount entry for your local folder.
+   * **Uncomment** the `netalertx_config` volume entry.
+
+   ```yaml
+   ...
+       volumes:
+         - type: volume
+           source: netalertx_config
+           target: /data/config
+           read_only: false
+   ...
+       # Example custom local folder called /data/netalertx_config
+       # - type: bind
+       #   source: /data/netalertx_config
+       #   target: /data/config
+       #   read_only: false
+   ...
+   ```
+3. (Optional) Initialize the volume:
+
+   ```bash
+   docker-compose up -d && docker-compose down
+   ```
+4. Run the migration command (**replace `/data/netalertx_config` with your actual path**):
+
+   ```bash
+   docker run --rm -v netalertx_config:/config -v /data/netalertx_config:/local-config alpine \
+     sh -c "tar -C /local-config -c . | tar -C /config -x"
+   ```
+5. Restart the container:
+
+   ```bash
+   docker-compose up -d
+   ```
+
+### About This Method
+
+This uses a temporary `alpine` container that mounts *both* your source folder (`/local-config`) and destination volume (`/config`). The `tar ... | tar ...` command safely copies all files, including hidden ones, preserving structure.
+
+---
+
+## Task: Applying a Custom Nginx Configuration
+
+### Problem
+
+You need to override the default Nginx configuration to add features like LDAP, SSO, or custom SSL settings.
+
+### Solution
+
+1. Stop the container:
+
+   ```bash
+   docker-compose down
+   ```
+2. Create your custom config file on your host (e.g., `/data/my-netalertx.conf`).
+3. Edit `docker-compose.yml`:
+
+   ```yaml
+   ...
+       # Use a custom Enterprise-configured nginx config for ldap or other settings
+       - /data/my-netalertx.conf:/tmp/nginx/active-config/netalertx.conf:ro
+   ...
+   ```
+4. Restart the container:
+
+   ```bash
+   docker-compose up -d
+   ```
+
+### About This Method
+
+Docker’s bind mount overlays your host file (`my-netalertx.conf`) on top of the default file inside the container. The container remains read-only, but Nginx reads your file as if it were the default.
+
+---
+
+## Task: Mounting Additional Files for Plugins
+
+### Problem
+
+A plugin (like `DHCPLSS`) needs to read a file from your host machine (e.g., `/var/lib/dhcp/dhcpd.leases`).
+
+### Solution
+
+1. Stop the container:
+
+   ```bash
+   docker-compose down
+   ```
+2. Edit `docker-compose.yml` and add a new line under the `volumes:` section:
+
+   ```yaml
+   ...
+       volumes:
+   ...
+         # Mount for DHCPLSS plugin
+         - /var/lib/dhcp/dhcpd.leases:/mnt/dhcpd.leases:ro
+   ...
+   ```
+3. Restart the container:
+
+   ```bash
+   docker-compose up -d
+   ```
+4. In the NetAlertX web UI, configure the plugin to read from:
+
+   ```
+   /mnt/dhcpd.leases
+   ```
+
+### About This Method
+
+This maps your host file to a new, read-only (`:ro`) location inside the container. The plugin can then safely read this file without exposing anything else on your host filesystem.
+
+
--- a/docs/DOCKER_PORTAINER.md
+++ b/docs/DOCKER_PORTAINER.md
@@ -8,12 +8,12 @@ This guide shows you how to set up **NetAlertX** using Portainer’s **Stacks**

 ## 1. Prepare Your Host

-Before deploying, make sure you have a folder on your Docker host for NetAlertX data. Replace `APP_FOLDER` with your preferred location, for example `/opt` here:
+Before deploying, make sure you have a folder on your Docker host for NetAlertX data. Replace `APP_FOLDER` with your preferred location, for example `/local_data_dir` here:

 ```bash
-mkdir -p /opt/netalertx/config
-mkdir -p /opt/netalertx/db
-mkdir -p /opt/netalertx/log
+mkdir -p /local_data_dir/netalertx/config
+mkdir -p /local_data_dir/netalertx/db
+mkdir -p /local_data_dir/netalertx/log
 ```

 ---
@@ -34,32 +34,27 @@ Copy and paste the following YAML into the **Web editor**:
 services:
  netalertx:
    container_name: netalertx
-
    # Use this line for stable release
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-
+    image: "ghcr.io/jokob-sk/netalertx:latest"
    # Or, use this for the latest development build
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
    network_mode: "host"
    restart: unless-stopped
-
+    cap_drop:       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:        # Re-add necessary capabilities
+      - NET_RAW
+      - NET_ADMIN
+      - NET_BIND_SERVICE
    volumes:
-      - ${APP_FOLDER}/netalertx/config:/app/config
-      - ${APP_FOLDER}/netalertx/db:/app/db
-      # Optional: logs (useful for debugging setup issues, comment out for performance)
-      - ${APP_FOLDER}/netalertx/log:/app/log
-
-      # API storage options:
-      # (Option 1) tmpfs (default, best performance)
-      - type: tmpfs
-        target: /app/api
-
-      # (Option 2) bind mount (useful for debugging)
-      # - ${APP_FOLDER}/netalertx/api:/app/api
-
+      - ${APP_FOLDER}/netalertx/config:/data/config
+      - ${APP_FOLDER}/netalertx/db:/data/db
+      # to sync with system time
+      - /etc/localtime:/etc/localtime:ro
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
-      - TZ=${TZ}
      - PORT=${PORT}
      - APP_CONF_OVERRIDE=${APP_CONF_OVERRIDE}
 ```
@@ -70,14 +65,26 @@ services:

 In the **Environment variables** section of Portainer, add the following:

-* `APP_FOLDER=/opt` (or wherever you created the directories in step 1)
-* `TZ=Europe/Berlin` (replace with your timezone)
+* `APP_FOLDER=/local_data_dir` (or wherever you created the directories in step 1)
 * `PORT=22022` (or another port if needed)
-* `APP_CONF_OVERRIDE={"GRAPHQL_PORT":"22023"}` (optional advanced settings)
+* `APP_CONF_OVERRIDE={"GRAPHQL_PORT":"22023"}` (optional advanced settings, otherwise the backend API server PORT defaults to `20212`)

 ---

-## 5. Deploy the Stack
+## 5. Ensure permissions
+
+> [!TIP]
+> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+>
+>  `sudo chown -R 20211:20211 /local_data_dir`
+>
+>  `sudo chmod -R a+rwx  /local_data_dir`
+>
+
+
+---
+
+## 6. Deploy the Stack

 1. Scroll down and click **Deploy the stack**.
 2. Portainer will pull the image and start NetAlertX.
@@ -89,9 +96,9 @@ http://<your-docker-host-ip>:22022

 ---

-## 6. Verify and Troubleshoot
+## 7. Verify and Troubleshoot

 * Check logs via Portainer → **Containers** → `netalertx` → **Logs**.
 * Logs are stored under `${APP_FOLDER}/netalertx/log` if you enabled that volume.

-Once the application is running, configure it by reading the [initial setup](INITIAL_SETUP.md) guide, or [troubleshoot common issues](COMMON_ISSUES.md). 
+Once the application is running, configure it by reading the [initial setup](INITIAL_SETUP.md) guide, or [troubleshoot common issues](COMMON_ISSUES.md).
--- a/docs/DOCKER_SWARM.md
+++ b/docs/DOCKER_SWARM.md
@@ -41,15 +41,7 @@ Use the following Compose snippet to deploy NetAlertX with a **static LAN IP** a
 services:
  netalertx:
    image: ghcr.io/jokob-sk/netalertx:latest
-    ports:
-      - 20211:20211
-    volumes:
-      - /mnt/YOUR_SERVER/netalertx/config:/app/config:rw
-      - /mnt/YOUR_SERVER/netalertx/db:/netalertx/app/db:rw
-      - /mnt/YOUR_SERVER/netalertx/logs:/netalertx/app/log:rw
-    environment:
-      - TZ=Europe/London
-      - PORT=20211
+...
    networks:
      swarm-ipvlan:
        ipv4_address: 192.168.1.240     # ⚠️ Choose a free IP from your LAN
--- a/docs/FILE_PERMISSIONS.md
+++ b/docs/FILE_PERMISSIONS.md
@@ -1,23 +1,96 @@
-# Managing File Permissions for NetAlertX on Nginx with Docker
+# Managing File Permissions for NetAlertX on a Read-Only Container
+
+Sometimes, permission issues arise if your existing host directories were created by a previous container running as root or another UID. The container will fail to start with "Permission Denied" errors.

 > [!TIP]
-> If you are facing permission issues, try to start the container without mapping your volumes. If that works, then the issue is permission related. You can try e.g., the following command: 
->  ``` 
->  docker run -d --rm --network=host \
->  -e TZ=Europe/Berlin \
->  -e PUID=200 -e PGID=200 \
->  -e PORT=20211 \
->  ghcr.io/jokob-sk/netalertx:latest
-> ```
-NetAlertX runs on an Nginx web server. On Alpine Linux, Nginx operates as the `nginx` user (if PUID and GID environment variables are not specified, nginx user UID will be set to 102, and its supplementary group `www-data` ID to 82). Consequently, files accessed or written by the NetAlertX application are owned by `nginx:www-data`.
+> NetAlertX runs in a **secure, read-only Alpine-based container** under a dedicated `netalertx` user (UID 20211, GID 20211). All writable paths are either mounted as **persistent volumes** or **`tmpfs` filesystems**. This ensures consistent file ownership and prevents privilege escalation.

-Upon starting, NetAlertX changes nginx user UID and www-data GID to specified values (or defaults), and the ownership of files on the host system mapped to `/app/config` and `/app/db` in the container to `nginx:www-data`. This ensures that Nginx can access and write to these files. Since the user in the Docker container is mapped to a user on the host system by ID:GID, the files in `/app/config` and `/app/db` on the host system are owned by a user with the same ID and GID (defaults are ID 102 and GID 82). On different systems, this ID:GID may belong to different users, or there may not be a group with ID 82 at all.
+Try starting the container with all data to be in non-persistent volumes. If this works, the issue might be related to the permissions of your persistent data mount locations on your server.

-Option to set specific user UID and GID can be useful for host system users needing to access these files (e.g., backup scripts).
+```bash
+docker run --rm --network=host \
+  -v /etc/localtime:/etc/localtime:ro \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
+  -e PORT=20211 \
+  ghcr.io/jokob-sk/netalertx:latest
+```
+
+> [!WARNING]
+> The above should be only used as a test - once the container restarts, all data is lost.
+
+---
+
+## Writable Paths
+
+NetAlertX requires certain paths to be writable at runtime. These paths should be mounted either as **host volumes** or **`tmpfs`** in your `docker-compose.yml` or `docker run` command:
+
+| Path                                 | Purpose                             | Notes                                                  |
+| ------------------------------------ | ----------------------------------- | ------------------------------------------------------ |
+| `/data/config`                        | Application configuration           | Persistent volume recommended                          |
+| `/data/db`                            | Database files                      | Persistent volume recommended                          |
+| `/tmp/log`                           | Logs                                | Lives under `/tmp`; optional host bind to retain logs  |
+| `/tmp/api`                           | API cache                           | Subdirectory of `/tmp`                                 |
+| `/tmp/nginx/active-config` | Active nginx configuration override | Mount `/tmp` (or override specific file)               |
+| `/tmp/run`                      | Runtime directories for nginx & PHP | Subdirectory of `/tmp`                                 |
+| `/tmp`                               | PHP session save directory          | Backed by `tmpfs` for runtime writes                   |
+
+> Mounting `/tmp` as `tmpfs` automatically covers all of its subdirectories (`log`, `api`, `run`, `nginx/active-config`, etc.).
+
+> All these paths will have **UID 20211 / GID 20211** inside the container. Files on the host will appear owned by `20211:20211`.
+
+---
+
+### Solution
+
+1. **Run the container once as root** (`--user "0"`) to allow it to correct permissions automatically:
+
+```bash
+docker run -it --rm --name netalertx --user "0" \
+  -v /local_data_dir:/data \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
+  ghcr.io/jokob-sk/netalertx:latest
+```
+
+2. Wait for logs showing **permissions being fixed**. The container will then **hang intentionally**.
+3. Press **Ctrl+C** to stop the container.
+4. Start the container normally with your `docker-compose.yml` or `docker run` command.
+
+> The container startup script detects `root` and runs `chown -R 20211:20211` on all volumes, fixing ownership for the secure `netalertx` user.
+
+> [!TIP]
+> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+>
+>  `sudo chown -R 20211:20211 /local_data_dir`
+>
+>  `sudo chmod -R a+rwx  /local_data_dir`
+>
+
+---
+
+## Example: docker-compose.yml with `tmpfs`
+
+```yaml
+services:
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx"
+    network_mode: "host"
+    cap_drop:                                       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:                                        # Add only the necessary capabilities
+      - NET_ADMIN                                   # Required for ARP scanning
+      - NET_RAW                                     # Required for raw socket operations
+      - NET_BIND_SERVICE                            # Required to bind to privileged ports (nbtscan)
+    restart: unless-stopped
+    volumes:
+      - /local_data_dir:/data
+      - /etc/localtime:/etc/localtime
+    environment:
+      - PORT=20211
+    tmpfs:
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+```
+
+> This setup ensures all writable paths are either in `tmpfs` or host-mounted, and the container never writes outside of controlled volumes.

-### Permissions Table for Individual Folders

-| Folder         | User   | User ID | Group     | Group ID | Permissions | Notes                                                               |
-|----------------|--------|---------|-----------|----------|-------------|---------------------------------------------------------------------|
-| `/app/config`  | nginx  | PUID (default 102)     | www-data  | PGID (default 82)       | rwxr-xr-x   | Ensure `nginx` can read/write; other users can read if in `www-data` |
-| `/app/db`      | nginx  | PUID (default 102)     | www-data  | PGID (default 82)       | rwxr-xr-x   | Same as above                                                       |
--- a/docs/HELPER_SCRIPTS.md
+++ b/docs/HELPER_SCRIPTS.md
@@ -1,4 +1,4 @@
-# NetAlertX Community Helper Scripts Overview
+# Community Helper Scripts Overview

 This page provides an overview of community-contributed scripts for NetAlertX. These scripts are not actively maintained and are provided as-is.

@@ -14,8 +14,8 @@ You can find all scripts in this [scripts GitHub folder](https://github.com/joko

 ## Important Notes

-> [!NOTE]  
-> These scripts are community-supplied and not actively maintained. Use at your own discretion.  
+> [!NOTE]
+> These scripts are community-supplied and not actively maintained. Use at your own discretion.

 For detailed usage instructions, refer to each script's documentation in each [scripts GitHub folder](https://github.com/jokob-sk/NetAlertX/tree/main/scripts).

--- a/docs/HW_INSTALL.md
+++ b/docs/HW_INSTALL.md
@@ -5,7 +5,7 @@ To download and install NetAlertX on the hardware/server directly use the `curl`
 > [!NOTE]
 > This is an Experimental feature 🧪 and it relies on community support.
 >
-> 🙏 Looking for maintainers for this installation method 🙂 Current community volunteers: 
+> 🙏 Looking for maintainers for this installation method 🙂 Current community volunteers:
 >   - [slammingprogramming](https://github.com/slammingprogramming)
 >   - [ingoratsdorf](https://github.com/ingoratsdorf)
 >
@@ -13,8 +13,7 @@ To download and install NetAlertX on the hardware/server directly use the `curl`
 > Data loss is a possibility, **it is recommended to install NetAlertX using the supplied Docker image**.

 > [!WARNING]
-> A warning to the installation method below: Piping to bash is [controversial](https://pi-hole.net/2016/07/25/curling-and-piping-to-bash) and may
-be dangerous, as you cannot see the code that's about to be executed on your system.
+> A warning to the installation method below: Piping to bash is [controversial](https://pi-hole.net/2016/07/25/curling-and-piping-to-bash) and may be dangerous, as you cannot see the code that's about to be executed on your system.

 If you trust this repo, you can download the install script via one of the methods (curl/wget) below and it will fo its best to install NetAlertX on your system.

@@ -40,7 +39,7 @@ Some facts about what and where something will be changed/installed by the HW in
 - Only tested to work on the system listed in the install directory.
 - **EXPERIMENTAL** and not recommended way to install NetAlertX.

-> [!TIP]  
+> [!TIP]
 > If the below fails try grabbing and installing one of the [previous releases](https://github.com/jokob-sk/NetAlertX/releases) and run the installation from the zip package.

 These commands will download the `install.debian12.sh` script from the GitHub repository, make it executable with `chmod`, and then run it using `./install.debian12.sh`.
@@ -81,7 +80,7 @@ wget https://raw.githubusercontent.com/jokob-sk/NetAlertX/main/install/ubuntu24/

 > [!NOTE]
 > Use this on a clean LXC/VM for Debian 13 OR Ubuntu 24.
-> The Scipt will detect OS and build acordingly. 
+> The Scipt will detect OS and build acordingly.
 > Maintained by [JVKeller](https://github.com/JVKeller)

 ### Installation via wget
--- a/docs/INSTALLATION.md
+++ b/docs/INSTALLATION.md
@@ -4,7 +4,7 @@

 NetAlertX can be installed several ways. The best supported option is Docker, followed by a supervised Home Assistant instance, as an Unraid app, and lastly, on bare metal. 

- [[Installation] Docker (recommended)](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md) 
+- [[Installation] Docker (recommended)](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) 
 - [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx) 
 - [[Installation] Unraid App](https://unraid.net/community/apps) 
 - [[Installation] Bare metal (experimental - looking for maintainers)](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md) 
--- a/docs/LOGGING.md
+++ b/docs/LOGGING.md
@@ -1,17 +1,15 @@
 # Logging

-NetAlertX comes with several logs that help to identify application issues. 
-
-For plugin-specific log debugging, please read the [Debug Plugins](./DEBUG_PLUGINS.md) guide.
-
-When debugging any issue, increase the `LOG_LEVEL` Setting as per the [Debug tips](./DEBUG_TIPS.md) documentation.
+NetAlertX comes with several logs that help to identify application issues. These include nginx logs, app, or plugin logs. For plugin-specific log debugging, please read the [Debug Plugins](./DEBUG_PLUGINS.md) guide.

+> [!NOTE]
+> When debugging any issue, increase the `LOG_LEVEL` Setting as per the [Debug tips](./DEBUG_TIPS.md) documentation.

 ## Main logs

 You can find most of the logs exposed in the UI under _Maintenance -> Logs_. 

-If the UI is inaccessible, you can access them under `/app/log`.
+If the UI is inaccessible, you can access them under `/tmp/log`.

 ![Logs](./img/LOGGING/maintenance_logs.png)

@@ -24,3 +22,54 @@ If a Plugin supplies data to the main app it's done either vie a SQL query or vi
 The data is in most of the cases then displayed in the application under _Integrations -> Plugins_ (or _Device -> Plugins_ if the plugin is supplying device-specific data). 

 ![Plugin objects](./img/LOGGING/logging_integrations_plugins.png)
+
+## Viewing Logs on the File System
+
+You cannot find any log files on the filesystem. The container is `read-only` and writes logs to a temporary in-memory filesystem (`tmpfs`) for security and performance. The application follows container best-practices by writing all logs to the standard output (`stdout`) and standard error (`stderr`) streams. Docker's logging driver (set in `docker-compose.yml`) captures this stream automatically, allowing you to access it with the `docker logs <image_name>` command.
+
+* **To see all logs since the last restart:**
+
+  ```bash
+  docker logs netalertx
+  ```
+* **To watch the logs live (live feed):**
+
+  ```bash
+  docker logs -f netalertx
+  ```
+## Enabling Persistent File-Based Logs
+
+The default logs are erased every time the container restarts because they are stored in temporary in-memory storage (`tmpfs`). If you need to keep a persistent, file-based log history, follow the steps below.
+
+> [!NOTE]
+> This might lead to performance degradation so this approach is only suggested when actively debugging issues. See the [Performance optimization](./PERFORMANCE.md) documentation for details.
+
+1. Stop the container:
+
+   ```bash
+   docker-compose down
+   ```
+
+2. Edit your `docker-compose.yml` file:
+
+   * **Comment out** the `/tmp/log` line under the `tmpfs:` section.
+   * **Uncomment** the "Retain logs" line under the `volumes:` section and set your desired host path.
+
+   ```yaml
+   ...
+       tmpfs:
+         # - "/tmp/log:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+   ...
+       volumes:
+   ...
+         # Retain logs - comment out tmpfs /tmp/log if you want to retain logs between container restarts
+         - /home/adam/netalertx_logs:/tmp/log
+   ...
+   ```
+3. Restart the container:
+
+   ```bash
+   docker-compose up -d
+   ```
+
+This change stops Docker from mounting a temporary in-memory volume at `/tmp/log`. Instead, it "bind mounts" a persistent folder from your host computer (e.g., `/data/netalertx_logs`) to that *same location* inside the container. 
--- a/docs/MIGRATION.md
+++ b/docs/MIGRATION.md
@@ -1,138 +1,292 @@
-# Migration form PiAlert to NetAlertX
+# Migration

-> [!WARNING] 
-> Follow this guide only after you you downloaded and started a version of NetAlertX prior to v25.6.7 (e.g. `docker pull ghcr.io/jokob-sk/netalertx:25.5.24`) at least once after previously using the PiAlert image. Later versions don't support migration and devices and settings will have to migrated manually, e.g. via [CSV import](./DEVICES_BULK_EDITING.md).
+When upgrading from older versions of NetAlertX (or PiAlert by jokob-sk), follow the migration steps below to ensure your data and configuration are properly transferred.

-## STEPS: 
+> [!TIP]
+> It's always important to have a [backup strategy](./BACKUPS.md) in place.

-> [!TIP] 
-> In short: The application will auto-migrate the database, config, and all device information. A ticker message on top will be displayed until you update your docker mount points. It's always good to have a [backup strategy](./BACKUPS.md) in place.
+## Migration scenarios

-1. Backup your current config and database (optional `devices.csv` to have a backup) (See bellow tip if facing issues)
-2. Stop the container 
-2. Update the Docker file mount locations in your `docker-compose.yml` or docker run command (See bellow **New Docker mount locations**). 
-3. Rename the DB and conf files to `app.db` and `app.conf` and place them in the appropriate location.
-4. Start the Container
+- You are running PiAlert (by jokob-sk)
+  → [Read the 1.1 Migration from PiAlert to NetAlertX `v25.5.24`](#11-migration-from-pialert-to-netalertx-v25524)
+
+- You are running NetAlertX (by jokob-sk) `25.5.24` or older
+  → [Read the 1.2 Migration from NetAlertX `v25.5.24`](#12-migration-from-netalertx-v25524)
+
+- You are running NetAlertX (by jokob-sk) (`v25.6.7` to `v25.10.1`)
+  → [Read the 1.3 Migration from NetAlertX `v25.10.1`](#13-migration-from-netalertx-v25101)


-> [!TIP] 
-> If you have troubles accessing past backups, config or database files you can copy them into the newly mapped directories, for example by running this command in the container:  `cp -r /app/config /home/pi/pialert/config/old_backup_files`. This should create a folder in the `config` directory called `old_backup_files` conatining all the files in that location. Another approach is to map the old location and the new one at the same time to copy things over. 
+### 1.0 Manual Migration
+
+You can migrate data manually, for example by exporting and importing devices using the [CSV import](./DEVICES_BULK_EDITING.md) method.


-### New Docker mount locations
+### 1.1 Migration from PiAlert to NetAlertX `v25.5.24`

-The application installation folder in the docker container has changed from `/home/pi/pialert` to `/app`. That means the new mount points are:
+#### STEPS:

- | Old mount point | New mount point | 
- |----------------------|---------------| 
- | `/home/pi/pialert/config` | `/app/config` |
- | `/home/pi/pialert/db` | `/app/db` |
+The application will automatically migrate the database, configuration, and all device information.
+A banner message will appear at the top of the web UI reminding you to update your Docker mount points.
+
+1. Stop the container
+2. [Back up your setup](./BACKUPS.md)
+3. Update the Docker file mount locations in your `docker-compose.yml` or docker run command (See below **New Docker mount locations**).
+4. Rename the DB and conf files to `app.db` and `app.conf` and place them in the appropriate location.
+5. Start the container
+
+
+> [!TIP]
+> If you have trouble accessing past backups, config or database files you can copy them into the newly mapped directories, for example by running this command in the container:  `cp -r /data/config /home/pi/pialert/config/old_backup_files`. This should create a folder in the `config` directory called `old_backup_files` containing all the files in that location. Another approach is to map the old location and the new one at the same time to copy things over.
+
+#### New Docker mount locations
+
+The internal application path in the container has changed from `/home/pi/pialert` to `/app`. Update your volume mounts as follows:
+
+ | Old mount point | New mount point |
+ |----------------------|---------------|
+ | `/home/pi/pialert/config` | `/data/config` |
+ | `/home/pi/pialert/db` | `/data/db` |


 If you were mounting files directly, please note the file names have changed:

- | Old file name | New file name | 
- |----------------------|---------------| 
+ | Old file name | New file name |
+ |----------------------|---------------|
 | `pialert.conf` | `app.conf` |
 | `pialert.db` | `app.db` |


-> [!NOTE] 
-> The application uses symlinks linking the old db and config locations to the new ones, so data loss should not occur. [Backup strategies](./BACKUPS.md) are still recommended to backup your setup.
+> [!NOTE]
+> The application automatically creates symlinks from the old database and config locations to the new ones, so data loss should not occur. Read the [backup strategies](./BACKUPS.md) guide to backup your setup.


-# Examples
+#### Examples

 Examples of docker files with the new mount points.

-## Example 1: Mapping folders
+##### Example 1: Mapping folders

-### Old docker-compose.yml
+###### Old docker-compose.yml

 ```yaml
 services:
  pialert:
    container_name: pialert
    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "jokobsk/pialert:latest"      
-    network_mode: "host"        
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
+    image: "jokobsk/pialert:latest"
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - local/path/config:/home/pi/pialert/config  
-      - local/path/db:/home/pi/pialert/db         
+      - /local_data_dir/config:/home/pi/pialert/config
+      - /local_data_dir/db:/home/pi/pialert/db
      # (optional) useful for debugging if you have issues setting up the container
-      - local/path/logs:/home/pi/pialert/front/log
+      - /local_data_dir/logs:/home/pi/pialert/front/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

-### New docker-compose.yml
+###### New docker-compose.yml

 ```yaml
 services:
-  netalertx:                                  # ⚠  This has changed (🟡optional) 
-    container_name: netalertx                 # ⚠  This has changed (🟡optional) 
-    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"         # ⚠  This has changed (🟡optional/🔺required in future) 
-    network_mode: "host"        
+  netalertx:                                  # 🆕 This has changed
+    container_name: netalertx                 # 🆕 This has changed
+    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This has changed
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - local/path/config:/app/config         # ⚠  This has changed (🔺required) 
-      - local/path/db:/app/db                 # ⚠  This has changed (🔺required) 
+      - /local_data_dir/config:/data/config         # 🆕 This has changed
+      - /local_data_dir/db:/data/db                 # 🆕 This has changed
      # (optional) useful for debugging if you have issues setting up the container
-      - local/path/logs:/app/log        # ⚠  This has changed (🟡optional) 
+      - /local_data_dir/logs:/tmp/log        # 🆕 This has changed
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```


-## Example 2: Mapping files
+##### Example 2: Mapping files

-> [!NOTE] 
-> The recommendation is to map folders as in Example 1, map files directly only when needed. 
+> [!NOTE]
+> The recommendation is to map folders as in Example 1, map files directly only when needed.

-### Old docker-compose.yml
+###### Old docker-compose.yml

 ```yaml
 services:
  pialert:
    container_name: pialert
    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "jokobsk/pialert:latest"      
-    network_mode: "host"        
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
+    image: "jokobsk/pialert:latest"
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - local/path/config/pialert.conf:/home/pi/pialert/config/pialert.conf  
-      - local/path/db/pialert.db:/home/pi/pialert/db/pialert.db         
+      - /local_data_dir/config/pialert.conf:/home/pi/pialert/config/pialert.conf
+      - /local_data_dir/db/pialert.db:/home/pi/pialert/db/pialert.db
      # (optional) useful for debugging if you have issues setting up the container
-      - local/path/logs:/home/pi/pialert/front/log
+      - /local_data_dir/logs:/home/pi/pialert/front/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

-### New docker-compose.yml
+###### New docker-compose.yml

 ```yaml
 services:
-  netalertx:                                  # ⚠  This has changed (🟡optional) 
-    container_name: netalertx                 # ⚠  This has changed (🟡optional) 
-    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"         # ⚠  This has changed (🟡optional/🔺required in future) 
-    network_mode: "host"        
+  netalertx:                                  # 🆕 This has changed
+    container_name: netalertx                 # 🆕 This has changed
+    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This has changed
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - local/path/config/app.conf:/app/config/app.conf # ⚠  This has changed (🔺required) 
-      - local/path/db/app.db:/app/db/app.db             # ⚠  This has changed (🔺required) 
+      - /local_data_dir/config/app.conf:/data/config/app.conf # 🆕 This has changed
+      - /local_data_dir/db/app.db:/data/db/app.db             # 🆕 This has changed
      # (optional) useful for debugging if you have issues setting up the container
-      - local/path/logs:/app/log                  # ⚠  This has changed (🟡optional) 
+      - /local_data_dir/logs:/tmp/log                  # 🆕 This has changed
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```
+
+
+### 1.2 Migration from NetAlertX `v25.5.24`
+
+Versions before `v25.10.1` require an intermediate migration through `v25.5.24` to ensure database compatibility. Skipping this step may cause compatibility issues due to database schema changes introduced after `v25.5.24`.
+
+#### STEPS:
+
+1. Stop the container
+2. [Back up your setup](./BACKUPS.md)
+3. Upgrade to `v25.5.24` by pinning the release version (See Examples below)
+4. Start the container and verify everything works as expected.
+5. Stop the container
+6. Upgrade to `v25.10.1` by pinning the release version (See Examples below)
+7. Start the container and verify everything works as expected.
+
+#### Examples
+
+Examples of docker files with the tagged version.
+
+##### Example 1: Mapping folders
+
+###### docker-compose.yml changes
+
+```yaml
+services:
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This is important
+    network_mode: "host"
+    restart: unless-stopped
+    volumes:
+      - /local_data_dir/config:/data/config
+      - /local_data_dir/db:/data/db
+      # (optional) useful for debugging if you have issues setting up the container
+      - /local_data_dir/logs:/tmp/log
+    environment:
+      - TZ=Europe/Berlin
+      - PORT=20211
+```
+
+```yaml
+services:
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx:25.10.1"         # 🆕 This is important
+    network_mode: "host"
+    restart: unless-stopped
+    volumes:
+      - /local_data_dir/config:/data/config
+      - /local_data_dir/db:/data/db
+      # (optional) useful for debugging if you have issues setting up the container
+      - /local_data_dir/logs:/tmp/log
+    environment:
+      - TZ=Europe/Berlin
+      - PORT=20211
+```
+
+### 1.3 Migration from NetAlertX `v25.10.1`
+
+Starting from v25.10.1, the container uses a [more secure, read-only runtime environment](./SECURITY_FEATURES.md), which requires all writable paths (e.g., logs, API cache, temporary data) to be mounted as `tmpfs` or permanent writable volumes, with sufficient access [permissions](./FILE_PERMISSIONS.md). The data location has also hanged from `/app/db` and `/app/config` to `/data/db` and `/data/config`. See detailed steps below.
+
+#### STEPS:
+
+1. Stop the container
+2. [Back up your setup](./BACKUPS.md)
+3. Upgrade to `v25.10.1` by pinning the release version (See the example below)
+
+```yaml
+services:
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx:25.10.1"         # 🆕 This is important
+    network_mode: "host"
+    restart: unless-stopped
+    volumes:
+      - /local_data_dir/config:/app/config
+      - /local_data_dir/db:/app/db
+      # (optional) useful for debugging if you have issues setting up the container
+      - /local_data_dir/logs:/tmp/log
+    environment:
+      - TZ=Europe/Berlin
+      - PORT=20211
+```
+
+4. Start the container and verify everything works as expected.
+5. Stop the container.
+6. Perform a one-off migration to the latest `netalertx` image and `20211` user:
+
+> [!NOTE]
+> The example below assumes your `/config` and `/db` folders are stored in `local_data_dir`.
+> Replace this path with your actual configuration directory. `netalertx` is the container name, which might differ from your setup.
+
+```sh
+docker run -it --rm --name netalertx --user "0" \
+  -v /local_data_dir/config:/data/config \
+  -v /local_data_dir/db:/data/db \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
+  ghcr.io/jokob-sk/netalertx:latest
+```
+
+...or alternatively execute:
+
+```bash
+sudo chown -R 20211:20211 /local_data_dir
+sudo chmod -R a+rwx /local_data_dir
+```
+
+7. Stop the container
+8. Update the `docker-compose.yml` as per example below.
+
+```yaml
+services:
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx"  # 🆕 This has changed
+    network_mode: "host"
+    cap_drop:                # 🆕 New line
+      - ALL                  # 🆕 New line
+    cap_add:                 # 🆕 New line
+      - NET_RAW              # 🆕 New line
+      - NET_ADMIN            # 🆕 New line
+      - NET_BIND_SERVICE     # 🆕 New line
+    restart: unless-stopped
+    volumes:
+      - /local_data_dir:/data  # 🆕 This folder contains your /db and /config directories and the parent changed from /app to /data
+      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
+      - /etc/localtime:/etc/localtime:ro    # 🆕 New line
+    environment:
+      - PORT=20211
+    # 🆕 New "tmpfs" section START 🔽
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+    # 🆕 New "tmpfs" section END  🔼
+```
+
+9. Start the container and verify everything works as expected.
--- a/docs/NETWORK_TREE.md
+++ b/docs/NETWORK_TREE.md
@@ -1,6 +1,6 @@
 ## How to Set Up Your Network Page

-The **Network** page lets you map how devices connect — visually and logically.  
+The **Network** page lets you map how devices connect — visually and logically.
 It’s especially useful for planning infrastructure, assigning parent-child relationships, and spotting gaps.

 ![Network tree details](./img/NETWORK_TREE/Network_Sample.png)
@@ -9,11 +9,11 @@ To get started, you’ll need to define at least one root node and mark certain

 ---

-Start by creating a root device with the MAC address `Internet`, if the application didn’t create one already.  
-This special MAC address (`Internet`) is required for the root network node — no other value is currently supported.  
+Start by creating a root device with the MAC address `Internet`, if the application didn’t create one already.
+This special MAC address (`Internet`) is required for the root network node — no other value is currently supported.
 Set its **Type** to a valid network type — such as `Router` or `Gateway`.

-> [!TIP]  
+> [!TIP]
 > If you don’t have one, use the [Create new device](./DEVICE_MANAGEMENT.md#dummy-devices) button on the **Devices** page to add a root device.

 ---
@@ -21,15 +21,15 @@ Set its **Type** to a valid network type — such as `Router` or `Gateway`.
 ## ⚡ Quick Setup

 1. Open the device you want to use as a network node (e.g. a Switch).
-2. Set its **Type** to one of the following:  
-   `AP`, `Firewall`, `Gateway`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`  
+2. Set its **Type** to one of the following:
+   `AP`, `Firewall`, `Gateway`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`
   *(Or add custom types under **Settings → General → `NETWORK_DEVICE_TYPES`**.)*
 3. Save the device.
 4. Go to the **Network** page — supported device types will appear as tabs.
 5. Use the **Assign** button to connect unassigned devices to a network node.
 6. If the **Port** is `0` or empty, a Wi-Fi icon is shown. Otherwise, an Ethernet icon appears.

-> [!NOTE]  
+> [!NOTE]
 > Use [bulk editing](./DEVICES_BULK_EDITING.md) with _CSV Export_ to fix `Internet` root assignments or update many devices at once.

 ---
@@ -42,20 +42,22 @@ Let’s walk through setting up a device named `raspberrypi` to act as a network

 ### 1. Set Device Type and Parent

- Go to the **Devices** page  
+- Go to the **Devices** page
 - Open the device detail view for `raspberrypi`
 - In the **Type** dropdown, select `Switch`

 ![Device details](./img/NETWORK_TREE/Network_Device_Details.png)

- Optionally assign a **Parent Node** (where this device connects to) and the **Relationship type** of the connection.  
+- Optionally assign a **Parent Node** (where this device connects to) and the **Relationship type** of the connection.
  The `nic` relationship type can affect parent notifications — see the setting description and [Notifications documentation](./NOTIFICATIONS.md) for more.
+- A device’s parent MAC will be overwritten by plugins if its current value is any of the following: "null", "(unknown)" "(Unknown)".
+- If you want plugins to be able to overwrite the parent value (for example, when mixing plugins that do not provide parent MACs like `ARPSCAN` with those that do, like `UNIFIAPI`), you must set the setting `NEWDEV_devParentMAC` to None.

-![Device details](./img/NETWORK_TREE/Network_Device_Details_Parent.png)  
+![Device details](./img/NETWORK_TREE/Network_Device_Details_Parent.png)

-> [!NOTE]  
-> Only certain device types can act as network nodes:  
-> `AP`, `Firewall`, `Gateway`, `Hypervisor`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`  
+> [!NOTE]
+> Only certain device types can act as network nodes:
+> `AP`, `Firewall`, `Gateway`, `Hypervisor`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`
 > You can add custom types via the `NETWORK_DEVICE_TYPES` setting.

 - Click **Save**
@@ -81,7 +83,7 @@ You can confirm that `raspberrypi` now acts as a network device in two places:
 ### 3. Assign Connected Devices

 - Use the **Assign** button to link other devices (e.g. PCs) to `raspberrypi`.
- After assigning, connected devices will appear beneath the `raspberrypi` switch node.  
+- After assigning, connected devices will appear beneath the `raspberrypi` switch node.

 ![Assigned nodes](./img/NETWORK_TREE/Network_Assigned_Nodes.png)

@@ -92,9 +94,9 @@ You can confirm that `raspberrypi` now acts as a network device in two places:
 > Hovering over devices in the tree reveals connection details and tooltips for quick inspection.

 > [!NOTE]
-> Selecting certain relationship types hides the device in the default device views.  
-> You can change this behavior by adjusting the `UI_hide_rel_types` setting, which by default is set to `["nic","virtual"]`.  
-> This means devices with `devParentRelType` set to `nic` or `virtual` will not be shown.  
+> Selecting certain relationship types hides the device in the default device views.
+> You can change this behavior by adjusting the `UI_hide_rel_types` setting, which by default is set to `["nic","virtual"]`.
+> This means devices with `devParentRelType` set to `nic` or `virtual` will not be shown.
 > All devices, regardless of relationship type, are always accessible in the **All devices** view.

 ---
--- a/docs/NOTIFICATIONS.md
+++ b/docs/NOTIFICATIONS.md
@@ -44,14 +44,19 @@ In Notification Processing settings, you can specify blanket rules. These allow

 1. Notify on (`NTFPRCS_INCLUDED_SECTIONS`) allows you to specify which events trigger notifications. Usual setups will have `new_devices`, `down_devices`, and possibly `down_reconnected` set. Including `plugin` (dependenton the Plugin `<plugin>_WATCH` and `<plugin>_REPORT_ON` settings) and `events` (dependent on the on-device **Alert Events** setting) might be too noisy for most setups. More info in the [NTFPRCS plugin](https://github.com/jokob-sk/NetAlertX/blob/main/front/plugins/notification_processing/README.md) on what events these selections include. 
 2. Alert down after (`NTFPRCS_alert_down_time`) is useful if you want to wait for some time before the system sends out a down notification for a device. This is related to the on-device **Alert down** setting and only devices with this checked will trigger a down notification.
-3. A filter to allow you to set device-specific exceptions to New devices being added to the app.
-4. A filter to allow you to set device-specific exceptions to generated Events.

-## Ignoring devices 🔕
+You can filter out unwanted notifications globally. This could be because of a misbehaving device (GoogleNest/GoogleHub (See also [ARPSAN docs and the `--exclude-broadcast` flag](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/arp_scan#ip-flipping-on-google-nest-devices))) which flips between IP addresses, or because you want to ignore new device notifications of a certain pattern.
+
+1. Events Filter (`NTFPRCS_event_condition`) - Filter out Events from notifications.
+2. New Devices Filter (`NTFPRCS_new_dev_condition`) - Filter out New Devices from notifications, but log and keep a new device in the system.
+
+## Ignoring devices 💻

 ![Ignoring new devices](./img/NOTIFICATIONS/NEWDEV_ignores.png)

 You can completely ignore detected devices globally. This could be because your instance detects docker containers, you want to ignore devices from a specific manufacturer via MAC rules or you want to ignore devices on a specific IP range. 

 1. Ignored MACs (`NEWDEV_ignored_MACs`) - List of MACs to ignore.
-2. Ignored IPs (`NEWDEV_ignored_IPs`) - List of IPs to ignore. 
+2. Ignored IPs (`NEWDEV_ignored_IPs`) - List of IPs to ignore. 
+
+
--- a/docs/PERFORMANCE.md
+++ b/docs/PERFORMANCE.md
@@ -1,47 +1,50 @@
 # Performance Optimization Guide

-There are several ways to improve the application's performance. The application has been tested on a range of devices, from a Raspberry Pi 4 to NAS and NUC systems. If you are running the application on a lower-end device, carefully fine-tune the performance settings to ensure an optimal user experience.
+There are several ways to improve the application's performance. The application has been tested on a range of devices, from Raspberry Pi 4 units to NAS and NUC systems. If you are running the application on a lower-end device, fine-tuning the performance settings can significantly improve the user experience.

 ## Common Causes of Slowness

 Performance issues are usually caused by:

- **Incorrect settings** – The app may restart unexpectedly. Check `app.log` under **Maintenance → Logs** for details.
- **Too many background processes** – Disable unnecessary scanners.
- **Long scan durations** – Limit the number of scanned devices.
- **Excessive disk operations** – Optimize scanning and logging settings.
- **Failed maintenance plugins** – Ensure maintenance tasks are running properly.
+* **Incorrect settings** – The app may restart unexpectedly. Check `app.log` under **Maintenance → Logs** for details.
+* **Too many background processes** – Disable unnecessary scanners.
+* **Long scan durations** – Limit the number of scanned devices.
+* **Excessive disk operations** – Optimize scanning and logging settings.
+* **Maintenance plugin failures** – If cleanup tasks fail, performance can degrade over time.

-The application performs regular maintenance and database cleanup. If these tasks fail, performance may degrade.
+The application performs regular maintenance and database cleanup. If these tasks are failing, you will see slowdowns.

 ### Database and Log File Size

-A large database or oversized log files can slow down performance. You can check database and table sizes on the **Maintenance** page.
+A large database or oversized log files can impact performance. You can check database and table sizes on the **Maintenance** page.

 ![DB size check](./img/PERFORMANCE/db_size_check.png)

 > [!NOTE]
-> - For **~100 devices**, the database should be around **50MB**.
-> - No table should exceed **10,000 rows** in a healthy system.
-> - These numbers vary based on network activity and settings.
+>
+> * For **~100 devices**, the database should be around **50 MB**.
+> * No table should exceed **10,000 rows** in a healthy system.
+> * Actual values vary based on network activity and plugin settings.

 ---

 ## Maintenance Plugins

-Two plugins help maintain the application’s performance:
+Two plugins help maintain the system’s performance:

 ### **1. Database Cleanup (DBCLNP)**
- Responsible for database maintenance.
- Check settings in the [DB Cleanup Plugin Docs](/front/plugins/db_cleanup/README.md).
- Ensure it’s not failing by checking logs.
- Adjust the schedule (`DBCLNP_RUN_SCHD`) and timeout (`DBCLNP_RUN_TIMEOUT`) if needed.
+
+* Handles database maintenance and cleanup.
+* See the [DB Cleanup Plugin Docs](/front/plugins/db_cleanup/README.md).
+* Ensure it’s not failing by checking logs.
+* Adjust the schedule (`DBCLNP_RUN_SCHD`) and timeout (`DBCLNP_RUN_TIMEOUT`) if necessary.

 ### **2. Maintenance (MAINT)**
- Handles log cleanup and other maintenance tasks.
- Check settings in the [Maintenance Plugin Docs](/front/plugins/maintenance/README.md).
- Ensure it’s running correctly by checking logs.
- Adjust the schedule (`MAINT_RUN_SCHD`) and timeout (`MAINT_RUN_TIMEOUT`) if needed.
+
+* Cleans logs and performs general maintenance tasks.
+* See the [Maintenance Plugin Docs](/front/plugins/maintenance/README.md).
+* Verify proper operation via logs.
+* Adjust the schedule (`MAINT_RUN_SCHD`) and timeout (`MAINT_RUN_TIMEOUT`) if needed.

 ---

@@ -50,47 +53,56 @@ Two plugins help maintain the application’s performance:
 Frequent scans increase resource usage, network traffic, and database read/write cycles.

 ### **Optimizations**
- **Increase scan intervals** (`<PLUGIN>_RUN_SCHD`) on busy networks or low-end hardware.
- **Extend scan timeouts** (`<PLUGIN>_RUN_TIMEOUT`) to prevent failures.
- **Reduce the subnet size** – e.g., from `/16` to `/24` to lower scan loads.

-Some plugins have additional options to limit the number of scanned devices. If certain plugins take too long to complete, check if you can optimize scan times by selecting a scan range. 
+* **Increase scan intervals** (`<PLUGIN>_RUN_SCHD`) on busy networks or low-end hardware.
+* **Increase timeouts** (`<PLUGIN>_RUN_TIMEOUT`) to avoid plugin failures.
+* **Reduce subnet size** – e.g., use `/24` instead of `/16` to reduce scan load.

-For example, the **ICMP plugin** allows you to specify a regular expression to scan only IPs that match a specific pattern.
+Some plugins also include options to limit which devices are scanned. If certain plugins consistently run long, consider narrowing their scope.
+
+For example, the **ICMP plugin** allows scanning only IPs that match a specific regular expression.

 ---

 ## Storing Temporary Files in Memory

-On systems with slower I/O speeds, you can optimize performance by storing temporary files in memory. This primarily applies to the `/app/api` and `/app/log` folders.
+On devices with slower I/O, you can improve performance by storing temporary files (and optionally the database) in memory using `tmpfs`.

-Using `tmpfs` reduces disk writes and improves performance. However, it should be **disabled** if persistent logs or API data storage are required.
+> [!WARNING]
+> Storing the **database** in `tmpfs` is generally discouraged. Use this only if device data and historical records are not required to persist. If needed, you can pair this setup with the `SYNC` plugin to store important persistent data on another node. See the [Plugins docs](./PLUGINS.md) for details.

-Below is an optimized `docker-compose.yml` snippet:
+Using `tmpfs` reduces disk writes and speeds up I/O, but **all data stored in memory will be lost on restart**.

+Below is an optimized `docker-compose.yml` snippet using non-persistent logs, API data, and DB:

 ```yaml
-version: "3"
 services:
  netalertx:
    container_name: netalertx
-    # Uncomment the line below to test the latest dev image
+    # Use this line for the stable release
+    image: "ghcr.io/jokob-sk/netalertx:latest"
+    # Or use this line for the latest development build
    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-    network_mode: "host"        
+    network_mode: "host"
    restart: unless-stopped
-    volumes:
-      - local/path/config:/app/config
-      - local/path/db:/app/db      
-      # (Optional) Useful for debugging setup issues
-      - local/path/logs:/app/log
-      # (API: OPTION 1) Store temporary files in memory (recommended for performance)
-      - type: tmpfs              # ◀ 🔺
-        target: /app/api         # ◀ 🔺
-      # (API: OPTION 2) Store API data on disk (useful for debugging)
-      # - local/path/api:/app/api
-    environment:
-      - TZ=Europe/Berlin      
-      - PORT=20211

+    cap_drop:       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:        # Re-add necessary capabilities
+      - NET_RAW
+      - NET_ADMIN
+      - NET_BIND_SERVICE
+
+    volumes:
+      - ${APP_FOLDER}/netalertx/config:/data/config
+      - /etc/localtime:/etc/localtime:ro
+
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      - "/data/db:uid=20211,gid=20211,mode=1700"  # ⚠ You will lose historical data on restart
+
+    environment:
+      - PORT=${PORT}
+      - APP_CONF_OVERRIDE=${APP_CONF_OVERRIDE}
 ```
--- a/docs/PIHOLE_GUIDE.md
+++ b/docs/PIHOLE_GUIDE.md
@@ -1,6 +1,6 @@
 # Integration with PiHole

-NetAlertX comes with 2 plugins suitable for integarting with your existing PiHole instace. One plugin is using a direct SQLite DB connection, the other leverages the DHCP.leases file generated by PiHole. You can combine both approaches and also supplement it with other [plugins](/docs/PLUGINS.md). 
+NetAlertX comes with 2 plugins suitable for integrating with your existing PiHole instance. One plugin is using a direct SQLite DB connection, the other leverages the DHCP.leases file generated by PiHole. You can combine both approaches and also supplement it with other [plugins](/docs/PLUGINS.md). 

 ## Approach 1: `DHCPLSS` Plugin - Import devices from the PiHole DHCP leases file

--- a/docs/PLUGINS.md
+++ b/docs/PLUGINS.md
@@ -64,6 +64,7 @@ Device-detecting plugins insert values into the `CurrentScan` database table.  T
 | `LUCIRPC`       | [luci_import](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/luci_import/)                         | 🔍       | Import connected devices from OpenWRT     |          |          |
 | `MAINT`         | [maintenance](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/maintenance/)                          | ⚙        | Maintenance of logs, etc.                 |          |          |
 | `MQTT`          | [_publisher_mqtt](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/_publisher_mqtt/)                | ▶️       | MQTT for synching to Home Assistant       |          |          |
+| `MTSCAN`        | [mikrotik_scan](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/mikrotik_scan/)                    | 🔍       | Mikrotik device import & sync              |          |          |
 | `NBTSCAN`       | [nbtscan_scan](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/nbtscan_scan/)                       | 🆎       | Nbtscan (NetBIOS-based) name resolution   |          |          |
 | `NEWDEV`        | [newdev_template](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/newdev_template/)                 | ⚙        | New device template                       |          | Yes      |
 | `NMAP`          | [nmap_scan](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/nmap_scan/)                             | ♻        | Nmap port scanning & discovery            |          |          |
@@ -74,6 +75,7 @@ Device-detecting plugins insert values into the `CurrentScan` database table.  T
 | `OMDSDN`        | [omada_sdn_imp](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/omada_sdn_imp/)                    | 📥/🆎 ❌  | UNMAINTAINED use `OMDSDNOPENAPI`          | 🖧 🔄    |          |
 | `OMDSDNOPENAPI` | [omada_sdn_openapi](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/omada_sdn_openapi/)            | 📥/🆎    | OMADA TP-Link import via OpenAPI          | 🖧       |          |
 | `PIHOLE`        | [pihole_scan](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/pihole_scan/)                         | 🔍/🆎/📥 | Pi-hole device import & sync              |          |          |
+| `PIHOLEAPI`     | [pihole_api_scan](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/pihole_api_scan/)                 | 🔍/🆎/📥 | Pi-hole device import & sync via API v6+ |          |          |
 | `PUSHSAFER`     | [_publisher_pushsafer](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/_publisher_pushsafer/)      | ▶️       | Pushsafer notifications                   |          |          |
 | `PUSHOVER`      | [_publisher_pushover](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/_publisher_pushover/)        | ▶️       | Pushover notifications                    |          |          |
 | `SETPWD`        | [set_password](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/set_password/)                       | ⚙        | Set password                              |          | Yes      |
--- a/docs/PLUGINS_DEV_CONFIG.md
+++ b/docs/PLUGINS_DEV_CONFIG.md
@@ -1,146 +1,192 @@
-## config.json Lifecycle in NetAlertX
+# Plugins Implementation Details

-This document describes on a high level how `config.json` is read, processed, and used by the NetAlertX core and plugins. It also outlines the plugin output contract and the main plugin types.
+Plugins provide data to the NetAlertX core, which processes it to detect changes, discover new devices, raise alerts, and apply heuristics.

-> [!NOTE]
-> For a deep-dive on the specific configuration options and sections of the `config.json` plugin manifest, consult the [Plugins Development Guide](PLUGINS_DEV.md).
+---
+
+## Overview: Plugin Data Flow
+
+1. Each plugin runs on a defined schedule.
+2. Aligning all plugin schedules is recommended so they execute in the same loop.
+3. During execution, all plugins write their collected data into the **`CurrentScan`** table.
+4. After all plugins complete, the `CurrentScan` table is evaluated to detect **new devices**, **changes**, and **triggers**.
+
+Although plugins run independently, they contribute to the shared `CurrentScan` table.
+To inspect its contents, set `LOG_LEVEL=trace` and check for the log section:
+
+```
+================ CurrentScan table content ================
+```
+
+---
+
+## `config.json` Lifecycle
+
+This section outlines how each plugin’s `config.json` manifest is read, validated, and used by the core and plugins.
+It also describes plugin output expectations and the main plugin categories.
+
+> [!TIP]
+> For detailed schema and examples, see the [Plugin Development Guide](PLUGINS_DEV.md).

 ---

 ### 1. Loading

-* On startup, the app core loads `config.json` for each plugin.
-* The `config.json` represents a plugin manifest, that contains metadata and runtime settings.
+* On startup, the core loads `config.json` for each plugin.
+* The file acts as a **plugin manifest**, defining metadata, runtime configuration, and database mappings.

 ---

 ### 2. Validation

-* The core checks that each required settings key (such as `RUN`) for a plugin exists.
-* Invalid or missing values may be replaced with defaults, or the plugin may be disabled.
+* The core validates required keys (for example, `RUN`).
+* Missing or invalid entries may be replaced with defaults or cause the plugin to be disabled.

 ---

 ### 3. Preparation

-* The plugin’s settings (paths, commands, parameters) are prepared.
-* Database mappings (`mapped_to_table`, `database_column_definitions`) for data ingestion into the core app are parsed.
+* Plugin parameters (paths, commands, and options) are prepared for execution.
+* Database mappings (`mapped_to_table`, `database_column_definitions`) are parsed to define how data integrates with the main app.

 ---

 ### 4. Execution

-* Plugins can be run at different core app execution points, such as on schedule, once on start, after a notification, etc. 
-* At runtime, the scheduler triggers plugins according to their `interval`.
-* The plugin executes its command or script.
+* Plugins may run:
+
+  * On a fixed schedule.
+  * Once at startup.
+  * After a notification or other trigger.
+* The scheduler executes plugins according to their `interval`.

 ---

 ### 5. Parsing

-* Plugin output is expected in **pipe (`|`)-delimited format**.
-* The core parses lines into fields, matching the **plugin interface contract**.
+* Plugin output must be **pipe-delimited (`|`)**.
+* The core parses each output line following the **Plugin Interface Contract**, splitting and mapping fields accordingly.

 ---

 ### 6. Mapping

-* Each parsed field is moved into the `Plugins_` database tables and can be mapped into a configured database table.
-* Controlled by `database_column_definitions` and `mapped_to_table`.
-* Example: `Object_PrimaryID → Devices.MAC`.
+* Parsed fields are inserted into the plugin’s `Plugins_*` table.
+* Data can be mapped into other tables (e.g., `Devices`, `CurrentScan`) as defined by:
+
+  * `database_column_definitions`
+  * `mapped_to_table`
+
+**Example:** `Object_PrimaryID → devMAC`

 ---

 ### 6a. Plugin Output Contract

-Each plugin must output results in the **plugin interface contract format**, pipe (`|`)-delimited values, in the column order described under [Plugin Interface Contract](PLUGINS_DEV.md)
+All plugins must follow the **Plugin Interface Contract** defined in `PLUGINS_DEV.md`.
+Output values are pipe-delimited in a fixed order.

-#### IDs
+#### Identifiers

-  * `Object_PrimaryID` and `Object_SecondaryID` identify the record (e.g. `MAC|IP`).
+* `Object_PrimaryID` and `Object_SecondaryID` uniquely identify records (for example, `MAC|IP`).

-#### **Watched values (`Watched_Value1–4`)**
+#### Watched Values (`Watched_Value1–4`)

-  * Used by the core to detect changes between runs.
-  * Changes here can trigger **notifications**.
+* Used by the core to detect changes between runs.
+* Changes in these fields can trigger notifications.

-#### **Extra value (`Extra`)**
+#### Extra Field (`Extra`)

-  * Optional, extra field.
-  * Stored in the database but **not used for alerts**.
+* Optional additional value.
+* Stored in the database but not used for alerts.

-#### **Helper values (`Helper_Value1–3`)**
+#### Helper Values (`Helper_Value1–3`)

-  * Added for cases where more than IDs + watched + extra are needed.
-  * Can be made visible in the UI.
-  * Stored in the database but **not used for alerts**.
+* Optional auxiliary data (for display or plugin logic).
+* Stored but not alert-triggering.

-#### **Mapping matters**
+#### Mapping

-  * While the plugin output is free-form, the `database_column_definitions` and `mapped_to_table` settings in `config.json` determine the **target columns and data types** in NetAlertX.
+* While the output format is flexible, the plugin’s manifest determines the destination and type of each field.

 ---

 ### 7. Persistence

-* Data is upserted into the database.
-* Conflicts are resolved using `Object_PrimaryID` + `Object_SecondaryID`.
+* Parsed data is **upserted** into the database.
+* Conflicts are resolved using the combined key: `Object_PrimaryID + Object_SecondaryID`.

 ---

-### 8. Plugin Types and Expected Outputs
+## Plugin Categories

-Beyond the `data_source` setting, plugins fall into functional categories. Each has its own input requirements and output expectations:
+Plugins fall into several functional categories depending on their purpose and expected outputs.

-#### **Device discovery plugins**
+### 1. Device Discovery Plugins

-  * **Inputs:** `N/A`, subnet, or API for discovery service, or similar.
-  * **Outputs:** At minimum `MAC` and `IP` that results in a new or updated device records in the `Devices` table.
-  * **Mapping:** Must be mapped to the `CurrentScan` table via `database_column_definitions` and `data_filters`.
-  * **Examples:** ARP-scan, NMAP device discovery (e.g., `ARPSCAN`, `NMAPDEV`).
-
-#### **Device-data enrichment plugins**
-
-  * **Inputs:** Device identifier (usually `MAC`, `IP`).
-  * **Outputs:** Additional data for that device (e.g. open ports).
-  * **Mapping:** Controlled via `database_column_definitions` and `data_filters`.
-  * **Examples:** Ports, MQTT messages (e.g., `NMAP`, `MQTT`)
-
-#### **Name resolver plugins**
-
-  * **Inputs:** Device identifiers (MAC, IP, or hostname).
-  * **Outputs:** Updated `devName` and `devFQDN` fields.
-  * **Mapping:** Not expected.
-  * **Note:** Currently requires **core app modification** to add new plugins, not fully driven by the plugins’ `config.json`.
-  * **Examples:** Avahiscan (e.g., `NBTSCAN`, `NSLOOKUP`).
-
-#### **Generic plugins**
-
-  * **Inputs:** Whatever the script or query provides.
-  * **Outputs:** Data shown only in **Integrations → Plugins**, not tied to devices.
-  * **Mapping:** Not expected.
-  * **Examples:** External monitoring data (e.g., `INTRSPD`)
-
-#### **Configuration-only plugins**
-
-  * **Inputs/Outputs:** None at runtime.
-  * **Mapping:** Not expected. 
-  * **Examples:** Used to provide additional settings or execute scripts (e.g., `MAINT`, `CSVBCKP`).
+* **Inputs:** None, subnet, or discovery API.
+* **Outputs:** `MAC` and `IP` for new or updated device records in `Devices`.
+* **Mapping:** Required – usually into `CurrentScan`.
+* **Examples:** `ARPSCAN`, `NMAPDEV`.

 ---

-### 9. Post-Processing
+### 2. Device Data Enrichment Plugins

-* Notifications are generated if watched values change.
-* UI is updated with new or updated records.
-* All values that are configured to be shown in teh UI appear in the Plugins section.
+* **Inputs:** Device identifiers (`MAC`, `IP`).
+* **Outputs:** Additional metadata (for example, open ports or sensors).
+* **Mapping:** Controlled via manifest definitions.
+* **Examples:** `NMAP`, `MQTT`.

 ---

-### 10. Summary
+### 3. Name Resolver Plugins

-The lifecycle of `config.json` entries is:
+* **Inputs:** Device identifiers (`MAC`, `IP`, hostname`).
+* **Outputs:** Updated `devName` and `devFQDN`.
+* **Mapping:** Typically none.
+* **Note:** Adding new resolvers currently requires a core change.
+* **Examples:** `NBTSCAN`, `NSLOOKUP`.
+
+---
+
+### 4. Generic Plugins
+
+* **Inputs:** Custom, based on the plugin logic or script.
+* **Outputs:** Data displayed under **Integrations → Plugins** only.
+* **Mapping:** Not required.
+* **Examples:** `INTRSPD`, custom monitoring scripts.
+
+---
+
+### 5. Configuration-Only Plugins
+
+* **Inputs/Outputs:** None at runtime.
+* **Purpose:** Used for configuration or maintenance tasks.
+* **Examples:** `MAINT`, `CSVBCKP`.
+
+---
+
+## Post-Processing
+
+After persistence:
+
+* The core generates notifications for any watched value changes.
+* The UI updates with new or modified data.
+* Plugins with UI-enabled data display under **Integrations → Plugins**.
+
+---
+
+## Summary
+
+The lifecycle of a plugin configuration is:

 **Load → Validate → Prepare → Execute → Parse → Map → Persist → Post-process**

-Plugins must follow the **output contract**, and their category (discovery, specific, resolver, generic, config-only) defines what inputs they require and what outputs are expected.
+Each plugin must:
+
+* Follow the **output contract**.
+* Declare its type and expected output structure.
+* Define mappings and watched values clearly in `config.json`.
+
+
--- a/docs/README.md
+++ b/docs/README.md
@@ -13,13 +13,13 @@ There is also an in-app Help / FAQ section that should be answering frequently a

 #### 🐳 Docker (Fully supported)

- The main installation method is as a [docker container - follow these instructions here](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md). 
+- The main installation method is as a [docker container - follow these instructions here](./DOCKER_INSTALLATION.md).

 #### 💻 Bare-metal / On-server (Experimental/community supported 🧪)

- [(Experimental 🧪) On-hardware instructions](./HW_INSTALL.md) 
+- [(Experimental 🧪) On-hardware instructions](./HW_INSTALL.md)

- Alternative bare-metal install forks: 
+- Alternative bare-metal install forks:
  - [leiweibau's fork](https://github.com/leiweibau/Pi.Alert/) (maintained)
  - [pucherot's original code](https://github.com/pucherot/Pi.Alert/) (un-maintained)

@@ -63,7 +63,6 @@ There is also an in-app Help / FAQ section that should be answering frequently a

 #### ♻ Misc

- [Version history (legacy)](./VERSIONS_HISTORY.md)
 - [Reverse proxy (Nginx, Apache, SWAG)](./REVERSE_PROXY.md)
 - [Installing Updates](./UPDATES.md)
 - [Setting up Authelia](./AUTHELIA.md) (DRAFT)
@@ -80,27 +79,27 @@ There is also an in-app Help / FAQ section that should be answering frequently a
 - [Frontend development tips](./FRONTEND_DEVELOPMENT.md)
 - [Webhook secrets](./WEBHOOK_SECRET.md)

-Feel free to suggest or submit new docs via a PR. 
+Feel free to suggest or submit new docs via a PR.

 ## 👨‍💻 Development priorities

 Priorities from highest to lowest:

 * 🔼 Fixing core functionality bugs not solvable with workarounds
-* 🔵 New core functionality unlocking other opportunities (e.g.: plugins) 
-* 🔵 Refactoring enabling faster implementation of future functionality 
+* 🔵 New core functionality unlocking other opportunities (e.g.: plugins)
+* 🔵 Refactoring enabling faster implementation of future functionality
 * 🔽 (low) UI functionality & improvements (PRs welcome 😉)

-Design philosophy: Focus on core functionality and leverage existing apps and tools to make NetAlertX integrate into other workflows. 
+Design philosophy: Focus on core functionality and leverage existing apps and tools to make NetAlertX integrate into other workflows.

-Examples: 
+Examples:

    1. Supporting apprise makes more sense than implementing multiple individual notification gateways
-    2. Implementing regular expression support across settings for validation makes more sense than validating one setting with a specific expression. 
+    2. Implementing regular expression support across settings for validation makes more sense than validating one setting with a specific expression.

 UI-specific requests are a low priority as the framework picked by the original developer is not very extensible (and afaik doesn't support components) and has limited mobile support. Also, I argue the value proposition is smaller than working on something else.

-Feel free to submit PRs if interested. try to **keep the PRs small/on-topic** so they are easier to review and approve. 
+Feel free to submit PRs if interested. try to **keep the PRs small/on-topic** so they are easier to review and approve.

 That being said, I'd reconsider if more people and or recurring sponsors file a request 😉.

@@ -112,8 +111,8 @@ Please be as detailed as possible with **workarounds** you considered and why a

 If you submit a PR please:

-1. Check that your changes are backward compatible with existing installations and with a blank setup. 
-2. Existing features should always be preserved. 
+1. Check that your changes are backward compatible with existing installations and with a blank setup.
+2. Existing features should always be preserved.
 3. Keep the PR small, on-topic and don't change code that is not necessary for the PR to work
 4. New features code should ideally be re-usable for different purposes, not for a very narrow use case.
 5. New functionality should ideally be implemented via the Plugins system, if possible.
@@ -131,13 +130,13 @@ Suggested test cases:
 Some additional context:

 * Permanent settings/config is stored in the `app.conf` file
-* Currently temporary (session?) settings are stored in the `Parameters` DB table as key-value pairs. This table is wiped during a container rebuild/restart and its values are re-initialized from cookies/session data from the browser. 
+* Currently temporary (session?) settings are stored in the `Parameters` DB table as key-value pairs. This table is wiped during a container rebuild/restart and its values are re-initialized from cookies/session data from the browser.

 ## 🐛 Submitting an issue or bug

 Before submitting a new issue please spend a couple of minutes on research:

-* Check [🛑 Common issues](./DEBUG_TIPS.md#common-issues) 
+* Check [🛑 Common issues](./DEBUG_TIPS.md#common-issues)
 * Check [💡 Closed issues](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue+is%3Aclosed) if a similar issue was solved in the past.
 * When submitting an issue ❗[enable debug](./DEBUG_TIPS.md)❗

--- a/docs/REVERSE_DNS.md
+++ b/docs/REVERSE_DNS.md
@@ -2,21 +2,21 @@

 If you are running a DNS server, such as **AdGuard**, set up **Private reverse DNS servers** for a better name resolution on your network. Enabling this setting will enable NetAlertX to execute dig and nslookup commands to automatically resolve device names based on their IP addresses.

-> [!TIP]  
-> Before proceeding, ensure that [name resolution plugins](./NAME_RESOLUTION.md) are enabled.  
-> You can customize how names are cleaned using the `NEWDEV_NAME_CLEANUP_REGEX` setting.  
+> [!TIP]
+> Before proceeding, ensure that [name resolution plugins](/local_data_dir/NAME_RESOLUTION.md) are enabled.
+> You can customize how names are cleaned using the `NEWDEV_NAME_CLEANUP_REGEX` setting.
 > To auto-update Fully Qualified Domain Names (FQDN), enable the `REFRESH_FQDN` setting.


 > Example 1: Reverse DNS `disabled`
-> 
+>
 > ```
 > jokob@Synology-NAS:/$ nslookup 192.168.1.58
 > ** server can't find 58.1.168.192.in-addr.arpa: NXDOMAIN
 > ```

 > Example 2: Reverse DNS `enabled`
-> 
+>
 > ```
 > jokob@Synology-NAS:/$ nslookup 192.168.1.58
 > 45.1.168.192.in-addr.arpa       name = jokob-NUC.localdomain.
@@ -33,22 +33,14 @@ If you are running a DNS server, such as **AdGuard**, set up **Private reverse D

 ### Specifying the DNS in the container

-You can specify the DNS server in the docker-compose to improve name resolution on your network. 
+You can specify the DNS server in the docker-compose to improve name resolution on your network.

 ```yaml
 services:
  netalertx:
    container_name: netalertx
    image: "ghcr.io/jokob-sk/netalertx:latest"
-    restart: unless-stopped
-    volumes:
-      -  /home/netalertx/config:/app/config
-      -  /home/netalertx/db:/app/db
-      -  /home/netalertx/log:/app/log
-    environment:
-      - TZ=Europe/Berlin
-      - PORT=20211
-    network_mode: host
+...
    dns:           # specifying the DNS servers used for the container
      - 10.8.0.1
      - 10.8.0.17
@@ -56,7 +48,7 @@ services:

 ### Using a custom resolv.conf file

-You can configure a custom **/etc/resolv.conf** file in **docker-compose.yml** and set the nameserver to your LAN DNS server (e.g.: Pi-Hole). See the relevant [resolv.conf man](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html) entry for details. 
+You can configure a custom **/etc/resolv.conf** file in **docker-compose.yml** and set the nameserver to your LAN DNS server (e.g.: Pi-Hole). See the relevant [resolv.conf man](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html) entry for details.

 #### docker-compose.yml:

@@ -65,22 +57,13 @@ version: "3"
 services:
  netalertx:
    container_name: netalertx
-    image: "ghcr.io/jokob-sk/netalertx:latest"
-    restart: unless-stopped
    volumes:
-      - ./config/app.conf:/app/config/app.conf
-      - ./db:/app/db
-      - ./log:/app/log
-      - ./config/resolv.conf:/etc/resolv.conf                          # Mapping the /resolv.conf file for better name resolution
-    environment:
-      - TZ=Europe/Berlin
-      - PORT=20211
-    ports:
-      - "20211:20211"
-    network_mode: host
+...
+      - /local_data_dir/config/resolv.conf:/etc/resolv.conf                          # ⚠ Mapping the /resolv.conf file for better name resolution
+...
 ```

-#### ./config/resolv.conf:
+#### /local_data_dir/config/resolv.conf:

 The most important below is the `nameserver` entry (you can add multiple):

--- a/docs/REVERSE_PROXY.md
+++ b/docs/REVERSE_PROXY.md
@@ -2,9 +2,9 @@

 > Submitted by amazing [cvc90](https://github.com/cvc90) 🙏

-> [!NOTE] 
+> [!NOTE]
 > There are various NGINX config files for NetAlertX, some for the bare-metal install, currently Debian 12 and Ubuntu 24 (`netalertx.conf`), and one for the docker container (`netalertx.template.conf`).
-> 
+>
 > The first one you can find in the respective bare metal installer folder `/app/install/\<system\>/netalertx.conf`.
 > The docker one can be found in the [install](https://github.com/jokob-sk/NetAlertX/tree/main/install) folder. Map, or use, the one appropriate for your setup.

@@ -17,14 +17,14 @@
 2. In this file, paste the following code:

 ```
-   server { 
-     listen 80; 
-     server_name netalertx; 
-     proxy_preserve_host on; 
-     proxy_pass http://localhost:20211/; 
-     proxy_pass_reverse http://localhost:20211/; 
+   server {
+     listen 80;
+     server_name netalertx;
+     proxy_preserve_host on;
+     proxy_pass http://localhost:20211/;
+     proxy_pass_reverse http://localhost:20211/;
    }
-``` 
+```

 3. Activate the new website by running the following command:

@@ -43,18 +43,18 @@
 2. In this file, paste the following code:

 ```
-   server { 
-     listen 80; 
-     server_name netalertx; 
-     proxy_preserve_host on; 
+   server {
+     listen 80;
+     server_name netalertx;
+     proxy_preserve_host on;
     location ^~ /netalertx/ {
          proxy_pass http://localhost:20211/;
-          proxy_pass_reverse http://localhost:20211/; 
+          proxy_pass_reverse http://localhost:20211/;
          proxy_redirect ~^/(.*)$ /netalertx/$1;
-          rewrite ^/netalertx/?(.*)$ /$1 break;			
+          rewrite ^/netalertx/?(.*)$ /$1 break;
     }
    }
-``` 
+```

 3. Check your config with `nginx -t`. If there are any issues, it will tell you.

@@ -73,13 +73,13 @@
 2. In this file, paste the following code:

 ```
-   server { 
-     listen 80; 
-     server_name netalertx; 
-     proxy_preserve_host on; 
+   server {
+     listen 80;
+     server_name netalertx;
+     proxy_preserve_host on;
     location ^~ /netalertx/ {
          proxy_pass http://localhost:20211/;
-          proxy_pass_reverse http://localhost:20211/; 
+          proxy_pass_reverse http://localhost:20211/;
          proxy_redirect ~^/(.*)$ /netalertx/$1;
          rewrite ^/netalertx/?(.*)$ /$1 break;
 	  sub_filter_once off;
@@ -89,13 +89,13 @@
 	  sub_filter '(?>$host)/js'  '/netalertx/js';
 	  sub_filter '/img' '/netalertx/img';
 	  sub_filter '/lib' '/netalertx/lib';
-	  sub_filter '/php' '/netalertx/php';				
+	  sub_filter '/php' '/netalertx/php';
     }
    }
-``` 
+```

 3. Check your config with `nginx -t`. If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

   `nginx -s reload` or `systemctl restart nginx`
@@ -111,17 +111,17 @@
 2. In this file, paste the following code:

 ```
-   server { 
-     listen 443; 
-     server_name netalertx; 
+   server {
+     listen 443;
+     server_name netalertx;
     SSLEngine On;
     SSLCertificateFile /etc/ssl/certs/netalertx.pem;
     SSLCertificateKeyFile /etc/ssl/private/netalertx.key;
-     proxy_preserve_host on; 
-     proxy_pass http://localhost:20211/; 
-     proxy_pass_reverse http://localhost:20211/; 
+     proxy_preserve_host on;
+     proxy_pass http://localhost:20211/;
+     proxy_pass_reverse http://localhost:20211/;
    }
-``` 
+```

 3. Check your config with `nginx -t`. If there are any issues, it will tell you.

@@ -140,23 +140,23 @@
 2. In this file, paste the following code:

 ```
-   server { 
-     listen 443; 
-     server_name netalertx; 
+   server {
+     listen 443;
+     server_name netalertx;
     SSLEngine On;
     SSLCertificateFile /etc/ssl/certs/netalertx.pem;
     SSLCertificateKeyFile /etc/ssl/private/netalertx.key;
     location ^~ /netalertx/ {
          proxy_pass http://localhost:20211/;
-          proxy_pass_reverse http://localhost:20211/; 
+          proxy_pass_reverse http://localhost:20211/;
          proxy_redirect ~^/(.*)$ /netalertx/$1;
-          rewrite ^/netalertx/?(.*)$ /$1 break;		
+          rewrite ^/netalertx/?(.*)$ /$1 break;
     }
    }
-``` 
+```

 3. Check your config with `nginx -t`. If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

   `nginx -s reload` or `systemctl restart nginx`
@@ -172,15 +172,15 @@
 2. In this file, paste the following code:

 ```
-   server { 
-     listen 443; 
-     server_name netalertx; 
+   server {
+     listen 443;
+     server_name netalertx;
     SSLEngine On;
     SSLCertificateFile /etc/ssl/certs/netalertx.pem;
     SSLCertificateKeyFile /etc/ssl/private/netalertx.key;
     location ^~ /netalertx/ {
          proxy_pass http://localhost:20211/;
-          proxy_pass_reverse http://localhost:20211/; 
+          proxy_pass_reverse http://localhost:20211/;
          proxy_redirect ~^/(.*)$ /netalertx/$1;
          rewrite ^/netalertx/?(.*)$ /$1 break;
 	  sub_filter_once off;
@@ -190,13 +190,13 @@
 	  sub_filter '(?>$host)/js'  '/netalertx/js';
 	  sub_filter '/img' '/netalertx/img';
 	  sub_filter '/lib' '/netalertx/lib';
-	  sub_filter '/php' '/netalertx/php';		
+	  sub_filter '/php' '/netalertx/php';
     }
    }
-``` 
+```

 3. Check your config with `nginx -t`. If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

   `nginx -s reload` or `systemctl restart nginx`
@@ -218,10 +218,10 @@
         ProxyPass / http://localhost:20211/
         ProxyPassReverse / http://localhost:20211/
    </VirtualHost>
-``` 
+```

 3. Check your config with `httpd -t` (or `apache2ctl -t` on Debian/Ubuntu). If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

   `a2ensite netalertx` or `service apache2 reload`
@@ -245,10 +245,10 @@
               ProxyPassReverse / http://localhost:20211/
         }
    </VirtualHost>
-```   
+```

 3. Check your config with `httpd -t` (or `apache2ctl -t` on Debian/Ubuntu). If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

   `a2ensite netalertx` or `service apache2 reload`
@@ -273,10 +273,10 @@
         ProxyPass / http://localhost:20211/
         ProxyPassReverse / http://localhost:20211/
    </VirtualHost>
-```   
+```

 3. Check your config with `httpd -t` (or `apache2ctl -t` on Debian/Ubuntu). If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

    `a2ensite netalertx` or `service apache2 reload`
@@ -290,11 +290,11 @@
 1. On your Apache server, create a new file called /etc/apache2/sites-available/netalertx.conf.

 2. In this file, paste the following code:
-                            
+
 ```
-	<VirtualHost *:443> 
+	<VirtualHost *:443>
        ServerName netalertx
-        SSLEngine On 
+        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/netalertx.pem
        SSLCertificateKeyFile /etc/ssl/private/netalertx.key
        location ^~ /netalertx/ {
@@ -303,10 +303,10 @@
              ProxyPassReverse / http://localhost:20211/
        }
    </VirtualHost>
-```       
+```

 3. Check your config with `httpd -t` (or `apache2ctl -t` on Debian/Ubuntu). If there are any issues, it will tell you.
-   
+
 4. Activate the new website by running the following command:

   `a2ensite netalertx` or `service apache2 reload`
@@ -381,7 +381,7 @@ location ^~ /netalertx/ {

 > Submitted by [Isegrimm](https://github.com/Isegrimm) 🙏 (based on this [discussion](https://github.com/jokob-sk/NetAlertX/discussions/449#discussioncomment-7281442))

-Assuming the user already has a working Traefik setup, this is what's needed to make NetAlertX work at a URL like www.domain.com/netalertx/. 
+Assuming the user already has a working Traefik setup, this is what's needed to make NetAlertX work at a URL like www.domain.com/netalertx/.

 Note: Everything in these configs assumes '**www.domain.com**' as your domainname and '**section31**' as an arbitrary name for your certificate setup. You will have to substitute these with your own.

@@ -496,14 +496,9 @@ server {
 Mapping the updated file (on the local filesystem at `/appl/docker/netalertx/default`) into the docker container:


-```bash
-docker run -d --rm --network=host \
-  --name=netalertx \
-  -v /appl/docker/netalertx/config:/app/config \
-  -v /appl/docker/netalertx/db:/app/db \
-  -v /appl/docker/netalertx/default:/etc/nginx/sites-available/default \
-  -e TZ=Europe/Amsterdam \
-  -e PORT=20211 \
-  ghcr.io/jokob-sk/netalertx:latest
-
+```yaml
+...
+  volumes:
+    - /appl/docker/netalertx/default:/etc/nginx/sites-available/default
+...
 ```
--- a/docs/SECURITY_FEATURES.md
+++ b/docs/SECURITY_FEATURES.md
@@ -0,0 +1,85 @@
+# NetAlertX Security: A Layered Defense
+
+Your network security monitor has the "keys to the kingdom," making it a prime target for attackers. If it gets compromised, the game is over.
+
+NetAlertX is engineered from the ground up to prevent this. It's not just an app; it's a purpose-built **security appliance.** Its core design is built on a **zero-trust** philosophy, which is a modern way of saying we **assume a breach will happen** and plan for it. This isn't a single "lock on the door"; it's a **"defense-in-depth"** strategy, more like a medieval castle with a moat, high walls, and guards at every door.
+
+Here’s a breakdown of the defensive layers you get, right out of the box using the default configuration.
+
+## Feature 1: The "Digital Concrete" Filesystem
+
+**Methodology:** The core application and its system files are treated as immutable. Once built, the app's code is "set in concrete," preventing attackers from modifying it or planting malware.
+
+* **Immutable Filesystem:** At runtime, the container's entire filesystem is set to `read_only: true`. The application code, system libraries, and all other files are literally frozen. This single control neutralizes a massive range of common attacks.
+
+* **"Ownership-as-a-Lock" Pattern:** During the build, all system files are assigned to a special `readonly` user. This user has no login shell and no power to write to *any* files, even its own. It’s a clever, defense-in-depth locking mechanism.
+
+* **Data Segregation:** All user-specific data (like configurations and the device database) is stored completely outside the container in Docker volumes. The application is disposable; the data is persistent.
+
+**What's this mean to you:** Even if an attacker gets in, they **cannot modify the application code or plant malware.** It's like the app is set in digital concrete.
+
+## Feature 2: Surgical, "Keycard-Only" Access
+
+**Methodology:** The principle of least privilege is strictly enforced. Every process gets only the absolute minimum set of permissions needed for its specific job.
+
+* **Non-Privileged Execution:** The entire NetAlertX stack runs as a dedicated, low-power, non-root user (`netalertx`). No "god mode" privileges are available to the application.
+
+* **Kernel-Level Capability Revocation:** The container is launched with `cap_drop: - ALL`, which tells the Linux kernel to revoke *all* "root-like" special powers.
+
+* **Binary-Specific Privileges (setcap):** This is the "keycard" metaphor in action. After revoking all powers, the system uses `setcap` to grant specific, necessary permissions *only* to the binaries that absolutely require them (like `nmap` and `arp-scan`). This means that even if an attacker compromises the web server, they can't start scanning the network. The web server's "keycard" doesn't open the "scanning" door.
+
+**What's this mean to you:** A security breach is **firewalled.** An attacker who gets into the web UI **does not have the "keycard"** to start scanning your network or take over the system. The breach is contained.
+
+## Feature 3: Attack Surface "Amputation"
+
+**Methodology:** The potential attack surface is aggressively minimized by removing every non-essential tool an attacker would want to use.
+
+* **Package Manager Removal:** The `hardened` build stage explicitly deletes the Alpine package manager (`apk del apk-tools`). This makes it impossible for an attacker to simply `apk add` their malicious toolkit.
+
+* **`sudo` Neutralization:** All `sudo` configurations are removed, and the `/usr/bin/sudo` command is replaced with a non-functional shim. Any attempt to escalate privileges this way will fail.
+
+* **Build Toolchain Elimination:** The `Dockerfile` uses a multi-stage build. The initial "builder" stage, which contains all the powerful compilers (`gcc`) and development tools, is completely discarded. The final production image is lean and contains no build tools.
+
+* **Minimal User & Group Files:** The `hardened` stage scrubs the system's `passwd` and `group` files, removing all default system users to minimize potential avenues for privilege escalation.
+
+**What's this mean to you:** An attacker who breaks in finds themselves in an **empty room with no tools.** They have no `sudo` to get more power, no package manager to download weapons, and no compilers to build new ones.
+
+## Feature 4: "Self-Cleaning" Writable Areas
+
+**Methodology:** All writable locations are treated as untrusted, temporary, and non-executable by default.
+
+* **In-Memory Volatile Storage:** The `docker-compose.yml` configuration maps all temporary directories (e.g., `/tmp/log`, `/tmp/api`, `/tmp`) to in-memory `tmpfs` filesystems. They do not exist on the host's disk.
+
+* **Volatile Data:** Because these locations exist only in RAM, their contents are **instantly and irrevocably erased** when the container is stopped. This provides a "self-cleaning" mechanism that purges any attacker-dropped files or payloads on every single restart.
+
+* **Secure Mount Flags:** These in-memory mounts are configured with the `noexec` flag. This is a critical security control: it **prohibits the execution of any binary or script** from a location that is writable.
+
+**What's this mean to you:** Any malicious file an attacker *does* manage to drop is **written in invisible, non-permanent ink.** The file is written to RAM, not disk, so it **vaporizes the instant you restart** the container. Even worse for them, the `noexec` flag means they **can't even run the file** in the first place.
+
+## Feature 5: Built-in Resource Guardrails
+
+**Methodology:** The container is constrained by resource limits to function as a "good citizen" on the host system. This prevents a compromised or runaway process from consuming excessive resources, a common vector for Denial of Service (DoS) attacks.
+
+* **Process Limiting:** The `docker-compose.yml` defines a `pids_limit: 512`. This directly mitigates "fork bomb" attacks, where a process attempts to crash the host by recursively spawning thousands of new processes.
+
+* **Memory & CPU Limits:** The configuration file defines strict resource limits to prevent any single process from exhausting the host's available system resources.
+
+**What's this mean to you:** NetAlertX is a "good neighbor" and **can't be used to crash your host machine.** Even if a process is compromised, it's in a digital straitjacket and **cannot** pull a "denial of service" attack by hogging all your CPU or memory.
+
+## Feature 6: The "Pre-Flight" Self-Check
+
+**Methodology:** Before any services start, NetAlertX runs a comprehensive "pre-flight" check to ensure its own security and configuration are sound. It's like a built-in auditor who verifies its own defenses.
+
+* **Active Self-Diagnosis:** On every single boot, NetAlertX runs a series of startup pre-checks—and it's fast. The entire self-check process typically completes in less than a second, letting you get to the web UI in about three seconds from startup.
+
+* **Validates Its Own Security:** These checks actively inspect the other security features. For example, `check-0-permissions.sh` validates that all the "Digital Concrete" files are locked down and all the "Self-Cleaning" areas are writable, just as they should be. It also checks that the correct `netalertx` user is running the show, not `root`.
+
+* **Catches Misconfigurations:** This system acts as a "safety inspector" that catches misconfigurations *before* they can become security holes. If you've made a mistake in your configuration (like a bad folder permission or incorrect network mode), NetAlertX will tell you in the logs *why* it can't start, rather than just failing silently.
+
+**What's this mean to you:** The system is **self-aware and checks its own work.** You get instant feedback if a setting is wrong, and you get peace of mind on every single boot knowing all these security layers are **active and verified,** all in about one second.
+
+## Conclusion: Security by Default
+
+No single security control is a silver bullet. The robust security posture of NetAlertX is achieved through **defense in depth**, layering these methodologies.
+
+An adversary must not only gain initial access but must also find a way to write a payload to a non-executable, in-memory location, without access to any standard system tools, `sudo`, or a package manager. And they must do this while operating as an unprivileged user in a resource-limited environment where the application code is immutable and *actively checks its own integrity on every boot*.
--- a/docs/SESSION_INFO.md
+++ b/docs/SESSION_INFO.md
@@ -1,62 +1,64 @@
-# Sessions Section in Device View
+# Sessions Section – Device View

-The **Sessions Section** provides details about a device's connection history. This data is automatically detected and cannot be edited by the user.
+The **Sessions Section** shows a device’s connection history. All data is automatically detected and **cannot be edited**.

- ![Session info](./img/SESSION_INFO/DeviceDetails_SessionInfo.png)
+![Session info](./img/SESSION_INFO/DeviceDetails_SessionInfo.png)

 ---

 ## Key Fields

-1. **Date and Time of First Connection**
-   - **Description:** Displays the first detected connection time for the device.
-   - **Editability:** Uneditable (auto-detected).
-   - **Source:** Automatically captured when the device is first added to the system.
-
-2. **Date and Time of Last Connection**
-   - **Description:** Shows the most recent time the device was online.
-   - **Editability:** Uneditable (auto-detected).
-   - **Source:** Updated with every new connection event.
-
-3. **Offline Devices with Missing or Conflicting Data**
-   - **Description:** Handles cases where a device is offline but has incomplete or conflicting session data (e.g., missing start times).
-   - **Handling:** The system flags these cases for review and attempts to infer missing details.
+| Field                          | Description                                                                                      | Editable?       |
+| ------------------------------ | ------------------------------------------------------------------------------------------------ | --------------- |
+| **First Connection**           | The first time the device was detected on the network.                                           | ❌ Auto-detected |
+| **Last Connection**            | The most recent time the device was online.                                                      | ❌ Auto-detected |

 ---

-## How Sessions are Discovered and Calculated
+## How Session Information Works

 ### 1. Detecting New Devices
-When a device is first detected in the network, the system logs it in the events table:

-`INSERT INTO Events (eve_MAC, eve_IP, eve_DateTime, eve_EventType, eve_AdditionalInfo, eve_PendingAlertEmail) SELECT cur_MAC, cur_IP, '{startTime}', 'New Device', cur_Vendor, 1 FROM CurrentScan WHERE NOT EXISTS (SELECT 1 FROM Devices WHERE devMac = cur_MAC)`
+* New devices are automatically detected when they first appear on the network.
+* A **New Device** record is created, capturing the MAC, IP, vendor, and detection time.

- Devices scanned in the current cycle (**CurrentScan**) are checked against the **Devices** table.
- If a device is new:
-  - A **New Device** event is logged.
-  - The device’s MAC, IP, vendor, and detection time are recorded.
+### 2. Recording Connection Sessions

-### 2. Logging Connection Sessions
-When a new connection is detected, the system creates a session record:
+* Every time a device connects, a session entry is created.
+* Captured details include:

-`INSERT INTO Sessions (ses_MAC, ses_IP, ses_EventTypeConnection, ses_DateTimeConnection, ses_EventTypeDisconnection, ses_DateTimeDisconnection, ses_StillConnected, ses_AdditionalInfo) SELECT cur_MAC, cur_IP, 'Connected', '{startTime}', NULL, NULL, 1, cur_Vendor FROM CurrentScan WHERE NOT EXISTS (SELECT 1 FROM Sessions WHERE ses_MAC = cur_MAC)`
-
- A new session is logged in the **Sessions** table if no prior session exists.
- Fields like `MAC`, `IP`, `Connection Type`, and `Connection Time` are populated.
- The `Still Connected` flag is set to `1` (active connection).
+  * Connection type (wired or wireless)
+  * Connection time
+  * Device details (MAC, IP, vendor)

 ### 3. Handling Missing or Conflicting Data
- Devices with incomplete or conflicting session data (e.g., missing start times) are detected.
- The system flags these records and attempts corrections by inferring details from available data.
+
+* **Triggers:**
+  Devices are flagged when session data is incomplete, inconsistent, or conflicting. Examples include:
+
+  * Missing first or last connection timestamps
+  * Overlapping session records
+  * Sessions showing a device as connected and disconnected at the same time
+
+* **System response:**
+
+  * Automatically highlights affected devices in the **Sessions Section**.
+  * Attempts to **infer missing information** from available data, such as:
+
+    * Estimating first or last connection times from nearby session events
+    * Correcting overlapping session periods
+    * Reconciling conflicting connection statuses
+
+* **User impact:**
+
+  * Users do **not** need to manually fix session data.
+  * The system ensures the device’s connection history remains as accurate as possible for monitoring and reporting.

 ### 4. Updating Sessions
- When a device reconnects, its session is updated with a new connection timestamp.
- When a device disconnects:
-  - The **Disconnection Time** is recorded.
-  - The `Still Connected` flag is set to `0`.

-The session information is then used to display the device presence under **Monitoring** -> **Presence**.
+* **Reconnect:** Updates session with the new connection timestamp.
+* **Disconnect:** Records disconnection time and marks the device as offline.
+
+This session information feeds directly into **Monitoring → Presence**, providing a live view of which devices are currently online.

 ![Monitoring Device Presence](./img/SESSION_INFO/Monitoring_Presence.png)
-
-
--- a/docs/SYNOLOGY_GUIDE.md
+++ b/docs/SYNOLOGY_GUIDE.md
@@ -1,10 +1,10 @@
 # Installation on a Synology NAS

-There are different ways to install NetAlertX on a Synology, including SSH-ing into the machine and using the command line. For this guide, we will use the Project option in Container manager. 
+There are different ways to install NetAlertX on a Synology, including SSH-ing into the machine and using the command line. For this guide, we will use the Project option in Container manager.

 ## Create the folder structure

-The folders you are creating below will contain the configuration and the database. Back them up regularly. 
+The folders you are creating below will contain the configuration and the database. Back them up regularly.

 1. Create a parent folder named `netalertx`
 2. Create a `db` sub-folder
@@ -29,23 +29,31 @@ The folders you are creating below will contain the configuration and the databa
 - Path: `/app_storage/netalertx` (will differ from yours)
 - Paste in the following template:

+
 ```yaml
 version: "3"
 services:
  netalertx:
    container_name: netalertx
    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-    network_mode: "host"        
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
+    image: "ghcr.io/jokob-sk/netalertx:latest"
+    network_mode: "host"
    restart: unless-stopped
+    cap_drop:       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:        # Re-add necessary capabilities
+      - NET_RAW
+      - NET_ADMIN
+      - NET_BIND_SERVICE
    volumes:
-      - local/path/config:/app/config
-      - local/path/db:/app/db      
-      # (optional) useful for debugging if you have issues setting up the container
-      - local/path/logs:/app/log
+      - /app_storage/netalertx:/data
+      # to sync with system time
+      - /etc/localtime:/etc/localtime:ro
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
-      - TZ=Europe/Berlin      
      - PORT=20211
 ```

@@ -57,10 +65,7 @@ services:

 ```yaml
 volumes:
-      - /volume1/app_storage/netalertx/config:/app/config
-      - /volume1/app_storage/netalertx/db:/app/db      
-      # (optional) useful for debugging if you have issues setting up the container
-      # - local/path/logs:/app/log <- commented out with # ⚠
+      - /volume1/app_storage/netalertx:/data
 ```

 ![Adjusting docker-compose](./img/SYNOLOGY/08_Adjust_docker_compose_volumes.png)
@@ -71,4 +76,13 @@ services:
 ![Build](./img/SYNOLOGY/09_Run_and_build.png)

 10. Navigate to `<Synology URL>:20211` (or your custom port).
-11. Read the [Subnets](./SUBNETS.md) and [Plugins](/docs/PLUGINS.md) docs to complete your setup. 
+11. Read the [Subnets](./SUBNETS.md) and [Plugins](/docs/PLUGINS.md) docs to complete your setup.
+
+
+> [!TIP]
+> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+>
+>  `sudo chown -R 20211:20211 /local_data_dir`
+>
+>  `sudo chmod -R a+rwx  /local_data_dir`
+>
--- a/docs/UPDATES.md
+++ b/docs/UPDATES.md
@@ -1,7 +1,8 @@
 # Docker Update Strategies to upgrade NetAlertX

-> [!WARNING] 
+> [!WARNING]
 > For versions prior to `v25.6.7` upgrade to version `v25.5.24` first (`docker pull ghcr.io/jokob-sk/netalertx:25.5.24`) as later versions don't support a full upgrade. Alternatively, devices and settings can be migrated manually, e.g. via [CSV import](./DEVICES_BULK_EDITING.md).
+> See the [Migration guide](./MIGRATION.md) for details.

 This guide outlines approaches for updating Docker containers, usually when upgrading to a newer version of NetAlertX. Each method offers different benefits depending on the situation. Here are the methods:

@@ -15,7 +16,7 @@ You can choose any approach that fits your workflow.
 > In the examples I assume that the container name is `netalertx` and the image name is `netalertx` as well.

 > [!NOTE]
-> See also [Backup strategies](./BACKUPS.md) to be on the safe side.  
+> See also [Backup strategies](./BACKUPS.md) to be on the safe side.

 ## 1. Manual Updates

@@ -48,7 +49,7 @@ sudo docker-compose up --pull always -d

 ## 2. Dockcheck for Bulk Container Updates

-Always check the [Dockcheck](https://github.com/mag37/dockcheck) docs if encountering issues with the guide below. 
+Always check the [Dockcheck](https://github.com/mag37/dockcheck) docs if encountering issues with the guide below.

 Dockcheck is a useful tool if you have multiple containers to update and some flexibility for handling potential issues that might arise during mass updates. Dockcheck allows you to inspect each container and decide when to update.

@@ -74,7 +75,7 @@ sudo ./dockcheck.sh

 ## 3. Automated Updates with Watchtower

-Always check the [watchtower](https://github.com/containrrr/watchtower) docs if encountering issues with the guide below. 
+Always check the [watchtower](https://github.com/containrrr/watchtower) docs if encountering issues with the guide below.

 Watchtower monitors your Docker containers and automatically updates them when new images are available. This is ideal for ongoing updates without manual intervention.

@@ -96,7 +97,7 @@ docker run -d \
  --interval 300 # Check for updates every 5 minutes
 ```

-#### 3. Run Watchtower to update only NetAlertX: 
+#### 3. Run Watchtower to update only NetAlertX:

 You can specify which containers to monitor by listing them. For example, to monitor netalertx only:

--- a/docs/WEB_UI_PORT_DEBUG.md
+++ b/docs/WEB_UI_PORT_DEBUG.md
@@ -2,7 +2,7 @@

 The application uses the following default ports:

- **Web UI**: `20211`  
+- **Web UI**: `20211`
 - **GraphQL API**: `20212`

 The **Web UI** is served by an **nginx** server, while the **API backend** runs on a **Flask (Python)** server.
@@ -15,7 +15,7 @@ The **Web UI** is served by an **nginx** server, while the **API backend** runs
  APP_CONF_OVERRIDE={"GRAPHQL_PORT":"20212"}
  ```

-For more information, check the [Docker installation guide](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md).
+For more information, check the [Docker installation guide](./DOCKER_INSTALLATION.md).

 ## Possible issues and troubleshooting

@@ -25,8 +25,8 @@ Follow all of the below in order to disqualify potential causes of issues and to

 When opening an issue or debugging:

-1. Include a screenshot of what you see when accessing `HTTP://<your rpi IP>/20211` (or your custom port)
-1. [Follow steps 1, 2, 3, 4  on this page](./DEBUG_TIPS.md) 
+1. Include a screenshot of what you see when accessing `HTTP://<your_server>:20211` (or your custom port)
+1. [Follow steps 1, 2, 3, 4  on this page](./DEBUG_TIPS.md)
 1. Execute the following in the container to see the processes and their ports and submit a screenshot of the result:
   - `sudo apk add lsof`
   - `sudo lsof -i`
@@ -36,21 +36,21 @@ When opening an issue or debugging:

 ![lsof ports](./img/WEB_UI_PORT_DEBUG/container_port.png)

-### 2. JavaScript issues 
+### 2. JavaScript issues

 Check for browser console (F12 browser dev console) errors + check different browsers.

 ### 3. Clear the app cache and cached JavaScript files

-Refresh the browser cache (usually shoft + refresh), try a private window, or different browsers. Please also refresh the app cache by clicking the 🔃 (reload) button in the header of the application. 
+Refresh the browser cache (usually shoft + refresh), try a private window, or different browsers. Please also refresh the app cache by clicking the 🔃 (reload) button in the header of the application.

 ### 4. Disable proxies

-If you have any reverse proxy or similar, try disabling it. 
+If you have any reverse proxy or similar, try disabling it.

 ### 5. Disable your firewall

-If you are using a firewall, try to temporarily disabling it. 
+If you are using a firewall, try to temporarily disabling it.

 ### 6. Post your docker start details

@@ -62,11 +62,11 @@ In the container execute and investigate:

 `cat /var/log/nginx/error.log`

-`cat /app/log/app.php_errors.log`
+`cat /tmp/log/app.php_errors.log`

 ### 8. Make sure permissions are correct

 > [!TIP]
-> You can try to start the container without mapping the `/app/config` and `/app/db` dirs and if the UI shows up then the issue is most likely related to your file system permissions or file ownership. 
+> You can try to start the container without mapping the `/data/config` and `/data/db` dirs and if the UI shows up then the issue is most likely related to your file system permissions or file ownership.

-Please read the [Permissions troubleshooting guide](./FILE_PERMISSIONS.md) and provide a screesnhot of the permissions and ownership in the `/app/db` and `app/config` directories. 
+Please read the [Permissions troubleshooting guide](./FILE_PERMISSIONS.md) and provide a screesnhot of the permissions and ownership in the `/data/db` and `app/config` directories.
--- a/docs/WORKFLOWS_DEBUGGING.md
+++ b/docs/WORKFLOWS_DEBUGGING.md
@@ -1,22 +1,22 @@
 # Workflows debugging and troubleshooting

 > [!TIP]
-> Before troubleshooting, please ensure you have [Debugging enabled](./DEBUG_TIPS.md).
+> Before troubleshooting, please ensure you have the right [Debugging and LOG_LEVEL set](./DEBUG_TIPS.md).

-Workflows are triggered by various events. These events are captured and listed in the _Integrations -> App Events_ section of the application. 
+Workflows are triggered by various events. These events are captured and listed in the _Integrations -> App Events_ section of the application.

 ## Troubleshooting triggers

 > [!NOTE]
-> Workflow events are processed once every 5 seconds. However, if a scan or other background tasks are running, this can cause a delay up to a few minutes. 
+> Workflow events are processed once every 5 seconds. However, if a scan or other background tasks are running, this can cause a delay up to a few minutes.

-If an event doesn't trigger a workflow as expected, check the _App Events_ section for the event. You can filter these by the ID of the device (`devMAC` or `devGUID`). 
+If an event doesn't trigger a workflow as expected, check the _App Events_ section for the event. You can filter these by the ID of the device (`devMAC` or `devGUID`).

 ![App events search](./img/WORKFLOWS/workflows_app_events_search.png)

-Once you find the _Event Guid_ and _Object GUID_, use them to find relevant debug entries. 
+Once you find the _Event Guid_ and _Object GUID_, use them to find relevant debug entries.

-Navigate to _Mainetenace -> Logs_ where you can filter the logs based on the _Event or Object GUID_. 
+Navigate to _Mainetenace -> Logs_ where you can filter the logs based on the _Event or Object GUID_.

 ![Log events search](./img/WORKFLOWS/workflows_logs_search.png)

@@ -24,9 +24,9 @@ Below you can find some example `app.log` entries that will help you understand

 ```bash
 16:27:03 [WF] Checking if '13f0ce26-1835-4c48-ae03-cdaf38f328fe' triggers the workflow 'Sample Device Update Workflow'
-16:27:03 [WF] self.triggered 'False' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "insert"}' 
+16:27:03 [WF] self.triggered 'False' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "insert"}'
 16:27:03 [WF] Checking if '13f0ce26-1835-4c48-ae03-cdaf38f328fe' triggers the workflow 'Location Change'
-16:27:03 [WF] self.triggered 'True' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "update"}' 
+16:27:03 [WF] self.triggered 'True' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "update"}'
 16:27:03 [WF] Event with GUID '13f0ce26-1835-4c48-ae03-cdaf38f328fe' triggered the workflow 'Location Change'
 ```

--- a/docs/docker-troubleshooting/excessive-capabilities.md
+++ b/docs/docker-troubleshooting/excessive-capabilities.md
@@ -0,0 +1,32 @@
+# Excessive Capabilities
+
+## Issue Description
+
+Excessive Linux capabilities are detected beyond the necessary NET_ADMIN, NET_BIND_SERVICE, and NET_RAW. This may indicate overly permissive container configuration.
+
+## Security Ramifications
+
+While the detected capabilities might not directly harm operation, running with more privileges than necessary increases the attack surface. If the container is compromised, additional capabilities could allow broader system access or privilege escalation.
+
+## Why You're Seeing This Issue
+
+This occurs when your Docker configuration grants more capabilities than required for network monitoring. The application only needs specific network-related capabilities for proper function.
+
+## How to Correct the Issue
+
+Limit capabilities to only those required:
+
+- In docker-compose.yml, specify only needed caps:
+  ```yaml
+  cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    - NET_BIND_SERVICE
+  ```
+- Remove any unnecessary `--cap-add` or `--privileged` flags from docker run commands
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/file-permissions.md
+++ b/docs/docker-troubleshooting/file-permissions.md
@@ -0,0 +1,27 @@
+# File Permission Issues
+
+## Issue Description
+
+NetAlertX cannot read from or write to critical configuration and database files. This prevents the application from saving data, logs, or configuration changes.
+
+## Security Ramifications
+
+Incorrect file permissions can expose sensitive configuration data or database contents to unauthorized access. Network monitoring tools handle sensitive information about devices on your network, and improper permissions could lead to information disclosure.
+
+## Why You're Seeing This Issue
+
+This occurs when the mounted volumes for configuration and database files don't have proper ownership or permissions set for the netalertx user (UID 20211). The container expects these files to be accessible by the service account, not root or other users.
+
+## How to Correct the Issue
+
+Fix permissions on the host system for the mounted directories:
+
+- Ensure the config and database directories are owned by the netalertx user: `chown -R 20211:20211 /path/to/config /path/to/db`
+- Set appropriate permissions: `chmod -R 755 /path/to/config /path/to/db` for directories, `chmod 644` for files
+- Alternatively, restart the container with root privileges temporarily to allow automatic permission fixing, then switch back to the default user
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/incorrect-user.md
+++ b/docs/docker-troubleshooting/incorrect-user.md
@@ -0,0 +1,28 @@
+# Incorrect Container User
+
+## Issue Description
+
+NetAlertX is running as UID:GID other than the expected 20211:20211. This bypasses hardened permissions, file ownership, and runtime isolation safeguards.
+
+## Security Ramifications
+
+The application is designed with security hardening that depends on running under a dedicated, non-privileged service account. Using a different user account can silently fail future upgrades and removes crucial isolation between the container and host system.
+
+## Why You're Seeing This Issue
+
+This occurs when you override the container's default user with custom `user:` directives in docker-compose.yml or `--user` flags in docker run commands. The container expects to run as the netalertx user for proper security isolation.
+
+## How to Correct the Issue
+
+Restore the container to the default user:
+
+- Remove any `user:` overrides from docker-compose.yml
+- Avoid `--user` flags in docker run commands
+- Allow the container to run with its default UID:GID 20211:20211
+- Recreate the container so volume ownership is reset automatically
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/missing-capabilities.md
+++ b/docs/docker-troubleshooting/missing-capabilities.md
@@ -0,0 +1,32 @@
+# Missing Network Capabilities
+
+## Issue Description
+
+Raw network capabilities (NET_RAW, NET_ADMIN, NET_BIND_SERVICE) are missing. Tools that rely on these capabilities (e.g., nmap -sS, arp-scan, nbtscan) will not function.
+
+## Security Ramifications
+
+Network scanning and monitoring requires low-level network access that these capabilities provide. Without them, the application cannot perform essential functions like ARP scanning, port scanning, or passive network discovery, severely limiting its effectiveness.
+
+## Why You're Seeing This Issue
+
+This occurs when the container doesn't have the necessary Linux capabilities granted. Docker containers run with limited capabilities by default, and network monitoring tools need elevated network privileges.
+
+## How to Correct the Issue
+
+Add the required capabilities to your container:
+
+- In docker-compose.yml:
+  ```yaml
+  cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    - NET_BIND_SERVICE
+  ```
+- For docker run: `--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE`
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/mount-configuration-issues.md
+++ b/docs/docker-troubleshooting/mount-configuration-issues.md
@@ -0,0 +1,36 @@
+# Mount Configuration Issues
+
+## Issue Description
+
+NetAlertX has detected configuration issues with your Docker volume mounts. These may include write permission problems, data loss risks, or performance concerns marked with ❌ in the table.
+
+## Security Ramifications
+
+Improper mount configurations can lead to data loss, performance degradation, or security vulnerabilities. For persistent data (database and configuration), using non-persistent storage like tmpfs can result in complete data loss on container restart. For temporary data, using persistent storage may unnecessarily expose sensitive logs or cache data.
+
+## Why You're Seeing This Issue
+
+This occurs when your Docker Compose or run configuration doesn't properly map host directories to container paths, or when the mounted volumes have incorrect permissions. The application requires specific paths to be writable for operation, and some paths should use persistent storage while others should be temporary.
+
+## How to Correct the Issue
+
+Review and correct your volume mounts in docker-compose.yml:
+
+- Ensure `${NETALERTX_DB}` and `${NETALERTX_CONFIG}` use persistent host directories
+- Ensure `${NETALERTX_API}`, `${NETALERTX_LOG}` have appropriate permissions
+- Avoid mounting sensitive paths to non-persistent filesystems like tmpfs for critical data
+- Use bind mounts with proper ownership (netalertx user: 20211:20211)
+
+Example volume configuration:
+```yaml
+volumes:
+  - ./data/db:/data/db
+  - ./data/config:/data/config
+  - ./data/log:/tmp/log
+```
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/network-mode.md
+++ b/docs/docker-troubleshooting/network-mode.md
@@ -0,0 +1,27 @@
+# Network Mode Configuration
+
+## Issue Description
+
+NetAlertX is not running with `--network=host`. Bridge networking blocks passive discovery (ARP, NBNS, mDNS) and active scanning accuracy.
+
+## Security Ramifications
+
+Host networking is required for comprehensive network monitoring. Bridge mode isolates the container from raw network access needed for ARP scanning, passive discovery protocols, and accurate device detection. Without host networking, the application cannot fully monitor your network.
+
+## Why You're Seeing This Issue
+
+This occurs when your Docker configuration uses bridge networking instead of host networking. Network monitoring requires direct access to the host's network interfaces to perform passive discovery and active scanning.
+
+## How to Correct the Issue
+
+Enable host networking mode:
+
+- In docker-compose.yml, add: `network_mode: host`
+- For docker run, use: `--network=host`
+- Ensure the container has required capabilities: `--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE`
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/nginx-configuration-mount.md
+++ b/docs/docker-troubleshooting/nginx-configuration-mount.md
@@ -0,0 +1,36 @@
+# Nginx Configuration Mount Issues
+
+## Issue Description
+
+You've configured a custom port for NetAlertX, but the required nginx configuration mount is missing or not writable. Without this mount, the container cannot apply your port changes and will fall back to the default port 20211.
+
+## Security Ramifications
+
+Running in read-only mode (as recommended) prevents the container from modifying its own nginx configuration. Without a writable mount, custom port configurations cannot be applied, potentially exposing the service on unintended ports or requiring fallback to defaults.
+
+## Why You're Seeing This Issue
+
+This occurs when you set a custom PORT environment variable (other than 20211) but haven't provided a writable mount for nginx configuration. The container needs to write custom nginx config files when running in read-only mode.
+
+## How to Correct the Issue
+
+If you want to use a custom port, create a bind mount for the nginx configuration:
+
+- Create a directory on your host: `mkdir -p /path/to/nginx-config`
+- Add to your docker-compose.yml:
+  ```yaml
+  volumes:
+    - /path/to/nginx-config:/tmp/nginx/active-config
+  environment:
+    - PORT=your_custom_port
+  ```
+- Ensure it's owned by the netalertx user: `chown -R 20211:20211 /path/to/nginx-config`
+- Set permissions: `chmod -R 700 /path/to/nginx-config`
+
+If you don't need a custom port, simply omit the PORT environment variable and the container will use 20211 by default.
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/port-conflicts.md
+++ b/docs/docker-troubleshooting/port-conflicts.md
@@ -0,0 +1,86 @@
+# Port Conflicts
+
+## Issue Description
+
+The configured application port (default 20211) or GraphQL API port (default 20212) is already in use by another service. This commonly occurs when you already have another NetAlertX instance running.
+
+## Security Ramifications
+
+Port conflicts prevent the application from starting properly, leaving network monitoring services unavailable. Running multiple instances on the same ports can also create configuration confusion and potential security issues if services are inadvertently exposed.
+
+## Why You're Seeing This Issue
+
+This error typically occurs when:
+
+- **You already have NetAlertX running** - Another Docker container or devcontainer instance is using the default ports 20211 and 20212
+- **Port conflicts with other services** - Other applications on your system are using these ports
+- **Configuration error** - Both PORT and GRAPHQL_PORT environment variables are set to the same value
+
+## How to Correct the Issue
+
+### Check for Existing NetAlertX Instances
+
+First, check if you already have NetAlertX running:
+
+```bash
+# Check for running NetAlertX containers
+docker ps | grep netalertx
+
+# Check for devcontainer processes
+ps aux | grep netalertx
+
+# Check what services are using the ports
+netstat -tlnp | grep :20211
+netstat -tlnp | grep :20212
+```
+
+### Stop Conflicting Instances
+
+If you find another NetAlertX instance:
+
+```bash
+# Stop specific container
+docker stop <container_name>
+
+# Stop all NetAlertX containers
+docker stop $(docker ps -q --filter ancestor=jokob-sk/netalertx)
+
+# Stop devcontainer services
+# Use VS Code command palette: "Dev Containers: Rebuild Container"
+```
+
+### Configure Different Ports
+
+If you need multiple instances, configure unique ports:
+
+```yaml
+environment:
+  - PORT=20211          # Main application port
+  - GRAPHQL_PORT=20212  # GraphQL API port
+```
+
+For a second instance, use different ports:
+
+```yaml
+environment:
+  - PORT=20213          # Different main port
+  - GRAPHQL_PORT=20214  # Different API port
+```
+
+### Alternative: Use Different Container Names
+
+When running multiple instances, use unique container names:
+
+```yaml
+services:
+  netalertx-primary:
+    # ... existing config
+  netalertx-secondary:
+    # ... config with different ports
+```
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/read-only-filesystem.md
+++ b/docs/docker-troubleshooting/read-only-filesystem.md
@@ -0,0 +1,27 @@
+# Read-Only Filesystem Mode
+
+## Issue Description
+
+The container is running as read-write instead of read-only mode. This reduces the security hardening of the appliance.
+
+## Security Ramifications
+
+Read-only root filesystem is a security best practice that prevents malicious modifications to the container's filesystem. Running read-write allows potential attackers to modify system files or persist malware within the container.
+
+## Why You're Seeing This Issue
+
+This occurs when the Docker configuration doesn't mount the root filesystem as read-only. The application is designed as a security appliance that should prevent filesystem modifications.
+
+## How to Correct the Issue
+
+Enable read-only mode:
+
+- In docker-compose.yml, add: `read_only: true`
+- For docker run, use: `--read-only`
+- Ensure necessary directories are mounted as writable volumes (tmp, logs, etc.)
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/docs/docker-troubleshooting/running-as-root.md
+++ b/docs/docker-troubleshooting/running-as-root.md
@@ -0,0 +1,29 @@
+# Running as Root User
+
+## Issue Description
+
+NetAlertX has detected that the container is running with root privileges (UID 0). This configuration bypasses all built-in security hardening measures designed to protect your system.
+
+## Security Ramifications
+
+Running security-critical applications like network monitoring tools as root grants unrestricted access to your host system. A successful compromise here could jeopardize your entire infrastructure, including other containers, host services, and potentially your network.
+
+## Why You're Seeing This Issue
+
+This typically occurs when you've explicitly overridden the container's default user in your Docker configuration, such as using `user: root` or `--user 0:0` in docker-compose.yml or docker run commands. The application is designed to run under a dedicated, non-privileged service account for security.
+
+## How to Correct the Issue
+
+Switch to the dedicated 'netalertx' user by removing any custom user directives:
+
+- Remove `user:` entries from your docker-compose.yml
+- Avoid `--user` flags in docker run commands
+- Ensure the container runs with the default UID 20211:20211
+
+After making these changes, restart the container. The application will automatically adjust ownership of required directories.
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
--- a/install/production-filesystem/app/log/IP_changes.log
+++ b/install/production-filesystem/app/log/IP_changes.log
--- a/docs/img/BUILDS/build_images_options_tradeoffs.png
+++ b/docs/img/BUILDS/build_images_options_tradeoffs.png
--- a/docs/img/DEBUG_API_SERVER/Init_check.png
+++ b/docs/img/DEBUG_API_SERVER/Init_check.png
--- a/docs/img/DEBUG_API_SERVER/app_conf_graphql_port.png
+++ b/docs/img/DEBUG_API_SERVER/app_conf_graphql_port.png
--- a/docs/img/DEBUG_API_SERVER/dev_console_graphql_json.png
+++ b/docs/img/DEBUG_API_SERVER/dev_console_graphql_json.png
--- a/docs/img/DEBUG_API_SERVER/graphql_running_logs.png
+++ b/docs/img/DEBUG_API_SERVER/graphql_running_logs.png
--- a/docs/img/DEBUG_API_SERVER/graphql_settings_port_token.png
+++ b/docs/img/DEBUG_API_SERVER/graphql_settings_port_token.png
--- a/docs/img/DEBUG_API_SERVER/network_graphql.png
+++ b/docs/img/DEBUG_API_SERVER/network_graphql.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -21,7 +21,7 @@ The app can be installed different ways, with the best support of the docker-bas

 NetAlertX is fully supported in Docker environments, allowing for easy setup and configuration. Follow the official guide to get started:

- [Docker Installation Guide](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md)
+- [Docker Installation Guide](./DOCKER_INSTALLATION.md)

 This guide will take you through the process of setting up NetAlertX using Docker Compose or standalone Docker commands.

--- a/front/css/app.css
+++ b/front/css/app.css
@@ -1,6 +1,6 @@
 /* -----------------------------------------------------------------------------
 #  NetAlertX
-#  Open Source Network Guard / WIFI & LAN intrusion detector 
+#  Open Source Network Guard / WIFI & LAN intrusion detector
 #
 #  app.css - Front module. CSS styles
 #-------------------------------------------------------------------------------
@@ -36,7 +36,7 @@ a[target="_blank"] {
    display: inline-block; /* Needed for positioning */
    padding-right: 0.6em;    /* Space for the icon */
  }
-  
+
  a[target="_blank"]::after {
    content: '↗';
    position: absolute;
@@ -55,7 +55,7 @@ a[target="_blank"] {
    right: -7px;
    top: 1px;
  } */
-  
+
 /* .select2-container--default .select2-selection--multiple .select2-selection__choice
 {
    padding-right: 15px !important;
@@ -70,6 +70,11 @@ a[target="_blank"] {
    opacity: 1;
 }

+[data-is-valid="0"] {
+    /* border: 1px solid red;  */
+    background-color: #ff4b4b !important;
+}
+
 /* -----------------------------------------------------------------------------
   Helper Classes
 ----------------------------------------------------------------------------- */
@@ -100,7 +105,7 @@ a[target="_blank"] {
  background-color: black;
  font-family: 'Courier New', monospace;
  font-size: .85em;
-  
+
 }
 .logs-row textarea
 {
@@ -110,12 +115,12 @@ a[target="_blank"] {
    display:contents;
    position: relative;
    padding: 0.4em
-    
+
 }

 #tab_Logging .actions .toggle{

-    margin: 0.5em;    
+    margin: 0.5em;
    height: 3em;
 }

@@ -134,8 +139,8 @@ a[target="_blank"] {
 }
 .log-area
 {
-    padding: 3px;    
-    width:100%;    
+    padding: 3px;
+    width:100%;
    border-bottom-width: 1px;
    border-bottom-style: solid;
    border-color: #606060;
@@ -246,7 +251,7 @@ a[target="_blank"] {
 {
    padding:8px;
    color: white;
-} 
+}

 .header-status
 {
@@ -262,7 +267,7 @@ a[target="_blank"] {
    position: absolute;
    top: 3px;
    margin-left: 15px;
-    display: none; 
+    display: none;

 }

@@ -298,9 +303,9 @@ body

 .NetAlertX-logo
 {
-    border-color:transparent !important;  
-    height: 50px !important; 
-    width: 50px !important; 
+    border-color:transparent !important;
+    height: 50px !important;
+    width: 50px !important;
    margin-top:15px !important;
    border-radius: 1px !important;
 }
@@ -327,7 +332,7 @@ body
 .content-wrapper,
 .right-side,
 .main-footer {
-    margin-left: 150px;    
+    margin-left: 150px;
 }


@@ -740,7 +745,7 @@ body
    text-decoration: underline;
 }

-#ticker-message 
+#ticker-message
 {
    color:#FFFFFF;
 }
@@ -774,7 +779,7 @@ body
 .file-checking .icon-wrap{
    width: 200px;
    overflow: hidden;
-    text-overflow: ellipsis; 
+    text-overflow: ellipsis;
    display: block;
 }

@@ -788,7 +793,7 @@ body

 .file-checking .file-name-wrap{
    overflow: hidden;
-    text-overflow: ellipsis; 
+    text-overflow: ellipsis;
    display: flex;
    padding: 5px;
 }
@@ -796,7 +801,7 @@ body
 .file-checking{
    display: block;
    overflow: hidden;
-    text-overflow: ellipsis; 
+    text-overflow: ellipsis;
 }


@@ -854,16 +859,16 @@ body

 .db_tools_table_cell_a {
    display: table-cell;
-    text-align: center; 
-    padding: 10px; 
-    min-width: 180px; 
-    width: 20%; 
+    text-align: center;
+    padding: 10px;
+    min-width: 180px;
+    width: 20%;
    vertical-align: middle;
 }
 .db_tools_table_cell_b {
    display: table-cell;
-    text-align: justify; 
-    font-size: 16px; 
+    text-align: justify;
+    font-size: 16px;
    vertical-align: middle;
    padding: 10px;
 }
@@ -876,12 +881,12 @@ height: 50px;
 }

 .nav-tabs-custom .tab-content {
-  background-color: white;  
-  
+  background-color: white;
+
 }

@media (max-width: 767px) {
-    .nav-tabs-custom .tab-content {          
+    .nav-tabs-custom .tab-content {
        overflow: scroll;
      }
 }
@@ -898,7 +903,7 @@ height: 50px;
    font-size: 16px !important;
 }

-.deviceSelector 
+.deviceSelector
 {
    display: block;
 }
@@ -935,7 +940,7 @@ height: 50px;
    height: 10px;
    display: inline-block;
    /* background: #fff; */
-    opacity: .75; 
+    opacity: .75;
 }

 /* --------------------------------------------------------- */
@@ -979,32 +984,32 @@ height: 50px;
    }
    /* .setting_input{
        width:70%;
-        
+
    }
    .setting_name
    {
-        width:30%;         
+        width:30%;
    } */
  }

@media (min-width: 768px) {
-.setting_description {        
+.setting_description {
    /* color: green; */
    display: block;
 }
 /* .setting_input{
-    width:40%;        
+    width:40%;

 }
 .setting_name
 {
-    width:19%;         
+    width:19%;
 } */
 }

 /* Hide unusable buttons on the settings page for the NEWDEV plugin*/
-#settingsPage #add_option_NEWDEV_devGroup, 
-#settingsPage #add_option_NEWDEV_devLocation, 
+#settingsPage #add_option_NEWDEV_devGroup,
+#settingsPage #add_option_NEWDEV_devLocation,
 #settingsPage #add_option_NEWDEV_devOwner,
 #settingsPage #copy_icons_NEWDEV_devIcon,
 #settingsPage #add_icon_NEWDEV_devIcon,
@@ -1024,11 +1029,11 @@ height: 50px;

 #settingsPage .small-box .inner .card-title {
    overflow: hidden;
-    text-overflow: ellipsis;        
+    text-overflow: ellipsis;
    white-space: nowrap;
    color: white;
 }
-  
+

 .settingswrap
 {
@@ -1048,13 +1053,13 @@ height: 50px;
 .padding-bottom
 {
    padding-bottom: 100px;
-} 
+}

 .settings-group
-{   
+{
    font-size: 20px;
    padding-top: 7px;
-    padding-bottom: 9px;    
+    padding-bottom: 9px;
 }

 .overview-section .small-box  .icon
@@ -1069,7 +1074,7 @@ height: 50px;
 }

 .overview-group
-{   
+{
    font-size: 20px;
    padding-top: 7px;
    padding-bottom: 9px;
@@ -1082,8 +1087,8 @@ height: 50px;
 }


-#settingsPage .table_row {    
-    padding: 3px;    
+#settingsPage .table_row {
+    padding: 3px;
    /* width:100%; */
    /* display: flex; */
    border-bottom-width: 1px;
@@ -1102,7 +1107,7 @@ height: 50px;
 .setting_name
 {
   /* width:19%; */
-    font-weight: 300;    
+    font-weight: 300;
 }


@@ -1111,24 +1116,24 @@ height: 50px;
    display:none !important;
 }

-.center 
+.center
 {
    margin: 0;
-    position: relative;    
+    position: relative;
    left: 50%;
    -ms-transform: translate(-50%, -50%);
    transform: translate(-50%, -50%);
 }

-.top-margin 
+.top-margin
 {
    margin-top: 50px;
 }

 /* Settings */

-#settingsPage .overview-setting-value{    
-    display:unset;    
+#settingsPage .overview-setting-value{
+    display:unset;

 }

@@ -1165,7 +1170,7 @@ height: 50px;
 }

 .text-overflow-hidden
-{    
+{
    overflow: hidden;
    text-overflow: clip;
 }
@@ -1175,9 +1180,9 @@ height: 50px;
    padding: 10px;
    /* background-color: #272c30; */
    margin: 10px;
-    
+
 }
-#settingsPage .panel-heading:hover{    
+#settingsPage .panel-heading:hover{
    background-color: #272c30;
 }

@@ -1185,12 +1190,12 @@ height: 50px;
    font-size: medium;
    /* background-color: #272c30; */
    margin: 10px;
-    
+
 }

-.settings_content input[type=checkbox] 
-{ 
-    width: auto 
+.settings_content input[type=checkbox]
+{
+    width: auto
 }

 .override{
@@ -1212,7 +1217,7 @@ height: 50px;
 input[readonly] {
    /* Apply styles to the readonly input */
    background-color: #646566 !important;
-    color: #e6e6e6;    
+    color: #e6e6e6;
    cursor: not-allowed;
  }

@@ -1300,7 +1305,7 @@ input[readonly] {
    /* margin-bottom:20px; */
 }

-#settingsPage .select2-selection 
+#settingsPage .select2-selection
 {
    width: initial;
    display: inline-block;
@@ -1314,8 +1319,8 @@ input[readonly] {
 #settingsPage  .select2-selection
 {
    background-color: rgb(96, 96, 96);
-} 
-#settingsPage  .select2-container 
+}
+#settingsPage  .select2-container
 {
    width: 100% !important;
 }
@@ -1398,7 +1403,7 @@ input[readonly] {
    backdrop-filter: brightness(50%);
 }

-.iconPreviewSelector 
+.iconPreviewSelector
 {
    text-align: center;
    padding: 15px;
@@ -1440,7 +1445,7 @@ input[readonly] {
 }


-.dummyDevice 
+.dummyDevice
 {
    text-align: end;
 }
@@ -1461,7 +1466,7 @@ input[readonly] {
 }

 .info-icon-nav
-{   
+{
    top: -6px;
    position: absolute;
    z-index: 1;
@@ -1538,7 +1543,7 @@ input[readonly] {
 }

 #panDetails .input-group {
-        
+
    min-height: 40px;
 }

@@ -1583,7 +1588,7 @@ input[readonly] {
 }

 .devicePropAction
-{    
+{
    width: 1.2em;
    height: 1.2em;
    display: inline-block;
@@ -1593,11 +1598,11 @@ input[readonly] {
 }

 .devicePropAction:hover
-{    
+{
    font-size: larger;
    padding: 0em;
    margin: 0em;
-    
+
 }


@@ -1607,7 +1612,7 @@ input[readonly] {
    display: block;
    float:inline-end;
    height: 2em;
-} 
+}

 #panDetails .dataTables_wrapper .bottom .dataTables_info
 {
@@ -1636,22 +1641,22 @@ input[readonly] {
    height: 14px;
 }

-#deviceDetailsEdit .select2-container--default .select2-selection--multiple .select2-selection__choice 
+#deviceDetailsEdit .select2-container--default .select2-selection--multiple .select2-selection__choice
 {
    height: 20px;
 }

-#deviceDetailsEdit .select2-container--disabled 
+#deviceDetailsEdit .select2-container--disabled
 {
-    background-color: #606060;    
+    background-color: #606060;
 }

-#deviceDetailsEdit .select2-container--default .select2-selection--multiple .select2-selection__choice span 
+#deviceDetailsEdit .select2-container--default .select2-selection--multiple .select2-selection__choice span
 {
    font-size: 14px;
 }

-#deviceDetailsEdit .select2-selection 
+#deviceDetailsEdit .select2-selection
 {
    width: initial;
    display: inline-block;
@@ -1681,7 +1686,7 @@ input[readonly] {
    font-size: 14px;
 }
 .custom-badge
-{    
+{
    border: 1px solid #aaa;
    border-radius: 4px;
    border-style: solid;
@@ -1716,7 +1721,7 @@ input[readonly] {
 }


-#deviceDetailsEdit .select2-container 
+#deviceDetailsEdit .select2-container
 {
    width: 100% !important;
 }
@@ -1799,7 +1804,7 @@ input[readonly] {
    z-index: 5;
 }
 #networkTree .netNodeText
-{ 
+{
    position: absolute;
 }
 #networkTree .netPort
@@ -1812,7 +1817,7 @@ input[readonly] {
 #networkTree .portBckgIcon
 {
    opacity: 0.3;
-    display: initial;    
+    display: initial;
    float: left;
    width: 1em;
 }
@@ -1822,7 +1827,7 @@ input[readonly] {
    margin-left: 16px;
    /* border: solid;
    border-color:#606060;     */
-    position: relative;    
+    position: relative;
 }
 #networkTree .netIcon
 {
@@ -1850,8 +1855,8 @@ input[readonly] {
 }

 #hover-box .devName
-{    
-    font-size: larger;    
+{
+    font-size: larger;
    display: contents;
 }

@@ -1910,7 +1915,7 @@ input[readonly] {
 #networkTree .highlightedNode
 {
    /* border: solid; */
-    border-color:var(--color-lightblue); 
+    border-color:var(--color-lightblue);
    box-shadow: var(--color-lightblue) 0px 0px 20px;
 }

@@ -1968,7 +1973,7 @@ input[readonly] {
 }

 .sort-btn {
-    
+
    right: 5px;
    top: 50%;
    transform: translateY(-50%);
@@ -2020,7 +2025,7 @@ input[readonly] {
 }

 .plugin-filters
-{    
+{
    margin: 7px;
    margin-right: 7px;
    margin-bottom: 9px;
@@ -2054,7 +2059,7 @@ input[readonly] {
 }

 .plugin-content #tabs-content-location
-{    
+{
    margin: 0px;
    padding-top: 0;
 }
@@ -2066,7 +2071,7 @@ input[readonly] {
 }

 .plugin-content .tab-content
-{    
+{
    padding-top: 10px;
 }

@@ -2103,7 +2108,7 @@ input[readonly] {

@media (max-width: 500px) {
    .header-server-time {
-      display: none;      
+      display: none;
    }
  }

@@ -2234,12 +2239,12 @@ input[readonly] {
    display: grid;
 }

-#workflowContainerWrap .panel-collapse 
+#workflowContainerWrap .panel-collapse
 {
    padding: 5px;
 }

-.workflows 
+.workflows
 {
    max-width: 800px;
 }
@@ -2285,7 +2290,7 @@ input[readonly] {
    color: #000;
 }

-.workflows .button-container 
+.workflows .button-container
 {
    /* display: contents; */
    text-align: center;
@@ -2305,7 +2310,7 @@ input[readonly] {
    margin: 5px;
 }

-.workflows .button-container 
+.workflows .button-container
 {
    padding-right: 0px !important;
    padding-left: 0px !important;
@@ -2318,19 +2323,19 @@ input[readonly] {

 /* .button-container button
 {
-    width:100%; 
+    width:100%;
 } */

 .red-hover-text:hover
 {
-    color: var(--color-red) !important;    
+    color: var(--color-red) !important;
 }

 .green-hover-text:hover
 {
    color: var(--color-green) !important;
 }
- 
+
 .workflows .bckg-icon-1-line
 {
    font-size: 3em;
@@ -2362,7 +2367,7 @@ input[readonly] {
    z-index: 1;
 }

-.workflows .workflow-card 
+.workflows .workflow-card
 {
    display: block;
 }
@@ -2372,7 +2377,7 @@ input[readonly] {
    padding: 10px;
 }

-.workflow-card, .actions-list 
+.workflow-card, .actions-list
 {
    display: contents;
    padding: 5px;
@@ -2384,7 +2389,7 @@ input[readonly] {
    z-index:1;
 }

-.condition 
+.condition
 {
    padding: 5px;
    padding-left: 10px;
--- a/front/devices.php
+++ b/front/devices.php
@@ -1,7 +1,7 @@
 <!--
 #---------------------------------------------------------------------------------#
-#  NetAlertX                                                                       #
-#  Open Source Network Guard / WIFI & LAN intrusion detector                      #  
+#  NetAlertX                                                                      #
+#  Open Source Network Guard / WIFI & LAN intrusion detector                      #
 #                                                                                 #
 #  devices.php - Front module. Devices list page                                  #
 #---------------------------------------------------------------------------------#
@@ -15,15 +15,28 @@
 <?php

  require 'php/templates/header.php';
+
  // check permissions
-  $dbPath = "../db/app.db";
-  $confPath = "../config/app.conf";
+  // Use environment-aware paths with fallback to legacy locations
+  $dbFolderPath = rtrim(getenv('NETALERTX_DB') ?: '/data/db', '/');
+  $configFolderPath = rtrim(getenv('NETALERTX_CONFIG') ?: '/data/config', '/');
+
+  $dbPath = $dbFolderPath . '/app.db';
+  $confPath = $configFolderPath . '/app.conf';
+
+  // Fallback to legacy paths if new locations don't exist
+  if (!file_exists($dbPath) && file_exists('../db/app.db')) {
+      $dbPath = '../db/app.db';
+  }
+  if (!file_exists($confPath) && file_exists('../config/app.conf')) {
+      $confPath = '../config/app.conf';
+  }

  checkPermissions([$dbPath, $confPath]);
 ?>

 <!-- ----------------------------------------------------------------------- -->
- 
+

 <!-- Page ------------------------------------------------------------------ -->
  <div class="content-wrapper">
@@ -42,15 +55,15 @@
          <div class="col-md-12">
            <div class="box" id="clients">
              <div class="box-header ">
-                <h3 class="box-title col-md-12"><?= lang('Device_Shortcut_OnlineChart');?> </h3> 
+                <h3 class="box-title col-md-12"><?= lang('Device_Shortcut_OnlineChart');?> </h3>
              </div>
              <div class="box-body">
                <div class="chart">
                  <script src="lib/chart.js/Chart.js?v=<?php include 'php/templates/version.php'; ?>"></script>
                  <!-- presence chart -->
-                  <?php  
+                  <?php
                      require 'php/components/graph_online_history.php';
-                  ?>     
+                  ?>
                </div>
              </div>
              <!-- /.box-body -->
@@ -61,7 +74,7 @@
      <!-- Device Filters ------------------------------------------------------- -->
      <div class="box box-aqua hidden" id="columnFiltersWrap">
        <div class="box-header ">
-          <h3 class="box-title col-md-12"><?= lang('Devices_Filters');?> </h3> 
+          <h3 class="box-title col-md-12"><?= lang('Devices_Filters');?> </h3>
        </div>
        <!-- Placeholder ------------------------------------------------------- -->
         <div id="columnFilters" ></div>
@@ -75,8 +88,8 @@
            <!-- box-header -->
            <div class="box-header">
              <div class=" col-sm-8 ">
-                <h3 id="tableDevicesTitle" class="box-title text-gray "></h3>  
-              </div>    
+                <h3 id="tableDevicesTitle" class="box-title text-gray "></h3>
+              </div>
              <div  class="dummyDevice col-sm-4 ">
                <span id="multiEditPlc">
                  <!-- multi edit button placeholder -->
@@ -91,8 +104,8 @@
            <div class="box-body table-responsive">
              <table id="tableDevices" class="table table-bordered table-hover table-striped">
                <thead>
-                <tr>                
-                  
+                <tr>
+
                </tr>
                </thead>
              </table>
@@ -109,7 +122,7 @@
 <!-- ----------------------------------------------------------------------- -->
    </section>
    <!-- /.content -->
-    
+
  </div>
  <!-- /.content-wrapper -->

@@ -123,9 +136,9 @@
 <!-- page script ----------------------------------------------------------- -->
 <script>
  var deviceStatus    = 'all';
-  var tableRows       = getCache ("nax_parTableRows") == "" ? parseInt(getSetting("UI_DEFAULT_PAGE_SIZE")) : getCache ("nax_parTableRows") ;
+
  var tableOrder      = getCache ("nax_parTableOrder") == "" ? [[3,'desc'], [0,'asc']] : JSON.parse(getCache ("nax_parTableOrder")) ;
-  
+
  var tableColumnHide = [];
  var tableColumnOrder = [];
  var tableColumnVisible = [];
@@ -148,7 +161,7 @@ function main () {

  //initialize the table headers in the correct order
  var availableColumns = getSettingOptions("UI_device_columns").split(",");
-  headersDefaultOrder = availableColumns.map(val => getString(val));  
+  headersDefaultOrder = availableColumns.map(val => getString(val));

  var selectedColumns = JSON.parse(getSetting("UI_device_columns").replace(/'/g, '"'));

@@ -177,10 +190,10 @@ function main () {

  // Initialize components with parameters
  initializeDatatable(getUrlAnchor('my_devices'));
-  
+
  // check if data outdated and show spinner if so
  handleLoadingDialog()
-  
+
 }

 // -----------------------------------------------------------------------------
@@ -189,7 +202,7 @@ function mapIndx(oldIndex)
 {
  // console.log(oldIndex);
  // console.log(tableColumnOrder);
-  
+
  for(i=0;i<tableColumnOrder.length;i++)
  {
    if(tableColumnOrder[i] == oldIndex)
@@ -298,7 +311,7 @@ function processDeviceTotals(devicesData) {
    }
  });

-  // Render info boxes/tile cards  
+  // Render info boxes/tile cards
  renderInfoboxes(dataArray);
 }

@@ -337,9 +350,9 @@ function initFilters() {
            nocache: Date.now() // Prevent caching with a timestamp
        },
        success: function(response) {
-            if (response && response.data) {                
-                
-                let resultJSON = response.data; 
+            if (response && response.data) {
+
+                let resultJSON = response.data;

                // Save the result to cache
                setCache("devicesFilters", JSON.stringify(resultJSON));
@@ -368,7 +381,7 @@ function initFilters() {
                    });

                    // Filter resultJSON to include only entries with columnName in columnFilters
-                    resultJSON = resultJSON.filter(entry => 
+                    resultJSON = resultJSON.filter(entry =>
                        columnFilters.some(filter => filter[0] === entry.columnName)
                    );

@@ -438,7 +451,7 @@ function initFilters() {
 function renderFilters(customData) {

  // console.log(JSON.stringify(customData));
-  
+
  // Load filter data from the JSON file
  $.ajax({
    url: 'php/components/devices_filters.php', // PHP script URL
@@ -458,7 +471,7 @@ function renderFilters(customData) {

          // Update DataTable with the new filters or search value (if applicable)
          $('#tableDevices').DataTable().draw();
-          
+
          // Optionally, apply column filters (if using filters for individual columns)
          const table = $('#tableDevices').DataTable();
          table.columnFilters = columnFilters;  // Apply your column filters logic
@@ -480,11 +493,11 @@ function collectFilters() {
    // Loop through each filter group
    document.querySelectorAll('.filter-group').forEach(filterGroup => {
        const dropdown = filterGroup.querySelector('.filter-dropdown');
-        
+
        if (dropdown) {
            const filterColumn = dropdown.getAttribute('data-column');
            const filterValue = dropdown.value;
-            
+
            if (filterValue && filterColumn) {
                columnFilters.push({
                    filterColumn: filterColumn,
@@ -535,7 +548,7 @@ function mapColumnIndexToFieldName(index, tableColumnVisible) {
    "devReqNicsOnline"         // 29
  ];

-  // console.log("OrderBy: " + columnNames[tableColumnOrder[index]]);  
+  // console.log("OrderBy: " + columnNames[tableColumnOrder[index]]);

  return columnNames[tableColumnOrder[index]] || null;
 }
@@ -544,12 +557,15 @@ function mapColumnIndexToFieldName(index, tableColumnVisible) {
 // ---------------------------------------------------------
 // Initializes the main devices list datatable
 function initializeDatatable (status) {
-  
+
  if(!status)
  {
    status = 'my_devices'
  }

+  // retrieve page size
+  var tableRows       = getCache ("nax_parTableRows") == "" ? parseInt(getSetting("UI_DEFAULT_PAGE_SIZE")) : getCache ("nax_parTableRows") ;
+
  // Save status selected
  deviceStatus = status;

@@ -566,7 +582,7 @@ function initializeDatatable (status) {
    case 'all_devices':     tableTitle = getString('Gen_All_Devices');             color = 'gray';    break;
    case 'network_devices': tableTitle = getString('Network_Devices');             color = 'aqua';    break;
    default:                tableTitle = getString('Device_Shortcut_Devices');     color = 'gray';    break;
-  } 
+  }

  // Set title and color
  $('#tableDevicesTitle')[0].className = 'box-title text-'+ color;
@@ -575,23 +591,23 @@ function initializeDatatable (status) {

  // render table headers
  html = '';
-                                  
+
  for(index = 0; index < tableColumnOrder.length; index++)
  {
    html += '<th>' + headersDefaultOrder[tableColumnOrder[index]] + '</th>';
  }

-  $('#tableDevices tr').html(html);  
+  $('#tableDevices tr').html(html);

  hideUIelements("UI_DEV_SECTIONS")

  for(i = 0; i < tableColumnOrder.length; i++)
-  {    
-    // hide this column if not in the tableColumnVisible variable (we need to keep the MAC address (index 11) for functionality reasons)    
+  {
+    // hide this column if not in the tableColumnVisible variable (we need to keep the MAC address (index 11) for functionality reasons)
    if(tableColumnVisible.includes(tableColumnOrder[i]) == false)
    {
      tableColumnHide.push(mapIndx(tableColumnOrder[i]));
-    }    
+    }
  }

  var table = $('#tableDevices').DataTable({
@@ -677,7 +693,7 @@ function initializeDatatable (status) {
              "status": deviceStatus,
              "filters" : columnFilters
            }
-            
+
          }
        };

@@ -753,8 +769,8 @@ function initializeDatatable (status) {

    // Parameters
    'pageLength'   : tableRows,
-    'order'        : tableOrder,   
-    'select'       : true, // Enable selection   
+    'order'        : tableOrder,
+    'select'       : true, // Enable selection

    'fixedHeader': true,
    'fixedHeader': {
@@ -763,19 +779,19 @@ function initializeDatatable (status) {
    },

    'columnDefs'   : [
-      {visible:   false,         targets: tableColumnHide },      
-      {className: 'text-center', targets: [mapIndx(4), mapIndx(9), mapIndx(10), mapIndx(15), mapIndx(18)] },      
-      {className: 'iconColumn text-center',  targets: [mapIndx(3)]},      
-      {width:     '80px',        targets: [mapIndx(6), mapIndx(7), mapIndx(15), mapIndx(27)] },      
-      {width:     '85px',        targets: [mapIndx(9)] },      
-      {width:     '30px',        targets: [mapIndx(3), mapIndx(10), mapIndx(13), mapIndx(18)] },      
+      {visible:   false,         targets: tableColumnHide },
+      {className: 'text-center', targets: [mapIndx(4), mapIndx(9), mapIndx(10), mapIndx(15), mapIndx(18)] },
+      {className: 'iconColumn text-center',  targets: [mapIndx(3)]},
+      {width:     '80px',        targets: [mapIndx(6), mapIndx(7), mapIndx(15), mapIndx(27)] },
+      {width:     '85px',        targets: [mapIndx(9)] },
+      {width:     '30px',        targets: [mapIndx(3), mapIndx(10), mapIndx(13), mapIndx(18)] },
      {orderData: [mapIndx(12)],          targets: mapIndx(8) },

      // Device Name and FQDN
      {targets: [mapIndx(0), mapIndx(27)],
-        'createdCell': function (td, cellData, rowData, row, col) {    
-                      
-            // console.log(cellData)      
+        'createdCell': function (td, cellData, rowData, row, col) {
+
+            // console.log(cellData)
            $(td).html (
              `<b class="anonymizeDev "
              >
@@ -798,9 +814,9 @@ function initializeDatatable (status) {
            );
      } },

-      // Connected Devices       
+      // Connected Devices
      {targets: [mapIndx(15)],
-        'createdCell': function (td, cellData, rowData, row, col) {                   
+        'createdCell': function (td, cellData, rowData, row, col) {
          // check if this is a network device
          if(getSetting("NETWORK_DEVICE_TYPES").includes(`'${rowData[mapIndx(2)]}'`)   )
          {
@@ -810,13 +826,13 @@ function initializeDatatable (status) {
          {
            $(td).html (`<i class="fa-solid fa-xmark" title="${getString("Device_Table_Not_Network_Device")}"></i>`)
          }
-            
+
      } },

-      // Icon      
+      // Icon
      {targets: [mapIndx(3)],
        'createdCell': function (td, cellData, rowData, row, col) {
-         
+
          if (!emptyArr.includes(cellData)){
            $(td).html (atob(cellData));
          } else {
@@ -824,7 +840,7 @@ function initializeDatatable (status) {
          }
      } },

-      // Full MAC      
+      // Full MAC
      {targets: [mapIndx(11)],
        'createdCell': function (td, cellData, rowData, row, col) {
          if (!emptyArr.includes(cellData)){
@@ -833,8 +849,8 @@ function initializeDatatable (status) {
            $(td).html ('');
          }
      } },
-      
-      // IP address     
+
+      // IP address
      {targets: [mapIndx(8)],
        'createdCell': function (td, cellData, rowData, row, col) {
            if (!emptyArr.includes(cellData)){
@@ -851,9 +867,9 @@ function initializeDatatable (status) {
            } else {
              $(td).html ('');
            }
-        } 
+        }
      },
-      // IP address (ordeable)     
+      // IP address (ordeable)
      {targets: [mapIndx(12)],
        'createdCell': function (td, cellData, rowData, row, col) {
            if (!emptyArr.includes(cellData)){
@@ -861,10 +877,10 @@ function initializeDatatable (status) {
            } else {
              $(td).html ('');
            }
-        } 
+        }
      },

-      // Custom Properties     
+      // Custom Properties
      {targets: [mapIndx(26)],
        'createdCell': function (td, cellData, rowData, row, col) {
            if (!emptyArr.includes(cellData)){
@@ -872,10 +888,10 @@ function initializeDatatable (status) {
            } else {
              $(td).html ('');
            }
-        } 
+        }
      },
-      
-      // Favorite      
+
+      // Favorite
      {targets: [mapIndx(4)],
        'createdCell': function (td, cellData, rowData, row, col) {
          if (cellData == 1){
@@ -884,8 +900,8 @@ function initializeDatatable (status) {
            $(td).html ('');
          }
      } },
-        
-      // Dates      
+
+      // Dates
      {targets: [mapIndx(6), mapIndx(7)],
        'createdCell': function (td, cellData, rowData, row, col) {
          var result = cellData.toString(); // Convert to string
@@ -895,7 +911,7 @@ function initializeDatatable (status) {
          $(td).html (translateHTMLcodes (result));
      } },

-      // Random MAC      
+      // Random MAC
      {targets: [mapIndx(9)],
        'createdCell': function (td, cellData, rowData, row, col) {
          // console.log(cellData)
@@ -906,7 +922,7 @@ function initializeDatatable (status) {
          }
      } },

-      // Parent Mac      
+      // Parent Mac
      {targets: [mapIndx(14)],
        'createdCell': function (td, cellData, rowData, row, col) {
          if (!isValidMac(cellData)) {
@@ -925,13 +941,13 @@ function initializeDatatable (status) {

          const chipHtml = renderDeviceLink(data, spanWrap, true); // pass the td as container

-          $(spanWrap).append(chipHtml); 
-        } 
+          $(spanWrap).append(chipHtml);
+        }
      },
-      // Status color      
+      // Status color
      {targets: [mapIndx(10)],
        'createdCell': function (td, cellData, rowData, row, col) {
-          
+
          tmp_devPresentLastScan = rowData[mapIndx(24)]
          tmp_devAlertDown = rowData[mapIndx(25)]

@@ -941,11 +957,11 @@ function initializeDatatable (status) {
            rowData[mapIndx(11)],  // MAC
            cellData               // optional text
          );
-      
+
          $(td).html (`<a href="${badge.url}" class="badge ${badge.cssClass}">${badge.iconHtml} ${badge.text}</a>`);
      } },
    ],
-    
+
    // Processing
    'processing'  : true,
    'language'    : {
@@ -965,7 +981,7 @@ function initializeDatatable (status) {
      $('#tableDevices').on( 'length.dt', function ( e, settings, len ) {
            setCache ("nax_parTableRows", len, 129600); // save for 90 days
          } );
-            
+
          $('#tableDevices').on( 'order.dt', function () {
            setCache ("nax_parTableOrder", JSON.stringify (table.order()), 129600); // save for 90 days
          } );
@@ -985,12 +1001,12 @@ function initializeDatatable (status) {
                // Toggle visibility of element with ID 'multiEdit'
                $('#multiEdit').toggle(anyRowSelected);
            }, 100);
-            
+
          });

          // search only after idle
          var typingTimer;  // Timer identifier
-          var debounceTime = 500;  // Delay in milliseconds
+          var debounceTime = 750;  // Delay in milliseconds

          $('input[aria-controls="tableDevices"]').off().on('keyup', function () {
              clearTimeout(typingTimer);  // Clear the previous timer
@@ -1001,59 +1017,59 @@ function initializeDatatable (status) {
              }, debounceTime);
          });

-          initHoverNodeInfo(); 
+          initHoverNodeInfo();
          hideSpinner();
-          
+
    },
    createdRow: function(row, data, dataIndex) {
        // add devMac to the table row
-        $(row).attr('my-devMac', data[mapIndx(11)]); 
-                
+        $(row).attr('my-devMac', data[mapIndx(11)]);
+
    }
-    
-  });  
+
+  });
 }


 // -----------------------------------------------------------------------------
 function handleLoadingDialog(needsReload = false)
 {
-  // console.log(`needsReload: ${needsReload}`); 
+  // console.log(`needsReload: ${needsReload}`);

-  $.get('php/server/query_logs.php?file=execution_queue.log&nocache=' + Date.now(), function(data) {     
+  $.get('php/server/query_logs.php?file=execution_queue.log&nocache=' + Date.now(), function(data) {

    if(data.includes("update_api|devices"))
-    {       
+    {
      showSpinner("devices_old")

      setTimeout(handleLoadingDialog(true), 1000);

    } else if (needsReload)
-    {    
-      location.reload();     
+    {
+      location.reload();
    }else
    {
-      // hideSpinner();     
-    }      
+      // hideSpinner();
+    }

  })
-  
+
 }

 // -----------------------------------------------------------------------------
-// Function collects selected devices in the DataTable and redirects the user to 
-// the Miantenance section with a 'macs' query string identifying selected devices 
+// Function collects selected devices in the DataTable and redirects the user to
+// the Miantenance section with a 'macs' query string identifying selected devices
 function multiEditDevices()
 {
  // get selected devices
  var selectedDevicesDataTableData = $('#tableDevices').DataTable().rows({ selected: true, page: 'current' }).data().toArray();

  console.log(selectedDevicesDataTableData);
- 
+
  macs = ""

  for (var j = 0; j < selectedDevicesDataTableData.length; j++) {
-    macs += selectedDevicesDataTableData[j][mapIndx(11)] + ",";  // [11] == MAC    
+    macs += selectedDevicesDataTableData[j][mapIndx(11)] + ",";  // [11] == MAC
  }

  // redirect to the Maintenance section
@@ -1062,7 +1078,7 @@ function multiEditDevices()


 // -----------------------------------------------------------------------------
-// Function collects shown devices from the DataTable  
+// Function collects shown devices from the DataTable
 function getMacsOfShownDevices() {
  var table = $('#tableDevices').DataTable();

@@ -1083,15 +1099,15 @@ function getMacsOfShownDevices() {


 // -----------------------------------------------------------------------------
-// Handle custom actions/properties on a device    
+// Handle custom actions/properties on a device
 function renderCustomProps(custProps, mac) {
  // Decode and parse the custom properties

  if (!isBase64(custProps)) {

-    console.error(`Unable to decode CustomProps for ${mac}`);    
-    console.error(custProps);    
-    
+    console.error(`Unable to decode CustomProps for ${mac}`);
+    console.error(custProps);
+
  } else{
    const props = JSON.parse(atob(custProps));
    let html = "";
@@ -1137,13 +1153,13 @@ function renderCustomProps(custProps, mac) {


 // -----------------------------------------------------------------------------
-// Update cache with shown devices before navigating away    
+// Update cache with shown devices before navigating away
 window.addEventListener('beforeunload', function(event) {
    // Call your function here
    macs = getMacsOfShownDevices();

    setCache("ntx_visible_macs", macs)
-  
+
 });

 </script>
--- a/front/js/common.js
+++ b/front/js/common.js
@@ -1,6 +1,6 @@
 /* -----------------------------------------------------------------------------
 *  NetAlertX
-*  Open Source Network Guard / WIFI & LAN intrusion detector 
+*  Open Source Network Guard / WIFI & LAN intrusion detector
 *
 *  common.js - Front module. Common Javascript functions
 *-------------------------------------------------------------------------------
@@ -12,7 +12,7 @@ var timerRefreshData = ''

 var   emptyArr      = ['undefined', "", undefined, null, 'null'];
 var   UI_LANG       = "English (en_us)";
-const allLanguages  = ["ar_ar","ca_ca","cs_cz","de_de","en_us","es_es","fa_fa","fr_fr","it_it","nb_no","pl_pl","pt_br","pt_pt","ru_ru","tr_tr","uk_ua","zh_cn"]; // needs to be same as in lang.php
+const allLanguages  = ["ar_ar","ca_ca","cs_cz","de_de","en_us","es_es","fa_fa","fr_fr","it_it","ja_jp","nb_no","pl_pl","pt_br","pt_pt","ru_ru","sv_sv","tr_tr","uk_ua","zh_cn"]; // needs to be same as in lang.php
 var   settingsJSON  = {}


@@ -35,16 +35,16 @@ function getCache(key, noCookie = false)
    // }
  }

-  return "";  
+  return "";
 }

 // -----------------------------------------------------------------------------
 function setCache(key, data, expirationMinutes='')
 {
-  localStorage.setItem(key, data);  
+  localStorage.setItem(key, data);

  // // create cookie if expiration set to handle refresh of data
-  // if (expirationMinutes != '') 
+  // if (expirationMinutes != '')
  // {
  //   setCookie ('cache_session_expiry', 'OK', 1)
  // }
@@ -57,7 +57,7 @@ function setCookie (cookie, value, expirationMinutes='') {
  var expires = '';
  if (typeof expirationMinutes === 'number') {
    expires = ';expires=' + new Date(Date.now() + expirationMinutes *60*1000).toUTCString();
-  } 
+  }

  // Save Cookie
  document.cookie = cookie + "=" + value + expires;
@@ -107,42 +107,42 @@ function deleteAllCookies() {


 // -----------------------------------------------------------------------------
-// Get settings from the .json file generated by the python backend 
-// and cache them, if available, with options 
+// Get settings from the .json file generated by the python backend
+// and cache them, if available, with options
 // -----------------------------------------------------------------------------
 function cacheSettings()
 {
  return new Promise((resolve, reject) => {
    if(!getCache('cacheSettings_completed') === true)
-    {  
-      $.get('php/server/query_json.php', { file: 'table_settings.json', nocache: Date.now() }, function(resSet) { 
+    {
+      $.get('php/server/query_json.php', { file: 'table_settings.json', nocache: Date.now() }, function(resSet) {

        $.get('php/server/query_json.php', { file: 'plugins.json', nocache: Date.now() }, function(resPlug) {
-       
-          pluginsData = resPlug["data"]; 
-          settingsData = resSet["data"];  

-          settingsData.forEach((set) => {  
+          pluginsData = resPlug["data"];
+          settingsData = resSet["data"];
+
+          settingsData.forEach((set) => {

            resolvedOptions = createArray(set.setOptions)
            resolvedOptionsOld = resolvedOptions
            setPlugObj     = {};
            options_params = [];
            resolved = ""
-          
+
            // proceed only if first option item contains something to resolve
-            if( !set.setKey.includes("__metadata") && 
-                resolvedOptions.length != 0 && 
+            if( !set.setKey.includes("__metadata") &&
+                resolvedOptions.length != 0 &&
                resolvedOptions[0].includes("{value}"))
            {
              // get setting definition from the plugin config if available
              setPlugObj = getPluginSettingObject(pluginsData, set.setKey)

-              // check if options contains parameters and resolve 
+              // check if options contains parameters and resolve
              if(setPlugObj != {} && setPlugObj["options_params"])
              {
                // get option_params for {value} resolution
-                options_params = setPlugObj["options_params"]      
+                options_params = setPlugObj["options_params"]

                if(options_params != [])
                {
@@ -154,19 +154,19 @@ function cacheSettings()
                  {
                    resolvedOptions = `[${resolved}]`
                  } else // one value only
-                  { 
+                  {
                    resolvedOptions = `["${resolved}"]`
-                  }                  
+                  }
                }
-              }    
+              }
            }

-            setCache(`nax_set_${set.setKey}`, set.setValue)             
-            setCache(`nax_set_opt_${set.setKey}`, resolvedOptions) 
+            setCache(`nax_set_${set.setKey}`, set.setValue)
+            setCache(`nax_set_opt_${set.setKey}`, resolvedOptions)
          });
        }).then(() => handleSuccess('cacheSettings', resolve())).catch(() => handleFailure('cacheSettings', reject("cacheSettings already completed")));    // handle AJAX synchronization
      })
-    } 
+    }
  });
 }

@@ -176,7 +176,7 @@ function getSettingOptions (key) {

  // handle initial load to make sure everything is set-up and cached
  // handleFirstLoad()
- 
+
  result = getCache(`nax_set_opt_${key}`, true);

  if (result == "")
@@ -194,7 +194,7 @@ function getSetting (key) {

  // handle initial load to make sure everything is set-up and cached
  // handleFirstLoad()
- 
+
  result = getCache(`nax_set_${key}`, true);

  if (result == "")
@@ -210,7 +210,7 @@ function getSetting (key) {
 // -----------------------------------------------------------------------------
 function cacheStrings() {
  return new Promise((resolve, reject) => {
-    
+
      // Create a promise for each language (include en_us by default as fallback)
      languagesToLoad = ['en_us']

@@ -222,11 +222,11 @@ function cacheStrings() {
      }

      console.log(languagesToLoad);
-      
+
      const languagePromises = languagesToLoad.map((language_code) => {
        return new Promise((resolveLang, rejectLang) => {
          // Fetch core strings and translations
-          
+
          $.get(`php/templates/language/${language_code}.json?nocache=${Date.now()}`)
            .done((res) => {
              // Iterate over each key-value pair and store the translations
@@ -238,7 +238,7 @@ function cacheStrings() {
              $.get('php/server/query_json.php', { file: 'table_plugins_language_strings.json', nocache: Date.now() })
                .done((pluginRes) => {
                  const data = pluginRes["data"];
-                  
+
                  // Store plugin translations
                  data.forEach((langString) => {
                    setCache(`pia_lang_${langString.String_Key}_${langString.Language_Code}`, langString.String_Value);
@@ -269,7 +269,7 @@ function cacheStrings() {
          // Handle failure in any of the language processing
          handleFailure('cacheStrings', reject);
        });
-    
+
  });
 }

@@ -278,7 +278,7 @@ function cacheStrings() {
 function getString(key) {

  function fetchString(key) {
-    
+
    lang_code = getLangCode();

    let result = getCache(`pia_lang_${key}_${lang_code}`, true);
@@ -337,9 +337,15 @@ function getLangCode() {
      case 'Turkish (tr_tr)':
        lang_code = 'tr_tr';
        break;
+      case 'Swedish (sv_sv)':
+        lang_code = 'sv_sv';
+        break;
      case 'Italian (it_it)':
        lang_code = 'it_it';
        break;
+      case 'Japanese (ja_jp)':
+        lang_code = 'ja_jp';
+        break;
      case 'Russian (ru_ru)':
        lang_code = 'ru_ru';
        break;
@@ -372,7 +378,7 @@ function localizeTimestamp(input) {
  let tz = getSetting("TIMEZONE") || 'Europe/Berlin';
  input = String(input || '').trim();

-  // ✅ 1. Unix timestamps (10 or 13 digits)
+  // 1. Unix timestamps (10 or 13 digits)
  if (/^\d+$/.test(input)) {
    const ms = input.length === 10 ? parseInt(input, 10) * 1000 : parseInt(input, 10);
    return new Intl.DateTimeFormat('default', {
@@ -383,39 +389,53 @@ function localizeTimestamp(input) {
    }).format(new Date(ms));
  }

-  // ✅ 2. European DD/MM/YYYY
+  // 2. European DD/MM/YYYY
  let match = input.match(/^(\d{1,2})\/(\d{1,2})\/(\d{4})(?:[ ,]+(\d{1,2}:\d{2}(?::\d{2})?))?(.*)$/);
  if (match) {
-    let [ , d, m, y, t = "00:00:00", tzPart = "" ] = match;
+    let [, d, m, y, t = "00:00:00", tzPart = ""] = match;
    const iso = `${y}-${m.padStart(2,'0')}-${d.padStart(2,'0')}T${t.length===5?t+":00":t}${tzPart}`;
    return formatSafe(iso, tz);
  }

-  // ✅ 3. US MM/DD/YYYY
+  // 3. US MM/DD/YYYY
  match = input.match(/^(\d{1,2})\/(\d{1,2})\/(\d{4})(?:[ ,]+(\d{1,2}:\d{2}(?::\d{2})?))?(.*)$/);
  if (match) {
-    let [ , m, d, y, t = "00:00:00", tzPart = "" ] = match;
+    let [, m, d, y, t = "00:00:00", tzPart = ""] = match;
    const iso = `${y}-${m.padStart(2,'0')}-${d.padStart(2,'0')}T${t.length===5?t+":00":t}${tzPart}`;
    return formatSafe(iso, tz);
  }

-  // ✅ 4. ISO-style (with T, Z, offsets)
-  match = input.match(/^(\d{4}-\d{1,2}-\d{1,2})[ T](\d{1,2}:\d{2}(?::\d{2})?)(Z|[+-]\d{2}:?\d{2})?$/);
+  // 4. ISO YYYY-MM-DD with optional Z/+offset
+  match = input.match(/^(\d{4})-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])[ T](\d{1,2}:\d{2}(?::\d{2})?)(Z|[+-]\d{2}:?\d{2})?$/);
  if (match) {
-    let [ , ymd, time, offset = "" ] = match;
-    // normalize to YYYY-MM-DD
-    let [y, m, d] = ymd.split('-').map(x => x.padStart(2,'0'));
+    let [, y, m, d, time, offset = ""] = match;
    const iso = `${y}-${m}-${d}T${time.length===5?time+":00":time}${offset}`;
    return formatSafe(iso, tz);
  }

-  // ✅ 5. RFC2822 / "25 Aug 2025 13:45:22 +0200"
+  // 5. RFC2822 / "25 Aug 2025 13:45:22 +0200"
  match = input.match(/^\d{1,2} [A-Za-z]{3,} \d{4}/);
  if (match) {
    return formatSafe(input, tz);
  }

-  // ✅ 6. Fallback (whatever Date() can parse)
+  // 6. DD-MM-YYYY with optional time
+  match = input.match(/^(\d{1,2})-(\d{1,2})-(\d{4})(?:[ T](\d{1,2}:\d{2}(?::\d{2})?))?$/);
+  if (match) {
+    let [, d, m, y, time = "00:00:00"] = match;
+    const iso = `${y}-${m.padStart(2,'0')}-${d.padStart(2,'0')}T${time.length===5?time+":00":time}`;
+    return formatSafe(iso, tz);
+  }
+
+  // 7. Strict YYYY-DD-MM with optional time
+  match = input.match(/^(\d{4})-(0[1-9]|[12]\d|3[01])-(0[1-9]|1[0-2])(?:[ T](\d{1,2}:\d{2}(?::\d{2})?))?$/);
+  if (match) {
+    let [, y, d, m, time = "00:00:00"] = match;
+    const iso = `${y}-${m}-${d}T${time.length === 5 ? time + ":00" : time}`;
+    return formatSafe(iso, tz);
+  }
+
+  // 8. Fallback
  return formatSafe(input, tz);

  function formatSafe(str, tz) {
@@ -434,6 +454,7 @@ function localizeTimestamp(input) {
 }


+
 // ----------------------------------------------------
 /**
 * Replaces double quotes within single-quoted strings, then converts all single quotes to double quotes,
@@ -494,11 +515,39 @@ function isValidBase64(str) {
 // -------------------------------------------------------------------
 // Utility function to check if the value is already Base64
 function isBase64(value) {
-  const base64Regex =
-    /^(?:[A-Za-z0-9+\/]{4})*?(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;
-  return base64Regex.test(value);
+  if (typeof value !== "string" || value.trim() === "") return false;
+
+  // Must have valid length
+  if (value.length % 4 !== 0) return false;
+
+  // Valid Base64 characters
+  const base64Regex = /^[A-Za-z0-9+/]+={0,2}$/;
+  if (!base64Regex.test(value)) return false;
+
+
+  try {
+    const decoded = atob(value);
+
+    // Re-encode
+    const reencoded = btoa(decoded);
+
+    if (reencoded !== value) return false;
+
+    // Extra verification:
+    // Ensure decoding didn't silently drop bytes (atob bug)
+    // Encode raw bytes: check if large char codes exist (invalid UTF-16)
+    for (let i = 0; i < decoded.length; i++) {
+      const code = decoded.charCodeAt(i);
+      if (code > 255) return false; // invalid binary byte
+    }
+
+    return true;
+  } catch (e) {
+    return false;
+  }
 }

+
 // ----------------------------------------------------
 function isValidJSON(jsonString) {
  try {
@@ -534,7 +583,7 @@ function decodeSpecialChars(str) {
 function utf8ToBase64(str) {
  // Convert the string to a Uint8Array using TextEncoder
  const utf8Bytes = new TextEncoder().encode(str);
-  
+
  // Convert the Uint8Array to a base64-encoded string
  return btoa(String.fromCharCode(...utf8Bytes));
 }
@@ -563,31 +612,31 @@ function handle_locked_DB(data)
 {
  if(data.includes('database is locked'))
  {
-    // console.log(data)    
+    // console.log(data)
    showSpinner()

    setTimeout(function() {
      console.warn("Database locked - reload")
-      location.reload(); 
+      location.reload();
    }, 5000);
  }
 }

 // -----------------------------------------------------------------------------
 function numberArrayFromString(data)
-{  
+{
  data = JSON.parse(sanitize(data));
  return data.replace(/\[|\]/g, '').split(',').map(Number);
 }

-// -----------------------------------------------------------------------------  
+// -----------------------------------------------------------------------------
 function saveData(functionName, id, value) {
  $.ajax({
    method: "GET",
    url: "php/server/devices.php",
    data: { action: functionName, id: id, value:value  },
-    success: function(data) {      
-        
+    success: function(data) {
+
        if(sanitize(data) == 'OK')
        {
          showMessage("Saved")
@@ -596,7 +645,7 @@ function saveData(functionName, id, value) {
        } else
        {
          showMessage("ERROR")
-        }        
+        }

      }
  });
@@ -636,13 +685,13 @@ function sleep(milliseconds) {
  } while (currentDate - date < milliseconds);
 }

-// --------------------------------------------------------- 
+// ---------------------------------------------------------
 somethingChanged = false;
 function settingsChanged()
 {
  somethingChanged = true;
  // Enable navigation prompt ... "Are you sure you want to leave..."
-  window.onbeforeunload = function() {  
+  window.onbeforeunload = function() {
    return true;
  };
 }
@@ -660,16 +709,16 @@ function getUrlAnchor(defaultValue){
    selectedTab = defaultValue

    // the #target from the url
-    target = window.location.hash.substr(1) 
+    target = window.location.hash.substr(1)

    // get only the part between #...?
    if(target.includes('?'))
    {
      target = target.split('?')[0]
    }
-  
+
    return target
-  
+
  }

 }
@@ -681,7 +730,7 @@ function getQueryString(key){
    get: (searchParams, prop) => searchParams.get(prop),
  });

-  tmp = params[key] 
+  tmp = params[key]

  if(emptyArr.includes(tmp))
  {
@@ -692,17 +741,17 @@ function getQueryString(key){

    if (fullUrl.includes('?')) {
      var queryString = fullUrl.split('?')[1];
-  
+
      // Split the query string into individual parameters
      var paramsArray = queryString.split('&');
-  
+
      // Loop through the parameters array
      paramsArray.forEach(function(param) {
          // Split each parameter into key and value
          var keyValue = param.split('=');
          var keyTmp = decodeURIComponent(keyValue[0]);
          var value = decodeURIComponent(keyValue[1] || '');
-  
+
          // Store key-value pair in the queryParams object
          queryParams[keyTmp] = value;
      });
@@ -716,7 +765,7 @@ function getQueryString(key){
  result = emptyArr.includes(tmp) ? "" : tmp;

  return result
-}  
+}
 // -----------------------------------------------------------------------------
 function translateHTMLcodes (text) {
  if (text == null || emptyArr.includes(text)) {
@@ -735,14 +784,14 @@ function translateHTMLcodes (text) {
 // -----------------------------------------------------------------------------
 function stopTimerRefreshData () {
  try {
-    clearTimeout (timerRefreshData); 
+    clearTimeout (timerRefreshData);
  } catch (e) {}
 }


 // -----------------------------------------------------------------------------
 function newTimerRefreshData (refeshFunction, timeToRefresh) {
-  
+
  if(timeToRefresh && (timeToRefresh != 0 || timeToRefresh != ""))
  {
    time = parseInt(timeToRefresh)
@@ -779,7 +828,7 @@ function openInNewTab (url) {
  window.open(url, "_blank");
 }

-// ----------------------------------------------------------------------------- 
+// -----------------------------------------------------------------------------
 // Navigate to URL if the current URL is not in the provided list of URLs
 function openUrl(urls) {
  var currentUrl = window.location.href;
@@ -810,21 +859,21 @@ function openUrl(urls) {
 function forceLoadUrl(relativeUrl) {

  window.location.replace(relativeUrl);
-  window.location.reload()  
-  
+  window.location.reload()
+
 }

 // -----------------------------------------------------------------------------
 function navigateToDeviceWithIp (ip) {

-  $.get('php/server/query_json.php', { file: 'table_devices.json', nocache: Date.now() }, function(res) {    
-        
+  $.get('php/server/query_json.php', { file: 'table_devices.json', nocache: Date.now() }, function(res) {
+
    devices = res["data"];

    mac = ""
-    
+
    $.each(devices, function(index, obj) {
-      
+
      if(obj.devLastIP.trim() == ip.trim())
      {
        mac = obj.devMac;
@@ -832,7 +881,7 @@ function navigateToDeviceWithIp (ip) {
        window.open('./deviceDetails.php?mac=' + mac , "_blank");
      }
    });
-    
+
  });
 }

@@ -864,7 +913,7 @@ function getMac(){
  });

  return params.mac
-}  
+}

 // -----------------------------------------------------------------------------
 // A function used to make the IP address orderable
@@ -916,7 +965,7 @@ function isRandomMAC(mac)
 {
  isRandom = false;

-  isRandom = ["2", "6", "A", "E", "a", "e"].includes(mac[1]); 
+  isRandom = ["2", "6", "A", "E", "a", "e"].includes(mac[1]);

  // if detected as random, make sure it doesn't start with a prefix which teh suer doesn't want to mark as random
  if(isRandom)
@@ -925,17 +974,17 @@ function isRandomMAC(mac)

      if(mac.startsWith(prefix))
      {
-        isRandom = false;     
-      }    
-      
+        isRandom = false;
+      }
+
    });
-    
+
  }

  return isRandom;
 }

-  // ---------------------------------------------------------  
+  // ---------------------------------------------------------
  // Generate an array object from a string representation of an array
  function createArray(input) {
    // Is already array, return
@@ -946,25 +995,25 @@ function isRandomMAC(mac)
    if (input === '[]' || input === '') {
      return [];
    }
-    // handle integer 
+    // handle integer
    if (typeof input === 'number') {
      input = input.toString();
    }
-  
+
    // Regex pattern for brackets
    const patternBrackets = /(^\s*\[)|(\]\s*$)/g;
    const replacement = '';
-  
+
    // Remove brackets
    const noBrackets = input.replace(patternBrackets, replacement);
-  
+
    const options = [];
-  
+
    // Detect the type of quote used after the opening bracket
    const firstChar = noBrackets.trim()[0];
    const isDoubleQuoted = firstChar === '"';
    const isSingleQuoted = firstChar === "'";
-  
+
    // Create array while handling commas within quoted segments
    let currentSegment = '';
    let withinQuotes = false;
@@ -982,7 +1031,7 @@ function isRandomMAC(mac)
    }
    // Push the last segment
    options.push(currentSegment.trim());
-  
+
    // Remove quotes based on detected type
    options.forEach((item, index) => {
      let trimmedItem = item.trim();
@@ -994,7 +1043,7 @@ function isRandomMAC(mac)
      }
      options[index] = trimmedItem;
    });
-  
+
    return options;
  }

@@ -1003,7 +1052,7 @@ function isRandomMAC(mac)
 //  for the value to be returned
 function getDevDataByMac(macAddress, dbColumn) {

-  const sessionDataKey = 'devicesListAll_JSON';  
+  const sessionDataKey = 'devicesListAll_JSON';
  const devicesCache = getCache(sessionDataKey);

  if (!devicesCache || devicesCache == "") {
@@ -1034,11 +1083,11 @@ function getDevDataByMac(macAddress, dbColumn) {
 // -----------------------------------------------------------------------------
 // Cache the devices as one JSON
 function cacheDevices()
-{ 
+{
  return new Promise((resolve, reject) => {

-    $.get('php/server/query_json.php', { file: 'table_devices.json', nocache: Date.now() }, function(data) {    
-        
+    $.get('php/server/query_json.php', { file: 'table_devices.json', nocache: Date.now() }, function(data) {
+
        // console.log(data)

        devicesListAll_JSON = data["data"]
@@ -1059,11 +1108,11 @@ function cacheDevices()

        // console.log(getCache('devicesListAll_JSON'))
      }).then(() => handleSuccess('cacheDevices', resolve())).catch(() => handleFailure('cacheDevices', reject("cacheDevices already completed"))); // handle AJAX synchronization
-    } 
+    }
  );
 }

-var devicesListAll_JSON      = [];   // this will contain a list off all devices 
+var devicesListAll_JSON      = [];   // this will contain a list off all devices

 // -----------------------------------------------------------------------------
 function isEmpty(value)
@@ -1093,7 +1142,7 @@ function getGuid() {
 }

 // -----------------------------------------------------------------------------
-// UI 
+// UI
 // -----------------------------------------------------------------------------
 // -----------------------------------------------------------------------------

@@ -1196,7 +1245,7 @@ function hideSpinner() {
  });
 }

-    
+
 // --------------------------------------------------------
 // Calls a backend function to add a front-end event to an execution queue
 function updateApi(apiEndpoints)
@@ -1216,9 +1265,9 @@ function updateApi(apiEndpoints)
  })
 }

-// ----------------------------------------------------------------------------- 
+// -----------------------------------------------------------------------------
 // handling smooth scrolling
-// ----------------------------------------------------------------------------- 
+// -----------------------------------------------------------------------------
 function setupSmoothScrolling() {
  // Function to scroll to the element
  function scrollToElement(id) {
@@ -1276,17 +1325,17 @@ function getPluginSettingObject(pluginsData, setting_key, unique_prefix ) {

  result = {}
  unique_prefix == undefined ? unique_prefix = setting_key.split("_")[0] : unique_prefix = unique_prefix;
-  
+
  $.each(pluginsData, function (i, plgnObj){
    // go thru plugins
    if(plgnObj.unique_prefix == unique_prefix)
    {
      // go thru plugin settings
      $.each(plgnObj["settings"], function (j, setObj){
-        
+
        if(`${unique_prefix}_${setObj.function}` == setting_key)
-        {          
-          result = setObj          
+        {
+          result = setObj
        }

      });
@@ -1338,7 +1387,7 @@ function arraysContainSameValues(arr1, arr2) {
  if (!Array.isArray(arr1) || !Array.isArray(arr2)) {
    return false;
  } else
-  {  
+  {
    // Sort and stringify arrays, then compare
    return JSON.stringify(arr1.slice().sort()) === JSON.stringify(arr2.slice().sort());
  }
@@ -1349,7 +1398,7 @@ function arraysContainSameValues(arr1, arr2) {
 function hideUIelements(setKey) {

  hiddenSectionsSetting = getSetting(setKey)
-  
+
  if(hiddenSectionsSetting != "") // handle if settings not yet initialized
  {

@@ -1364,9 +1413,9 @@ function hideUIelements(setKey) {

      if($('#' + hiddenSection))
      {
-        $('#' + hiddenSection).hide()      
-      }    
-      
+        $('#' + hiddenSection).hide()
+      }
+
    });
  }

@@ -1377,7 +1426,7 @@ function getDevicesList()
 {
  // Read cache (skip cookie expiry check)
  devicesList = getCache('devicesListAll_JSON', true);
-  
+
  if (devicesList != '') {
      devicesList = JSON.parse (devicesList);
  } else {
@@ -1434,7 +1483,7 @@ $(document).ready(function() {
 // Restart Backend Python Server

 function askRestartBackend() {
-  // Ask 
+  // Ask
  showModalWarning(getString('Maint_RestartServer'), getString('Maint_Restart_Server_noti_text'),
  getString('Gen_Cancel'), getString('Maint_RestartServer'), 'restartBackend');
 }
@@ -1443,7 +1492,7 @@ function askRestartBackend() {
 function restartBackend() {

  modalEventStatusId = 'modal-message-front-event'
-  
+
  // Execute
  $.ajax({
      method: "POST",
@@ -1489,7 +1538,7 @@ function clearCache() {
 // -----------------------------------------------------------------------------
 // Function to check if cache needs to be refreshed because of setting changes
 function checkSettingChanges() {
-  $.get('php/server/query_json.php', { file: 'app_state.json', nocache: Date.now() }, function(appState) {   
+  $.get('php/server/query_json.php', { file: 'app_state.json', nocache: Date.now() }, function(appState) {
    const importedMilliseconds = parseInt(appState["settingsImported"] * 1000);
    const lastReloaded = parseInt(sessionStorage.getItem(sessionStorageKey + '_time'));

@@ -1560,7 +1609,7 @@ function isAppInitialized() {

  lang_shouldBeCompletedCalls = getLangCode() == 'en_us' ? 1 : 2;

-  // check if each ajax call completed succesfully 
+  // check if each ajax call completed succesfully
  $.each(completedCalls_final, function(index, call_name){

    if(getCache(call_name + "_completed") != "true")
@@ -1588,15 +1637,14 @@ async function executeOnce() {

  if (!isAppInitialized()) {
    try {
-      console.log("HERE");
-      
+
      await waitForGraphQLServer(); // Wait for the server to start

      await cacheDevices();
      await cacheSettings();
      await cacheStrings();

-      console.log("✅ All AJAX callbacks have completed");
+      console.log("All AJAX callbacks have completed");
      onAllCallsComplete();
    } catch (error) {
      console.error("Error:", error);
@@ -1646,7 +1694,7 @@ const onAllCallsComplete = () => {
    // setTimeout(() => {
    //   location.reload()
    // }, 10);
-   
+
  } else {
    // If not all strings are initialized, retry initialization
    console.log('❌ Not all strings are initialized. Retrying...');
@@ -1668,7 +1716,7 @@ const areAllStringsInitialized = () => {
 // Call the function to execute the code
 executeOnce();

-// Set timer for regular UI refresh if enabled 
+// Set timer for regular UI refresh if enabled
 setTimeout(() => {

  // page refresh if configured
--- a/front/js/modal.js
+++ b/front/js/modal.js
@@ -96,7 +96,7 @@ function showModalInput(
  btnOK = getString("Gen_Okay"),
  callbackFunction = null,
  triggeredBy = null,
-  defaultValue = ""  
+  defaultValue = ""
 ) {
  prefix = "modal-input";

@@ -121,7 +121,7 @@ function showModalInput(
  setTimeout(function () {
    $(`#${prefix}-textarea`).focus();
  }, 500);
-  
+
 }

 // -----------------------------------------------------------------------------
@@ -143,7 +143,7 @@ function showModalFieldInput(
  $(`#${prefix}-OK`).html(btnOK);

  if (callbackFunction != null) {
-    
+
    modalCallbackFunction = callbackFunction;
  }

@@ -181,11 +181,11 @@ function showModalPopupForm(
  $(`#${prefix}-cancel`).html(btnCancel);
  $(`#${prefix}-OK`).html(btnOK);

-  // if curValue not null 
+  // if curValue not null

  if (curValue)
  {
-    initialValues = JSON.parse(atob(curValue));    
+    initialValues = JSON.parse(atob(curValue));
  }

  outputHtml = "";
@@ -193,7 +193,7 @@ function showModalPopupForm(
  if (Array.isArray(popupFormJson)) {
    popupFormJson.forEach((field, index) => {
        // You'll need to define these or map them from `field`
-        const setKey = field.function || `field_${index}`;        
+        const setKey = field.function || `field_${index}`;
        const setName = getString(`${parentSettingKey}_popupform_${setKey}_name`);
        const labelClasses = "col-sm-2"; // example, or from your obj.labelClasses
        const inputClasses = "col-sm-10"; // example, or from your obj.inputClasses
@@ -207,9 +207,9 @@ function showModalPopupForm(
          }
        }

-        const fieldOptionsOverride = field.type?.elements[0]?.elementOptions || [];        
+        const fieldOptionsOverride = field.type?.elements[0]?.elementOptions || [];
        const setValue = initialValue;
-        const setType = JSON.stringify(field.type); 
+        const setType = JSON.stringify(field.type);
        const setEvents = field.events || [];  // default to empty array if missing
        const setObj = { setKey, setValue, setType, setEvents };

@@ -218,17 +218,17 @@ function showModalPopupForm(
                              <div class="form-group col-xs-12">
                                  <label id="${setKey}_label" class="${labelClasses}"> ${setName}
                                      <i my-set-key="${parentSettingKey}_popupform_${setKey}"
-                                          title="${getString("Settings_Show_Description")}" 
-                                          class="fa fa-circle-info pointer helpIconSmallTopRight" 
+                                          title="${getString("Settings_Show_Description")}"
+                                          class="fa fa-circle-info pointer helpIconSmallTopRight"
                                          onclick="showDescriptionPopup(this)">
                                      </i>
                                  </label>
                                  <div class="${inputClasses}">
                                      ${generateFormHtml(
                                        null, // settingsData only required for datatables
-                                        setObj, 
-                                        null, 
-                                        fieldOptionsOverride, 
+                                        setObj,
+                                        null,
+                                        fieldOptionsOverride,
                                        null
                                      )}
                                  </div>
@@ -239,7 +239,7 @@ function showModalPopupForm(
        outputHtml += inputFormHtml;
    });
  }
-  
+
  $(`#modal-form-plc`).html(outputHtml);

  // Bind OK button click event
@@ -247,12 +247,19 @@ function showModalPopupForm(
    let settingsArray = [];
    if (Array.isArray(popupFormJson)) {
        popupFormJson.forEach(field => {
-            collectSetting(
+            const result = collectSetting(
                `${parentSettingKey}_popupform`, // prefix
                field.function,                  // setCodeName
                field.type,                      // setType (object)
                settingsArray
            );
+            settingsArray = result.settingsArray;
+
+            if (!result.dataIsValid) {
+                msg = getString("Gen_Invalid_Value") + ":" + result.failedSettingKey;
+                console.error(msg);
+                showModalOk("ERROR", msg);
+            }
        });
    }

@@ -276,7 +283,7 @@ function showModalPopupForm(
      const newOption = $("<option class='interactable-option'></option>")
          .attr("value", encodedValue)
          .text(label);
-  
+
      $("#" + selectId).append(newOption);
      initListInteractionOptions(newOption);
    }
@@ -429,10 +436,10 @@ function safeDecodeURIComponent(content) {
    return content;  // Return the original content if decoding fails
  }
  }
-  
+

 // -----------------------------------------------------------------------------
-// Backend notification Polling 
+// Backend notification Polling
 // -----------------------------------------------------------------------------
 // Function to check for notifications
 function checkNotification() {
@@ -440,7 +447,7 @@ function checkNotification() {
  const phpEndpoint = 'php/server/utilNotification.php';

  $.ajax({
-    url: notificationEndpoint, 
+    url: notificationEndpoint,
    type: 'GET',
    success: function(response) {
      // console.log(response);
@@ -492,7 +499,7 @@ function checkNotification() {
    },
    error: function() {
      console.warn(`🟥 Error checking ${notificationEndpoint}`)
-      
+
    }
  });
 }
@@ -582,7 +589,7 @@ const phpEndpoint = 'php/server/utilNotification.php';

 // --------------------------------------------------
 // Write a notification
-function write_notification(content, level) {  
+function write_notification(content, level) {

  $.ajax({
    url: phpEndpoint, // Change this to the path of your PHP script
@@ -603,8 +610,8 @@ function write_notification(content, level) {

 // --------------------------------------------------
 // Write a notification
-function markNotificationAsRead(guid) {  
-  
+function markNotificationAsRead(guid) {
+
  $.ajax({
    url: phpEndpoint,
    type: 'GET',
@@ -628,8 +635,8 @@ function markNotificationAsRead(guid) {

 // --------------------------------------------------
 // Remove a notification
-function removeNotification(guid) {  
-  
+function removeNotification(guid) {
+
  $.ajax({
    url: phpEndpoint,
    type: 'GET',
--- a/front/js/settings_utils.js
+++ b/front/js/settings_utils.js
@@ -71,7 +71,7 @@ function getPluginConfig(pluginsData, prefix) {
 // Show the description of a setting
 function showDescriptionPopup(e) {

-  console.log($(e).attr("my-set-key"));    
+  console.log($(e).attr("my-set-key"));

  showModalOK("Info", getString($(e).attr("my-set-key") + '_description'))
 }
@@ -92,13 +92,13 @@ function pluginCards(prefixesOfEnabledPlugins, includeSettings) {
                  prefix + "_" + set
                }">
                  <code>${getSetting(prefix + "_" + set)}</code>
-                </div> 
+                </div>
              </a>
            </div>
          `;
    });

-    html += `            
+    html += `
              <div class="col-xs-6 col-sm-4 col-md-3 col-lg-2  col-xxl-1  padding-5px">
                <div class="small-box bg-green col-sm-12 " >
                  <div class="inner col-sm-12">
@@ -110,10 +110,10 @@ function pluginCards(prefixesOfEnabledPlugins, includeSettings) {
                    ${includeSettings_html}
                  </div>
                  <a href="#${prefix}_header" onclick="toggleAllSettings('open')">
-                    <div class="icon"> ${getString(prefix + "_icon")} </div> 
-                  </a>  
+                    <div class="icon"> ${getString(prefix + "_icon")} </div>
+                  </a>
                </div>
-                
+
              </div>
            `;
  });
@@ -251,17 +251,17 @@ function settingsCollectedCorrectly(settingsArray, settingsJSON_DB) {
 function cloneDataTableRow(el){

  console.log(el);
-  
+
  const id = "NEWDEV_devCustomProps_table"; // Your table ID
  const table = $('#'+id).DataTable();

-  
+
  // Get the 'my-index' attribute from the closest tr element
  const myIndex = parseInt($(el).closest("tr").attr("my-index"));

  // Find the row in the table with the matching 'my-index'
  const row = table.rows().nodes().to$().filter(`[my-index="${myIndex}"]`).first().get(0);
-  
+
  // Clone the row (including its data and controls)
  let clonedRow = $(row).clone(true, true); // The true arguments copy the data and event handlers

@@ -270,7 +270,7 @@ function cloneDataTableRow(el){


  console.log(clonedRow);
-  
+

  // Add the cloned row to the DataTable
  table.row.add(clonedRow[0]).draw();
@@ -291,13 +291,13 @@ function removeDataTableRow(el) {

    // Find the row in the table with the matching 'my-index'
    const row = table.rows().nodes().to$().filter(`[my-index="${myIndex}"]`).first().get(0);
-    
+
    // Remove the row from the DataTable
    table.row(row).remove().draw();
  }
  else
  {
-    showMessage (getString("CustProps_cant_remove"), 3000, "modal_red");  
+    showMessage (getString("CustProps_cant_remove"), 3000, "modal_red");
  }
 }

@@ -308,9 +308,9 @@ function addViaPopupForm(element) {

  const toId = $(element).attr("my-input-to");
  const curValue = $(`#${toId}`).val();
-  const parsed = JSON.parse(atob($(`#${toId}`).data("elementoptionsbase64")));  
+  const parsed = JSON.parse(atob($(`#${toId}`).data("elementoptionsbase64")));
  const popupFormJson = parsed.find(obj => "popupForm" in obj)?.popupForm ?? null;
-  
+
  console.log(`toId  | curValue: ${toId}  | ${curValue}`);

  showModalPopupForm(
@@ -393,7 +393,7 @@ function selectAll(element) {
  settingsChanged();

  var selectElement = $(`#${$(element).attr("my-input-to")}`);
-  
+
  // Iterate over each option within the select element
  selectElement.find('option').each(function() {
    // Mark each option as selected
@@ -409,13 +409,13 @@ function selectAll(element) {
 function unselectAll(element) {
  settingsChanged();
  var selectElement = $(`#${$(element).attr("my-input-to")}`);
-  
+
  // Iterate over each option within the select element
  selectElement.find('option').each(function() {
    // Unselect each option
    $(this).prop('selected', false);
  });
-  
+
  // Trigger the 'change' event to notify Bootstrap Select of the changes
  selectElement.trigger('change');
 }
@@ -426,7 +426,7 @@ function selectChange(element) {
  settingsChanged();

  var selectElement = $(`#${$(element).attr("my-input-to")}`);
-  
+
  selectElement.parent().find("input").focus().click();
 }

@@ -464,9 +464,9 @@ function initListInteractionOptions(element) {
          // Parent has my-transformers="name|base64"
          const toId =  $parent.attr("id");
          const curValue = $option.val();
-          const parsed = JSON.parse(atob($parent.data("elementoptionsbase64")));  
+          const parsed = JSON.parse(atob($parent.data("elementoptionsbase64")));
          const popupFormJson = parsed.find(obj => "popupForm" in obj)?.popupForm ?? null;
-                  
+
          showModalPopupForm(
            `<i class="fa fa-pen-to-square"></i> ${getString("Gen_Update_Value")}`, // title
            "",                                                                     // message
@@ -515,8 +515,8 @@ function filterRows(inputText) {
      var $panelHeader = $panel.find('.panel-heading');
      var $panelBody = $panel.find('.panel-collapse');

-      $panel.show() 
-      $panelHeader.show() 
+      $panel.show()
+      $panelHeader.show()
      $panelBody.collapse('show');

      $panelBody.find(".table_row:not(.docs)").each(function () {
@@ -525,11 +525,11 @@ function filterRows(inputText) {
        var isMetadataRow = rowId && rowId.endsWith("__metadata");
        if (!isMetadataRow) {
          $row.show()
-        }        
+        }
      });
-      
+
    });
-    
+
  } else{
    // filter

@@ -537,25 +537,25 @@ function filterRows(inputText) {
      var $panel = $(this);
      var $panelHeader = $panel.find('.panel-heading');
      var $panelBody = $panel.find('.panel-collapse');
-  
+
      var anyVisible = false; // Flag to check if any row is visible
-  
+
      $panelBody.find(".table_row:not(.docs)").each(function () {
        var $row = $(this);
-  
+
        // Check if the row ID ends with "__metadata"
        var rowId = $row.attr("id");
        var isMetadataRow = rowId && rowId.endsWith("__metadata");
-  
+
        // Always hide metadata rows
        if (isMetadataRow) {
          $row.hide();
          return; // Skip further processing for metadata rows
        }
-  
+
        var description = $row.find(".setting_description").text().toLowerCase();
        var setKey = $row.find(".setting_name code").text().toLowerCase();
-  
+
        if (
          description.includes(inputText.toLowerCase()) ||
          setKey.includes(inputText.toLowerCase())
@@ -566,7 +566,7 @@ function filterRows(inputText) {
          $row.hide();
        }
      });
-  
+
      // Determine whether to hide or show the panel based on visibility of rows
      if (anyVisible) {
        $panelBody.collapse('show'); // Ensure the panel body is shown if there are visible rows
@@ -582,7 +582,7 @@ function filterRows(inputText) {

  }

-  
+
 }


@@ -661,7 +661,7 @@ function generateOptionsOrSetOptions(
  processDataCallback, // Callback function to generate entries based on options
  targetField, // Target field or element where selected value should be applied or updated
  transformers = [], // Transformers to be applied to the values
-  overrideOptions = null // override options if available  
+  overrideOptions = null // override options if available
 ) {

  // console.log(setKey);
@@ -712,7 +712,7 @@ function applyTransformers(val, transformers) {
        break;
      case "getString":
        // no change
-        val = val;        
+        val = val;
        break;
      default:
        console.warn(`Unknown transformer: ${transformer}`);
@@ -745,13 +745,13 @@ function reverseTransformers(val, transformers) {
        break;
      case "getString":
        // retrieve string
-        val = getString(val);        
+        val = getString(val);
        break;
      case "deviceChip":
-        mac = val  // value is mac   
+        mac = val  // value is mac
        val =  `${getDevDataByMac(mac, "devName")}`
        break;
-      case "deviceRelType":        
+      case "deviceRelType":
        val =  val; // nothing to do
        break;
      default:
@@ -779,10 +779,11 @@ const handleElementOptions = (setKey, elementOptions, transformers, val) => {
  let getStringKey = "";
  let onClick = "console.log('onClick - Not implemented');";
  let onChange = "console.log('onChange - Not implemented');";
+  let focusout = "console.log('focusout - Not implemented');";
  let customParams = "";
  let customId = "";
  let columns = [];
-  let base64Regex = "";  
+  let base64Regex = "";
  let elementOptionsBase64 = btoa(JSON.stringify(elementOptions));

  elementOptions.forEach((option) => {
@@ -830,6 +831,9 @@ const handleElementOptions = (setKey, elementOptions, transformers, val) => {
    if (option.onChange) {
      onChange = option.onChange;
    }
+    if (option.focusout) {
+      focusout = option.focusout;
+    }
    if (option.customParams) {
      customParams = option.customParams;
    }
@@ -867,7 +871,8 @@ const handleElementOptions = (setKey, elementOptions, transformers, val) => {
    customId,
    columns,
    base64Regex,
-    elementOptionsBase64
+    elementOptionsBase64,
+    focusout
  };
 };

@@ -877,7 +882,7 @@ const handleElementOptions = (setKey, elementOptions, transformers, val) => {
 // -----------------------------------------------------------------------------

 // --------------------------------------------------
-// Creates an object from an array 
+// Creates an object from an array
 function arrayToObject(array) {
  const obj = [];
  array.forEach((item, index) => {
@@ -895,18 +900,18 @@ function generateOptions(options, valuesArray, targetField, transformers, placeh

  resultArray    = []
  selectedArray  = []
-  cssClass       = ""  
+  cssClass       = ""

  // determine if options or values are used in the listing
  if (valuesArray.length > 0 && options.length > 0){

-    // multiselect list ->  options only + selected the ones in valuesArray 
+    // multiselect list ->  options only + selected the ones in valuesArray
    resultArray   = options;
    selectedArray = valuesArray

  } else if (valuesArray.length > 0 && options.length == 0){

-    // editable list -> values only     
+    // editable list -> values only
    resultArray   = arrayToObject(valuesArray)
    cssClass = "interactable-option"  // generates [1x 📝 | 2x 🚮]
  } else if (options.length > 0){
@@ -914,7 +919,7 @@ function generateOptions(options, valuesArray, targetField, transformers, placeh
    // dropdown -> options only (value == 1 STRING not ARRAY)
    resultArray   = options;
  }
- 
+
  // Create a map to track the index of each item in valuesArray
  const orderMap = new Map(valuesArray.map((item, index) => [item, index]));

@@ -961,7 +966,7 @@ function generateList(options, valuesArray, targetField, transformers, placehold

    listHtml += `<li ${selected}>${labelName}</li>`;
  });
-  
+
  // Place the resulting HTML into the specified placeholder div
  $("#" + placeholder).replaceWith(listHtml);
 }
@@ -972,7 +977,7 @@ function genListWithInputSet(options, valuesArray, targetField, transformers, pl

  var listHtml = "";

-  
+
  options.forEach(function(item) {

    let selected = valuesArray.includes(item.id) ? 'selected' : '';
@@ -988,9 +993,9 @@ function genListWithInputSet(options, valuesArray, targetField, transformers, pl
    }

    listHtml += `<li ${selected}>
-                      <a href="javascript:void(0)" onclick="setTextValue('${targetField}','${item.id}')">${labelName}</a> 
+                      <a href="javascript:void(0)" onclick="setTextValue('${targetField}','${item.id}')">${labelName}</a>
                </li>`;
-    
+
  });

  // Place the resulting HTML into the specified placeholder div
@@ -1001,8 +1006,8 @@ function genListWithInputSet(options, valuesArray, targetField, transformers, pl
 // Collects a setting based on code name
 function collectSetting(prefix, setCodeName, setType, settingsArray) {
  // Parse setType if it's a JSON string
-  const setTypeObject = (typeof setType === "string") 
-      ? JSON.parse(processQuotes(setType)) 
+  const setTypeObject = (typeof setType === "string")
+      ? JSON.parse(processQuotes(setType))
      : setType;

  const dataType = setTypeObject.dataType;
@@ -1015,6 +1020,20 @@ function collectSetting(prefix, setCodeName, setType, settingsArray) {

  const { elementType, elementOptions = [], transformers = [] } = elementWithInputValue;

+  // Check if validation failed
+  if (
+    $(`#${setCodeName}`)
+    && $(`#${setCodeName}`).attr("data-is-valid")
+    && $(`#${setCodeName}`).attr("data-is-valid") == 0
+  )
+  {
+     return {
+      "settingsArray": settingsArray,
+      "dataIsValid": false,
+      "failedSettingKey": setCodeName
+    };
+  }
+
  const opts = handleElementOptions('none', elementOptions, transformers, val = "");

  // Map of handlers
@@ -1038,7 +1057,7 @@ function collectSetting(prefix, setCodeName, setType, settingsArray) {
          let temps = [];
          if (opts.isOrdeable) {
              temps = $(`#${setCodeName}`).val();
-          } else {            
+          } else {
              const sel = $(`#${setCodeName}`).attr("my-editable") === "true" ? "" : ":selected";
              $(`#${setCodeName} option${sel}`).each(function() {
                  const vl = $(this).val();
@@ -1066,7 +1085,7 @@ function collectSetting(prefix, setCodeName, setType, settingsArray) {
  let handlerKey;
  if (dataType === "string" && elementType === "datatable") {
      handlerKey = "datatableString";
-  } else if (dataType === "string" || 
+  } else if (dataType === "string" ||
            (dataType === "integer" && (opts.inputType === "number" || opts.inputType === "text"))) {
      handlerKey = "simpleValue";
  } else if (opts.inputType === "checkbox") {
@@ -1084,7 +1103,11 @@ function collectSetting(prefix, setCodeName, setType, settingsArray) {
  const value = handlers[handlerKey]();
  settingsArray.push([prefix, setCodeName, dataType, value]);

-  return settingsArray;
+  return {
+    "settingsArray": settingsArray,
+    "dataIsValid": true,
+    "failedSettingKey": ""
+  };
 }


@@ -1093,22 +1116,22 @@ function collectSetting(prefix, setCodeName, setType, settingsArray) {
 function generateFormHtml(settingsData, set, overrideValue, overrideOptions, originalSetKey) {
  let inputHtml = '';

-  isEmpty(overrideValue) ? inVal = set['setValue'] : inVal = overrideValue;  
+  isEmpty(overrideValue) ? inVal = set['setValue'] : inVal = overrideValue;
  const setKey = set['setKey'];
  const setType = set['setType'];

  // if (setKey == '') {
-    
+
  // console.log(setType);
  // console.log(setKey);
  // console.log(overrideValue);
-  // console.log(inVal);  
+  // console.log(inVal);

  // }

  // Parse the setType JSON string
  // console.log(processQuotes(setType));
-  
+
  const setTypeObject = JSON.parse(processQuotes(setType))
  const dataType = setTypeObject.dataType;
  const elements = setTypeObject.elements || [];
@@ -1137,20 +1160,21 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
      customId,
      columns,
      base64Regex,
-      elementOptionsBase64
+      elementOptionsBase64,
+      focusout
    } = handleElementOptions(setKey, elementOptions, transformers, inVal);

    // Override value
    let val = valRes;

    // if (setKey == '') {
-    
+
    //   console.log(setType);
    //   console.log(setKey);
    //   console.log(overrideValue);
-    //   console.log(inVal);  
-    //   console.log(val);  
-    
+    //   console.log(inVal);
+    //   console.log(val);
+
    //   }

    // Generate HTML based on elementType
@@ -1159,16 +1183,17 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
        const multi = isMultiSelect ? "multiple" : "";
        const addCss = isOrdeable ? "select2 select2-hidden-accessible" : "";

-        inputHtml += `<select onChange="settingsChanged();${onChange}" 
-                              my-data-type="${dataType}" 
-                              my-editable="${editable}" 
-                              class="form-control ${addCss} ${cssClasses}" 
-                              name="${setKey}" 
-                              id="${setKey}" 
+        inputHtml += `<select onChange="settingsChanged();${onChange}"
+                              onfocusout="${focusout}"
+                              my-data-type="${dataType}"
+                              my-editable="${editable}"
+                              class="form-control ${addCss} ${cssClasses}"
+                              name="${setKey}"
+                              id="${setKey}"
                              my-transformers=${transformers}
-                              my-customparams="${customParams}" 
-                              my-customid="${customId}" 
-                              my-originalSetKey="${originalSetKey}" 
+                              my-customparams="${customParams}"
+                              my-customid="${customId}"
+                              my-originalSetKey="${originalSetKey}"
                              data-elementoptionsbase64="${elementOptionsBase64}"
                              ${multi}
                              ${readOnly ? "disabled" : ""}>
@@ -1182,31 +1207,32 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
        const checked = val === 'True' || val === 'true' ||  val === '1' ? 'checked' : '';
        const inputClass = inputType === 'checkbox' ? 'checkbox' : 'form-control';

-        inputHtml += `<input 
-                        class="${inputClass} ${cssClasses}" 
-                        onChange="settingsChanged();${onChange}" 
-                        my-data-type="${dataType}" 
-                        my-customparams="${customParams}" 
-                        my-customid="${customId}" 
+        inputHtml += `<input
+                        class="${inputClass} ${cssClasses}"
+                        onChange="settingsChanged();${onChange}"
+                        onfocusout="${focusout}"
+                        my-data-type="${dataType}"
+                        my-customparams="${customParams}"
+                        my-customid="${customId}"
                        my-originalSetKey="${originalSetKey}"
                        my-base64Regex="${base64Regex}"
-                        id="${setKey}${suffix}" 
-                        type="${inputType}" 
-                        value="${val}" 
+                        id="${setKey}${suffix}"
+                        type="${inputType}"
+                        value="${val}"
                        ${readOnly}
                        ${checked}
-                        placeholder="${placeholder}" 
+                        placeholder="${placeholder}"
                      />`;
        break;

      case 'button':
-        inputHtml += `<button 
-                        class="btn btn-primary ${cssClasses}" 
-                        my-customparams="${customParams}" 
-                        my-customid="${customId}" 
+        inputHtml += `<button
+                        class="btn btn-primary ${cssClasses}"
+                        my-customparams="${customParams}"
+                        my-customid="${customId}"
                        my-originalSetKey="${originalSetKey}"
-                        my-input-from="${sourceIds}" 
-                        my-input-to="${setKey}" 
+                        my-input-from="${sourceIds}"
+                        my-input-to="${setKey}"
                        data-elementoptionsbase64="${elementOptionsBase64}"
                        onclick="${onClick}">
                        ${getString(getStringKey)}
@@ -1214,21 +1240,23 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
        break;

      case 'textarea':
-        inputHtml += `<textarea 
-                        class="form-control input" 
-                        my-customparams="${customParams}" 
-                        my-customid="${customId}" 
+        inputHtml += `<textarea
+                        class="form-control input"
+                        onChange="settingsChanged();${onChange}"
+                        onfocusout="${focusout}"
+                        my-customparams="${customParams}"
+                        my-customid="${customId}"
                        my-originalSetKey="${originalSetKey}"
-                        my-data-type="${dataType}" 
-                        id="${setKey}" 
+                        my-data-type="${dataType}"
+                        id="${setKey}"
                        ${readOnly}>${val}</textarea>`;
        break;

      case 'span':
-        inputHtml += `<span 
-                        class="${cssClasses}" 
-                        my-data-type="${dataType}" 
-                        my-customparams="${customParams}" 
+        inputHtml += `<span
+                        class="${cssClasses}"
+                        my-data-type="${dataType}"
+                        my-customparams="${customParams}"
                        my-customid="${customId}"
                        my-originalSetKey="${originalSetKey}"
                        onclick="${onClick}">
@@ -1264,13 +1292,13 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
              columnSetting["setOptions"] = getSetting(column.optionsOverride.replace("setting.",""));
            } else {
              columnSetting["setOptions"] = column.optionsOverride;
-            }            
+            }
          }

          columnSettings.push(columnSetting)
-          
+
          // helper for if val is empty
-          emptyVal.push(''); 
+          emptyVal.push('');
        });
        datatableHtml += '</tr></thead>';

@@ -1290,7 +1318,7 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
        let index = 0;
        val.forEach(rowData => {
            datatableHtml += `<tr my-index="${index}">`;
-            
+
            let j = 0;
            columnSettings.forEach(set => {
                // Extract the value for the current column based on the new structure
@@ -1300,11 +1328,11 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
                {
                  columnOverrideValue = ""
                }
-        
+
                // Create unique key to prevent dropdown data duplication
                const oldKey = set["setKey"];
                set["setKey"] = oldKey + "_" + index;
-        
+
                // Generate the cell HTML using the extracted value
                const cellHtml = generateFormHtml(
                    settingsData,
@@ -1314,17 +1342,17 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori
                    oldKey
                );
                datatableHtml += `<td> <div class="input-group"> ${cellHtml} </div></td>`;
-        
+
                // Restore the original key
                set["setKey"] = oldKey;
-        
+
                j++;
            });
            datatableHtml += '</tr>';
            index++;
        });
-        
-        
+
+
        datatableHtml += '</tbody></table>';

        inputHtml += datatableHtml;
@@ -1347,8 +1375,8 @@ function generateFormHtml(settingsData, set, overrideValue, overrideOptions, ori

  // Generate event HTML if applicable
  let eventsHtml = '';
- 
-  const eventsList = createArray(set['setEvents']); 
+
+  const eventsList = createArray(set['setEvents']);
  // inline buttons events
 if (eventsList.length > 0) {
  eventsList.forEach(event => {
@@ -1387,7 +1415,7 @@ if (eventsList.length > 0) {
                    data-myparam-setkey="${setKey}"
                    data-myparam="${setKey}"
                    data-myparam-plugin="${setKey.split('_')[0] || ''}"
-                    data-myevent="${event}"  
+                    data-myevent="${event}"
                    onclick="execute_settingEvent(this)">
                    <i title="${getString(event + "_event_tooltip")}" class="fa ${eventIcon}"></i>
                  </span>`;
@@ -1406,15 +1434,15 @@ function getSetObject(settingsData, setKey) {
  result = ""

  settingsData.forEach(function(set) {
-   
+
    if (set.setKey == setKey) {
-      // console.log(set);      
-      
+      // console.log(set);
+
      result = set;
      return;
-      
-    }   
-    
+
+    }
+
  });

  if(result == "")
@@ -1439,7 +1467,7 @@ function collectTableData(tableSelector) {

      cells.each((index, cell) => {
          const input = $(cell).find('input, select, textarea');
-          
+
          if (input.length) {
              if (input.attr('type') === 'checkbox') {
                  // For checkboxes, check if they are checked
@@ -1455,10 +1483,10 @@ function collectTableData(tableSelector) {
          }
      });

-      tableData.push(rowData); 
+      tableData.push(rowData);
  });

-  return tableData;  
+  return tableData;
 }


--- a/front/js/ui_components.js
+++ b/front/js/ui_components.js
@@ -1,6 +1,6 @@
 /* -----------------------------------------------------------------------------
 *  NetAlertX
-*  Open Source Network Guard / WIFI & LAN intrusion detector 
+*  Open Source Network Guard / WIFI & LAN intrusion detector
 *
 *  ui_components.js - Front module. Common UI components
 *-------------------------------------------------------------------------------
@@ -56,7 +56,7 @@ function getRandomBytes(elem, length) {
  window.crypto.getRandomValues(array);

  // Convert bytes to hexadecimal string
-  let hexString = Array.from(array, byte => 
+  let hexString = Array.from(array, byte =>
    byte.toString(16).padStart(2, '0')
  ).join('');

@@ -71,7 +71,7 @@ function getRandomBytes(elem, length) {
 }

 // ----------------------------------------------
-// Updates the icon preview  
+// Updates the icon preview
 function updateAllIconPreviews() {
  $(".iconInputVal").each((index, el)=>{
    updateIconPreview(el)
@@ -79,7 +79,7 @@ function updateAllIconPreviews() {
 }

 // ----------------------------------------------
-// Updates the icon preview  
+// Updates the icon preview
 function updateIconPreview(elem) {

  const previewSpan =  $(elem).parent().find(".iconPreview");
@@ -97,7 +97,7 @@ function updateIconPreview(elem) {
        previewSpan.html(atob(newValue));
      });
      return; // Stop retrying if successful
-    } 
+    }

    attempts++;
    if (attempts < 10) {
@@ -119,9 +119,9 @@ function validateRegex(elem) {
  const iconSpan  = $(elem).parent().find(".validityCheck");
  const inputElem = $(elem);
  const regexTmp  = atob($(inputElem).attr("my-base64Regex")); // Decode base64 regex
-  
+
  const regex = new RegExp(regexTmp); // Convert to a valid RegExp object
-  
+
  let attempts = 0;

  function tryUpdateValidityResultIcon() {
@@ -140,8 +140,11 @@ function validateRegex(elem) {
      // Validate against regex
      if (regex.test(value)) {
          iconSpan.html("<i class='fa fa-check'></i>");
+          inputElem.attr("data-is-valid", "1");
      } else {
          iconSpan.html("<i class='fa fa-xmark'></i>");
+          showModalOk('WARNING', getString("Gen_Invalid_Value"));
+          inputElem.attr("data-is-valid", "0"); 
      }
  }

@@ -175,7 +178,7 @@ function initializeiCheck () {
   increaseArea:  '20%'
 });

- 
+
 }


@@ -206,7 +209,7 @@ function copyToClipboard(buttonElement) {
 }

 // -----------------------------------------------------------------------------
-// Simple Sortable Table columns 
+// Simple Sortable Table columns
 // -----------------------------------------------------------------------------

 // Function to handle column sorting when a user clicks on a table header
@@ -268,9 +271,9 @@ function ipToNum(ip) {
 }


-// ----------------------------------------------------------------------------- 
-// handling events 
-// ----------------------------------------------------------------------------- 
+// -----------------------------------------------------------------------------
+// handling events
+// -----------------------------------------------------------------------------

 modalEventStatusId = 'modal-message-front-event'

@@ -301,41 +304,41 @@ function execute_settingEvent(element) {
          updateModalState()
      }
    })
-    
+
  } else if (["add_option"].includes(feEvent)) {
    showModalFieldInput (
      '<i class="fa fa-square-plus pointer"></i> ' + getString('Gen_Add'),
      getString('Gen_Add'),
-      getString('Gen_Cancel'), 
-      getString('Gen_Okay'), 
+      getString('Gen_Cancel'),
+      getString('Gen_Okay'),
      '', // curValue
      'addOptionFromModalInput',
      feSourceId // triggered by id
    );
  } else if (["add_icon"].includes(feEvent)) {

-      // Add new icon as base64 string 
+      // Add new icon as base64 string
    showModalInput (
      '<i class="fa fa-square-plus pointer"></i> ' + getString('DevDetail_button_AddIcon'),
      getString('DevDetail_button_AddIcon_Help'),
-      getString('Gen_Cancel'), 
-      getString('Gen_Okay'), 
+      getString('Gen_Cancel'),
+      getString('Gen_Okay'),
      () => addIconAsBase64(element), // Wrap in an arrow function
      feSourceId // triggered by id
    );
  } else if (["select_icon"].includes(feEvent)) {

    showIconSelection(feSetKey)
-    // myparam-setkey  
+    // myparam-setkey

  } else if (["copy_icons"].includes(feEvent)) {

-    // Ask overwrite icon types 
+    // Ask overwrite icon types
    showModalWarning (
-      getString('DevDetail_button_OverwriteIcons'), 
+      getString('DevDetail_button_OverwriteIcons'),
      getString('DevDetail_button_OverwriteIcons_Warning'),
-      getString('Gen_Cancel'), 
-      getString('Gen_Okay'), 
+      getString('Gen_Cancel'),
+      getString('Gen_Okay'),
      'overwriteIconType',
      feSourceId // triggered by id
    );
@@ -343,30 +346,30 @@ function execute_settingEvent(element) {

    goToDevice(feValue);
  } else if (["go_to_node"].includes(feEvent)) {
-    
+
    goToNetworkNode(feValue);

  } else {
    console.warn(`🔺Not implemented: ${feEvent}`)
-  } 
-  
+  }
+
 }


 // -----------------------------------------------------------------------------
 // Go to the correct network node in the Network section
 function overwriteIconType()
-{ 
+{
  const mac = getMac();

  if (!isValidMac(mac)) {
-    showModalOK("Error", getString("Gen_InvalidMac")) 
+    showModalOK("Error", getString("Gen_InvalidMac"))
    return;
  }

  // Construct SQL query
  const rawSql = `
-   UPDATE Devices 
+   UPDATE Devices
    SET devIcon = (
      SELECT devIcon FROM Devices WHERE devMac = "${mac}"
    )
@@ -391,24 +394,24 @@ function overwriteIconType()
 // -----------------------------------------------------------------------------
 // Go to the correct network node in the Network section
 function goToNetworkNode(mac)
-{ 
+{
  setCache('activeNetworkTab', mac.replaceAll(":","_")+'_id');
  window.location.href = './network.php';
-  
+
 }

 // -----------------------------------------------------------------------------
-// Go to the device 
+// Go to the device
 function goToDevice(mac, newtab = false) {
  const url = './deviceDetails.php?mac=' + encodeURIComponent(mac);
-  
+
  if (newtab) {
    window.open(url, '_blank');
  } else {
    window.location.href = url;
  }
 }
-  
+

 // --------------------------------------------------------
 // Updating the execution queue in in modal pop-up
@@ -437,7 +440,7 @@ function updateModalState() {
 function addOptionFromModalInput() {
  var inputVal = $(`#modal-field-input-field`).val();
  console.log($('#modal-field-input-field'));
-  
+
  var triggeredBy = $('#modal-field-input').attr("data-myparam-triggered-by");
  var targetId = $('#' + triggeredBy).attr("data-myparam-setkey");

@@ -475,16 +478,16 @@ function addIconAsBase64 (el) {


  console.log($('#modal-field-input-field'));
-  
+
  var triggeredBy = $('#modal-input').attr("data-myparam-triggered-by");
  var targetId = $('#' + triggeredBy).attr("data-myparam-setkey");

-  // $('#'+targetId).val(iconHtmlBase64); 
+  // $('#'+targetId).val(iconHtmlBase64);

  // Add new option and set it as selected
  $('#' + targetId).append(new Option(iconHtmlBase64, iconHtmlBase64)).val(iconHtmlBase64);

-  updateIconPreview(el)  
+  updateIconPreview(el)

 }

@@ -522,8 +525,8 @@ function showIconSelection(setKey) {
  // Populate the icon list
  Array.from(selectElement.options).forEach(option => {
    if (option.value != "") {
-        
-      
+
+
      const value = option.value;

      // Decode the base64 value
@@ -566,7 +569,7 @@ function showIconSelection(setKey) {
  });

  //
-  
+
 }


@@ -661,7 +664,7 @@ function getRelationshipConf(relType) {
  // --color-red: #dd4b39;

  switch (relType) {
-        
+
    case "child":
      color = "#f39c12"; // yellow
      cssClass = "text-yellow";
@@ -673,11 +676,11 @@ function getRelationshipConf(relType) {
    case "virtual":
      color = "#0060df"; // blue
      cssClass = "text-blue";
-      break;      
+      break;
    case "logical":
      color = "#00a65a"; // green
      cssClass = "text-green";
-      break;      
+      break;
    default:
      color = "#5B5B66"; // grey
      cssClass = "text-light-grey";
@@ -703,13 +706,13 @@ function initSelect2() {
  //  check if cache ready
  if(isValidJSON(devicesListAll_JSON))
  {
-    
+
    // --------------------------------------------------------
    //Initialize Select2 Elements and make them sortable
-    
+
    $(function () {
      // Iterate over each Select2 dropdown
-      $('.select2').each(function() {          
+      $('.select2').each(function() {
          // handle Device chips, if my-transformers="deviceChip"
          if($(this).attr("my-transformers") == "deviceChip")
          {
@@ -721,7 +724,7 @@ function initSelect2() {
                return m; // Allow HTML
              }
            });
-            
+
          } else if($(this).attr("my-transformers") == "deviceRelType") // handling dropdown for relationships
          {
            var selectEl = $(this).select2({
@@ -730,26 +733,26 @@ function initSelect2() {
                if (!data.id) return data.text; // default for placeholder etc.

                const relConf = getRelationshipConf(data.text);
-                                
+
                // Custom HTML
-                const html = $(`                  
-                    <span class="custom-chip ${relConf.cssClass}" >                      
-                      ${data.text}                      
-                    </span>                  
+                const html = $(`
+                    <span class="custom-chip ${relConf.cssClass}" >
+                      ${data.text}
+                    </span>
                `);
-          
+
                return html;
              },
              escapeMarkup: function (m) {
                return m; // Allow HTML
              }
            });
-            
+
          } else // default handling - default template
          {
            var selectEl = $(this).select2();
          }
-    
+
          // Apply sortable functionality to the dropdown's dropdown-container
          selectEl.next().children().children().children().sortable({
              containment: 'parent',
@@ -757,14 +760,14 @@ function initSelect2() {
                  var sortedValues = $(this).children().map(function() {
                      return $(this).attr('title');
                  }).get();
-    
+
                  var sortedOptions = selectEl.find('option').sort(function(a, b) {
                      return sortedValues.indexOf($(a).text()) - sortedValues.indexOf($(b).text());
                  });
-    
+
                  // Replace all options in selectEl
                  selectEl.empty().append(sortedOptions);
-    
+
                  // Trigger change event on Select2
                  selectEl.trigger('change');
              }
@@ -776,7 +779,7 @@ function initSelect2() {
    setTimeout(() => {
      initSelect2()
    }, 1000);
-  }  
+  }
 }

 // ------------------------------------------
@@ -816,7 +819,7 @@ function renderDeviceLink(data, container, useName = false) {
      'data-alert': device.devAlertDown,
      'data-icon': device.devIcon
    });
-  
+
  return `
    <a href="${badge.url}" target="_blank">
      <span class="custom-chip">
@@ -866,7 +869,7 @@ function initHoverNodeInfo() {
  $(document).on('mouseenter', '.hover-node-info', function (e) {
    const $el = $(this);
    lastTarget = this;
-    
+
    // use timeout to prevent a quick hover and exit toi flash a card when navigating to a target node with your mouse
    clearTimeout(hoverTimeout);

@@ -893,25 +896,25 @@ function initHoverNodeInfo() {
        <div class="line">
          <b>Status:</b> <span>${status}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>IP:</b> <span>${ip}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>MAC:</b> <span>${mac}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>Vendor:</b> <span>${vendor}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>Type:</b> <span>${type}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>First seen:</b> <span>${firstseen}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>Last seen:</b> <span>${lastseen}</span><br>
        </div>
-        <div class="line">  
+        <div class="line">
          <b>Relationship:</b> <span class="${getRelationshipConf(relationship).cssClass}">${relationship}</span>
        </div>
      `;
--- a/Show More
+++ b/Show More