Merge branch 'main' of https://github.com/jokob-sk/NetAlertX

BE: ensure not empty SYNC_node_name
Signed-off-by: jokob-sk <jokob.sk@gmail.com>
2026-03-31 07:12:23 -07:00 · 2026-01-17 14:41:24 +11:00 · 2026-01-17 14:41:09 +11:00 · 2026-01-16 18:01:49 +01:00 · 2026-01-16 10:33:12 +11:00 · 2026-01-16 10:32:20 +11:00
407 changed files with 25873 additions and 11899 deletions
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -0,0 +1,9 @@
+reviews:
+  profile: "chill"
+  estimate_code_review_effort: false
+  auto_review:
+    enabled: true
+  high_level_summary: true
+issue_enrichment:
+  auto_enrich:
+    enabled: false
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -4,16 +4,16 @@
 # The NetAlertX Dockerfile has 3 stages:
 #
 # Stage 1. Builder - NetAlertX Requires special tools and packages to build our virtual environment, but
-# which are not needed in future stages.  We build the builder and extract the venv for runner to use as 
+# which are not needed in future stages.  We build the builder and extract the venv for runner to use as
 # a base.
 #
 # Stage 2. Runner builds the bare minimum requirements to create an operational NetAlertX. The primary
 # reason for breaking at this stage is it leaves the system in a proper state for devcontainer operation
-# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a 
+# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a
 # docker container as a VM for experimentation and various development patterns.
 #
 # Stage 3. Hardened removes root, sudoers, folders, permissions, and locks the system down into a read-only
-# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the 
+# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the
 # code pushed out by the project is the only code which will run on the system after each container restart.
 # It reduces the chance of system hijacking and operates with all modern security protocols in place as is
 # expected from a security appliance.
@@ -29,13 +29,25 @@ ENV PATH="/opt/venv/bin:$PATH"

 # Install build dependencies
 COPY requirements.txt /tmp/requirements.txt
-RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+        bash \
+        shadow \
+        python3 \
+        python3-dev \
+        gcc \
+        musl-dev \
+        libffi-dev \
+        openssl-dev \
+        git \
+        rust \
+        cargo \
    && python -m venv /opt/venv

-# Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy 
-# into hardened stage without worrying about permissions and keeps image size small. Keeping the commands
-# together makes for a slightly smaller image size.
-RUN pip install -r /tmp/requirements.txt && \
+# Upgrade pip/wheel/setuptools and install Python packages
+# hadolint ignore=DL3013, DL3042
+RUN python -m pip install --upgrade pip setuptools wheel && \
+    pip install --prefer-binary --no-cache-dir -r /tmp/requirements.txt && \
    chmod -R u-rwx,g-rwx /opt

 # second stage is the main runtime stage with just the minimum required to run the application
@@ -43,6 +55,12 @@ RUN pip install -r /tmp/requirements.txt && \
 FROM alpine:3.22 AS runner

 ARG INSTALL_DIR=/app
+# Runtime service account (override at build; container user can still be overridden at run time)
+ARG NETALERTX_UID=20211
+ARG NETALERTX_GID=20211
+# Read-only lock owner (separate from service account to avoid UID/GID collisions)
+ARG READONLY_UID=20212
+ARG READONLY_GID=20212

 # NetAlertX app directories
 ENV NETALERTX_APP=${INSTALL_DIR}
@@ -98,11 +116,11 @@ ENV READ_WRITE_FOLDERS="${NETALERTX_DATA} ${NETALERTX_CONFIG} ${NETALERTX_DB} ${
                       ${SYSTEM_SERVICES_ACTIVE_CONFIG}"

 #Python environment
-ENV PYTHONUNBUFFERED=1 
+ENV PYTHONUNBUFFERED=1
 ENV VIRTUAL_ENV=/opt/venv
 ENV VIRTUAL_ENV_BIN=/opt/venv/bin
 ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${NETALERTX_PLUGINS}:${VIRTUAL_ENV}/lib/python3.12/site-packages
-ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH" 
+ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH"

 # App Environment
 ENV LISTEN_ADDR=0.0.0.0
@@ -113,17 +131,17 @@ ENV VENDORSPATH_NEWEST=${SYSTEM_SERVICES_RUN_TMP}/ieee-oui.txt
 ENV ENVIRONMENT=alpine
 ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly
 ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx
-ENV LANG=C.UTF-8 
+ENV LANG=C.UTF-8


-RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \
+RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap fping \
    nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
    sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx supercronic shadow && \
+    nginx supercronic shadow su-exec && \
    rm -Rf /var/cache/apk/*  && \
    rm -Rf /etc/nginx && \
-    addgroup -g 20211 ${NETALERTX_GROUP} && \
-    adduser -u 20211 -D -h ${NETALERTX_APP} -G ${NETALERTX_GROUP} ${NETALERTX_USER} && \
+    addgroup -g ${NETALERTX_GID} ${NETALERTX_GROUP} && \
+    adduser -u ${NETALERTX_UID} -D -h ${NETALERTX_APP} -G ${NETALERTX_GROUP} ${NETALERTX_USER} && \
    apk del shadow


@@ -141,79 +159,91 @@ RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FO

 # Copy version information into the image
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION
+COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION_PREV

-# Copy the virtualenv from the builder stage
-COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
+# Copy the virtualenv from the builder stage (owned by readonly lock owner)
+COPY --from=builder --chown=${READONLY_UID}:${READONLY_GID} ${VIRTUAL_ENV} ${VIRTUAL_ENV}


 # Initialize each service with the dockerfiles/init-*.sh scripts, once.
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN if [ -f .VERSION ]; then \
-        cp .VERSION ${NETALERTX_APP}/.VERSION; \
-    else \
-        echo "DEVELOPMENT 00000000" > ${NETALERTX_APP}/.VERSION; \
-    fi && \
-    chown 20212:20212 ${NETALERTX_APP}/.VERSION && \
-    apk add libcap && \
-    setcap cap_net_raw+ep /bin/busybox && \
+# hadolint ignore=DL3018
+RUN for vfile in .VERSION .VERSION_PREV; do \
+        if [ ! -f "${NETALERTX_APP}/${vfile}" ]; then \
+            echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/${vfile}"; \
+        fi; \
+        chown ${READONLY_UID}:${READONLY_GID} "${NETALERTX_APP}/${vfile}"; \
+    done && \
+    apk add --no-cache libcap && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
    setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip $(readlink -f ${VIRTUAL_ENV_BIN}/python) && \
+    setcap cap_net_raw,cap_net_admin+eip "$(readlink -f ${VIRTUAL_ENV_BIN}/python)" && \
    /bin/sh /build/init-nginx.sh && \
    /bin/sh /build/init-php-fpm.sh && \
    /bin/sh /build/init-cron.sh && \
    /bin/sh /build/init-backend.sh && \
    rm -rf /build && \
    apk del libcap && \
-    date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
+    date +%s > "${NETALERTX_FRONT}/buildtimestamp.txt"


-ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
+ENTRYPOINT ["/bin/bash","/entrypoint.sh"]

 # Final hardened stage to improve security by setting least possible permissions and removing sudo access.
 # When complete, if the image is compromised, there's not much that can be done with it.
 # This stage is separate from Runner stage so that devcontainer can use the Runner stage.
 FROM runner AS hardened

+# Re-declare UID/GID args for this stage
+ARG NETALERTX_UID=20211
+ARG NETALERTX_GID=20211
+ARG READONLY_UID=20212
+ARG READONLY_GID=20212
+
 ENV UMASK=0077

 # Create readonly user and group with no shell access.
 # Readonly user marks folders that are created by NetAlertX, but should not be modified.
-# AI may claim this is stupid, but it's actually least possible permissions as 
+# AI may claim this is stupid, but it's actually least possible permissions as
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
-RUN addgroup -g 20212 ${READ_ONLY_GROUP} && \
-    adduser -u 20212 -G ${READ_ONLY_GROUP} -D -h /app ${READ_ONLY_USER}
+RUN addgroup -g ${READONLY_GID} "${READ_ONLY_GROUP}" && \
+    adduser -u ${READONLY_UID} -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"


 # reduce permissions to minimum necessary for all NetAlertX files and folders
 # Permissions 005 and 004 are not typos, they enable read-only. Everyone can
 # read the read-only files, and nobody can write to them, even the readonly user.
+
+# hadolint ignore=SC2114
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 004 ${READ_ONLY_FOLDERS} && \
    find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
-    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FOLDERS} && \
-    chown -R ${NETALERTX_USER}:${NETALERTX_GROUP} ${READ_WRITE_FOLDERS} && \
-    chmod -R 600 ${READ_WRITE_FOLDERS} && \
-    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
-    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
-    for dir in ${READ_WRITE_FOLDERS}; do \
-        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
-    done && \
+    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 0777 ${READ_WRITE_FOLDERS} && \
+    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /root-entrypoint.sh /opt /opt/venv && \
+    chmod 005 /entrypoint.sh /root-entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
+    # Do not bake first-run artifacts into the image. If present, Docker volume copy-up
+    # will persist restrictive ownership/modes into fresh named volumes, breaking
+    # arbitrary non-root UID/GID runs.
+    rm -f \
+      "${NETALERTX_CONFIG}/app.conf" \
+      "${NETALERTX_DB_FILE}" \
+      "${NETALERTX_DB_FILE}-shm" \
+      "${NETALERTX_DB_FILE}-wal" || true && \
    apk del apk-tools && \
    rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
    /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
    /srv /media && \
-    sed -i "/^\(${READ_ONLY_USER}\|${NETALERTX_USER}\):/!d" /etc/passwd && \
-    sed -i "/^\(${READ_ONLY_GROUP}\|${NETALERTX_GROUP}\):/!d" /etc/group && \
-    echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    # Preserve root and system identities so hardened entrypoint never needs to patch /etc/passwd or /etc/group at runtime.
+    printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+USER "0"

-USER netalertx
+# Call root-entrypoint.sh which drops priviliges to run entrypoint.sh.
+ENTRYPOINT ["/root-entrypoint.sh"]

 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD /services/healthcheck.sh
@@ -230,6 +260,7 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
 # Open and wide to avoid permission issues during development allowing max
 # flexibility.

+# hadolint ignore=DL3006
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app

@@ -243,9 +274,18 @@ ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
 USER root
 # Install common tools, create user, and set up sudo
+
+# Ensure entrypoint scripts stay executable in the devcontainer (avoids 126 errors)
+RUN chmod +x /entrypoint.sh /root-entrypoint.sh /entrypoint.d/*.sh && \
+    chmod +x /entrypoint.d/35-apply-conf-override.sh
+
 RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
    pytest-cov zsh alpine-zsh-config shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx \
-    docker-cli-compose shellcheck
+    docker-cli-compose shellcheck py3-psutil chromium chromium-chromedriver
+
+# Install hadolint (Dockerfile linter)
+RUN curl -L https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint

 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
    cp -a /usr/lib/php83/modules/. /services/php/modules/ && \
@@ -267,6 +307,6 @@ RUN mkdir -p /workspaces && \
    chown netalertx:netalertx /home/netalertx && \
    sed -i -e 's#/app:#/workspaces:#' /etc/passwd && \
    find /opt/venv -type d -exec chmod o+rwx {} \;
-    
+
 USER netalertx
 ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -12,7 +12,8 @@
  "capAdd": [
    "SYS_ADMIN", // For mounting ramdisks
    "NET_ADMIN", // For network interface configuration
-    "NET_RAW" // For raw packet manipulation
+    "NET_RAW", // For raw packet manipulation
+    "NET_BIND_SERVICE" // For privileged port binding (e.g., UDP 137)
  ],
  "runArgs": [
    "--security-opt",
@@ -25,7 +26,7 @@
    // even within this container and connect to them as needed.
    // "--network=host",
  ],
-  "mounts": [ 
+  "mounts": [
    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" //used for testing various conditions in docker
  ],
  // ATTENTION: If running with --network=host, COMMENT `forwardPorts` OR ELSE THERE WILL BE NO WEBUI!
@@ -46,12 +47,12 @@
  },

  "postCreateCommand": {
-      "Install Pip Requirements": "/opt/venv/bin/pip3 install pytest docker debugpy",
-      "Workspace Instructions": "printf '\n\n<> DevContainer Ready!\n\n📁 To access /tmp folders in the workspace:\n   File → Open Workspace from File → NetAlertX.code-workspace\n\n📖 See .devcontainer/WORKSPACE.md for details\n\n'"
+      "Install Pip Requirements": "/opt/venv/bin/pip3 install pytest docker debugpy selenium",
+      "Workspace Instructions": "printf '\n\n<> DevContainer Ready! Starting Services...\n\n📁 To access /tmp folders in the workspace:\n   File → Open Workspace from File → NetAlertX.code-workspace\n\n📖 See .devcontainer/WORKSPACE.md for details\n\n'"
  },
  "postStartCommand": {
      "Start Environment":"${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
-      "Build test-container":"echo building netalertx-test container in background. check /tmp/build.log for progress. && setsid docker buildx build -t netalertx-test . > /tmp/build.log 2>&1 &"
+      "Build test-container":"echo To speed up tests, building test container in background... && setsid docker buildx build -t netalertx-test . > /tmp/build.log 2>&1 && echo '🧪 Unit Test Docker image built: netalertx-test' &"
  },
  "customizations": {
    "vscode": {
@@ -76,6 +77,7 @@
        "mkhl.shfmt",
        "charliermarsh.ruff",
        "ms-python.flake8",
+        "exiasr.hadolint",
        "timonwong.shellcheck"
      ],
      "settings": {
@@ -87,7 +89,7 @@
          }
        },
        "terminal.integrated.defaultProfile.linux": "zsh",
-        
+
        // Python testing configuration
        "python.testing.pytestEnabled": true,
        "python.testing.unittestEnabled": false,
--- a/.devcontainer/resources/devcontainer-Dockerfile
+++ b/.devcontainer/resources/devcontainer-Dockerfile
@@ -7,6 +7,7 @@
 # Open and wide to avoid permission issues during development allowing max
 # flexibility.

+# hadolint ignore=DL3006
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app

@@ -20,9 +21,18 @@ ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
 USER root
 # Install common tools, create user, and set up sudo
+
+# Ensure entrypoint scripts stay executable in the devcontainer (avoids 126 errors)
+RUN chmod +x /entrypoint.sh /root-entrypoint.sh /entrypoint.d/*.sh && \
+    chmod +x /entrypoint.d/35-apply-conf-override.sh
+
 RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
    pytest-cov zsh alpine-zsh-config shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx \
-    docker-cli-compose shellcheck
+    docker-cli-compose shellcheck py3-psutil chromium chromium-chromedriver
+
+# Install hadolint (Dockerfile linter)
+RUN curl -L https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+    chmod +x /usr/local/bin/hadolint

 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
    cp -a /usr/lib/php83/modules/. /services/php/modules/ && \
@@ -44,6 +54,6 @@ RUN mkdir -p /workspaces && \
    chown netalertx:netalertx /home/netalertx && \
    sed -i -e 's#/app:#/workspaces:#' /etc/passwd && \
    find /opt/venv -type d -exec chmod o+rwx {} \;
-    
+
 USER netalertx
 ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
--- a/.devcontainer/scripts/load-devices.sh
+++ b/.devcontainer/scripts/load-devices.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+if [ -n "${CSV_PATH:-}" ]; then
+  : # user provided CSV_PATH
+else
+  # Portable mktemp fallback: try GNU coreutils first, then busybox-style
+  if mktemp --version >/dev/null 2>&1; then
+    CSV_PATH="$(mktemp --tmpdir netalertx-devices-XXXXXX.csv 2>/dev/null || mktemp /tmp/netalertx-devices-XXXXXX.csv)"
+  else
+    CSV_PATH="$(mktemp -t netalertx-devices.XXXXXX 2>/dev/null || mktemp /tmp/netalertx-devices-XXXXXX.csv)"
+  fi
+fi
+DEVICE_COUNT="${DEVICE_COUNT:-255}"
+SEED="${SEED:-20211}"
+NETWORK_CIDR="${NETWORK_CIDR:-192.168.50.0/22}"
+DB_DIR="${NETALERTX_DB:-/data/db}"
+DB_FILE="${DB_DIR%/}/app.db"
+
+# Ensure we are inside the devcontainer
+"${SCRIPT_DIR}/isDevContainer.sh" >/dev/null
+
+if [ ! -f "${DB_FILE}" ]; then
+  echo "[load-devices] Database not found at ${DB_FILE}. Is the devcontainer initialized?" >&2
+  exit 1
+fi
+
+if ! command -v sqlite3 >/dev/null 2>&1; then
+  echo "[load-devices] sqlite3 is required but not installed." >&2
+  exit 1
+fi
+if ! command -v python3 >/dev/null 2>&1; then
+  echo "[load-devices] python3 is required but not installed." >&2
+  exit 1
+fi
+if ! command -v curl >/dev/null 2>&1; then
+  echo "[load-devices] curl is required but not installed." >&2
+  exit 1
+fi
+
+# Generate synthetic device inventory CSV
+python3 "${REPO_ROOT}/scripts/generate-device-inventory.py" \
+  --output "${CSV_PATH}" \
+  --devices "${DEVICE_COUNT}" \
+  --seed "${SEED}" \
+  --network "${NETWORK_CIDR}" >/dev/null
+
+echo "[load-devices] CSV generated at ${CSV_PATH} (devices=${DEVICE_COUNT}, seed=${SEED})"
+
+API_TOKEN="$(sqlite3 "${DB_FILE}" "SELECT setValue FROM Settings WHERE setKey='API_TOKEN';")"
+GRAPHQL_PORT="$(sqlite3 "${DB_FILE}" "SELECT setValue FROM Settings WHERE setKey='GRAPHQL_PORT';")"
+
+if [ -z "${API_TOKEN}" ] || [ -z "${GRAPHQL_PORT}" ]; then
+  echo "[load-devices] Failed to read API_TOKEN or GRAPHQL_PORT from ${DB_FILE}" >&2
+  exit 1
+fi
+
+IMPORT_URL="http://localhost:${GRAPHQL_PORT}/devices/import"
+
+HTTP_CODE=$(curl -sS -o /tmp/load-devices-response.json -w "%{http_code}" \
+  -X POST "${IMPORT_URL}" \
+  -H "Authorization: Bearer ${API_TOKEN}" \
+  -F "file=@${CSV_PATH}")
+
+if [ "${HTTP_CODE}" != "200" ]; then
+  echo "[load-devices] Import failed with HTTP ${HTTP_CODE}. Response:" >&2
+  cat /tmp/load-devices-response.json >&2
+  exit 1
+fi
+
+# Fetch totals for a quick sanity check
+TOTALS=$(curl -sS -H "Authorization: Bearer ${API_TOKEN}" "http://localhost:${GRAPHQL_PORT}/devices/totals" || true)
+
+echo "[load-devices] Import succeeded (HTTP ${HTTP_CODE})."
+echo "[load-devices] Devices totals: ${TOTALS}"
+echo "[load-devices] Done. CSV kept at ${CSV_PATH}"
--- a/.devcontainer/scripts/setup.sh
+++ b/.devcontainer/scripts/setup.sh
@@ -47,6 +47,9 @@ sudo mount -t tmpfs -o size=50m,mode=0777 tmpfs /tmp/nginx 2>/dev/null || true

 sudo chmod 777 /tmp/log /tmp/api /tmp/run /tmp/nginx

+# Create critical subdirectories immediately after tmpfs mount
+sudo install -d -m 777 /tmp/run/tmp
+sudo install -d -m 777 /tmp/log/plugins


 sudo rm -rf /entrypoint.d
@@ -85,9 +88,7 @@ sudo chmod 777 "${LOG_DB_IS_LOCKED}"

 sudo pkill -f python3 2>/dev/null || true

-sudo chmod 777 "${PY_SITE_PACKAGES}" "${NETALERTX_DATA}" "${NETALERTX_DATA}"/* 2>/dev/null || true
-
-sudo chmod 005 "${PY_SITE_PACKAGES}" 2>/dev/null || true
+sudo chmod -R 777 "${PY_SITE_PACKAGES}" "${NETALERTX_DATA}" 2>/dev/null || true

 sudo chown -R "${NETALERTX_USER}:${NETALERTX_GROUP}" "${NETALERTX_APP}"
 date +%s | sudo tee "${NETALERTX_FRONT}/buildtimestamp.txt" >/dev/null
--- a/.github/ISSUE_TEMPLATE/documentation-feedback.yml
+++ b/.github/ISSUE_TEMPLATE/documentation-feedback.yml
@@ -14,7 +14,7 @@ body:
    label: What document or section does this relate to?
    description: |
      Please include a link to the file and section, if applicable. Be specific about what part of the documentation you are referencing.
-    placeholder: e.g. https://github.com/jokob-sk/NetAlertX/blob/main/docs/FRONTEND_DEVELOPMENT.md
+    placeholder: e.g. https://docs.netalertx.com/FRONTEND_DEVELOPMENT
  validations:
    required: true
 - type: textarea
@@ -49,7 +49,7 @@ body:
    required: false
 - type: checkboxes
  attributes:
-    label: Can I help implement this? 👩‍💻👨‍💻 
+    label: Can I help implement this? 👩‍💻👨‍💻
    description: The maintainer can provide guidance and review your changes.
    options:
      - label: "Yes, I’d like to help implement the improvement"
--- a/.github/ISSUE_TEMPLATE/enhancement-request.yml
+++ b/.github/ISSUE_TEMPLATE/enhancement-request.yml
@@ -1,33 +0,0 @@
-name: Enhancement Request
-description: Propose an improvement to an existing feature or UX behavior.
-labels: ['enhancement ♻️']
-body:
- type: checkboxes
-  attributes:
-    label: Is there an existing issue for this?
-    options:
-      - label: I have searched existing open and closed issues
-        required: true
- type: textarea
-  attributes:
-    label: What is the enhancement?
-    description: Describe the change or optimization you’d like to see to an existing feature.
-    placeholder: e.g. Make scan intervals configurable from UI instead of just `app.conf`
-    required: true
- type: textarea
-  attributes:
-    label: What problem does this solve or improve?
-    description: Describe why this change would improve user experience or project maintainability.
-    required: true
- type: textarea
-  attributes:
-    label: Additional context or examples
-    description: |
-      Screenshots? Comparisons? Reference repos?
-    required: false
- type: checkboxes
-  attributes:
-    label: Are you willing to help implement this?
-    options:
-      - label: "Yes"
-      - label: "No"
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -5,7 +5,7 @@ body:
 - type: checkboxes
  attributes:
    label: Is there an existing issue for this?
-    description: Please search to see if an open or closed issue already exists for the feature you are requesting. 
+    description: Please search to see if an open or closed issue already exists for the feature you are requesting.
    options:
    - label: I have searched the existing open and closed issues
      required: true
@@ -32,21 +32,21 @@ body:
    label: Anything else?
    description: |
      Links? References? Mockups? Anything that will give us more context about the feature you are encountering!
-      
+
      Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
  validations:
    required: true
 - type: checkboxes
  attributes:
    label: Am I willing to test this? 🧪
-    description: I rely on the community to test unreleased features. If you are requesting a feature, please be willing to test it within 48h of test request. Otherwise, the feature might be pulled from the code base. 
+    description: I rely on the community to test unreleased features. If you are requesting a feature, please be willing to test it within 48h of test request. Otherwise, the feature might be pulled from the code base.
    options:
    - label: I will do my best to test this feature on the `netlertx-dev` image when requested within 48h and report bugs to help deliver a great user experience for everyone and not to break existing installations.
      required: true
 - type: checkboxes
  attributes:
-    label: Can I help implement this? 👩‍💻👨‍💻 
-    description: The maintainer will provide guidance and help. The implementer will read the PR guidelines https://jokob-sk.github.io/NetAlertX/DEV_ENV_SETUP/
+    label: Can I help implement this? 👩‍💻👨‍💻
+    description: The maintainer will provide guidance and help. The implementer will read the PR guidelines https://docs.netalertx.com/DEV_ENV_SETUP/
    options:
    - label: "Yes"
    - label: "No"
--- a/.github/ISSUE_TEMPLATE/i-have-an-issue.yml
+++ b/.github/ISSUE_TEMPLATE/i-have-an-issue.yml
@@ -2,17 +2,31 @@ name: Bug Report
 description: 'When submitting an issue enable LOG_LEVEL="trace" and have a look at the docs.'
 labels: ['bug 🐛']
 body:
+- type: dropdown
+  id: installation_type
+  attributes:
+    label: What installation are you running?
+    options:
+      - Production (netalertx) 📦
+      - Dev (netalertx-dev) 👩‍💻
+      - Home Assistant (addon) 🏠
+      - Home Assistant fa (full-access addon) 🏠
+      - Bare-metal (community only support - Check Discord) ❗
+      - Proxmox (community only support - Check Discord) ❗
+      - Unraid (community only support - Check Discord) ❗
+  validations:
+    required: true
 - type: checkboxes
  attributes:
    label: Is there an existing issue for this?
    description: Please search to see if an open or closed issue already exists for the bug you encountered.
    options:
-    - label: I have searched the existing open and closed issues and I checked the docs https://jokob-sk.github.io/NetAlertX/
+    - label: I have searched the existing open and closed issues and I checked the docs https://docs.netalertx.com/
      required: true
 - type: checkboxes
  attributes:
    label: The issue occurs in the following browsers. Select at least 2.
-    description: This step helps me understand if this is a cache or browser-specific issue. 
+    description: This step helps me understand if this is a cache or browser-specific issue.
    options:
    - label: "Firefox"
    - label: "Chrome"
@@ -44,9 +58,9 @@ body:
    required: false
 - type: textarea
  attributes:
-    label: Relevant `app.conf` settings 
+    label: Relevant `app.conf` settings
    description: |
-      Paste relevant `app.conf`settings (remove sensitive info)    
+      Paste relevant `app.conf`settings (remove sensitive info)
    render: python
  validations:
    required: false
@@ -54,22 +68,10 @@ body:
  attributes:
    label: docker-compose.yml
    description: |
-      Paste your `docker-compose.yml`    
+      Paste your `docker-compose.yml`
    render: yaml
  validations:
    required: false
- type: dropdown
-  id: installation_type
-  attributes:
-    label: What installation are you running?
-    options:
-      - Production (netalertx)
-      - Dev (netalertx-dev)
-      - Home Assistant (addon)
-      - Home Assistant fa (full-access addon)
-      - Bare-metal (community only support - Check Discord)
-  validations:
-    required: true
 - type: checkboxes
  attributes:
    label: Debug or Trace enabled
@@ -82,10 +84,10 @@ body:
    label: Relevant `app.log` section
    value: |
        ```
-          PASTE LOG HERE. Using the triple backticks preserves format. 
+          PASTE LOG HERE. Using the triple backticks preserves format.
        ```
    description: |
-      Logs with debug enabled (https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEBUG_TIPS.md) ⚠
+      Logs with debug enabled (https://docs.netalertx.com/DEBUG_TIPS) ⚠
      ***Generally speaking, all bug reports should have logs provided.***
      Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
      Additionally, any additional info? Screenshots? References? Anything that will give us more context about the issue you are encountering!
@@ -99,7 +101,7 @@ body:
     You can retrieve the logs from Portainer -> Containers -> your NetAlertX container -> Logs or by running `sudo docker logs netalertx`.
    value: |
        ```
-          PASTE DOCKER LOG HERE. Using the triple backticks preserves format. 
+          PASTE DOCKER LOG HERE. Using the triple backticks preserves format.
        ```
  validations:
    required: true
--- a/.github/ISSUE_TEMPLATE/refactor-codequality-request.yml
+++ b/.github/ISSUE_TEMPLATE/refactor-codequality-request.yml
@@ -1,37 +0,0 @@
-name: Refactor / Code Quality Request ♻️
-description: Suggest improvements to code structure, style, or maintainability.
-labels: ['enhancement ♻️']
-body:
- type: checkboxes
-  attributes:
-    label: Is there an existing issue for this?
-    description: Please check if a similar request already exists.
-    options:
-      - label: I have searched the existing open and closed issues
-        required: true
- type: textarea
-  attributes:
-    label: What part of the code needs refactoring or improvement?
-    description: Specify files, modules, or components.
-    required: true
- type: textarea
-  attributes:
-    label: Describe the proposed changes
-    description: Explain the refactoring or quality improvements you suggest.
-    required: true
- type: textarea
-  attributes:
-    label: Why is this improvement needed?
-    description: Benefits such as maintainability, readability, performance, or scalability.
-    required: true
- type: textarea
-  attributes:
-    label: Additional context or examples
-    description: Any relevant links, references, or related issues.
-    required: false
- type: checkboxes
-  attributes:
-    label: Can you help implement this change?
-    options:
-      - label: Yes
-      - label: No
--- a/.github/ISSUE_TEMPLATE/setup-help.yml
+++ b/.github/ISSUE_TEMPLATE/setup-help.yml
@@ -2,21 +2,35 @@ name: Setup help
 description: 'When submitting an issue enable LOG_LEVEL="trace" and re-search first.'
 labels: ['Setup 📥']
 body:
+- type: dropdown
+  id: installation_type
+  attributes:
+    label: What installation are you running?
+    options:
+      - Production (netalertx) 📦
+      - Dev (netalertx-dev) 👩‍💻
+      - Home Assistant (addon) 🏠
+      - Home Assistant fa (full-access addon) 🏠
+      - Bare-metal (community only support - Check Discord) ❗
+      - Proxmox (community only support - Check Discord) ❗
+      - Unraid (community only support - Check Discord) ❗
+  validations:
+    required: true
 - type: checkboxes
  attributes:
    label: Did I research?
    description: Please confirm you checked the usual places before opening a setup support request.
    options:
-    - label: I have searched the docs https://jokob-sk.github.io/NetAlertX/
+    - label: I have searched the docs https://docs.netalertx.com/
      required: true
    - label: I have searched the existing open and closed issues
      required: true
-    - label: I confirm my SCAN_SUBNETS is configured and tested as per https://github.com/jokob-sk/NetAlertX/blob/main/docs/SUBNETS.md
+    - label: I confirm my SCAN_SUBNETS is configured and tested as per https://docs.netalertx.com/SUBNETS
      required: true
 - type: checkboxes
  attributes:
    label: The issue occurs in the following browsers. Select at least 2.
-    description: This step helps me understand if this is a cache or browser-specific issue. 
+    description: This step helps me understand if this is a cache or browser-specific issue.
    options:
    - label: "Firefox"
    - label: "Chrome"
@@ -32,38 +46,26 @@ body:
  attributes:
    label: Relevant settings you changed
    description: |
-      Paste a screenshot or setting values of the settings you changed. 
+      Paste a screenshot or setting values of the settings you changed.
  validations:
    required: false
 - type: textarea
  attributes:
    label: docker-compose.yml
    description: |
-      Paste your `docker-compose.yml`    
+      Paste your `docker-compose.yml`
    render: python
  validations:
    required: false
- type: dropdown
-  id: installation_type
-  attributes:
-    label: What installation are you running?
-    options:
-      - Production (netalertx)
-      - Dev (netalertx-dev)
-      - Home Assistant (addon)
-      - Home Assistant fa (full-access addon)
-      - Bare-metal (community only support - Check Discord)
-  validations:
-    required: true
 - type: textarea
  attributes:
    label: app.log
    description: |
-      Logs with debug enabled (https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEBUG_TIPS.md) ⚠
+      Logs with debug enabled (https://docs.netalertx.com/DEBUG_TIPS) ⚠
      ***Generally speaking, all bug reports should have logs provided.***
      Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
      Additionally, any additional info? Screenshots? References? Anything that will give us more context about the issue you are encountering!
-      You can use `tail -100 /app/log/app.log` in the container if you have trouble getting to the log files. 
+      You can use `tail -100 /app/log/app.log` in the container if you have trouble getting to the log files.
  validations:
    required: false
 - type: checkboxes
--- a/.github/ISSUE_TEMPLATE/translation-request.yml
+++ b/.github/ISSUE_TEMPLATE/translation-request.yml
@@ -1,36 +0,0 @@
-name: Translation / Localization Request 🌐
-description: Suggest adding or improving translations or localization support.
-labels: ['enhancement 🌐']
-body:
- type: checkboxes
-  attributes:
-    label: Have you checked for existing translation efforts or related issues?
-    options:
-      - label: I have searched existing open and closed issues
-        required: true
- type: textarea
-  attributes:
-    label: Language(s) involved
-    description: Specify the language(s) this request pertains to.
-    required: true
- type: textarea
-  attributes:
-    label: Describe the translation or localization improvement
-    description: Examples include adding new language support, fixing translation errors, or improving formatting.
-    required: true
- type: textarea
-  attributes:
-    label: Why is this important for the project or users?
-    description: Describe the benefits or target audience.
-    required: false
- type: textarea
-  attributes:
-    label: Additional context or references
-    description: Link to files, previous translation PRs, or external resources.
-    required: false
- type: checkboxes
-  attributes:
-    label: Can you help with translation or review?
-    options:
-      - label: Yes
-      - label: No
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1,14 +1,23 @@
+### ROLE: NETALERTX ARCHITECT & STRICT CODE AUDITOR
+You are a cynical Security Engineer and Core Maintainer of NetAlertX. Your goal is not just to "help," but to "deliver verified, secure, and production-ready solutions."
+
+### MANDATORY BEHAVIORAL OVERRIDES:
+1.  **Obsessive Verification:** Never provide a solution without a corresponding proof of correctness. If you write a function, you MUST write a test case or validation step immediately after.
+2.  **Anti-Laziness Protocol:** You are forbidden from using placeholders (e.g., `// ... rest of code`, ``). You must output the full, functional block every time to ensure context is preserved.
+3.  **Priority Hierarchy:** Priority 1 is Correctness. Priority 2 is Completeness. Priority 3 is Speed.
+4.  **Mantra:** "Job's not done 'till unit tests run."
+
+---
+
 # NetAlertX AI Assistant Instructions
 This is NetAlertX — network monitoring & alerting. NetAlertX provides Network inventory, awareness, insight, categorization, intruder and presence detection. This is a heavily community-driven project, welcoming of all contributions.

-You are expected to be concise, opinionated, and biased toward security and simplicity.
-
 ## Architecture (what runs where)
 - Backend (Python): main loop + GraphQL/REST endpoints orchestrate scans, plugins, workflows, notifications, and JSON export.
-	- Key: `server/__main__.py`, `server/plugin.py`, `server/initialise.py`, `server/api_server/api_server_start.py`
+  - Key: `server/__main__.py`, `server/plugin.py`, `server/initialise.py`, `server/api_server/api_server_start.py`
 - Data (SQLite): persistent state in `db/app.db`; helpers in `server/database.py` and `server/db/*`.
 - Frontend (Nginx + PHP + JS): UI reads JSON, triggers execution queue events.
-	- Key: `front/`, `front/js/common.js`, `front/php/server/*.php`
+  - Key: `front/`, `front/js/common.js`, `front/php/server/*.php`
 - Plugins (Python): acquisition/enrichment/publishers under `front/plugins/*` with `config.json` manifests.
 - Messaging/Workflows: `server/messaging/*`, `server/workflows/*`
 - API JSON Cache for UI: generated under `api/*.json`
@@ -34,16 +43,17 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 - Use logging as shown in other plugins.
 - Collect results with `Plugin_Objects.add_object(...)` during processing and call `plugin_objects.write_result_file()` exactly once at the end of the script.
 - Prefer to log a brief summary before writing (e.g., total objects added) to aid troubleshooting; keep logs concise at `info` level and use `verbose` or `debug` for extra context.
-
 - Do not write ad‑hoc files for results; the only consumable output is `last_result.<PREF>.log` generated by `Plugin_Objects`.
+
 ## API/Endpoints quick map
 - Flask app: `server/api_server/api_server_start.py` exposes routes like `/device/<mac>`, `/devices`, `/devices/export/{csv,json}`, `/devices/import`, `/devices/totals`, `/devices/by-status`, plus `nettools`, `events`, `sessions`, `dbquery`, `metrics`, `sync`.
 - Authorization: all routes expect header `Authorization: Bearer <API_TOKEN>` via `get_setting_value('API_TOKEN')`.
+- All responses need to return `"success":<False:True>` and if `False` an "error" message needs to be returned, e.g. `{"success": False, "error": f"No stored open ports for Device"}`

 ## Conventions & helpers to reuse
 - Settings: add/modify via `ccd()` in `server/initialise.py` or per‑plugin manifest. Never hardcode ports or secrets; use `get_setting_value()`.
- Logging: use `logger.mylog(level, [message])`; levels: none/minimal/verbose/debug/trace.
- Time/MAC/strings: `helper.py` (`timeNowDB`, `normalize_mac`, sanitizers). Validate MACs before DB writes.
+- Logging: use `mylog(level, [message])`; levels: none/minimal/verbose/debug/trace. `none` is used for most important messages that should always appear, such as exceptions. Do NOT use `error` as level.
+- Time/MAC/strings: `server/utils/datetime_utils.py` (`timeNowDB`), `front/plugins/plugin_helper.py` (`normalize_mac`), `server/helper.py` (sanitizers). Validate MACs before DB writes.
 - DB helpers: prefer `server/db/db_helper.py` functions (e.g., `get_table_json`, device condition helpers) over raw SQL in new paths.

 ## Dev workflow (devcontainer)
@@ -55,37 +65,25 @@ Backend loop phases (see `server/__main__.py` and `server/plugin.py`): `once`, `
 - Run a plugin manually: `python3 front/plugins/<code_name>/script.py` (ensure `sys.path` includes `/app/front/plugins` and `/app/server` like the template).
 - Testing: pytest available via Alpine packages. Tests live in `test/`; app code is under `server/`. PYTHONPATH is preconfigured to include workspace and `/opt/venv` site‑packages.
 - **Subprocess calls:** ALWAYS set explicit timeouts. Default to 60s minimum unless plugin config specifies otherwise. Nested subprocess calls (e.g., plugins calling external tools) need their own timeout - outer plugin timeout won't save you.
+- you need to set the BACKEND_API_URL setting (e.g. in teh app.conf file or via the APP_CONF_OVERRIDE env variable) to the backend api port url , e.g. https://something-20212.app.github.dev/ depending on your github codespace url.

 ## What “done right” looks like
 - When adding a plugin, start from `front/plugins/__template`, implement with `plugin_helper`, define manifest settings, and wire phase via `<PREF>_RUN`. Verify logs in `/tmp/log/plugins/` and data in `api/*.json`.
 - When introducing new config, define it once (core `ccd()` or plugin manifest) and read it via helpers everywhere.
 - When exposing new server functionality, add endpoints in `server/api_server/*` and keep authorization consistent; update UI by reading/writing JSON cache rather than bypassing the pipeline.
+- Always try following the DRY principle, do not re-implement functionality, but re-use existing methods where possible, or refactor to use a common method that is called multiple times
+- If new functionality needs to be added, look at impenting it into existing handlers (e.g. `DeviceInstance` in `server/models/device_instance.py`) or create a new one if it makes sense. Do not access the DB from otehr application layers.
+- Code files shoudln't be longer than 500 lines of code

 ## Useful references
 - Docs: `docs/PLUGINS_DEV.md`, `docs/SETTINGS_SYSTEM.md`, `docs/API_*.md`, `docs/DEBUG_*.md`
 - Logs: All logs are under `/tmp/log/`. Plugin logs are very shortly under `/tmp/log/plugins/` until picked up by the server.
-    - plugin logs: `/tmp/log/app.log`
-	- backend logs: `/tmp/log/stdout.log` and `/tmp/log/stderr.log`
-	- frontend commands logs: `/tmp/log/app_front.log`
-	- php errors: `/tmp/log/app.php_errors.log`
-	- nginx logs: `/tmp/log/nginx-access.log` and `/tmp/log/nginx-error.log`
-
-## Assistant expectations:
- Be concise, opinionated, and biased toward security and simplicity.
- Reference concrete files/paths/environmental variables.
- Use existing helpers/settings.
- Offer a quick validation step (log line, API hit, or JSON export) for anything you add.
- Be blunt about risks and when you offer suggestions ensure they're also blunt,
- Ask for confirmation before making changes that run code or change multiple files.
- Make statements actionable and specific; propose exact edits.
- Request confirmation before applying changes that affect more than a single, clearly scoped line or file.
- Ask the user to debug something for an actionable value if you're unsure.
- Be sure to offer choices when appropriate.
- Always understand the intent of the user's request and undo/redo as needed.
- Above all, use the simplest possible code that meets the need so it can be easily audited and maintained.
- Always leave logging enabled. If there is a possiblity it will be difficult to debug with current logging, add more logging.
- Always run the testFailure tool before executing any tests to gather current failure information and avoid redundant runs.
- Always prioritize using the appropriate tools in the environment first. As an example if a test is failing use `testFailure` then `runTests`. Never `runTests` first. 
- Docker tests take an extremely long time to run.  Avoid changes to docker or tests until you've examined the exisiting testFailures and runTests results.
- Environment tools are designed specifically for your use in this project and running them in this order will give you the best results. 
+  - plugin logs: `/tmp/log/plugins/*.log`
+  - backend logs: `/tmp/log/stdout.log` and `/tmp/log/stderr.log`
+  - php errors: `/tmp/log/app.php_errors.log`
+  - nginx logs: `/tmp/log/nginx-access.log` and `/tmp/log/nginx-error.log`

+## Execution Protocol (Strict)
+- Always run the `testFailure` tool before executing any tests to gather current failure information and avoid redundant runs.
+- Always prioritize using the appropriate tools in the environment first. Example: if a test is failing use `testFailure` then `runTests`.
+- Docker tests take an extremely long time to run. Avoid changes to docker or tests until you've examined the existing `testFailure`s and `runTests` results.
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -84,7 +84,7 @@ jobs:
        continue-on-error: true
        run: |
          echo "🔍 Linting Dockerfiles..."
-          /tmp/hadolint Dockerfile* || true
+          /tmp/hadolint --config .hadolint.yaml Dockerfile* || true

  docker-tests:
    runs-on: ubuntu-latest
--- a/.github/workflows/docker_dev.yml
+++ b/.github/workflows/docker_dev.yml
@@ -13,7 +13,7 @@ on:
 jobs:
  docker_dev:
    runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
    permissions:
      contents: read
      packages: write
@@ -47,6 +47,12 @@ jobs:
        id: get_version
        run: echo "version=Dev" >> $GITHUB_OUTPUT

+      # --- debug output
+      - name: Debug version
+        run: |
+          echo "GITHUB_REF: $GITHUB_REF"
+          echo "Version: '${{ steps.get_version.outputs.version }}'"
+
      # --- Write the timestamped version to .VERSION file
      - name: Create .VERSION file
        run: echo "${{ steps.timestamp.outputs.version }}" > .VERSION
@@ -90,3 +96,5 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/.github/workflows/docker_prod.yml
+++ b/.github/workflows/docker_prod.yml
@@ -17,7 +17,7 @@ on:
 jobs:
  docker:
    runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
    permissions:
      contents: read
      packages: write
@@ -32,14 +32,34 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      # --- Previous approach Get release version from tag
+      - name: Set up dynamic build ARGs
+        id: getargs
+        run: echo "version=$(cat ./stable/VERSION)" >> $GITHUB_OUTPUT
+
+      - name: Get release version
+        id: get_version_prev
+        run: echo "::set-output name=version::${GITHUB_REF#refs/tags/}"
+
+      - name: Create .VERSION file
+        run: echo "${{ steps.get_version.outputs.version }}" >> .VERSION_PREV
+
      # --- Get release version from tag
      - name: Get release version
        id: get_version
        run: echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

+
+      # --- debug output
+      - name: Debug version
+        run: |
+          echo "GITHUB_REF: $GITHUB_REF"
+          echo "Version: '${{ steps.get_version.outputs.version }}'"
+          echo "Version prev: '${{ steps.get_version_prev.outputs.version }}'"
+
      # --- Write version to .VERSION file
      - name: Create .VERSION file
-        run: echo "${{ steps.get_version.outputs.version }}" > .VERSION
+        run: echo -n "${{ steps.get_version.outputs.version }}" > .VERSION

      # --- Generate Docker metadata and tags
      - name: Docker meta
--- a/.github/workflows/label-issues.yml
+++ b/.github/workflows/label-issues.yml
@@ -21,7 +21,7 @@ jobs:

            let labelsToAdd = [];

-            if (lowerBody.includes('bare-metal')) {
+            if (lowerBody.includes('bare-metal') || lowerBody.includes('proxmox')) {
              labelsToAdd.push('bare-metal ❗');
            }

--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -3,7 +3,10 @@ name: Deploy MkDocs
 on:
  push:
    branches:
-      - main  # Change if your default branch is different
+      - main
+
+permissions:
+  contents: write

 jobs:
  deploy:
@@ -19,7 +22,15 @@ jobs:

      - name: Install MkDocs
        run: |
-          pip install mkdocs mkdocs-material && pip install mkdocs-github-admonitions-plugin 
+          pip install mkdocs mkdocs-material
+          pip install mkdocs-github-admonitions-plugin
+
+      - name: Build MkDocs
+        run: mkdocs build
+
+      - name: Add CNAME
+        run: |
+          echo "docs.netalertx.com" > site/CNAME

      - name: Deploy MkDocs
        run: mkdocs gh-deploy --force
--- a/.github/workflows/social_post_on_release.yml
+++ b/.github/workflows/social_post_on_release.yml
@@ -7,8 +7,8 @@ jobs:
  post-discord:
    runs-on: ubuntu-latest
    steps:
-      - name: Wait for 15 minutes
-        run: sleep 900  # 15 minutes delay
+      - name: Wait for 60 minutes
+        run: sleep 3600  # 60 minutes delay

      - name: Post to Discord
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ nohup.out
 config/*
 .ash_history
 .VERSION
+.VERSION_PREV
 config/pialert.conf
 config/app.conf
 db/*
@@ -43,3 +44,5 @@ front/css/cloud_services.css

 docker-compose.yml.ffsb42
 .env.omada.ffsb42
+.venv
+test_mounts/
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -0,0 +1,2 @@
+ignored:
+  - DL3018
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -4,10 +4,12 @@
    "python.testing.pytestEnabled": true,
    "python.testing.unittestEnabled": false,
    "python.testing.pytestArgs": [
-        "test"
+      "test"
    ],
-    // Ensure VS Code uses the devcontainer virtualenv
+    // NetAlertX devcontainer uses /opt/venv; this ensures pip/pytest are available for discovery.
    "python.defaultInterpreterPath": "/opt/venv/bin/python",
+    "python.testing.cwd": "${workspaceFolder}",
+    "python.testing.autoTestDiscoverOnSaveEnabled": true,
    // Let the Python extension invoke pytest via the interpreter; avoid hardcoded paths
    // Removed python.testing.pytestPath and legacy pytest.command overrides
    
@@ -16,8 +18,7 @@
      "zsh": {
        "path": "/bin/zsh"
      }
-    }
-    ,
+    },
    // Fallback for older VS Code versions or schema validators that don't accept custom profiles
    "terminal.integrated.shell.linux": "/usr/bin/zsh"
  ,
@@ -29,5 +30,6 @@
  "python.formatting.provider": "black",
  "python.formatting.blackArgs": [
    "--line-length=180"
-  ]
+  ],
+
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -21,7 +21,6 @@
        "showReuseMessage": false,
        "group": "POSIX Tasks"
      },
-      
      "problemMatcher": [],
      "group": {
        "kind": "build",
@@ -59,6 +58,31 @@
        "color": "terminal.ansiRed"
      }
    },
+    {
+      "label": "[Dev Container] Load Sample Devices",
+      "type": "shell",
+      "command": "./isDevContainer.sh || exit 1; ./load-devices.sh",
+      "detail": "Generates a synthetic device inventory and imports it into the devcontainer database via /devices/import.",
+      "options": {
+        "cwd": "/workspaces/NetAlertX/.devcontainer/scripts",
+        "env": {
+          "CSV_PATH": "/tmp/netalertx-devices.csv"
+        }
+      },
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "panel": "shared",
+        "showReuseMessage": false,
+        "clear": false,
+        "group": "Devcontainer"
+      },
+      "problemMatcher": [],
+      "icon": {
+        "id": "cloud-upload",
+        "color": "terminal.ansiYellow"
+      }
+    },
    {
      "label": "[Dev Container] Re-Run Startup Script",
      "type": "shell",
@@ -73,7 +97,6 @@
        "panel": "shared",
        "showReuseMessage": false
      },
-
      "problemMatcher": [],
      "icon": {
        "id": "beaker",
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,7 +12,7 @@ Please use the [GitHub Issue Tracker](https://github.com/jokob-sk/NetAlertX/issu
 - Documentation feedback 📖

 Before opening a new issue:
- 🛑 [Check Common Issues & Debug Tips](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEBUG_TIPS.md#common-issues)
+- 🛑 [Check Common Issues & Debug Tips](https://docs.netalertx.com/DEBUG_TIPS#common-issues)
 - 🔍 [Search Closed Issues](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue+is%3Aclosed)

 ---
@@ -27,7 +27,7 @@ Please:
 - Follow existing **code style and structure**
 - Provide a clear title and description for your PR
 - If relevant, add or update tests and documentation
- For plugins, refer to the [Plugin Dev Guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS_DEV.md)
+- For plugins, refer to the [Plugin Dev Guide](https://docs.netalertx.com/PLUGINS_DEV)

 ---

@@ -47,7 +47,7 @@ By participating, you agree to follow our [Code of Conduct](./CODE_OF_CONDUCT.md

 ## 📬 Contact

-If you have more in-depth questions or want to discuss contributing in other ways, feel free to reach out at:  
+If you have more in-depth questions or want to discuss contributing in other ways, feel free to reach out at:
 📧 [jokob@duck.com](mailto:jokob@duck.com?subject=NetAlertX%20Contribution)

 We appreciate every contribution, big or small! 💙
--- a/118
+++ b/118
@@ -1,16 +1,16 @@
 # The NetAlertX Dockerfile has 3 stages:
 #
 # Stage 1. Builder - NetAlertX Requires special tools and packages to build our virtual environment, but
-# which are not needed in future stages.  We build the builder and extract the venv for runner to use as 
+# which are not needed in future stages.  We build the builder and extract the venv for runner to use as
 # a base.
 #
 # Stage 2. Runner builds the bare minimum requirements to create an operational NetAlertX. The primary
 # reason for breaking at this stage is it leaves the system in a proper state for devcontainer operation
-# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a 
+# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a
 # docker container as a VM for experimentation and various development patterns.
 #
 # Stage 3. Hardened removes root, sudoers, folders, permissions, and locks the system down into a read-only
-# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the 
+# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the
 # code pushed out by the project is the only code which will run on the system after each container restart.
 # It reduces the chance of system hijacking and operates with all modern security protocols in place as is
 # expected from a security appliance.
@@ -26,13 +26,25 @@ ENV PATH="/opt/venv/bin:$PATH"

 # Install build dependencies
 COPY requirements.txt /tmp/requirements.txt
-RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+        bash \
+        shadow \
+        python3 \
+        python3-dev \
+        gcc \
+        musl-dev \
+        libffi-dev \
+        openssl-dev \
+        git \
+        rust \
+        cargo \
    && python -m venv /opt/venv

-# Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy 
-# into hardened stage without worrying about permissions and keeps image size small. Keeping the commands
-# together makes for a slightly smaller image size.
-RUN pip install -r /tmp/requirements.txt && \
+# Upgrade pip/wheel/setuptools and install Python packages
+# hadolint ignore=DL3013, DL3042
+RUN python -m pip install --upgrade pip setuptools wheel && \
+    pip install --prefer-binary --no-cache-dir -r /tmp/requirements.txt && \
    chmod -R u-rwx,g-rwx /opt

 # second stage is the main runtime stage with just the minimum required to run the application
@@ -40,6 +52,12 @@ RUN pip install -r /tmp/requirements.txt && \
 FROM alpine:3.22 AS runner

 ARG INSTALL_DIR=/app
+# Runtime service account (override at build; container user can still be overridden at run time)
+ARG NETALERTX_UID=20211
+ARG NETALERTX_GID=20211
+# Read-only lock owner (separate from service account to avoid UID/GID collisions)
+ARG READONLY_UID=20212
+ARG READONLY_GID=20212

 # NetAlertX app directories
 ENV NETALERTX_APP=${INSTALL_DIR}
@@ -95,11 +113,11 @@ ENV READ_WRITE_FOLDERS="${NETALERTX_DATA} ${NETALERTX_CONFIG} ${NETALERTX_DB} ${
                       ${SYSTEM_SERVICES_ACTIVE_CONFIG}"

 #Python environment
-ENV PYTHONUNBUFFERED=1 
+ENV PYTHONUNBUFFERED=1
 ENV VIRTUAL_ENV=/opt/venv
 ENV VIRTUAL_ENV_BIN=/opt/venv/bin
 ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${NETALERTX_PLUGINS}:${VIRTUAL_ENV}/lib/python3.12/site-packages
-ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH" 
+ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH"

 # App Environment
 ENV LISTEN_ADDR=0.0.0.0
@@ -110,17 +128,17 @@ ENV VENDORSPATH_NEWEST=${SYSTEM_SERVICES_RUN_TMP}/ieee-oui.txt
 ENV ENVIRONMENT=alpine
 ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly
 ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx
-ENV LANG=C.UTF-8 
+ENV LANG=C.UTF-8


-RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \
+RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap fping \
    nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \
    sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \
-    nginx supercronic shadow && \
+    nginx supercronic shadow su-exec && \
    rm -Rf /var/cache/apk/*  && \
    rm -Rf /etc/nginx && \
-    addgroup -g 20211 ${NETALERTX_GROUP} && \
-    adduser -u 20211 -D -h ${NETALERTX_APP} -G ${NETALERTX_GROUP} ${NETALERTX_USER} && \
+    addgroup -g ${NETALERTX_GID} ${NETALERTX_GROUP} && \
+    adduser -u ${NETALERTX_UID} -D -h ${NETALERTX_APP} -G ${NETALERTX_GROUP} ${NETALERTX_USER} && \
    apk del shadow


@@ -138,79 +156,91 @@ RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FO

 # Copy version information into the image
 COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION
+COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION_PREV

-# Copy the virtualenv from the builder stage
-COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
+# Copy the virtualenv from the builder stage (owned by readonly lock owner)
+COPY --from=builder --chown=${READONLY_UID}:${READONLY_GID} ${VIRTUAL_ENV} ${VIRTUAL_ENV}


 # Initialize each service with the dockerfiles/init-*.sh scripts, once.
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN if [ -f .VERSION ]; then \
-        cp .VERSION ${NETALERTX_APP}/.VERSION; \
-    else \
-        echo "DEVELOPMENT 00000000" > ${NETALERTX_APP}/.VERSION; \
-    fi && \
-    chown 20212:20212 ${NETALERTX_APP}/.VERSION && \
-    apk add libcap && \
-    setcap cap_net_raw+ep /bin/busybox && \
+# hadolint ignore=DL3018
+RUN for vfile in .VERSION .VERSION_PREV; do \
+        if [ ! -f "${NETALERTX_APP}/${vfile}" ]; then \
+            echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/${vfile}"; \
+        fi; \
+        chown ${READONLY_UID}:${READONLY_GID} "${NETALERTX_APP}/${vfile}"; \
+    done && \
+    apk add --no-cache libcap && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
    setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
    setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip $(readlink -f ${VIRTUAL_ENV_BIN}/python) && \
+    setcap cap_net_raw,cap_net_admin+eip "$(readlink -f ${VIRTUAL_ENV_BIN}/python)" && \
    /bin/sh /build/init-nginx.sh && \
    /bin/sh /build/init-php-fpm.sh && \
    /bin/sh /build/init-cron.sh && \
    /bin/sh /build/init-backend.sh && \
    rm -rf /build && \
    apk del libcap && \
-    date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
+    date +%s > "${NETALERTX_FRONT}/buildtimestamp.txt"


-ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
+ENTRYPOINT ["/bin/bash","/entrypoint.sh"]

 # Final hardened stage to improve security by setting least possible permissions and removing sudo access.
 # When complete, if the image is compromised, there's not much that can be done with it.
 # This stage is separate from Runner stage so that devcontainer can use the Runner stage.
 FROM runner AS hardened

+# Re-declare UID/GID args for this stage
+ARG NETALERTX_UID=20211
+ARG NETALERTX_GID=20211
+ARG READONLY_UID=20212
+ARG READONLY_GID=20212
+
 ENV UMASK=0077

 # Create readonly user and group with no shell access.
 # Readonly user marks folders that are created by NetAlertX, but should not be modified.
-# AI may claim this is stupid, but it's actually least possible permissions as 
+# AI may claim this is stupid, but it's actually least possible permissions as
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
-RUN addgroup -g 20212 ${READ_ONLY_GROUP} && \
-    adduser -u 20212 -G ${READ_ONLY_GROUP} -D -h /app ${READ_ONLY_USER}
+RUN addgroup -g ${READONLY_GID} "${READ_ONLY_GROUP}" && \
+    adduser -u ${READONLY_UID} -G "${READ_ONLY_GROUP}" -D -h /app "${READ_ONLY_USER}"


 # reduce permissions to minimum necessary for all NetAlertX files and folders
 # Permissions 005 and 004 are not typos, they enable read-only. Everyone can
 # read the read-only files, and nobody can write to them, even the readonly user.
+
+# hadolint ignore=SC2114
 RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 004 ${READ_ONLY_FOLDERS} && \
    find ${READ_ONLY_FOLDERS} -type d -exec chmod 005 {} + && \
-    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FOLDERS} && \
-    chown -R ${NETALERTX_USER}:${NETALERTX_GROUP} ${READ_WRITE_FOLDERS} && \
-    chmod -R 600 ${READ_WRITE_FOLDERS} && \
-    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
-    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
-    for dir in ${READ_WRITE_FOLDERS}; do \
-        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
-    done && \
+    install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 0777 ${READ_WRITE_FOLDERS} && \
+    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /root-entrypoint.sh /opt /opt/venv && \
+    chmod 005 /entrypoint.sh /root-entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
+    # Do not bake first-run artifacts into the image. If present, Docker volume copy-up
+    # will persist restrictive ownership/modes into fresh named volumes, breaking
+    # arbitrary non-root UID/GID runs.
+    rm -f \
+      "${NETALERTX_CONFIG}/app.conf" \
+      "${NETALERTX_DB_FILE}" \
+      "${NETALERTX_DB_FILE}-shm" \
+      "${NETALERTX_DB_FILE}-wal" || true && \
    apk del apk-tools && \
    rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
    /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
    /srv /media && \
-    sed -i "/^\(${READ_ONLY_USER}\|${NETALERTX_USER}\):/!d" /etc/passwd && \
-    sed -i "/^\(${READ_ONLY_GROUP}\|${NETALERTX_GROUP}\):/!d" /etc/group && \
-    echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    # Preserve root and system identities so hardened entrypoint never needs to patch /etc/passwd or /etc/group at runtime.
+    printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+USER "0"

-USER netalertx
+# Call root-entrypoint.sh which drops priviliges to run entrypoint.sh.
+ENTRYPOINT ["/root-entrypoint.sh"]

 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD /services/healthcheck.sh
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -4,7 +4,7 @@
 # treat a container as an operating system, which is an anti-pattern and a common source of
 # security issues.
 #
-# The default Dockerfile/docker-compose image contains the following security improvements 
+# The default Dockerfile/docker-compose image contains the following security improvements
 # over the Debian image:
 # - read-only filesystem
 # - no sudo access
@@ -25,7 +25,7 @@
 # - minimal base image (Alpine Linux)
 # - minimal python environment (venv, no pip)
 # - minimal stripped web server
-# - minimal stripped php environment 
+# - minimal stripped php environment
 # - minimal services (nginx, php-fpm, crond, no unnecessary services or service managers)
 # - minimal users and groups (netalertx and readonly only, no others)
 # - minimal permissions (read-only for most files and folders, write-only for necessary folders)
@@ -36,8 +36,8 @@
 # - Uses the same services as the development environment (nginx, php-fpm, crond)
 # - Uses the same environment variables as the development environment (only necessary ones, no others)
 # - Uses the same file and folder structure as the development environment (only necessary ones, no others)
-# NetAlertX is designed to be run as an unattended network security monitoring appliance, which means it 
-# should be able to operate without human intervention. Overall, the hardened image is designed to be as 
+# NetAlertX is designed to be run as an unattended network security monitoring appliance, which means it
+# should be able to operate without human intervention. Overall, the hardened image is designed to be as
 # secure as possible while still being functional and is recommended because you cannot attack a surface
 # that isn't there.

@@ -92,7 +92,7 @@ ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf

 #Python environment
 ENV PYTHONPATH=${NETALERTX_SERVER}
-ENV PYTHONUNBUFFERED=1 
+ENV PYTHONUNBUFFERED=1
 ENV VIRTUAL_ENV=/opt/venv
 ENV VIRTUAL_ENV_BIN=/opt/venv/bin
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}:/services"
@@ -107,9 +107,9 @@ ENV NETALERTX_DEBUG=0

 #Container environment
 ENV ENVIRONMENT=debian
-ENV USER=netalertx 
+ENV USER=netalertx
 ENV USER_ID=1000
-ENV USER_GID=1000 
+ENV USER_GID=1000

 # Todo, figure out why using a workdir instead of full paths don't work
 # Todo, do we still need all these packages? I can already see sudo which isn't needed
@@ -127,30 +127,34 @@ RUN groupadd --gid "${USER_GID}" "${USER}" && \
    usermod -a -G ${USER_GID} root && \
    usermod -a -G ${USER_GID} www-data

-COPY --chmod=775 --chown=${USER_ID}:${USER_GID} install/production-filesystem/ /    
+COPY --chmod=775 --chown=${USER_ID}:${USER_GID} install/production-filesystem/ /
 COPY --chmod=775 --chown=${USER_ID}:${USER_GID} . ${INSTALL_DIR}/


-# ❗ IMPORTANT - if you modify this file modify the /install/install_dependecies.debian.sh file as well ❗ 
-RUN apt update && apt-get install -y \
+# ❗ IMPORTANT - if you modify this file modify the /install/install_dependecies.debian.sh file as well ❗
+# hadolint ignore=DL3008,DL3027
+RUN apt-get update && apt-get install -y --no-install-recommends \
    tini snmp ca-certificates curl libwww-perl arp-scan sudo gettext-base \
-    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools  \
-    python3 python3-dev iproute2 nmap python3-pip zip git systemctl usbutils traceroute nbtscan openrc \
-    busybox nginx nginx-core mtr python3-venv
+    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools   \
+    python3 python3-dev iproute2 nmap fping python3-pip zip git systemctl usbutils traceroute nbtscan openrc \
+    busybox nginx nginx-core mtr python3-venv && \
+    rm -rf /var/lib/apt/lists/*

 # While php8.3 is in debian bookworm repos, php-fpm is not included so we need to add sury.org repo
 # (Ondřej Surý maintains php packages for debian. This is temp until debian includes php-fpm in their
 # repos. Likely it will be in Debian Trixie.).  This keeps the image up-to-date with the alpine version.
+# hadolint ignore=DL3008
 RUN apt-get install -y --no-install-recommends \
    apt-transport-https \
    ca-certificates \
    lsb-release \
    wget && \
-    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
+    wget -q -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
    echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list && \
    apt-get update && \
-    apt-get install -y php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
-    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 # make it compatible with alpine version
+    apt-get install -y --no-install-recommends php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
+    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 && \
+    rm -rf /var/lib/apt/lists/* # make it compatible with alpine version

 # Setup virtual python environment and use pip3 to install packages
 RUN python3 -m venv ${VIRTUAL_ENV} && \
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@

 # NetAlertX - Network, presence scanner and alert framework

-Get visibility of what's going on on your WIFI/LAN network and enable presence detection of important devices. Schedule scans for devices, port changes and get alerts if unknown devices or changes are found. Write your own [Plugin](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) with auto-generated UI and in-build notification system. Build out and easily maintain your network source of truth (NSoT) and device inventory.
+Get visibility of what's going on on your WIFI/LAN network and enable presence detection of important devices. Schedule scans for devices, port changes and get alerts if unknown devices or changes are found. Write your own [Plugin](https://docs.netalertx.com/PLUGINS#readme) with auto-generated UI and in-build notification system. Build out and easily maintain your network source of truth (NSoT) and device inventory.

 ## 📋 Table of Contents

@@ -34,23 +34,24 @@ Get visibility of what's going on on your WIFI/LAN network and enable presence d
 ## 🚀 Quick Start

 > [!WARNING]
-> ⚠️ **Important:** The documentation has been recently updated and some instructions may have changed.  
-> If you are using the currently live production image, please follow the instructions on [Docker Hub](https://hub.docker.com/r/jokobsk/netalertx) for building and running the container.  
-> These docs reflect the latest development version and may differ from the production image.
+> ⚠️ **Important:** The docker-compose has recently changed. Carefully read the [Migration guide](https://docs.netalertx.com/MIGRATION/?h=migrat#12-migration-from-netalertx-v25524) for detailed instructions.

 Start NetAlertX in seconds with Docker:

 ```bash
-docker run -d --rm --network=host \
-  -v /local_data_dir/config:/data/config \
-  -v /local_data_dir/db:/data/db \
-  -v /etc/localtime:/etc/localtime \
-  --mount type=tmpfs,target=/tmp/api \
+docker run -d \
+  --network=host \
+  --restart unless-stopped \
+  -v /local_data_dir:/data \
+  -v /etc/localtime:/etc/localtime:ro \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
  -e PORT=20211 \
-  -e APP_CONF_OVERRIDE={"GRAPHQL_PORT":"20214"} \
+  -e APP_CONF_OVERRIDE='{"GRAPHQL_PORT":"20214"}' \
  ghcr.io/jokob-sk/netalertx:latest
 ```

+Note: Your `/local_data_dir` should contain a `config` and `db` folder.
+
 To deploy a containerized instance directly from the source repository, execute the following BASH sequence:
 ```bash
 git clone https://github.com/jokob-sk/NetAlertX.git
@@ -59,17 +60,17 @@ docker compose up --force-recreate --build
 # To customize: edit docker-compose.yaml and run that last command again
 ```

-Need help configuring it? Check the [usage guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/README.md) or [full documentation](https://jokob-sk.github.io/NetAlertX/).
+Need help configuring it? Check the [usage guide](https://docs.netalertx.com/README) or [full documentation](https://docs.netalertx.com/).

 For Home Assistant users: [Click here to add NetAlertX](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgithub.com%2Falexbelgium%2Fhassio-addons)

 For other install methods, check the [installation docs](#-documentation)


-| [📑 Docker guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://jokob-sk.github.io/NetAlertX/) | [🔌 Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
-|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------| 
+| [📑 Docker guide](https://docs.netalertx.com/DOCKER_INSTALLATION) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://docs.netalertx.com/) | [🔌 Plugins](https://docs.netalertx.com/PLUGINS) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
+|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------|

-![showcase][showcase] 
+![showcase][showcase]

 <details>
  <summary>📷 Click for more screenshots</summary>
@@ -87,20 +88,20 @@ For other install methods, check the [installation docs](#-documentation)

 ### Scanners

-The app scans your network for **New devices**, **New connections** (re-connections), **Disconnections**, **"Always Connected" devices down**, Devices **IP changes** and **Internet IP address changes**. Discovery & scan methods include: **arp-scan**,  **Pi-hole - DB import**,  **Pi-hole - DHCP leases import**, **Generic DHCP leases import**, **UNIFI controller import**, **SNMP-enabled router import**. Check the [Plugins](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) docs for a full list of avaliable plugins. 
+The app scans your network for **New devices**, **New connections** (re-connections), **Disconnections**, **"Always Connected" devices down**, Devices **IP changes** and **Internet IP address changes**. Discovery & scan methods include: **arp-scan**,  **Pi-hole - DB import**,  **Pi-hole - DHCP leases import**, **Generic DHCP leases import**, **UNIFI controller import**, **SNMP-enabled router import**. Check the [Plugins](https://docs.netalertx.com/PLUGINS#readme) docs for a full list of avaliable plugins.

 ### Notification gateways

-Send notifications to more than 80+ services, including Telegram via [Apprise](https://hub.docker.com/r/caronc/apprise), or use native [Pushsafer](https://www.pushsafer.com/), [Pushover](https://www.pushover.net/), or [NTFY](https://ntfy.sh/) publishers. 
+Send notifications to more than 80+ services, including Telegram via [Apprise](https://hub.docker.com/r/caronc/apprise), or use native [Pushsafer](https://www.pushsafer.com/), [Pushover](https://www.pushover.net/), or [NTFY](https://ntfy.sh/) publishers.

 ### Integrations and Plugins

-Feed your data and device changes into [Home Assistant](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HOME_ASSISTANT.md), read [API endpoints](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md), or use [Webhooks](https://github.com/jokob-sk/NetAlertX/blob/main/docs/WEBHOOK_N8N.md) to setup custom automation flows. You can also 
-build your own scanners with the [Plugin system](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md#readme) in as little as [15 minutes](https://www.youtube.com/watch?v=cdbxlwiWhv8).
+Feed your data and device changes into [Home Assistant](https://docs.netalertx.com/HOME_ASSISTANT), read [API endpoints](https://docs.netalertx.com/API), or use [Webhooks](https://docs.netalertx.com/WEBHOOK_N8N) to setup custom automation flows. You can also
+build your own scanners with the [Plugin system](https://docs.netalertx.com/PLUGINS#readme) in as little as [15 minutes](https://www.youtube.com/watch?v=cdbxlwiWhv8).

 ### Workflows

-The [workflows module](https://github.com/jokob-sk/NetAlertX/blob/main/docs/WORKFLOWS.md) allows to automate repetitive tasks, making network management more efficient. Whether you need to assign newly discovered devices to a specific Network Node, auto-group devices from a given vendor, unarchive a device if detected online, or automatically delete devices, this module provides the flexibility to tailor the automations to your needs.
+The [workflows module](https://docs.netalertx.com/WORKFLOWS) allows to automate repetitive tasks, making network management more efficient. Whether you need to assign newly discovered devices to a specific Network Node, auto-group devices from a given vendor, unarchive a device if detected online, or automatically delete devices, this module provides the flexibility to tailor the automations to your needs.


 ## 📚 Documentation
@@ -108,15 +109,15 @@ The [workflows module](https://github.com/jokob-sk/NetAlertX/blob/main/docs/WORK

 Supported browsers: Chrome, Firefox

- [[Installation] Docker](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) 
- [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx) 
- [[Installation] Bare metal](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md) 
- [[Installation] Unraid App](https://unraid.net/community/apps) 
- [[Setup] Usage and Configuration](https://github.com/jokob-sk/NetAlertX/blob/main/docs/README.md)
- [[Development] API docs](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md)
- [[Development] Custom Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS_DEV.md)
+- [[Installation] Docker](https://docs.netalertx.com/DOCKER_INSTALLATION)
+- [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx)
+- [[Installation] Bare metal](https://docs.netalertx.com/HW_INSTALL)
+- [[Installation] Unraid App](https://unraid.net/community/apps)
+- [[Setup] Usage and Configuration](https://docs.netalertx.com/README)
+- [[Development] API docs](https://docs.netalertx.com/API)
+- [[Development] Custom Plugins](https://docs.netalertx.com/PLUGINS_DEV)

-...or explore all the [documentation here](https://jokob-sk.github.io/NetAlertX/).
+...or explore all the [documentation here](https://docs.netalertx.com/).

 ## 🔐 Security & Privacy

@@ -132,39 +133,39 @@ See [Security Best Practices](https://github.com/jokob-sk/NetAlertX/security) fo

 ## ❓ FAQ

-**Q: Why don’t I see any devices?**  
+**Q: Why don’t I see any devices?**
 A: Ensure the container has proper network access (e.g., use `--network host` on Linux). Also check that your scan method is properly configured in the UI.

-**Q: Does this work on Wi-Fi-only devices like Raspberry Pi?**  
+**Q: Does this work on Wi-Fi-only devices like Raspberry Pi?**
 A: Yes, but some scanners (e.g. ARP) work best on Ethernet. For Wi-Fi, try SNMP, DHCP, or Pi-hole import.

-**Q: Will this send any data to the internet?**  
+**Q: Will this send any data to the internet?**
 A: No. All scans and data remain local, unless you set up cloud-based notifications.

-**Q: Can I use this without Docker?**  
-A: Yes! You can install it bare-metal. See the [bare metal installation guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md).
+**Q: Can I use this without Docker?**
+A: Yes! You can install it bare-metal. See the [bare metal installation guide](https://docs.netalertx.com/HW_INSTALL).

-**Q: Where is the data stored?**  
+**Q: Where is the data stored?**
 A: In the `/data/config` and `/data/db` folders. Back up these folders regularly.


 ## 🐞 Known Issues

- Some scanners (e.g. ARP) may not detect devices on different subnets. See the [Remote networks guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/REMOTE_NETWORKS.md) for workarounds.
+- Some scanners (e.g. ARP) may not detect devices on different subnets. See the [Remote networks guide](https://docs.netalertx.com/REMOTE_NETWORKS) for workarounds.
 - Wi-Fi-only networks may require alternate scanners for accurate detection.
 - Notification throttling may be needed for large networks to prevent spam.
 - On some systems, elevated permissions (like `CAP_NET_RAW`) may be needed for low-level scanning.

-Check the [GitHub Issues](https://github.com/jokob-sk/NetAlertX/issues) for the latest bug reports and solutions and consult [the official documentation](https://jokob-sk.github.io/NetAlertX/).
+Check the [GitHub Issues](https://github.com/jokob-sk/NetAlertX/issues) for the latest bug reports and solutions and consult [the official documentation](https://docs.netalertx.com/).

 ## 📃 Everything else
 <!--- --------------------------------------------------------------------- --->

 ### 📧 Get notified what's new

-Get notified about a new release, what new functionality you can use and about breaking changes. 
+Get notified about a new release, what new functionality you can use and about breaking changes.

-![Follow and star][follow_star] 
+![Follow and star][follow_star]

 ### 🔀 Other Alternative Apps

@@ -175,15 +176,15 @@ Get notified about a new release, what new functionality you can use and about b

 ### 💙 Donations

-Thank you to everyone who appreciates this tool and donates. 
+Thank you to everyone who appreciates this tool and donates.

 <details>
  <summary>Click for more ways to donate</summary>
-  
+
  <hr>

-  | [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) | 
-| --- | --- | --- | 
+  | [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) |
+| --- | --- | --- |

  - Bitcoin: `1N8tupjeCK12qRVU2XrV17WvKK7LCawyZM`
  - Ethereum: `0x6e2749Cb42F4411bc98501406BdcD82244e3f9C7`
@@ -194,11 +195,11 @@ Thank you to everyone who appreciates this tool and donates.

 ### 🏗 Contributors

-This project would be nothing without the amazing work of the community, with special thanks to: 
+This project would be nothing without the amazing work of the community, with special thanks to:

-> [pucherot/Pi.Alert](https://github.com/pucherot/Pi.Alert) (the original creator of PiAlert), [leiweibau](https://github.com/leiweibau/Pi.Alert): Dark mode (and much more), [Macleykun](https://github.com/Macleykun) (Help with Dockerfile clean-up), [vladaurosh](https://github.com/vladaurosh) for Alpine re-base help, [Final-Hawk](https://github.com/Final-Hawk) (Help with NTFY, styling and other fixes), [TeroRERO](https://github.com/terorero) (Spanish translations), [Data-Monkey](https://github.com/Data-Monkey), (Split-up of the python.py file and more), [cvc90](https://github.com/cvc90) (Spanish translation and various UI work) to name a few. Check out all the [amazing contributors](https://github.com/jokob-sk/NetAlertX/graphs/contributors). 
+> [pucherot/Pi.Alert](https://github.com/pucherot/Pi.Alert) (the original creator of PiAlert), [leiweibau](https://github.com/leiweibau/Pi.Alert): Dark mode (and much more), [Macleykun](https://github.com/Macleykun) (Help with Dockerfile clean-up), [vladaurosh](https://github.com/vladaurosh) for Alpine re-base help, [Final-Hawk](https://github.com/Final-Hawk) (Help with NTFY, styling and other fixes), [TeroRERO](https://github.com/terorero) (Spanish translations), [Data-Monkey](https://github.com/Data-Monkey), (Split-up of the python.py file and more), [cvc90](https://github.com/cvc90) (Spanish translation and various UI work) to name a few. Check out all the [amazing contributors](https://github.com/jokob-sk/NetAlertX/graphs/contributors).

-### 🌍 Translations 
+### 🌍 Translations

 Proudly using [Weblate](https://hosted.weblate.org/projects/pialert/). Help out and suggest languages in the [online portal of Weblate](https://hosted.weblate.org/projects/pialert/core/).

--- a/back/app.conf
+++ b/back/app.conf
@@ -33,7 +33,7 @@ NSLOOKUP_RUN='before_name_updates'
 AVAHISCAN_RUN='before_name_updates'
 NBTSCAN_RUN='before_name_updates'

-# Email 
+# Email
 #-------------------------------------
 # (add SMTP to LOADED_PLUGINS to load)
 #-------------------------------------
@@ -48,20 +48,19 @@ SMTP_PASS='password'
 SMTP_SKIP_TLS=False


-# Webhook 
+# Webhook
 #-------------------------------------
 # (add WEBHOOK to LOADED_PLUGINS to load)
 #-------------------------------------
 WEBHOOK_RUN='disabled'  # use 'on_notification' to enable
 WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa'
-WEBHOOK_PAYLOAD='json'                 # webhook payload data format for the "body > attachements > text" attribute 
-                                       # in https://github.com/jokob-sk/NetAlertX/blob/main/docs/webhook_json_sample.json 
+WEBHOOK_PAYLOAD='json'                 # webhook payload data format for the "body > attachements > text" attribute
                                       #   supported values: 'json', 'html' or 'text'
                                       #   e.g.: for discord use 'html'
 WEBHOOK_REQUEST_METHOD='GET'


-# Apprise 
+# Apprise
 #-------------------------------------
 # (add APPRISE to LOADED_PLUGINS to load)
 #-------------------------------------
@@ -71,7 +70,7 @@ APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=app


 # NTFY
-#------------------------------------- 
+#-------------------------------------
 # (add NTFY to LOADED_PLUGINS to load)
 #-------------------------------------
 NTFY_RUN='disabled'  # use 'on_notification' to enable
@@ -81,7 +80,7 @@ NTFY_USER='user'
 NTFY_PASSWORD='passw0rd'


-# PUSHSAFER 
+# PUSHSAFER
 #-------------------------------------
 # (add PUSHSAFER to LOADED_PLUGINS to load)
 #-------------------------------------
@@ -89,7 +88,7 @@ PUSHSAFER_RUN='disabled'  # use 'on_notification' to enable
 PUSHSAFER_TOKEN='ApiKey'


-# MQTT 
+# MQTT
 #-------------------------------------
 # (add MQTT to LOADED_PLUGINS to load)
 #-------------------------------------
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,20 +1,24 @@
 services:
  netalertx:
-  #use an environmental variable to set host networking mode if needed
-    network_mode: ${NETALERTX_NETWORK_MODE:-host}   # Use host networking for ARP scanning and other services
+    network_mode: host   # Use host networking for ARP scanning and other services
    build:
      context: .                                    # Build context is the current directory
      dockerfile: Dockerfile                        # Specify the Dockerfile to use
    image: netalertx:latest
    container_name: netalertx                       # The name when you docker contiainer ls
    read_only: true                                 # Make the container filesystem read-only
+    
+    # It is most secure to start with user 20211, but then we lose provisioning capabilities.
+    # user: "${NETALERTX_UID:-20211}:${NETALERTX_GID:-20211}"
    cap_drop:                                       # Drop all capabilities for enhanced security
      - ALL
    cap_add:                                        # Add only the necessary capabilities
-      - NET_ADMIN                                   # Required for ARP scanning
-      - NET_RAW                                     # Required for raw socket operations
-      - NET_BIND_SERVICE                            # Required to bind to privileged ports (nbtscan)
-
+      - NET_ADMIN                                   # Required for scanning with arp-scan, nmap, nbtscan, traceroute, and zero-conf
+      - NET_RAW                                     # Required for raw socket operations with arp-scan, nmap, nbtscan, traceroute and zero-conf
+      - NET_BIND_SERVICE                            # Required to bind to privileged ports with nbtscan
+      - CHOWN                                       # Required for root-entrypoint to chown /data + /tmp before dropping privileges
+      - SETUID                                      # Required for root-entrypoint to switch to non-root user
+      - SETGID                                      # Required for root-entrypoint to switch to non-root group                  
    volumes:

      - type: volume                                # Persistent Docker-managed Named Volume for storage
@@ -35,22 +39,23 @@ services:
        target: /etc/localtime
        read_only: true

-  # Use a custom Enterprise-configured nginx config for ldap or other settings
-  # - /custom-enterprise.conf:/tmp/nginx/active-config/netalertx.conf:ro
+    # Use a custom Enterprise-configured nginx config for ldap or other settings
+    # - /custom-enterprise.conf:/tmp/nginx/active-config/netalertx.conf:ro

-      # Test your plugin on the production container
-      # - /path/on/host:/app/front/plugins/custom
+    # Test your plugin on the production container
+    # - /path/on/host:/app/front/plugins/custom

-  # Retain logs - comment out tmpfs /tmp/log if you want to retain logs between container restarts
-  # - /path/on/host/log:/tmp/log
+    # Retain logs - comment out tmpfs /tmp/log if you want to retain logs between container restarts
+    # - /path/on/host/log:/tmp/log

    # tmpfs mounts for writable directories in a read-only container and improve system performance
    # All writes now live under /tmp/* subdirectories which are created dynamically by entrypoint.d scripts
-    # uid=20211 and gid=20211 is the netalertx user inside the container
-    # mode=1700 gives rwx------ permissions to the netalertx user only
+    # mode=1700 gives rwx------ permissions; ownership is set by /root-entrypoint.sh
    tmpfs:
-      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      - "/tmp:mode=1700,uid=0,gid=0,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
+      PUID: ${NETALERTX_UID:-20211}                             # Runtime UID after priming (Synology/no-copy-up safe)
+      PGID: ${NETALERTX_GID:-20211}                             # Runtime GID after priming (Synology/no-copy-up safe)
      LISTEN_ADDR: ${LISTEN_ADDR:-0.0.0.0}                      # Listen for connections on all interfaces
      PORT: ${PORT:-20211}                                      # Application port
      GRAPHQL_PORT: ${GRAPHQL_PORT:-20212}                      # GraphQL API port
@@ -63,7 +68,6 @@ services:
    cpu_shares: 512             # Relative CPU weight for CPU contention scenarios
    pids_limit: 512             # Limit the number of processes/threads to prevent fork bombs
    logging:
-      driver: "json-file"       # Use JSON file logging driver
      options:
        max-size: "10m"         # Rotate log files after they reach 10MB
        max-file: "3"           # Keep a maximum of 3 log files
--- a/docker_build.log
+++ b/docker_build.log
@@ -1,534 +1,74 @@
 #0 building with "default" instance using docker driver

 #1 [internal] load build definition from Dockerfile
-#1 transferring dockerfile: 5.29kB done
+#1 DONE 0.0s
+
+#1 [internal] load build definition from Dockerfile
+#1 transferring dockerfile: 11.45kB done
 #1 DONE 0.1s

-#2 [auth] library/alpine:pull token for registry-1.docker.io
+#2 [internal] load metadata for docker.io/library/alpine:3.22
 #2 DONE 0.0s

-#3 [internal] load metadata for docker.io/library/alpine:3.22
-#3 DONE 0.4s
+#3 [internal] load .dockerignore
+#3 transferring context:
+#3 transferring context: 222B done
+#3 DONE 0.1s

-#4 [internal] load .dockerignore
-#4 transferring context: 216B done
-#4 DONE 0.1s
+#4 [builder 1/4] FROM docker.io/library/alpine:3.22
+#4 DONE 0.0s

-#5 [builder  1/15] FROM docker.io/library/alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
-#5 CACHED
+#5 [internal] load build context
+#5 transferring context: 46.63kB 0.1s done
+#5 DONE 0.2s

-#6 [internal] load build context
-#6 transferring context: 36.76kB 0.0s done
-#6 DONE 0.1s
+#6 [builder 3/4] RUN apk add --no-cache         bash         shadow         python3         python3-dev         gcc         musl-dev         libffi-dev         openssl-dev         git         rust         cargo     && python -m venv /opt/venv
+#6 CACHED

-#7 [builder  2/15] RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git     && python -m venv /opt/venv
-#7 0.443 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
-#7 0.688 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
-#7 1.107 (1/52) Upgrading libcrypto3 (3.5.1-r0 -> 3.5.3-r0)
-#7 1.358 (2/52) Upgrading libssl3 (3.5.1-r0 -> 3.5.3-r0)
-#7 1.400 (3/52) Installing ncurses-terminfo-base (6.5_p20250503-r0)
-#7 1.413 (4/52) Installing libncursesw (6.5_p20250503-r0)
-#7 1.444 (5/52) Installing readline (8.2.13-r1)
-#7 1.471 (6/52) Installing bash (5.2.37-r0)
-#7 1.570 Executing bash-5.2.37-r0.post-install
-#7 1.593 (7/52) Installing libgcc (14.2.0-r6)
-#7 1.605 (8/52) Installing jansson (2.14.1-r0)
-#7 1.613 (9/52) Installing libstdc++ (14.2.0-r6)
-#7 1.705 (10/52) Installing zstd-libs (1.5.7-r0)
-#7 1.751 (11/52) Installing binutils (2.44-r3)
-#7 2.041 (12/52) Installing libgomp (14.2.0-r6)
-#7 2.064 (13/52) Installing libatomic (14.2.0-r6)
-#7 2.071 (14/52) Installing gmp (6.3.0-r3)
-#7 2.097 (15/52) Installing isl26 (0.26-r1)
-#7 2.183 (16/52) Installing mpfr4 (4.2.1_p1-r0)
-#7 2.219 (17/52) Installing mpc1 (1.3.1-r1)
-#7 2.231 (18/52) Installing gcc (14.2.0-r6)
-#7 6.782 (19/52) Installing brotli-libs (1.1.0-r2)
-#7 6.828 (20/52) Installing c-ares (1.34.5-r0)
-#7 6.846 (21/52) Installing libunistring (1.3-r0)
-#7 6.919 (22/52) Installing libidn2 (2.3.7-r0)
-#7 6.937 (23/52) Installing nghttp2-libs (1.65.0-r0)
-#7 6.950 (24/52) Installing libpsl (0.21.5-r3)
-#7 6.960 (25/52) Installing libcurl (8.14.1-r1)
-#7 7.015 (26/52) Installing libexpat (2.7.2-r0)
-#7 7.029 (27/52) Installing pcre2 (10.43-r1)
-#7 7.069 (28/52) Installing git (2.49.1-r0)
-#7 7.397 (29/52) Installing git-init-template (2.49.1-r0)
-#7 7.404 (30/52) Installing linux-headers (6.14.2-r0)
-#7 7.572 (31/52) Installing libffi (3.4.8-r0)
-#7 7.578 (32/52) Installing pkgconf (2.4.3-r0)
-#7 7.593 (33/52) Installing libffi-dev (3.4.8-r0)
-#7 7.607 (34/52) Installing musl-dev (1.2.5-r10)
-#7 7.961 (35/52) Installing openssl-dev (3.5.3-r0)
-#7 8.021 (36/52) Installing libbz2 (1.0.8-r6)
-#7 8.045 (37/52) Installing gdbm (1.24-r0)
-#7 8.055 (38/52) Installing xz-libs (5.8.1-r0)
-#7 8.071 (39/52) Installing mpdecimal (4.0.1-r0)
-#7 8.090 (40/52) Installing libpanelw (6.5_p20250503-r0)
-#7 8.098 (41/52) Installing sqlite-libs (3.49.2-r1)
-#7 8.185 (42/52) Installing python3 (3.12.11-r0)
-#7 8.904 (43/52) Installing python3-pycache-pyc0 (3.12.11-r0)
-#7 9.292 (44/52) Installing pyc (3.12.11-r0)
-#7 9.292 (45/52) Installing python3-pyc (3.12.11-r0)
-#7 9.292 (46/52) Installing python3-dev (3.12.11-r0)
-#7 10.71 (47/52) Installing libmd (1.1.0-r0)
-#7 10.72 (48/52) Installing libbsd (0.12.2-r0)
-#7 10.73 (49/52) Installing skalibs-libs (2.14.4.0-r0)
-#7 10.75 (50/52) Installing utmps-libs (0.1.3.1-r0)
-#7 10.76 (51/52) Installing linux-pam (1.7.0-r4)
-#7 10.82 (52/52) Installing shadow (4.17.3-r0)
-#7 10.88 Executing busybox-1.37.0-r18.trigger
-#7 10.90 OK: 274 MiB in 66 packages
-#7 DONE 14.4s
+#7 [runner  6/11] COPY --chown=netalertx:netalertx --chmod=755 server /app/server
+#7 CACHED

-#8 [builder  3/15] RUN mkdir -p /app
-#8 DONE 0.5s
+#8 [runner  5/11] COPY --chown=netalertx:netalertx --chmod=755 front /app/front
+#8 CACHED

-#9 [builder  4/15] COPY api /app/api
-#9 DONE 0.3s
+#9 [runner  2/11] RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap     nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates     sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst     nginx supercronic shadow su-exec &&     rm -Rf /var/cache/apk/*  &&     rm -Rf /etc/nginx &&     addgroup -g 20211 netalertx &&     adduser -u 20211 -D -h /app -G netalertx netalertx &&     apk del shadow
+#9 CACHED

-#10 [builder  5/15] COPY back /app/back
-#10 DONE 0.3s
+#10 [runner  4/11] COPY --chown=netalertx:netalertx --chmod=755 back /app/back
+#10 CACHED

-#11 [builder  6/15] COPY config /app/config
-#11 DONE 0.3s
+#11 [builder 2/4] COPY requirements.txt /tmp/requirements.txt
+#11 CACHED

-#12 [builder  7/15] COPY db /app/db
-#12 DONE 0.3s
+#12 [runner  7/11] RUN install -d -o netalertx -g netalertx -m 700 /data /data/config /data/db /tmp/api                        /tmp/log /tmp/log/plugins /tmp/run                        /tmp/run/tmp /tmp/run/logs                        /tmp/nginx/active-config &&     sh -c "find /app -type f \( -name '*.sh' -o -name 'speedtest-cli' \)     -exec chmod 750 {} \;"
+#12 CACHED

-#13 [builder  8/15] COPY dockerfiles /app/dockerfiles
-#13 DONE 0.3s
+#13 [hardened 1/2] RUN addgroup -g 20212 "readonly" &&     adduser -u 20212 -G "readonly" -D -h /app "readonly"
+#13 CACHED

-#14 [builder  9/15] COPY front /app/front
-#14 DONE 0.4s
+#14 [runner  8/11] COPY --chown=netalertx:netalertx .[V]ERSION /app/.VERSION
+#14 CACHED

-#15 [builder 10/15] COPY server /app/server
-#15 DONE 0.3s
+#15 [runner  9/11] COPY --chown=netalertx:netalertx .[V]ERSION /app/.VERSION_PREV
+#15 CACHED

-#16 [builder 11/15] COPY install/crontab /etc/crontabs/root
-#16 DONE 0.3s
+#16 [runner 11/11] RUN for vfile in .VERSION .VERSION_PREV; do         if [ ! -f "/app/${vfile}" ]; then             echo "DEVELOPMENT 00000000" > "/app/${vfile}";         fi;         chown 20212:20212 "/app/${vfile}";     done &&     apk add --no-cache libcap &&     setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap &&     setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan &&     setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan &&     setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute &&     setcap cap_net_raw,cap_net_admin+eip "$(readlink -f /opt/venv/bin/python)" &&     /bin/sh /build/init-nginx.sh &&     /bin/sh /build/init-php-fpm.sh &&     /bin/sh /build/init-cron.sh &&     /bin/sh /build/init-backend.sh &&     rm -rf /build &&     apk del libcap &&     date +%s > "/app/front/buildtimestamp.txt"
+#16 CACHED

-#17 [builder 12/15] COPY dockerfiles/start* /start*.sh
-#17 DONE 0.3s
+#17 [builder 4/4] RUN python -m pip install --no-cache-dir --upgrade pip setuptools wheel &&     pip install --prefer-binary --no-cache-dir -r /tmp/requirements.txt &&     chmod -R u-rwx,g-rwx /opt
+#17 CACHED

-#18 [builder 13/15] RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag git+https://github.com/foreign-sub/aiofreepybox.git
-#18 0.737 Collecting git+https://github.com/foreign-sub/aiofreepybox.git
-#18 0.737   Cloning https://github.com/foreign-sub/aiofreepybox.git to /tmp/pip-req-build-waf5_npl
-#18 0.738   Running command git clone --filter=blob:none --quiet https://github.com/foreign-sub/aiofreepybox.git /tmp/pip-req-build-waf5_npl
-#18 1.617   Resolved https://github.com/foreign-sub/aiofreepybox.git to commit 4ee18ea0f3e76edc839c48eb8df1da59c1baee3d
-#18 1.620   Installing build dependencies: started
-#18 3.337   Installing build dependencies: finished with status 'done'
-#18 3.337   Getting requirements to build wheel: started
-#18 3.491   Getting requirements to build wheel: finished with status 'done'
-#18 3.492   Preparing metadata (pyproject.toml): started
-#18 3.650   Preparing metadata (pyproject.toml): finished with status 'done'
-#18 3.724 Collecting openwrt-luci-rpc
-#18 3.753   Downloading openwrt_luci_rpc-1.1.17-py2.py3-none-any.whl.metadata (4.9 kB)
-#18 3.892 Collecting asusrouter
-#18 3.900   Downloading asusrouter-1.21.0-py3-none-any.whl.metadata (33 kB)
-#18 3.999 Collecting asyncio
-#18 4.007   Downloading asyncio-4.0.0-py3-none-any.whl.metadata (994 bytes)
-#18 4.576 Collecting aiohttp
-#18 4.582   Downloading aiohttp-3.12.15-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (7.7 kB)
-#18 4.729 Collecting graphene
-#18 4.735   Downloading graphene-3.4.3-py2.py3-none-any.whl.metadata (6.9 kB)
-#18 4.858 Collecting flask
-#18 4.866   Downloading flask-3.1.2-py3-none-any.whl.metadata (3.2 kB)
-#18 4.963 Collecting flask-cors
-#18 4.972   Downloading flask_cors-6.0.1-py3-none-any.whl.metadata (5.3 kB)
-#18 5.055 Collecting unifi-sm-api
-#18 5.065   Downloading unifi_sm_api-0.2.1-py3-none-any.whl.metadata (2.3 kB)
-#18 5.155 Collecting tplink-omada-client
-#18 5.166   Downloading tplink_omada_client-1.4.4-py3-none-any.whl.metadata (3.5 kB)
-#18 5.262 Collecting wakeonlan
-#18 5.274   Downloading wakeonlan-3.1.0-py3-none-any.whl.metadata (4.3 kB)
-#18 5.500 Collecting pycryptodome
-#18 5.505   Downloading pycryptodome-3.23.0-cp37-abi3-musllinux_1_2_x86_64.whl.metadata (3.4 kB)
-#18 5.653 Collecting requests
-#18 5.660   Downloading requests-2.32.5-py3-none-any.whl.metadata (4.9 kB)
-#18 5.764 Collecting paho-mqtt
-#18 5.775   Downloading paho_mqtt-2.1.0-py3-none-any.whl.metadata (23 kB)
-#18 5.890 Collecting scapy
-#18 5.902   Downloading scapy-2.6.1-py3-none-any.whl.metadata (5.6 kB)
-#18 6.002 Collecting cron-converter
-#18 6.013   Downloading cron_converter-1.2.2-py3-none-any.whl.metadata (8.1 kB)
-#18 6.187 Collecting pytz
-#18 6.193   Downloading pytz-2025.2-py2.py3-none-any.whl.metadata (22 kB)
-#18 6.285 Collecting json2table
-#18 6.294   Downloading json2table-1.1.5-py2.py3-none-any.whl.metadata (6.0 kB)
-#18 6.381 Collecting dhcp-leases
-#18 6.387   Downloading dhcp_leases-0.1.6-py3-none-any.whl.metadata (5.9 kB)
-#18 6.461 Collecting pyunifi
-#18 6.471   Downloading pyunifi-2.21-py3-none-any.whl.metadata (274 bytes)
-#18 6.582 Collecting speedtest-cli
-#18 6.596   Downloading speedtest_cli-2.1.3-py2.py3-none-any.whl.metadata (6.8 kB)
-#18 6.767 Collecting chardet
-#18 6.780   Downloading chardet-5.2.0-py3-none-any.whl.metadata (3.4 kB)
-#18 6.878 Collecting python-nmap
-#18 6.886   Downloading python-nmap-0.7.1.tar.gz (44 kB)
-#18 6.937   Installing build dependencies: started
-#18 8.245   Installing build dependencies: finished with status 'done'
-#18 8.246   Getting requirements to build wheel: started
-#18 8.411   Getting requirements to build wheel: finished with status 'done'
-#18 8.412   Preparing metadata (pyproject.toml): started
-#18 8.575   Preparing metadata (pyproject.toml): finished with status 'done'
-#18 8.648 Collecting dnspython
-#18 8.654   Downloading dnspython-2.8.0-py3-none-any.whl.metadata (5.7 kB)
-#18 8.741 Collecting librouteros
-#18 8.752   Downloading librouteros-3.4.1-py3-none-any.whl.metadata (1.6 kB)
-#18 8.869 Collecting yattag
-#18 8.881   Downloading yattag-1.16.1.tar.gz (29 kB)
-#18 8.925   Installing build dependencies: started
-#18 10.23   Installing build dependencies: finished with status 'done'
-#18 10.23   Getting requirements to build wheel: started
-#18 10.38   Getting requirements to build wheel: finished with status 'done'
-#18 10.39   Preparing metadata (pyproject.toml): started
-#18 10.55   Preparing metadata (pyproject.toml): finished with status 'done'
-#18 10.60 Collecting Click>=6.0 (from openwrt-luci-rpc)
-#18 10.60   Downloading click-8.3.0-py3-none-any.whl.metadata (2.6 kB)
-#18 10.70 Collecting packaging>=19.1 (from openwrt-luci-rpc)
-#18 10.71   Downloading packaging-25.0-py3-none-any.whl.metadata (3.3 kB)
-#18 10.87 Collecting urllib3>=1.26.14 (from asusrouter)
-#18 10.88   Downloading urllib3-2.5.0-py3-none-any.whl.metadata (6.5 kB)
-#18 10.98 Collecting xmltodict>=0.12.0 (from asusrouter)
-#18 10.98   Downloading xmltodict-1.0.2-py3-none-any.whl.metadata (15 kB)
-#18 11.09 Collecting aiohappyeyeballs>=2.5.0 (from aiohttp)
-#18 11.10   Downloading aiohappyeyeballs-2.6.1-py3-none-any.whl.metadata (5.9 kB)
-#18 11.19 Collecting aiosignal>=1.4.0 (from aiohttp)
-#18 11.20   Downloading aiosignal-1.4.0-py3-none-any.whl.metadata (3.7 kB)
-#18 11.32 Collecting attrs>=17.3.0 (from aiohttp)
-#18 11.33   Downloading attrs-25.3.0-py3-none-any.whl.metadata (10 kB)
-#18 11.47 Collecting frozenlist>=1.1.1 (from aiohttp)
-#18 11.47   Downloading frozenlist-1.7.0-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (18 kB)
-#18 11.76 Collecting multidict<7.0,>=4.5 (from aiohttp)
-#18 11.77   Downloading multidict-6.6.4-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (5.3 kB)
-#18 11.87 Collecting propcache>=0.2.0 (from aiohttp)
-#18 11.88   Downloading propcache-0.3.2-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (12 kB)
-#18 12.19 Collecting yarl<2.0,>=1.17.0 (from aiohttp)
-#18 12.20   Downloading yarl-1.20.1-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (73 kB)
-#18 12.31 Collecting graphql-core<3.3,>=3.1 (from graphene)
-#18 12.32   Downloading graphql_core-3.2.6-py3-none-any.whl.metadata (11 kB)
-#18 12.41 Collecting graphql-relay<3.3,>=3.1 (from graphene)
-#18 12.42   Downloading graphql_relay-3.2.0-py3-none-any.whl.metadata (12 kB)
-#18 12.50 Collecting python-dateutil<3,>=2.7.0 (from graphene)
-#18 12.51   Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl.metadata (8.4 kB)
-#18 12.61 Collecting typing-extensions<5,>=4.7.1 (from graphene)
-#18 12.61   Downloading typing_extensions-4.15.0-py3-none-any.whl.metadata (3.3 kB)
-#18 12.71 Collecting blinker>=1.9.0 (from flask)
-#18 12.72   Downloading blinker-1.9.0-py3-none-any.whl.metadata (1.6 kB)
-#18 12.84 Collecting itsdangerous>=2.2.0 (from flask)
-#18 12.85   Downloading itsdangerous-2.2.0-py3-none-any.whl.metadata (1.9 kB)
-#18 12.97 Collecting jinja2>=3.1.2 (from flask)
-#18 12.98   Downloading jinja2-3.1.6-py3-none-any.whl.metadata (2.9 kB)
-#18 13.15 Collecting markupsafe>=2.1.1 (from flask)
-#18 13.15   Downloading MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (4.0 kB)
-#18 13.28 Collecting werkzeug>=3.1.0 (from flask)
-#18 13.29   Downloading werkzeug-3.1.3-py3-none-any.whl.metadata (3.7 kB)
-#18 13.42 Collecting awesomeversion>=22.9.0 (from tplink-omada-client)
-#18 13.42   Downloading awesomeversion-25.8.0-py3-none-any.whl.metadata (9.8 kB)
-#18 13.59 Collecting charset_normalizer<4,>=2 (from requests)
-#18 13.59   Downloading charset_normalizer-3.4.3-cp312-cp312-musllinux_1_2_x86_64.whl.metadata (36 kB)
-#18 13.77 Collecting idna<4,>=2.5 (from requests)
-#18 13.78   Downloading idna-3.10-py3-none-any.whl.metadata (10 kB)
-#18 13.94 Collecting certifi>=2017.4.17 (from requests)
-#18 13.94   Downloading certifi-2025.8.3-py3-none-any.whl.metadata (2.4 kB)
-#18 14.06 Collecting toml<0.11.0,>=0.10.2 (from librouteros)
-#18 14.07   Downloading toml-0.10.2-py2.py3-none-any.whl.metadata (7.1 kB)
-#18 14.25 Collecting six>=1.5 (from python-dateutil<3,>=2.7.0->graphene)
-#18 14.26   Downloading six-1.17.0-py2.py3-none-any.whl.metadata (1.7 kB)
-#18 14.33 Downloading openwrt_luci_rpc-1.1.17-py2.py3-none-any.whl (9.5 kB)
-#18 14.37 Downloading asusrouter-1.21.0-py3-none-any.whl (131 kB)
-#18 14.43 Downloading asyncio-4.0.0-py3-none-any.whl (5.6 kB)
-#18 14.47 Downloading aiohttp-3.12.15-cp312-cp312-musllinux_1_2_x86_64.whl (1.7 MB)
-#18 14.67    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.7/1.7 MB 8.3 MB/s eta 0:00:00
-#18 14.68 Downloading graphene-3.4.3-py2.py3-none-any.whl (114 kB)
-#18 14.73 Downloading flask-3.1.2-py3-none-any.whl (103 kB)
-#18 14.78 Downloading flask_cors-6.0.1-py3-none-any.whl (13 kB)
-#18 14.84 Downloading unifi_sm_api-0.2.1-py3-none-any.whl (16 kB)
-#18 14.88 Downloading tplink_omada_client-1.4.4-py3-none-any.whl (46 kB)
-#18 14.93 Downloading wakeonlan-3.1.0-py3-none-any.whl (5.0 kB)
-#18 14.99 Downloading pycryptodome-3.23.0-cp37-abi3-musllinux_1_2_x86_64.whl (2.3 MB)
-#18 15.23    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.3/2.3 MB 8.9 MB/s eta 0:00:00
-#18 15.24 Downloading requests-2.32.5-py3-none-any.whl (64 kB)
-#18 15.30 Downloading paho_mqtt-2.1.0-py3-none-any.whl (67 kB)
-#18 15.34 Downloading scapy-2.6.1-py3-none-any.whl (2.4 MB)
-#18 15.62    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.4/2.4 MB 8.5 MB/s eta 0:00:00
-#18 15.63 Downloading cron_converter-1.2.2-py3-none-any.whl (13 kB)
-#18 15.67 Downloading pytz-2025.2-py2.py3-none-any.whl (509 kB)
-#18 15.76 Downloading json2table-1.1.5-py2.py3-none-any.whl (8.7 kB)
-#18 15.81 Downloading dhcp_leases-0.1.6-py3-none-any.whl (11 kB)
-#18 15.86 Downloading pyunifi-2.21-py3-none-any.whl (11 kB)
-#18 15.90 Downloading speedtest_cli-2.1.3-py2.py3-none-any.whl (23 kB)
-#18 15.95 Downloading chardet-5.2.0-py3-none-any.whl (199 kB)
-#18 16.01 Downloading dnspython-2.8.0-py3-none-any.whl (331 kB)
-#18 16.10 Downloading librouteros-3.4.1-py3-none-any.whl (16 kB)
-#18 16.14 Downloading aiohappyeyeballs-2.6.1-py3-none-any.whl (15 kB)
-#18 16.20 Downloading aiosignal-1.4.0-py3-none-any.whl (7.5 kB)
-#18 16.24 Downloading attrs-25.3.0-py3-none-any.whl (63 kB)
-#18 16.30 Downloading awesomeversion-25.8.0-py3-none-any.whl (15 kB)
-#18 16.34 Downloading blinker-1.9.0-py3-none-any.whl (8.5 kB)
-#18 16.39 Downloading certifi-2025.8.3-py3-none-any.whl (161 kB)
-#18 16.45 Downloading charset_normalizer-3.4.3-cp312-cp312-musllinux_1_2_x86_64.whl (153 kB)
-#18 16.50 Downloading click-8.3.0-py3-none-any.whl (107 kB)
-#18 16.55 Downloading frozenlist-1.7.0-cp312-cp312-musllinux_1_2_x86_64.whl (237 kB)
-#18 16.62 Downloading graphql_core-3.2.6-py3-none-any.whl (203 kB)
-#18 16.69 Downloading graphql_relay-3.2.0-py3-none-any.whl (16 kB)
-#18 16.73 Downloading idna-3.10-py3-none-any.whl (70 kB)
-#18 16.79 Downloading itsdangerous-2.2.0-py3-none-any.whl (16 kB)
-#18 16.84 Downloading jinja2-3.1.6-py3-none-any.whl (134 kB)
-#18 16.96 Downloading MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_x86_64.whl (23 kB)
-#18 17.02 Downloading multidict-6.6.4-cp312-cp312-musllinux_1_2_x86_64.whl (251 kB)
-#18 17.09 Downloading packaging-25.0-py3-none-any.whl (66 kB)
-#18 17.14 Downloading propcache-0.3.2-cp312-cp312-musllinux_1_2_x86_64.whl (222 kB)
-#18 17.21 Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl (229 kB)
-#18 17.28 Downloading toml-0.10.2-py2.py3-none-any.whl (16 kB)
-#18 17.33 Downloading typing_extensions-4.15.0-py3-none-any.whl (44 kB)
-#18 17.39 Downloading urllib3-2.5.0-py3-none-any.whl (129 kB)
-#18 17.44 Downloading werkzeug-3.1.3-py3-none-any.whl (224 kB)
-#18 17.51 Downloading xmltodict-1.0.2-py3-none-any.whl (13 kB)
-#18 17.56 Downloading yarl-1.20.1-cp312-cp312-musllinux_1_2_x86_64.whl (374 kB)
-#18 17.65 Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)
-#18 17.77 Building wheels for collected packages: python-nmap, yattag, aiofreepybox
-#18 17.77   Building wheel for python-nmap (pyproject.toml): started
-#18 17.95   Building wheel for python-nmap (pyproject.toml): finished with status 'done'
-#18 17.96   Created wheel for python-nmap: filename=python_nmap-0.7.1-py2.py3-none-any.whl size=20679 sha256=ecd9b14109651cfaa5bf035f90076b9442985cc254fa5f8a49868fc896e86edb
-#18 17.96   Stored in directory: /root/.cache/pip/wheels/06/fc/d4/0957e1d9942e696188208772ea0abf909fe6eb3d9dff6e5a9e
-#18 17.96   Building wheel for yattag (pyproject.toml): started
-#18 18.14   Building wheel for yattag (pyproject.toml): finished with status 'done'
-#18 18.14   Created wheel for yattag: filename=yattag-1.16.1-py3-none-any.whl size=15930 sha256=2135fc2034a3847c81eb6a0d7b85608e8272339fa5c1961f87b02dfe6d74d0ad
-#18 18.14   Stored in directory: /root/.cache/pip/wheels/d2/2f/52/049ff4f7c8c9c932b2ece7ec800d7facf2a141ac5ab0ce7e51
-#18 18.15   Building wheel for aiofreepybox (pyproject.toml): started
-#18 18.36   Building wheel for aiofreepybox (pyproject.toml): finished with status 'done'
-#18 18.36   Created wheel for aiofreepybox: filename=aiofreepybox-6.0.0-py3-none-any.whl size=60051 sha256=dbdee5350b10b6550ede50bc779381b7f39f1e5d5da889f2ee98cb5a869d3425
-#18 18.36   Stored in directory: /tmp/pip-ephem-wheel-cache-93bgc4e2/wheels/3c/d3/ae/fb97a84a29a5fbe8517de58d67e66586505440af35981e0dd3
-#18 18.36 Successfully built python-nmap yattag aiofreepybox
-#18 18.45 Installing collected packages: yattag, speedtest-cli, pytz, python-nmap, json2table, dhcp-leases, xmltodict, wakeonlan, urllib3, typing-extensions, toml, six, scapy, pycryptodome, propcache, paho-mqtt, packaging, multidict, markupsafe, itsdangerous, idna, graphql-core, frozenlist, dnspython, Click, charset_normalizer, chardet, certifi, blinker, awesomeversion, attrs, asyncio, aiohappyeyeballs, yarl, werkzeug, requests, python-dateutil, librouteros, jinja2, graphql-relay, aiosignal, unifi-sm-api, pyunifi, openwrt-luci-rpc, graphene, flask, cron-converter, aiohttp, tplink-omada-client, flask-cors, asusrouter, aiofreepybox
-#18 24.35 Successfully installed Click-8.3.0 aiofreepybox-6.0.0 aiohappyeyeballs-2.6.1 aiohttp-3.12.15 aiosignal-1.4.0 asusrouter-1.21.0 asyncio-4.0.0 attrs-25.3.0 awesomeversion-25.8.0 blinker-1.9.0 certifi-2025.8.3 chardet-5.2.0 charset_normalizer-3.4.3 cron-converter-1.2.2 dhcp-leases-0.1.6 dnspython-2.8.0 flask-3.1.2 flask-cors-6.0.1 frozenlist-1.7.0 graphene-3.4.3 graphql-core-3.2.6 graphql-relay-3.2.0 idna-3.10 itsdangerous-2.2.0 jinja2-3.1.6 json2table-1.1.5 librouteros-3.4.1 markupsafe-3.0.2 multidict-6.6.4 openwrt-luci-rpc-1.1.17 packaging-25.0 paho-mqtt-2.1.0 propcache-0.3.2 pycryptodome-3.23.0 python-dateutil-2.9.0.post0 python-nmap-0.7.1 pytz-2025.2 pyunifi-2.21 requests-2.32.5 scapy-2.6.1 six-1.17.0 speedtest-cli-2.1.3 toml-0.10.2 tplink-omada-client-1.4.4 typing-extensions-4.15.0 unifi-sm-api-0.2.1 urllib3-2.5.0 wakeonlan-3.1.0 werkzeug-3.1.3 xmltodict-1.0.2 yarl-1.20.1 yattag-1.16.1
-#18 24.47 
-#18 24.47 [notice] A new release of pip is available: 25.0.1 -> 25.2
-#18 24.47 [notice] To update, run: pip install --upgrade pip
-#18 DONE 25.1s
+#18 [runner 10/11] COPY --from=builder --chown=20212:20212 /opt/venv /opt/venv
+#18 CACHED

-#19 [builder 14/15] RUN bash -c "find /app -type d -exec chmod 750 {} \;"     && bash -c "find /app -type f -exec chmod 640 {} \;"     && bash -c "find /app -type f \( -name '*.sh' -o -name '*.py'  -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
-#19 DONE 11.9s
+#19 [runner  3/11] COPY --chown=netalertx:netalertx install/production-filesystem/ /
+#19 CACHED

-#20 [builder 15/15] COPY install/freebox_certificate.pem /opt/venv/lib/python3.12/site-packages/aiofreepybox/freebox_certificates.pem
-#20 DONE 0.4s
+#20 [hardened 2/2] RUN chown -R readonly:readonly /app/back /app/front /app/server /services                        /services/config /entrypoint.d &&     chmod -R 004 /app/back /app/front /app/server /services                        /services/config /entrypoint.d &&     find /app/back /app/front /app/server /services                        /services/config /entrypoint.d -type d -exec chmod 005 {} + &&     install -d -o netalertx -g netalertx -m 0777 /data /data/config /data/db /tmp/api                        /tmp/log /tmp/log/plugins /tmp/run                        /tmp/run/tmp /tmp/run/logs                        /tmp/nginx/active-config &&     chown readonly:readonly /entrypoint.sh /root-entrypoint.sh /opt /opt/venv &&     chmod 005 /entrypoint.sh /root-entrypoint.sh /services/*.sh /services/scripts/* /entrypoint.d/* /app /opt /opt/venv &&     rm -f       "/data/config/app.conf"       "/data/db/app.db"       "/data/db/app.db-shm"       "/data/db/app.db-wal" || true &&     apk del apk-tools &&     rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers     /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root     /srv /media &&     printf '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+#20 CACHED

-#21 [runner  2/14] COPY --from=builder /opt/venv /opt/venv
-#21 DONE 0.8s
-
-#22 [runner  3/14] COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
-#22 DONE 0.4s
-
-#23 [runner  4/14] RUN apk update --no-cache     && apk add --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata s6-overlay     && apk add --no-cache curl arp-scan iproute2 iproute2-ss nmap nmap-scripts traceroute nbtscan avahi avahi-tools openrc dbus net-tools net-snmp-tools bind-tools awake ca-certificates     && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session     && apk add --no-cache python3 nginx     && ln -s /usr/bin/awake /usr/bin/wakeonlan     && bash -c "install -d -m 750 -o nginx -g www-data /app /app"     && rm -f /etc/nginx/http.d/default.conf
-#23 0.487 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
-#23 0.696 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
-#23 1.156 v3.22.1-472-ga67443520d6 [https://dl-cdn.alpinelinux.org/alpine/v3.22/main]
-#23 1.156 v3.22.1-473-gcd551a4e006 [https://dl-cdn.alpinelinux.org/alpine/v3.22/community]
-#23 1.156 OK: 26326 distinct packages available
-#23 1.195 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
-#23 1.276 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
-#23 1.568 (1/38) Installing ncurses-terminfo-base (6.5_p20250503-r0)
-#23 1.580 (2/38) Installing libncursesw (6.5_p20250503-r0)
-#23 1.629 (3/38) Installing readline (8.2.13-r1)
-#23 1.659 (4/38) Installing bash (5.2.37-r0)
-#23 1.723 Executing bash-5.2.37-r0.post-install
-#23 1.740 (5/38) Installing libintl (0.24.1-r0)
-#23 1.749 (6/38) Installing gettext-envsubst (0.24.1-r0)
-#23 1.775 (7/38) Installing libmd (1.1.0-r0)
-#23 1.782 (8/38) Installing libbsd (0.12.2-r0)
-#23 1.807 (9/38) Installing libeconf (0.6.3-r0)
-#23 1.812 (10/38) Installing libblkid (2.41-r9)
-#23 1.831 (11/38) Installing libmount (2.41-r9)
-#23 1.857 (12/38) Installing libsmartcols (2.41-r9)
-#23 1.872 (13/38) Installing lsblk (2.41-r9)
-#23 1.886 (14/38) Installing libcap2 (2.76-r0)
-#23 1.897 (15/38) Installing jansson (2.14.1-r0)
-#23 1.910 (16/38) Installing mtr (0.96-r0)
-#23 1.948 (17/38) Installing skalibs-libs (2.14.4.0-r0)
-#23 1.966 (18/38) Installing execline-libs (2.9.7.0-r0)
-#23 1.974 (19/38) Installing execline (2.9.7.0-r0)
-#23 1.996 Executing execline-2.9.7.0-r0.post-install
-#23 2.004 (20/38) Installing s6-ipcserver (2.13.2.0-r0)
-#23 2.010 (21/38) Installing s6-libs (2.13.2.0-r0)
-#23 2.016 (22/38) Installing s6 (2.13.2.0-r0)
-#23 2.033 Executing s6-2.13.2.0-r0.pre-install
-#23 2.159 (23/38) Installing s6-rc-libs (0.5.6.0-r0)
-#23 2.164 (24/38) Installing s6-rc (0.5.6.0-r0)
-#23 2.175 (25/38) Installing s6-linux-init (1.1.3.0-r0)
-#23 2.185 (26/38) Installing s6-portable-utils (2.3.1.0-r0)
-#23 2.193 (27/38) Installing s6-linux-utils (2.6.3.0-r0)
-#23 2.200 (28/38) Installing s6-dns-libs (2.4.1.0-r0)
-#23 2.208 (29/38) Installing s6-dns (2.4.1.0-r0)
-#23 2.222 (30/38) Installing bearssl-libs (0.6_git20241009-r0)
-#23 2.254 (31/38) Installing s6-networking-libs (2.7.1.0-r0)
-#23 2.264 (32/38) Installing s6-networking (2.7.1.0-r0)
-#23 2.286 (33/38) Installing s6-overlay-helpers (0.1.2.0-r0)
-#23 2.355 (34/38) Installing s6-overlay (3.2.0.3-r0)
-#23 2.380 (35/38) Installing sudo (1.9.17_p2-r0)
-#23 2.511 (36/38) Installing tzdata (2025b-r0)
-#23 2.641 (37/38) Installing unzip (6.0-r15)
-#23 2.659 (38/38) Installing zip (3.0-r13)
-#23 2.694 Executing busybox-1.37.0-r18.trigger
-#23 2.725 OK: 16 MiB in 54 packages
-#23 2.778 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
-#23 2.918 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
-#23 3.218 (1/77) Installing libpcap (1.10.5-r1)
-#23 3.234 (2/77) Installing arp-scan (1.10.0-r2)
-#23 3.289 (3/77) Installing dbus-libs (1.16.2-r1)
-#23 3.307 (4/77) Installing avahi-libs (0.8-r21)
-#23 3.315 (5/77) Installing libdaemon (0.14-r6)
-#23 3.322 (6/77) Installing libevent (2.1.12-r8)
-#23 3.355 (7/77) Installing libexpat (2.7.2-r0)
-#23 3.368 (8/77) Installing avahi (0.8-r21)
-#23 3.387 Executing avahi-0.8-r21.pre-install
-#23 3.465 (9/77) Installing gdbm (1.24-r0)
-#23 3.477 (10/77) Installing avahi-tools (0.8-r21)
-#23 3.483 (11/77) Installing libbz2 (1.0.8-r6)
-#23 3.490 (12/77) Installing libffi (3.4.8-r0)
-#23 3.496 (13/77) Installing xz-libs (5.8.1-r0)
-#23 3.517 (14/77) Installing libgcc (14.2.0-r6)
-#23 3.529 (15/77) Installing libstdc++ (14.2.0-r6)
-#23 3.613 (16/77) Installing mpdecimal (4.0.1-r0)
-#23 3.628 (17/77) Installing libpanelw (6.5_p20250503-r0)
-#23 3.634 (18/77) Installing sqlite-libs (3.49.2-r1)
-#23 3.783 (19/77) Installing python3 (3.12.11-r0)
-#23 4.494 (20/77) Installing python3-pycache-pyc0 (3.12.11-r0)
-#23 4.915 (21/77) Installing pyc (3.12.11-r0)
-#23 4.915 (22/77) Installing py3-awake-pyc (1.0-r12)
-#23 4.922 (23/77) Installing python3-pyc (3.12.11-r0)
-#23 4.922 (24/77) Installing py3-awake (1.0-r12)
-#23 4.928 (25/77) Installing awake (1.0-r12)
-#23 4.932 (26/77) Installing fstrm (0.6.1-r4)
-#23 4.940 (27/77) Installing krb5-conf (1.0-r2)
-#23 5.017 (28/77) Installing libcom_err (1.47.2-r2)
-#23 5.026 (29/77) Installing keyutils-libs (1.6.3-r4)
-#23 5.033 (30/77) Installing libverto (0.3.2-r2)
-#23 5.039 (31/77) Installing krb5-libs (1.21.3-r0)
-#23 5.115 (32/77) Installing json-c (0.18-r1)
-#23 5.123 (33/77) Installing nghttp2-libs (1.65.0-r0)
-#23 5.136 (34/77) Installing protobuf-c (1.5.2-r0)
-#23 5.142 (35/77) Installing userspace-rcu (0.15.2-r0)
-#23 5.161 (36/77) Installing libuv (1.51.0-r0)
-#23 5.178 (37/77) Installing libxml2 (2.13.8-r0)
-#23 5.232 (38/77) Installing bind-libs (9.20.13-r0)
-#23 5.355 (39/77) Installing bind-tools (9.20.13-r0)
-#23 5.395 (40/77) Installing ca-certificates (20250619-r0)
-#23 5.518 (41/77) Installing brotli-libs (1.1.0-r2)
-#23 5.559 (42/77) Installing c-ares (1.34.5-r0)
-#23 5.573 (43/77) Installing libunistring (1.3-r0)
-#23 5.645 (44/77) Installing libidn2 (2.3.7-r0)
-#23 5.664 (45/77) Installing libpsl (0.21.5-r3)
-#23 5.676 (46/77) Installing zstd-libs (1.5.7-r0)
-#23 5.720 (47/77) Installing libcurl (8.14.1-r1)
-#23 5.753 (48/77) Installing curl (8.14.1-r1)
-#23 5.778 (49/77) Installing dbus (1.16.2-r1)
-#23 5.796 Executing dbus-1.16.2-r1.pre-install
-#23 5.869 Executing dbus-1.16.2-r1.post-install
-#23 5.887 (50/77) Installing dbus-daemon-launch-helper (1.16.2-r1)
-#23 5.896 (51/77) Installing libelf (0.193-r0)
-#23 5.908 (52/77) Installing libmnl (1.0.5-r2)
-#23 5.915 (53/77) Installing iproute2-minimal (6.15.0-r0)
-#23 5.954 (54/77) Installing libxtables (1.8.11-r1)
-#23 5.963 (55/77) Installing iproute2-tc (6.15.0-r0)
-#23 6.001 (56/77) Installing iproute2-ss (6.15.0-r0)
-#23 6.014 (57/77) Installing iproute2 (6.15.0-r0)
-#23 6.042 Executing iproute2-6.15.0-r0.post-install
-#23 6.047 (58/77) Installing nbtscan (1.7.2-r0)
-#23 6.053 (59/77) Installing net-snmp-libs (5.9.4-r1)
-#23 6.112 (60/77) Installing net-snmp-agent-libs (5.9.4-r1)
-#23 6.179 (61/77) Installing net-snmp-tools (5.9.4-r1)
-#23 6.205 (62/77) Installing mii-tool (2.10-r3)
-#23 6.211 (63/77) Installing net-tools (2.10-r3)
-#23 6.235 (64/77) Installing lua5.4-libs (5.4.7-r0)
-#23 6.258 (65/77) Installing libssh2 (1.11.1-r0)
-#23 6.279 (66/77) Installing nmap (7.97-r0)
-#23 6.524 (67/77) Installing nmap-nselibs (7.97-r0)
-#23 6.729 (68/77) Installing nmap-scripts (7.97-r0)
-#23 6.842 (69/77) Installing bridge (1.5-r5)
-#23 6.904 (70/77) Installing ifupdown-ng (0.12.1-r7)
-#23 6.915 (71/77) Installing ifupdown-ng-iproute2 (0.12.1-r7)
-#23 6.920 (72/77) Installing openrc-user (0.62.6-r0)
-#23 6.924 (73/77) Installing openrc (0.62.6-r0)
-#23 7.013 Executing openrc-0.62.6-r0.post-install
-#23 7.016 (74/77) Installing avahi-openrc (0.8-r21)
-#23 7.021 (75/77) Installing dbus-openrc (1.16.2-r1)
-#23 7.026 (76/77) Installing s6-openrc (2.13.2.0-r0)
-#23 7.032 (77/77) Installing traceroute (2.1.6-r0)
-#23 7.040 Executing busybox-1.37.0-r18.trigger
-#23 7.042 Executing ca-certificates-20250619-r0.trigger
-#23 7.101 Executing dbus-1.16.2-r1.trigger
-#23 7.104 OK: 102 MiB in 131 packages
-#23 7.156 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
-#23 7.243 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
-#23 7.543 (1/12) Installing php83-common (8.3.24-r0)
-#23 7.551 (2/12) Installing argon2-libs (20190702-r5)
-#23 7.557 (3/12) Installing libedit (20250104.3.1-r1)
-#23 7.568 (4/12) Installing pcre2 (10.43-r1)
-#23 7.600 (5/12) Installing php83 (8.3.24-r0)
-#23 7.777 (6/12) Installing php83-cgi (8.3.24-r0)
-#23 7.953 (7/12) Installing php83-curl (8.3.24-r0)
-#23 7.968 (8/12) Installing acl-libs (2.3.2-r1)
-#23 7.975 (9/12) Installing php83-fpm (8.3.24-r0)
-#23 8.193 (10/12) Installing php83-session (8.3.24-r0)
-#23 8.204 (11/12) Installing php83-sqlite3 (8.3.24-r0)
-#23 8.213 (12/12) Installing sqlite (3.49.2-r1)
-#23 8.309 Executing busybox-1.37.0-r18.trigger
-#23 8.317 OK: 129 MiB in 143 packages
-#23 8.369 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
-#23 8.449 fetch https://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
-#23 8.747 (1/2) Installing nginx (1.28.0-r3)
-#23 8.766 Executing nginx-1.28.0-r3.pre-install
-#23 8.863 Executing nginx-1.28.0-r3.post-install
-#23 8.865 (2/2) Installing nginx-openrc (1.28.0-r3)
-#23 8.870 Executing busybox-1.37.0-r18.trigger
-#23 8.873 OK: 130 MiB in 145 packages
-#23 DONE 9.5s
-
-#24 [runner  5/14] COPY --from=builder --chown=nginx:www-data /app/ /app/
-#24 DONE 0.5s
-
-#25 [runner  6/14] RUN mkdir -p /app/config /app/db /app/log/plugins
-#25 DONE 0.5s
-
-#26 [runner  7/14] COPY --chmod=600 --chown=root:root install/crontab /etc/crontabs/root
-#26 DONE 0.3s
-
-#27 [runner  8/14] COPY --chmod=755 dockerfiles/healthcheck.sh /usr/local/bin/healthcheck.sh
-#27 DONE 0.3s
-
-#28 [runner  9/14] RUN touch /app/log/app.log     && touch /app/log/execution_queue.log     && touch /app/log/app_front.log     && touch /app/log/app.php_errors.log     && touch /app/log/stderr.log     && touch /app/log/stdout.log     && touch /app/log/db_is_locked.log     && touch /app/log/IP_changes.log     && touch /app/log/report_output.txt     && touch /app/log/report_output.html     && touch /app/log/report_output.json     && touch /app/api/user_notifications.json
-#28 DONE 0.6s
-
-#29 [runner 10/14] COPY dockerfiles /app/dockerfiles
-#29 DONE 0.3s
-
-#30 [runner 11/14] RUN chmod +x /app/dockerfiles/*.sh
-#30 DONE 0.8s
-
-#31 [runner 12/14] RUN /app/dockerfiles/init-nginx.sh     && /app/dockerfiles/init-php-fpm.sh     && /app/dockerfiles/init-crond.sh     && /app/dockerfiles/init-backend.sh
-#31 0.417 Initializing nginx...
-#31 0.417 Setting webserver to address (0.0.0.0) and port (20211)
-#31 0.418 /app/dockerfiles/init-nginx.sh: line 5: /app/install/netalertx.template.conf: No such file or directory
-#31 0.611 nginx initialized.
-#31 0.612 Initializing php-fpm...
-#31 0.654 php-fpm initialized.
-#31 0.655 Initializing crond...
-#31 0.689 crond initialized.
-#31 0.690 Initializing backend...
-#31 12.19 Backend initialized.
-#31 DONE 12.3s
-
-#32 [runner 13/14] RUN rm -rf /app/dockerfiles
-#32 DONE 0.6s
-
-#33 [runner 14/14] RUN date +%s > /app/front/buildtimestamp.txt
-#33 DONE 0.6s
-
-#34 exporting to image
-#34 exporting layers
-#34 exporting layers 2.4s done
-#34 writing image sha256:0afcbc41473de559eff0dd93250595494fe4d8ea620861e9e90d50a248fcefda 0.0s done
-#34 naming to docker.io/library/netalertx 0.0s done
-#34 DONE 2.5s
+#21 exporting to image
+#21 exporting layers done
+#21 writing image sha256:7aac94268b770de42da767c06b8e9fecaeabf7ce1277cec1c83092484debd4c3 0.0s done
+#21 naming to docker.io/library/netalertx-test 0.0s done
+#21 DONE 0.1s
--- a/docs/API.md
+++ b/docs/API.md
@@ -1,4 +1,4 @@
-# NetAlertX API Documentation
+# API Documentation

 This API provides programmatic access to **devices, events, sessions, metrics, network tools, and sync** in NetAlertX. It is implemented as a **REST and GraphQL server**. All requests require authentication via **API Token** (`API_TOKEN` setting) unless explicitly noted. For example, to authorize a GraphQL request, you need to use a `Authorization: Bearer API_TOKEN` header as per example below:

@@ -36,9 +36,15 @@ Authorization: Bearer <API_TOKEN>
 If the token is missing or invalid, the server will return:

 ```json
-{ "error": "Forbidden" }
+{
+  "success": false,
+  "message": "ERROR: Not authorized",
+  "error": "Forbidden"
+}
 ```

+HTTP Status: **403 Forbidden**
+
 ---

 ## Base URL
@@ -54,6 +60,8 @@ http://<server>:<GRAPHQL_PORT>/
 > [!TIP]
 > When retrieving devices or settings try using the GraphQL API endpoint first as it is read-optimized.

+### Standard REST Endpoints
+
 * [Device API Endpoints](API_DEVICE.md) – Manage individual devices
 * [Devices Collection](API_DEVICES.md) – Bulk operations on multiple devices
 * [Events](API_EVENTS.md) – Device event logging and management
@@ -69,6 +77,18 @@ http://<server>:<GRAPHQL_PORT>/
 * [Logs](API_LOGS.md) – Purging of logs and adding to the event execution queue for user triggered events
 * [DB query](API_DBQUERY.md) (⚠ Internal) - Low level database access - use other endpoints if possible

+### MCP Server Bridge
+
+NetAlertX includes an **MCP (Model Context Protocol) Server Bridge** that provides AI assistants access to NetAlertX functionality through standardized tools. MCP endpoints are available at `/mcp/sse/*` paths and mirror the functionality of standard REST endpoints:
+
+* `/mcp/sse` - Server-Sent Events endpoint for MCP client connections
+* `/mcp/sse/openapi.json` - OpenAPI specification for available MCP tools
+* `/mcp/sse/device/*`, `/mcp/sse/devices/*`, `/mcp/sse/nettools/*`, `/mcp/sse/events/*` - MCP-enabled versions of REST endpoints
+
+MCP endpoints require the same Bearer token authentication as REST endpoints.
+
+**📖 See [MCP Server Bridge API](API_MCP.md) for complete documentation, tool specifications, and integration examples.**
+
 See [Testing](API_TESTS.md) for example requests and usage.

 ---
--- a/docs/API_DBQUERY.md
+++ b/docs/API_DBQUERY.md
@@ -2,7 +2,7 @@

 The **Database Query API** provides direct, low-level access to the NetAlertX database. It allows **read, write, update, and delete** operations against tables, using **base64-encoded** SQL or structured parameters.

-> [!Warning] 
+> [!Warning]
 > This API is primarily used internally to generate and render the application UI. These endpoints are low-level and powerful, and should be used with caution. Wherever possible, prefer the [standard API endpoints](API.md). Invalid or unsafe queries can corrupt data.
 > If you need data in a specific format that is not already provided, please open an issue or pull request with a clear, broadly useful use case. This helps ensure new endpoints benefit the wider community rather than relying on raw database queries.

@@ -16,10 +16,14 @@ All `/dbquery/*` endpoints require an API token in the HTTP headers:
 Authorization: Bearer <API_TOKEN>
 ```

-If the token is missing or invalid:
+If the token is missing or invalid (HTTP 403):

 ```json
-{ "error": "Forbidden" }
+{
+  "success": false,
+  "message": "ERROR: Not authorized",
+  "error": "Forbidden"
+}
 ```

 ---
--- a/docs/API_DEVICE.md
+++ b/docs/API_DEVICE.md
@@ -41,6 +41,8 @@ Manage a **single device** by its MAC address. Operations include retrieval, upd
 * Device not found → HTTP 404
 * Unauthorized → HTTP 403

+**MCP Integration**: Available as `get_device_info` and `set_device_alias` tools. See [MCP Server Bridge API](API_MCP.md).
+
 ---

 ## 2. Update Device Fields
--- a/docs/API_DEVICES.md
+++ b/docs/API_DEVICES.md
@@ -170,7 +170,7 @@ The Devices Collection API provides operations to **retrieve, manage, import/exp
 **Response**:

 ```json
-[ 
+[
  120,    // Total devices
  85,     // Connected
  5,      // Favorites
@@ -207,6 +207,93 @@ The Devices Collection API provides operations to **retrieve, manage, import/exp

 ---

+### 9. Search Devices
+
+* **POST** `/devices/search`
+  Search for devices by MAC, name, or IP address.
+
+**Request Body** (JSON):
+
+```json
+{
+  "query": ".50"
+}
+```
+
+**Response**:
+
+```json
+{
+  "success": true,
+  "devices": [
+    {
+      "devName": "Test Device",
+      "devMac": "AA:BB:CC:DD:EE:FF",
+      "devLastIP": "192.168.1.50"
+    }
+  ]
+}
+```
+
+---
+
+### 10. Get Latest Device
+
+* **GET** `/devices/latest`
+  Get the most recently connected device.
+
+**Response**:
+
+```json
+[
+  {
+    "devName": "Latest Device",
+    "devMac": "AA:BB:CC:DD:EE:FF",
+    "devLastIP": "192.168.1.100",
+    "devFirstConnection": "2025-12-07 10:30:00"
+  }
+]
+```
+
+---
+
+### 11. Get Network Topology
+
+* **GET** `/devices/network/topology`
+  Get network topology showing device relationships.
+
+**Response**:
+
+```json
+{
+  "nodes": [
+    {
+      "id": "AA:AA:AA:AA:AA:AA",
+      "name": "Router",
+      "vendor": "VendorA"
+    }
+  ],
+  "links": [
+    {
+      "source": "AA:AA:AA:AA:AA:AA",
+      "target": "BB:BB:BB:BB:BB:BB",
+      "port": "eth1"
+    }
+  ]
+}
+```
+
+---
+
+## MCP Tools
+
+These endpoints are also available as **MCP Tools** for AI assistant integration:
+- `list_devices`, `search_devices`, `get_latest_device`, `get_network_topology`, `set_device_alias`
+
+📖 See [MCP Server Bridge API](API_MCP.md) for AI integration details.
+
+---
+
 ## Example `curl` Requests

 **Get All Devices**:
@@ -247,3 +334,26 @@ curl -X GET "http://<server_ip>:<GRAPHQL_PORT>/devices/by-status?status=online"
  -H "Authorization: Bearer <API_TOKEN>"
 ```

+**Search Devices**:
+
+```sh
+curl -X POST "http://<server_ip>:<GRAPHQL_PORT>/devices/search" \
+  -H "Authorization: Bearer <API_TOKEN>" \
+  -H "Content-Type: application/json" \
+  --data '{"query": "192.168.1"}'
+```
+
+**Get Latest Device**:
+
+```sh
+curl -X GET "http://<server_ip>:<GRAPHQL_PORT>/devices/latest" \
+  -H "Authorization: Bearer <API_TOKEN>"
+```
+
+**Get Network Topology**:
+
+```sh
+curl -X GET "http://<server_ip>:<GRAPHQL_PORT>/devices/network/topology" \
+  -H "Authorization: Bearer <API_TOKEN>"
+```
+
--- a/docs/API_EVENTS.md
+++ b/docs/API_EVENTS.md
@@ -88,7 +88,56 @@ The Events API provides access to **device event logs**, allowing creation, retr

 ---

-### 4. Event Totals Over a Period
+### 4. Get Recent Events
+
+* **GET** `/events/recent` → Get events from the last 24 hours
+* **GET** `/events/<hours>` → Get events from the last N hours
+
+**Response** (JSON):
+
+```json
+{
+  "success": true,
+  "hours": 24,
+  "count": 5,
+  "events": [
+    {
+      "eve_DateTime": "2025-12-07 12:00:00",
+      "eve_EventType": "New Device",
+      "eve_MAC": "AA:BB:CC:DD:EE:FF",
+      "eve_IP": "192.168.1.100",
+      "eve_AdditionalInfo": "Device detected"
+    }
+  ]
+}
+```
+
+---
+
+### 5. Get Latest Events
+
+* **GET** `/events/last`
+  Get the 10 most recent events.
+
+**Response** (JSON):
+
+```json
+{
+  "success": true,
+  "count": 10,
+  "events": [
+    {
+      "eve_DateTime": "2025-12-07 12:00:00",
+      "eve_EventType": "Device Down",
+      "eve_MAC": "AA:BB:CC:DD:EE:FF"
+    }
+  ]
+}
+```
+
+---
+
+### 6. Event Totals Over a Period

 * **GET** `/sessions/totals?period=<period>`
  Return event and session totals over a given period.
@@ -116,12 +165,25 @@ The Events API provides access to **device event logs**, allowing creation, retr

 ---

+## MCP Tools
+
+Event endpoints are available as **MCP Tools** for AI assistant integration:
+- `get_recent_alerts`, `get_last_events`
+
+📖 See [MCP Server Bridge API](API_MCP.md) for AI integration details.
+
+---
+
 ## Notes

-* All endpoints require **authorization** (Bearer token). Unauthorized requests return:
+* All endpoints require **authorization** (Bearer token). Unauthorized requests return HTTP 403:

 ```json
-{ "error": "Forbidden" }
+{
+  "success": false,
+  "message": "ERROR: Not authorized",
+  "error": "Forbidden"
+}
 ```

 * Events are stored in the **Events table** with the following fields:
--- a/docs/API_LOGS.md
+++ b/docs/API_LOGS.md
@@ -18,7 +18,6 @@ Only specific, pre-approved log files can be purged for security and stability r

 ```
 app.log
-app_front.log
 IP_changes.log
 stdout.log
 stderr.log
--- a/docs/API_MCP.md
+++ b/docs/API_MCP.md
@@ -0,0 +1,418 @@
+# MCP Server Bridge API
+
+The **MCP (Model Context Protocol) Server Bridge** provides AI assistants with standardized access to NetAlertX functionality through tools and server-sent events. This enables AI systems to interact with your network monitoring data in real-time.
+
+---
+
+## Overview
+
+The MCP Server Bridge exposes NetAlertX functionality as **MCP Tools** that AI assistants can call to:
+
+- Search and retrieve device information
+- Trigger network scans
+- Get network topology and events
+- Wake devices via Wake-on-LAN
+- Access open port information
+- Set device aliases
+
+All MCP endpoints mirror the functionality of standard REST endpoints but are optimized for AI assistant integration.
+
+---
+
+## Architecture Overview
+
+### MCP Connection Flow
+
+```mermaid
+graph TB
+    A[AI Assistant<br/>Claude Desktop] -->|SSE Connection| B[NetAlertX MCP Server<br/>:20212/mcp/sse]
+    B -->|JSON-RPC Messages| C[MCP Bridge<br/>api_server_start.py]
+    C -->|Tool Calls| D[NetAlertX Tools<br/>Device/Network APIs]
+    D -->|Response Data| C
+    C -->|JSON Response| B
+    B -->|Stream Events| A
+
+    style A fill:#e1f5fe
+    style B fill:#f3e5f5
+    style C fill:#fff3e0
+    style D fill:#e8f5e8
+```
+
+### MCP Tool Integration
+
+```mermaid
+sequenceDiagram
+    participant AI as AI Assistant
+    participant MCP as MCP Server (:20212)
+    participant API as NetAlertX API (:20211)
+    participant DB as SQLite Database
+
+    AI->>MCP: 1. Connect via SSE
+    MCP-->>AI: 2. Session established
+    AI->>MCP: 3. tools/list request
+    MCP->>API: 4. GET /mcp/sse/openapi.json
+    API-->>MCP: 5. Available tools spec
+    MCP-->>AI: 6. Tool definitions
+    AI->>MCP: 7. tools/call: search_devices
+    MCP->>API: 8. POST /mcp/sse/devices/search
+    API->>DB: 9. Query devices
+    DB-->>API: 10. Device data
+    API-->>MCP: 11. JSON response
+    MCP-->>AI: 12. Tool result
+```
+
+### Component Architecture
+
+```mermaid
+graph LR
+    subgraph "AI Client"
+        A[Claude Desktop]
+        B[Custom MCP Client]
+    end
+
+    subgraph "NetAlertX MCP Server (:20212)"
+        C[SSE Endpoint<br/>/mcp/sse]
+        D[Message Handler<br/>/mcp/messages]
+        E[OpenAPI Spec<br/>/mcp/sse/openapi.json]
+    end
+
+    subgraph "NetAlertX API Server (:20211)"
+        F[Device APIs<br/>/mcp/sse/devices/*]
+        G[Network Tools<br/>/mcp/sse/nettools/*]
+        H[Events API<br/>/mcp/sse/events/*]
+    end
+
+    subgraph "Backend"
+        I[SQLite Database]
+        J[Network Scanners]
+        K[Plugin System]
+    end
+
+    A -.->|Bearer Auth| C
+    B -.->|Bearer Auth| C
+    C --> D
+    C --> E
+    D --> F
+    D --> G
+    D --> H
+    F --> I
+    G --> J
+    H --> I
+
+    style A fill:#e1f5fe
+    style B fill:#e1f5fe
+    style C fill:#f3e5f5
+    style D fill:#f3e5f5
+    style E fill:#f3e5f5
+    style F fill:#fff3e0
+    style G fill:#fff3e0
+    style H fill:#fff3e0
+```
+
+---
+
+## Authentication
+
+MCP endpoints use the same **Bearer token authentication** as REST endpoints:
+
+```http
+Authorization: Bearer <API_TOKEN>
+```
+
+Unauthorized requests return HTTP 403:
+
+```json
+{
+  "success": false,
+  "message": "ERROR: Not authorized",
+  "error": "Forbidden"
+}
+```
+
+---
+
+## MCP Connection Endpoint
+
+### Server-Sent Events (SSE)
+
+* **GET/POST** `/mcp/sse`
+
+  Main MCP connection endpoint for AI clients. Establishes a persistent connection using Server-Sent Events for real-time communication between AI assistants and NetAlertX.
+
+**Connection Example**:
+
+```javascript
+const eventSource = new EventSource('/mcp/sse', {
+  headers: {
+    'Authorization': 'Bearer <API_TOKEN>'
+  }
+});
+
+eventSource.onmessage = function(event) {
+  const response = JSON.parse(event.data);
+  console.log('MCP Response:', response);
+};
+```
+
+---
+
+## OpenAPI Specification
+
+### Get MCP Tools Specification
+
+* **GET** `/mcp/sse/openapi.json`
+
+  Returns the OpenAPI specification for all available MCP tools, describing the parameters and schemas for each tool.
+
+**Response**:
+
+```json
+{
+  "openapi": "3.0.0",
+  "info": {
+    "title": "NetAlertX Tools",
+    "version": "1.1.0"
+  },
+  "servers": [{"url": "/"}],
+  "paths": {
+    "/devices/by-status": {
+      "post": {"operationId": "list_devices"}
+    },
+    "/device/{mac}": {
+      "post": {"operationId": "get_device_info"}
+    },
+    "/devices/search": {
+      "post": {"operationId": "search_devices"}
+    }
+  }
+}
+```
+
+---
+
+## Available MCP Tools
+
+### Device Management Tools
+
+| Tool | Endpoint | Description |
+|------|----------|-------------|
+| `list_devices` | `/mcp/sse/devices/by-status` | List devices by online status |
+| `get_device_info` | `/mcp/sse/device/<mac>` | Get detailed device information |
+| `search_devices` | `/mcp/sse/devices/search` | Search devices by MAC, name, or IP |
+| `get_latest_device` | `/mcp/sse/devices/latest` | Get most recently connected device |
+| `set_device_alias` | `/mcp/sse/device/<mac>/set-alias` | Set device friendly name |
+
+### Network Tools
+
+| Tool | Endpoint | Description |
+|------|----------|-------------|
+| `trigger_scan` | `/mcp/sse/nettools/trigger-scan` | Trigger network discovery scan |
+| `get_open_ports` | `/mcp/sse/device/open_ports` | Get stored NMAP open ports for device |
+| `wol_wake_device` | `/mcp/sse/nettools/wakeonlan` | Wake device using Wake-on-LAN |
+| `get_network_topology` | `/mcp/sse/devices/network/topology` | Get network topology map |
+
+### Event & Monitoring Tools
+
+| Tool | Endpoint | Description |
+|------|----------|-------------|
+| `get_recent_alerts` | `/mcp/sse/events/recent` | Get events from last 24 hours |
+| `get_last_events` | `/mcp/sse/events/last` | Get 10 most recent events |
+
+---
+
+## Tool Usage Examples
+
+### Search Devices Tool
+
+**Tool Call**:
+```json
+{
+  "jsonrpc": "2.0",
+  "id": "1",
+  "method": "tools/call",
+  "params": {
+    "name": "search_devices",
+    "arguments": {
+      "query": "192.168.1"
+    }
+  }
+}
+```
+
+**Response**:
+```json
+{
+  "jsonrpc": "2.0",
+  "id": "1",
+  "result": {
+    "content": [
+      {
+        "type": "text",
+        "text": "{\n  \"success\": true,\n  \"devices\": [\n    {\n      \"devName\": \"Router\",\n      \"devMac\": \"AA:BB:CC:DD:EE:FF\",\n      \"devLastIP\": \"192.168.1.1\"\n    }\n  ]\n}"
+      }
+    ],
+    "isError": false
+  }
+}
+```
+
+### Trigger Network Scan Tool
+
+**Tool Call**:
+```json
+{
+  "jsonrpc": "2.0",
+  "id": "2",
+  "method": "tools/call",
+  "params": {
+    "name": "trigger_scan",
+    "arguments": {
+      "type": "ARPSCAN"
+    }
+  }
+}
+```
+
+**Response**:
+```json
+{
+  "jsonrpc": "2.0",
+  "id": "2",
+  "result": {
+    "content": [
+      {
+        "type": "text",
+        "text": "{\n  \"success\": true,\n  \"message\": \"Scan triggered for type: ARPSCAN\"\n}"
+      }
+    ],
+    "isError": false
+  }
+}
+```
+
+### Wake-on-LAN Tool
+
+**Tool Call**:
+```json
+{
+  "jsonrpc": "2.0",
+  "id": "3",
+  "method": "tools/call",
+  "params": {
+    "name": "wol_wake_device",
+    "arguments": {
+      "devMac": "AA:BB:CC:DD:EE:FF"
+    }
+  }
+}
+```
+
+---
+
+## Integration with AI Assistants
+
+### Claude Desktop Integration
+
+Add to your Claude Desktop `mcp.json` configuration:
+
+```json
+{
+  "mcp": {
+    "servers": {
+      "netalertx": {
+        "command": "node",
+        "args": ["/path/to/mcp-client.js"],
+        "env": {
+          "NETALERTX_URL": "http://your-server:<GRAPHQL_PORT>",
+          "NETALERTX_TOKEN": "your-api-token"
+        }
+      }
+    }
+  }
+}
+```
+
+### Generic MCP Client
+
+```python
+import asyncio
+import json
+from mcp import ClientSession, StdioServerParameters
+from mcp.client.stdio import stdio_client
+
+async def main():
+    # Connect to NetAlertX MCP server
+    server_params = StdioServerParameters(
+        command="curl",
+        args=[
+            "-N", "-H", "Authorization: Bearer <API_TOKEN>",
+            "http://your-server:<GRAPHQL_PORT>/mcp/sse"
+        ]
+    )
+
+    async with stdio_client(server_params) as (read, write):
+        async with ClientSession(read, write) as session:
+            # Initialize connection
+            await session.initialize()
+
+            # List available tools
+            tools = await session.list_tools()
+            print(f"Available tools: {[t.name for t in tools.tools]}")
+
+            # Call a tool
+            result = await session.call_tool("search_devices", {"query": "router"})
+            print(f"Search result: {result}")
+
+if __name__ == "__main__":
+    asyncio.run(main())
+```
+
+---
+
+## Error Handling
+
+MCP tool calls return structured error information:
+
+**Error Response**:
+```json
+{
+  "jsonrpc": "2.0",
+  "id": "1",
+  "result": {
+    "content": [
+      {
+        "type": "text",
+        "text": "Error calling tool: Device not found"
+      }
+    ],
+    "isError": true
+  }
+}
+```
+
+**Common Error Types**:
+- `401/403` - Authentication failure
+- `400` - Invalid parameters or missing required fields
+- `404` - Resource not found (device, scan results, etc.)
+- `500` - Internal server error
+
+---
+
+## Notes
+
+* MCP endpoints require the same API token authentication as REST endpoints
+* All MCP tools return JSON responses wrapped in MCP protocol format
+* Server-Sent Events maintain persistent connections for real-time updates
+* Tool parameters match their REST endpoint equivalents
+* Error responses include both HTTP status codes and descriptive messages
+* MCP bridge automatically handles request/response serialization
+
+---
+
+## Related Documentation
+
+* [Main API Overview](API.md) - Core REST API documentation
+* [Device API](API_DEVICE.md) - Individual device management
+* [Devices Collection API](API_DEVICES.md) - Bulk device operations
+* [Network Tools API](API_NETTOOLS.md) - Wake-on-LAN, scans, network utilities
+* [Events API](API_EVENTS.md) - Event logging and monitoring
--- a/docs/API_NETTOOLS.md
+++ b/docs/API_NETTOOLS.md
@@ -1,6 +1,6 @@
 # Net Tools API Endpoints

-The Net Tools API provides **network diagnostic utilities**, including Wake-on-LAN, traceroute, speed testing, DNS resolution, nmap scanning, and internet connection information.
+The Net Tools API provides **network diagnostic utilities**, including Wake-on-LAN, traceroute, speed testing, DNS resolution, nmap scanning, internet connection information, and network interface info.

 All endpoints require **authorization** via Bearer token.

@@ -190,6 +190,51 @@ All endpoints require **authorization** via Bearer token.

 ---

+### 7. Network Interfaces
+
+* **GET** `/nettools/interfaces`
+  Fetches the list of network interfaces on the system, including IPv4/IPv6 addresses, MAC, MTU, state (up/down), and RX/TX byte counters.
+
+**Response** (success):
+
+```json
+{
+  "success": true,
+  "interfaces": {
+    "eth0": {
+      "name": "eth0",
+      "short": "eth0",
+      "type": "ethernet",
+      "state": "up",
+      "mtu": 1500,
+      "mac": "00:11:32:EF:A5:6B",
+      "ipv4": ["192.168.1.82/24"],
+      "ipv6": ["fe80::211:32ff:feef:a56c/64"],
+      "rx_bytes": 18488221,
+      "tx_bytes": 1443944
+    },
+    "lo": {
+      "name": "lo",
+      "short": "lo",
+      "type": "loopback",
+      "state": "up",
+      "mtu": 65536,
+      "mac": null,
+      "ipv4": ["127.0.0.1/8"],
+      "ipv6": ["::1/128"],
+      "rx_bytes": 123456,
+      "tx_bytes": 123456
+    }
+  }
+}
+```
+
+**Error Responses**:
+
+* Command failure or parsing error → HTTP 500
+
+---
+
 ## Example `curl` Requests

 **Wake-on-LAN**:
@@ -241,3 +286,21 @@ curl -X POST "http://<server_ip>:<GRAPHQL_PORT>/nettools/nmap" \
 curl "http://<server_ip>:<GRAPHQL_PORT>/nettools/internetinfo" \
  -H "Authorization: Bearer <API_TOKEN>"
 ```
+
+**Network Interfaces**:
+
+```sh
+curl "http://<server_ip>:<GRAPHQL_PORT>/nettools/interfaces" \
+  -H "Authorization: Bearer <API_TOKEN>"
+```
+
+---
+
+## MCP Tools
+
+Network tools are available as **MCP Tools** for AI assistant integration:
+
+* `wol_wake_device`, `trigger_scan`, `get_open_ports`
+
+📖 See [MCP Server Bridge API](API_MCP.md) for AI integration details.
+
--- a/docs/API_OLD.md
+++ b/docs/API_OLD.md
@@ -1,7 +1,7 @@
 # [Deprecated] API endpoints

-> [!WARNING] 
-> Some of these endpoints will be deprecated soon. Please refere to the new [API](API.md) endpoints docs for details on the new API layer. 
+> [!WARNING]
+> Some of these endpoints will be deprecated soon. Please refere to the new [API](API.md) endpoints docs for details on the new API layer.

 NetAlertX comes with a couple of API endpoints. All requests need to be authorized (executed in a logged in browser session) or you have to pass the value of the `API_TOKEN` settings as authorization bearer, for example:

@@ -56,7 +56,7 @@ See also: [Debugging GraphQL issues](./DEBUG_API_SERVER.md)

 ### `curl` Command

-You can use the following `curl` command to execute the query. 
+You can use the following `curl` command to execute the query.

 ```sh
 curl 'http://host:GRAPHQL_PORT/graphql'   -X POST   -H 'Authorization: Bearer API_TOKEN'  -H 'Content-Type: application/json'   --data '{
@@ -127,9 +127,9 @@ The response will be in JSON format, similar to the following:
 }
 ```

-## API Endpoint: JSON files 
+## API Endpoint: JSON files

-This API endpoint retrieves static files, that are periodically updated. 
+This API endpoint retrieves static files, that are periodically updated.

 - Endpoint URL: `php/server/query_json.php?file=<file name>`
 - Host: `same as front end (web ui)`
@@ -147,18 +147,18 @@ In the container, these files are located under the API directory (default: `/tm

 You can access the following files:

-  | File name | Description | 
-  |----------------------|----------------------| 
+  | File name | Description |
+  |----------------------|----------------------|
  | `notification_json_final.json` | The json version of the last notification (e.g. used for webhooks - [sample JSON](https://github.com/jokob-sk/NetAlertX/blob/main/front/report_templates/webhook_json_sample.json)). |
-  | `table_devices.json` | All of the available Devices detected by the app. |  
+  | `table_devices.json` | All of the available Devices detected by the app. |
  | `table_plugins_events.json` | The list of the unprocessed (pending) notification events (plugins_events DB table). |
-  | `table_plugins_history.json` | The list of notification events history. |  
-  | `table_plugins_objects.json` | The content of the plugins_objects table. Find more info on the [Plugin system here](https://github.com/jokob-sk/NetAlertX/tree/main/docs/PLUGINS.md)|
-  | `language_strings.json` | The content of the language_strings table, which in turn is loaded from the plugins `config.json` definitions. |  
+  | `table_plugins_history.json` | The list of notification events history. |
+  | `table_plugins_objects.json` | The content of the plugins_objects table. Find more info on the [Plugin system here](https://docs.netalertx.com/PLUGINS)|
+  | `language_strings.json` | The content of the language_strings table, which in turn is loaded from the plugins `config.json` definitions. |
  | `table_custom_endpoint.json` | A custom endpoint generated by the SQL query specified by the `API_CUSTOM_SQL` setting. |
  | `table_settings.json` | The content of the settings table. |
  | `app_state.json` | Contains the current application state. |
-  
+

 ### JSON Data format

@@ -169,11 +169,11 @@ The endpoints starting with the `table_` prefix contain most, if not all, data c
  "data": [
        {
          "db_column_name": "data",
-          "db_column_name2": "data2"      
-        }, 
+          "db_column_name2": "data2"
+        },
        {
          "db_column_name": "data3",
-          "db_column_name2": "data4" 
+          "db_column_name2": "data4"
        }
    ]
 }
@@ -201,7 +201,7 @@ Example JSON of the `table_devices.json` endpoint with two Devices (database row
          "devParentMAC": "",
          "devParentPort": "",
          "devIcon": "globe"
-        }, 
+        },
        {
          "devMac": "a4:8f:ff:aa:ba:1f",
          "devName": "Net - USG",
@@ -332,7 +332,7 @@ Grafana template sample: [Download json](./samples/API/Grafana_Dashboard.json)

 ## API Endpoint: /log files

-This API endpoint retrieves files from the `/tmp/log` folder. 
+This API endpoint retrieves files from the `/tmp/log` folder.

 - Endpoint URL: `php/server/query_logs.php?file=<file name>`
 - Host: `same as front end (web ui)`
@@ -357,7 +357,7 @@ This API endpoint retrieves files from the `/tmp/log` folder.

 ## API Endpoint: /config files

-To retrieve files from the `/data/config` folder. 
+To retrieve files from the `/data/config` folder.

 - Endpoint URL: `php/server/query_config.php?file=<file name>`
 - Host: `same as front end (web ui)`
--- a/docs/API_SESSIONS.md
+++ b/docs/API_SESSIONS.md
@@ -118,11 +118,14 @@ curl -X DELETE "http://<server_ip>:<GRAPHQL_PORT>/sessions/delete" \
  ```
 #### `curl` Example

+**get sessions for mac**
+
 ```bash
 curl -X GET "http://<server_ip>:<GRAPHQL_PORT>/sessions/list?mac=AA:BB:CC:DD:EE:FF&start_date=2025-08-01&end_date=2025-08-21" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "Accept: application/json"
 ```
+
 ---

 ### Calendar View of Sessions
--- a/docs/API_SSE.md
+++ b/docs/API_SSE.md
@@ -0,0 +1,78 @@
+# SSE (Server-Sent Events)
+
+Real-time app state updates via Server-Sent Events. Reduces server load ~95% vs polling.
+
+## Endpoints
+
+| Endpoint | Method | Purpose |
+|----------|--------|---------|
+| `/sse/state` | GET | Stream state updates (requires Bearer token) |
+| `/sse/stats` | GET | Debug: connected clients, queued events |
+
+## Usage
+
+### Connect to SSE Stream
+```bash
+curl -H "Authorization: Bearer YOUR_API_TOKEN" \
+  http://localhost:5000/sse/state
+```
+
+### Check Connection Stats
+```bash
+curl -H "Authorization: Bearer YOUR_API_TOKEN" \
+  http://localhost:5000/sse/stats
+```
+
+## Event Types
+
+- `state_update` - App state changed (e.g., "Scanning", "Processing")
+- `unread_notifications_count_update` - Number of unread notifications changed (count: int)
+
+## Backend Integration
+
+Broadcasts automatically triggered in `app_state.py` via `broadcast_state_update()`:
+
+```python
+from api_server.sse_broadcast import broadcast_state_update
+
+# Called on every state change - no additional code needed
+broadcast_state_update(current_state="Scanning", settings_imported=time.time())
+```
+
+## Frontend Integration
+
+Auto-enabled via `sse_manager.js`:
+
+```javascript
+// In browser console:
+netAlertXStateManager.getStats().then(stats => {
+  console.log("Connected clients:", stats.connected_clients);
+});
+```
+
+## Fallback Behavior
+
+- If SSE fails after 3 attempts, automatically switches to polling
+- Polling starts at 1s, backs off to 30s max
+- No user-visible difference in functionality
+
+## Files
+
+| File | Purpose |
+|------|---------|
+| `server/api_server/sse_endpoint.py` | SSE endpoints & event queue |
+| `server/api_server/sse_broadcast.py` | Broadcast helper functions |
+| `front/js/sse_manager.js` | Client-side SSE connection manager |
+
+## Troubleshooting
+
+| Issue | Solution |
+|-------|----------|
+| Connection refused | Check backend running, API token correct |
+| No events received | Verify `broadcast_state_update()` is called on state changes |
+| High memory | Events not processed fast enough, check client logs |
+| Using polling instead of SSE | Normal fallback - check browser console for errors |
+
+---
+
+
--- a/docs/AUTHELIA.md
+++ b/docs/AUTHELIA.md
@@ -1,8 +1,8 @@
 ## Authelia support

-> [!WARNING] 
->
-> This is community contributed content and work in progress. Contributions are welcome. 
+> [!NOTE]
+> This is community-contributed. Due to environment, setup, or networking differences, results may vary. Please open a PR to improve it instead of creating an issue, as the maintainer is not actively maintaining it.
+

 ```yaml
 theme: dark
@@ -274,4 +274,4 @@ notifier:
    subject: "[Authelia] {title}"
    startup_check_address: postmaster@MYOTHERDOMAIN.LTD

-```
+```
--- a/docs/CNAME
+++ b/docs/CNAME
@@ -0,0 +1 @@
+docs.netalertx.com
--- a/docs/COMMON_ISSUES.md
+++ b/docs/COMMON_ISSUES.md
@@ -1,66 +1,122 @@
-### Loading...
+# Troubleshooting Common Issues

-Often if the application is misconfigured the `Loading...` dialog is continuously displayed. This is most likely caused by the backed failing to start. The **Maintenance -> Logs** section should give you more details on what's happening. If there is no exception, check the Portainer log, or start the container in the foreground (without the `-d` parameter) to observe any exceptions. It's advisable to enable `trace` or `debug`. Check the [Debug tips](./DEBUG_TIPS.md) on detailed instructions. 
+> [!TIP]
+> Before troubleshooting, ensure you have set the correct [Debugging and LOG_LEVEL](./DEBUG_TIPS.md).

-The issue might be related to the backend server, so please check [Debugging GraphQL issues](./DEBUG_API_SERVER.md). 
+---

-Please also check the browser logs (usually accessible by pressing `F12`):
+## Docker Container Doesn't Start

-1. Switch to the Console tab and refresh the page
-2. Switch to teh Network tab and refresh the page
-
-If you are not sure how to resolve the errors yourself, please post screenshots of the above into the issue, or discord discussion, where your problem is being solved. 
-
-### Incorrect SCAN_SUBNETS
-
-One of the most common issues is not configuring `SCAN_SUBNETS` correctly. If this setting is misconfigured you will only see one or two devices in your devices list after a scan. Please read the [subnets docs](./SUBNETS.md) carefully to resolve this.
-
-### Duplicate devices and notifications
-
-The app uses the MAC address as an unique identifier for devices. If a new MAC is detected a new device is added to the application and corresponding notifications are triggered. This means that if the MAC of an existing device changes, the device will be logged as a new device. You can usually prevent this from happening by changing the device configuration (in Android, iOS, or Windows) for your network. See the [Random Macs](./RANDOM_MAC.md) guide for details. 
+Initial setup issues are often caused by **missing permissions** or **incorrectly mapped volumes**. Always double-check your `docker run` or `docker-compose.yml` against the [official setup guide](./DOCKER_INSTALLATION.md) before proceeding.

 ### Permissions

-Make sure you [File permissions](./FILE_PERMISSIONS.md) are set correctly.
+Make sure your [file permissions](./FILE_PERMISSIONS.md) are correctly set:

-* If facing issues (AJAX errors, can't write to DB, empty screen, etc,) make sure permissions are set correctly, and check the logs under `/tmp/log`. 
-* To solve permission issues you can try setting the owner and group of the `app.db` by executing the following on the host system: `docker exec netalertx chown -R www-data:www-data /data/db/app.db`. 
-* If still facing issues, try to map the app.db file (⚠ not folder) to `:/data/db/app.db` (see [docker-compose Examples](https://github.com/jokob-sk/NetAlertX/blob/main/dockerfiles/README.md#-docker-composeyml-examples) for details)
+* If you encounter AJAX errors, cannot write to the database, or see an empty screen, check that permissions are correct and review the logs under `/tmp/log`.
+* To fix permission issues with the database, update the owner and group of `app.db` as described in the [File Permissions guide](./FILE_PERMISSIONS.md).

-### Container restarts / crashes
+### Container Restarts / Crashes

-* Check the logs for details. Often a required setting for a notification method is missing. 
+* Check the logs for details. Often, required settings are missing.
+* For more detailed troubleshooting, see [Debug and Troubleshooting Tips](./DEBUG_TIPS.md).
+* To observe errors directly, run the container in the foreground instead of `-d`:

-### unable to resolve host
+```bash
+docker run --rm -it <your_image>
+```

-* Check that your `SCAN_SUBNETS` variable is using the correct mask and `--interface`. See the [subnets docs for details](./SUBNETS.md).  
+---

-### Invalid JSON
+## Docker Container Starts, But the Application Misbehaves

-Check the [Invalid JSON errors debug help](./DEBUG_INVALID_JSON.md) docs on how to proceed.
+If the container starts but the app shows unexpected behavior, the cause is often **data corruption**, **incorrect configuration**, or **unexpected input data**.

-### sudo execution failing (e.g.: on arpscan) on a Raspberry Pi 4 
+### Continuous "Loading..." Screen

-> sudo: unexpected child termination condition: 0
+A misconfigured application may display a persistent `Loading...` dialog. This is usually caused by the backend failing to start.

-Resolution based on [this issue](https://github.com/linuxserver/docker-papermerge/issues/4#issuecomment-1003657581)
+**Steps to troubleshoot:**
+
+1. Check **Maintenance → Logs** for exceptions.
+2. If no exception is visible, check the Portainer logs.
+3. Start the container in the foreground to observe exceptions.
+4. Enable `trace` or `debug` logging for detailed output (see [Debug Tips](./DEBUG_TIPS.md)).
+5. Verify that `GRAPHQL_PORT` is correctly configured.
+6. Check browser logs (press `F12`):
+
+   * **Console tab** → refresh the page
+   * **Network tab** → refresh the page
+
+If you are unsure how to resolve errors, provide screenshots or log excerpts in your issue report or Discord discussion.
+
+---
+
+### Common Configuration Issues
+
+#### Incorrect `SCAN_SUBNETS`
+
+If `SCAN_SUBNETS` is misconfigured, you may see only a few devices in your device list after a scan. See the [Subnets Documentation](./SUBNETS.md) for proper configuration.
+
+#### Duplicate Devices and Notifications
+
+* Devices are identified by their **MAC address**.
+* If a device's MAC changes, it will be treated as a new device, triggering notifications.
+* Prevent this by adjusting your device configuration for Android, iOS, or Windows. See the [Random MACs Guide](./RANDOM_MAC.md).
+
+#### Unable to Resolve Host
+
+* Ensure `SCAN_SUBNETS` uses the correct mask and `--interface`.
+* Refer to the [Subnets Documentation](./SUBNETS.md) for detailed guidance.
+
+#### Invalid JSON Errors
+
+* Follow the steps in [Invalid JSON Errors Debug Help](./DEBUG_INVALID_JSON.md).
+
+#### Sudo Execution Fails (e.g., on arpscan on Raspberry Pi 4)
+
+Error:

 ```
+sudo: unexpected child termination condition: 0
+```
+
+**Resolution**:
+
+```bash
 wget ftp.us.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_2.5.3-2_armhf.deb
 sudo dpkg -i libseccomp2_2.5.3-2_armhf.deb
 ```

-The link above will probably break in time too. Go to https://packages.debian.org/sid/armhf/libseccomp2/download to find the new version number and put that in the url.
+> ⚠️ The link may break over time. Check [Debian Packages](https://packages.debian.org/sid/armhf/libseccomp2/download) for the latest version.

-### Only Router and own device show up
+#### Only Router and Own Device Show Up

-Make sure that the subnet and interface in `SCAN_SUBNETS` are correct. If your device/NAS has multiple ethernet ports, you probably need to change `eth0` to something else.
+* Verify the subnet and interface in `SCAN_SUBNETS`.
+* On devices with multiple Ethernet ports, you may need to change `eth0` to the correct interface.

-### Losing my settings and devices after an update
+#### Losing Settings or Devices After Update

-If you lose your devices and/or settings after an update that means you don't have the `/data/db` and `/data/config` folders mapped to a permanent storage. That means every time you update these folders are re-created. Make sure you have the [volumes specified correctly](./DOCKER_COMPOSE.md) in your `docker-compose.yml` or run command.
+* Ensure `/data/db` and `/data/config` are mapped to persistent storage.
+* Without persistent volumes, these folders are recreated on every update.
+* See [Docker Volumes Setup](./DOCKER_COMPOSE.md) for proper configuration.
+
+#### Application Performance Issues
+
+Slowness can be caused by:
+
+* Incorrect settings (causing app restarts) → check `app.log`.
+* Too many background processes → disable unnecessary scanners.
+* Long scans → limit the number of scanned devices.
+* Excessive disk operations or failing maintenance plugins.
+
+> See [Performance Tips](./PERFORMANCE.md) for detailed optimization steps.


-### The application is slow
+#### IP flipping

-Slowness is usually caused by incorrect settings (the app might restart, so check the `app.log`), too many background processes (disable unnecessary scanners), too long scans (limit the number of scanned devices), too many disk operations, or some maintenance plugins might have failed. See the [Performance tips](./PERFORMANCE.md) docs for details.
+With `ARPSCAN` scans some devices might flip IP addresses after each scan triggering false notifications. This is because some devices respond to broadcast calls and thus different IPs after scans are logged.
+
+See how to prevent IP flipping in the [ARPSCAN plugin guide](/front/plugins/arp_scan/README.md).
+
+Alternatively adjust your [notification settings](./NOTIFICATIONS.md) to prevent false positives by filtering out events or devices.
--- a/docs/COMMUNITY_GUIDES.md
+++ b/docs/COMMUNITY_GUIDES.md
@@ -1,15 +1,21 @@
 # Community Guides

-Use the official installation guides at first and use community content as supplementary material. Open an issue or PR if you'd like to add your link to the list 🙏 (Ordered by last update time)
+> [!NOTE]
+> This is community-contributed. Due to environment, setup, or networking differences, results may vary. Please open a PR to improve it instead of creating an issue, as the maintainer is not actively maintaining it.
+
+
+Use the official installation guides at first and use community content as supplementary material. (Ordered by last update time)

 - ▶ [Discover & Monitor Your Network with This Self-Hosted Open Source Tool - Lawrence Systems](https://www.youtube.com/watch?v=R3b5cxLZMpo) (June 2025)
 - ▶ [Home Lab Network Monitoring - Scotti-BYTE Enterprise Consulting Services](https://www.youtube.com/watch?v=0DryhzrQSJA) (July 2024)
 - 📄 [How to Install NetAlertX on Your Synology NAS - Marius hosting](https://mariushosting.com/how-to-install-pi-alert-on-your-synology-nas/) (Updated frequently)
 - 📄 [Using the PiAlert Network Security Scanner on a Raspberry Pi - PiMyLifeUp](https://pimylifeup.com/raspberry-pi-pialert/)
- ▶ [How to Setup Pi.Alert on Your Synology NAS - Digital Aloha](https://www.youtube.com/watch?v=M4YhpuRFaUg) 
+- ▶ [How to Setup Pi.Alert on Your Synology NAS - Digital Aloha](https://www.youtube.com/watch?v=M4YhpuRFaUg)
 - 📄 [防蹭网神器，网络安全助手 | 极空间部署网络扫描和通知系统『NetAlertX』](https://blog.csdn.net/qq_63499861/article/details/141105273)
 - 📄 [시놀/헤놀에서 네트워크 스캐너 Pi.Alert Docker로 설치 및 사용하기](https://blog.dalso.org/article/%EC%8B%9C%EB%86%80-%ED%97%A4%EB%86%80%EC%97%90%EC%84%9C-%EB%84%A4%ED%8A%B8%EC%9B%8C%ED%81%AC-%EC%8A%A4%EC%BA%90%EB%84%88-pi-alert-docker%EB%A1%9C-%EC%84%A4%EC%B9%98-%EB%B0%8F-%EC%82%AC%EC%9A%A9) (July 2023)
 - 📄 [网络入侵探测器Pi.Alert (Chinese)](https://codeantenna.com/a/VgUvIAjZ7J) (May 2023)
 - ▶ [Pi.Alert auf Synology & Docker by - Jürgen Barth](https://www.youtube.com/watch?v=-ouvA2UNu-A) (March 2023)
 - ▶ [Top Docker Container for Home Server Security - VirtualizationHowto](https://www.youtube.com/watch?v=tY-w-enLF6Q) (March 2023)
 - ▶ [Pi.Alert or WatchYourLAN can alert you to unknown devices appearing on your WiFi or LAN network - Danie van der Merwe](https://www.youtube.com/watch?v=v6an9QG2xF0) (November 2022)
+
+
--- a/docs/CUSTOM_PROPERTIES.md
+++ b/docs/CUSTOM_PROPERTIES.md
@@ -13,31 +13,6 @@ This functionality allows you to define **custom properties** for devices, which

 ---

-## Defining Custom Properties
-
-Custom properties are structured as a list of objects, where each property includes the following fields:
-
-| Field             | Description                                                                 |
-|--------------------|-----------------------------------------------------------------------------|
-| `CUSTPROP_icon`    | The icon (Base64-encoded HTML) displayed for the property.                 |
-| `CUSTPROP_type`    | The action type (e.g., `show_notes`, `link`, `delete_dev`).                |
-| `CUSTPROP_name`    | A short name or title for the property.                                    |
-| `CUSTPROP_args`    | Arguments for the action (e.g., URL or modal text).                        |
-| `CUSTPROP_notes`   | Additional notes or details displayed when applicable.                    |
-| `CUSTPROP_show`    | A boolean to control visibility (`true` to show on the listing page).      |
-
---
-
-## Available Action Types
-
- **Show Notes**: Displays a modal with a title and additional notes.
-  - **Example**: Show firmware details or custom messages.
- **Link**: Redirects to a specified URL in the current browser tab. (**Arguments** Needs to contain the full URL.)
- **Link (New Tab)**: Opens a specified URL in a new browser tab. (**Arguments** Needs to contain the full URL.)
- **Delete Device**: Deletes the device using its MAC address.
- **Run Plugin**: Placeholder for executing custom plugins (not implemented yet).
-
---

 ## Usage on the Device Listing Page

@@ -74,12 +49,39 @@ Visible properties (`CUSTPROP_show: true`) are displayed as interactive icons in
 3. **Device Removal**:
   - Enable device removal functionality using `CUSTPROP_type: delete_dev`.

+---
+
+## Defining Custom Properties
+
+Custom properties are structured as a list of objects, where each property includes the following fields:
+
+| Field             | Description                                                                 |
+|--------------------|-----------------------------------------------------------------------------|
+| `CUSTPROP_icon`    | The icon (Base64-encoded HTML) displayed for the property.                 |
+| `CUSTPROP_type`    | The action type (e.g., `show_notes`, `link`, `delete_dev`).                |
+| `CUSTPROP_name`    | A short name or title for the property.                                    |
+| `CUSTPROP_args`    | Arguments for the action (e.g., URL or modal text).                        |
+| `CUSTPROP_notes`   | Additional notes or details displayed when applicable.                    |
+| `CUSTPROP_show`    | A boolean to control visibility (`true` to show on the listing page).      |
+
+---
+
+## Available Action Types
+
+- **Show Notes**: Displays a modal with a title and additional notes.
+  - **Example**: Show firmware details or custom messages.
+- **Link**: Redirects to a specified URL in the current browser tab. (**Arguments** Needs to contain the full URL.)
+- **Link (New Tab)**: Opens a specified URL in a new browser tab. (**Arguments** Needs to contain the full URL.)
+- **Delete Device**: Deletes the device using its MAC address.
+- **Run Plugin**: Placeholder for executing custom plugins (not implemented yet).
+
+
 ---

 ## Notes

 - **Plugin Functionality**: The `run_plugin` action type is currently not implemented and will show an alert if used.
- **Custom Icons (Experimental 🧪)**: Use Base64-encoded HTML to provide custom icons for each property. You can add your icons in Setttings via the `CUSTPROP_icon` settings 
+- **Custom Icons (Experimental 🧪)**: Use Base64-encoded HTML to provide custom icons for each property. You can add your icons in Setttings via the `CUSTPROP_icon` settings
 - **Visibility Control**: Only properties with `CUSTPROP_show: true` will appear on the listing page.

 This feature provides a flexible way to enhance device management and display with interactive elements tailored to your needs.
--- a/docs/DEBUG_API_SERVER.md
+++ b/docs/DEBUG_API_SERVER.md
@@ -1,12 +1,12 @@
 # Debugging GraphQL server issues

-The GraphQL server is an API middle layer, running on it's own port specified by `GRAPHQL_PORT`, to retrieve and show the data in the UI. It can also be used to retrieve data for custom third party integarions. Check the [API documentation](./API.md) for details. 
+The GraphQL server is an API middle layer, running on it's own port specified by `GRAPHQL_PORT`, to retrieve and show the data in the UI. It can also be used to retrieve data for custom third party integarions. Check the [API documentation](./API.md) for details.

 The most common issue is that the GraphQL server doesn't start properly, usually due to a **port conflict**. If you are running multiple NetAlertX instances, make sure to use **unique ports** by changing the `GRAPHQL_PORT` setting. The default is `20212`.

 ## How to update the `GRAPHQL_PORT` in case of issues

-As a first troubleshooting step try changing the default `GRAPHQL_PORT` setting. Please remember NetAlertX is running on the host so any application uising the same port will cause issues.  
+As a first troubleshooting step try changing the default `GRAPHQL_PORT` setting. Please remember NetAlertX is running on the host so any application uising the same port will cause issues.

 ### Updating the setting via the Settings UI

@@ -14,7 +14,7 @@ Ideally use the Settings UI to update the setting under General -> Core -> Graph

 ![GrapQL settings](./img/DEBUG_API_SERVER/graphql_settings_port_token.png)

-You might need to temporarily stop other applications or NetAlertX instances causing conflicts to update the setting. The `API_TOKEN` is used to authenticate any API calls, including GraphQL requests. 
+You might need to temporarily stop other applications or NetAlertX instances causing conflicts to update the setting. The `API_TOKEN` is used to authenticate any API calls, including GraphQL requests.

 ### Updating the `app.conf` file

@@ -24,7 +24,7 @@ If the UI is not accessible, you can directly edit the `app.conf` file in your `

 ### Using a docker variable

-All application settings can also be initialized via the `APP_CONF_OVERRIDE` docker env variable. 
+All application settings can also be initialized via the `APP_CONF_OVERRIDE` docker env variable.

 ```yaml
 ...
@@ -40,7 +40,7 @@ There are several ways to check if the GraphQL server is running.

 ### Init Check

-You can navigate to Maintenance -> Init Check to see if `isGraphQLServerRunning` is ticked:
+You can navigate to System Info -> Init Check to see if `isGraphQLServerRunning` is ticked:

 ![Init Check](./img/DEBUG_API_SERVER/Init_check.png)

--- a/docs/DEBUG_INVALID_JSON.md
+++ b/docs/DEBUG_INVALID_JSON.md
@@ -3,13 +3,12 @@
 Check the the HTTP response of the failing backend call by following these steps:

 - Open developer console in your browser (usually, e. g. for Chrome, key F12 on the keyboard).
- Follow the steps in this screenshot: 
+- Follow the steps in this screenshot:

 ![F12DeveloperConsole][F12DeveloperConsole]

 - Copy the URL causing the error and enter it in the address bar of your browser directly and hit enter. The copied URLs could look something like this (notice the query strings at the end):
-  - `http://<NetAlertX URL>:20211/api/table_devices.json?nocache=1704141103121`
-  - `http://<NetAlertX URL>:20211/php/server/devices.php?action=getDevicesTotals`
+  - `http://<server>:20211/api/table_devices.json?nocache=1704141103121`


 - Post the error response in the existing issue thread on GitHub or create a new issue and include the redacted response of the failing query.
--- a/docs/DEBUG_PLUGINS.md
+++ b/docs/DEBUG_PLUGINS.md
@@ -1,15 +1,18 @@
 # Troubleshooting plugins

+> [!TIP]
+> Before troubleshooting, please ensure you have the right [Debugging and LOG_LEVEL set](./DEBUG_TIPS.md).
+
 ## High-level overview

 If a Plugin supplies data to the main app it's done either vie a SQL query or via a script that updates the `last_result.log` file in the plugin log folder (`app/log/plugins/`).

-For a more in-depth overview on how plugins work check the [Plugins development docs](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md).
+For a more in-depth overview on how plugins work check the [Plugins development docs](./PLUGINS_DEV.md).

 ### Prerequisites

 - Make sure you read and followed the specific plugin setup instructions.
- Ensure you have [debug enabled (see More Logging)](./DEBUG_TIPS.md) 
+- Ensure you have [debug enabled (see More Logging)](./DEBUG_TIPS.md)

 ### Potential issues

@@ -47,9 +50,9 @@ Input data from the plugin might cause mapping issues in specific edge cases. Lo
 17:31:05 [Plugins] history_to_insert count: 4
 17:31:05 [Plugins] objects_to_insert count: 0
 17:31:05 [Plugins] objects_to_update count: 4
-17:31:05 [Plugin utils] In pluginEvents there are 2 events with the status "watched-not-changed" 
-17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "missing-in-last-scan" 
-17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "watched-not-changed" 
+17:31:05 [Plugin utils] In pluginEvents there are 2 events with the status "watched-not-changed"
+17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "missing-in-last-scan"
+17:31:05 [Plugin utils] In pluginObjects there are 2 events with the status "watched-not-changed"
 17:31:05 [Plugins] Mapping objects to database table: CurrentScan
 17:31:05 [Plugins] SQL query for mapping: INSERT into CurrentScan ( "cur_MAC", "cur_IP", "cur_LastQuery", "cur_Name", "cur_Vendor", "cur_ScanMethod") VALUES ( ?, ?, ?, ?, ?, ?)
 17:31:05 [Plugins] SQL sqlParams for mapping: [('01:01:01:01:01:01', '172.30.0.1', 0, 'aaaa', 'vvvvvvvvv', 'PIHOLE'), ('02:42:ac:1e:00:02', '172.30.0.2', 0, 'dddd', 'vvvvv2222', 'PIHOLE')]
@@ -80,7 +83,7 @@ These values, if formatted correctly, will also show up in the UI:

 ### Sharing application state

-Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong. 
+Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong.

 1. Please set `LOG_LEVEL` to `trace` (Disable it once you have the info as this produces big log files).
 2. Wait for the issue to occur.
--- a/docs/DEBUG_TIPS.md
+++ b/docs/DEBUG_TIPS.md
@@ -1,30 +1,36 @@
 # Debugging and troubleshooting

-Please follow tips 1 - 4 to get a more detailed error. 
+Please follow tips 1 - 4 to get a more detailed error.

-## 1. More Logging 
+## 1. More Logging

 When debugging an issue always set the highest log level:

 `LOG_LEVEL='trace'`

-## 2. Surfacing errors when container restarts 
+## 2. Surfacing errors when container restarts

 Start the container via the **terminal** with a command similar to this one:

 ```bash
-docker run --rm --network=host \
-  -v /local_data_dir/netalertx/config:/data/config \
-  -v /local_data_dir/netalertx/db:/data/db \
-  -v /etc/localtime:/etc/localtime \
+docker run \
+  --network=host \
+  --restart unless-stopped \
+  -v /local_data_dir:/data \
+  -v /etc/localtime:/etc/localtime:ro \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
  -e PORT=20211 \
+  -e APP_CONF_OVERRIDE='{"GRAPHQL_PORT":"20214"}' \
  ghcr.io/jokob-sk/netalertx:latest

 ```

-> ⚠ Please note, don't use the `-d` parameter so you see the error when the container crashes. Use this error in your issue description.
+Note: Your `/local_data_dir` should contain a `config` and `db` folder.

-## 3. Check the _dev image and open issues 
+> [!NOTE]
+> ⚠ The most important part is NOT to use the `-d` parameter so you see the error when the container crashes. Use this error in your issue description.
+
+## 3. Check the _dev image and open issues

 If possible, check if your issue got fixed in the `_dev` image before opening a new issue. The container is:

@@ -34,7 +40,7 @@ If possible, check if your issue got fixed in the `_dev` image before opening a

 Please also search [open issues](https://github.com/jokob-sk/NetAlertX/issues).

-## 4. Disable restart behavior 
+## 4. Disable restart behavior

 To prevent a Docker container from automatically restarting in a Docker Compose file, specify the restart policy as `no`:

@@ -48,9 +54,14 @@ services:
    # Other service configurations...
 ```

-## 5. Sharing application state
+## 5. TMP mount directories to rule host out permission issues

-Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong. 
+Try starting the container with all data to be in non-persistent volumes. If this works, the issue might be related to the permissions of your persistent data mount locations on your server. See teh [Permissions guide](./FILE_PERMISSIONS.md) for details.
+
+
+## 6. Sharing application state
+
+Sometimes specific log sections are needed to debug issues. The Devices and CurrentScan table data is sometimes needed to figure out what's wrong.

 1. Please set `LOG_LEVEL` to `trace` (Disable it once you have the info as this produces big log files).
 2. Wait for the issue to occur.
@@ -61,4 +72,4 @@ Sometimes specific log sections are needed to debug issues. The Devices and Curr

 ## Common issues

-See [Common issues](./COMMON_ISSUES.md) for details. 
+See [Common issues](./COMMON_ISSUES.md) for additional troubleshooting tips.
--- a/docs/DEVICES_BULK_EDITING.md
+++ b/docs/DEVICES_BULK_EDITING.md
@@ -4,8 +4,8 @@ NetAlertX allows you to mass-edit devices via a CSV export and import feature, o

 ## UI multi edit

-> [!NOTE] 
-> Make sure you have your backups saved and restorable before doing any mass edits. Check [Backup strategies](./BACKUPS.md). 
+> [!NOTE]
+> Make sure you have your backups saved and restorable before doing any mass edits. Check [Backup strategies](./BACKUPS.md).

 You can select devices in the _Devices_ view by selecting devices to edit and then clicking the _Multi-edit_ button or via the _Maintenance_ > _Multi-Edit_ section.

@@ -16,23 +16,23 @@ You can select devices in the _Devices_ view by selecting devices to edit and th

 The database and device structure may change with new releases. When using the CSV import functionality, ensure the format matches what the application expects. To avoid issues, you can first export the devices and review the column formats before importing any custom data.

-> [!NOTE] 
+> [!NOTE]
 > As always, backup everything, just in case.

-1. In _Maintenance_ > _Backup / Restore_ click the _CSV Export_ button.  
+1. In _Maintenance_ > _Backup / Restore_ click the _CSV Export_ button.
 2. A `devices.csv` is generated in the `/config` folder
-3. Edit the `devices.csv` file however you like. 
+3. Edit the `devices.csv` file however you like.

 ![Maintenance > CSV Export](./img/DEVICES_BULK_EDITING/MAINTENANCE_CSV_EXPORT.png)

-> [!NOTE] 
-> The file containing a list of Devices including the Network relationships between Network Nodes and connected devices. You can also trigger this by acessing this URL: `<your netalertx url>/php/server/devices.php?action=ExportCSV` or via the `CSV Backup` plugin. (💡 You can schedule this)
+> [!NOTE]
+> The file containing a list of Devices including the Network relationships between Network Nodes and connected devices. You can also trigger this with the `CSV Backup` plugin. (💡 You can schedule this)

 ![Settings > CSV Backup](./img/DEVICES_BULK_EDITING/CSV_BACKUP_SETTINGS.png)

 ### File encoding format

-> [!NOTE] 
+> [!NOTE]
 > Keep Linux line endings (suggested editors: Nano, Notepad++)

 ![Nodepad++ line endings](./img/DEVICES_BULK_EDITING/NOTEPAD++.png)
--- a/docs/DEVICE_MANAGEMENT.md
+++ b/docs/DEVICE_MANAGEMENT.md
@@ -1,8 +1,8 @@
-# NetAlertX - Device Management
+# Device Management

 The Main Info section is where most of the device identifiable information is stored and edited. Some of the information is autodetected via various plugins. Initial values for most of the fields can be specified in the `NEWDEV` plugin.

-> [!NOTE] 
+> [!NOTE]
 >
 > You can multi-edit devices by selecting them in the main Devices view, from the Mainetence section, or via the CSV Export functionality under Maintenance. More info can be found in the [Devices Bulk-editing docs](./DEVICES_BULK_EDITING.md).

@@ -13,24 +13,24 @@ The Main Info section is where most of the device identifiable information is st

  - **MAC**: MAC addres of the device. Not editable, unless creating a new dummy device.
  - **Last IP**: IP addres of the device. Not editable, unless creating a new dummy device.
-  - **Name**: Friendly device name. Autodetected via various 🆎 Name discovery [plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md). The app attaches `(IP match)` if the name is discovered via an IP match and not MAC match which could mean the name could be incorrect as IPs might change.
-  - **Icon**: Partially autodetected. Select an existing or [add a custom icon](./ICONS.md). You can also auto-apply the same icon on all devices of the same type. 
+  - **Name**: Friendly device name. Autodetected via various 🆎 Name discovery [plugins](https://docs.netalertx.com/PLUGINS). The app attaches `(IP match)` if the name is discovered via an IP match and not MAC match which could mean the name could be incorrect as IPs might change.
+  - **Icon**: Partially autodetected. Select an existing or [add a custom icon](./ICONS.md). You can also auto-apply the same icon on all devices of the same type.
  - **Owner**: Device owner (The list is self-populated with existing owners and you can add custom values).
  - **Type**: Select a device type from the dropdown list (`Smartphone`, `Tablet`,
-      `Laptop`, `TV`, `router`, etc.) or add a new device type. If you want the device to act as a **Network device** (and be able to be a network node in the Network view), select a type under Network Devices or add a new Network Device type in Settings. More information can be found in the [Network Setup docs](./NETWORK_TREE.md). 
+      `Laptop`, `TV`, `router`, etc.) or add a new device type. If you want the device to act as a **Network device** (and be able to be a network node in the Network view), select a type under Network Devices or add a new Network Device type in Settings. More information can be found in the [Network Setup docs](./NETWORK_TREE.md).
  - **Vendor**: The manufacturing vendor. Automatically updated by NetAlertX when empty or unknown, can be edited.
  - **Group**: Select a group (`Always on`, `Personal`, `Friends`, etc.) or type
      your own Group name.
-  - **Location**: Select the location, usually a room, where the device is located (`Kitchen`, `Attic`, `Living room`, etc.) or add a custom Location.  
+  - **Location**: Select the location, usually a room, where the device is located (`Kitchen`, `Attic`, `Living room`, etc.) or add a custom Location.
  - **Comments**: Add any comments for the device, such as a serial number, or maintenance information.

-> [!NOTE] 
+> [!NOTE]
 >
-> Please note the above usage of the fields are only suggestions. You can use most of these fields for other purposes, such as storing the network interface, company owning a device, or similar. 
+> Please note the above usage of the fields are only suggestions. You can use most of these fields for other purposes, such as storing the network interface, company owning a device, or similar.

 ## Dummy devices

-You can create dummy devices from the Devices listing screen. 
+You can create dummy devices from the Devices listing screen.

 ![Create Dummy Device](./img/DEVICE_MANAGEMENT/Devices_CreateDummyDevice.png)

@@ -39,12 +39,12 @@ The **MAC** field and the **Last IP** field will then become editable.
 ![Save Dummy Device](./img/DEVICE_MANAGEMENT/DeviceEdit_SaveDummyDevice.png)


-> [!NOTE] 
+> [!NOTE]
 >
 > You can couple this with the `ICMP` plugin which can be used to monitor the status of these devices, if they are actual devices reachable with the `ping` command. If not, you can use a loopback IP address so they appear online, such as `0.0.0.0` or `127.0.0.1`.

-## Copying data from an existing device. 
+## Copying data from an existing device.

-To speed up device population you can also copy data from an existing device. This can be done from the **Tools** tab on the Device details. 
+To speed up device population you can also copy data from an existing device. This can be done from the **Tools** tab on the Device details.


--- a/docs/DOCKER_COMPOSE.md
+++ b/docs/DOCKER_COMPOSE.md
@@ -1,25 +1,23 @@
 # NetAlertX and Docker Compose

 > [!WARNING]
-> ⚠️ **Important:** The documentation has been recently updated and some instructions may have changed.  
-> If you are using the currently live production image, please follow the instructions on [Docker Hub](https://hub.docker.com/r/jokobsk/netalertx) for building and running the container.  
-> These docs reflect the latest development version and may differ from the production image.
+> ⚠️ **Important:** The docker-compose has recently changed. Carefully read the [Migration guide](https://docs.netalertx.com/MIGRATION/?h=migrat#12-migration-from-netalertx-v25524) for detailed instructions.

-Great care is taken to ensure NetAlertX meets the needs of everyone while being flexible enough for anyone. This document outlines how you can configure your docker-compose. There are many settings, so we recommend using the Baseline Docker Compose as-is, or modifying it for your system.Good care is taken to ensure NetAlertX meets the needs of everyone while being flexible enough for anyone. This document outlines how you can configure your docker-compose. There are many settings, so we recommend using the Baseline Docker Compose as-is, or modifying it for your system. 
+Great care is taken to ensure NetAlertX meets the needs of everyone while being flexible enough for anyone. This document outlines how you can configure your docker-compose. There are many settings, so we recommend using the Baseline Docker Compose as-is, or modifying it for your system.Good care is taken to ensure NetAlertX meets the needs of everyone while being flexible enough for anyone. This document outlines how you can configure your docker-compose. There are many settings, so we recommend using the Baseline Docker Compose as-is, or modifying it for your system.

-> [!NOTE] 
-> The container needs to run in `network_mode:"host"` to access Layer 2 networking such as arp, nmap and others. Due to lack of support for this feature, Windows host is not a supported operating system. 
+> [!NOTE]
+> The container needs to run in `network_mode:"host"` to access Layer 2 networking such as arp, nmap and others. Due to lack of support for this feature, Windows host is not a supported operating system.

 ## Baseline Docker Compose

-There is one baseline for NetAlertX. That's the default security-enabled official distribution. 
+There is one baseline for NetAlertX. That's the default security-enabled official distribution.

 ```yaml
 services:
  netalertx:
  #use an environmental variable to set host networking mode if needed
    container_name: netalertx                       # The name when you docker contiainer ls
-    image: ghcr.io/jokob-sk/netalertx-dev:latest
+    image: ghcr.io/jokob-sk/netalertx:latest
    network_mode: ${NETALERTX_NETWORK_MODE:-host}   # Use host networking for ARP scanning and other services

    read_only: true                                 # Make the container filesystem read-only
@@ -45,7 +43,7 @@ services:
    # - /home/user/netalertx_data:/data:rw

      - type: bind                                  # Bind mount for timezone consistency
-        source: /etc/localtime                      
+        source: /etc/localtime
        target: /etc/localtime
        read_only: true

@@ -53,24 +51,26 @@ services:
      # - path/on/host/to/dhcp.file:/resources/dhcp.file

    # tmpfs mount consolidates writable state for a read-only container and improves performance
-    # uid=20211 and gid=20211 is the netalertx user inside the container
-    # mode=1700 grants rwx------ permissions to the netalertx user only
+    # uid/gid default to the service user (NETALERTX_UID/GID, default 20211)
+    # mode=1700 grants rwx------ permissions to the runtime user only
    tmpfs:
      # Comment out to retain logs between container restarts - this has a server performance impact.
-      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      - "/tmp:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

      # Retain logs - comment out tmpfs /tmp if you want to retain logs between container restarts
      # Please note if you remove the /tmp mount, you must create and maintain sub-folder mounts.
      # - /path/on/host/log:/tmp/log
-      # - "/tmp/api:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
-      # - "/tmp/nginx:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
-      # - "/tmp/run:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      # - "/tmp/api:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      # - "/tmp/nginx:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      # - "/tmp/run:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

    environment:
      LISTEN_ADDR: ${LISTEN_ADDR:-0.0.0.0}                   # Listen for connections on all interfaces
      PORT: ${PORT:-20211}                                   # Application port
      GRAPHQL_PORT: ${GRAPHQL_PORT:-20212}                   # GraphQL API port (passed into APP_CONF_OVERRIDE at runtime)
  #    NETALERTX_DEBUG: ${NETALERTX_DEBUG:-0}                 # 0=kill all services and restart if any dies. 1 keeps running dead services.
+  #    PUID: 20211                             # Runtime PUID override, set to 0 to run as root
+  #    PGID: 20211                             # Runtime PGID override

    # Resource limits to prevent resource exhaustion
    mem_limit: 2048m            # Maximum memory usage
@@ -96,6 +96,9 @@ Run or re-run it:
 docker compose up --force-recreate
 ```

+> [!TIP]
+> Runtime UID/GID: The image ships with a service user `netalertx` (UID/GID 20211) and a readonly lock owner also at 20211 for 004/005 immutability. If you override the runtime user (compose `user:` or `NETALERTX_UID/GID` vars), ensure your `/data` volume and tmpfs mounts use matching `uid/gid` so startup checks and writable paths succeed.
+
 ### Customize with Environmental Variables

 You can override the default settings by passing environmental variables to the `docker compose up` command.
@@ -125,9 +128,9 @@ docker compose up

 ### Modification 1: Use a Local Folder (Bind Mount)

-By default, the baseline compose file uses a single named volume (netalertx_data) mounted at /data. This single-volume layout is preferred because NetAlertX manages both configuration and the database under /data (for example, /data/config and /data/db) via its web UI. Using one named volume simplifies permissions and portability: Docker manages the storage and NetAlertX manages the files inside /data.
+By default, the baseline compose file uses a single named volume (netalertx_data) mounted at `/data`. This single-volume layout is preferred because NetAlertX manages both configuration and the database under `/data` (for example, `/data/config` and `/data/db`) via its web UI. Using one named volume simplifies permissions and portability: Docker manages the storage and NetAlertX manages the files inside `/data`.

-A two-volume layout that mounts /data/config and /data/db separately (for example, netalertx_config and netalertx_db) is supported for backward compatibility and some advanced workflows, but it is an abnormal/legacy layout and not recommended for new deployments. 
+A two-volume layout that mounts `/data/config` and `/data/db` separately (for example, `netalertx_config` and `netalertx_db`) is supported for backward compatibility and some advanced workflows, but it is an abnormal/legacy layout and not recommended for new deployments.

 However, if you prefer to have direct, file-level access to your configuration for manual editing, a "bind mount" is a simple alternative. This tells Docker to use a specific folder from your computer (the "host") inside the container.

@@ -170,10 +173,6 @@ Now, any files created by NetAlertX in `/data/config` will appear in your `/loca

 This same method works for mounting other things, like custom plugins or enterprise NGINX files, as shown in the commented-out examples in the baseline file.

-## Example Configuration Summaries
-
-Here are the essential modifications for common alternative setups.
-
 ### Example 2: External `.env` File for Paths

 This method is useful for keeping your paths and other settings separate from your main compose file, making it more portable.
@@ -187,7 +186,7 @@ services:
    environment:
      - PORT=${PORT}
      - GRAPHQL_PORT=${GRAPHQL_PORT}
-      
+
 ...
 ```

--- a/docs/DOCKER_INSTALLATION.md
+++ b/docs/DOCKER_INSTALLATION.md
@@ -6,8 +6,8 @@

 # NetAlertX - Network scanner & notification framework

-| [📑 Docker guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://jokob-sk.github.io/NetAlertX/) | [🔌 Plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
-|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------| 
+| [📑 Docker guide](https://docs.netalertx.com/DOCKER_INSTALLATION) | [🚀 Releases](https://github.com/jokob-sk/NetAlertX/releases) | [📚 Docs](https://docs.netalertx.com/) | [🔌 Plugins](https://docs.netalertx.com/PLUGINS) | [🤖 Ask AI](https://gurubase.io/g/netalertx)
+|----------------------| ----------------------|  ----------------------| ----------------------| ----------------------|

 <a href="https://raw.githubusercontent.com/jokob-sk/NetAlertX/main/docs/img/GENERAL/github_social_image.jpg" target="_blank">
  <img src="https://raw.githubusercontent.com/jokob-sk/NetAlertX/main/docs/img/GENERAL/github_social_image.jpg" width="1000px" />
@@ -16,25 +16,26 @@
 Head to [https://netalertx.com/](https://netalertx.com/) for more gifs and screenshots 📷.

 > [!NOTE]
-> There is also an experimental 🧪 [bare-metal install](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md) method available. 
+> There is also an experimental 🧪 [bare-metal install](https://docs.netalertx.com/HW_INSTALL) method available.

-## 📕 Basic Usage 
+## 📕 Basic Usage

 > [!WARNING]
-> You will have to run the container on the `host` network and specify `SCAN_SUBNETS` unless you use other [plugin scanners](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md). The initial scan can take a few minutes, so please wait 5-10 minutes for the initial discovery to finish.
+> You will have to run the container on the `host` network and specify `SCAN_SUBNETS` unless you use other [plugin scanners](https://docs.netalertx.com/PLUGINS). The initial scan can take a few minutes, so please wait 5-10 minutes for the initial discovery to finish.

 ```bash
 docker run -d --rm --network=host \
-  -v /local_data_dir/config:/data/config \
-  -v /local_data_dir/db:/data/db \
+  -v /local_data_dir:/data \
  -v /etc/localtime:/etc/localtime \
-  --mount type=tmpfs,target=/tmp/api \
+  --tmpfs /tmp:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700 \
  -e PORT=20211 \
  -e APP_CONF_OVERRIDE={"GRAPHQL_PORT":"20214"} \
  ghcr.io/jokob-sk/netalertx:latest
 ```

-See alternative [docked-compose examples](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md).
+> Runtime UID/GID: The image defaults to a service user `netalertx` (UID/GID 20211). A separate readonly lock owner also uses UID/GID 20211 for 004/005 immutability. You can override the runtime UID/GID at build (ARG) or run (`--user` / compose `user:`) but must align writable mounts (`/data`, `/tmp*`) and tmpfs `uid/gid` to that choice.
+
+See alternative [docked-compose examples](https://docs.netalertx.com/DOCKER_COMPOSE).

 ### Default ports

@@ -45,11 +46,13 @@ See alternative [docked-compose examples](https://github.com/jokob-sk/NetAlertX/

 ### Docker environment variables

-| Variable | Description | Example Value |
+| Variable | Description | Example/Default Value |
 | :------------- |:------------------------| -----:|
+| `PUID`      |Runtime UID override, set to `0` to run as root. |  `20211` |
+| `PGID`      |Runtime GID override  |  `20211` |
 | `PORT`      |Port of the web interface  |  `20211` |
 | `LISTEN_ADDR`      |Set the specific IP Address for the listener address for the nginx webserver (web interface). This could be useful when using multiple subnets to hide the web interface from all untrusted networks. |  `0.0.0.0` |
-|`LOADED_PLUGINS` | Default [plugins](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md) to load. Plugins cannot be loaded with `APP_CONF_OVERRIDE`, you need to use this variable instead and then specify the plugins settings with `APP_CONF_OVERRIDE`. |  `["PIHOLE","ASUSWRT"]` |
+|`LOADED_PLUGINS` | Default [plugins](https://docs.netalertx.com/PLUGINS) to load. Plugins cannot be loaded with `APP_CONF_OVERRIDE`, you need to use this variable instead and then specify the plugins settings with `APP_CONF_OVERRIDE`. |  `["PIHOLE","ASUSWRT"]` |
 |`APP_CONF_OVERRIDE` | JSON override for settings (except `LOADED_PLUGINS`).   |  `{"SCAN_SUBNETS":"['192.168.1.0/24 --interface=eth1']","GRAPHQL_PORT":"20212"}` |
 |`ALWAYS_FRESH_INSTALL` | ⚠ If `true` will delete the content of the `/db` & `/config` folders. For testing purposes. Can be coupled with [watchtower](https://github.com/containrrr/watchtower) to have an always freshly installed `netalertx`/`netalertx-dev` image.   |    `true` |

@@ -58,49 +61,67 @@ See alternative [docked-compose examples](https://github.com/jokob-sk/NetAlertX/
 ### Docker paths

 > [!NOTE]
-> See also [Backup strategies](https://github.com/jokob-sk/NetAlertX/blob/main/docs/BACKUPS.md).   
+> See also [Backup strategies](https://docs.netalertx.com/BACKUPS).

 | Required | Path | Description |
-| :------------- | :------------- | :-------------| 
-| ✅ | `:/data/config` | Folder which will contain the `app.conf` & `devices.csv` ([read about devices.csv](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEVICES_BULK_EDITING.md)) files  | 
-| ✅ | `:/data/db` | Folder which will contain the `app.db` database file  | 
-| ✅ | `/etc/localtime:/etc/localtime:ro` | Ensuring the timezone is teh same as on teh server.  | 
-| | `:/tmp/log` |  Logs folder useful for debugging if you have issues setting up the container  | 
-| | `:/tmp/api` |  The [API endpoint](https://github.com/jokob-sk/NetAlertX/blob/main/docs/API.md) containing static (but regularly updated) json and other files. Path configurable via `NETALERTX_API` environment variable.   | 
-| | `:/app/front/plugins/<plugin>/ignore_plugin` | Map a file `ignore_plugin` to ignore a plugin. Plugins can be soft-disabled via settings. More in the [Plugin docs](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md).  | 
-| | `:/etc/resolv.conf` | Use a custom `resolv.conf` file for [better name resolution](https://github.com/jokob-sk/NetAlertX/blob/main/docs/REVERSE_DNS.md).  | 
+| :------------- | :------------- | :-------------|
+| ✅ | `:/data` | Folder which needs to contain a `/db` and `/config` sub-folders. |
+| ✅ | `/etc/localtime:/etc/localtime:ro` | Ensuring the timezone is the same as on the server.  |
+| | `:/tmp/log` |  Logs folder useful for debugging if you have issues setting up the container  |
+| | `:/tmp/api` |  The [API endpoint](https://docs.netalertx.com/API) containing static (but regularly updated) json and other files. Path configurable via `NETALERTX_API` environment variable.   |
+| | `:/app/front/plugins/<plugin>/ignore_plugin` | Map a file `ignore_plugin` to ignore a plugin. Plugins can be soft-disabled via settings. More in the [Plugin docs](https://docs.netalertx.com/PLUGINS).  |
+| | `:/etc/resolv.conf` | Use a custom `resolv.conf` file for [better name resolution](https://docs.netalertx.com/REVERSE_DNS).  |

-> Use separate `db` and `config` directories, do not nest them.
+### Folder structure
+
+Use separate `db` and `config` directories, do not nest them:
+
+```
+data
+├── config
+└── db
+```
+
+### Permissions
+
+If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+
+```bash
+# Use the runtime UID/GID you intend to run with (default 20211:20211)
+sudo chown -R ${NETALERTX_UID:-20211}:${NETALERTX_GID:-20211} /local_data_dir
+sudo chmod -R a+rwx /local_data_dir
+```

 ### Initial setup

 - If unavailable, the app generates a default `app.conf` and `app.db` file on the first run.
- The preferred way is to manage the configuration via the Settings section in the UI, if UI is inaccessible you can modify [app.conf](https://github.com/jokob-sk/NetAlertX/tree/main/back) in the `/data/config/` folder directly 
+- The preferred way is to manage the configuration via the Settings section in the UI, if UI is inaccessible you can modify [app.conf](https://github.com/jokob-sk/NetAlertX/tree/main/back) in the `/data/config/` folder directly
+

 #### Setting up scanners

-You have to specify which network(s) should be scanned. This is done by entering subnets that are accessible from the host. If you use the default `ARPSCAN` plugin, you have to specify at least one valid subnet and interface in the `SCAN_SUBNETS` setting. See the documentation on [How to set up multiple SUBNETS, VLANs and what are limitations](https://github.com/jokob-sk/NetAlertX/blob/main/docs/SUBNETS.md) for troubleshooting and more advanced scenarios. 
+You have to specify which network(s) should be scanned. This is done by entering subnets that are accessible from the host. If you use the default `ARPSCAN` plugin, you have to specify at least one valid subnet and interface in the `SCAN_SUBNETS` setting. See the documentation on [How to set up multiple SUBNETS, VLANs and what are limitations](https://docs.netalertx.com/SUBNETS) for troubleshooting and more advanced scenarios.

-If you are running PiHole you can synchronize devices directly. Check the [PiHole configuration guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PIHOLE_GUIDE.md) for details. 
+If you are running PiHole you can synchronize devices directly. Check the [PiHole configuration guide](https://docs.netalertx.com/PIHOLE_GUIDE) for details.

 > [!NOTE]
-> You can bulk-import devices via the [CSV import method](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEVICES_BULK_EDITING.md).
+> You can bulk-import devices via the [CSV import method](https://docs.netalertx.com/DEVICES_BULK_EDITING).

 #### Community guides

-You can read or watch several [community configuration guides](https://github.com/jokob-sk/NetAlertX/blob/main/docs/COMMUNITY_GUIDES.md) in Chinese, Korean, German, or French. 
+You can read or watch several [community configuration guides](https://docs.netalertx.com/COMMUNITY_GUIDES) in Chinese, Korean, German, or French.
+
+> Please note these might be outdated. Rely on official documentation first.

-> Please note these might be outdated. Rely on official documentation first. 
- 
 #### Common issues

- Before creating a new issue, please check if a similar issue was [already resolved](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue+is%3Aclosed). 
- Check also common issues and [debugging tips](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DEBUG_TIPS.md). 
+- Before creating a new issue, please check if a similar issue was [already resolved](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue+is%3Aclosed).
+- Check also common issues and [debugging tips](https://docs.netalertx.com/DEBUG_TIPS).

-## 💙 Support me 
+## 💙 Support me

-| [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) | 
-| --- | --- | --- | 
+| [![GitHub](https://i.imgur.com/emsRCPh.png)](https://github.com/sponsors/jokob-sk) | [![Buy Me A Coffee](https://i.imgur.com/pIM6YXL.png)](https://www.buymeacoffee.com/jokobsk) | [![Patreon](https://i.imgur.com/MuYsrq1.png)](https://www.patreon.com/user?u=84385063) |
+| --- | --- | --- |

 - Bitcoin: `1N8tupjeCK12qRVU2XrV17WvKK7LCawyZM`
 - Ethereum: `0x6e2749Cb42F4411bc98501406BdcD82244e3f9C7`
--- a/docs/DOCKER_MAINTENANCE.md
+++ b/docs/DOCKER_MAINTENANCE.md
@@ -1,20 +1,18 @@
 # The NetAlertX Container Operator's Guide

 > [!WARNING]
-> ⚠️ **Important:** The documentation has been recently updated and some instructions may have changed.  
-> If you are using the currently live production image, please follow the instructions on [Docker Hub](https://hub.docker.com/r/jokobsk/netalertx) for building and running the container.  
-> These docs reflect the latest development version and may differ from the production image.
+> ⚠️ **Important:** The docker-compose has recently changed. Carefully read the [Migration guide](https://docs.netalertx.com/MIGRATION/?h=migrat#12-migration-from-netalertx-v25524) for detailed instructions.

 This guide assumes you are starting with the official `docker-compose.yml` file provided with the project. We strongly recommend you start with or migrate to this file as your baseline and modify it to suit your specific needs (e.g., changing file paths). While there are many ways to configure NetAlertX, the default file is designed to meet the mandatory security baseline with layer-2 networking capabilities while operating securely and without startup warnings.

 This guide provides direct, concise solutions for common NetAlertX administrative tasks. It is structured to help you identify a problem, implement the solution, and understand the details.

 ## Guide Contents
- 
- Using a Local Folder for Configuration  
- Migrating from a Local Folder to a Docker Volume  
- Applying a Custom Nginx Configuration  
- Mounting Additional Files for Plugins  
+
+- Using a Local Folder for Configuration
+- Migrating from a Local Folder to a Docker Volume
+- Applying a Custom Nginx Configuration
+- Mounting Additional Files for Plugins


 > [!NOTE]
--- a/docs/DOCKER_PORTAINER.md
+++ b/docs/DOCKER_PORTAINER.md
@@ -34,30 +34,26 @@ Copy and paste the following YAML into the **Web editor**:
 services:
  netalertx:
    container_name: netalertx
-
    # Use this line for stable release
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-
+    image: "ghcr.io/jokob-sk/netalertx:latest"
    # Or, use this for the latest development build
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
    network_mode: "host"
    restart: unless-stopped
-
+    cap_drop:       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:        # Re-add necessary capabilities
+      - NET_RAW
+      - NET_ADMIN
+      - NET_BIND_SERVICE
    volumes:
      - ${APP_FOLDER}/netalertx/config:/data/config
      - ${APP_FOLDER}/netalertx/db:/data/db
-      # Optional: logs (useful for debugging setup issues, comment out for performance)
-      - ${APP_FOLDER}/netalertx/log:/tmp/log
-
-      # API storage options:
-      # (Option 1) tmpfs (default, best performance)
-      - type: tmpfs
-        target: /tmp/api
-
-      # (Option 2) bind mount (useful for debugging)
-      # - ${APP_FOLDER}/netalertx/api:/tmp/api
-
+      # to sync with system time
+      - /etc/localtime:/etc/localtime:ro
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
      - PORT=${PORT}
      - APP_CONF_OVERRIDE=${APP_CONF_OVERRIDE}
@@ -78,11 +74,12 @@ In the **Environment variables** section of Portainer, add the following:
 ## 5. Ensure permissions

 > [!TIP]
-> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located). 
->  ```bash
->  sudo chown -R 20211:20211 /local_data_dir
->  sudo chmod -R a+rwx  /local_data_dir
->  ```
+> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+>
+>  `sudo chown -R 20211:20211 /local_data_dir`
+>
+>  `sudo chmod -R a+rwx  /local_data_dir`
+>


 ---
@@ -104,4 +101,4 @@ http://<your-docker-host-ip>:22022
 * Check logs via Portainer → **Containers** → `netalertx` → **Logs**.
 * Logs are stored under `${APP_FOLDER}/netalertx/log` if you enabled that volume.

-Once the application is running, configure it by reading the [initial setup](INITIAL_SETUP.md) guide, or [troubleshoot common issues](COMMON_ISSUES.md). 
+Once the application is running, configure it by reading the [initial setup](INITIAL_SETUP.md) guide, or [troubleshoot common issues](COMMON_ISSUES.md).
--- a/docs/DOCKER_SWARM.md
+++ b/docs/DOCKER_SWARM.md
@@ -1,5 +1,9 @@
 # Docker Swarm Deployment Guide (IPvlan)

+> [!NOTE]
+> This is community-contributed. Due to environment, setup, or networking differences, results may vary. Please open a PR to improve it instead of creating an issue, as the maintainer is not actively maintaining it.
+
+
 This guide describes how to deploy **NetAlertX** in a **Docker Swarm** environment using an `ipvlan` network. This enables the container to receive a LAN IP address directly, which is ideal for network monitoring.

 ---
@@ -41,15 +45,7 @@ Use the following Compose snippet to deploy NetAlertX with a **static LAN IP** a
 services:
  netalertx:
    image: ghcr.io/jokob-sk/netalertx:latest
-    ports:
-      - 20211:20211
-    volumes:
-      - /mnt/YOUR_SERVER/netalertx/config:/data/config:rw
-      - /mnt/YOUR_SERVER/netalertx/db:/netalertx/data/db:rw
-      - /mnt/YOUR_SERVER/netalertx/logs:/netalertx/tmp/log:rw
-      - /etc/localtime:/etc/localtime:ro
-    environment:
-      - PORT=20211
+...
    networks:
      swarm-ipvlan:
        ipv4_address: 192.168.1.240     # ⚠️ Choose a free IP from your LAN
@@ -76,4 +72,3 @@ networks:
 * Make sure the assigned IP (`192.168.1.240` above) is not in use or managed by DHCP.
 * You may also use a node label constraint instead of `node.role == manager` for more control.

-
--- a/docs/FILE_PERMISSIONS.md
+++ b/docs/FILE_PERMISSIONS.md
@@ -1,8 +1,23 @@
 # Managing File Permissions for NetAlertX on a Read-Only Container

+Sometimes, permission issues arise if your existing host directories were created by a previous container running as root or another UID. The container will fail to start with "Permission Denied" errors.
+
 > [!TIP]
 > NetAlertX runs in a **secure, read-only Alpine-based container** under a dedicated `netalertx` user (UID 20211, GID 20211). All writable paths are either mounted as **persistent volumes** or **`tmpfs` filesystems**. This ensures consistent file ownership and prevents privilege escalation.

+Try starting the container with all data to be in non-persistent volumes. If this works, the issue might be related to the permissions of your persistent data mount locations on your server.
+
+```bash
+docker run --rm --network=host \
+  -v /etc/localtime:/etc/localtime:ro \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
+  -e PORT=20211 \
+  ghcr.io/jokob-sk/netalertx:latest
+```
+
+> [!WARNING]
+> The above should be only used as a test - once the container restarts, all data is lost.
+
 ---

 ## Writable Paths
@@ -23,11 +38,27 @@ NetAlertX requires certain paths to be writable at runtime. These paths should b

 > All these paths will have **UID 20211 / GID 20211** inside the container. Files on the host will appear owned by `20211:20211`.

---
+## Running as `root`

-## Fixing Permission Problems
+You can override the default PUID and PGID using environment variables:

-Sometimes, permission issues arise if your existing host directories were created by a previous container running as root or another UID. The container will fail to start with "Permission Denied" errors.
+```yaml
+...
+  environment:
+      PUID: 20211                             # Runtime PUID override, set to 0 to run as root
+      PGID: 20211                             # Runtime PGID override
+...
+```
+
+To run as the root user, it usually looks like this (verify the IDs on your server first by executing `id root`):
+
+```yaml
+...
+  environment:
+      PUID: 0                             # Runtime PUID override, set to 0 to run as root
+      PGID: 100                           # Runtime PGID override
+...
+```

 ### Solution

@@ -35,8 +66,8 @@ Sometimes, permission issues arise if your existing host directories were create

 ```bash
 docker run -it --rm --name netalertx --user "0" \
-  -v /local_data_dir/config:/data/config \
-  -v /local_data_dir/db:/data/db \
+  -v /local_data_dir:/data \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
  ghcr.io/jokob-sk/netalertx:latest
 ```

@@ -47,11 +78,12 @@ docker run -it --rm --name netalertx --user "0" \
 > The container startup script detects `root` and runs `chown -R 20211:20211` on all volumes, fixing ownership for the secure `netalertx` user.

 > [!TIP]
-> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located). 
->  ```bash
->  sudo chown -R 20211:20211 /local_data_dir
->  sudo chmod -R a+rwx  /local_data_dir
->  ```
+> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+>
+>  `sudo chown -R 20211:20211 /local_data_dir`
+>
+>  `sudo chmod -R a+rwx  /local_data_dir`
+>

 ---

@@ -59,22 +91,21 @@ docker run -it --rm --name netalertx --user "0" \

 ```yaml
 services:
-  netalertx:                                  
-    container_name: netalertx                
-    image: "ghcr.io/jokob-sk/netalertx"  
-    network_mode: "host"      
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx"
+    network_mode: "host"
    cap_drop:                                       # Drop all capabilities for enhanced security
-      - ALL 
+      - ALL
    cap_add:                                        # Add only the necessary capabilities
      - NET_ADMIN                                   # Required for ARP scanning
      - NET_RAW                                     # Required for raw socket operations
      - NET_BIND_SERVICE                            # Required to bind to privileged ports (nbtscan)
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/data/config         
-      - /local_data_dir/db:/data/db       
-      - /etc/localtime:/etc/localtime          
-    environment: 
+      - /local_data_dir:/data
+      - /etc/localtime:/etc/localtime
+    environment:
      - PORT=20211
    tmpfs:
      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
--- a/docs/HELPER_SCRIPTS.md
+++ b/docs/HELPER_SCRIPTS.md
@@ -1,4 +1,4 @@
-# NetAlertX Community Helper Scripts Overview
+# Community Helper Scripts Overview

 This page provides an overview of community-contributed scripts for NetAlertX. These scripts are not actively maintained and are provided as-is.

@@ -14,8 +14,8 @@ You can find all scripts in this [scripts GitHub folder](https://github.com/joko

 ## Important Notes

-> [!NOTE]  
-> These scripts are community-supplied and not actively maintained. Use at your own discretion.  
+> [!NOTE]
+> These scripts are community-supplied and not actively maintained. Use at your own discretion.

 For detailed usage instructions, refer to each script's documentation in each [scripts GitHub folder](https://github.com/jokob-sk/NetAlertX/tree/main/scripts).

--- a/docs/HW_INSTALL.md
+++ b/docs/HW_INSTALL.md
@@ -5,7 +5,7 @@ To download and install NetAlertX on the hardware/server directly use the `curl`
 > [!NOTE]
 > This is an Experimental feature 🧪 and it relies on community support.
 >
-> 🙏 Looking for maintainers for this installation method 🙂 Current community volunteers: 
+> 🙏 Looking for maintainers for this installation method 🙂 Current community volunteers:
 >   - [slammingprogramming](https://github.com/slammingprogramming)
 >   - [ingoratsdorf](https://github.com/ingoratsdorf)
 >
@@ -13,8 +13,7 @@ To download and install NetAlertX on the hardware/server directly use the `curl`
 > Data loss is a possibility, **it is recommended to install NetAlertX using the supplied Docker image**.

 > [!WARNING]
-> A warning to the installation method below: Piping to bash is [controversial](https://pi-hole.net/2016/07/25/curling-and-piping-to-bash) and may
-be dangerous, as you cannot see the code that's about to be executed on your system.
+> A warning to the installation method below: Piping to bash is [controversial](https://pi-hole.net/2016/07/25/curling-and-piping-to-bash) and may be dangerous, as you cannot see the code that's about to be executed on your system.

 If you trust this repo, you can download the install script via one of the methods (curl/wget) below and it will fo its best to install NetAlertX on your system.

@@ -40,7 +39,7 @@ Some facts about what and where something will be changed/installed by the HW in
 - Only tested to work on the system listed in the install directory.
 - **EXPERIMENTAL** and not recommended way to install NetAlertX.

-> [!TIP]  
+> [!TIP]
 > If the below fails try grabbing and installing one of the [previous releases](https://github.com/jokob-sk/NetAlertX/releases) and run the installation from the zip package.

 These commands will download the `install.debian12.sh` script from the GitHub repository, make it executable with `chmod`, and then run it using `./install.debian12.sh`.
@@ -81,7 +80,7 @@ wget https://raw.githubusercontent.com/jokob-sk/NetAlertX/main/install/ubuntu24/

 > [!NOTE]
 > Use this on a clean LXC/VM for Debian 13 OR Ubuntu 24.
-> The Scipt will detect OS and build acordingly. 
+> The Scipt will detect OS and build acordingly.
 > Maintained by [JVKeller](https://github.com/JVKeller)

 ### Installation via wget
--- a/docs/INSTALLATION.md
+++ b/docs/INSTALLATION.md
@@ -2,24 +2,24 @@

 ## Installation options

-NetAlertX can be installed several ways. The best supported option is Docker, followed by a supervised Home Assistant instance, as an Unraid app, and lastly, on bare metal. 
+NetAlertX can be installed several ways. The best supported option is Docker, followed by a supervised Home Assistant instance, as an Unraid app, and lastly, on bare metal.

- [[Installation] Docker (recommended)](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_INSTALLATION.md) 
- [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx) 
- [[Installation] Unraid App](https://unraid.net/community/apps) 
- [[Installation] Bare metal (experimental - looking for maintainers)](https://github.com/jokob-sk/NetAlertX/blob/main/docs/HW_INSTALL.md) 
+- [[Installation] Docker (recommended)](https://docs.netalertx.com/DOCKER_INSTALLATION)
+- [[Installation] Home Assistant](https://github.com/alexbelgium/hassio-addons/tree/master/netalertx)
+- [[Installation] Unraid App](https://unraid.net/community/apps)
+- [[Installation] Bare metal (experimental - looking for maintainers)](https://docs.netalertx.com/HW_INSTALL)


 ## Help

-If facing issues, please spend a few minutes seraching. 
+If facing issues, please spend a few minutes seraching.

 - Check [common issues](./COMMON_ISSUES.md)
- Have a look at [Community guides](./COMMUNITY_GUIDES.md) 
- [Search closed or open issues or discussions](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue) 
+- Have a look at [Community guides](./COMMUNITY_GUIDES.md)
+- [Search closed or open issues or discussions](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue)
 - Check [Discord](https://discord.gg/NczTUTWyRr)

 > [!NOTE]
-> If you can't find a solution anywhere, ask in Discord if you think it's a quick question, otherwise open a new [issue](https://github.com/jokob-sk/NetAlertX/issues/new?template=setup-help.yml). Please fill in as much as possible to speed up the help process. 
+> If you can't find a solution anywhere, ask in Discord if you think it's a quick question, otherwise open a new [issue](https://github.com/jokob-sk/NetAlertX/issues/new?template=setup-help.yml). Please fill in as much as possible to speed up the help process.
 >

--- a/docs/MIGRATION.md
+++ b/docs/MIGRATION.md
@@ -1,10 +1,4 @@
-# Migration 
-
-> [!WARNING]
-> ⚠️ **Important:** The documentation has been recently updated and some instructions may have changed.  
-> If you are using the currently live production image, please follow the instructions on [Docker Hub](https://hub.docker.com/r/jokobsk/netalertx) for building and running the container.  
-> These docs reflect the latest development version and may differ from the production image.
-
+# Migration

 When upgrading from older versions of NetAlertX (or PiAlert by jokob-sk), follow the migration steps below to ensure your data and configuration are properly transferred.

@@ -13,13 +7,13 @@ When upgrading from older versions of NetAlertX (or PiAlert by jokob-sk), follow

 ## Migration scenarios

- You are running PiAlert (by jokob-sk)  
+- You are running PiAlert (by jokob-sk)
  → [Read the 1.1 Migration from PiAlert to NetAlertX `v25.5.24`](#11-migration-from-pialert-to-netalertx-v25524)

- You are running NetAlertX (by jokob-sk) `25.5.24` or older  
+- You are running NetAlertX (by jokob-sk) `25.5.24` or older
  → [Read the 1.2 Migration from NetAlertX `v25.5.24`](#12-migration-from-netalertx-v25524)

- You are running NetAlertX (by jokob-sk) (`v25.6.7` to `v25.10.1`)  
+- You are running NetAlertX (by jokob-sk) (`v25.6.7` to `v25.10.1`)
  → [Read the 1.3 Migration from NetAlertX `v25.10.1`](#13-migration-from-netalertx-v25101)


@@ -30,40 +24,40 @@ You can migrate data manually, for example by exporting and importing devices us

 ### 1.1 Migration from PiAlert to NetAlertX `v25.5.24`

-#### STEPS: 
+#### STEPS:

 The application will automatically migrate the database, configuration, and all device information.
 A banner message will appear at the top of the web UI reminding you to update your Docker mount points.

-1. Stop the container 
-2. [Back up your setup](./BACKUPS.md) 
-3. Update the Docker file mount locations in your `docker-compose.yml` or docker run command (See below **New Docker mount locations**). 
+1. Stop the container
+2. [Back up your setup](./BACKUPS.md)
+3. Update the Docker file mount locations in your `docker-compose.yml` or docker run command (See below **New Docker mount locations**).
 4. Rename the DB and conf files to `app.db` and `app.conf` and place them in the appropriate location.
 5. Start the container


-> [!TIP] 
-> If you have trouble accessing past backups, config or database files you can copy them into the newly mapped directories, for example by running this command in the container:  `cp -r /data/config /home/pi/pialert/config/old_backup_files`. This should create a folder in the `config` directory called `old_backup_files` containing all the files in that location. Another approach is to map the old location and the new one at the same time to copy things over. 
+> [!TIP]
+> If you have trouble accessing past backups, config or database files you can copy them into the newly mapped directories, for example by running this command in the container:  `cp -r /data/config /home/pi/pialert/config/old_backup_files`. This should create a folder in the `config` directory called `old_backup_files` containing all the files in that location. Another approach is to map the old location and the new one at the same time to copy things over.

 #### New Docker mount locations

 The internal application path in the container has changed from `/home/pi/pialert` to `/app`. Update your volume mounts as follows:

- | Old mount point | New mount point | 
- |----------------------|---------------| 
+ | Old mount point | New mount point |
+ |----------------------|---------------|
 | `/home/pi/pialert/config` | `/data/config` |
 | `/home/pi/pialert/db` | `/data/db` |


 If you were mounting files directly, please note the file names have changed:

- | Old file name | New file name | 
- |----------------------|---------------| 
+ | Old file name | New file name |
+ |----------------------|---------------|
 | `pialert.conf` | `app.conf` |
 | `pialert.db` | `app.db` |


-> [!NOTE] 
+> [!NOTE]
 > The application automatically creates symlinks from the old database and config locations to the new ones, so data loss should not occur. Read the [backup strategies](./BACKUPS.md) guide to backup your setup.


@@ -80,17 +74,17 @@ services:
  pialert:
    container_name: pialert
    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "jokobsk/pialert:latest"      
-    network_mode: "host"        
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
+    image: "jokobsk/pialert:latest"
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/home/pi/pialert/config  
-      - /local_data_dir/db:/home/pi/pialert/db         
+      - /local_data_dir/config:/home/pi/pialert/config
+      - /local_data_dir/db:/home/pi/pialert/db
      # (optional) useful for debugging if you have issues setting up the container
      - /local_data_dir/logs:/home/pi/pialert/front/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

@@ -98,26 +92,26 @@ services:

 ```yaml
 services:
-  netalertx:                                  # 🆕 This has changed  
-    container_name: netalertx                 # 🆕 This has changed  
-    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This has changed  
-    network_mode: "host"        
+  netalertx:                                  # 🆕 This has changed
+    container_name: netalertx                 # 🆕 This has changed
+    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This has changed
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/data/config         # 🆕 This has changed  
-      - /local_data_dir/db:/data/db                 # 🆕 This has changed  
+      - /local_data_dir/config:/data/config         # 🆕 This has changed
+      - /local_data_dir/db:/data/db                 # 🆕 This has changed
      # (optional) useful for debugging if you have issues setting up the container
-      - /local_data_dir/logs:/tmp/log        # 🆕 This has changed  
+      - /local_data_dir/logs:/tmp/log        # 🆕 This has changed
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```


 ##### Example 2: Mapping files

-> [!NOTE] 
-> The recommendation is to map folders as in Example 1, map files directly only when needed. 
+> [!NOTE]
+> The recommendation is to map folders as in Example 1, map files directly only when needed.

 ###### Old docker-compose.yml

@@ -126,17 +120,17 @@ services:
  pialert:
    container_name: pialert
    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "jokobsk/pialert:latest"      
-    network_mode: "host"        
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
+    image: "jokobsk/pialert:latest"
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config/pialert.conf:/home/pi/pialert/config/pialert.conf  
-      - /local_data_dir/db/pialert.db:/home/pi/pialert/db/pialert.db         
+      - /local_data_dir/config/pialert.conf:/home/pi/pialert/config/pialert.conf
+      - /local_data_dir/db/pialert.db:/home/pi/pialert/db/pialert.db
      # (optional) useful for debugging if you have issues setting up the container
      - /local_data_dir/logs:/home/pi/pialert/front/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

@@ -144,18 +138,18 @@ services:

 ```yaml
 services:
-  netalertx:                                  # 🆕 This has changed  
-    container_name: netalertx                 # 🆕 This has changed  
-    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This has changed  
-    network_mode: "host"        
+  netalertx:                                  # 🆕 This has changed
+    container_name: netalertx                 # 🆕 This has changed
+    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This has changed
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config/app.conf:/data/config/app.conf # 🆕 This has changed  
-      - /local_data_dir/db/app.db:/data/db/app.db             # 🆕 This has changed  
+      - /local_data_dir/config/app.conf:/data/config/app.conf # 🆕 This has changed
+      - /local_data_dir/db/app.db:/data/db/app.db             # 🆕 This has changed
      # (optional) useful for debugging if you have issues setting up the container
-      - /local_data_dir/logs:/tmp/log                  # 🆕 This has changed  
+      - /local_data_dir/logs:/tmp/log                  # 🆕 This has changed
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

@@ -164,13 +158,13 @@ services:

 Versions before `v25.10.1` require an intermediate migration through `v25.5.24` to ensure database compatibility. Skipping this step may cause compatibility issues due to database schema changes introduced after `v25.5.24`.

-#### STEPS: 
+#### STEPS:

-1. Stop the container 
-2. [Back up your setup](./BACKUPS.md) 
+1. Stop the container
+2. [Back up your setup](./BACKUPS.md)
 3. Upgrade to `v25.5.24` by pinning the release version (See Examples below)
 4. Start the container and verify everything works as expected.
-5. Stop the container 
+5. Stop the container
 6. Upgrade to `v25.10.1` by pinning the release version (See Examples below)
 7. Start the container and verify everything works as expected.

@@ -184,109 +178,84 @@ Examples of docker files with the tagged version.

 ```yaml
 services:
-  netalertx:                                  
-    container_name: netalertx                
-    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This is important  
-    network_mode: "host"        
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx:25.5.24"         # 🆕 This is important
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/data/config         
-      - /local_data_dir/db:/data/db                 
+      - /local_data_dir/config:/data/config
+      - /local_data_dir/db:/data/db
      # (optional) useful for debugging if you have issues setting up the container
-      - /local_data_dir/logs:/tmp/log        
+      - /local_data_dir/logs:/tmp/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

 ```yaml
 services:
-  netalertx:                                  
-    container_name: netalertx                
-    image: "ghcr.io/jokob-sk/netalertx:25.10.1"         # 🆕 This is important  
-    network_mode: "host"        
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx:25.10.1"         # 🆕 This is important
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/data/config         
-      - /local_data_dir/db:/data/db                 
+      - /local_data_dir/config:/data/config
+      - /local_data_dir/db:/data/db
      # (optional) useful for debugging if you have issues setting up the container
-      - /local_data_dir/logs:/tmp/log        
+      - /local_data_dir/logs:/tmp/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

 ### 1.3 Migration from NetAlertX `v25.10.1`

-Starting from v25.10.1, the container uses a [more secure, read-only runtime environment](./SECURITY_FEATURES.md), which requires all writable paths (e.g., logs, API cache, temporary data) to be mounted as `tmpfs` or permanent writable volumes, with sufficient access [permissions](./FILE_PERMISSIONS.md). 
+Starting from v25.10.1, the container uses a [more secure, read-only runtime environment](./SECURITY_FEATURES.md), which requires all writable paths (e.g., logs, API cache, temporary data) to be mounted as `tmpfs` or permanent writable volumes, with sufficient access [permissions](./FILE_PERMISSIONS.md). The data location has also hanged from `/app/db` and `/app/config` to `/data/db` and `/data/config`. See detailed steps below.

-#### STEPS: 
+#### STEPS:

-1. Stop the container 
-2. [Back up your setup](./BACKUPS.md) 
+1. Stop the container
+2. [Back up your setup](./BACKUPS.md)
 3. Upgrade to `v25.10.1` by pinning the release version (See the example below)

 ```yaml
 services:
-  netalertx:                                  
-    container_name: netalertx                
-    image: "ghcr.io/jokob-sk/netalertx:25.10.1"         # 🆕 This is important  
-    network_mode: "host"        
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx:25.10.1"         # 🆕 This is important
+    network_mode: "host"
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/data/config         
-      - /local_data_dir/db:/data/db                 
+      - /local_data_dir/config:/app/config
+      - /local_data_dir/db:/app/db
      # (optional) useful for debugging if you have issues setting up the container
-      - /local_data_dir/logs:/tmp/log        
+      - /local_data_dir/logs:/tmp/log
    environment:
-      - TZ=Europe/Berlin      
+      - TZ=Europe/Berlin
      - PORT=20211
 ```

 4. Start the container and verify everything works as expected.
 5. Stop the container.
-6. Perform a one-off migration to the latest `netalertx` image and `20211` user:
-
-> [!NOTE]
-> The example below assumes your `/config` and `/db` folders are stored in `local_data_dir`.  
-> Replace this path with your actual configuration directory. `netalertx` is the container name, which might differ from your setup.
-
-```sh
-docker run -it --rm --name netalertx --user "0" \
-  -v /local_data_dir/config:/data/config \
-  -v /local_data_dir/db:/data/db \
-  ghcr.io/jokob-sk/netalertx:latest
-```
-
-..or alternatively execute:
-
-```bash
-sudo chown -R 20211:20211 /local_data_dir/config
-sudo chown -R 20211:20211 /local_data_dir/db
-sudo chmod -R a+rwx /local_data_dir/
-```
-
-7. Stop the container
-8. Update the `docker-compose.yml` as per example below.
+6. Update the `docker-compose.yml` as per example below.

 ```yaml
 services:
-  netalertx:                                  
-    container_name: netalertx                
-    image: "ghcr.io/jokob-sk/netalertx"  # 🆕 This is important  
-    network_mode: "host"  
+  netalertx:
+    container_name: netalertx
+    image: "ghcr.io/jokob-sk/netalertx"  # 🆕 This has changed
+    network_mode: "host"
    cap_drop:                # 🆕 New line
      - ALL                  # 🆕 New line
    cap_add:                 # 🆕 New line
-      - NET_RAW              # 🆕 New line 
+      - NET_RAW              # 🆕 New line
      - NET_ADMIN            # 🆕 New line
-      - NET_BIND_SERVICE     # 🆕 New line 
+      - NET_BIND_SERVICE     # 🆕 New line
    restart: unless-stopped
    volumes:
-      - /local_data_dir/config:/data/config         
-      - /local_data_dir/db:/data/db                 
-      # (optional) useful for debugging if you have issues setting up the container
-      #- /local_data_dir/logs:/tmp/log  
+      - /local_data_dir:/data  # 🆕 This folder contains your /db and /config directories and the parent changed from /app to /data
      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
      - /etc/localtime:/etc/localtime:ro    # 🆕 New line
    environment:
@@ -297,5 +266,36 @@ services:
      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    # 🆕 New "tmpfs" section END  🔼
 ```
+7. Perform a one-off migration to the latest `netalertx` image and `20211` user.
+
+> [!NOTE]
+> The examples below assumes your `/config` and `/db` folders are stored in `local_data_dir`.
+> Replace this path with your actual configuration directory. `netalertx` is the container name, which might differ from your setup.
+
+**Automated approach**:
+
+Run the container with the `--user "0"` parameter. Please note, some systems will require the manual approach below.
+
+```sh
+docker run -it --rm --name netalertx --user "0" \
+  -v /local_data_dir/config:/app/config \
+  -v /local_data_dir/db:/app/db \
+  -v /local_data_dir:/data \
+  --tmpfs /tmp:uid=20211,gid=20211,mode=1700 \
+  ghcr.io/jokob-sk/netalertx:latest
+```
+
+Stop the container and run it as you would normally.
+
+**Manual approach**:
+
+Use the manual approach if the Automated approach fails. Execute the below commands:
+
+```bash
+sudo chown -R 20211:20211 /local_data_dir
+sudo chmod -R a+rwx /local_data_dir
+```
+
+8. Start the container and verify everything works as expeexpected.
+9. Check the [Permissions -> Writable-paths](https://docs.netalertx.com/FILE_PERMISSIONS/#writable-paths) what directories to mount if you'd like to access the API or log files.

-9. Start the container and verify everything works as expected.
--- a/docs/NETWORK_TREE.md
+++ b/docs/NETWORK_TREE.md
@@ -1,6 +1,6 @@
-## How to Set Up Your Network Page
+# How to Set Up Your Network Page

-The **Network** page lets you map how devices connect — visually and logically.  
+The **Network** page lets you map how devices connect — visually and logically.
 It’s especially useful for planning infrastructure, assigning parent-child relationships, and spotting gaps.

 ![Network tree details](./img/NETWORK_TREE/Network_Sample.png)
@@ -9,11 +9,11 @@ To get started, you’ll need to define at least one root node and mark certain

 ---

-Start by creating a root device with the MAC address `Internet`, if the application didn’t create one already.  
-This special MAC address (`Internet`) is required for the root network node — no other value is currently supported.  
+Start by creating a root device with the MAC address `Internet`, if the application didn’t create one already.
+This special MAC address (`Internet`) is required for the root network node — no other value is currently supported.
 Set its **Type** to a valid network type — such as `Router` or `Gateway`.

-> [!TIP]  
+> [!TIP]
 > If you don’t have one, use the [Create new device](./DEVICE_MANAGEMENT.md#dummy-devices) button on the **Devices** page to add a root device.

 ---
@@ -21,15 +21,15 @@ Set its **Type** to a valid network type — such as `Router` or `Gateway`.
 ## ⚡ Quick Setup

 1. Open the device you want to use as a network node (e.g. a Switch).
-2. Set its **Type** to one of the following:  
-   `AP`, `Firewall`, `Gateway`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`  
+2. Set its **Type** to one of the following:
+   `AP`, `Firewall`, `Gateway`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`
   *(Or add custom types under **Settings → General → `NETWORK_DEVICE_TYPES`**.)*
 3. Save the device.
 4. Go to the **Network** page — supported device types will appear as tabs.
 5. Use the **Assign** button to connect unassigned devices to a network node.
 6. If the **Port** is `0` or empty, a Wi-Fi icon is shown. Otherwise, an Ethernet icon appears.

-> [!NOTE]  
+> [!NOTE]
 > Use [bulk editing](./DEVICES_BULK_EDITING.md) with _CSV Export_ to fix `Internet` root assignments or update many devices at once.

 ---
@@ -42,20 +42,22 @@ Let’s walk through setting up a device named `raspberrypi` to act as a network

 ### 1. Set Device Type and Parent

- Go to the **Devices** page  
+- Go to the **Devices** page
 - Open the device detail view for `raspberrypi`
 - In the **Type** dropdown, select `Switch`

 ![Device details](./img/NETWORK_TREE/Network_Device_Details.png)

- Optionally assign a **Parent Node** (where this device connects to) and the **Relationship type** of the connection.  
+- Optionally assign a **Parent Node** (where this device connects to) and the **Relationship type** of the connection.
  The `nic` relationship type can affect parent notifications — see the setting description and [Notifications documentation](./NOTIFICATIONS.md) for more.
+- A device’s parent MAC will be overwritten by plugins if its current value is any of the following: "null", "(unknown)" "(Unknown)".
+- If you want plugins to be able to overwrite the parent value (for example, when mixing plugins that do not provide parent MACs like `ARPSCAN` with those that do, like `UNIFIAPI`), you must set the setting `NEWDEV_devParentMAC` to None.

-![Device details](./img/NETWORK_TREE/Network_Device_Details_Parent.png)  
+![Device details](./img/NETWORK_TREE/Network_Device_Details_Parent.png)

-> [!NOTE]  
-> Only certain device types can act as network nodes:  
-> `AP`, `Firewall`, `Gateway`, `Hypervisor`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`  
+> [!NOTE]
+> Only certain device types can act as network nodes:
+> `AP`, `Firewall`, `Gateway`, `Hypervisor`, `PLC`, `Powerline`, `Router`, `Switch`, `USB LAN Adapter`, `USB WIFI Adapter`, `WLAN`
 > You can add custom types via the `NETWORK_DEVICE_TYPES` setting.

 - Click **Save**
@@ -81,7 +83,7 @@ You can confirm that `raspberrypi` now acts as a network device in two places:
 ### 3. Assign Connected Devices

 - Use the **Assign** button to link other devices (e.g. PCs) to `raspberrypi`.
- After assigning, connected devices will appear beneath the `raspberrypi` switch node.  
+- After assigning, connected devices will appear beneath the `raspberrypi` switch node.

 ![Assigned nodes](./img/NETWORK_TREE/Network_Assigned_Nodes.png)

@@ -92,11 +94,31 @@ You can confirm that `raspberrypi` now acts as a network device in two places:
 > Hovering over devices in the tree reveals connection details and tooltips for quick inspection.

 > [!NOTE]
-> Selecting certain relationship types hides the device in the default device views.  
-> You can change this behavior by adjusting the `UI_hide_rel_types` setting, which by default is set to `["nic","virtual"]`.  
-> This means devices with `devParentRelType` set to `nic` or `virtual` will not be shown.  
+> Selecting certain relationship types hides the device in the default device views.
+> You can change this behavior by adjusting the `UI_hide_rel_types` setting, which by default is set to `["nic","virtual"]`.
+> This means devices with `devParentRelType` set to `nic` or `virtual` will not be shown.
 > All devices, regardless of relationship type, are always accessible in the **All devices** view.

+
+## Troubleshooting
+
+If the Network page doesn't load re-set your parent nodes. This can be done with [bulk-edit](./DEVICES_BULK_EDITING.md).
+
+1. [Backup your setup just in case](./BACKUPS.md)
+2. Navigate to **Maintenance -> Multi edit** ( (1), (2) )
+3. Add all devices (3) (clear the cache with the refresh button if you seem to be missing devices in the dropdown (4))
+4. Select None as parent node (5) and save (6)
+
+![Hover detail](./img/NETWORK_TREE/Network_tree_RESET.png)
+
+5. Find now your root Internet Node by searching for "Internet" in the My Devices view
+6. If not found, make sure the `INTRNT` plugin runs and creates the internet device
+7. If above fails, [create a manual device](./DEVICE_MANAGEMENT.md) with the MAC set to `Internet`
+
+![Hover detail](./img/NETWORK_TREE/Network_tree_MANUAL_INTERNET_NODE.png)
+
+7. You should be able to start again to configure your Network view.
+
 ---

 ## ✅ Summary
--- a/docs/PERFORMANCE.md
+++ b/docs/PERFORMANCE.md
@@ -1,47 +1,50 @@
 # Performance Optimization Guide

-There are several ways to improve the application's performance. The application has been tested on a range of devices, from a Raspberry Pi 4 to NAS and NUC systems. If you are running the application on a lower-end device, carefully fine-tune the performance settings to ensure an optimal user experience.
+There are several ways to improve the application's performance. The application has been tested on a range of devices, from Raspberry Pi 4 units to NAS and NUC systems. If you are running the application on a lower-end device, fine-tuning the performance settings can significantly improve the user experience.

 ## Common Causes of Slowness

 Performance issues are usually caused by:

- **Incorrect settings** – The app may restart unexpectedly. Check `app.log` under **Maintenance → Logs** for details.
- **Too many background processes** – Disable unnecessary scanners.
- **Long scan durations** – Limit the number of scanned devices.
- **Excessive disk operations** – Optimize scanning and logging settings.
- **Failed maintenance plugins** – Ensure maintenance tasks are running properly.
+* **Incorrect settings** – The app may restart unexpectedly. Check `app.log` under **Maintenance → Logs** for details.
+* **Too many background processes** – Disable unnecessary scanners.
+* **Long scan durations** – Limit the number of scanned devices.
+* **Excessive disk operations** – Optimize scanning and logging settings.
+* **Maintenance plugin failures** – If cleanup tasks fail, performance can degrade over time.

-The application performs regular maintenance and database cleanup. If these tasks fail, performance may degrade.
+The application performs regular maintenance and database cleanup. If these tasks are failing, you will see slowdowns.

 ### Database and Log File Size

-A large database or oversized log files can slow down performance. You can check database and table sizes on the **Maintenance** page.
+A large database or oversized log files can impact performance. You can check database and table sizes on the **Maintenance** page.

 ![DB size check](./img/PERFORMANCE/db_size_check.png)

 > [!NOTE]
-> - For **~100 devices**, the database should be around **50MB**.
-> - No table should exceed **10,000 rows** in a healthy system.
-> - These numbers vary based on network activity and settings.
+>
+> * For **~100 devices**, the database should be around **50 MB**.
+> * No table should exceed **10,000 rows** in a healthy system.
+> * Actual values vary based on network activity and plugin settings.

 ---

 ## Maintenance Plugins

-Two plugins help maintain the application’s performance:
+Two plugins help maintain the system’s performance:

 ### **1. Database Cleanup (DBCLNP)**
- Responsible for database maintenance.
- Check settings in the [DB Cleanup Plugin Docs](/front/plugins/db_cleanup/README.md).
- Ensure it’s not failing by checking logs.
- Adjust the schedule (`DBCLNP_RUN_SCHD`) and timeout (`DBCLNP_RUN_TIMEOUT`) if needed.
+
+* Handles database maintenance and cleanup.
+* See the [DB Cleanup Plugin Docs](/front/plugins/db_cleanup/README.md).
+* Ensure it’s not failing by checking logs.
+* Adjust the schedule (`DBCLNP_RUN_SCHD`) and timeout (`DBCLNP_RUN_TIMEOUT`) if necessary.

 ### **2. Maintenance (MAINT)**
- Handles log cleanup and other maintenance tasks.
- Check settings in the [Maintenance Plugin Docs](/front/plugins/maintenance/README.md).
- Ensure it’s running correctly by checking logs.
- Adjust the schedule (`MAINT_RUN_SCHD`) and timeout (`MAINT_RUN_TIMEOUT`) if needed.
+
+* Cleans logs and performs general maintenance tasks.
+* See the [Maintenance Plugin Docs](/front/plugins/maintenance/README.md).
+* Verify proper operation via logs.
+* Adjust the schedule (`MAINT_RUN_SCHD`) and timeout (`MAINT_RUN_TIMEOUT`) if needed.

 ---

@@ -50,48 +53,56 @@ Two plugins help maintain the application’s performance:
 Frequent scans increase resource usage, network traffic, and database read/write cycles.

 ### **Optimizations**
- **Increase scan intervals** (`<PLUGIN>_RUN_SCHD`) on busy networks or low-end hardware.
- **Extend scan timeouts** (`<PLUGIN>_RUN_TIMEOUT`) to prevent failures.
- **Reduce the subnet size** – e.g., from `/16` to `/24` to lower scan loads.

-Some plugins have additional options to limit the number of scanned devices. If certain plugins take too long to complete, check if you can optimize scan times by selecting a scan range. 
+* **Increase scan intervals** (`<PLUGIN>_RUN_SCHD`) on busy networks or low-end hardware.
+* **Increase timeouts** (`<PLUGIN>_RUN_TIMEOUT`) to avoid plugin failures.
+* **Reduce subnet size** – e.g., use `/24` instead of `/16` to reduce scan load.

-For example, the **ICMP plugin** allows you to specify a regular expression to scan only IPs that match a specific pattern.
+Some plugins also include options to limit which devices are scanned. If certain plugins consistently run long, consider narrowing their scope.
+
+For example, the **ICMP plugin** allows scanning only IPs that match a specific regular expression.

 ---

 ## Storing Temporary Files in Memory

-On systems with slower I/O speeds, you can optimize performance by storing temporary files in memory. This primarily applies to the API directory (default: `/tmp/api`, configurable via `NETALERTX_API`) and `/tmp/log` folders.
+On devices with slower I/O, you can improve performance by storing temporary files (and optionally the database) in memory using `tmpfs`.

-Using `tmpfs` reduces disk writes and improves performance. However, it should be **disabled** if persistent logs or API data storage are required.
+> [!WARNING]
+> Storing the **database** in `tmpfs` is generally discouraged. Use this only if device data and historical records are not required to persist. If needed, you can pair this setup with the `SYNC` plugin to store important persistent data on another node. See the [Plugins docs](./PLUGINS.md) for details.

-Below is an optimized `docker-compose.yml` snippet:
+Using `tmpfs` reduces disk writes and speeds up I/O, but **all data stored in memory will be lost on restart**.

+Below is an optimized `docker-compose.yml` snippet using non-persistent logs, API data, and DB:

 ```yaml
-version: "3"
 services:
  netalertx:
    container_name: netalertx
-    # Uncomment the line below to test the latest dev image
+    # Use this line for the stable release
+    image: "ghcr.io/jokob-sk/netalertx:latest"
+    # Or use this line for the latest development build
    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-    network_mode: "host"        
+    network_mode: "host"
    restart: unless-stopped
-    volumes:
-      - /local_data_dir/config:/data/config
-      - /local_data_dir/db:/data/db      
-      # (Optional) Useful for debugging setup issues
-      - /local_data_dir/logs:/tmp/log
-      # (API: OPTION 1) Store temporary files in memory (recommended for performance)
-      - type: tmpfs              # ◀ 🔺
-        target: /tmp/api         # ◀ 🔺
-      # (API: OPTION 2) Store API data on disk (useful for debugging)
-      # - /local_data_dir/api:/tmp/api
-      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
-      - /etc/localtime:/etc/localtime:ro    
-    environment: 
-      - PORT=20211

+    cap_drop:       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:        # Re-add necessary capabilities
+      - NET_RAW
+      - NET_ADMIN
+      - NET_BIND_SERVICE
+
+    volumes:
+      - ${APP_FOLDER}/netalertx/config:/data/config
+      - /etc/localtime:/etc/localtime:ro
+
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
+      - "/data/db:uid=20211,gid=20211,mode=1700"  # ⚠ You will lose historical data on restart
+
+    environment:
+      - PORT=${PORT}
+      - APP_CONF_OVERRIDE=${APP_CONF_OVERRIDE}
 ```
--- a/docs/PIHOLE_GUIDE.md
+++ b/docs/PIHOLE_GUIDE.md
@@ -1,8 +1,29 @@
 # Integration with PiHole

-NetAlertX comes with 2 plugins suitable for integrating with your existing PiHole instance. One plugin is using a direct SQLite DB connection, the other leverages the DHCP.leases file generated by PiHole. You can combine both approaches and also supplement it with other [plugins](/docs/PLUGINS.md). 
+NetAlertX comes with 3 plugins suitable for integrating with your existing PiHole instance. The first plugin uses the v6 API, the second plugin is using a direct SQLite DB connection, the other leverages the `DHCP.leases` file generated by PiHole. You can combine multiple approaches and also supplement scans with other [plugins](/docs/PLUGINS.md).

-## Approach 1: `DHCPLSS` Plugin - Import devices from the PiHole DHCP leases file
+## Approach 1: `PIHOLEAPI` Plugin - Import devices directly from PiHole v6 API
+
+![PIHOLEAPI sample settings](./img/PIHOLE_GUIDE/PIHOLEAPI_settings.png)
+
+To use this approach make sure the Web UI password in **Pi-hole** is set.
+
+| Setting | Description | Recommended value |
+| :------------- | :------------- | :-------------|
+| `PIHOLEAPI_URL` | Your Pi-hole base URL including port.  | `http://192.168.1.82:9880/` |
+| `PIHOLEAPI_RUN_SCHD` | If you run multiple device scanner plugins, align the schedules of all plugins to the same value.  | `*/5 * * * *` |
+| `PIHOLEAPI_PASSWORD` | The Web UI base64 encoded (en-/decoding handled by the app) admin password. | `passw0rd` |
+| `PIHOLEAPI_SSL_VERIFY` | Whether to verify HTTPS certificates. Disable only for self-signed certificates. | `False` |
+| `PIHOLEAPI_API_MAXCLIENTS` | Maximum number of devices to request from Pi-hole. Defaults are usually fine. | `500` |
+| `PIHOLEAPI_FAKE_MAC` | Generate FAKE MAC from IP. | `False` |
+
+Check the [PiHole API plugin readme](https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/pihole_api_scan/) for details and troubleshooting.
+
+### docker-compose changes
+
+No changes needed
+
+## Approach 2: `DHCPLSS` Plugin - Import devices from the PiHole DHCP leases file

 ![DHCPLSS sample settings](./img/PIHOLE_GUIDE/DHCPLSS_pihole_settings.png)

@@ -23,12 +44,12 @@ Check the [DHCPLSS plugin readme](https://github.com/jokob-sk/NetAlertX/tree/mai
 | `:/etc/pihole/dhcp.leases` |  PiHole's `dhcp.leases` file. Required if you want to use PiHole `dhcp.leases` file. This has to be matched with a corresponding `DHCPLSS_paths_to_check` setting entry (the path in the container must contain `pihole`) |


-## Approach 2: `PIHOLE` Plugin - Import devices directly from the PiHole database
+## Approach 3: `PIHOLE` Plugin - Import devices directly from the PiHole database

 ![DHCPLSS sample settings](./img/PIHOLE_GUIDE/PIHOLE_settings.png)

 | Setting | Description | Recommended value |
-| :------------- | :------------- | :-------------| 
+| :------------- | :------------- | :-------------|
 | `PIHOLE_RUN` | When the plugin should run.  | `schedule` |
 | `PIHOLE_RUN_SCHD` | If you run multiple device scanner plugins, align the schedules of all plugins to the same value.  | `*/5 * * * *` |
 | `PIHOLE_DB_PATH` | You need to map the value in this setting in the `docker-compose.yml` file. | `/etc/pihole/pihole-FTL.db` |
--- a/docs/PLUGINS_DEV.md
+++ b/docs/PLUGINS_DEV.md
--- a/docs/PLUGINS_DEV_DATASOURCES.md
+++ b/docs/PLUGINS_DEV_DATASOURCES.md
@@ -0,0 +1,378 @@
+# Plugin Data Sources
+
+Learn how to configure different data sources for your plugin.
+
+## Overview
+
+Data sources determine **where the plugin gets its data** and **what format it returns**. NetAlertX supports multiple data source types, each suited for different use cases.
+
+| Data Source | Type | Purpose | Returns | Example |
+|-------------|------|---------|---------|---------|
+| `script` | Code Execution | Execute Linux commands or Python scripts | Pipeline | Scan network, collect metrics, call APIs |
+| `app-db-query` | Database Query | Query the NetAlertX database | Result set | Show devices, open ports, recent events |
+| `sqlite-db-query` | External DB | Query external SQLite databases | Result set | PiHole database, external logs |
+| `template` | Template | Generate values from templates | Values | Initialize default settings |
+
+## Data Source: `script`
+
+Execute any Linux command or Python script and capture its output.
+
+### Configuration
+
+```json
+{
+  "data_source": "script",
+  "show_ui": true,
+  "mapped_to_table": "CurrentScan"
+}
+```
+
+### How It Works
+
+1. Command specified in `CMD` setting is executed
+2. Script writes results to `/tmp/log/plugins/last_result.<PREFIX>.log`
+3. Core reads file and parses pipe-delimited results
+4. Results inserted into database
+
+### Example: Simple Python Script
+
+```json
+{
+  "function": "CMD",
+  "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+  "default_value": "python3 /app/front/plugins/my_plugin/script.py",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Command"}]
+}
+```
+
+### Example: Bash Script
+
+```json
+{
+  "function": "CMD",
+  "default_value": "bash /app/front/plugins/my_plugin/script.sh",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Command"}]
+}
+```
+
+### Best Practices
+
+- **Always use absolute paths** (e.g., `/app/front/plugins/...`)
+- **Use `plugin_helper.py`** for output formatting
+- **Add timeouts** via `RUN_TIMEOUT` setting (default: 60s)
+- **Log errors** to `/tmp/log/plugins/<PREFIX>.log`
+- **Handle missing dependencies gracefully**
+
+### Output Format
+
+Must write to: `/tmp/log/plugins/last_result.<PREFIX>.log`
+
+Format: Pipe-delimited, 9 or 13 columns
+
+See [Plugin Data Contract](PLUGINS_DEV_DATA_CONTRACT.md) for exact format
+
+---
+
+## Data Source: `app-db-query`
+
+Query the NetAlertX SQLite database and display results.
+
+### Configuration
+
+```json
+{
+  "data_source": "app-db-query",
+  "show_ui": true,
+  "mapped_to_table": "CurrentScan"
+}
+```
+
+### How It Works
+
+1. SQL query specified in `CMD` setting is executed against `app.db`
+2. Results parsed according to column definitions
+3. Inserted into plugin display/database
+
+### SQL Query Requirements
+
+- Must return exactly **9 or 13 columns** matching the [data contract](PLUGINS_DEV_DATA_CONTRACT.md)
+- Column names must match (order matters!)
+- Must be **readable SQLite SQL** (not vendor-specific)
+
+### Example: Open Ports from Nmap
+
+```json
+{
+  "function": "CMD",
+  "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+  "default_value": "SELECT dv.devName as Object_PrimaryID, cast(dv.devLastIP as VARCHAR(100)) || ':' || cast(SUBSTR(ns.Port, 0, INSTR(ns.Port, '/')) as VARCHAR(100)) as Object_SecondaryID, datetime() as DateTime, ns.Service as Watched_Value1, ns.State as Watched_Value2, null as Watched_Value3, null as Watched_Value4, ns.Extra as Extra, dv.devMac as ForeignKey FROM (SELECT * FROM Nmap_Scan) ns LEFT JOIN (SELECT devName, devMac, devLastIP FROM Devices) dv ON ns.MAC = dv.devMac",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "SQL to run"}],
+  "description": [{"language_code": "en_us", "string": "This SQL query populates the plugin table"}]
+}
+```
+
+### Example: Recent Device Events
+
+```sql
+SELECT
+  e.EventValue as Object_PrimaryID,
+  d.devName as Object_SecondaryID,
+  e.EventDateTime as DateTime,
+  e.EventType as Watched_Value1,
+  d.devLastIP as Watched_Value2,
+  null as Watched_Value3,
+  null as Watched_Value4,
+  e.EventDetails as Extra,
+  d.devMac as ForeignKey
+FROM
+  Events e
+LEFT JOIN
+  Devices d ON e.DeviceMac = d.devMac
+WHERE
+  e.EventDateTime > datetime('now', '-24 hours')
+ORDER BY
+  e.EventDateTime DESC
+```
+
+See the [Database documentation](./DATABASE.md) for a list of common columns.
+
+---
+
+## Data Source: `sqlite-db-query`
+
+Query an **external SQLite database** mounted in the container.
+
+### Configuration
+
+First, define the database path in a setting:
+
+```json
+{
+  "function": "DB_PATH",
+  "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+  "default_value": "/etc/pihole/pihole-FTL.db",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Database path"}],
+  "description": [{"language_code": "en_us", "string": "Path to external SQLite database"}]
+}
+```
+
+Then set data source and query:
+
+```json
+{
+  "data_source": "sqlite-db-query",
+  "show_ui": true
+}
+```
+
+### How It Works
+
+1. External database file path specified in `DB_PATH` setting
+2. Database mounted at that path (e.g., via Docker volume)
+3. SQL query executed against external database using `EXTERNAL_<PREFIX>.` prefix
+4. Results returned in standard format
+
+### SQL Query Example: PiHole Data
+
+```json
+{
+  "function": "CMD",
+  "default_value": "SELECT hwaddr as Object_PrimaryID, cast('http://' || (SELECT ip FROM EXTERNAL_PIHOLE.network_addresses WHERE network_id = id ORDER BY lastseen DESC LIMIT 1) as VARCHAR(100)) || ':' || cast(SUBSTR((SELECT name FROM EXTERNAL_PIHOLE.network_addresses WHERE network_id = id ORDER BY lastseen DESC LIMIT 1), 0, INSTR((SELECT name FROM EXTERNAL_PIHOLE.network_addresses WHERE network_id = id ORDER BY lastseen DESC LIMIT 1), '/')) as VARCHAR(100)) as Object_SecondaryID, datetime() as DateTime, macVendor as Watched_Value1, lastQuery as Watched_Value2, (SELECT name FROM EXTERNAL_PIHOLE.network_addresses WHERE network_id = id ORDER BY lastseen DESC LIMIT 1) as Watched_Value3, null as Watched_Value4, '' as Extra, hwaddr as ForeignKey FROM EXTERNAL_PIHOLE.network WHERE hwaddr NOT LIKE 'ip-%' AND hwaddr <> '00:00:00:00:00:00'",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "SQL to run"}]
+}
+```
+
+### Key Points
+
+- **Prefix all external tables** with `EXTERNAL_<PREFIX>.`
+  - For PiHole (`PIHOLE` prefix): `EXTERNAL_PIHOLE.network`
+  - For custom database (`CUSTOM` prefix): `EXTERNAL_CUSTOM.my_table`
+- **Database must be valid SQLite**
+- **Path must be accessible** inside the container
+- **No columns beyond the data contract** required
+
+### Docker Volume Setup
+
+To mount external database in docker-compose:
+
+```yaml
+services:
+  netalertx:
+    volumes:
+      - /path/on/host/pihole-FTL.db:/etc/pihole/pihole-FTL.db:ro
+```
+
+---
+
+## Data Source: `template`
+
+Generate values from a template. Usually used for initialization and default settings.
+
+### Configuration
+
+```json
+{
+  "data_source": "template"
+}
+```
+
+### How It Works
+
+- **Not widely used** in standard plugins
+- Used internally for generating default values
+- Check `newdev_template` plugin for implementation example
+
+### Example: Default Device Template
+
+```json
+{
+  "function": "DEFAULT_DEVICE_PROPERTIES",
+  "type": {"dataType": "string", "elements": [{"elementType": "textarea", "elementOptions": [], "transformers": []}]},
+  "default_value": "type=Unknown|vendor=Unknown",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Default properties"}]
+}
+```
+
+---
+
+## Data Source: `plugin_type`
+
+Declare the plugin category. Controls where settings appear in the UI.
+
+### Configuration
+
+```json
+{
+  "data_source": "plugin_type",
+  "value": "scanner"
+}
+```
+
+### Supported Values
+
+| Value | Section | Purpose |
+|-------|---------|---------|
+| `scanner` | Device Scanners | Discovers devices on network |
+| `system` | System Plugins | Core system functionality |
+| `publisher` | Notification/Alert Plugins | Sends notifications/alerts |
+| `importer` | Data Importers | Imports devices from external sources |
+| `other` | Other Plugins | Miscellaneous functionality |
+
+### Example
+
+```json
+{
+  "settings": [
+    {
+      "function": "plugin_type",
+      "type": {"dataType": "string", "elements": []},
+      "default_value": "scanner",
+      "options": ["scanner"],
+      "data_source": "plugin_type",
+      "value": "scanner",
+      "localized": []
+    }
+  ]
+}
+```
+
+---
+
+## Execution Order
+
+Control plugin execution priority. Higher priority plugins run first.
+
+```json
+{
+  "execution_order": "Layer_0"
+}
+```
+
+### Levels (highest to lowest priority)
+
+- `Layer_0` - Highest priority (run first)
+- `Layer_1`
+- `Layer_2`
+- ...
+
+### Example: Device Discovery
+
+
+```json
+{
+  "code_name": "device_scanner",
+  "unique_prefix": "DEVSCAN",
+  "execution_order": "Layer_0",
+  "data_source": "script",
+  "mapped_to_table": "CurrentScan"
+}
+```
+
+---
+
+## Performance Considerations
+
+### Script Source
+- **Pros:** Flexible, can call external tools
+- **Cons:** Slower than database queries
+- **Optimization:** Add caching, use timeouts
+- **Default timeout:** 60 seconds (set `RUN_TIMEOUT`)
+
+### Database Query Source
+- **Pros:** Fast, native query optimization
+- **Cons:** Limited to SQL capabilities
+- **Optimization:** Use indexes, avoid complex joins
+- **Timeout:** Usually instant
+
+### External DB Query Source
+- **Pros:** Direct access to external data
+- **Cons:** Network latency, external availability
+- **Optimization:** Use indexes in external DB, selective queries
+- **Timeout:** Depends on DB response time
+
+---
+
+## Debugging Data Sources
+
+### Check Script Output
+
+```bash
+# Run script manually
+python3 /app/front/plugins/my_plugin/script.py
+
+# Check result file
+cat /tmp/log/plugins/last_result.MYPREFIX.log
+```
+
+### Test SQL Query
+
+```bash
+# Connect to app database
+sqlite3 /data/db/app.db
+
+# Run query
+sqlite> SELECT ... ;
+```
+
+### Monitor Execution
+
+```bash
+# Watch backend logs
+tail -f /tmp/log/stdout.log | grep -i "data_source\|MYPREFIX"
+```
+
+---
+
+## See Also
+
+- [Plugin Data Contract](PLUGINS_DEV_DATA_CONTRACT.md) - Output format specification
+- [Plugin Settings System](PLUGINS_DEV_SETTINGS.md) - How to define settings
+- [Quick Start Guide](PLUGINS_DEV_QUICK_START.md) - Create your first plugin
+- [Database Schema](DATABASE.md) - Available tables and columns
+- [Debugging Plugins](DEBUG_PLUGINS.md) - Troubleshooting data issues
--- a/docs/PLUGINS_DEV_DATA_CONTRACT.md
+++ b/docs/PLUGINS_DEV_DATA_CONTRACT.md
@@ -0,0 +1,253 @@
+# Plugin Data Contract
+
+This document specifies the exact interface between plugins and the NetAlertX core.
+
+> [!IMPORTANT]
+> Every plugin must output data in this exact format to be recognized and processed correctly.
+
+## Overview
+
+Plugins communicate with NetAlertX by writing results to a **pipe-delimited log file**. The core reads this file, parses the data, and processes it for notifications, device discovery, and data integration.
+
+**File Location:** `/tmp/log/plugins/last_result.<PREFIX>.log`
+
+**Format:** Pipe-delimited (`|`), one record per line
+
+**Required Columns:** 9 (mandatory) + up to 4 optional helper columns = 13 total
+
+## Column Specification
+
+> [!NOTE]
+> The order of columns is **FIXED** and cannot be changed. All 9 mandatory columns must be provided. If you use any optional column (`HelpVal1`), you must supply all optional columns (`HelpVal1` through `HelpVal4`).
+
+### Mandatory Columns (0–8)
+
+| Order | Column Name | Type | Required | Description |
+|-------|-------------|------|----------|-------------|
+| 0 | `Object_PrimaryID` | string | **YES** | The primary identifier for grouping. Examples: device MAC, hostname, service name, or any unique ID |
+| 1 | `Object_SecondaryID` | string | no | Secondary identifier for relationships (e.g., IP address, port, sub-ID). Use `null` if not needed |
+| 2 | `DateTime` | string | **YES** | Timestamp when the event/data was collected. Format: `YYYY-MM-DD HH:MM:SS` |
+| 3 | `Watched_Value1` | string | **YES** | Primary watched value. Changes trigger notifications. Examples: IP address, status, version |
+| 4 | `Watched_Value2` | string | no | Secondary watched value. Use `null` if not needed |
+| 5 | `Watched_Value3` | string | no | Tertiary watched value. Use `null` if not needed |
+| 6 | `Watched_Value4` | string | no | Quaternary watched value. Use `null` if not needed |
+| 7 | `Extra` | string | no | Any additional metadata to display in UI and notifications. Use `null` if not needed |
+| 8 | `ForeignKey` | string | no | Foreign key linking to parent object (usually MAC address for device relationship). Use `null` if not needed |
+
+### Optional Columns (9–12)
+
+| Order | Column Name | Type | Required | Description |
+|-------|-------------|------|----------|-------------|
+| 9 | `HelpVal1` | string | *conditional* | Helper value 1. If used, all help values must be supplied |
+| 10 | `HelpVal2` | string | *conditional* | Helper value 2. If used, all help values must be supplied |
+| 11 | `HelpVal3` | string | *conditional* | Helper value 3. If used, all help values must be supplied |
+| 12 | `HelpVal4` | string | *conditional* | Helper value 4. If used, all help values must be supplied |
+
+## Usage Guide
+
+### Empty/Null Values
+
+- Represent empty values as the literal string `null` (not Python `None`, SQL `NULL`, or empty string)
+- Example: `device_id|null|2023-01-02 15:56:30|status|null|null|null|null|null`
+
+### Watched Values
+
+**What are Watched Values?**
+
+Watched values are fields that the NetAlertX core monitors for **changes between scans**. When a watched value differs from the previous scan, it can trigger notifications.
+
+**How to use them:**
+
+- `Watched_Value1`: Always required; primary indicator of status/state
+- `Watched_Value2–4`: Optional; use for secondary/tertiary state information
+- Leave unused ones as `null`
+
+**Example:**
+
+- Device scanner: `Watched_Value1 = "online"` or `"offline"`
+- Port scanner: `Watched_Value1 = "80"` (port number), `Watched_Value2 = "open"` (state)
+- Service monitor: `Watched_Value1 = "200"` (HTTP status), `Watched_Value2 = "0.45"` (response time)
+
+### Foreign Key
+
+Use the `ForeignKey` column to link objects to a parent device by MAC address:
+
+```
+device_name|192.168.1.100|2023-01-02 15:56:30|online|null|null|null|Found on network|aa:bb:cc:dd:ee:ff
+                                                                                              ↑
+                                                                                        ForeignKey (MAC)
+```
+
+This allows NetAlertX to:
+
+- Display the object on the device details page
+- Send notifications when the parent device is involved
+- Link events across plugins
+
+## Examples
+
+### Valid Data (9 columns, minimal)
+
+```csv
+https://example.com|null|2023-01-02 15:56:30|200|null|null|null|null|null
+printer-hp-1|192.168.1.50|2023-01-02 15:56:30|online|50%|null|null|Last seen in office|aa:11:22:33:44:55
+gateway.local|null|2023-01-02 15:56:30|active|v2.1.5|null|null|Firmware version|null
+```
+
+### Valid Data (13 columns, with helpers)
+
+```csv
+service-api|192.168.1.100:8080|2023-01-02 15:56:30|200|45ms|true|null|Responding normally|aa:bb:cc:dd:ee:ff|extra1|extra2|extra3|extra4
+host-web-1|10.0.0.20|2023-01-02 15:56:30|active|256GB|online|ok|Production server|null|cpu:80|mem:92|disk:45|alerts:0
+```
+
+### Invalid Data (Common Errors)
+
+❌ **Missing required column** (only 8 separators instead of 8):
+```csv
+https://google.com|null|2023-01-02 15:56:30|200|0.7898||null|null
+                                                      ↑
+                                                  Missing pipe
+```
+
+❌ **Missing mandatory Watched_Value1** (column 3):
+```csv
+https://duckduckgo.com|192.168.1.1|2023-01-02 15:56:30|null|0.9898|null|null|Best|null
+                                                         ↑
+                                          Must not be null
+```
+
+❌ **Incomplete optional columns** (has HelpVal1 but missing HelpVal2–4):
+```csv
+device|null|2023-01-02 15:56:30|status|null|null|null|null|null|helper1
+                                                                    ↑
+                                                    Has helper but incomplete
+```
+
+✅ **Complete with helpers** (all 4 helpers provided):
+```csv
+device|null|2023-01-02 15:56:30|status|null|null|null|null|null|h1|h2|h3|h4
+```
+
+✅ **Complete without helpers** (9 columns exactly):
+```csv
+device|null|2023-01-02 15:56:30|status|null|null|null|null|null
+```
+
+## Using `plugin_helper.py`
+
+The easiest way to ensure correct output is to use the [`plugin_helper.py`](../front/plugins/plugin_helper.py) library:
+
+```python
+from plugin_helper import Plugin_Objects
+
+# Initialize with your plugin's prefix
+plugin_objects = Plugin_Objects("YOURPREFIX")
+
+# Add objects
+plugin_objects.add_object(
+    Object_PrimaryID="device_id",
+    Object_SecondaryID="192.168.1.1",
+    DateTime="2023-01-02 15:56:30",
+    Watched_Value1="online",
+    Watched_Value2=None,
+    Watched_Value3=None,
+    Watched_Value4=None,
+    Extra="Additional data",
+    ForeignKey="aa:bb:cc:dd:ee:ff",
+    HelpVal1=None,
+    HelpVal2=None,
+    HelpVal3=None,
+    HelpVal4=None
+)
+
+# Write results (handles formatting, sanitization, and file creation)
+plugin_objects.write_result_file()
+```
+
+The library automatically:
+
+- Validates data types
+- Sanitizes string values
+- Normalizes MAC addresses
+- Writes to the correct file location
+- Creates the file in `/tmp/log/plugins/last_result.<PREFIX>.log`
+
+## De-duplication
+
+The core runs **de-duplication once per hour** on the `Plugins_Objects` table:
+
+- **Duplicate Detection Key:** Combination of `Object_PrimaryID`, `Object_SecondaryID`, `Plugin` (auto-filled from `unique_prefix`), and `UserData`
+- **Resolution:** Oldest duplicate entries are removed, newest are kept
+- **Use Case:** Prevents duplicate notifications when the same object is detected multiple times
+
+## DateTime Format
+
+**Required Format:** `YYYY-MM-DD HH:MM:SS`
+
+**Examples:**
+- `2023-01-02 15:56:30` ✅
+- `2023-1-2 15:56:30` ❌ (missing leading zeros)
+- `2023-01-02T15:56:30` ❌ (wrong separator)
+- `15:56:30 2023-01-02` ❌ (wrong order)
+
+**Python Helper:**
+```python
+from datetime import datetime
+
+# Current time in correct format
+now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+# Output: "2023-01-02 15:56:30"
+```
+
+**Bash Helper:**
+```bash
+# Current time in correct format
+date '+%Y-%m-%d %H:%M:%S'
+# Output: 2023-01-02 15:56:30
+```
+
+## Validation Checklist
+
+Before writing your plugin's `script.py`, ensure:
+
+- [ ] **9 or 13 columns** in each output line (8 or 12 pipe separators)
+- [ ] **Mandatory columns filled:**
+  - Column 0: `Object_PrimaryID` (not null)
+  - Column 2: `DateTime` in `YYYY-MM-DD HH:MM:SS` format
+  - Column 3: `Watched_Value1` (not null)
+- [ ] **Null values as literal string** `null` (not empty string or special chars)
+- [ ] **No extra pipes or misaligned columns**
+- [ ] **If using optional helpers** (columns 9–12), all 4 must be present
+- [ ] **File written to** `/tmp/log/plugins/last_result.<PREFIX>.log`
+- [ ] **One record per line** (newline-delimited)
+- [ ] **No header row** (data only)
+
+## Debugging
+
+**View raw plugin output:**
+```bash
+cat /tmp/log/plugins/last_result.YOURPREFIX.log
+```
+
+**Check line count:**
+```bash
+wc -l /tmp/log/plugins/last_result.YOURPREFIX.log
+```
+
+**Validate column count (should be 8 or 12 pipes per line):**
+```bash
+cat /tmp/log/plugins/last_result.YOURPREFIX.log | awk -F'|' '{print NF}' | sort | uniq
+# Output: 9 (for minimal) or 13 (for with helpers)
+```
+
+**Check core processing in logs:**
+```bash
+tail -f /tmp/log/stdout.log | grep -i "YOURPREFIX\|Plugins_Objects"
+```
+
+## See Also
+
+- [Plugin Settings System](PLUGINS_DEV_SETTINGS.md) - How to accept user input
+- [Data Sources](PLUGINS_DEV_DATASOURCES.md) - Different data source types
+- [Debugging Plugins](DEBUG_PLUGINS.md) - Troubleshooting plugin issues
--- a/docs/PLUGINS_DEV_QUICK_START.md
+++ b/docs/PLUGINS_DEV_QUICK_START.md
@@ -0,0 +1,175 @@
+# Plugin Development Quick Start
+
+Get a working plugin up and running in 5 minutes.
+
+## Prerequisites
+
+- Read [Development Environment Setup Guide](./DEV_ENV_SETUP.md) to set up your local environment
+- Understand [Plugin Architecture Overview](PLUGINS_DEV.md)
+
+## Quick Start Steps
+
+### 1. Create Your Plugin Folder
+
+Start from the template to get the basic structure:
+
+```bash
+cd /workspaces/NetAlertX/front/plugins
+cp -r __template my_plugin
+cd my_plugin
+```
+
+### 2. Update `config.json` Identifiers
+
+Edit `my_plugin/config.json` and update these critical fields:
+
+```json
+{
+  "code_name": "my_plugin",
+  "unique_prefix": "MYPLN",
+  "display_name": [{"language_code": "en_us", "string": "My Plugin"}],
+  "description": [{"language_code": "en_us", "string": "My custom plugin"}]
+}
+```
+
+**Important:**
+- `code_name` must match the folder name
+- `unique_prefix` must be unique and uppercase (check existing plugins to avoid conflicts)
+- `unique_prefix` is used as a prefix for all generated settings (e.g., `MYPLN_RUN`, `MYPLN_CMD`)
+
+### 3. Implement Your Script
+
+Edit `my_plugin/script.py` and implement your data collection logic:
+
+```python
+#!/usr/bin/env python3
+
+import sys
+import os
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../../server'))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../plugins'))
+
+from plugin_helper import Plugin_Objects, mylog
+from helper import get_setting_value
+from const import logPath
+
+pluginName = "MYPLN"
+
+LOG_PATH = logPath + "/plugins"
+LOG_FILE = os.path.join(LOG_PATH, f"script.{pluginName}.log")
+RESULT_FILE = os.path.join(LOG_PATH, f"last_result.{pluginName}.log")
+
+# Initialize
+plugin_objects = Plugin_Objects(RESULT_FILE)
+
+try:
+    # Your data collection logic here
+    # For example, scan something and collect results
+
+    # Add an object to results
+    plugin_objects.add_object(
+        Object_PrimaryID="example_id",
+        Object_SecondaryID=None,
+        DateTime="2023-01-02 15:56:30",
+        Watched_Value1="value1",
+        Watched_Value2=None,
+        Watched_Value3=None,
+        Watched_Value4=None,
+        Extra="additional_data",
+        ForeignKey=None
+    )
+
+    # Write results to the log file
+    plugin_objects.write_result_file()
+
+except Exception as e:
+    mylog("none", f"Error: {e}")
+    sys.exit(1)
+```
+
+### 4. Configure Execution
+
+Edit the `RUN` and `CMD` settings in `config.json`:
+
+```json
+{
+  "function": "RUN",
+  "type": {"dataType":"string", "elements": [{"elementType": "select", "elementOptions": [], "transformers": []}]},
+  "default_value": "disabled",
+  "options": ["disabled", "once", "schedule"],
+  "localized": ["name", "description"],
+  "name": [{"language_code":"en_us", "string": "When to run"}],
+  "description": [{"language_code":"en_us", "string": "Enable plugin execution"}]
+},
+{
+  "function": "CMD",
+  "type": {"dataType":"string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+  "default_value": "python3 /app/front/plugins/my_plugin/script.py",
+  "localized": ["name", "description"],
+  "name": [{"language_code":"en_us", "string": "Command"}],
+  "description": [{"language_code":"en_us", "string": "Command to execute"}]
+}
+```
+
+### 5. Test Your Plugin
+
+#### In Dev Container
+
+```bash
+# Test the script directly
+python3 /workspaces/NetAlertX/front/plugins/my_plugin/script.py
+
+# Check the results
+cat /tmp/log/plugins/last_result.MYPLN.log
+```
+
+#### Via UI
+
+1. Restart backend: Run task `[Dev Container] Start Backend (Python)`
+2. Open Settings → Plugin Settings → My Plugin
+3. Set `My Plugin - When to run` to `once`
+4. Click Save
+5. Check `/tmp/log/plugins/last_result.MYPLN.log` for output
+
+### 6. Check Results
+
+Verify your plugin is working:
+
+```bash
+# Check if result file was generated
+ls -la /tmp/log/plugins/last_result.MYPLN.log
+
+# View contents
+cat /tmp/log/plugins/last_result.MYPLN.log
+
+# Check backend logs for errors
+tail -f /tmp/log/stdout.log | grep "my_plugin\|MYPLN"
+```
+
+## Next Steps
+
+Now that you have a working basic plugin:
+
+1. **Add Settings**: Customize behavior via user-configurable settings (see [PLUGINS_DEV_SETTINGS.md](PLUGINS_DEV_SETTINGS.md))
+2. **Implement Data Contract**: Structure your output correctly (see [PLUGINS_DEV_DATA_CONTRACT.md](PLUGINS_DEV_DATA_CONTRACT.md))
+3. **Configure UI**: Display plugin results in the web interface (see [PLUGINS_DEV_UI_COMPONENTS.md](PLUGINS_DEV_UI_COMPONENTS.md))
+4. **Map to Database**: Import data into NetAlertX tables like `CurrentScan` or `Devices`
+5. **Set Schedules**: Run your plugin on a schedule (see [PLUGINS_DEV_CONFIG.md](PLUGINS_DEV_CONFIG.md))
+
+## Common Issues
+
+| Issue | Solution |
+|-------|----------|
+| "Module not found" errors | Ensure `sys.path` includes `/app/server` and `/app/front/plugins` |
+| Settings not appearing | Restart backend and clear browser cache |
+| Results not showing up | Check `/tmp/log/plugins/*.log` and `/tmp/log/stdout.log` for errors |
+| Permission denied | Plugin runs in container, use absolute paths like `/app/front/plugins/...` |
+
+## Resources
+
+- [Full Plugin Development Guide](PLUGINS_DEV.md)
+- [Plugin Data Contract](PLUGINS_DEV_DATA_CONTRACT.md)
+- [Plugin Settings System](PLUGINS_DEV_SETTINGS.md)
+- [Data Sources](PLUGINS_DEV_DATASOURCES.md)
+- [UI Components](PLUGINS_DEV_UI_COMPONENTS.md)
+- [Debugging Plugins](DEBUG_PLUGINS.md)
--- a/docs/PLUGINS_DEV_SETTINGS.md
+++ b/docs/PLUGINS_DEV_SETTINGS.md
@@ -0,0 +1,518 @@
+# Plugin Settings System
+
+Learn how to let users configure your plugin via the NetAlertX UI Settings page.
+
+> [!TIP]
+> For the higher-level settings flow and lifecycle, see [Settings System Documentation](./SETTINGS_SYSTEM.md).
+
+## Overview
+
+Plugin settings allow users to configure:
+
+- **Execution schedule** (when the plugin runs)
+- **Runtime parameters** (API keys, URLs, thresholds)
+- **Behavior options** (which features to enable/disable)
+- **Command overrides** (customize the executed script)
+
+All settings are defined in your plugin's `config.json` file under the `"settings"` array.
+
+## Setting Definition Structure
+
+Each setting is a JSON object with required and optional properties:
+
+```json
+{
+  "function": "UNIQUE_CODE",
+  "type": {
+    "dataType": "string",
+    "elements": [
+      {
+        "elementType": "input",
+        "elementOptions": [],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": "default_value_here",
+  "options": [],
+  "localized": ["name", "description"],
+  "name": [
+    {
+      "language_code": "en_us",
+      "string": "Display Name"
+    }
+  ],
+  "description": [
+    {
+      "language_code": "en_us",
+      "string": "Help text describing the setting"
+    }
+  ]
+}
+```
+
+## Required Properties
+
+| Property | Type | Description | Example |
+|----------|------|-------------|---------|
+| `function` | string | Unique identifier for the setting. Used in manifest and when reading values. See [Reserved Function Names](#reserved-function-names) for special values | `"MY_CUSTOM_SETTING"` |
+| `type` | object | Defines the UI component and data type | See [Component Types](#component-types) |
+| `default_value` | varies | Initial value shown in UI | `"https://example.com"` |
+| `localized` | array | Which properties have translations | `["name", "description"]` |
+| `name` | array | Display name in Settings UI (localized) | See [Localized Strings](#localized-strings) |
+| `description` | array | Help text in Settings UI (localized) | See [Localized Strings](#localized-strings) |
+
+## Optional Properties
+
+| Property | Type | Description | Example |
+|----------|------|-------------|---------|
+| `options` | array | Valid values for select/checkbox controls | `["option1", "option2"]` |
+| `events` | string | Trigger action button: `"test"` or `"run"` | `"test"` for notifications |
+| `maxLength` | number | Character limit for input fields | `100` |
+| `readonly` | boolean | Make field read-only | `true` |
+| `override_value` | object | Template-based value override (WIP) | Work in Progress |
+
+## Reserved Function Names
+
+These function names have special meaning and control core plugin behavior:
+
+### Core Execution Settings
+
+| Function | Purpose | Type | Required | Options |
+|----------|---------|------|----------|---------|
+| `RUN` | **When to execute the plugin** | select | **YES** | `"disabled"`, `"once"`, `"schedule"`, `"always_after_scan"`, `"before_name_updates"`, `"on_new_device"`, `"before_config_save"` |
+| `RUN_SCHD` | **Cron schedule** | input | If `RUN="schedule"` | Cron format: `"0 * * * *"` (hourly) |
+| `CMD` | **Command/script to execute** | input | **YES** | Linux command or path to script |
+| `RUN_TIMEOUT` | **Maximum execution time in seconds** | input | optional | Numeric: `"60"`, `"120"`, etc. |
+
+### Data & Filtering Settings
+
+| Function | Purpose | Type | Required | Options |
+|----------|---------|------|----------|---------|
+| `WATCH` | **Which columns to monitor for changes** | multi-select | optional | Column names from data contract |
+| `REPORT_ON` | **When to send notifications** | select | optional | `"new"`, `"watched-changed"`, `"watched-not-changed"`, `"missing-in-last-scan"` |
+| `DB_PATH` | **External database path** | input | If using SQLite plugin | File path: `"/etc/pihole/pihole-FTL.db"` |
+
+### API & Data Settings
+
+| Function | Purpose | Type | Required | Options |
+|----------|---------|------|----------|---------|
+| `API_SQL` | **Generate API JSON file** | (reserved) | Not implemented | — |
+
+## Component Types
+
+### Text Input
+
+Simple text field for API keys, URLs, thresholds, etc.
+
+```json
+{
+  "function": "URL",
+  "type": {
+    "dataType": "string",
+    "elements": [
+      {
+        "elementType": "input",
+        "elementOptions": [],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": "https://api.example.com",
+  "localized": ["name", "description"],
+  "name": [{"language_code": "en_us", "string": "API URL"}],
+  "description": [{"language_code": "en_us", "string": "The API endpoint to query"}]
+}
+```
+
+### Password Input
+
+Secure field with SHA256 hashing transformer.
+
+```json
+{
+  "function": "API_KEY",
+  "type": {
+    "dataType": "string",
+    "elements": [
+      {
+        "elementType": "input",
+        "elementOptions": [{"type": "password"}],
+        "transformers": ["sha256"]
+      }
+    ]
+  },
+  "default_value": "",
+  "localized": ["name", "description"],
+  "name": [{"language_code": "en_us", "string": "API Key"}],
+  "description": [{"language_code": "en_us", "string": "Stored securely with SHA256 hashing"}]
+}
+```
+
+### Dropdown/Select
+
+Choose from predefined options.
+
+```json
+{
+  "function": "RUN",
+  "type": {
+    "dataType": "string",
+    "elements": [
+      {
+        "elementType": "select",
+        "elementOptions": [],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": "disabled",
+  "options": ["disabled", "once", "schedule", "always_after_scan"],
+  "localized": ["name", "description"],
+  "name": [{"language_code": "en_us", "string": "When to run"}],
+  "description": [{"language_code": "en_us", "string": "Select execution trigger"}]
+}
+```
+
+### Multi-Select
+
+Select multiple values (returns array).
+
+```json
+{
+  "function": "WATCH",
+  "type": {
+    "dataType": "array",
+    "elements": [
+      {
+        "elementType": "select",
+        "elementOptions": [{"isMultiSelect": true}],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": [],
+  "options": ["Status", "IP_Address", "Response_Time"],
+  "localized": ["name", "description"],
+  "name": [{"language_code": "en_us", "string": "Watch columns"}],
+  "description": [{"language_code": "en_us", "string": "Which columns trigger notifications on change"}]
+}
+```
+
+### Checkbox
+
+Boolean toggle.
+
+```json
+{
+  "function": "ENABLED",
+  "type": {
+    "dataType": "boolean",
+    "elements": [
+      {
+        "elementType": "input",
+        "elementOptions": [{"type": "checkbox"}],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": false,
+  "localized": ["name", "description"],
+  "name": [{"language_code": "en_us", "string": "Enable feature"}],
+  "description": [{"language_code": "en_us", "string": "Toggle this feature on/off"}]
+}
+```
+
+### Textarea
+
+Multi-line text input.
+
+```json
+{
+  "function": "CUSTOM_CONFIG",
+  "type": {
+    "dataType": "string",
+    "elements": [
+      {
+        "elementType": "textarea",
+        "elementOptions": [],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": "",
+  "localized": ["name", "description"],
+  "name": [{"language_code": "en_us", "string": "Custom Configuration"}],
+  "description": [{"language_code": "en_us", "string": "Enter configuration (one per line)"}]
+}
+```
+
+### Read-Only Label
+
+Display information without user input.
+
+```json
+{
+  "function": "STATUS_DISPLAY",
+  "type": {
+    "dataType": "string",
+    "elements": [
+      {
+        "elementType": "input",
+        "elementOptions": [{"readonly": true}],
+        "transformers": []
+      }
+    ]
+  },
+  "default_value": "Ready",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Status"}]
+}
+```
+
+## Using Settings in Your Script
+
+### Method 1: Via `get_setting_value()` Helper
+
+**Recommended approach** — clean and simple:
+
+```python
+from helper import get_setting_value
+
+# Read the setting by function name with plugin prefix
+api_url = get_setting_value('MYPLN_API_URL')
+api_key = get_setting_value('MYPLN_API_KEY')
+watch_columns = get_setting_value('MYPLN_WATCH')  # Returns list if multi-select
+
+# Use in your script
+mylog("none", f"Connecting to {api_url} with key {api_key}")
+```
+
+### Method 2: Via Command Parameters
+
+For more complex scenarios where you need to **pass settings as command-line arguments**:
+
+Define `params` in your `config.json`:
+
+```json
+{
+  "params": [
+    {
+      "name": "api_url",
+      "type": "setting",
+      "value": "MYPLN_API_URL"
+    },
+    {
+      "name": "timeout",
+      "type": "setting",
+      "value": "MYPLN_RUN_TIMEOUT"
+    }
+  ]
+}
+```
+
+Update your `CMD` setting:
+
+```json
+{
+  "function": "CMD",
+  "default_value": "python3 /app/front/plugins/my_plugin/script.py --url={api_url} --timeout={timeout}"
+}
+```
+
+The framework will replace `{api_url}` and `{timeout}` with actual values before execution.
+
+### Method 3: Via Environment Variables (check with maintainer)
+
+Settings are also available as environment variables:
+
+```bash
+# Environment variable format: <PREFIX>_<FUNCTION>
+MY_PLUGIN_API_URL
+MY_PLUGIN_API_KEY
+MY_PLUGIN_RUN
+```
+
+In Python:
+```python
+import os
+
+api_url = os.environ.get('MYPLN_API_URL', 'default_value')
+```
+
+## Localized Strings
+
+Settings and UI text support multiple languages. Define translations in the `name` and `description` arrays:
+
+```json
+{
+  "localized": ["name", "description"],
+  "name": [
+    {
+      "language_code": "en_us",
+      "string": "API URL"
+    },
+    {
+      "language_code": "es_es",
+      "string": "URL de API"
+    },
+    {
+      "language_code": "de_de",
+      "string": "API-URL"
+    }
+  ],
+  "description": [
+    {
+      "language_code": "en_us",
+      "string": "Enter the API endpoint URL"
+    },
+    {
+      "language_code": "es_es",
+      "string": "Ingrese la URL del endpoint de API"
+    },
+    {
+      "language_code": "de_de",
+      "string": "Geben Sie die API-Endpunkt-URL ein"
+    }
+  ]
+}
+```
+
+- `en_us` - English (required)
+
+
+## Examples
+
+### Example 1: Website Monitor Plugin
+
+```json
+{
+  "settings": [
+    {
+      "function": "RUN",
+      "type": {"dataType": "string", "elements": [{"elementType": "select", "elementOptions": [], "transformers": []}]},
+      "default_value": "disabled",
+      "options": ["disabled", "once", "schedule"],
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "When to run"}],
+      "description": [{"language_code": "en_us", "string": "Enable website monitoring"}]
+    },
+    {
+      "function": "RUN_SCHD",
+      "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+      "default_value": "*/5 * * * *",
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "Schedule"}],
+      "description": [{"language_code": "en_us", "string": "Cron format (default: every 5 minutes)"}]
+    },
+    {
+      "function": "CMD",
+      "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+      "default_value": "python3 /app/front/plugins/website_monitor/script.py urls={urls}",
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "Command"}],
+      "description": [{"language_code": "en_us", "string": "Command to execute"}]
+    },
+    {
+      "function": "RUN_TIMEOUT",
+      "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+      "default_value": "60",
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "Timeout"}],
+      "description": [{"language_code": "en_us", "string": "Maximum execution time in seconds"}]
+    },
+    {
+      "function": "URLS",
+      "type": {"dataType": "array", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+      "default_value": ["https://example.com"],
+      "maxLength": 200,
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "URLs to monitor"}],
+      "description": [{"language_code": "en_us", "string": "One URL per line"}]
+    },
+    {
+      "function": "WATCH",
+      "type": {"dataType": "array", "elements": [{"elementType": "select", "elementOptions": [{"isMultiSelect": true}], "transformers": []}]},
+      "default_value": ["Status_Code"],
+      "options": ["Status_Code", "Response_Time", "Certificate_Expiry"],
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "Watch columns"}],
+      "description": [{"language_code": "en_us", "string": "Which changes trigger notifications"}]
+    }
+  ]
+}
+```
+
+### Example 2: PiHole Integration Plugin
+
+```json
+{
+  "settings": [
+    {
+      "function": "RUN",
+      "type": {"dataType": "string", "elements": [{"elementType": "select", "elementOptions": [], "transformers": []}]},
+      "default_value": "disabled",
+      "options": ["disabled", "schedule"],
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "When to run"}],
+      "description": [{"language_code": "en_us", "string": "Enable PiHole integration"}]
+    },
+    {
+      "function": "DB_PATH",
+      "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [], "transformers": []}]},
+      "default_value": "/etc/pihole/pihole-FTL.db",
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "Database path"}],
+      "description": [{"language_code": "en_us", "string": "Path to pihole-FTL.db inside container"}]
+    },
+    {
+      "function": "API_KEY",
+      "type": {"dataType": "string", "elements": [{"elementType": "input", "elementOptions": [{"type": "password"}], "transformers": ["sha256"]}]},
+      "default_value": "",
+      "localized": ["name", "description"],
+      "name": [{"language_code": "en_us", "string": "API Key"}],
+      "description": [{"language_code": "en_us", "string": "PiHole API key (optional, stored securely)"}]
+    }
+  ]
+}
+```
+
+## Validation & Testing
+
+### Check Settings Are Recognized
+
+After saving your `config.json`:
+
+1. Restart the backend: Run task `[Dev Container] Start Backend (Python)`
+2. Open Settings page in UI
+3. Navigate to Plugin Settings
+4. Look for your plugin's settings
+
+### Read Setting Values in Script
+
+Test that values are accessible:
+
+```python
+from helper import get_setting_value
+
+# Try to read a setting
+value = get_setting_value('MYPLN_API_URL')
+mylog('none', f"Setting value: {value}")
+
+# Should print the user-configured value or default
+```
+
+### Debug Settings
+
+Check backend logs:
+
+```bash
+tail -f /tmp/log/stdout.log | grep -i "setting\|MYPLN"
+```
+
+## See Also
+
+- [Settings System Documentation](./SETTINGS_SYSTEM.md) - Full settings flow and lifecycle
+- [Quick Start Guide](PLUGINS_DEV_QUICK_START.md) - Get a working plugin quickly
+- [Plugin Data Contract](PLUGINS_DEV_DATA_CONTRACT.md) - Output data format
+- [UI Components](PLUGINS_DEV_UI_COMPONENTS.md) - Display plugin results
--- a/docs/PLUGINS_DEV_UI_COMPONENTS.md
+++ b/docs/PLUGINS_DEV_UI_COMPONENTS.md
@@ -0,0 +1,646 @@
+# Plugin UI Components
+
+Configure how your plugin's data is displayed in the NetAlertX web interface.
+
+## Overview
+
+Plugin results are displayed in the UI via the **Plugins page** and **Device details tabs**. You control the appearance and functionality of these displays by defining `database_column_definitions` in your plugin's `config.json`.
+
+Each column definition specifies:
+- Which data field to display
+- How to render it (label, link, color-coded badge, etc.)
+- What CSS classes to apply
+- What transformations to apply (regex, string replacement, etc.)
+
+## Column Definition Structure
+
+```json
+{
+  "column": "Object_PrimaryID",
+  "mapped_to_column": "devMac",
+  "mapped_to_column_data": null,
+  "css_classes": "col-sm-2",
+  "show": true,
+  "type": "device_mac",
+  "default_value": "",
+  "options": [],
+  "options_params": [],
+  "localized": ["name"],
+  "name": [
+    {
+      "language_code": "en_us",
+      "string": "MAC Address"
+    }
+  ]
+}
+```
+
+## Properties
+
+| Property | Type | Required | Description |
+|----------|------|----------|-------------|
+| `column` | string | **YES** | Source column name from data contract (e.g., `Object_PrimaryID`, `Watched_Value1`) |
+| `mapped_to_column` | string | no | Target database column if mapping to a table like `CurrentScan` |
+| `mapped_to_column_data` | object | no | Static value to map instead of using column data |
+| `css_classes` | string | no | Bootstrap CSS classes for width/spacing (e.g., `"col-sm-2"`, `"col-sm-6"`) |
+| `show` | boolean | **YES** | Whether to display in UI (must be `true` to appear) |
+| `type` | string | **YES** | How to render the value (see [Render Types](#render-types)) |
+| `default_value` | varies | **YES** | Default if column is empty |
+| `options` | array | no | Options for `select`/`threshold`/`replace`/`regex` types |
+| `options_params` | array | no | Dynamic options from SQL or settings |
+| `localized` | array | **YES** | Which properties need translations (e.g., `["name", "description"]`) |
+| `name` | array | **YES** | Display name in UI (localized strings) |
+| `description` | array | no | Help text in UI (localized strings) |
+| `maxLength` | number | no | Character limit for input fields |
+
+## Render Types
+
+### Display-Only Types
+
+These render as read-only display elements:
+
+#### `label`
+Plain text display (read-only).
+
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "label",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Status"}]
+}
+```
+
+**Output:** `online`
+
+---
+
+#### `device_mac`
+Renders as a clickable link to the device with the given MAC address.
+
+```json
+{
+  "column": "ForeignKey",
+  "show": true,
+  "type": "device_mac",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Device"}]
+}
+```
+
+**Input:** `aa:bb:cc:dd:ee:ff`
+**Output:** Clickable link to device details page
+
+---
+
+#### `device_ip`
+Resolves an IP address to a MAC address and creates a device link.
+
+```json
+{
+  "column": "Object_SecondaryID",
+  "show": true,
+  "type": "device_ip",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Host"}]
+}
+```
+
+**Input:** `192.168.1.100`
+**Output:** Link to device with that IP (if known)
+
+---
+
+#### `device_name_mac`
+Creates a device link with the target device's name as the link label.
+
+```json
+{
+  "column": "Object_PrimaryID",
+  "show": true,
+  "type": "device_name_mac",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Device Name"}]
+}
+```
+
+**Input:** `aa:bb:cc:dd:ee:ff`
+**Output:** Device name (clickable link to device)
+
+---
+
+#### `url`
+Renders as a clickable HTTP/HTTPS link.
+
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "url",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Endpoint"}]
+}
+```
+
+**Input:** `https://example.com/api`
+**Output:** Clickable link
+
+---
+
+#### `url_http_https`
+Creates two links (HTTP and HTTPS) as lock icons for the given IP/hostname.
+
+```json
+{
+  "column": "Object_SecondaryID",
+  "show": true,
+  "type": "url_http_https",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Web Links"}]
+}
+```
+
+**Input:** `192.168.1.50`
+**Output:** 🔓 HTTP link | 🔒 HTTPS link
+
+---
+
+#### `textarea_readonly`
+Multi-line read-only display with newlines preserved.
+
+```json
+{
+  "column": "Extra",
+  "show": true,
+  "type": "textarea_readonly",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Details"}]
+}
+```
+
+---
+
+### Interactive Types
+
+#### `textbox_save`
+User-editable text box that persists changes to the database (typically `UserData` column).
+
+```json
+{
+  "column": "UserData",
+  "show": true,
+  "type": "textbox_save",
+  "default_value": "",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Notes"}]
+}
+```
+
+---
+
+### Styled/Transformed Types
+
+#### `label` with `threshold`
+
+Color-codes values based on ranges. Useful for status codes, latency, capacity percentages.
+
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "threshold",
+  "options": [
+    {
+      "maximum": 199,
+      "hexColor": "#792D86"  // Purple for <199
+    },
+    {
+      "maximum": 299,
+      "hexColor": "#5B862D"  // Green for 200-299
+    },
+    {
+      "maximum": 399,
+      "hexColor": "#7D862D"  // Orange for 300-399
+    },
+    {
+      "maximum": 499,
+      "hexColor": "#BF6440"  // Red-orange for 400-499
+    },
+    {
+      "maximum": 999,
+      "hexColor": "#D33115"  // Dark red for 500+
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "HTTP Status"}]
+}
+```
+
+**How it works:**
+
+- Value `150` → Purple (≤199)
+- Value `250` → Green (≤299)
+- Value `350` → Orange (≤399)
+- Value `450` → Red-orange (≤499)
+- Value `550` → Dark red (>500)
+
+---
+
+#### `replace`
+Replaces specific values with display strings or HTML.
+
+```json
+{
+  "column": "Watched_Value2",
+  "show": true,
+  "type": "replace",
+  "options": [
+    {
+      "equals": "online",
+      "replacement": "<i class='fa-solid fa-circle' style='color: green;'></i> Online"
+    },
+    {
+      "equals": "offline",
+      "replacement": "<i class='fa-solid fa-circle' style='color: red;'></i> Offline"
+    },
+    {
+      "equals": "idle",
+      "replacement": "<i class='fa-solid fa-circle' style='color: yellow;'></i> Idle"
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Status"}]
+}
+```
+
+**Output Examples:**
+- `"online"` → 🟢 Online
+- `"offline"` → 🔴 Offline
+- `"idle"` → 🟡 Idle
+
+---
+
+#### `regex`
+Applies a regular expression to extract/transform values.
+
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "regex",
+  "options": [
+    {
+      "type": "regex",
+      "param": "([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "IP Address"}]
+}
+```
+
+- **Input:** `Host: 192.168.1.100 Port: 8080`
+- **Output:** `192.168.1.100`
+
+---
+
+#### `eval`
+Evaluates JavaScript code with access to the column value (use `${value}` or `{value}`).
+
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "eval",
+  "default_value": "",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Formatted Value"}]
+}
+```
+
+**Example with custom formatting:**
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "eval",
+  "options": [
+    {
+      "type": "eval",
+      "param": "`<b>${value}</b> units`"
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Value with Units"}]
+}
+```
+
+- **Input:** `42`
+- **Output:** **42** units
+
+---
+
+### Chaining Types
+
+You can chain multiple transformations with dot notation:
+
+```json
+{
+  "column": "Watched_Value3",
+  "show": true,
+  "type": "regex.url_http_https",
+  "options": [
+    {
+      "type": "regex",
+      "param": "([\\d.:]+)"  // Extract IP/host
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "HTTP/S Links"}]
+}
+```
+
+**Flow:**
+
+1. Apply regex to extract `192.168.1.50` from input
+2. Create HTTP/HTTPS links for that host
+
+---
+
+## Dynamic Options
+
+### SQL-Driven Select
+
+Use SQL query results to populate dropdown options:
+
+```json
+{
+  "column": "Watched_Value2",
+  "show": true,
+  "type": "select",
+  "options": ["{value}"],
+  "options_params": [
+    {
+      "name": "value",
+      "type": "sql",
+      "value": "SELECT devType as id, devType as name FROM Devices UNION SELECT 'Unknown' as id, 'Unknown' as name ORDER BY id"
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Device Type"}]
+}
+```
+
+The SQL query must return exactly **2 columns:**
+
+- **First column (id):** Option value
+- **Second column (name):** Display label
+
+---
+
+### Setting-Driven Select
+
+Use plugin settings to populate options:
+
+```json
+{
+  "column": "Watched_Value1",
+  "show": true,
+  "type": "select",
+  "options": ["{value}"],
+  "options_params": [
+    {
+      "name": "value",
+      "type": "setting",
+      "value": "MYPLN_AVAILABLE_STATUSES"
+    }
+  ],
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Status"}]
+}
+```
+
+---
+
+## Mapping to Database Tables
+
+### Mapping to `CurrentScan`
+
+To import plugin data into the device scan pipeline (for notifications, heuristics, etc.):
+
+1. Add `"mapped_to_table": "CurrentScan"` at the root level of `config.json`
+2. Add `"mapped_to_column"` property to each column definition
+
+```json
+{
+  "code_name": "my_device_scanner",
+  "unique_prefix": "MYSCAN",
+  "mapped_to_table": "CurrentScan",
+  "database_column_definitions": [
+    {
+      "column": "Object_PrimaryID",
+      "mapped_to_column": "cur_MAC",
+      "show": true,
+      "type": "device_mac",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "MAC Address"}]
+    },
+    {
+      "column": "Object_SecondaryID",
+      "mapped_to_column": "cur_IP",
+      "show": true,
+      "type": "device_ip",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "IP Address"}]
+    },
+    {
+      "column": "NameDoesntMatter",
+      "mapped_to_column": "cur_ScanMethod",
+      "mapped_to_column_data": {
+        "value": "MYSCAN"
+      },
+      "show": true,
+      "type": "label",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "Scan Method"}]
+    }
+  ]
+}
+```
+
+---
+
+### Using Static Values
+
+Use `mapped_to_column_data` to map a static value instead of reading from a column:
+
+```json
+{
+  "column": "NameDoesntMatter",
+  "mapped_to_column": "cur_ScanMethod",
+  "mapped_to_column_data": {
+    "value": "MYSCAN"
+  },
+  "show": true,
+  "type": "label",
+  "localized": ["name"],
+  "name": [{"language_code": "en_us", "string": "Discovery Method"}]
+}
+```
+
+This always sets `cur_ScanMethod` to `"MYSCAN"` regardless of column data.
+
+---
+
+## Filters
+
+Control which rows are displayed based on filter conditions. Filters are applied on the client-side in JavaScript.
+
+```json
+{
+  "data_filters": [
+    {
+      "compare_column": "Object_PrimaryID",
+      "compare_operator": "==",
+      "compare_field_id": "txtMacFilter",
+      "compare_js_template": "'{value}'.toString()",
+      "compare_use_quotes": true
+    }
+  ]
+}
+```
+
+| Property | Description |
+|----------|-------------|
+| `compare_column` | The column from plugin results to compare (left side) |
+| `compare_operator` | JavaScript operator: `==`, `!=`, `<`, `>`, `<=`, `>=`, `includes`, `startsWith` |
+| `compare_field_id` | HTML input field ID containing the filter value (right side) |
+| `compare_js_template` | JavaScript template to transform values. Use `{value}` placeholder |
+| `compare_use_quotes` | If `true`, wrap result in quotes for string comparison |
+
+**Example: Filter by MAC address**
+
+```json
+{
+  "data_filters": [
+    {
+      "compare_column": "ForeignKey",
+      "compare_operator": "==",
+      "compare_field_id": "txtMacFilter",
+      "compare_js_template": "'{value}'.toString()",
+      "compare_use_quotes": true
+    }
+  ]
+}
+```
+
+When viewing a device detail page, the `txtMacFilter` field is populated with that device's MAC, and only rows where `ForeignKey == MAC` are shown.
+
+---
+
+## Example: Complete Column Definitions
+
+```json
+{
+  "database_column_definitions": [
+    {
+      "column": "Object_PrimaryID",
+      "mapped_to_column": "cur_MAC",
+      "css_classes": "col-sm-2",
+      "show": true,
+      "type": "device_mac",
+      "default_value": "",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "MAC Address"}]
+    },
+    {
+      "column": "Object_SecondaryID",
+      "mapped_to_column": "cur_IP",
+      "css_classes": "col-sm-2",
+      "show": true,
+      "type": "device_ip",
+      "default_value": "unknown",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "IP Address"}]
+    },
+    {
+      "column": "DateTime",
+      "css_classes": "col-sm-2",
+      "show": true,
+      "type": "label",
+      "default_value": "",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "Last Seen"}]
+    },
+    {
+      "column": "Watched_Value1",
+      "css_classes": "col-sm-2",
+      "show": true,
+      "type": "threshold",
+      "options": [
+        {"maximum": 199, "hexColor": "#792D86"},
+        {"maximum": 299, "hexColor": "#5B862D"},
+        {"maximum": 399, "hexColor": "#7D862D"},
+        {"maximum": 499, "hexColor": "#BF6440"},
+        {"maximum": 999, "hexColor": "#D33115"}
+      ],
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "HTTP Status"}]
+    },
+    {
+      "column": "Watched_Value2",
+      "css_classes": "col-sm-1",
+      "show": true,
+      "type": "label",
+      "default_value": "",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "Response Time"}]
+    },
+    {
+      "column": "Extra",
+      "css_classes": "col-sm-3",
+      "show": true,
+      "type": "textarea_readonly",
+      "default_value": "",
+      "localized": ["name"],
+      "name": [{"language_code": "en_us", "string": "Additional Info"}]
+    }
+  ]
+}
+```
+
+---
+
+## CSS Classes
+
+Use Bootstrap grid classes to control column widths in tables:
+
+| Class | Width | Usage |
+|-------|-------|-------|
+| `col-sm-1` | ~8% | Very narrow (icons, status) |
+| `col-sm-2` | ~16% | Narrow (MACs, IPs) |
+| `col-sm-3` | ~25% | Medium (names, URLs) |
+| `col-sm-4` | ~33% | Medium-wide (descriptions) |
+| `col-sm-6` | ~50% | Wide (large content) |
+
+---
+
+## Validation Checklist
+
+- [ ] All columns have `"show": true` or `false`
+- [ ] Display columns with `"type"` specified from supported types
+- [ ] Localized strings include at least `en_us`
+- [ ] `mapped_to_column` matches target table schema (if using mapping)
+- [ ] Options/thresholds have correct structure
+- [ ] CSS classes are valid Bootstrap grid classes
+- [ ] Chaining types (e.g., `regex.url_http_https`) are supported combinations
+
+---
+
+## See Also
+
+- [Plugin Data Contract](PLUGINS_DEV_DATA_CONTRACT.md) - What data fields are available
+- [Plugin Settings System](PLUGINS_DEV_SETTINGS.md) - Configure user input
+- [Database Mapping](PLUGINS_DEV.md#-mapping-the-plugin-results-into-a-database-table) - Map data to core tables
+- [Debugging Plugins](DEBUG_PLUGINS.md) - Troubleshoot display issues
--- a/docs/PUID_PGID_SECURITY.md
+++ b/docs/PUID_PGID_SECURITY.md
@@ -0,0 +1,30 @@
+# PUID/PGID Security — Why the entrypoint requires numeric IDs
+
+## Purpose
+
+This short document explains the security rationale behind the root-priming entrypoint's validation of runtime user IDs (`PUID`) and group IDs (`PGID`). The validation is intentionally strict and is a safety measure to prevent environment-variable-based command injection when running as root during the initial priming stage.
+
+## Key points
+
+- The entrypoint accepts only values that are strictly numeric (digits only). Non-numeric values are treated as malformed and are a fatal error.
+- The fatal check exists to prevent *injection* or accidental shell interpretation of environment values while the container runs as root (e.g., `PUID="20211 && rm -rf /"`).
+- There is **no artificial upper bound** enforced by the validation — any numeric UID/GID is valid (for example, `100000` is acceptable).
+
+## Behavior on malformed input
+
+- If `PUID` or `PGID` cannot be parsed as numeric (digits-only), the entrypoint prints an explicit security message to stderr and exits with a non-zero status.
+- This is a deliberate, conservative safety measure — we prefer failing fast on potentially dangerous input rather than continuing with root-privileged operations.
+
+## Operator guidance
+
+- Always supply numeric values for `PUID` and `PGID` in your environment (via `docker-compose.yml`, `docker run -e`, or equivalent). Example: `PUID=20211`.
+- If you need to run with a high-numbered UID/GID (e.g., `100000`), that is fine — the entrypoint allows it as long as the value is numeric.
+- Don’t pass shell meta-characters, spaces, or compound commands in `PUID` or `PGID` — those will be rejected as malformed and cause the container to exit.
+
+## Related docs
+
+- See `docs/docker-troubleshooting/file-permissions.md` for general permission troubleshooting and guidance about setting `PUID`/`PGID`.
+
+---
+
+*Document created to clarify the security behavior of the root-priming entrypoint (PUID/PGID validation).*
--- a/docs/README.md
+++ b/docs/README.md
@@ -13,13 +13,13 @@ There is also an in-app Help / FAQ section that should be answering frequently a

 #### 🐳 Docker (Fully supported)

- The main installation method is as a [docker container - follow these instructions here](./DOCKER_INSTALLATION.md). 
+- The main installation method is as a [docker container - follow these instructions here](./DOCKER_INSTALLATION.md).

 #### 💻 Bare-metal / On-server (Experimental/community supported 🧪)

- [(Experimental 🧪) On-hardware instructions](./HW_INSTALL.md) 
+- [(Experimental 🧪) On-hardware instructions](./HW_INSTALL.md)

- Alternative bare-metal install forks: 
+- Alternative bare-metal install forks:
  - [leiweibau's fork](https://github.com/leiweibau/Pi.Alert/) (maintained)
  - [pucherot's original code](https://github.com/pucherot/Pi.Alert/) (un-maintained)

@@ -63,7 +63,6 @@ There is also an in-app Help / FAQ section that should be answering frequently a

 #### ♻ Misc

- [Version history (legacy)](./VERSIONS_HISTORY.md)
 - [Reverse proxy (Nginx, Apache, SWAG)](./REVERSE_PROXY.md)
 - [Installing Updates](./UPDATES.md)
 - [Setting up Authelia](./AUTHELIA.md) (DRAFT)
@@ -80,27 +79,27 @@ There is also an in-app Help / FAQ section that should be answering frequently a
 - [Frontend development tips](./FRONTEND_DEVELOPMENT.md)
 - [Webhook secrets](./WEBHOOK_SECRET.md)

-Feel free to suggest or submit new docs via a PR. 
+Feel free to suggest or submit new docs via a PR.

 ## 👨‍💻 Development priorities

 Priorities from highest to lowest:

 * 🔼 Fixing core functionality bugs not solvable with workarounds
-* 🔵 New core functionality unlocking other opportunities (e.g.: plugins) 
-* 🔵 Refactoring enabling faster implementation of future functionality 
+* 🔵 New core functionality unlocking other opportunities (e.g.: plugins)
+* 🔵 Refactoring enabling faster implementation of future functionality
 * 🔽 (low) UI functionality & improvements (PRs welcome 😉)

-Design philosophy: Focus on core functionality and leverage existing apps and tools to make NetAlertX integrate into other workflows. 
+Design philosophy: Focus on core functionality and leverage existing apps and tools to make NetAlertX integrate into other workflows.

-Examples: 
+Examples:

    1. Supporting apprise makes more sense than implementing multiple individual notification gateways
-    2. Implementing regular expression support across settings for validation makes more sense than validating one setting with a specific expression. 
+    2. Implementing regular expression support across settings for validation makes more sense than validating one setting with a specific expression.

 UI-specific requests are a low priority as the framework picked by the original developer is not very extensible (and afaik doesn't support components) and has limited mobile support. Also, I argue the value proposition is smaller than working on something else.

-Feel free to submit PRs if interested. try to **keep the PRs small/on-topic** so they are easier to review and approve. 
+Feel free to submit PRs if interested. try to **keep the PRs small/on-topic** so they are easier to review and approve.

 That being said, I'd reconsider if more people and or recurring sponsors file a request 😉.

@@ -112,8 +111,8 @@ Please be as detailed as possible with **workarounds** you considered and why a

 If you submit a PR please:

-1. Check that your changes are backward compatible with existing installations and with a blank setup. 
-2. Existing features should always be preserved. 
+1. Check that your changes are backward compatible with existing installations and with a blank setup.
+2. Existing features should always be preserved.
 3. Keep the PR small, on-topic and don't change code that is not necessary for the PR to work
 4. New features code should ideally be re-usable for different purposes, not for a very narrow use case.
 5. New functionality should ideally be implemented via the Plugins system, if possible.
@@ -131,13 +130,13 @@ Suggested test cases:
 Some additional context:

 * Permanent settings/config is stored in the `app.conf` file
-* Currently temporary (session?) settings are stored in the `Parameters` DB table as key-value pairs. This table is wiped during a container rebuild/restart and its values are re-initialized from cookies/session data from the browser. 
+* Currently temporary (session?) settings are stored in the `Parameters` DB table as key-value pairs. This table is wiped during a container rebuild/restart and its values are re-initialized from cookies/session data from the browser.

 ## 🐛 Submitting an issue or bug

 Before submitting a new issue please spend a couple of minutes on research:

-* Check [🛑 Common issues](./DEBUG_TIPS.md#common-issues) 
+* Check [🛑 Common issues](./DEBUG_TIPS.md#common-issues)
 * Check [💡 Closed issues](https://github.com/jokob-sk/NetAlertX/issues?q=is%3Aissue+is%3Aclosed) if a similar issue was solved in the past.
 * When submitting an issue ❗[enable debug](./DEBUG_TIPS.md)❗

--- a/docs/REVERSE_DNS.md
+++ b/docs/REVERSE_DNS.md
@@ -2,21 +2,21 @@

 If you are running a DNS server, such as **AdGuard**, set up **Private reverse DNS servers** for a better name resolution on your network. Enabling this setting will enable NetAlertX to execute dig and nslookup commands to automatically resolve device names based on their IP addresses.

-> [!TIP]  
-> Before proceeding, ensure that [name resolution plugins](/local_data_dir/NAME_RESOLUTION.md) are enabled.  
-> You can customize how names are cleaned using the `NEWDEV_NAME_CLEANUP_REGEX` setting.  
+> [!TIP]
+> Before proceeding, ensure that [name resolution plugins](/local_data_dir/NAME_RESOLUTION.md) are enabled.
+> You can customize how names are cleaned using the `NEWDEV_NAME_CLEANUP_REGEX` setting.
 > To auto-update Fully Qualified Domain Names (FQDN), enable the `REFRESH_FQDN` setting.


 > Example 1: Reverse DNS `disabled`
-> 
+>
 > ```
 > jokob@Synology-NAS:/$ nslookup 192.168.1.58
 > ** server can't find 58.1.168.192.in-addr.arpa: NXDOMAIN
 > ```

 > Example 2: Reverse DNS `enabled`
-> 
+>
 > ```
 > jokob@Synology-NAS:/$ nslookup 192.168.1.58
 > 45.1.168.192.in-addr.arpa       name = jokob-NUC.localdomain.
@@ -33,23 +33,14 @@ If you are running a DNS server, such as **AdGuard**, set up **Private reverse D

 ### Specifying the DNS in the container

-You can specify the DNS server in the docker-compose to improve name resolution on your network. 
+You can specify the DNS server in the docker-compose to improve name resolution on your network.

 ```yaml
 services:
  netalertx:
    container_name: netalertx
    image: "ghcr.io/jokob-sk/netalertx:latest"
-    restart: unless-stopped
-    volumes:
-      -  /local_data_dir/config:/data/config
-      -  /local_data_dir/db:/data/db
-      # -  /local_data_dir/log:/tmp/log
-      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
-      - /etc/localtime:/etc/localtime:ro    
-    environment:
-      - PORT=20211
-    network_mode: host
+...
    dns:           # specifying the DNS servers used for the container
      - 10.8.0.1
      - 10.8.0.17
@@ -57,27 +48,18 @@ services:

 ### Using a custom resolv.conf file

-You can configure a custom **/etc/resolv.conf** file in **docker-compose.yml** and set the nameserver to your LAN DNS server (e.g.: Pi-Hole). See the relevant [resolv.conf man](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html) entry for details. 
+You can configure a custom **/etc/resolv.conf** file in **docker-compose.yml** and set the nameserver to your LAN DNS server (e.g.: Pi-Hole). See the relevant [resolv.conf man](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html) entry for details.

 #### docker-compose.yml:

 ```yaml
-version: "3"
 services:
  netalertx:
    container_name: netalertx
-    image: "ghcr.io/jokob-sk/netalertx:latest"
-    restart: unless-stopped
    volumes:
-      - /local_data_dir/config/app.conf:/data/config/app.conf
-      - /local_data_dir/db:/data/db
-      - /local_data_dir/log:/tmp/log
+...
      - /local_data_dir/config/resolv.conf:/etc/resolv.conf                          # ⚠ Mapping the /resolv.conf file for better name resolution
-      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
-      - /etc/localtime:/etc/localtime:ro    
-    environment:
-      - PORT=20211
-    network_mode: host
+...
 ```

 #### /local_data_dir/config/resolv.conf:
--- a/docs/REVERSE_PROXY.md
+++ b/docs/REVERSE_PROXY.md
--- a/docs/SESSION_INFO.md
+++ b/docs/SESSION_INFO.md
@@ -1,62 +1,64 @@
-# Sessions Section in Device View
+# Sessions Section – Device View

-The **Sessions Section** provides details about a device's connection history. This data is automatically detected and cannot be edited by the user.
+The **Sessions Section** shows a device’s connection history. All data is automatically detected and **cannot be edited**.

- ![Session info](./img/SESSION_INFO/DeviceDetails_SessionInfo.png)
+![Session info](./img/SESSION_INFO/DeviceDetails_SessionInfo.png)

 ---

 ## Key Fields

-1. **Date and Time of First Connection**
-   - **Description:** Displays the first detected connection time for the device.
-   - **Editability:** Uneditable (auto-detected).
-   - **Source:** Automatically captured when the device is first added to the system.
-
-2. **Date and Time of Last Connection**
-   - **Description:** Shows the most recent time the device was online.
-   - **Editability:** Uneditable (auto-detected).
-   - **Source:** Updated with every new connection event.
-
-3. **Offline Devices with Missing or Conflicting Data**
-   - **Description:** Handles cases where a device is offline but has incomplete or conflicting session data (e.g., missing start times).
-   - **Handling:** The system flags these cases for review and attempts to infer missing details.
+| Field                          | Description                                                                                      | Editable?       |
+| ------------------------------ | ------------------------------------------------------------------------------------------------ | --------------- |
+| **First Connection**           | The first time the device was detected on the network.                                           | ❌ Auto-detected |
+| **Last Connection**            | The most recent time the device was online.                                                      | ❌ Auto-detected |

 ---

-## How Sessions are Discovered and Calculated
+## How Session Information Works

 ### 1. Detecting New Devices
-When a device is first detected in the network, the system logs it in the events table:

-`INSERT INTO Events (eve_MAC, eve_IP, eve_DateTime, eve_EventType, eve_AdditionalInfo, eve_PendingAlertEmail) SELECT cur_MAC, cur_IP, '{startTime}', 'New Device', cur_Vendor, 1 FROM CurrentScan WHERE NOT EXISTS (SELECT 1 FROM Devices WHERE devMac = cur_MAC)`
+* New devices are automatically detected when they first appear on the network.
+* A **New Device** record is created, capturing the MAC, IP, vendor, and detection time.

- Devices scanned in the current cycle (**CurrentScan**) are checked against the **Devices** table.
- If a device is new:
-  - A **New Device** event is logged.
-  - The device’s MAC, IP, vendor, and detection time are recorded.
+### 2. Recording Connection Sessions

-### 2. Logging Connection Sessions
-When a new connection is detected, the system creates a session record:
+* Every time a device connects, a session entry is created.
+* Captured details include:

-`INSERT INTO Sessions (ses_MAC, ses_IP, ses_EventTypeConnection, ses_DateTimeConnection, ses_EventTypeDisconnection, ses_DateTimeDisconnection, ses_StillConnected, ses_AdditionalInfo) SELECT cur_MAC, cur_IP, 'Connected', '{startTime}', NULL, NULL, 1, cur_Vendor FROM CurrentScan WHERE NOT EXISTS (SELECT 1 FROM Sessions WHERE ses_MAC = cur_MAC)`
-
- A new session is logged in the **Sessions** table if no prior session exists.
- Fields like `MAC`, `IP`, `Connection Type`, and `Connection Time` are populated.
- The `Still Connected` flag is set to `1` (active connection).
+  * Connection type (wired or wireless)
+  * Connection time
+  * Device details (MAC, IP, vendor)

 ### 3. Handling Missing or Conflicting Data
- Devices with incomplete or conflicting session data (e.g., missing start times) are detected.
- The system flags these records and attempts corrections by inferring details from available data.
+
+* **Triggers:**
+  Devices are flagged when session data is incomplete, inconsistent, or conflicting. Examples include:
+
+  * Missing first or last connection timestamps
+  * Overlapping session records
+  * Sessions showing a device as connected and disconnected at the same time
+
+* **System response:**
+
+  * Automatically highlights affected devices in the **Sessions Section**.
+  * Attempts to **infer missing information** from available data, such as:
+
+    * Estimating first or last connection times from nearby session events
+    * Correcting overlapping session periods
+    * Reconciling conflicting connection statuses
+
+* **User impact:**
+
+  * Users do **not** need to manually fix session data.
+  * The system ensures the device’s connection history remains as accurate as possible for monitoring and reporting.

 ### 4. Updating Sessions
- When a device reconnects, its session is updated with a new connection timestamp.
- When a device disconnects:
-  - The **Disconnection Time** is recorded.
-  - The `Still Connected` flag is set to `0`.

-The session information is then used to display the device presence under **Monitoring** -> **Presence**.
+* **Reconnect:** Updates session with the new connection timestamp.
+* **Disconnect:** Records disconnection time and marks the device as offline.
+
+This session information feeds directly into **Monitoring → Presence**, providing a live view of which devices are currently online.

 ![Monitoring Device Presence](./img/SESSION_INFO/Monitoring_Presence.png)
-
-
--- a/docs/SETTINGS_SYSTEM.md
+++ b/docs/SETTINGS_SYSTEM.md
@@ -1,16 +1,16 @@
 ## ⚙ Setting system

-This is an explanation how settings are handled intended for anyone thinking about writing their own plugin or contributing to the project. 
+This is an explanation how settings are handled intended for anyone thinking about writing their own plugin or contributing to the project.

-If you are a user of the app, settings have a detailed description in the _Settings_ section of the app. Open an issue if you'd like to clarify any of the settings. 
+If you are a user of the app, settings have a detailed description in the _Settings_ section of the app. Open an issue if you'd like to clarify any of the settings.

 ### 🛢 Data storage

-The source of truth for user-defined values is the `app.conf` file. Editing the file makes the App overwrite values in the `Settings` database table and in the `table_settings.json` file. 
+The source of truth for user-defined values is the `app.conf` file. Editing the file makes the App overwrite values in the `Settings` database table and in the `table_settings.json` file.

 #### Settings database table

-The `Settings` database table contains settings for App run purposes. The table is recreated every time the App restarts. The settings are loaded from the source-of-truth, that is the `app.conf` file. A high-level overview on the database structure can be found in the [database documentation](./DATABASE.md). 
+The `Settings` database table contains settings for App run purposes. The table is recreated every time the App restarts. The settings are loaded from the source-of-truth, that is the `app.conf` file. A high-level overview on the database structure can be found in the [database documentation](./DATABASE.md).

 #### table_settings.json

@@ -22,23 +22,23 @@ The json file is also cached on the client-side local storage of the browser.

 #### app.conf

-> [!NOTE] 
+> [!NOTE]
 > This is the source of truth for settings. User-defined values in this files always override default values specified in the Plugin definition.

 The App generates two `app.conf` entries for every setting (Since version 23.8+). One entry is the setting value, the second is the `__metadata` associated with the setting. This `__metadata` entry contains the full setting definition in JSON format. Currently unused, but intended to be used in future to extend the Settings system.

 #### Plugin settings

-> [!NOTE] 
+> [!NOTE]
 > This is the preferred way adding settings going forward. I'll be likely migrating all app settings into plugin-based settings.

-Plugin settings are loaded dynamically from the `config.json` of individual plugins. If a setting isn't defined in the `app.conf` file, it is initialized via the `default_value` property of a setting from the `config.json` file. Check the [Plugins documentation](https://github.com/jokob-sk/NetAlertX/blob/main/docs/PLUGINS.md#-setting-object-structure), section `⚙ Setting object structure` for details on the structure of the setting.
+Plugin settings are loaded dynamically from the `config.json` of individual plugins. If a setting isn't defined in the `app.conf` file, it is initialized via the `default_value` property of a setting from the `config.json` file. Check the [Plugins documentation](https://docs.netalertx.com/PLUGINS#-setting-object-structure), section `⚙ Setting object structure` for details on the structure of the setting.

 ![Screen 1][screen1]

 ### Settings Process flow

-The process flow is mostly managed by the [initialise.py](/server/initialise.py) file. 
+The process flow is mostly managed by the [initialise.py](/server/initialise.py) file.

 The script is responsible for reading user-defined values from a configuration file (`app.conf`), initializing settings, and importing them into a database. It also handles plugins and their configurations.

--- a/docs/SYNOLOGY_GUIDE.md
+++ b/docs/SYNOLOGY_GUIDE.md
@@ -1,75 +1,122 @@
 # Installation on a Synology NAS

-There are different ways to install NetAlertX on a Synology, including SSH-ing into the machine and using the command line. For this guide, we will use the Project option in Container manager. 
+There are different ways to install NetAlertX on a Synology, including SSH-ing into the machine and using the command line. For this guide, we will use the Project option in Container manager.

 ## Create the folder structure

-The folders you are creating below will contain the configuration and the database. Back them up regularly. 
+The folders you are creating below will contain the configuration and the database. Back them up regularly.

 1. Create a parent folder named `netalertx`
 2. Create a `db` sub-folder

-![Folder structure](./img/SYNOLOGY/01_Create_folder_structure.png)
-![Folder structure](./img/SYNOLOGY/02_Create_folder_structure_db.png)
-![Folder structure](./img/SYNOLOGY/03_Create_folder_structure_db.png)
+  ![Folder structure](./img/SYNOLOGY/01_Create_folder_structure.png)
+  ![Folder structure](./img/SYNOLOGY/02_Create_folder_structure_db.png)
+  ![Folder structure](./img/SYNOLOGY/03_Create_folder_structure_db.png)

 3. Create a `config` sub-folder

-![Folder structure](./img/SYNOLOGY/04_Create_folder_structure_config.png)
+  ![Folder structure](./img/SYNOLOGY/04_Create_folder_structure_config.png)

 4. Note down the folders Locations:

-![Getting the location](./img/SYNOLOGY/05_Access_folder_properties.png)
-![Getting the location](./img/SYNOLOGY/06_Note_location.png)
+  ![Getting the location](./img/SYNOLOGY/05_Access_folder_properties.png)
+  ![Getting the location](./img/SYNOLOGY/06_Note_location.png)

-5. Open **Container manager** -> **Project** and click **Create**.
-6. Fill in the details:
+## Creating the Project
+
+1. Open **Container manager** -> **Project** and click **Create**.
+2. Fill in the details:

 - Project name: `netalertx`
 - Path: `/app_storage/netalertx` (will differ from yours)
 - Paste in the following template:

+
 ```yaml
-version: "3"
 services:
  netalertx:
    container_name: netalertx
    # use the below line if you want to test the latest dev image
-    # image: "ghcr.io/jokob-sk/netalertx-dev:latest" 
-    image: "ghcr.io/jokob-sk/netalertx:latest"      
-    network_mode: "host"        
+    # image: "ghcr.io/jokob-sk/netalertx-dev:latest"
+    image: "ghcr.io/jokob-sk/netalertx:latest"
+    network_mode: "host"
    restart: unless-stopped
+    cap_drop:       # Drop all capabilities for enhanced security
+      - ALL
+    cap_add:        # Re-add necessary capabilities
+      - NET_RAW
+      - NET_ADMIN
+      - NET_BIND_SERVICE
    volumes:
-      - local/path/config:/data/config
-      - local/path/db:/data/db      
-      # (optional) useful for debugging if you have issues setting up the container
-      - local/path/logs:/tmp/log
-      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
-      - /etc/localtime:/etc/localtime:ro    
+      - /app_storage/netalertx:/data
+      # to sync with system time
+      - /etc/localtime:/etc/localtime:ro
+    tmpfs:
+      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
+      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
      - PORT=20211
 ```

-![Project settings](./img/SYNOLOGY/07_Create_project.png)
+  ![Project settings](./img/SYNOLOGY/07_Create_project.png)

-7. Replace the paths to your volume and comment out unnecessary line(s):
+3. Replace the paths to your volume and comment out unnecessary line(s).

- This is only an example, your paths will differ.
+> This is only an example, your paths will differ.

 ```yaml
- volumes:
-      - /volume1/app_storage/netalertx/config:/data/config
-      - /volume1/app_storage/netalertx/db:/data/db      
-      # (optional) useful for debugging if you have issues setting up the container
-      # - local/path/logs:/tmp/log <- commented out with # ⚠
+volumes:
+      - /volume1/app_storage/netalertx:/data
 ```

-![Adjusting docker-compose](./img/SYNOLOGY/08_Adjust_docker_compose_volumes.png)
+  ![Adjusting docker-compose](./img/SYNOLOGY/08_Adjust_docker_compose_volumes.png)

-8. (optional) Change the port number from `20211` to an unused port if this port is already used.
-9. Build the project:
+4. (optional) Change the port number from `20211` to an unused port if this port is already used.
+5. Build the project:

-![Build](./img/SYNOLOGY/09_Run_and_build.png)
+  ![Build](./img/SYNOLOGY/09_Run_and_build.png)

 10. Navigate to `<Synology URL>:20211` (or your custom port).
-11. Read the [Subnets](./SUBNETS.md) and [Plugins](/docs/PLUGINS.md) docs to complete your setup. 
+11. Read the [Subnets](./SUBNETS.md) and [Plugins](/docs/PLUGINS.md) docs to complete your setup.
+
+## Solving permission issues
+
+  See also the [Permission overview guide](./FILE_PERMISSIONS.md).
+
+### Configuring the permissions via SSH
+
+> [!TIP]
+> If you are facing permissions issues run the following commands on your server. This will change the owner and assure sufficient access to the database and config files that are stored in the `/local_data_dir/db` and `/local_data_dir/config` folders (replace `local_data_dir` with the location where your `/db` and `/config` folders are located).
+>
+>  `sudo chown -R 20211:20211 /local_data_dir`
+>
+>  `sudo chmod -R a+rwx  /local_data_dir`
+>
+
+### Configuring the permissions via the Synology UI
+
+You can also execute the above bash commands via the UI by creating a one-off scheduled task.
+
+1. Control panel -> Task Scheduler
+2. Create -> Scheduled Task -> User-defined Script
+
+  ![User-defined Script](./img/SYNOLOGY/11_permissions_create_scheduled_task.png)
+
+3. Give your task a name.
+
+  ![User-defined task_general](./img/SYNOLOGY/12_permissions_task_general.png)
+
+4. Specify one-off execution time (e.g. 5 minutes from now).
+
+  ![task_schedule](./img/SYNOLOGY/13_permissions_task_schedule.png)
+
+5. Paste the commands from the above SSH section and replace the `/local_data_dir` with the parent fodler of your `/db` and `/config` folders.
+
+  ![task_settings](./img/SYNOLOGY/14_permissions_task_settings.png)
+
+6. Wait until the execution time passes and verify the new ownership.
+
+  ![permissions_after](./img/SYNOLOGY/15_permissions_after.png)
+
+
+In case of issues, double-check the [Permission overview guide](./FILE_PERMISSIONS.md).
--- a/docs/UPDATES.md
+++ b/docs/UPDATES.md
@@ -1,7 +1,8 @@
 # Docker Update Strategies to upgrade NetAlertX

-> [!WARNING] 
+> [!WARNING]
 > For versions prior to `v25.6.7` upgrade to version `v25.5.24` first (`docker pull ghcr.io/jokob-sk/netalertx:25.5.24`) as later versions don't support a full upgrade. Alternatively, devices and settings can be migrated manually, e.g. via [CSV import](./DEVICES_BULK_EDITING.md).
+> See the [Migration guide](./MIGRATION.md) for details.

 This guide outlines approaches for updating Docker containers, usually when upgrading to a newer version of NetAlertX. Each method offers different benefits depending on the situation. Here are the methods:

@@ -15,7 +16,7 @@ You can choose any approach that fits your workflow.
 > In the examples I assume that the container name is `netalertx` and the image name is `netalertx` as well.

 > [!NOTE]
-> See also [Backup strategies](./BACKUPS.md) to be on the safe side.  
+> See also [Backup strategies](./BACKUPS.md) to be on the safe side.

 ## 1. Manual Updates

@@ -48,7 +49,7 @@ sudo docker-compose up --pull always -d

 ## 2. Dockcheck for Bulk Container Updates

-Always check the [Dockcheck](https://github.com/mag37/dockcheck) docs if encountering issues with the guide below. 
+Always check the [Dockcheck](https://github.com/mag37/dockcheck) docs if encountering issues with the guide below.

 Dockcheck is a useful tool if you have multiple containers to update and some flexibility for handling potential issues that might arise during mass updates. Dockcheck allows you to inspect each container and decide when to update.

@@ -74,7 +75,7 @@ sudo ./dockcheck.sh

 ## 3. Automated Updates with Watchtower

-Always check the [watchtower](https://github.com/containrrr/watchtower) docs if encountering issues with the guide below. 
+Always check the [watchtower](https://github.com/containrrr/watchtower) docs if encountering issues with the guide below.

 Watchtower monitors your Docker containers and automatically updates them when new images are available. This is ideal for ongoing updates without manual intervention.

@@ -96,7 +97,7 @@ docker run -d \
  --interval 300 # Check for updates every 5 minutes
 ```

-#### 3. Run Watchtower to update only NetAlertX: 
+#### 3. Run Watchtower to update only NetAlertX:

 You can specify which containers to monitor by listing them. For example, to monitor netalertx only:

--- a/docs/WEBHOOK_SECRET.md
+++ b/docs/WEBHOOK_SECRET.md
@@ -1,7 +1,11 @@
 # Webhook Secrets

 > [!NOTE]
-> You need to enable the `WEBHOOK` plugin first in order to follow this guide. See the [Plugins guide](./PLUGINS.md) for details.  
+> This is community-contributed. Due to environment, setup, or networking differences, results may vary. Please open a PR to improve it instead of creating an issue, as the maintainer is not actively maintaining it.
+
+
+> [!NOTE]
+> You need to enable the `WEBHOOK` plugin first in order to follow this guide. See the [Plugins guide](./PLUGINS.md) for details.

 ## How does the signing work?

@@ -39,3 +43,5 @@ If your implementation is correct, the signature you generated should match the
 If you want to learn more about webhook security, take a look at [GitHub's webhook documentation](https://docs.github.com/en/webhooks/about-webhooks).

 You can find examples for validating a webhook delivery [here](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#examples).
+
+
--- a/docs/WEB_UI_PORT_DEBUG.md
+++ b/docs/WEB_UI_PORT_DEBUG.md
@@ -2,7 +2,7 @@

 The application uses the following default ports:

- **Web UI**: `20211`  
+- **Web UI**: `20211`
 - **GraphQL API**: `20212`

 The **Web UI** is served by an **nginx** server, while the **API backend** runs on a **Flask (Python)** server.
@@ -25,8 +25,8 @@ Follow all of the below in order to disqualify potential causes of issues and to

 When opening an issue or debugging:

-1. Include a screenshot of what you see when accessing `HTTP://<your rpi IP>/20211` (or your custom port)
-1. [Follow steps 1, 2, 3, 4  on this page](./DEBUG_TIPS.md) 
+1. Include a screenshot of what you see when accessing `HTTP://<your_server>:20211` (or your custom port)
+1. [Follow steps 1, 2, 3, 4  on this page](./DEBUG_TIPS.md)
 1. Execute the following in the container to see the processes and their ports and submit a screenshot of the result:
   - `sudo apk add lsof`
   - `sudo lsof -i`
@@ -36,21 +36,21 @@ When opening an issue or debugging:

 ![lsof ports](./img/WEB_UI_PORT_DEBUG/container_port.png)

-### 2. JavaScript issues 
+### 2. JavaScript issues

 Check for browser console (F12 browser dev console) errors + check different browsers.

 ### 3. Clear the app cache and cached JavaScript files

-Refresh the browser cache (usually shoft + refresh), try a private window, or different browsers. Please also refresh the app cache by clicking the 🔃 (reload) button in the header of the application. 
+Refresh the browser cache (usually shoft + refresh), try a private window, or different browsers. Please also refresh the app cache by clicking the 🔃 (reload) button in the header of the application.

 ### 4. Disable proxies

-If you have any reverse proxy or similar, try disabling it. 
+If you have any reverse proxy or similar, try disabling it.

 ### 5. Disable your firewall

-If you are using a firewall, try to temporarily disabling it. 
+If you are using a firewall, try to temporarily disabling it.

 ### 6. Post your docker start details

@@ -67,6 +67,6 @@ In the container execute and investigate:
 ### 8. Make sure permissions are correct

 > [!TIP]
-> You can try to start the container without mapping the `/data/config` and `/data/db` dirs and if the UI shows up then the issue is most likely related to your file system permissions or file ownership. 
+> You can try to start the container without mapping the `/data/config` and `/data/db` dirs and if the UI shows up then the issue is most likely related to your file system permissions or file ownership.

-Please read the [Permissions troubleshooting guide](./FILE_PERMISSIONS.md) and provide a screesnhot of the permissions and ownership in the `/data/db` and `app/config` directories. 
+Please read the [Permissions troubleshooting guide](./FILE_PERMISSIONS.md) and provide a screesnhot of the permissions and ownership in the `/data/db` and `app/config` directories.
--- a/docs/WORKFLOWS_DEBUGGING.md
+++ b/docs/WORKFLOWS_DEBUGGING.md
@@ -1,22 +1,22 @@
 # Workflows debugging and troubleshooting

 > [!TIP]
-> Before troubleshooting, please ensure you have [Debugging enabled](./DEBUG_TIPS.md).
+> Before troubleshooting, please ensure you have the right [Debugging and LOG_LEVEL set](./DEBUG_TIPS.md).

-Workflows are triggered by various events. These events are captured and listed in the _Integrations -> App Events_ section of the application. 
+Workflows are triggered by various events. These events are captured and listed in the _Integrations -> App Events_ section of the application.

 ## Troubleshooting triggers

 > [!NOTE]
-> Workflow events are processed once every 5 seconds. However, if a scan or other background tasks are running, this can cause a delay up to a few minutes. 
+> Workflow events are processed once every 5 seconds. However, if a scan or other background tasks are running, this can cause a delay up to a few minutes.

-If an event doesn't trigger a workflow as expected, check the _App Events_ section for the event. You can filter these by the ID of the device (`devMAC` or `devGUID`). 
+If an event doesn't trigger a workflow as expected, check the _App Events_ section for the event. You can filter these by the ID of the device (`devMAC` or `devGUID`).

 ![App events search](./img/WORKFLOWS/workflows_app_events_search.png)

-Once you find the _Event Guid_ and _Object GUID_, use them to find relevant debug entries. 
+Once you find the _Event Guid_ and _Object GUID_, use them to find relevant debug entries.

-Navigate to _Mainetenace -> Logs_ where you can filter the logs based on the _Event or Object GUID_. 
+Navigate to _Mainetenace -> Logs_ where you can filter the logs based on the _Event or Object GUID_.

 ![Log events search](./img/WORKFLOWS/workflows_logs_search.png)

@@ -24,9 +24,9 @@ Below you can find some example `app.log` entries that will help you understand

 ```bash
 16:27:03 [WF] Checking if '13f0ce26-1835-4c48-ae03-cdaf38f328fe' triggers the workflow 'Sample Device Update Workflow'
-16:27:03 [WF] self.triggered 'False' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "insert"}' 
+16:27:03 [WF] self.triggered 'False' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "insert"}'
 16:27:03 [WF] Checking if '13f0ce26-1835-4c48-ae03-cdaf38f328fe' triggers the workflow 'Location Change'
-16:27:03 [WF] self.triggered 'True' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "update"}' 
+16:27:03 [WF] self.triggered 'True' for event '[[155], ['13f0ce26-1835-4c48-ae03-cdaf38f328fe'], [0], ['2025-04-02 05:26:56'], ['Devices'], ['050b6980-7af6-4409-950d-08e9786b7b33'], ['DEVICES'], ['00:11:32:ef:a5:6c'], ['192.168.1.82'], ['050b6980-7af6-4409-950d-08e9786b7b33'], [None], [0], [0], ['devPresentLastScan'], ['online'], ['update'], [None], [None], [None], [None]] and trigger {"object_type": "Devices", "event_type": "update"}'
 16:27:03 [WF] Event with GUID '13f0ce26-1835-4c48-ae03-cdaf38f328fe' triggered the workflow 'Location Change'
 ```

--- a/docs/docker-troubleshooting/PUID_PGID_SECURITY.md
+++ b/docs/docker-troubleshooting/PUID_PGID_SECURITY.md
@@ -0,0 +1,43 @@
+# PUID/PGID Security — Why the entrypoint requires numeric IDs
+
+## Purpose
+
+This short document explains the security rationale behind the root-priming entrypoint's validation of runtime user IDs (`PUID`) and group IDs (`PGID`). The validation is intentionally strict and is a safety measure to prevent environment-variable-based command injection when running as root during the initial priming stage.
+
+## Key points
+
+- The entrypoint accepts only values that are strictly numeric (digits only). Non-numeric values are treated as malformed and are a fatal error.
+- The fatal check exists to prevent *injection* or accidental shell interpretation of environment values while the container runs as root (e.g., `PUID="20211 && rm -rf /"`).
+- There is **no artificial upper bound** enforced by the validation — any numeric UID/GID is valid (for example, `100000` is acceptable).
+
+## Behavior on malformed input
+
+- If `PUID` or `PGID` cannot be parsed as numeric (digits-only), the entrypoint prints an explicit security message to stderr and exits with a non-zero status.
+- This is a deliberate, conservative safety measure — we prefer failing fast on potentially dangerous input rather than continuing with root-privileged operations.
+
+## Operator guidance
+
+- Always supply numeric values for `PUID` and `PGID` in your environment (via `docker-compose.yml`, `docker run -e`, or equivalent). Example: `PUID=20211`.
+- If you need to run with a high-numbered UID/GID (e.g., `100000`), that is fine — the entrypoint allows it as long as the value is numeric.
+- Don’t pass shell meta-characters, spaces, or compound commands in `PUID` or `PGID` — those will be rejected as malformed and cause the container to exit.
+
+## Required Capabilities for Privilege Drop
+
+If you are hardening your container by dropping capabilities (e.g., `cap_drop: [ALL]`), you **must** explicitly grant the `SETUID` and `SETGID` capabilities.
+
+- **Why?** The entrypoint runs as root to set permissions, then uses `su-exec` to switch to the user specified by `PUID`/`PGID`. This switch requires the kernel to allow the process to change its own UID/GID.
+- **Symptom:** If these capabilities are missing, the container will log a warning ("su-exec failed") and continue running as **root** (UID 0), defeating the purpose of setting `PUID`/`PGID`.
+- **Fix:** Add `SETUID` and `SETGID` to your `cap_add` list.
+
+```yaml
+cap_drop:
+  - ALL
+cap_add:
+  - SETUID
+  - SETGID
+  # ... other required caps like CHOWN, NET_ADMIN, etc.
+```
+
+---
+
+*Document created to clarify the security behavior of the root-priming entrypoint (PUID/PGID validation).*
--- a/docs/docker-troubleshooting/aufs-capabilities.md
+++ b/docs/docker-troubleshooting/aufs-capabilities.md
@@ -0,0 +1,167 @@
+
+# AUFS Legacy Storage Driver Support
+
+## Issue Description
+
+NetAlertX automatically detects the legacy `aufs` storage driver, which is commonly found on older Synology NAS devices (DSM 6.x/7.0.x) or Linux systems where the underlying filesystem lacks `d_type` support. This occurs on older ext4 and other filesystems which did not support capabilites at time of last formatting.  While ext4 currently support capabilities and filesystem overlays, older variants of ext4 did not and require a reformat to enable the support.  Old variants result in docker choosing `aufs` and newer may use `overlayfs`.
+
+**The Technical Limitation:**
+AUFS (Another Union File System) does not support or preserve extended file attributes (`xattrs`) during Docker image extraction. NetAlertX relies on these attributes to grant granular privileges (`CAP_NET_RAW` and `CAP_NET_ADMIN`) to network scanning binaries like `arp-scan`, `nmap`, and `nbtscan`.
+
+**The Result:**
+When the container runs as a standard non-root user (default) on AUFS, these binaries are stripped of their capabilities. Consequently, layer-2 network discovery will fail silently, find zero devices, or exit with "Operation not permitted" errors.
+
+## Operational Logic
+
+The container is designed to inspect the runtime environment at startup (`/root-entrypoint.sh`). It respects user configuration first, falling back to safe defaults (with warnings) where necessary.
+
+**Behavior Matrix:**
+
+| Filesystem | PUID Config | Runtime User | Outcome |
+| :--- | :--- | :--- | :--- |
+| **Modern (Overlay2/Btrfs)** | Unset | `20211` | **Secure.** Full functionality via preserved `setcap`. |
+| **Legacy (AUFS)** | Unset | `20211` | **Degraded.** Logs warning. L2 scans fail due to missing perms. |
+| **Legacy (AUFS)** | `PUID=0` | `Root` | **Functional.** Root privileges bypass capability requirements. |
+| **Legacy (AUFS)** | `PUID=1000` | `1000` | **Degraded.** Logs warning. L2 scans fail due to missing perms. |
+
+### Warning Log
+When AUFS is detected without root privileges, the system emits the following warning during startup:
+> ⚠️  WARNING: Reduced functionality (AUFS + non-root user).
+>
+> AUFS strips Linux file capabilities, so tools like arp-scan, nmap, and nbtscan fail when NetAlertX runs as a non-root PUID.
+>
+> **Action:** Set PUID=0 on AUFS hosts for full functionality.
+
+
+## Security Ramifications
+
+To mitigate the AUFS limitation, the recommended fix is to run the application as the **root** user (`PUID=0`).
+
+* **Least Privilege:** Even when running as root, NetAlertX applies `cap_drop: - ALL` and re-adds only the strictly necessary capabilities (`NET_RAW`, `NET_ADMIN`). This maintains a "least privilege" posture, though it is inherently less secure than running as a specific UID.
+* **Attack Surface:** Running as UID 0 increases the theoretical attack surface. If the container were compromised, the attacker would have root access *inside* the container (though still isolated from the host by the Docker runtime).
+* **Legacy Risks:** Reliance on the deprecated AUFS driver often indicates an older OS kernel or filesystem configuration, which may carry its own unpatched vulnerabilities compared to modern `overlay2` or `btrfs` setups.
+
+
+## How to Correct the Issue
+
+Choose the scenario that best matches your environment and security requirements.
+
+### Scenario A: Modern Systems (Recommended)
+**Context:** Systems using `overlay2`, `btrfs`, or `zfs`.
+**Action:** No action required. The system auto-configures `PUID=20211`.
+
+```yaml
+services:
+  netalertx:
+    image: netalertx/netalertx
+    # No PUID/PGID needed; defaults to secure non-root
+
+```
+
+### Scenario B: Legacy/Synology AUFS (The Fix)
+
+**Context:** Synology DSM 6.x/7.x or Linux hosts using AUFS.
+**Action:** Explicitly elevate to root. This bypasses the need for file capabilities because Root inherits runtime capabilities directly from Docker.
+
+```yaml
+services:
+  netalertx:
+    image: netalertx/netalertx
+    environment:
+      - PUID=0  # Required for arp-scan/nmap on AUFS
+      - PGID=0
+
+```
+
+### Scenario C: Forced Non-Root on AUFS
+
+**Context:** Strict security compliance requires non-root, even if it breaks functionality.
+**Action:** The warning will persist. The Web UI and Database will function, but network discovery (ARP/Nmap) will be severely limited.
+
+```yaml
+services:
+  netalertx:
+    image: netalertx/netalertx
+    environment:
+      - PUID=1000
+      - PGID=1000
+    # Note: cap_add is ineffective here due to AUFS stripping the binary's file caps
+
+```
+
+
+## Infrastructure Upgrades (Long-term Fix)
+
+To solve the root cause and run securely as non-root, you must migrate off the AUFS driver.
+
+### 1. Switch to Btrfs (Synology Recommended)
+
+If your NAS supports it, creating a new volume formatted as **Btrfs** allows Docker to use the native `btrfs` storage driver.
+
+* **Benefit:** This driver fully supports extended attributes and Copy-on-Write (CoW), creating the most robust environment for Docker.
+
+### 2. Reformat Ext4 with `d_type` Support
+
+If you must use `ext4`, the issue is likely that your volume lacks `d_type` support (common on older volumes created before DSM 6).
+
+* **Fix:** Back up your data and reformat the volume.
+* **Result:** Modern formatting usually enables `d_type` by default. This allows Docker to automatically select the modern **`overlay2`** driver instead of failing back to AUFS.
+
+
+## Technical Implementation
+
+### Detection Mechanism
+
+The logic resides in `_detect_storage_driver()` within `/root-entrypoint.sh`. It parses the root mount point (`/`) to identify the underlying driver.
+
+```bash
+# Modern (overlay2) - Pass
+overlay / overlay rw,relatime,lowerdir=...
+
+# Legacy (AUFS) - Triggers Warning
+none / aufs rw,relatime,si=...
+
+```
+
+### Verification & Troubleshooting
+
+**1. Confirm Storage Driver**
+If your host is using ext4 you might be defaulting to aufs:
+
+```bash
+docker info | grep "Storage Driver"
+# OR inside the container:
+docker exec netalertx grep " / " /proc/mounts
+
+```
+
+**2. Verify Capability Loss**
+If scans fail, check if the binary permissions were stripped.
+
+* **Modern FS:** Returns `cap_net_admin,cap_net_raw+eip`
+* **AUFS:** Returns empty output (stripped)
+
+```bash
+docker exec netalertx getcap /usr/sbin/arp-scan
+
+```
+
+**3. Simulating AUFS (Dev/Test)**
+Developers can force the AUFS logic path on a modern machine by mocking the mounts file. Note: Docker often restricts direct bind-mounts of host `/proc` paths, so the test suite uses an environment-variable injection instead (see `test_puid_pgid.py`).
+
+```bash
+# Create mock mounts content and encode it as base64
+echo "none / aufs rw,relatime 0 0" | base64
+
+# Run the container passing the encoded mounts via NETALERTX_PROC_MOUNTS_B64
+# (the entrypoint decodes this and uses it instead of reading /proc/mounts directly)
+docker run --rm -e NETALERTX_PROC_MOUNTS_B64="bm9uZSAvIGF1ZnMgcncs..." netalertx/netalertx
+```
+
+## Additional Resources
+
+* **Docker Storage Drivers:** [Use the OverlayFS storage driver](https://docs.docker.com/storage/storagedriver/overlayfs-driver/)
+* **Synology Docker Guide:** [Synology Docker Storage Drivers](https://www.google.com/search?q=https://kb.synology.com/en-global/DSM/tutorial/How_to_use_Docker_on_Synology_NAS)
+* **Configuration Guidance:** [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
+
+
--- a/docs/docker-troubleshooting/excessive-capabilities.md
+++ b/docs/docker-troubleshooting/excessive-capabilities.md
@@ -29,4 +29,4 @@ Limit capabilities to only those required:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/file-permissions.md
+++ b/docs/docker-troubleshooting/file-permissions.md
@@ -24,4 +24,4 @@ Fix permissions on the host system for the mounted directories:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/incorrect-user.md
+++ b/docs/docker-troubleshooting/incorrect-user.md
@@ -2,27 +2,30 @@

 ## Issue Description

-NetAlertX is running as UID:GID other than the expected 20211:20211. This bypasses hardened permissions, file ownership, and runtime isolation safeguards.
+NetAlertX is running as a UID:GID that does not match the runtime service user configured for this container (default 20211:20211). Hardened ownership on writable paths may block writes if the UID/GID do not align with mounted volumes and tmpfs settings.

 ## Security Ramifications

-The application is designed with security hardening that depends on running under a dedicated, non-privileged service account. Using a different user account can silently fail future upgrades and removes crucial isolation between the container and host system.
+The image uses a dedicated service user for writes and a readonly lock owner (UID 20211) for code/venv with 004/005 permissions. Running as an arbitrary UID is supported, but only when writable mounts (`/data`, `/tmp/*`) are owned by that UID. Misalignment can cause startup failures or unexpected permission escalation attempts.

 ## Why You're Seeing This Issue

-This occurs when you override the container's default user with custom `user:` directives in docker-compose.yml or `--user` flags in docker run commands. The container expects to run as the netalertx user for proper security isolation.
+- A `user:` override in docker-compose.yml or `--user` flag on `docker run` changes the runtime UID/GID without updating mount ownership.
+- Tmpfs mounts still use `uid=20211,gid=20211` while the container runs as another UID.
+- Host bind mounts (e.g., `/data`) are owned by a different UID.

 ## How to Correct the Issue

-Restore the container to the default user:
+Option A: Use defaults (recommended)
+- Remove custom `user:` overrides and `--user` flags.
+- Let the container run as the built-in service user (UID/GID 20211) and keep tmpfs at `uid=20211,gid=20211`.

- Remove any `user:` overrides from docker-compose.yml
- Avoid `--user` flags in docker run commands
- Allow the container to run with its default UID:GID 20211:20211
- Recreate the container so volume ownership is reset automatically
+Option B: Run with a custom UID/GID
+- Set `user:` (or `NETALERTX_UID/NETALERTX_GID`) to your desired UID/GID.
+- Align mounts: ensure `/data` (and any `/tmp/*` tmpfs) use the same `uid=`/`gid=` and that host bind mounts are chowned to that UID/GID.
+- Recreate the container so ownership is consistent.

 ## Additional Resources

-Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
-
-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+- Default compose and tmpfs guidance: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
+- General Docker install and runtime notes: [DOCKER_INSTALLATION.md](https://docs.netalertx.com/DOCKER_INSTALLATION)
--- a/docs/docker-troubleshooting/missing-capabilities.md
+++ b/docs/docker-troubleshooting/missing-capabilities.md
@@ -29,4 +29,22 @@ Add the required capabilities to your container:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
+
+## CAP_CHOWN required when cap_drop: [ALL]
+
+When you start NetAlertX with `cap_drop: [ALL]`, the container loses `CAP_CHOWN`. The root priming step needs `CAP_CHOWN` to adjust ownership of `/data` and `/tmp` before dropping privileges to `PUID:PGID`. Without it, startup fails with a fatal `failed to chown` message and exits.
+
+To fix:
+- Add `CHOWN` back in `cap_add` when you also set `cap_drop: [ALL]`:
+
+  ```yaml
+  cap_drop:
+    - ALL
+  cap_add:
+    - CHOWN
+  ```
+
+- Or pre-chown the mounted host paths to your target `PUID:PGID` so the priming step does not need the capability.
+
+If you harden capabilities further, expect priming to fail until you restore the minimum set needed for ownership changes.
--- a/docs/docker-troubleshooting/mount-configuration-issues.md
+++ b/docs/docker-troubleshooting/mount-configuration-issues.md
@@ -33,4 +33,4 @@ volumes:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/network-mode.md
+++ b/docs/docker-troubleshooting/network-mode.md
@@ -24,4 +24,4 @@ Enable host networking mode:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/nginx-configuration-mount.md
+++ b/docs/docker-troubleshooting/nginx-configuration-mount.md
@@ -33,4 +33,4 @@ If you don't need a custom port, simply omit the PORT environment variable and t

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/port-conflicts.md
+++ b/docs/docker-troubleshooting/port-conflicts.md
@@ -83,4 +83,4 @@ services:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/read-only-filesystem.md
+++ b/docs/docker-troubleshooting/read-only-filesystem.md
@@ -24,4 +24,4 @@ Enable read-only mode:

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/running-as-root.md
+++ b/docs/docker-troubleshooting/running-as-root.md
@@ -26,4 +26,4 @@ After making these changes, restart the container. The application will automati

 Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.

-For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/docs/docker-troubleshooting/troubleshooting.md
+++ b/docs/docker-troubleshooting/troubleshooting.md
--- a/docs/img/DEBUG_API_SERVER/Init_check.png
+++ b/docs/img/DEBUG_API_SERVER/Init_check.png
--- a/docs/img/DEBUG_API_SERVER/app_conf_graphql_port.png
+++ b/docs/img/DEBUG_API_SERVER/app_conf_graphql_port.png
--- a/docs/img/DEBUG_API_SERVER/dev_console_graphql_json.png
+++ b/docs/img/DEBUG_API_SERVER/dev_console_graphql_json.png
--- a/docs/img/DEBUG_API_SERVER/graphql_running_logs.png
+++ b/docs/img/DEBUG_API_SERVER/graphql_running_logs.png
--- a/Show More
+++ b/Show More