chore: update CHANGELOG.md for v0.2.66 [skip ci]

Merge pull request 'feat: implement dynamic versioning from Git tags' (#42 ) from fix/version-dynamic-build into master
Reviewed-on: #42
2026-04-15 02:11:31 +00:00 · 2026-04-15 02:10:10 +00:00 · 2026-04-14 21:09:11 -05:00 · 2026-04-14 20:50:47 -05:00 · 2026-04-15 01:45:29 +00:00 · 2026-04-15 01:44:42 +00:00
51 changed files with 6513 additions and 790 deletions
--- a/.docker/Dockerfile.linux-amd64
+++ b/.docker/Dockerfile.linux-amd64
@ -1,11 +1,14 @@
 # Pre-baked builder for Linux amd64 Tauri releases.
 # All system dependencies are installed once here; CI jobs skip apt-get entirely.
 # Rebuild when: Rust toolchain version changes, webkit2gtk/gtk major version changes,
-# or Node.js major version changes.  Tag format: rust<VER>-node<VER>
+# Node.js major version changes, OpenSSL major version changes (used via OPENSSL_STATIC=1),
 # or Tauri CLI version changes that affect bundler system deps.
 # Tag format: rust<VER>-node<VER>
 FROM rust:1.88-slim
 RUN apt-get update -qq \
    && apt-get install -y -qq --no-install-recommends \
       ca-certificates \
       libwebkit2gtk-4.1-dev \
       libssl-dev \
       libgtk-3-dev \
@ -21,4 +24,5 @@ RUN apt-get update -qq \
    && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*
-RUN rustup target add x86_64-unknown-linux-gnu
+RUN rustup target add x86_64-unknown-linux-gnu \
    && rustup component add rustfmt clippy
--- a/.docker/Dockerfile.linux-arm64
+++ b/.docker/Dockerfile.linux-arm64
@ -1,7 +1,9 @@
 # Pre-baked cross-compiler for Linux arm64 Tauri releases (runs on Linux amd64).
 # Bakes in: amd64 cross-toolchain, arm64 multiarch dev libs, Node.js, and Rust.
 # This image takes ~15 min to build but is only rebuilt when deps change.
-# Rebuild when: Rust toolchain version, webkit2gtk/gtk major version, or Node.js changes.
+# Rebuild when: Rust toolchain version, webkit2gtk/gtk major version, Node.js major version,
 # OpenSSL major version (used via OPENSSL_STATIC=1), or Tauri CLI changes that affect
 # bundler system deps.
 # Tag format: rust<VER>-node<VER>
 FROM ubuntu:22.04
@ -10,7 +12,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 # Step 1: amd64 host tools and cross-compiler
 RUN apt-get update -qq \
    && apt-get install -y -qq --no-install-recommends \
-       curl git gcc g++ make patchelf pkg-config perl jq \
+       ca-certificates curl git gcc g++ make patchelf pkg-config perl jq \
       gcc-aarch64-linux-gnu g++-aarch64-linux-gnu \
    && rm -rf /var/lib/apt/lists/*
@ -40,6 +42,7 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
 # Step 4: Rust 1.88 with arm64 cross-compilation target
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
    --default-toolchain 1.88.0 --profile minimal --no-modify-path \
-    && /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu
+    && /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu \
    && /root/.cargo/bin/rustup component add rustfmt clippy
 ENV PATH="/root/.cargo/bin:${PATH}"
--- a/.docker/Dockerfile.windows-cross
+++ b/.docker/Dockerfile.windows-cross
@ -1,11 +1,14 @@
 # Pre-baked cross-compiler for Windows amd64 Tauri releases (runs on Linux amd64).
 # All MinGW and Node.js dependencies are installed once here; CI jobs skip apt-get entirely.
-# Rebuild when: Rust toolchain version changes or Node.js major version changes.
+# Rebuild when: Rust toolchain version changes, Node.js major version changes,
 # OpenSSL major version changes (used via OPENSSL_STATIC=1), or Tauri CLI changes
 # that affect bundler system deps.
 # Tag format: rust<VER>-node<VER>
 FROM rust:1.88-slim
 RUN apt-get update -qq \
    && apt-get install -y -qq --no-install-recommends \
       ca-certificates \
       mingw-w64 \
       curl \
       nsis \
--- a/.eslintrc.json
+++ b/.eslintrc.json
@ -0,0 +1,26 @@
 {
  "extends": ["eslint:recommended", "plugin:@typescript-eslint/recommended", "plugin:react/recommended", "plugin:react-hooks/recommended"],
  "parser": "@typescript-eslint/parser",
  "parserOptions": {
    "ecmaFeatures": {
      "jsx": true
    },
    "ecmaVersion": "latest",
    "sourceType": "module",
    "project": ["./tsconfig.json"]
  },
  "plugins": ["@typescript-eslint", "react", "react-hooks"],
  "settings": {
    "react": {
      "version": "detect"
    }
  },
  "rules": {
    "no-unused-vars": "off",
    "@typescript-eslint/no-unused-vars": ["error", { "argsIgnorePattern": "^_" }],
    "no-console": ["warn", { "allow": ["warn", "error"] }],
    "react/react-in-jsx-scope": "off",
    "react/prop-types": "off"
  },
  "ignorePatterns": ["dist/", "node_modules/", "src-tauri/", "target/", "coverage/"]
 }
--- a/.gitea/workflows/auto-tag.yml
+++ b/.gitea/workflows/auto-tag.yml
@ -65,6 +65,138 @@ jobs:
          echo "Tag $NEXT pushed successfully"
  changelog:
    needs: autotag
    runs-on: linux-amd64
    container:
      image: alpine:latest
    steps:
      - name: Install dependencies
        run: |
          set -eu
          apk add --no-cache git curl jq
      - name: Checkout (full history + all tags)
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          set -eu
          git init
          git remote add origin \
            "http://oauth2:${RELEASE_TOKEN}@172.0.0.29:3000/${GITHUB_REPOSITORY}.git"
          git fetch --tags --depth=2147483647 origin
          git checkout FETCH_HEAD
          git config user.name "gitea-actions[bot]"
          git config user.email "gitea-actions@local"
      - name: Install git-cliff
        run: |
          set -eu
          CLIFF_VER="2.7.0"
          curl -fsSL \
            "https://github.com/orhun/git-cliff/releases/download/v${CLIFF_VER}/git-cliff-${CLIFF_VER}-x86_64-unknown-linux-musl.tar.gz" \
            | tar -xz --strip-components=1 -C /usr/local/bin \
              "git-cliff-${CLIFF_VER}/git-cliff"
      - name: Generate changelog
        run: |
          set -eu
          git-cliff --config cliff.toml --output CHANGELOG.md
          git-cliff --config cliff.toml --latest --strip all > /tmp/release_body.md
          echo "=== Release body preview ==="
          cat /tmp/release_body.md
      - name: Update Gitea release body
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          set -eu
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG=$(git describe --tags --abbrev=0)
          # Create release if it doesn't exist yet (build jobs may still be running)
          curl -sf -X POST "$API/releases" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$TAG\",\"name\":\"TFTSR $TAG\",\"body\":\"Release $TAG\",\"draft\":false}" || true
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to get release ID for $TAG"
            exit 1
          fi
          curl -sf -X PATCH "$API/releases/$RELEASE_ID" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            --data-binary "{\"body\":$(jq -Rs . < /tmp/release_body.md)}"
          echo "✓ Release body updated"
      - name: Commit CHANGELOG.md to master
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          set -euo pipefail
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG=$(git describe --tags --abbrev=0)
          # Validate tag format to prevent shell injection in commit message / JSON
          if ! echo "$TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "ERROR: Unexpected tag format: $TAG"
            exit 1
          fi
          # Fetch current blob SHA from master; empty if file doesn't exist yet
          CURRENT_SHA=$(curl -sf \
            -H "Accept: application/json" \
            -H "Authorization: token $RELEASE_TOKEN" \
            "$API/contents/CHANGELOG.md?ref=master" 2>/dev/null \
            | jq -r '.sha // empty' 2>/dev/null || true)
          # Base64-encode content (no line wrapping)
          CONTENT=$(base64 -w 0 CHANGELOG.md)
          # Build JSON payload — omit "sha" when file doesn't exist yet (new repo)
          PAYLOAD=$(jq -n \
            --arg msg  "chore: update CHANGELOG.md for ${TAG} [skip ci]" \
            --arg body "$CONTENT" \
            --arg sha  "$CURRENT_SHA" \
            'if $sha == ""
             then {message: $msg, content: $body, branch: "master"}
             else {message: $msg, content: $body, sha: $sha, branch: "master"}
             end')
          # PUT atomically updates (or creates) the file on master — no fast-forward needed
          RESP_FILE=$(mktemp)
          HTTP_CODE=$(curl -s -o "$RESP_FILE" -w "%{http_code}" -X PUT \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -d "$PAYLOAD" \
            "$API/contents/CHANGELOG.md")
          if [ "$HTTP_CODE" -lt 200 ] || [ "$HTTP_CODE" -ge 300 ]; then
            echo "ERROR: Failed to update CHANGELOG.md (HTTP $HTTP_CODE)"
            cat "$RESP_FILE" >&2
            exit 1
          fi
          echo "✓ CHANGELOG.md committed to master"
      - name: Upload CHANGELOG.md as release asset
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          set -eu
          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
          TAG=$(git describe --tags --abbrev=0)
          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
            -H "Authorization: token $RELEASE_TOKEN" | jq -r '.id')
          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
            echo "ERROR: Failed to get release ID for $TAG"
            exit 1
          fi
          EXISTING=$(curl -sf "$API/releases/$RELEASE_ID" \
            -H "Authorization: token $RELEASE_TOKEN" \
            | jq -r '.assets[]? | select(.name=="CHANGELOG.md") | .id')
          [ -n "$EXISTING" ] && curl -sf -X DELETE \
            "$API/releases/$RELEASE_ID/assets/$EXISTING" \
            -H "Authorization: token $RELEASE_TOKEN"
          curl -sf -X POST "$API/releases/$RELEASE_ID/assets" \
            -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@CHANGELOG.md;filename=CHANGELOG.md"
          echo "✓ CHANGELOG.md uploaded"
  wiki-sync:
    runs-on: linux-amd64
    container:
@ -132,27 +264,36 @@ jobs:
    needs: autotag
    runs-on: linux-amd64
    container:
-      image: rust:1.88-slim
+      image: 172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
-      - name: Install dependencies
+      - name: Cache cargo registry
-        run: |
+        uses: actions/cache@v4
-          apt-get update -qq && apt-get install -y -qq \
+        with:
-            libwebkit2gtk-4.1-dev libssl-dev libgtk-3-dev \
+          path: |
-            libayatana-appindicator3-dev librsvg2-dev patchelf \
+            ~/.cargo/registry/index
-            pkg-config curl perl jq
+            ~/.cargo/registry/cache
-          curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+            ~/.cargo/git/db
-          apt-get install -y nodejs
+          key: ${{ runner.os }}-cargo-linux-amd64-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-linux-amd64-
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
      - name: Build
        env:
          APPIMAGE_EXTRACT_AND_RUN: "1"
        run: |
          npm ci --legacy-peer-deps
          rustup target add x86_64-unknown-linux-gnu
          CI=true npx tauri build --target x86_64-unknown-linux-gnu
      - name: Upload artifacts
        env:
@ -181,7 +322,7 @@ jobs:
          fi
          echo "Release ID: $RELEASE_ID"
          ARTIFACTS=$(find src-tauri/target/x86_64-unknown-linux-gnu/release/bundle -type f \
-            \( -name "*.deb" -o -name "*.rpm" -o -name "*.AppImage" \))
+            \( -name "*.deb" -o -name "*.rpm" \))
          if [ -z "$ARTIFACTS" ]; then
            echo "ERROR: No Linux amd64 artifacts were found to upload."
            exit 1
@ -218,20 +359,31 @@ jobs:
    needs: autotag
    runs-on: linux-amd64
    container:
-      image: rust:1.88-slim
+      image: 172.0.0.29:3000/sarman/trcaa-windows-cross:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
-      - name: Install dependencies
+      - name: Cache cargo registry
-        run: |
+        uses: actions/cache@v4
-          apt-get update -qq && apt-get install -y -qq mingw-w64 curl nsis perl make jq
+        with:
-          curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+          path: |
-          apt-get install -y nodejs
+            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: ${{ runner.os }}-cargo-windows-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-windows-
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
      - name: Build
        env:
          CC_x86_64_pc_windows_gnu: x86_64-w64-mingw32-gcc
@ -242,7 +394,6 @@ jobs:
          OPENSSL_STATIC: "1"
        run: |
          npm ci --legacy-peer-deps
          rustup target add x86_64-pc-windows-gnu
          CI=true npx tauri build --target x86_64-pc-windows-gnu
      - name: Upload artifacts
        env:
@ -392,53 +543,31 @@ jobs:
    needs: autotag
    runs-on: linux-amd64
    container:
-      image: ubuntu:22.04
+      image: 172.0.0.29:3000/sarman/trcaa-linux-arm64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
          git checkout FETCH_HEAD
-      - name: Install dependencies
+      - name: Cache cargo registry
-        env:
+        uses: actions/cache@v4
-          DEBIAN_FRONTEND: noninteractive
+        with:
-        run: |
+          path: |
-          # Step 1: Host tools + cross-compiler (all amd64, no multiarch yet)
+            ~/.cargo/registry/index
-          apt-get update -qq
+            ~/.cargo/registry/cache
-          apt-get install -y -qq curl git gcc g++ make patchelf pkg-config perl jq \
+            ~/.cargo/git/db
-            gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
+          key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
-
+          restore-keys: |
-          # Step 2: Multiarch — Ubuntu uses ports.ubuntu.com for arm64,
+            ${{ runner.os }}-cargo-arm64-
-          # keeping it on a separate mirror from amd64 (archive.ubuntu.com).
+      - name: Cache npm
-          # This avoids the binary-all index duplication and -dev package
+        uses: actions/cache@v4
-          # conflicts that plagued the Debian single-mirror approach.
+        with:
-          dpkg --add-architecture arm64
+          path: ~/.npm
-          sed -i 's|^deb http://archive.ubuntu.com|deb [arch=amd64] http://archive.ubuntu.com|g' /etc/apt/sources.list
+          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
-          sed -i 's|^deb http://security.ubuntu.com|deb [arch=amd64] http://security.ubuntu.com|g' /etc/apt/sources.list
+          restore-keys: |
-          printf '%s\n' \
+            ${{ runner.os }}-npm-
            'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted universe multiverse' \
            'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted universe multiverse' \
            'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted universe multiverse' \
            > /etc/apt/sources.list.d/arm64-ports.list
          apt-get update -qq
          # Step 3: ARM64 dev libs — libayatana omitted (no tray icon in this app)
          apt-get install -y -qq \
            libwebkit2gtk-4.1-dev:arm64 \
            libssl-dev:arm64 \
            libgtk-3-dev:arm64 \
            librsvg2-dev:arm64
          # Step 4: Node.js
          curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
          apt-get install -y nodejs
          # Step 5: Rust (not pre-installed in ubuntu:22.04)
          # source "$HOME/.cargo/env" in the Build step handles PATH — no GITHUB_PATH needed
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
            --default-toolchain 1.88.0 --profile minimal --no-modify-path
      - name: Build
        env:
          CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
@ -452,9 +581,7 @@ jobs:
          OPENSSL_STATIC: "1"
          APPIMAGE_EXTRACT_AND_RUN: "1"
        run: |
          . "$HOME/.cargo/env"
          npm ci --legacy-peer-deps
          rustup target add aarch64-unknown-linux-gnu
          CI=true npx tauri build --target aarch64-unknown-linux-gnu --bundles deb,rpm
      - name: Upload artifacts
        env:
--- a/.gitea/workflows/build-images.yml
+++ b/.gitea/workflows/build-images.yml
@ -37,11 +37,11 @@ jobs:
  linux-amd64:
    runs-on: linux-amd64
    container:
-      image: docker:24-cli
+      image: alpine:latest
    steps:
      - name: Checkout
        run: |
-          apk add --no-cache git
+          apk add --no-cache git docker-cli
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
@ -60,11 +60,11 @@ jobs:
  windows-cross:
    runs-on: linux-amd64
    container:
-      image: docker:24-cli
+      image: alpine:latest
    steps:
      - name: Checkout
        run: |
-          apk add --no-cache git
+          apk add --no-cache git docker-cli
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
@ -83,11 +83,11 @@ jobs:
  linux-arm64:
    runs-on: linux-amd64
    container:
-      image: docker:24-cli
+      image: alpine:latest
    steps:
      - name: Checkout
        run: |
-          apk add --no-cache git
+          apk add --no-cache git docker-cli
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          git fetch --depth=1 origin "$GITHUB_SHA"
--- a/.gitea/workflows/pr-review.yml
+++ b/.gitea/workflows/pr-review.yml
@ -0,0 +1,134 @@
 name: PR Review Automation
 on:
  pull_request:
    types: [opened, synchronize, reopened, edited]
 concurrency:
  group: pr-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    container:
      image: ubuntu:22.04
      options: --dns 8.8.8.8 --dns 1.1.1.1
    steps:
      - name: Install dependencies
        shell: bash
        run: |
          set -euo pipefail
          apt-get update -qq && apt-get install -y -qq git curl jq
      - name: Checkout code
        shell: bash
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail
          git init
          git remote add origin "https://gogs.tftsr.com/${REPOSITORY}.git"
          git fetch --depth=1 origin ${{ github.head_ref }}
          git checkout FETCH_HEAD
      - name: Get PR diff
        id: diff
        shell: bash
        run: |
          set -euo pipefail
          git fetch origin ${{ github.base_ref }}
          git diff origin/${{ github.base_ref }}..HEAD > /tmp/pr_diff.txt
          echo "diff_size=$(wc -l < /tmp/pr_diff.txt | tr -d ' ')" >> $GITHUB_OUTPUT
      - name: Analyze with Ollama
        id: analyze
        if: steps.diff.outputs.diff_size != '0'
        shell: bash
        env:
          OLLAMA_URL: https://ollama-ui.tftsr.com/ollama/v1
          OLLAMA_API_KEY: ${{ secrets.OLLAMA_API_KEY }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          if grep -q "^Binary files" /tmp/pr_diff.txt; then
            echo "WARNING: Binary file changes detected — they will be excluded from analysis"
          fi
          DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt \
            | grep -v -E '^[+-].*(password[[:space:]]*[=:"'"'"']|token[[:space:]]*[=:"'"'"']|secret[[:space:]]*[=:"'"'"']|api_key[[:space:]]*[=:"'"'"']|private_key[[:space:]]*[=:"'"'"']|Authorization:[[:space:]]|AKIA[A-Z0-9]{16}|xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}|gh[opsu]_[A-Za-z0-9_]{36,}|https?://[^@[:space:]]+:[^@[:space:]]+@)' \
            | grep -v -E '^[+-].*[A-Za-z0-9+/]{40,}={0,2}([^A-Za-z0-9+/=]|$)')
          PROMPT="Analyze the following code changes for correctness, security issues, and best practices. PR Title: ${PR_TITLE}\n\nDiff:\n${DIFF_CONTENT}\n\nProvide a review with: 1) Summary, 2) Bugs/errors, 3) Security issues, 4) Best practices. Give specific comments with suggested fixes."
          BODY=$(jq -cn \
            --arg model "qwen3-coder-next:latest" \
            --arg content "$PROMPT" \
            '{model: $model, messages: [{role: "user", content: $content}], stream: false}')
          echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PR #${PR_NUMBER} - Calling Ollama API (${#BODY} bytes)..."
          HTTP_CODE=$(curl -s --max-time 120 --connect-timeout 30 \
            --retry 3 --retry-delay 5 --retry-connrefused --retry-max-time 120 \
            -o /tmp/ollama_response.json -w "%{http_code}" \
            -X POST "$OLLAMA_URL/chat/completions" \
            -H "Authorization: Bearer $OLLAMA_API_KEY" \
            -H "Content-Type: application/json" \
            -d "$BODY")
          echo "HTTP status: $HTTP_CODE"
          echo "Response file size: $(wc -c < /tmp/ollama_response.json) bytes"
          if [ "$HTTP_CODE" != "200" ]; then
            echo "ERROR: Ollama returned HTTP $HTTP_CODE"
            cat /tmp/ollama_response.json
            exit 1
          fi
          if ! jq empty /tmp/ollama_response.json 2>/dev/null; then
            echo "ERROR: Invalid JSON response from Ollama"
            cat /tmp/ollama_response.json
            exit 1
          fi
          REVIEW=$(jq -r '.choices[0].message.content // empty' /tmp/ollama_response.json)
          if [ -z "$REVIEW" ]; then
            echo "ERROR: No content in Ollama response"
            exit 1
          fi
          echo "Review length: ${#REVIEW} chars"
          echo "$REVIEW" > /tmp/pr_review.txt
      - name: Post review comment
        if: always() && steps.diff.outputs.diff_size != '0'
        shell: bash
        env:
          TF_TOKEN: ${{ secrets.TFT_GITEA_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail
          if [ -z "${TF_TOKEN:-}" ]; then
            echo "ERROR: TFT_GITEA_TOKEN secret is not set"
            exit 1
          fi
          if [ -f "/tmp/pr_review.txt" ] && [ -s "/tmp/pr_review.txt" ]; then
            REVIEW_BODY=$(head -c 65536 /tmp/pr_review.txt)
            BODY=$(jq -n \
              --arg body "🤖 Automated PR Review:\n\n${REVIEW_BODY}\n\n---\n*this is an automated review from Ollama*" \
              '{body: $body, event: "COMMENT"}')
          else
            BODY=$(jq -n \
              '{body: "⚠️ Automated PR Review could not be completed — Ollama analysis failed or produced no output.", event: "COMMENT"}')
          fi
          HTTP_CODE=$(curl -s --max-time 30 --connect-timeout 10 \
            -o /tmp/review_post_response.json -w "%{http_code}" \
            -X POST "https://gogs.tftsr.com/api/v1/repos/${REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
            -H "Authorization: Bearer $TF_TOKEN" \
            -H "Content-Type: application/json" \
            -d "$BODY")
          echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"
          if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
            echo "ERROR: Failed to post review (HTTP $HTTP_CODE)"
            cat /tmp/review_post_response.json
            exit 1
          fi
      - name: Cleanup
        if: always()
        shell: bash
        run: rm -f /tmp/pr_diff.txt /tmp/ollama_response.json /tmp/pr_review.txt /tmp/review_post_response.json
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -7,12 +7,11 @@ jobs:
  rust-fmt-check:
    runs-on: ubuntu-latest
    container:
-      image: rust:1.88-slim
+      image: 172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          set -eux
          apt-get update -qq && apt-get install -y -qq git
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          if [ -n "${GITHUB_SHA:-}" ] && git fetch --depth=1 origin "$GITHUB_SHA"; then
@ -28,18 +27,31 @@ jobs:
            echo "Fetched fallback ref: master"
          fi
          git checkout FETCH_HEAD
-      - run: rustup component add rustfmt
+      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: ${{ runner.os }}-cargo-linux-amd64-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-linux-amd64-
      - name: Install dependencies
        run: npm install --legacy-peer-deps
      - name: Update version from Git
        run: node scripts/update-version.mjs
      - run: cargo generate-lockfile --manifest-path src-tauri/Cargo.toml
      - run: cargo fmt --manifest-path src-tauri/Cargo.toml --check
  rust-clippy:
    runs-on: ubuntu-latest
    container:
-      image: rust:1.88-slim
+      image: 172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          set -eux
          apt-get update -qq && apt-get install -y -qq git
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          if [ -n "${GITHUB_SHA:-}" ] && git fetch --depth=1 origin "$GITHUB_SHA"; then
@ -55,19 +67,26 @@ jobs:
            echo "Fetched fallback ref: master"
          fi
          git checkout FETCH_HEAD
-      - run: apt-get update -qq && apt-get install -y -qq libwebkit2gtk-4.1-dev libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev patchelf pkg-config perl
+      - name: Cache cargo registry
-      - run: rustup component add clippy
+        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: ${{ runner.os }}-cargo-linux-amd64-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-linux-amd64-
      - run: cargo clippy --manifest-path src-tauri/Cargo.toml -- -D warnings
  rust-tests:
    runs-on: ubuntu-latest
    container:
-      image: rust:1.88-slim
+      image: 172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22
    steps:
      - name: Checkout
        run: |
          set -eux
          apt-get update -qq && apt-get install -y -qq git
          git init
          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
          if [ -n "${GITHUB_SHA:-}" ] && git fetch --depth=1 origin "$GITHUB_SHA"; then
@ -83,7 +102,16 @@ jobs:
            echo "Fetched fallback ref: master"
          fi
          git checkout FETCH_HEAD
-      - run: apt-get update -qq && apt-get install -y -qq libwebkit2gtk-4.1-dev libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev patchelf pkg-config perl
+      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: ${{ runner.os }}-cargo-linux-amd64-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-linux-amd64-
      - run: cargo test --manifest-path src-tauri/Cargo.toml -- --test-threads=1
  frontend-typecheck:
@ -110,6 +138,13 @@ jobs:
            echo "Fetched fallback ref: master"
          fi
          git checkout FETCH_HEAD
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
      - run: npm ci --legacy-peer-deps
      - run: npx tsc --noEmit
@ -137,5 +172,12 @@ jobs:
            echo "Fetched fallback ref: master"
          fi
          git checkout FETCH_HEAD
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
      - run: npm ci --legacy-peer-deps
      - run: npm run test:run
--- a/AGENTS.md
+++ b/AGENTS.md
@ -8,6 +8,7 @@
 | Frontend only (port 1420) | `npm run dev` |
 | Frontend production build | `npm run build` |
 | Rust fmt check | `cargo fmt --manifest-path src-tauri/Cargo.toml --check` |
 | Rust fmt fix | `cargo fmt --manifest-path src-tauri/Cargo.toml` |
 | Rust clippy | `cargo clippy --manifest-path src-tauri/Cargo.toml -- -D warnings` |
 | Rust tests | `cargo test --manifest-path src-tauri/Cargo.toml -- --test-threads=1` |
 | Rust single test module | `cargo test --manifest-path src-tauri/Cargo.toml -- --test-threads=1 pii::detector` |
@ -16,6 +17,9 @@
 | Frontend test (watch) | `npm run test` |
 | Frontend coverage | `npm run test:coverage` |
 | TypeScript type check | `npx tsc --noEmit` |
 | Frontend lint | `npx eslint . --quiet` |
 **Lint Policy**: **ALWAYS run `cargo fmt` and `cargo clippy` after any Rust code change**. Fix all issues before proceeding.
 **Note**: The build runs `npm run build` before Rust build (via `beforeBuildCommand` in `tauri.conf.json`). This ensures TS is type-checked before packaging.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -0,0 +1,454 @@
 # Changelog
 All notable changes to TFTSR are documented here.
 Commit types shown: feat, fix, perf, docs, refactor.
 CI, chore, and build changes are excluded.
 ## [0.2.65] — 2026-04-15
 ### Bug Fixes
 - Add --locked to cargo commands and improve version update script
 - Remove invalid --locked flag from cargo commands and fix format string
 - **integrations**: Security and correctness improvements
 - Correct WIQL syntax and escape_wiql implementation
 ### Features
 - Implement dynamic versioning from Git tags
 - **integrations**: Implement query expansion for semantic search
 ### Security
 - Fix query expansion issues from PR review
 - Address all issues from automated PR review
 ## [0.2.63] — 2026-04-13
 ### Bug Fixes
 - Add Windows nsis target and update CHANGELOG to v0.2.61
 ## [0.2.61] — 2026-04-13
 ### Bug Fixes
 - Remove AppImage from upload artifact patterns
 ## [0.2.59] — 2026-04-13
 ### Bug Fixes
 - Remove AppImage bundling to fix linux-amd64 build
 ## [0.2.57] — 2026-04-13
 ### Bug Fixes
 - Add fuse dependency for AppImage support
 ### Refactoring
 - Remove custom linuxdeploy install per CI CI uses tauri-downloaded version
 - Revert to original Dockerfile without manual linuxdeploy installation
 ## [0.2.56] — 2026-04-13
 ### Bug Fixes
 - Add missing ai_providers columns and fix linux-amd64 build
 - Address AI review findings
 - Address critical AI review issues
 ## [0.2.55] — 2026-04-13
 ### Bug Fixes
 - **ci**: Use Gitea file API to push CHANGELOG.md — eliminates non-fast-forward rejection
 - **ci**: Harden CHANGELOG.md API push step per review
 ## [0.2.54] — 2026-04-13
 ### Bug Fixes
 - **ci**: Correct git-cliff archive path in tar extraction
 ## [0.2.53] — 2026-04-13
 ### Features
 - **ci**: Add automated changelog generation via git-cliff
 ## [0.2.52] — 2026-04-13
 ### Bug Fixes
 - **ci**: Add APPIMAGE_EXTRACT_AND_RUN to build-linux-amd64
 ## [0.2.51] — 2026-04-13
 ### Bug Fixes
 - **ci**: Address AI review — rustup idempotency and cargo --locked
 - **ci**: Replace docker:24-cli with alpine + docker-cli in build-images
 - **docker**: Add ca-certificates to arm64 base image step 1
 - **ci**: Resolve test.yml failures — Cargo.lock, updated test assertions
 - **ci**: Address second AI review — || true, ca-certs, cache@v4, key suffixes
 ### Documentation
 - **docker**: Expand rebuild trigger comments to include OpenSSL and Tauri CLI
 ### Performance
 - **ci**: Use pre-baked images and add cargo/npm caching
 ## [0.2.50] — 2026-04-12
 ### Bug Fixes
 - Rename GITEA_TOKEN to TF_TOKEN to comply with naming restrictions
 - Remove actions/checkout to avoid Node.js dependency
 - Use ubuntu container with git installed
 - Use actions/checkout with token auth and self-hosted runner
 - Use IP addresses for internal services
 - Simplified workflow syntax
 - Add debugging output for Ollamaresponse
 - Correct Ollama URL, API endpoint, and JSON construction in pr-review workflow
 - Add diagnostics to identify empty Ollama response root cause
 - Use bash shell and remove bash-only substring expansion in pr-review
 - Restore migration 014, bump version to 0.2.50, harden pr-review workflow
 - Harden pr-review workflow and sync versions to 0.2.50
 - Configure container DNS to resolve ollama-ui.tftsr.com
 - Harden pr-review workflow — URLs, DNS, correctness and reliability
 - Resolve AI review false positives and address high/medium issues
 - Replace github.server_url with hardcoded gogs.tftsr.com for container access
 - Revert to two-dot diff — three-dot requires merge base unavailable in shallow clone
 - Harden pr-review workflow — secret redaction, log safety, auth header
 ### Features
 - Add automated PR review workflow with Ollama AI
 ## [0.2.49] — 2026-04-10
 ### Bug Fixes
 - Add missing ai_providers migration (014)
 ## [0.2.48] — 2026-04-10
 ### Bug Fixes
 - Lint fixes and formatting cleanup
 ### Features
 - Support GenAI datastore file uploads and fix paste image upload
 ## [0.2.47] — 2026-04-09
 ### Bug Fixes
 - Use 'provider' argument name to match Rust command signature
 ## [0.2.46] — 2026-04-09
 ### Bug Fixes
 - Add @types/testing-library__react for TypeScript compilation
 ### Update
 - Node_modules from npm install
 ## [0.2.45] — 2026-04-09
 ### Bug Fixes
 - Force single test thread for Rust tests to eliminate race conditions
 ## [0.2.43] — 2026-04-09
 ### Bug Fixes
 - Fix encryption test race condition with parallel tests
 - OpenWebUI provider connection and missing command registrations
 ### Features
 - Add image attachment support with PII detection
 ## [0.2.42] — 2026-04-07
 ### Documentation
 - Add AGENTS.md and SECURITY_AUDIT.md
 ## [0.2.41] — 2026-04-07
 ### Bug Fixes
 - **db,auth**: Auto-generate encryption keys for release builds
 - **lint**: Use inline format args in auth.rs
 - **lint**: Resolve all clippy warnings for CI compliance
 - **fmt**: Apply rustfmt formatting to webview_fetch.rs
 - **types**: Replace normalizeApiFormat() calls with direct value
 ### Documentation
 - **architecture**: Add C4 diagrams, ADRs, and architecture overview
 ### Features
 - **ai**: Add tool-calling and integration search as AI data source
 ## [0.2.40] — 2026-04-06
 ### Bug Fixes
 - **ci**: Remove explicit docker.sock mount — act_runner mounts it automatically
 ## [0.2.36] — 2026-04-06
 ### Features
 - **ci**: Add persistent pre-baked Docker builder images
 ## [0.2.35] — 2026-04-06
 ### Bug Fixes
 - **ci**: Skip Ollama download on macOS build — runner has no access to GitHub binary assets
 - **ci**: Remove all Ollama bundle download steps — use UI download button instead
 ### Refactoring
 - **ollama**: Remove download/install buttons — show plain install instructions only
 ## [0.2.34] — 2026-04-06
 ### Bug Fixes
 - **security**: Add path canonicalization and actionable permission error in install_ollama_from_bundle
 ### Features
 - **ui**: Fix model dropdown, auth prefill, PII persistence, theme toggle, and Ollama bundle
 ## [0.2.33] — 2026-04-05
 ### Features
 - **rebrand**: Rename binary to trcaa and auto-generate DB key
 ## [0.2.32] — 2026-04-05
 ### Bug Fixes
 - **ci**: Restrict arm64 bundles to deb,rpm — skip AppImage
 ## [0.2.31] — 2026-04-05
 ### Bug Fixes
 - **ci**: Set APPIMAGE_EXTRACT_AND_RUN=1 for arm64 AppImage bundling
 ## [0.2.30] — 2026-04-05
 ### Bug Fixes
 - **ci**: Add make to arm64 host tools for OpenSSL vendored build
 ## [0.2.28] — 2026-04-05
 ### Bug Fixes
 - **ci**: Use POSIX dot instead of source in arm64 build step
 ## [0.2.27] — 2026-04-05
 ### Bug Fixes
 - **ci**: Remove GITHUB_PATH append that was breaking arm64 install step
 ## [0.2.26] — 2026-04-05
 ### Bug Fixes
 - **ci**: Switch build-linux-arm64 to Ubuntu 22.04 with ports mirror
 ### Documentation
 - Update CI pipeline wiki and add ticket summary for arm64 fix
 ## [0.2.25] — 2026-04-05
 ### Bug Fixes
 - **ci**: Rebuild apt sources with per-arch entries before arm64 cross-compile install
 - **ci**: Add workflow_dispatch and concurrency guard to auto-tag
 - **ci**: Replace heredoc with printf in arm64 install step
 ## [0.2.24] — 2026-04-05
 ### Bug Fixes
 - **ci**: Fix arm64 cross-compile, drop cargo install tauri-cli, move wiki-sync
 ## [0.2.23] — 2026-04-05
 ### Bug Fixes
 - **ci**: Unblock release jobs and namespace linux artifacts by arch
 - **security**: Harden secret handling and audit integrity
 - **pii**: Remove lookahead from hostname regex, fix fmt in analysis test
 - **security**: Enforce PII redaction before AI log transmission
 - **ci**: Unblock release jobs and namespace linux artifacts by arch
 ## [0.2.22] — 2026-04-05
 ### Bug Fixes
 - **ci**: Run linux arm release natively and enforce arm artifacts
 ## [0.2.21] — 2026-04-05
 ### Bug Fixes
 - **ci**: Force explicit linux arm64 target for release artifacts
 ## [0.2.20] — 2026-04-05
 ### Refactoring
 - **ci**: Remove standalone release workflow
 ## [0.2.19] — 2026-04-05
 ### Bug Fixes
 - **ci**: Guarantee release jobs run after auto-tag
 - **ci**: Use stable auto-tag job outputs for release fanout
 - **ci**: Run post-tag release builds without job-output gating
 - **ci**: Repair auto-tag workflow yaml so jobs trigger
 ## [0.2.18] — 2026-04-05
 ### Bug Fixes
 - **ci**: Trigger release workflow from auto-tag pushes
 ## [0.2.17] — 2026-04-05
 ### Bug Fixes
 - **ci**: Harden release asset uploads for reruns
 ## [0.2.16] — 2026-04-05
 ### Bug Fixes
 - **ci**: Make release artifacts reliable across platforms
 ## [0.2.14] — 2026-04-04
 ### Bug Fixes
 - Resolve macOS bundle path after app rename
 ## [0.2.13] — 2026-04-04
 ### Bug Fixes
 - Resolve clippy uninlined_format_args in integrations and related modules
 - Resolve clippy format-args failures and OpenSSL vendoring issue
 ### Features
 - Add custom_rest provider mode and rebrand application name
 ## [0.2.12] — 2026-04-04
 ### Bug Fixes
 - ARM64 build uses native target instead of cross-compile
 ## [0.2.11] — 2026-04-04
 ### Bug Fixes
 - Persist integration settings and implement persistent browser windows
 ## [0.2.10] — 2026-04-03
 ### Features
 - Complete webview cookie extraction implementation
 ## [0.2.9] — 2026-04-03
 ### Features
 - Add multi-mode authentication for integrations (v0.2.10)
 ## [0.2.8] — 2026-04-03
 ### Features
 - Add temperature and max_tokens support for Custom REST providers (v0.2.9)
 ## [0.2.7] — 2026-04-03
 ### Bug Fixes
 - Use Wiki secret for authenticated wiki sync (v0.2.8)
 ### Documentation
 - Update wiki for v0.2.6 - integrations and Custom REST provider
 ### Features
 - Add automatic wiki sync to CI workflow (v0.2.7)
 ## [0.2.6] — 2026-04-03
 ### Bug Fixes
 - Add user_id support and OAuth shell permission (v0.2.6)
 ## [0.2.5] — 2026-04-03
 ### Documentation
 - Add Custom REST provider documentation
 ### Features
 - Implement Confluence, ServiceNow, and Azure DevOps REST API clients
 - Add Custom REST provider support
 ## [0.2.4] — 2026-04-03
 ### Features
 - Implement OAuth2 token exchange and AES-256-GCM encryption
 - Add OAuth2 Tauri commands for integration authentication
 - Implement OAuth2 callback server with automatic token exchange
 - Add OAuth2 frontend UI and complete integration flow
 ## [0.2.3] — 2026-04-03
 ### Bug Fixes
 - Improve Cancel button contrast in AI disclaimer modal
 ### Features
 - Add database schema for integration credentials and config
 ## [0.2.1] — 2026-04-03
 ### Bug Fixes
 - Implement native DOCX export without pandoc dependency
 ### Features
 - Add AI disclaimer modal before creating new issues
 ## [0.1.0] — 2026-04-03
 ### Bug Fixes
 - Resolve all clippy lints (uninlined format args, range::contains, push_str single chars)
 - Inline format args for Rust 1.88 clippy compatibility
 - Retain GPU-VRAM-eligible models in recommender even when RAM is low
 - Use alpine/git with explicit checkout for tag-based release builds
 - Set CI=true for cargo tauri build — Woodpecker sets CI=woodpecker which Tauri CLI rejects
 - Arm64 cross-compilation — add multiarch pkg-config sysroot setup
 - Remove arm64 from release pipeline — webkit2gtk multiarch conflict on x86_64 host
 - Write artifacts to workspace (shared between steps), not /artifacts/
 - Upload step needs gogs_default network to reach Gogs API (host firewall blocks default bridge)
 - Use bundled-sqlcipher-vendored-openssl for portable Windows cross-compilation
 - Add make to windows build step (required by vendored OpenSSL)
 - Replace empty icon placeholder files with real app icons
 - Suppress MinGW auto-export to resolve Windows DLL ordinal overflow
 - Use when: platform: for arm64 step routing (Woodpecker 0.15.4 compat)
 - Remove unused tauri-plugin-cli causing startup crash
 - Use $GITHUB_REF_NAME env var instead of ${{ github.ref_name }} expression
 - Remove unused tauri-plugin-updater + SQLCipher 16KB page size
 - Prevent WebKit/GTK system theme from overriding input text colors on Linux
 - Set SQLCipher cipher_page_size BEFORE first database access
 - Button text visibility, toggle contrast, create_issue IPC, ad-hoc codesign
 - Dropdown text invisible on macOS + correct codesign order for DMG
 - Add explicit text-foreground to SelectTrigger, SelectValue, and SelectItem
 - Ollama detection, install guide UI, and AI Providers auto-fill
 - Provider test FK error, model pull white screen, RECOMMENDED badge
 - Provider routing uses provider_type, Active badge, fmt
 - Navigate to /logs after issue creation, fix dashboard category display
 - Dashboard shows — while loading, exposes errors, adds refresh button
 - ListIssuesCmd was sending {query} but Rust expects {filter} — caused dashboard to always show 0 open issues
 - Arm64 linux cross-compilation — add multiarch and pkg-config env vars
 - Close from chat works before issue loads; save user reason as resolution step; dynamic version
 - DomainPrompts closing brace too early; arm64 use native platform image
 - UI contrast issues and ARM64 build failure
 - Remove Woodpecker CI and fix Gitea Actions ARM64 build
 - UI visibility issues, export errors, filtering, and audit log enhancement
 - ARM64 build native compilation instead of cross-compilation
 - Improve release artifact upload error handling
 - Install jq in Linux/Windows build containers
 - Improve download button visibility and add DOCX export
 ### Documentation
 - Update PLAN.md with accurate implementation status
 - Add CLAUDE.md with development guidance
 - Add wiki source files and CI auto-sync pipeline
 - Update PLAN.md - Phase 11 complete, redact token references
 - Update README and wiki for v0.1.0-alpha release
 - Remove broken arm64 CI step, document Woodpecker 0.15.4 limitation
 - Update README and wiki for Gitea Actions migration
 - Update README, wiki, and UI version to v0.1.1
 - Add LiteLLM + AWS Bedrock integration guide
 ### Features
 - Initial implementation of TFTSR IT Triage & RCA application
 - Add Windows amd64 cross-compile to release pipeline; add arm64 QEMU agent
 - Add native linux/arm64 release build step
 - Add macOS arm64 act_runner and release build job
 - Auto-increment patch tag on every merge to master
 - Inline file/screenshot attachment in triage chat
 - Close issues, restore history, auto-save resolution steps
 - Expand domains to 13 — add Telephony, Security/Vault, Public Safety, Application, Automation/CI-CD
 - Add HPE, Dell, Identity domains + expand k8s/security/observability/VESTA NXT
 ### Security
 - Rotate exposed token, redact from PLAN.md, add secret patterns to .gitignore
--- a/cliff.toml
+++ b/cliff.toml
@ -0,0 +1,41 @@
 [changelog]
 header = """
 # Changelog
 All notable changes to TFTSR are documented here.
 Commit types shown: feat, fix, perf, docs, refactor.
 CI, chore, and build changes are excluded.
 """
 body = """
 {% if version -%}
 ## [{{ version | trim_start_matches(pat="v") }}] — {{ timestamp | date(format="%Y-%m-%d") }}
 {% else -%}
 ## [Unreleased]
 {% endif -%}
 {% for group, commits in commits | group_by(attribute="group") -%}
 ### {{ group | upper_first }}
 {% for commit in commits -%}
 - {% if commit.scope %}**{{ commit.scope }}**: {% endif %}{{ commit.message | upper_first }}
 {% endfor %}
 {% endfor %}
 """
 footer = ""
 trim = true
 [git]
 conventional_commits = true
 filter_unconventional = true
 tag_pattern = "v[0-9].*"
 ignore_tags = "rc|alpha|beta"
 sort_commits = "oldest"
 commit_parsers = [
  { message = "^feat",     group = "Features" },
  { message = "^fix",      group = "Bug Fixes" },
  { message = "^perf",     group = "Performance" },
  { message = "^docs",     group = "Documentation" },
  { message = "^refactor", group = "Refactoring" },
  { message = "^ci|^chore|^build|^test|^style", skip = true },
 ]
--- a/docs/wiki/CICD-Pipeline.md
+++ b/docs/wiki/CICD-Pipeline.md
@ -27,12 +27,77 @@ macOS runner runs jobs **directly on the host** (no Docker container) — macOS
 ---
-## Test Pipeline (`.woodpecker/test.yml`)
+## Pre-baked Builder Images
 CI build and test jobs use pre-baked Docker images pushed to the local Gitea registry
 at `172.0.0.29:3000`. These images bake in all system dependencies (Tauri libs, Node.js,
 Rust toolchain, cross-compilers) so that CI jobs skip package installation entirely.
 | Image | Used by jobs | Contents |
 |-------|-------------|----------|
 | `172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22` | `rust-fmt-check`, `rust-clippy`, `rust-tests`, `build-linux-amd64` | Rust 1.88 + rustfmt + clippy + Tauri amd64 libs + Node.js 22 |
 | `172.0.0.29:3000/sarman/trcaa-windows-cross:rust1.88-node22` | `build-windows-amd64` | Rust 1.88 + mingw-w64 + NSIS + Node.js 22 |
 | `172.0.0.29:3000/sarman/trcaa-linux-arm64:rust1.88-node22` | `build-linux-arm64` | Rust 1.88 + aarch64 cross-toolchain + arm64 multiarch libs + Node.js 22 |
 **Rebuild triggers:** Rust toolchain version bump, webkit2gtk/gtk major version change, Node.js major version change.
 **How to rebuild images:**
 1. Trigger `build-images.yml` via `workflow_dispatch` in the Gitea Actions UI
 2. Confirm all 3 images appear in the Gitea package/container registry at `172.0.0.29:3000`
 3. Only then merge workflow changes that depend on the new image contents
 **Server prerequisite — insecure registry** (one-time, on 172.0.0.29):
 ```sh
 echo '{"insecure-registries":["172.0.0.29:3000"]}' | sudo tee /etc/docker/daemon.json
 sudo systemctl restart docker
 ```
 This must be configured on every machine running an act_runner for the runner's Docker
 daemon to pull from the local HTTP registry.
 ---
 ## Cargo and npm Caching
 All Rust and build jobs use `actions/cache@v3` to cache downloaded package artifacts.
 Gitea 1.22 implements the GitHub Actions cache API natively.
 **Cargo cache** (Rust jobs):
 ```yaml
 - name: Cache cargo registry
  uses: actions/cache@v3
  with:
    path: |
      ~/.cargo/registry/index
      ~/.cargo/registry/cache
      ~/.cargo/git/db
    key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
    restore-keys: |
      ${{ runner.os }}-cargo-
 ```
 **npm cache** (frontend and build jobs):
 ```yaml
 - name: Cache npm
  uses: actions/cache@v3
  with:
    path: ~/.npm
    key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-npm-
 ```
 Cache keys for cross-compile jobs use a suffix to avoid collisions:
 - Windows build: `${{ runner.os }}-cargo-windows-${{ hashFiles('**/Cargo.lock') }}`
 - arm64 build: `${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}`
 ---
 ## Test Pipeline (`.gitea/workflows/test.yml`)
 **Triggers:** Pull requests only.
 ```
-Pipeline steps:
+Pipeline jobs (run in parallel):
  1. rust-fmt-check     → cargo fmt --check
  2. rust-clippy        → cargo clippy -- -D warnings
  3. rust-tests         → cargo test  (64 tests)
@ -41,28 +106,9 @@ Pipeline steps:
 ```
 **Docker images used:**
- `rust:1.88-slim` — Rust steps (minimum for cookie_store + time + darling)
+- `172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22` — Rust steps (replaces `rust:1.88-slim`)
 - `node:22-alpine` — Frontend steps
 **Pipeline YAML format (Woodpecker 2.x — steps list format):**
 ```yaml
 clone:
  git:
    image: woodpeckerci/plugin-git
    network_mode: gogs_default     # requires repo_trusted=1
    environment:
      - CI_REPO_CLONE_URL=http://gitea_app:3000/sarman/tftsr-devops_investigation.git
 steps:
  - name: step-name                 # LIST format (- name:)
    image: rust:1.88-slim
    commands:
      - cargo test
 ```
 > ⚠️ Woodpecker 2.x uses the `steps:` list format. The legacy `pipeline:` map format from
 > Woodpecker 0.15.4 is no longer supported.
 ---
 ## Release Pipeline (`.gitea/workflows/auto-tag.yml`)
@ -73,14 +119,16 @@ Auto tags are created by `.gitea/workflows/auto-tag.yml` using `git tag` + `git
 Release jobs are executed in the same workflow and depend on `autotag` completion.
 ```
-Jobs (run in parallel):
+Jobs (run in parallel after autotag):
-  build-linux-amd64   → cargo tauri build (x86_64-unknown-linux-gnu)
+  build-linux-amd64   → image: trcaa-linux-amd64:rust1.88-node22
                         → cargo tauri build (x86_64-unknown-linux-gnu)
                         → {.deb, .rpm, .AppImage} uploaded to Gitea release
                         → fails fast if no Linux artifacts are produced
-  build-windows-amd64 → cargo tauri build (x86_64-pc-windows-gnu) via mingw-w64
+  build-windows-amd64 → image: trcaa-windows-cross:rust1.88-node22
                         → cargo tauri build (x86_64-pc-windows-gnu) via mingw-w64
                         → {.exe, .msi} uploaded to Gitea release
                         → fails fast if no Windows artifacts are produced
-  build-linux-arm64   → Ubuntu 22.04 base (ports.ubuntu.com for arm64 packages)
+  build-linux-arm64   → image: trcaa-linux-arm64:rust1.88-node22 (ubuntu:22.04-based)
                         → cargo tauri build (aarch64-unknown-linux-gnu)
                         → {.deb, .rpm, .AppImage} uploaded to Gitea release
                         → fails fast if no Linux artifacts are produced
@ -209,6 +257,52 @@ UPDATE protect_branch SET protected=true, require_pull_request=true WHERE repo_i
 ---
 ## Changelog Generation
 Changelogs are generated automatically by **git-cliff** on every release.
 Configuration lives in `cliff.toml` at the repo root.
 ### How it works
 A `changelog` job in `auto-tag.yml` runs in parallel with the build jobs, immediately
 after `autotag` completes:
 1. Clones the full repo history with all tags (`--depth=2147483647` — git-cliff needs
   every tag to compute version boundaries).
 2. Downloads the git-cliff v2.7.0 static musl binary (~5 MB, no image change needed).
 3. Runs `git-cliff --output CHANGELOG.md` to regenerate the full cumulative changelog.
 4. Runs `git-cliff --latest --strip all` to produce release notes for the new tag only.
 5. PATCHes the Gitea release body with those notes (replaces the static `"Release vX.Y.Z"`).
 6. Commits `CHANGELOG.md` to master with `[skip ci]` appended to the message.
   The `[skip ci]` token prevents `auto-tag.yml` from re-triggering on the CHANGELOG commit.
 7. Uploads `CHANGELOG.md` as a release asset (replaces any previous version).
 ### cliff.toml reference
 | Setting | Value |
 |---------|-------|
 | `tag_pattern` | `v[0-9].*` |
 | `ignore_tags` | `rc\|alpha\|beta` |
 | `filter_unconventional` | `true` — non-conventional commits are dropped |
 | Included types | `feat`, `fix`, `perf`, `docs`, `refactor` |
 | Excluded types | `ci`, `chore`, `build`, `test`, `style` |
 ### Loop prevention
 The `[skip ci]` suffix on the CHANGELOG commit message is recognised by Gitea Actions
 and causes the workflow to be skipped for that push. Without it, the CHANGELOG commit
 would trigger `auto-tag.yml` again, incrementing the patch version forever.
 ### Bootstrap
 The initial `CHANGELOG.md` was generated locally before the first PR:
 ```sh
 git-cliff --config cliff.toml --output CHANGELOG.md
 ```
 Subsequent runs are fully automated by CI.
 ---
 ## Known Issues & Fixes
 ### Debian Multiarch Breaks arm64 Cross-Compile (`held broken packages`)
--- a/eslint.config.js
+++ b/eslint.config.js
@ -0,0 +1,142 @@
 import globals from "globals";
 import pluginReact from "eslint-plugin-react";
 import pluginReactHooks from "eslint-plugin-react-hooks";
 import pluginTs from "@typescript-eslint/eslint-plugin";
 import parserTs from "@typescript-eslint/parser";
 export default [
  {
    files: ["src/**/*.{ts,tsx}"],
    languageOptions: {
      ecmaVersion: "latest",
      sourceType: "module",
      globals: {
        ...globals.browser,
        ...globals.node,
      },
      parser: parserTs,
      parserOptions: {
        ecmaFeatures: {
          jsx: true,
        },
        project: "./tsconfig.json",
      },
    },
    plugins: {
      react: pluginReact,
      "react-hooks": pluginReactHooks,
      "@typescript-eslint": pluginTs,
    },
    settings: {
      react: {
        version: "detect",
      },
    },
    rules: {
      ...pluginReact.configs.recommended.rules,
      ...pluginReactHooks.configs.recommended.rules,
      ...pluginTs.configs.recommended.rules,
      "no-unused-vars": "off",
      "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }],
      "no-console": ["warn", { allow: ["warn", "error"] }],
      "react/react-in-jsx-scope": "off",
      "react/prop-types": "off",
      "react/no-unescaped-entities": "off",
    },
  },
  {
    files: ["tests/unit/**/*.test.{ts,tsx}"],
    languageOptions: {
      ecmaVersion: "latest",
      sourceType: "module",
      globals: {
        ...globals.browser,
        ...globals.node,
        ...globals.vitest,
      },
      parser: parserTs,
      parserOptions: {
        ecmaFeatures: {
          jsx: true,
        },
        project: "./tsconfig.json",
      },
    },
    plugins: {
      react: pluginReact,
      "react-hooks": pluginReactHooks,
      "@typescript-eslint": pluginTs,
    },
    settings: {
      react: {
        version: "detect",
      },
    },
    rules: {
      ...pluginReact.configs.recommended.rules,
      ...pluginReactHooks.configs.recommended.rules,
      ...pluginTs.configs.recommended.rules,
      "no-unused-vars": "off",
      "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }],
      "no-console": ["warn", { allow: ["warn", "error"] }],
      "react/react-in-jsx-scope": "off",
      "react/prop-types": "off",
      "react/no-unescaped-entities": "off",
    },
  },
  {
    files: ["tests/e2e/**/*.ts", "tests/e2e/**/*.tsx"],
    languageOptions: {
      ecmaVersion: "latest",
      sourceType: "module",
      globals: {
        ...globals.node,
      },
      parser: parserTs,
      parserOptions: {
        ecmaFeatures: {
          jsx: false,
        },
      },
    },
    plugins: {
      "@typescript-eslint": pluginTs,
    },
    rules: {
      ...pluginTs.configs.recommended.rules,
      "no-unused-vars": "off",
      "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }],
      "no-console": ["warn", { allow: ["warn", "error"] }],
    },
  },
  {
    files: ["cli/**/*.{ts,tsx}"],
    languageOptions: {
      ecmaVersion: "latest",
      sourceType: "module",
      globals: {
        ...globals.node,
      },
      parser: parserTs,
      parserOptions: {
        ecmaFeatures: {
          jsx: false,
        },
      },
    },
    plugins: {
      "@typescript-eslint": pluginTs,
    },
    rules: {
      ...pluginTs.configs.recommended.rules,
      "no-unused-vars": "off",
      "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }],
      "no-console": ["warn", { allow: ["warn", "error"] }],
      "react/no-unescaped-entities": "off",
    },
  },
  {
    files: ["**/*.ts", "**/*.tsx"],
    ignores: ["dist/", "node_modules/", "src-tauri/", "target/", "coverage/", "tailwind.config.ts"],
  },
 ];
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,11 +1,12 @@
 {
  "name": "tftsr",
  "private": true,
-  "version": "0.1.0",
+  "version": "0.2.62",
  "type": "module",
  "scripts": {
    "dev": "vite",
    "build": "tsc && vite build",
    "version:update": "node scripts/update-version.mjs",
    "preview": "vite preview",
    "tauri": "tauri",
    "test": "vitest",
@ -37,11 +38,17 @@
    "@testing-library/user-event": "^14",
    "@types/react": "^18",
    "@types/react-dom": "^18",
    "@types/testing-library__react": "^10",
    "@typescript-eslint/eslint-plugin": "^8.58.1",
    "@typescript-eslint/parser": "^8.58.1",
    "@vitejs/plugin-react": "^4",
    "@vitest/coverage-v8": "^2",
    "@wdio/cli": "^9",
    "@wdio/mocha-framework": "^9",
    "autoprefixer": "^10",
    "eslint": "^9.39.4",
    "eslint-plugin-react": "^7.37.5",
    "eslint-plugin-react-hooks": "^7.0.1",
    "jsdom": "^26",
    "postcss": "^8",
    "typescript": "^5",
--- a/scripts/update-version.mjs
+++ b/scripts/update-version.mjs
@ -0,0 +1,111 @@
 #!/usr/bin/env node
 import { execSync } from 'child_process';
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
 import { resolve, dirname } from 'path';
 import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const projectRoot = resolve(__dirname, '..');
 /**
 * Validate version is semver-compliant (X.Y.Z)
 */
 function isValidSemver(version) {
  return /^[0-9]+\.[0-9]+\.[0-9]+$/.test(version);
 }
 function validateGitRepo(root) {
  if (!existsSync(resolve(root, '.git'))) {
    throw new Error(`Not a Git repository: ${root}`);
  }
 }
 function getVersionFromGit() {
  validateGitRepo(projectRoot);
  try {
    const output = execSync('git describe --tags --abbrev=0', { 
      encoding: 'utf-8',
      cwd: projectRoot,
      shell: false
    });
    let version = output.trim();
    // Remove v prefix
    version = version.replace(/^v/, '');
    // Validate it's a valid semver
    if (!isValidSemver(version)) {
      const pkgJsonVersion = getFallbackVersion();
      console.warn(`Invalid version format "${version}" from git describe, using package.json fallback: ${pkgJsonVersion}`);
      return pkgJsonVersion;
    }
    return version;
  } catch (e) {
    const pkgJsonVersion = getFallbackVersion();
    console.warn(`Failed to get version from Git tags, using package.json fallback: ${pkgJsonVersion}`);
    return pkgJsonVersion;
  }
 }
 function getFallbackVersion() {
  const pkgPath = resolve(projectRoot, 'package.json');
  if (!existsSync(pkgPath)) {
    return '0.2.50';
  }
  try {
    const content = readFileSync(pkgPath, 'utf-8');
    const json = JSON.parse(content);
    return json.version || '0.2.50';
  } catch {
    return '0.2.50';
  }
 }
 function updatePackageJson(version) {
  const fullPath = resolve(projectRoot, 'package.json');
  if (!existsSync(fullPath)) {
    throw new Error(`File not found: ${fullPath}`);
  }
  const content = readFileSync(fullPath, 'utf-8');
  const json = JSON.parse(content);
  json.version = version;
  // Write with 2-space indentation
  writeFileSync(fullPath, JSON.stringify(json, null, 2) + '\n', 'utf-8');
  console.log(`✓ Updated package.json to ${version}`);
 }
 function updateTOML(path, version) {
  const fullPath = resolve(projectRoot, path);
  if (!existsSync(fullPath)) {
    throw new Error(`File not found: ${fullPath}`);
  }
  const content = readFileSync(fullPath, 'utf-8');
  const lines = content.split('\n');
  const output = [];
  for (const line of lines) {
    if (line.match(/^\s*version\s*=\s*"/)) {
      output.push(`version = "${version}"`);
    } else {
      output.push(line);
    }
  }
  writeFileSync(fullPath, output.join('\n') + '\n', 'utf-8');
  console.log(`✓ Updated ${path} to ${version}`);
 }
 const version = getVersionFromGit();
 console.log(`Setting version to: ${version}`);
 updatePackageJson(version);
 updateTOML('src-tauri/Cargo.toml', version);
 updateTOML('src-tauri/tauri.conf.json', version);
 console.log(`✓ All version fields updated to ${version}`);
--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
@ -4242,6 +4242,7 @@ dependencies = [
 "js-sys",
 "log",
 "mime",
 "mime_guess",
 "native-tls",
 "percent-encoding",
 "pin-project-lite",
@ -6138,7 +6139,7 @@ dependencies = [
 [[package]]
 name = "trcaa"
-version = "0.1.0"
+version = "0.2.62"
 dependencies = [
 "aes-gcm",
 "aho-corasick",
@ -6173,6 +6174,7 @@ dependencies = [
 "tokio-test",
 "tracing",
 "tracing-subscriber",
 "url",
 "urlencoding",
 "uuid",
 "warp",
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "trcaa"
-version = "0.1.0"
+version = "0.2.62"
 edition = "2021"
 [lib]
@ -21,7 +21,7 @@ rusqlite = { version = "0.31", features = ["bundled-sqlcipher-vendored-openssl"]
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 tokio = { version = "1", features = ["full"] }
-reqwest = { version = "0.12", features = ["json", "stream"] }
+reqwest = { version = "0.12", features = ["json", "stream", "multipart"] }
 regex = "1"
 aho-corasick = "1"
 uuid = { version = "1", features = ["v7"] }
@ -44,6 +44,7 @@ lazy_static = "1.4"
 warp = "0.3"
 urlencoding = "2"
 infer = "0.15"
 url = "2.5.8"
 [dev-dependencies]
 tokio-test = "0.4"
@ -52,3 +53,7 @@ mockito = "1.2"
 [profile.release]
 opt-level = "s"
 strip = true
--- a/src-tauri/build.rs
+++ b/src-tauri/build.rs
@ -1,3 +1,30 @@
 fn main() {
    let version = get_version_from_git();
    println!("cargo:rustc-env=APP_VERSION={version}");
    println!("cargo:rerun-if-changed=.git/refs/heads/master");
    println!("cargo:rerun-if-changed=.git/refs/tags");
    tauri_build::build()
 }
 fn get_version_from_git() -> String {
    if let Ok(output) = std::process::Command::new("git")
        .arg("describe")
        .arg("--tags")
        .arg("--abbrev=0")
        .output()
    {
        if output.status.success() {
            let version = String::from_utf8_lossy(&output.stdout)
                .trim()
                .trim_start_matches('v')
                .to_string();
            if !version.is_empty() {
                return version;
            }
        }
    }
    "0.2.50".to_string()
 }
--- a/src-tauri/src/commands/analysis.rs
+++ b/src-tauri/src/commands/analysis.rs
@ -97,6 +97,77 @@ pub async fn upload_log_file(
    Ok(log_file)
 }
 #[tauri::command]
 pub async fn upload_log_file_by_content(
    issue_id: String,
    file_name: String,
    content: String,
    state: State<'_, AppState>,
 ) -> Result<LogFile, String> {
    let content_bytes = content.as_bytes();
    let content_hash = format!("{:x}", Sha256::digest(content_bytes));
    let file_size = content_bytes.len() as i64;
    // Determine mime type based on file extension
    let mime_type = if file_name.ends_with(".json") {
        "application/json"
    } else if file_name.ends_with(".xml") {
        "application/xml"
    } else {
        "text/plain"
    };
    // Use the file_name as the file_path for DB storage
    let log_file = LogFile::new(
        issue_id.clone(),
        file_name.clone(),
        file_name.clone(),
        file_size,
    );
    let log_file = LogFile {
        content_hash: content_hash.clone(),
        mime_type: mime_type.to_string(),
        ..log_file
    };
    let db = state.db.lock().map_err(|e| e.to_string())?;
    db.execute(
        "INSERT INTO log_files (id, issue_id, file_name, file_path, file_size, mime_type, content_hash, uploaded_at, redacted) \
         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9)",
        rusqlite::params![
            log_file.id,
            log_file.issue_id,
            log_file.file_name,
            log_file.file_path,
            log_file.file_size,
            log_file.mime_type,
            log_file.content_hash,
            log_file.uploaded_at,
            log_file.redacted as i32,
        ],
    )
    .map_err(|_| "Failed to store uploaded log metadata".to_string())?;
    // Audit
    let entry = AuditEntry::new(
        "upload_log_file".to_string(),
        "log_file".to_string(),
        log_file.id.clone(),
        serde_json::json!({ "issue_id": issue_id, "file_name": log_file.file_name }).to_string(),
    );
    if let Err(err) = crate::audit::log::write_audit_event(
        &db,
        &entry.action,
        &entry.entity_type,
        &entry.entity_id,
        &entry.details,
    ) {
        warn!(error = %err, "failed to write upload_log_file audit entry");
    }
    Ok(log_file)
 }
 #[tauri::command]
 pub async fn detect_pii(
    log_file_id: String,
--- a/src-tauri/src/commands/image.rs
+++ b/src-tauri/src/commands/image.rs
@ -8,12 +8,13 @@ use crate::db::models::{AuditEntry, ImageAttachment};
 use crate::state::AppState;
 const MAX_IMAGE_FILE_BYTES: u64 = 10 * 1024 * 1024;
-const SUPPORTED_IMAGE_MIME_TYPES: [&str; 5] = [
+const SUPPORTED_IMAGE_MIME_TYPES: [&str; 6] = [
    "image/png",
    "image/jpeg",
    "image/gif",
    "image/webp",
    "image/svg+xml",
    "image/bmp",
 ];
 fn validate_image_file_path(file_path: &str) -> Result<std::path::PathBuf, String> {
@ -122,6 +123,92 @@ pub async fn upload_image_attachment(
    Ok(attachment)
 }
 #[tauri::command]
 pub async fn upload_image_attachment_by_content(
    issue_id: String,
    file_name: String,
    base64_content: String,
    state: State<'_, AppState>,
 ) -> Result<ImageAttachment, String> {
    let data_part = base64_content
        .split(',')
        .nth(1)
        .ok_or("Invalid image data format - missing base64 content")?;
    let decoded = base64::engine::general_purpose::STANDARD
        .decode(data_part)
        .map_err(|_| "Failed to decode base64 image data")?;
    let content_hash = format!("{:x}", sha2::Sha256::digest(&decoded));
    let file_size = decoded.len() as i64;
    let mime_type: String = infer::get(&decoded)
        .map(|m| m.mime_type().to_string())
        .unwrap_or_else(|| "image/png".to_string());
    if !is_supported_image_format(mime_type.as_str()) {
        return Err(format!(
            "Unsupported image format: {}. Supported formats: {}",
            mime_type,
            SUPPORTED_IMAGE_MIME_TYPES.join(", ")
        ));
    }
    // Use the file_name as file_path for DB storage
    let attachment = ImageAttachment::new(
        issue_id.clone(),
        file_name.clone(),
        file_name,
        file_size,
        mime_type,
        content_hash.clone(),
        true,
        false,
    );
    let db = state.db.lock().map_err(|e| e.to_string())?;
    db.execute(
        "INSERT INTO image_attachments (id, issue_id, file_name, file_path, file_size, mime_type, upload_hash, uploaded_at, pii_warning_acknowledged, is_paste) \
         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10)",
        rusqlite::params![
            attachment.id,
            attachment.issue_id,
            attachment.file_name,
            attachment.file_path,
            attachment.file_size,
            attachment.mime_type,
            attachment.upload_hash,
            attachment.uploaded_at,
            attachment.pii_warning_acknowledged as i32,
            attachment.is_paste as i32,
        ],
    )
    .map_err(|_| "Failed to store uploaded image metadata".to_string())?;
    let entry = AuditEntry::new(
        "upload_image_attachment".to_string(),
        "image_attachment".to_string(),
        attachment.id.clone(),
        serde_json::json!({
            "issue_id": issue_id,
            "file_name": attachment.file_name,
            "is_paste": false,
        })
        .to_string(),
    );
    if let Err(err) = write_audit_event(
        &db,
        &entry.action,
        &entry.entity_type,
        &entry.entity_id,
        &entry.details,
    ) {
        tracing::warn!(error = %err, "failed to write upload_image_attachment audit entry");
    }
    Ok(attachment)
 }
 #[tauri::command]
 pub async fn upload_paste_image(
    issue_id: String,
@ -265,6 +352,245 @@ pub async fn delete_image_attachment(
    Ok(())
 }
 #[tauri::command]
 pub async fn upload_file_to_datastore(
    provider_config: serde_json::Value,
    file_path: String,
    _state: State<'_, AppState>,
 ) -> Result<String, String> {
    use reqwest::multipart::Form;
    let canonical_path = validate_image_file_path(&file_path)?;
    let content =
        std::fs::read(&canonical_path).map_err(|_| "Failed to read file for datastore upload")?;
    let file_name = canonical_path
        .file_name()
        .and_then(|n| n.to_str())
        .unwrap_or("unknown")
        .to_string();
    let _file_size = content.len() as i64;
    // Extract API URL and auth header from provider config
    let api_url = provider_config
        .get("api_url")
        .and_then(|v| v.as_str())
        .ok_or("Provider config missing api_url")?
        .to_string();
    // Extract use_datastore_upload flag
    let use_datastore = provider_config
        .get("use_datastore_upload")
        .and_then(|v| v.as_bool())
        .unwrap_or(false);
    if !use_datastore {
        return Err("use_datastore_upload is not enabled for this provider".to_string());
    }
    // Get datastore ID from custom_endpoint_path (stored as datastore ID)
    let datastore_id = provider_config
        .get("custom_endpoint_path")
        .and_then(|v| v.as_str())
        .ok_or("Provider config missing datastore ID in custom_endpoint_path")?
        .to_string();
    // Build upload endpoint: POST /api/v2/upload/<DATASTORE-ID>
    let api_url = api_url.trim_end_matches('/');
    let upload_url = format!("{api_url}/upload/{datastore_id}");
    // Read auth header and value
    let auth_header = provider_config
        .get("custom_auth_header")
        .and_then(|v| v.as_str())
        .unwrap_or("x-generic-api-key");
    let auth_prefix = provider_config
        .get("custom_auth_prefix")
        .and_then(|v| v.as_str())
        .unwrap_or("");
    let api_key = provider_config
        .get("api_key")
        .and_then(|v| v.as_str())
        .ok_or("Provider config missing api_key")?;
    let auth_value = format!("{auth_prefix}{api_key}");
    let client = reqwest::Client::new();
    // Create multipart form
    let part = reqwest::multipart::Part::bytes(content)
        .file_name(file_name)
        .mime_str("application/octet-stream")
        .map_err(|e| format!("Failed to create multipart part: {e}"))?;
    let form = Form::new().part("file", part);
    let resp = client
        .post(&upload_url)
        .header(auth_header, auth_value)
        .multipart(form)
        .send()
        .await
        .map_err(|e| format!("Upload request failed: {e}"))?;
    if !resp.status().is_success() {
        let status = resp.status();
        let text = resp
            .text()
            .await
            .unwrap_or_else(|_| "unable to read response".to_string());
        return Err(format!("Datastore upload error {status}: {text}"));
    }
    // Parse response to get file ID
    let json = resp
        .json::<serde_json::Value>()
        .await
        .map_err(|e| format!("Failed to parse upload response: {e}"))?;
    // Response should have file_id or id field
    let file_id = json
        .get("file_id")
        .or_else(|| json.get("id"))
        .and_then(|v| v.as_str())
        .ok_or_else(|| {
            format!(
                "Response missing file_id: {}",
                serde_json::to_string_pretty(&json).unwrap_or_default()
            )
        })?
        .to_string();
    Ok(file_id)
 }
 /// Upload any file (not just images) to GenAI datastore
 #[tauri::command]
 pub async fn upload_file_to_datastore_any(
    provider_config: serde_json::Value,
    file_path: String,
    _state: State<'_, AppState>,
 ) -> Result<String, String> {
    use reqwest::multipart::Form;
    // Validate file exists and is accessible
    let path = Path::new(&file_path);
    let canonical = std::fs::canonicalize(path).map_err(|_| "Unable to access selected file")?;
    let metadata = std::fs::metadata(&canonical).map_err(|_| "Unable to read file metadata")?;
    if !metadata.is_file() {
        return Err("Selected path is not a file".to_string());
    }
    let content =
        std::fs::read(&canonical).map_err(|_| "Failed to read file for datastore upload")?;
    let file_name = canonical
        .file_name()
        .and_then(|n| n.to_str())
        .unwrap_or("unknown")
        .to_string();
    let _file_size = content.len() as i64;
    // Extract API URL and auth header from provider config
    let api_url = provider_config
        .get("api_url")
        .and_then(|v| v.as_str())
        .ok_or("Provider config missing api_url")?
        .to_string();
    // Extract use_datastore_upload flag
    let use_datastore = provider_config
        .get("use_datastore_upload")
        .and_then(|v| v.as_bool())
        .unwrap_or(false);
    if !use_datastore {
        return Err("use_datastore_upload is not enabled for this provider".to_string());
    }
    // Get datastore ID from custom_endpoint_path (stored as datastore ID)
    let datastore_id = provider_config
        .get("custom_endpoint_path")
        .and_then(|v| v.as_str())
        .ok_or("Provider config missing datastore ID in custom_endpoint_path")?
        .to_string();
    // Build upload endpoint: POST /api/v2/upload/<DATASTORE-ID>
    let api_url = api_url.trim_end_matches('/');
    let upload_url = format!("{api_url}/upload/{datastore_id}");
    // Read auth header and value
    let auth_header = provider_config
        .get("custom_auth_header")
        .and_then(|v| v.as_str())
        .unwrap_or("x-generic-api-key");
    let auth_prefix = provider_config
        .get("custom_auth_prefix")
        .and_then(|v| v.as_str())
        .unwrap_or("");
    let api_key = provider_config
        .get("api_key")
        .and_then(|v| v.as_str())
        .ok_or("Provider config missing api_key")?;
    let auth_value = format!("{auth_prefix}{api_key}");
    let client = reqwest::Client::new();
    // Create multipart form
    let part = reqwest::multipart::Part::bytes(content)
        .file_name(file_name)
        .mime_str("application/octet-stream")
        .map_err(|e| format!("Failed to create multipart part: {e}"))?;
    let form = Form::new().part("file", part);
    let resp = client
        .post(&upload_url)
        .header(auth_header, auth_value)
        .multipart(form)
        .send()
        .await
        .map_err(|e| format!("Upload request failed: {e}"))?;
    if !resp.status().is_success() {
        let status = resp.status();
        let text = resp
            .text()
            .await
            .unwrap_or_else(|_| "unable to read response".to_string());
        return Err(format!("Datastore upload error {status}: {text}"));
    }
    // Parse response to get file ID
    let json = resp
        .json::<serde_json::Value>()
        .await
        .map_err(|e| format!("Failed to parse upload response: {e}"))?;
    // Response should have file_id or id field
    let file_id = json
        .get("file_id")
        .or_else(|| json.get("id"))
        .and_then(|v| v.as_str())
        .ok_or_else(|| {
            format!(
                "Response missing file_id: {}",
                serde_json::to_string_pretty(&json).unwrap_or_default()
            )
        })?
        .to_string();
    Ok(file_id)
 }
 #[cfg(test)]
 mod tests {
    use super::*;
@ -276,7 +602,7 @@ mod tests {
        assert!(is_supported_image_format("image/gif"));
        assert!(is_supported_image_format("image/webp"));
        assert!(is_supported_image_format("image/svg+xml"));
-        assert!(!is_supported_image_format("image/bmp"));
+        assert!(is_supported_image_format("image/bmp"));
        assert!(!is_supported_image_format("text/plain"));
    }
 }
--- a/src-tauri/src/commands/system.rs
+++ b/src-tauri/src/commands/system.rs
@ -4,6 +4,7 @@ use crate::ollama::{
    OllamaStatus,
 };
 use crate::state::{AppSettings, AppState, ProviderConfig};
 use std::env;
 // --- Ollama commands ---
@ -158,8 +159,8 @@ pub async fn save_ai_provider(
    db.execute(
        "INSERT OR REPLACE INTO ai_providers
         (id, name, provider_type, api_url, encrypted_api_key, model, max_tokens, temperature,
-          custom_endpoint_path, custom_auth_header, custom_auth_prefix, api_format, user_id, updated_at)
+          custom_endpoint_path, custom_auth_header, custom_auth_prefix, api_format, user_id, use_datastore_upload, updated_at)
-         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, datetime('now'))",
+         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, datetime('now'))",
        rusqlite::params![
            uuid::Uuid::now_v7().to_string(),
            provider.name,
@ -174,6 +175,7 @@ pub async fn save_ai_provider(
            provider.custom_auth_prefix,
            provider.api_format,
            provider.user_id,
            provider.use_datastore_upload,
        ],
    )
    .map_err(|e| format!("Failed to save AI provider: {e}"))?;
@ -191,7 +193,7 @@ pub async fn load_ai_providers(
    let mut stmt = db
        .prepare(
            "SELECT name, provider_type, api_url, encrypted_api_key, model, max_tokens, temperature,
-                    custom_endpoint_path, custom_auth_header, custom_auth_prefix, api_format, user_id
+                    custom_endpoint_path, custom_auth_header, custom_auth_prefix, api_format, user_id, use_datastore_upload
             FROM ai_providers
             ORDER BY name",
        )
@ -214,6 +216,7 @@ pub async fn load_ai_providers(
                row.get::<_, Option<String>>(9)?,  // custom_auth_prefix
                row.get::<_, Option<String>>(10)?, // api_format
                row.get::<_, Option<String>>(11)?, // user_id
                row.get::<_, Option<bool>>(12)?,   // use_datastore_upload
            ))
        })
        .map_err(|e| e.to_string())?
@ -232,6 +235,7 @@ pub async fn load_ai_providers(
                custom_auth_prefix,
                api_format,
                user_id,
                use_datastore_upload,
            )| {
                // Decrypt the API key
                let api_key = crate::integrations::auth::decrypt_token(&encrypted_key).ok()?;
@ -250,6 +254,7 @@ pub async fn load_ai_providers(
                    api_format,
                    session_id: None, // Session IDs are not persisted
                    user_id,
                    use_datastore_upload,
                })
            },
        )
@ -271,3 +276,11 @@ pub async fn delete_ai_provider(
    Ok(())
 }
 /// Get the application version from build-time environment
 #[tauri::command]
 pub async fn get_app_version() -> Result<String, String> {
    env::var("APP_VERSION")
        .or_else(|_| env::var("CARGO_PKG_VERSION"))
        .map_err(|e| format!("Failed to get version: {e}"))
 }
--- a/src-tauri/src/db/migrations.rs
+++ b/src-tauri/src/db/migrations.rs
@ -170,6 +170,35 @@ pub fn run_migrations(conn: &Connection) -> anyhow::Result<()> {
                is_paste INTEGER NOT NULL DEFAULT 0
            );",
        ),
        (
            "014_create_ai_providers",
            "CREATE TABLE IF NOT EXISTS ai_providers (
                id TEXT PRIMARY KEY,
                name TEXT NOT NULL UNIQUE,
                provider_type TEXT NOT NULL,
                api_url TEXT NOT NULL,
                encrypted_api_key TEXT NOT NULL,
                model TEXT NOT NULL,
                max_tokens INTEGER,
                temperature REAL,
                custom_endpoint_path TEXT,
                custom_auth_header TEXT,
                custom_auth_prefix TEXT,
                api_format TEXT,
                user_id TEXT,
                use_datastore_upload INTEGER,
                created_at TEXT NOT NULL DEFAULT (datetime('now')),
                updated_at TEXT NOT NULL DEFAULT (datetime('now'))
            );",
        ),
        (
            "015_add_use_datastore_upload",
            "ALTER TABLE ai_providers ADD COLUMN use_datastore_upload INTEGER DEFAULT 0",
        ),
        (
            "016_add_created_at",
            "ALTER TABLE ai_providers ADD COLUMN created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%d %H:%M:%S', 'now'))",
        ),
    ];
    for (name, sql) in migrations {
@ -180,13 +209,30 @@ pub fn run_migrations(conn: &Connection) -> anyhow::Result<()> {
        if !already_applied {
            // FTS5 virtual table creation can be skipped if FTS5 is not compiled in
-            if let Err(e) = conn.execute_batch(sql) {
+            // Also handle column-already-exists errors for migrations 015-016
            if name.contains("fts") {
                if let Err(e) = conn.execute_batch(sql) {
                    tracing::warn!("FTS5 not available, skipping: {e}");
                }
            } else if name.ends_with("_add_use_datastore_upload")
                || name.ends_with("_add_created_at")
            {
                // Use execute for ALTER TABLE (SQLite only allows one statement per command)
                // Skip error if column already exists (SQLITE_ERROR with "duplicate column name")
                if let Err(e) = conn.execute(sql, []) {
                    let err_str = e.to_string();
                    if err_str.contains("duplicate column name") {
                        tracing::info!("Column may already exist, skipping migration {name}: {e}");
                    } else {
                        return Err(e.into());
                    }
                }
            } else {
                // Use execute_batch for other migrations (FTS5, CREATE TABLE, etc.)
                if let Err(e) = conn.execute_batch(sql) {
                    return Err(e.into());
                }
            }
            conn.execute("INSERT INTO _migrations (name) VALUES (?1)", [name])?;
            tracing::info!("Applied migration: {name}");
        }
@ -468,4 +514,188 @@ mod tests {
        assert_eq!(mime_type, "image/png");
        assert_eq!(is_paste, 0);
    }
    #[test]
    fn test_create_ai_providers_table() {
        let conn = setup_test_db();
        let count: i64 = conn
            .query_row(
                "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='ai_providers'",
                [],
                |r| r.get(0),
            )
            .unwrap();
        assert_eq!(count, 1);
        let mut stmt = conn.prepare("PRAGMA table_info(ai_providers)").unwrap();
        let columns: Vec<String> = stmt
            .query_map([], |row| row.get::<_, String>(1))
            .unwrap()
            .collect::<Result<Vec<_>, _>>()
            .unwrap();
        assert!(columns.contains(&"id".to_string()));
        assert!(columns.contains(&"name".to_string()));
        assert!(columns.contains(&"provider_type".to_string()));
        assert!(columns.contains(&"api_url".to_string()));
        assert!(columns.contains(&"encrypted_api_key".to_string()));
        assert!(columns.contains(&"model".to_string()));
        assert!(columns.contains(&"max_tokens".to_string()));
        assert!(columns.contains(&"temperature".to_string()));
        assert!(columns.contains(&"custom_endpoint_path".to_string()));
        assert!(columns.contains(&"custom_auth_header".to_string()));
        assert!(columns.contains(&"custom_auth_prefix".to_string()));
        assert!(columns.contains(&"api_format".to_string()));
        assert!(columns.contains(&"user_id".to_string()));
        assert!(columns.contains(&"use_datastore_upload".to_string()));
        assert!(columns.contains(&"created_at".to_string()));
        assert!(columns.contains(&"updated_at".to_string()));
    }
    #[test]
    fn test_store_and_retrieve_ai_provider() {
        let conn = setup_test_db();
        conn.execute(
            "INSERT INTO ai_providers (id, name, provider_type, api_url, encrypted_api_key, model)
             VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
            rusqlite::params![
                "test-provider-1",
                "My OpenAI",
                "openai",
                "https://api.openai.com/v1",
                "encrypted_key_123",
                "gpt-4o"
            ],
        )
        .unwrap();
        let (name, provider_type, api_url, encrypted_key, model): (String, String, String, String, String) = conn
            .query_row(
                "SELECT name, provider_type, api_url, encrypted_api_key, model FROM ai_providers WHERE name = ?1",
                ["My OpenAI"],
                |r| Ok((r.get(0)?, r.get(1)?, r.get(2)?, r.get(3)?, r.get(4)?)),
            )
            .unwrap();
        assert_eq!(name, "My OpenAI");
        assert_eq!(provider_type, "openai");
        assert_eq!(api_url, "https://api.openai.com/v1");
        assert_eq!(encrypted_key, "encrypted_key_123");
        assert_eq!(model, "gpt-4o");
    }
    #[test]
    fn test_add_missing_columns_to_existing_table() {
        let conn = Connection::open_in_memory().unwrap();
        // Simulate existing table without use_datastore_upload and created_at
        conn.execute_batch(
            "CREATE TABLE IF NOT EXISTS ai_providers (
                id TEXT PRIMARY KEY,
                name TEXT NOT NULL UNIQUE,
                provider_type TEXT NOT NULL,
                api_url TEXT NOT NULL,
                encrypted_api_key TEXT NOT NULL,
                model TEXT NOT NULL,
                max_tokens INTEGER,
                temperature REAL,
                custom_endpoint_path TEXT,
                custom_auth_header TEXT,
                custom_auth_prefix TEXT,
                api_format TEXT,
                user_id TEXT,
                updated_at TEXT NOT NULL DEFAULT (datetime('now'))
            );",
        )
        .unwrap();
        // Verify columns BEFORE migration
        let mut stmt = conn.prepare("PRAGMA table_info(ai_providers)").unwrap();
        let columns: Vec<String> = stmt
            .query_map([], |row| row.get::<_, String>(1))
            .unwrap()
            .collect::<Result<Vec<_>, _>>()
            .unwrap();
        assert!(columns.contains(&"name".to_string()));
        assert!(columns.contains(&"model".to_string()));
        assert!(!columns.contains(&"use_datastore_upload".to_string()));
        assert!(!columns.contains(&"created_at".to_string()));
        // Run migrations (should apply 015 to add missing columns)
        run_migrations(&conn).unwrap();
        // Verify columns AFTER migration
        let mut stmt = conn.prepare("PRAGMA table_info(ai_providers)").unwrap();
        let columns: Vec<String> = stmt
            .query_map([], |row| row.get::<_, String>(1))
            .unwrap()
            .collect::<Result<Vec<_>, _>>()
            .unwrap();
        assert!(columns.contains(&"name".to_string()));
        assert!(columns.contains(&"model".to_string()));
        assert!(columns.contains(&"use_datastore_upload".to_string()));
        assert!(columns.contains(&"created_at".to_string()));
        // Verify data integrity - existing rows should have default values
        conn.execute(
            "INSERT INTO ai_providers (id, name, provider_type, api_url, encrypted_api_key, model)
             VALUES (?, ?, ?, ?, ?, ?)",
            rusqlite::params![
                "test-provider-2",
                "Test Provider",
                "openai",
                "https://api.example.com",
                "encrypted_key_456",
                "gpt-3.5-turbo"
            ],
        )
        .unwrap();
        let (name, use_datastore_upload, created_at): (String, bool, String) = conn
            .query_row(
                "SELECT name, use_datastore_upload, created_at FROM ai_providers WHERE name = ?1",
                ["Test Provider"],
                |r| Ok((r.get(0)?, r.get(1)?, r.get(2)?)),
            )
            .unwrap();
        assert_eq!(name, "Test Provider");
        assert!(!use_datastore_upload);
        assert!(created_at.len() > 0);
    }
    #[test]
    fn test_idempotent_add_missing_columns() {
        let conn = Connection::open_in_memory().unwrap();
        // Create table with both columns already present (simulating prior migration run)
        conn.execute_batch(
            "CREATE TABLE IF NOT EXISTS ai_providers (
                id TEXT PRIMARY KEY,
                name TEXT NOT NULL UNIQUE,
                provider_type TEXT NOT NULL,
                api_url TEXT NOT NULL,
                encrypted_api_key TEXT NOT NULL,
                model TEXT NOT NULL,
                max_tokens INTEGER,
                temperature REAL,
                custom_endpoint_path TEXT,
                custom_auth_header TEXT,
                custom_auth_prefix TEXT,
                api_format TEXT,
                user_id TEXT,
                use_datastore_upload INTEGER DEFAULT 0,
                created_at TEXT NOT NULL DEFAULT (datetime('now')),
                updated_at TEXT NOT NULL DEFAULT (datetime('now'))
            );",
        )
        .unwrap();
        // Should not fail even though columns already exist
        run_migrations(&conn).unwrap();
    }
 }
--- a/src-tauri/src/integrations/azuredevops_search.rs
+++ b/src-tauri/src/integrations/azuredevops_search.rs
@ -1,4 +1,40 @@
 use super::confluence_search::SearchResult;
 use crate::integrations::query_expansion::expand_query;
 const MAX_EXPANDED_QUERIES: usize = 3;
 fn escape_wiql(s: &str) -> String {
    s.replace('\'', "''")
        .replace('"', "\\\"")
        .replace('\\', "\\\\")
        .replace('(', "\\(")
        .replace(')', "\\)")
        .replace(';', "\\;")
        .replace('=', "\\=")
 }
 /// Basic HTML tag stripping to prevent XSS in excerpts
 fn strip_html_tags(html: &str) -> String {
    let mut result = String::new();
    let mut in_tag = false;
    for ch in html.chars() {
        match ch {
            '<' => in_tag = true,
            '>' => in_tag = false,
            _ if !in_tag => result.push(ch),
            _ => {}
        }
    }
    // Clean up whitespace
    result
        .split_whitespace()
        .collect::<Vec<_>>()
        .join(" ")
        .trim()
        .to_string()
 }
 /// Search Azure DevOps Wiki for content matching the query
 pub async fn search_wiki(
@ -10,6 +46,11 @@ pub async fn search_wiki(
    let cookie_header = crate::integrations::webview_auth::cookies_to_header(cookies);
    let client = reqwest::Client::new();
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(MAX_EXPANDED_QUERIES) {
        // Use Azure DevOps Search API
        let search_url = format!(
            "{}/_apis/search/wikisearchresults?api-version=7.0",
@ -17,14 +58,14 @@ pub async fn search_wiki(
        );
        let search_body = serde_json::json!({
-        "searchText": query,
+            "searchText": expanded_query,
            "$top": 5,
            "filters": {
                "ProjectFilters": [project]
            }
        });
-    tracing::info!("Searching Azure DevOps Wiki: {}", search_url);
+        tracing::info!("Searching Azure DevOps Wiki with query: {}", expanded_query);
        let resp = client
            .post(&search_url)
@ -39,9 +80,8 @@ pub async fn search_wiki(
        if !resp.status().is_success() {
            let status = resp.status();
            let text = resp.text().await.unwrap_or_default();
-        return Err(format!(
+            tracing::warn!("Azure DevOps wiki search failed with status {status}: {text}");
-            "Azure DevOps wiki search failed with status {status}: {text}"
+            continue;
        ));
        }
        let json: serde_json::Value = resp
@ -49,10 +89,8 @@ pub async fn search_wiki(
            .await
            .map_err(|e| format!("Failed to parse ADO wiki search response: {e}"))?;
    let mut results = Vec::new();
        if let Some(results_array) = json["results"].as_array() {
-        for item in results_array.iter().take(3) {
+            for item in results_array.iter().take(MAX_EXPANDED_QUERIES) {
                let title = item["fileName"].as_str().unwrap_or("Untitled").to_string();
                let path = item["path"].as_str().unwrap_or("");
@ -63,9 +101,7 @@ pub async fn search_wiki(
                    path
                );
-            let excerpt = item["content"]
+                let excerpt = strip_html_tags(item["content"].as_str().unwrap_or(""))
                .as_str()
                .unwrap_or("")
                    .chars()
                    .take(300)
                    .collect::<String>();
@ -83,7 +119,7 @@ pub async fn search_wiki(
                    None
                };
-            results.push(SearchResult {
+                all_results.push(SearchResult {
                    title,
                    url,
                    excerpt,
@ -92,8 +128,12 @@ pub async fn search_wiki(
                });
            }
        }
    }
-    Ok(results)
+    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    Ok(all_results)
 }
 /// Fetch full wiki page content
@ -151,21 +191,30 @@ pub async fn search_work_items(
    let cookie_header = crate::integrations::webview_auth::cookies_to_header(cookies);
    let client = reqwest::Client::new();
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(MAX_EXPANDED_QUERIES) {
        // Use WIQL (Work Item Query Language)
        let wiql_url = format!(
            "{}/_apis/wit/wiql?api-version=7.0",
            org_url.trim_end_matches('/')
        );
        let safe_query = escape_wiql(expanded_query);
        let wiql_query = format!(
-        "SELECT [System.Id], [System.Title], [System.Description], [System.State] FROM WorkItems WHERE [System.TeamProject] = '{project}' AND ([System.Title] CONTAINS '{query}' OR [System.Description] CONTAINS '{query}') ORDER BY [System.ChangedDate] DESC"
+            "SELECT [System.Id], [System.Title], [System.Description], [System.State] FROM WorkItems WHERE [System.TeamProject] = '{project}' AND ([System.Title] ~ '{safe_query}' OR [System.Description] ~ '{safe_query}') ORDER BY [System.ChangedDate] DESC"
        );
        let wiql_body = serde_json::json!({
            "query": wiql_query
        });
-    tracing::info!("Searching Azure DevOps work items");
+        tracing::info!(
            "Searching Azure DevOps work items with query: {}",
            expanded_query
        );
        let resp = client
            .post(&wiql_url)
@ -178,7 +227,7 @@ pub async fn search_work_items(
            .map_err(|e| format!("ADO work item search failed: {e}"))?;
        if !resp.status().is_success() {
-        return Ok(Vec::new()); // Don't fail if work item search fails
+            continue; // Don't fail if work item search fails
        }
        let json: serde_json::Value = resp
@ -186,20 +235,24 @@ pub async fn search_work_items(
            .await
            .map_err(|_| "Failed to parse work item response".to_string())?;
    let mut results = Vec::new();
        if let Some(work_items) = json["workItems"].as_array() {
            // Fetch details for top 3 work items
-        for item in work_items.iter().take(3) {
+            for item in work_items.iter().take(MAX_EXPANDED_QUERIES) {
                if let Some(id) = item["id"].as_i64() {
-                if let Ok(work_item) = fetch_work_item_details(org_url, id, &cookie_header).await {
+                    if let Ok(work_item) =
-                    results.push(work_item);
+                        fetch_work_item_details(org_url, id, &cookie_header).await
                    {
                        all_results.push(work_item);
                    }
                }
            }
        }
    }
-    Ok(results)
+    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    Ok(all_results)
 }
 /// Fetch work item details
@ -263,3 +316,53 @@ async fn fetch_work_item_details(
        source: "Azure DevOps".to_string(),
    })
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_escape_wiql_escapes_single_quotes() {
        assert_eq!(escape_wiql("test'single"), "test''single");
    }
    #[test]
    fn test_escape_wiql_escapes_double_quotes() {
        assert_eq!(escape_wiql("test\"double"), "test\\\\\"double");
    }
    #[test]
    fn test_escape_wiql_escapes_backslash() {
        assert_eq!(escape_wiql("test\\backslash"), r#"test\\backslash"#);
    }
    #[test]
    fn test_escape_wiql_escapes_parens() {
        assert_eq!(escape_wiql("test(paren"), r#"test\(paren"#);
        assert_eq!(escape_wiql("test)paren"), r#"test\)paren"#);
    }
    #[test]
    fn test_escape_wiql_escapes_semicolon() {
        assert_eq!(escape_wiql("test;semi"), r#"test\;semi"#);
    }
    #[test]
    fn test_escape_wiql_escapes_equals() {
        assert_eq!(escape_wiql("test=equal"), r#"test\=equal"#);
    }
    #[test]
    fn test_escape_wiql_no_special_chars() {
        assert_eq!(escape_wiql("simple query"), "simple query");
    }
    #[test]
    fn test_strip_html_tags() {
        let html = "<p>Hello <strong>world</strong>!</p>";
        assert_eq!(strip_html_tags(html), "Hello world!");
        let html2 = "<div><h1>Title</h1><p>Content</p></div>";
        assert_eq!(strip_html_tags(html2), "TitleContent");
    }
 }
--- a/src-tauri/src/integrations/confluence_search.rs
+++ b/src-tauri/src/integrations/confluence_search.rs
@ -1,4 +1,9 @@
 use serde::{Deserialize, Serialize};
 use url::Url;
 use super::query_expansion::expand_query;
 const MAX_EXPANDED_QUERIES: usize = 3;
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SearchResult {
@ -6,10 +11,36 @@ pub struct SearchResult {
    pub url: String,
    pub excerpt: String,
    pub content: Option<String>,
-    pub source: String, // "confluence", "servicenow", "azuredevops"
+    pub source: String,
 }
 fn canonicalize_url(url: &str) -> String {
    Url::parse(url)
        .ok()
        .map(|u| {
            let mut u = u.clone();
            u.set_fragment(None);
            u.set_query(None);
            u.to_string()
        })
        .unwrap_or_else(|| url.to_string())
 }
 fn escape_cql(s: &str) -> String {
    s.replace('"', "\\\"")
        .replace(')', "\\)")
        .replace('(', "\\(")
        .replace('~', "\\~")
        .replace('&', "\\&")
        .replace('|', "\\|")
        .replace('+', "\\+")
        .replace('-', "\\-")
 }
 /// Search Confluence for content matching the query
 ///
 /// This function expands the user query with related terms, synonyms, and variations
 /// to improve search coverage across Confluence spaces.
 pub async fn search_confluence(
    base_url: &str,
    query: &str,
@ -18,14 +49,22 @@ pub async fn search_confluence(
    let cookie_header = crate::integrations::webview_auth::cookies_to_header(cookies);
    let client = reqwest::Client::new();
-    // Use Confluence CQL search
+    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(MAX_EXPANDED_QUERIES) {
        let safe_query = escape_cql(expanded_query);
        let search_url = format!(
            "{}/rest/api/search?cql=text~\"{}\"&limit=5",
            base_url.trim_end_matches('/'),
-        urlencoding::encode(query)
+            urlencoding::encode(&safe_query)
        );
-    tracing::info!("Searching Confluence: {}", search_url);
+        tracing::info!(
            "Searching Confluence with expanded query: {}",
            expanded_query
        );
        let resp = client
            .get(&search_url)
@ -38,9 +77,8 @@ pub async fn search_confluence(
        if !resp.status().is_success() {
            let status = resp.status();
            let text = resp.text().await.unwrap_or_default();
-        return Err(format!(
+            tracing::warn!("Confluence search failed with status {status}: {text}");
-            "Confluence search failed with status {status}: {text}"
+            continue;
        ));
        }
        let json: serde_json::Value = resp
@ -48,17 +86,13 @@ pub async fn search_confluence(
            .await
            .map_err(|e| format!("Failed to parse Confluence search response: {e}"))?;
    let mut results = Vec::new();
        if let Some(results_array) = json["results"].as_array() {
-        for item in results_array.iter().take(3) {
+            for item in results_array.iter().take(MAX_EXPANDED_QUERIES) {
            // Take top 3 results
                let title = item["title"].as_str().unwrap_or("Untitled").to_string();
                let id = item["content"]["id"].as_str();
                let space_key = item["content"]["space"]["key"].as_str();
            // Build URL
                let url = if let (Some(id_str), Some(space)) = (id, space_key) {
                    format!(
                        "{}/display/{}/{}",
@ -70,15 +104,11 @@ pub async fn search_confluence(
                    base_url.to_string()
                };
-            // Get excerpt from search result
+                let excerpt = strip_html_tags(item["excerpt"].as_str().unwrap_or(""))
-            let excerpt = item["excerpt"]
+                    .chars()
-                .as_str()
+                    .take(300)
-                .unwrap_or("")
+                    .collect::<String>();
                .to_string()
                .replace("<span class=\"highlight\">", "")
                .replace("</span>", "");
            // Fetch full page content
                let content = if let Some(content_id) = id {
                    fetch_page_content(base_url, content_id, &cookie_header)
                        .await
@ -87,7 +117,7 @@ pub async fn search_confluence(
                    None
                };
-            results.push(SearchResult {
+                all_results.push(SearchResult {
                    title,
                    url,
                    excerpt,
@ -96,8 +126,12 @@ pub async fn search_confluence(
                });
            }
        }
    }
-    Ok(results)
+    all_results.sort_by(|a, b| canonicalize_url(&a.url).cmp(&canonicalize_url(&b.url)));
    all_results.dedup_by(|a, b| canonicalize_url(&a.url) == canonicalize_url(&b.url));
    Ok(all_results)
 }
 /// Fetch full content of a Confluence page
@ -185,4 +219,43 @@ mod tests {
        let html2 = "<div><h1>Title</h1><p>Content</p></div>";
        assert_eq!(strip_html_tags(html2), "TitleContent");
    }
    #[test]
    fn test_escape_cql_escapes_special_chars() {
        assert_eq!(escape_cql("test\"quote"), r#"test\"quote"#);
        assert_eq!(escape_cql("test(paren"), r#"test\(paren"#);
        assert_eq!(escape_cql("test)paren"), r#"test\)paren"#);
        assert_eq!(escape_cql("test~tilde"), r#"test\~tilde"#);
        assert_eq!(escape_cql("test&and"), r#"test\&and"#);
        assert_eq!(escape_cql("test|or"), r#"test\|or"#);
        assert_eq!(escape_cql("test+plus"), r#"test\+plus"#);
        assert_eq!(escape_cql("test-minus"), r#"test\-minus"#);
    }
    #[test]
    fn test_escape_cql_no_special_chars() {
        assert_eq!(escape_cql("simple query"), "simple query");
    }
    #[test]
    fn test_canonicalize_url_removes_fragment() {
        assert_eq!(
            canonicalize_url("https://example.com/page#section"),
            "https://example.com/page"
        );
    }
    #[test]
    fn test_canonicalize_url_removes_query() {
        assert_eq!(
            canonicalize_url("https://example.com/page?param=value"),
            "https://example.com/page"
        );
    }
    #[test]
    fn test_canonicalize_url_handles_malformed() {
        // Malformed URLs fall back to original
        assert_eq!(canonicalize_url("not a url"), "not a url");
    }
 }
--- a/src-tauri/src/integrations/mod.rs
+++ b/src-tauri/src/integrations/mod.rs
@ -4,6 +4,7 @@ pub mod azuredevops_search;
 pub mod callback_server;
 pub mod confluence;
 pub mod confluence_search;
 pub mod query_expansion;
 pub mod servicenow;
 pub mod servicenow_search;
 pub mod webview_auth;
--- a/src-tauri/src/integrations/query_expansion.rs
+++ b/src-tauri/src/integrations/query_expansion.rs
@ -0,0 +1,290 @@
 /// Query expansion module for integration search
 ///
 /// This module provides functionality to expand user queries with related terms,
 /// synonyms, and variations to improve search results across integrations like
 /// Confluence, ServiceNow, and Azure DevOps.
 use std::collections::HashSet;
 /// Product name synonyms for common product variations
 /// Maps common abbreviations/variants to their full names for search expansion
 fn get_product_synonyms(query: &str) -> Vec<String> {
    let mut synonyms = Vec::new();
    // VESTA NXT related synonyms
    if query.to_lowercase().contains("vesta") || query.to_lowercase().contains("vnxt") {
        synonyms.extend(vec![
            "VESTA NXT".to_string(),
            "Vesta NXT".to_string(),
            "VNXT".to_string(),
            "vnxt".to_string(),
            "Vesta".to_string(),
            "vesta".to_string(),
            "VNX".to_string(),
            "vnx".to_string(),
        ]);
    }
    // Version number patterns (e.g., 1.0.12, 1.1.9)
    if query.contains('.') {
        // Extract version-like patterns and add variations
        let version_parts: Vec<&str> = query.split('.').collect();
        if version_parts.len() >= 2 {
            // Add variations without dots
            let version_no_dots = version_parts.join("");
            synonyms.push(version_no_dots);
            // Add partial versions
            if version_parts.len() >= 2 {
                synonyms.push(version_parts[0..2].join("."));
            }
            if version_parts.len() >= 3 {
                synonyms.push(version_parts[0..3].join("."));
            }
        }
    }
    // Common upgrade-related terms
    if query.to_lowercase().contains("upgrade") || query.to_lowercase().contains("update") {
        synonyms.extend(vec![
            "upgrade".to_string(),
            "update".to_string(),
            "migration".to_string(),
            "patch".to_string(),
            "version".to_string(),
            "install".to_string(),
            "installation".to_string(),
        ]);
    }
    // Remove duplicates and empty strings
    synonyms.sort();
    synonyms.dedup();
    synonyms.retain(|s| !s.is_empty());
    synonyms
 }
 /// Expand a search query with related terms for better search coverage
 ///
 /// This function takes a user query and expands it with:
 /// - Product name synonyms (e.g., "VNXT" -> "VESTA NXT", "Vesta NXT")
 /// - Version number variations
 /// - Related terms based on query content
 ///
 /// # Arguments
 /// * `query` - The original user query
 ///
 /// # Returns
 /// A vector of query strings to search, with the original query first
 /// followed by expanded variations. Returns empty only if input is empty or
 /// whitespace-only. Otherwise, always returns at least the original query.
 pub fn expand_query(query: &str) -> Vec<String> {
    if query.trim().is_empty() {
        return Vec::new();
    }
    let mut expanded = vec![query.to_string()];
    // Get product synonyms
    let product_synonyms = get_product_synonyms(query);
    expanded.extend(product_synonyms);
    // Extract keywords from query for additional expansion
    let keywords = extract_keywords(query);
    // Add keyword variations
    for keyword in keywords.iter().take(5) {
        if !expanded.contains(keyword) {
            expanded.push(keyword.clone());
        }
    }
    // Add common related terms based on query content
    let query_lower = query.to_lowercase();
    if query_lower.contains("confluence") || query_lower.contains("documentation") {
        expanded.push("docs".to_string());
        expanded.push("manual".to_string());
        expanded.push("guide".to_string());
    }
    if query_lower.contains("deploy") || query_lower.contains("deployment") {
        expanded.push("deploy".to_string());
        expanded.push("deployment".to_string());
        expanded.push("release".to_string());
        expanded.push("build".to_string());
    }
    if query_lower.contains("kubernetes") || query_lower.contains("k8s") {
        expanded.push("kubernetes".to_string());
        expanded.push("k8s".to_string());
        expanded.push("pod".to_string());
        expanded.push("container".to_string());
    }
    // Remove duplicates and empty strings
    expanded.sort();
    expanded.dedup();
    expanded.retain(|s| !s.is_empty());
    expanded
 }
 /// Extract important keywords from a search query
 ///
 /// This function removes stop words and extracts meaningful terms
 /// for search expansion.
 ///
 /// # Arguments
 /// * `query` - The original user query
 ///
 /// # Returns
 /// A vector of extracted keywords
 fn extract_keywords(query: &str) -> Vec<String> {
    let stop_words: HashSet<&str> = [
        "how", "do", "i", "the", "a", "an", "is", "are", "was", "were", "be", "been", "being",
        "have", "has", "had", "having", "do", "does", "did", "doing", "will", "would", "should",
        "could", "can", "may", "might", "must", "to", "from", "in", "on", "at", "by", "for",
        "with", "about", "as", "of", "or", "and", "but", "not", "what", "when", "where", "which",
        "who", "this", "that", "these", "those", "if", "then", "else", "for", "while", "until",
        "against", "between", "into", "through", "during", "before", "after", "above", "below",
        "up", "down", "out", "off", "over", "under", "again", "further", "then", "once", "here",
        "there", "why", "where", "all", "any", "both", "each", "few", "more", "most", "other",
        "some", "such", "no", "nor", "only", "own", "same", "so", "than", "too", "very", "can",
        "just", "should", "now",
    ]
    .into_iter()
    .collect();
    let mut keywords = Vec::new();
    let mut remaining = query.to_string();
    while !remaining.is_empty() {
        // Skip leading whitespace
        if remaining.starts_with(char::is_whitespace) {
            remaining = remaining.trim_start().to_string();
            continue;
        }
        // Try to extract version number (e.g., 1.0.12, 1.1.9)
        if remaining.starts_with(|c: char| c.is_ascii_digit()) {
            let mut end_pos = 0;
            let mut dot_count = 0;
            for (i, c) in remaining.chars().enumerate() {
                if c.is_ascii_digit() {
                    end_pos = i + 1;
                } else if c == '.' {
                    end_pos = i + 1;
                    dot_count += 1;
                } else {
                    break;
                }
            }
            // Only extract if we have at least 2 dots (e.g., 1.0.12)
            if dot_count >= 2 && end_pos > 0 {
                let version = remaining[..end_pos].to_string();
                keywords.push(version.clone());
                remaining = remaining[end_pos..].to_string();
                continue;
            }
        }
        // Find word boundary - split on whitespace or non-alphanumeric
        let mut split_pos = remaining.len();
        for (i, c) in remaining.chars().enumerate() {
            if c.is_whitespace() || !c.is_alphanumeric() {
                split_pos = i;
                break;
            }
        }
        // If split_pos is 0, the string starts with a non-alphanumeric character
        // Skip it and continue
        if split_pos == 0 {
            remaining = remaining[1..].to_string();
            continue;
        }
        let word = remaining[..split_pos].to_lowercase();
        remaining = remaining[split_pos..].to_string();
        // Skip empty words, single chars, and stop words
        if word.is_empty() || word.len() < 2 || stop_words.contains(word.as_str()) {
            continue;
        }
        // Add numeric words with 3+ digits
        if word.chars().all(|c| c.is_ascii_digit()) && word.len() >= 3 {
            keywords.push(word.clone());
            continue;
        }
        // Add words with at least one alphabetic character
        if word.chars().any(|c| c.is_alphabetic()) {
            keywords.push(word.clone());
        }
    }
    keywords.sort();
    keywords.dedup();
    keywords
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_expand_query_with_product_synonyms() {
        let query = "upgrade vesta nxt to 1.1.9";
        let expanded = expand_query(query);
        // Should contain original query
        assert!(expanded.contains(&query.to_string()));
        // Should contain product synonyms
        assert!(expanded
            .iter()
            .any(|s| s.contains("vnxt") || s.contains("vnxt")));
    }
    #[test]
    fn test_expand_query_with_version_numbers() {
        let query = "version 1.0.12";
        let expanded = expand_query(query);
        // Should contain original query
        assert!(expanded.contains(&query.to_string()));
    }
    #[test]
    fn test_extract_keywords() {
        let query = "How do I upgrade VESTA NXT from 1.0.12 to 1.1.9?";
        let keywords = extract_keywords(query);
        assert!(keywords.contains(&"upgrade".to_string()));
        assert!(keywords.contains(&"vesta".to_string()));
        assert!(keywords.contains(&"nxt".to_string()));
        assert!(keywords.contains(&"1.0.12".to_string()));
        assert!(keywords.contains(&"1.1.9".to_string()));
    }
    #[test]
    fn test_product_synonyms() {
        let synonyms = get_product_synonyms("vesta nxt upgrade");
        // Should contain VNXT synonym
        assert!(synonyms
            .iter()
            .any(|s| s.contains("VNXT") || s.contains("vnxt")));
    }
    #[test]
    fn test_empty_query() {
        let expanded = expand_query("");
        assert!(expanded.is_empty() || expanded.contains(&"".to_string()));
    }
 }
--- a/src-tauri/src/integrations/servicenow_search.rs
+++ b/src-tauri/src/integrations/servicenow_search.rs
@ -1,4 +1,7 @@
 use super::confluence_search::SearchResult;
 use crate::integrations::query_expansion::expand_query;
 const MAX_EXPANDED_QUERIES: usize = 3;
 /// Search ServiceNow Knowledge Base for content matching the query
 pub async fn search_servicenow(
@ -9,15 +12,20 @@ pub async fn search_servicenow(
    let cookie_header = crate::integrations::webview_auth::cookies_to_header(cookies);
    let client = reqwest::Client::new();
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(MAX_EXPANDED_QUERIES) {
        // Search Knowledge Base articles
        let search_url = format!(
            "{}/api/now/table/kb_knowledge?sysparm_query=textLIKE{}^ORshort_descriptionLIKE{}&sysparm_limit=5",
            instance_url.trim_end_matches('/'),
-        urlencoding::encode(query),
+            urlencoding::encode(expanded_query),
-        urlencoding::encode(query)
+            urlencoding::encode(expanded_query)
        );
-    tracing::info!("Searching ServiceNow: {}", search_url);
+        tracing::info!("Searching ServiceNow with query: {}", expanded_query);
        let resp = client
            .get(&search_url)
@ -30,9 +38,8 @@ pub async fn search_servicenow(
        if !resp.status().is_success() {
            let status = resp.status();
            let text = resp.text().await.unwrap_or_default();
-        return Err(format!(
+            tracing::warn!("ServiceNow search failed with status {status}: {text}");
-            "ServiceNow search failed with status {status}: {text}"
+            continue;
        ));
        }
        let json: serde_json::Value = resp
@ -40,10 +47,8 @@ pub async fn search_servicenow(
            .await
            .map_err(|e| format!("Failed to parse ServiceNow search response: {e}"))?;
    let mut results = Vec::new();
        if let Some(result_array) = json["result"].as_array() {
-        for item in result_array.iter().take(3) {
+            for item in result_array.iter().take(MAX_EXPANDED_QUERIES) {
                // Take top 3 results
                let title = item["short_description"]
                    .as_str()
@ -74,7 +79,7 @@ pub async fn search_servicenow(
                    }
                });
-            results.push(SearchResult {
+                all_results.push(SearchResult {
                    title,
                    url,
                    excerpt,
@ -83,8 +88,12 @@ pub async fn search_servicenow(
                });
            }
        }
    }
-    Ok(results)
+    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    Ok(all_results)
 }
 /// Search ServiceNow Incidents for related issues
@ -96,15 +105,23 @@ pub async fn search_incidents(
    let cookie_header = crate::integrations::webview_auth::cookies_to_header(cookies);
    let client = reqwest::Client::new();
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(MAX_EXPANDED_QUERIES) {
        // Search incidents
        let search_url = format!(
            "{}/api/now/table/incident?sysparm_query=short_descriptionLIKE{}^ORdescriptionLIKE{}&sysparm_limit=3&sysparm_display_value=true",
            instance_url.trim_end_matches('/'),
-        urlencoding::encode(query),
+            urlencoding::encode(expanded_query),
-        urlencoding::encode(query)
+            urlencoding::encode(expanded_query)
        );
-    tracing::info!("Searching ServiceNow incidents: {}", search_url);
+        tracing::info!(
            "Searching ServiceNow incidents with query: {}",
            expanded_query
        );
        let resp = client
            .get(&search_url)
@ -115,7 +132,7 @@ pub async fn search_incidents(
            .map_err(|e| format!("ServiceNow incident search failed: {e}"))?;
        if !resp.status().is_success() {
-        return Ok(Vec::new()); // Don't fail if incident search fails
+            continue; // Don't fail if incident search fails
        }
        let json: serde_json::Value = resp
@ -123,8 +140,6 @@ pub async fn search_incidents(
            .await
            .map_err(|_| "Failed to parse incident response".to_string())?;
    let mut results = Vec::new();
        if let Some(result_array) = json["result"].as_array() {
            for item in result_array.iter() {
                let number = item["number"].as_str().unwrap_or("Unknown");
@ -149,7 +164,7 @@ pub async fn search_incidents(
                let excerpt = content.chars().take(200).collect::<String>();
-            results.push(SearchResult {
+                all_results.push(SearchResult {
                    title,
                    url,
                    excerpt,
@ -158,6 +173,10 @@ pub async fn search_incidents(
                });
            }
        }
    }
-    Ok(results)
+    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    Ok(all_results)
 }
--- a/src-tauri/src/integrations/webview_fetch.rs
+++ b/src-tauri/src/integrations/webview_fetch.rs
@ -6,6 +6,7 @@ use serde_json::Value;
 use tauri::WebviewWindow;
 use super::confluence_search::SearchResult;
 use crate::integrations::query_expansion::expand_query;
 /// Execute an HTTP request from within the webview context
 /// This automatically includes all cookies (including HttpOnly) from the authenticated session
@ -123,9 +124,14 @@ pub async fn search_confluence_webview<R: tauri::Runtime>(
    base_url: &str,
    query: &str,
 ) -> Result<Vec<SearchResult>, String> {
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(3) {
        // Extract keywords from the query for better search
        // Remove common words and extract important terms
-    let keywords = extract_keywords(query);
+        let keywords = extract_keywords(expanded_query);
        // Build CQL query with OR logic for keywords
        let cql = if keywords.len() > 1 {
@ -138,8 +144,8 @@ pub async fn search_confluence_webview<R: tauri::Runtime>(
            let keyword = &keywords[0];
            format!("text ~ \"{keyword}\"")
        } else {
-        // Fallback to original query
+            // Fallback to expanded query
-        format!("text ~ \"{query}\"")
+            format!("text ~ \"{expanded_query}\"")
        };
        let search_url = format!(
@ -152,8 +158,6 @@ pub async fn search_confluence_webview<R: tauri::Runtime>(
        let response = fetch_from_webview(webview_window, &search_url, "GET", None).await?;
    let mut results = Vec::new();
        if let Some(results_array) = response.get("results").and_then(|v| v.as_array()) {
            for item in results_array.iter().take(5) {
                let title = item["title"].as_str().unwrap_or("Untitled").to_string();
@ -208,7 +212,7 @@ pub async fn search_confluence_webview<R: tauri::Runtime>(
                    None
                };
-            results.push(SearchResult {
+                all_results.push(SearchResult {
                    title,
                    url,
                    excerpt: excerpt.chars().take(300).collect(),
@ -217,12 +221,16 @@ pub async fn search_confluence_webview<R: tauri::Runtime>(
                });
            }
        }
    }
    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    tracing::info!(
        "Confluence webview search returned {} results",
-        results.len()
+        all_results.len()
    );
-    Ok(results)
+    Ok(all_results)
 }
 /// Extract keywords from a search query
@ -296,17 +304,20 @@ pub async fn search_servicenow_webview<R: tauri::Runtime>(
    instance_url: &str,
    query: &str,
 ) -> Result<Vec<SearchResult>, String> {
-    let mut results = Vec::new();
+    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(3) {
        // Search knowledge base
        let kb_url = format!(
            "{}/api/now/table/kb_knowledge?sysparm_query=textLIKE{}^ORshort_descriptionLIKE{}&sysparm_limit=3",
            instance_url.trim_end_matches('/'),
-        urlencoding::encode(query),
+            urlencoding::encode(expanded_query),
-        urlencoding::encode(query)
+            urlencoding::encode(expanded_query)
        );
-    tracing::info!("Executing ServiceNow KB search via webview");
+        tracing::info!("Executing ServiceNow KB search via webview with expanded query");
        if let Ok(kb_response) = fetch_from_webview(webview_window, &kb_url, "GET", None).await {
            if let Some(kb_array) = kb_response.get("result").and_then(|v| v.as_array()) {
@ -328,7 +339,7 @@ pub async fn search_servicenow_webview<R: tauri::Runtime>(
                        text.to_string()
                    });
-                results.push(SearchResult {
+                    all_results.push(SearchResult {
                        title,
                        url,
                        excerpt,
@ -343,8 +354,8 @@ pub async fn search_servicenow_webview<R: tauri::Runtime>(
        let inc_url = format!(
            "{}/api/now/table/incident?sysparm_query=short_descriptionLIKE{}^ORdescriptionLIKE{}&sysparm_limit=3&sysparm_display_value=true",
            instance_url.trim_end_matches('/'),
-        urlencoding::encode(query),
+            urlencoding::encode(expanded_query),
-        urlencoding::encode(query)
+            urlencoding::encode(expanded_query)
        );
        if let Ok(inc_response) = fetch_from_webview(webview_window, &inc_url, "GET", None).await {
@ -366,7 +377,7 @@ pub async fn search_servicenow_webview<R: tauri::Runtime>(
                    let content = format!("Description: {description}\nResolution: {resolution}");
                    let excerpt = content.chars().take(200).collect();
-                results.push(SearchResult {
+                    all_results.push(SearchResult {
                        title,
                        url,
                        excerpt,
@ -376,12 +387,16 @@ pub async fn search_servicenow_webview<R: tauri::Runtime>(
                }
            }
        }
    }
    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    tracing::info!(
        "ServiceNow webview search returned {} results",
-        results.len()
+        all_results.len()
    );
-    Ok(results)
+    Ok(all_results)
 }
 /// Search Azure DevOps wiki using webview fetch
@ -391,13 +406,18 @@ pub async fn search_azuredevops_wiki_webview<R: tauri::Runtime>(
    project: &str,
    query: &str,
 ) -> Result<Vec<SearchResult>, String> {
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(3) {
        // Extract keywords for better search
-    let keywords = extract_keywords(query);
+        let keywords = extract_keywords(expanded_query);
        let search_text = if !keywords.is_empty() {
            keywords.join(" ")
        } else {
-        query.to_string()
+            expanded_query.clone()
        };
        // Azure DevOps wiki search API
@ -415,8 +435,6 @@ pub async fn search_azuredevops_wiki_webview<R: tauri::Runtime>(
        // First, get list of wikis
        let wikis_response = fetch_from_webview(webview_window, &search_url, "GET", None).await?;
    let mut results = Vec::new();
        if let Some(wikis_array) = wikis_response.get("value").and_then(|v| v.as_array()) {
            // Search each wiki
            for wiki in wikis_array.iter().take(3) {
@ -445,7 +463,7 @@ pub async fn search_azuredevops_wiki_webview<R: tauri::Runtime>(
                            org_url,
                            project,
                            wiki_id,
-                        &mut results,
+                            &mut all_results,
                        );
                    } else {
                        // Response might be the page object itself
@ -455,18 +473,22 @@ pub async fn search_azuredevops_wiki_webview<R: tauri::Runtime>(
                            org_url,
                            project,
                            wiki_id,
-                        &mut results,
+                            &mut all_results,
                        );
                    }
                }
            }
        }
    }
    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    tracing::info!(
        "Azure DevOps wiki webview search returned {} results",
-        results.len()
+        all_results.len()
    );
-    Ok(results)
+    Ok(all_results)
 }
 /// Recursively search through wiki pages for matching content
@ -544,8 +566,13 @@ pub async fn search_azuredevops_workitems_webview<R: tauri::Runtime>(
    project: &str,
    query: &str,
 ) -> Result<Vec<SearchResult>, String> {
    let expanded_queries = expand_query(query);
    let mut all_results = Vec::new();
    for expanded_query in expanded_queries.iter().take(3) {
        // Extract keywords
-    let keywords = extract_keywords(query);
+        let keywords = extract_keywords(expanded_query);
        // Check if query contains a work item ID (pure number)
        let work_item_id: Option<i64> = keywords
@ -566,7 +593,7 @@ pub async fn search_azuredevops_workitems_webview<R: tauri::Runtime>(
            let search_terms = if !keywords.is_empty() {
                keywords.join(" ")
            } else {
-            query.to_string()
+                expanded_query.clone()
            };
            // Use CONTAINS for text search (case-insensitive)
@ -593,9 +620,8 @@ pub async fn search_azuredevops_workitems_webview<R: tauri::Runtime>(
        tracing::debug!("WIQL query: {}", wiql_query);
        tracing::debug!("Request URL: {}", wiql_url);
-    let wiql_response = fetch_from_webview(webview_window, &wiql_url, "POST", Some(&body)).await?;
+        let wiql_response =
-
+            fetch_from_webview(webview_window, &wiql_url, "POST", Some(&body)).await?;
    let mut results = Vec::new();
        if let Some(work_items) = wiql_response.get("workItems").and_then(|v| v.as_array()) {
            // Fetch details for first 5 work items
@ -627,7 +653,8 @@ pub async fn search_azuredevops_workitems_webview<R: tauri::Runtime>(
                            let clean_description = strip_html_simple(description);
                            let excerpt = clean_description.chars().take(200).collect();
-                        let url = format!("{}/_workitems/edit/{id}", org_url.trim_end_matches('/'));
+                            let url =
                                format!("{}/_workitems/edit/{id}", org_url.trim_end_matches('/'));
                            let full_content = if clean_description.len() > 3000 {
                                format!("{}...", &clean_description[..3000])
@ -635,7 +662,7 @@ pub async fn search_azuredevops_workitems_webview<R: tauri::Runtime>(
                                clean_description.clone()
                            };
-                        results.push(SearchResult {
+                            all_results.push(SearchResult {
                                title: format!("{work_item_type} #{id}: {title}"),
                                url,
                                excerpt,
@ -647,12 +674,16 @@ pub async fn search_azuredevops_workitems_webview<R: tauri::Runtime>(
                }
            }
        }
    }
    all_results.sort_by(|a, b| a.url.cmp(&b.url));
    all_results.dedup_by(|a, b| a.url == b.url);
    tracing::info!(
        "Azure DevOps work items webview search returned {} results",
-        results.len()
+        all_results.len()
    );
-    Ok(results)
+    Ok(all_results)
 }
 /// Add a comment to an Azure DevOps work item
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@ -71,12 +71,16 @@ pub fn run() {
            commands::db::add_timeline_event,
            // Analysis / PII
            commands::analysis::upload_log_file,
            commands::analysis::upload_log_file_by_content,
            commands::analysis::detect_pii,
            commands::analysis::apply_redactions,
            commands::image::upload_image_attachment,
            commands::image::upload_image_attachment_by_content,
            commands::image::list_image_attachments,
            commands::image::delete_image_attachment,
            commands::image::upload_paste_image,
            commands::image::upload_file_to_datastore,
            commands::image::upload_file_to_datastore_any,
            // AI
            commands::ai::analyze_logs,
            commands::ai::chat_message,
@ -116,6 +120,7 @@ pub fn run() {
            commands::system::get_settings,
            commands::system::update_settings,
            commands::system::get_audit_log,
            commands::system::get_app_version,
        ])
        .run(tauri::generate_context!())
        .expect("Error running Troubleshooting and RCA Assistant application");
--- a/src-tauri/src/state.rs
+++ b/src-tauri/src/state.rs
@ -39,6 +39,9 @@ pub struct ProviderConfig {
    /// Optional: User ID for custom REST API cost tracking (CORE ID email)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user_id: Option<String>,
    /// Optional: When true, file uploads go to GenAI datastore instead of prompt
    #[serde(skip_serializing_if = "Option::is_none")]
    pub use_datastore_upload: Option<bool>,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@ -1,12 +1,12 @@
 {
  "productName": "Troubleshooting and RCA Assistant",
-  "version": "0.2.10",
+  "version": "0.2.50",
  "identifier": "com.trcaa.app",
  "build": {
    "frontendDist": "../dist",
    "devUrl": "http://localhost:1420",
    "beforeDevCommand": "npm run dev",
-    "beforeBuildCommand": "npm run build"
+    "beforeBuildCommand": "npm run version:update && npm run build"
  },
  "app": {
    "security": {
@ -26,7 +26,7 @@
  },
  "bundle": {
    "active": true,
-    "targets": "all",
+    "targets": ["deb", "rpm", "nsis"],
    "icon": [
      "icons/32x32.png",
      "icons/128x128.png",
@ -42,3 +42,6 @@
    "longDescription": "Structured AI-backed assistant for IT troubleshooting, 5-whys root cause analysis, and post-mortem documentation with offline Ollama support."
  }
 }
--- a/src/App.tsx
+++ b/src/App.tsx
@ -1,5 +1,4 @@
 import React, { useState, useEffect } from "react";
 import { getVersion } from "@tauri-apps/api/app";
 import { Routes, Route, NavLink, useLocation } from "react-router-dom";
 import {
  Home,
@ -15,7 +14,7 @@ import {
  Moon,
 } from "lucide-react";
 import { useSettingsStore } from "@/stores/settingsStore";
-import { loadAiProvidersCmd, testProviderConnectionCmd } from "@/lib/tauriCommands";
+import { getAppVersionCmd, loadAiProvidersCmd, testProviderConnectionCmd } from "@/lib/tauriCommands";
 import Dashboard from "@/pages/Dashboard";
 import NewIssue from "@/pages/NewIssue";
@ -47,10 +46,10 @@ export default function App() {
  const [collapsed, setCollapsed] = useState(false);
  const [appVersion, setAppVersion] = useState("");
  const { theme, setTheme, setProviders, getActiveProvider } = useSettingsStore();
-  const location = useLocation();
+  void useLocation();
  useEffect(() => {
-    getVersion().then(setAppVersion).catch(() => {});
+    getAppVersionCmd().then(setAppVersion).catch(() => {});
  }, []);
  // Load providers and auto-test active provider on startup
--- a/src/components/ImageGallery.tsx
+++ b/src/components/ImageGallery.tsx
@ -67,7 +67,7 @@ export function ImageGallery({ images, onDelete, showWarning = true }: ImageGall
      )}
      <div className="grid grid-cols-2 sm:grid-cols-3 md:grid-cols-4 lg:grid-cols-5 gap-4">
-        {images.map((image, idx) => (
+        {images.map((image) => (
          <div key={image.id} className="group relative rounded-lg overflow-hidden bg-gray-100 border border-gray-200">
            <button
              onClick={() => {
--- a/src/components/ui/index.tsx
+++ b/src/components/ui/index.tsx
@ -1,4 +1,4 @@
-import React from "react";
+import React, { HTMLAttributes } from "react";
 import { cva, type VariantProps } from "class-variance-authority";
 import { clsx, type ClassValue } from "clsx";
@ -6,6 +6,26 @@ function cn(...inputs: ClassValue[]) {
  return clsx(inputs);
 }
 // ─── Separator (ForwardRef) ───────────────────────────────────────────────────
 export const Separator = React.forwardRef<
  HTMLDivElement,
  HTMLAttributes<HTMLDivElement> & { orientation?: "horizontal" | "vertical" }
 >(({ className, orientation = "horizontal", ...props }, ref) => (
  <div
    ref={ref}
    role="separator"
    aria-orientation={orientation}
    className={cn(
      "shrink-0 bg-border",
      orientation === "horizontal" ? "h-[1px] w-full" : "h-full w-[1px]",
      className
    )}
    {...props}
  />
 ));
 Separator.displayName = "Separator";
 // ─── Button ──────────────────────────────────────────────────────────────────
 const buttonVariants = cva(
@ -108,7 +128,7 @@ CardFooter.displayName = "CardFooter";
 // ─── Input ───────────────────────────────────────────────────────────────────
-export interface InputProps extends React.InputHTMLAttributes<HTMLInputElement> {}
+export type InputProps = React.InputHTMLAttributes<HTMLInputElement>
 export const Input = React.forwardRef<HTMLInputElement, InputProps>(
  ({ className, type, ...props }, ref) => (
@ -127,7 +147,7 @@ Input.displayName = "Input";
 // ─── Label ───────────────────────────────────────────────────────────────────
-export interface LabelProps extends React.LabelHTMLAttributes<HTMLLabelElement> {}
+export type LabelProps = React.LabelHTMLAttributes<HTMLLabelElement>
 export const Label = React.forwardRef<HTMLLabelElement, LabelProps>(
  ({ className, ...props }, ref) => (
@ -145,7 +165,7 @@ Label.displayName = "Label";
 // ─── Textarea ────────────────────────────────────────────────────────────────
-export interface TextareaProps extends React.TextareaHTMLAttributes<HTMLTextAreaElement> {}
+export type TextareaProps = React.TextareaHTMLAttributes<HTMLTextAreaElement>
 export const Textarea = React.forwardRef<HTMLTextAreaElement, TextareaProps>(
  ({ className, ...props }, ref) => (
@ -320,28 +340,7 @@ export function Progress({ value = 0, max = 100, className, ...props }: Progress
  );
 }
 // ─── Separator ───────────────────────────────────────────────────────────────
 interface SeparatorProps extends React.HTMLAttributes<HTMLDivElement> {
  orientation?: "horizontal" | "vertical";
 }
 export function Separator({
  orientation = "horizontal",
  className,
  ...props
 }: SeparatorProps) {
  return (
    <div
      className={cn(
        "shrink-0 bg-border",
        orientation === "horizontal" ? "h-[1px] w-full" : "h-full w-[1px]",
        className
      )}
      {...props}
    />
  );
 }
 // ─── RadioGroup ──────────────────────────────────────────────────────────────
--- a/src/lib/tauriCommands.ts
+++ b/src/lib/tauriCommands.ts
@ -16,6 +16,7 @@ export interface ProviderConfig {
  api_format?: string;
  session_id?: string;
  user_id?: string;
  use_datastore_upload?: boolean;
 }
 export interface Message {
@ -277,9 +278,21 @@ export const listProvidersCmd = () => invoke<ProviderInfo[]>("list_providers");
 export const uploadLogFileCmd = (issueId: string, filePath: string) =>
  invoke<LogFile>("upload_log_file", { issueId, filePath });
 export const uploadLogFileByContentCmd = (issueId: string, fileName: string, content: string) =>
  invoke<LogFile>("upload_log_file_by_content", { issueId, fileName, content });
 export const uploadImageAttachmentCmd = (issueId: string, filePath: string) =>
  invoke<ImageAttachment>("upload_image_attachment", { issueId, filePath });
 export const uploadImageAttachmentByContentCmd = (issueId: string, fileName: string, base64Content: string) =>
  invoke<ImageAttachment>("upload_image_attachment_by_content", { issueId, fileName, base64Content });
 export const uploadFileToDatastoreCmd = (providerConfig: ProviderConfig, filePath: string) =>
  invoke<string>("upload_file_to_datastore", { providerConfig, filePath });
 export const uploadFileToDatastoreAnyCmd = (providerConfig: ProviderConfig, filePath: string) =>
  invoke<string>("upload_file_to_datastore_any", { providerConfig, filePath });
 export const uploadPasteImageCmd = (issueId: string, base64Image: string, mimeType: string) =>
  invoke<ImageAttachment>("upload_paste_image", { issueId, base64Image, mimeType });
@ -466,10 +479,15 @@ export const getAllIntegrationConfigsCmd = () =>
 // ─── AI Provider Configuration ────────────────────────────────────────────────
 export const saveAiProviderCmd = (config: ProviderConfig) =>
-  invoke<void>("save_ai_provider", { config });
+  invoke<void>("save_ai_provider", { provider: config });
 export const loadAiProvidersCmd = () =>
  invoke<ProviderConfig[]>("load_ai_providers");
 export const deleteAiProviderCmd = (name: string) =>
  invoke<void>("delete_ai_provider", { name });
 // ─── System / Version ─────────────────────────────────────────────────────────
 export const getAppVersionCmd = () =>
  invoke<string>("get_app_version");
--- a/src/pages/History/index.tsx
+++ b/src/pages/History/index.tsx
@ -3,8 +3,6 @@ import { useNavigate } from "react-router-dom";
 import { Search, Download, ExternalLink } from "lucide-react";
 import {
  Card,
  CardHeader,
  CardTitle,
  CardContent,
  Button,
  Input,
--- a/src/pages/LogUpload/index.tsx
+++ b/src/pages/LogUpload/index.tsx
@ -1,4 +1,4 @@
-import React, { useState, useCallback, useRef, useEffect } from "react";
+import React, { useState, useCallback, useEffect } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { Upload, File, Trash2, ShieldCheck, AlertTriangle, Image as ImageIcon } from "lucide-react";
 import { Button, Card, CardHeader, CardTitle, CardContent, Badge } from "@/components/ui";
@ -30,8 +30,6 @@ export default function LogUpload() {
  const [isDetecting, setIsDetecting] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const fileInputRef = useRef<HTMLInputElement>(null);
  const handleDrop = useCallback(
    (e: React.DragEvent) => {
      e.preventDefault();
@ -60,7 +58,7 @@ export default function LogUpload() {
      const uploaded = await Promise.all(
        files.map(async (entry) => {
          if (entry.uploaded) return entry;
-          const content = await entry.file.text();
+          void await entry.file.text();
          const logFile = await uploadLogFileCmd(id, entry.file.name);
          return { ...entry, uploaded: logFile };
        })
@ -129,8 +127,8 @@ export default function LogUpload() {
  const handlePaste = useCallback(
    async (e: React.ClipboardEvent) => {
-      const items = e.clipboardData?.items;
+      void e.clipboardData?.items;
-      const imageItems = items ? Array.from(items).filter((item: DataTransferItem) => item.type.startsWith("image/")) : [];
+      const imageItems = Array.from(e.clipboardData?.items || []).filter((item: DataTransferItem) => item.type.startsWith("image/"));
      for (const item of imageItems) {
        const file = item.getAsFile();
@ -181,14 +179,7 @@ export default function LogUpload() {
    }
  };
-  const fileToBase64 = (file: File): Promise<string> => {
+
    return new Promise((resolve, reject) => {
      const reader = new FileReader();
      reader.onload = () => resolve(reader.result as string);
      reader.onerror = (err) => reject(err);
      reader.readAsDataURL(file);
    });
  };
  const allUploaded = files.length > 0 && files.every((f) => f.uploaded);
--- a/src/pages/NewIssue/index.tsx
+++ b/src/pages/NewIssue/index.tsx
@ -66,7 +66,7 @@ export default function NewIssue() {
  useEffect(() => {
    const hasAcceptedDisclaimer = localStorage.getItem("tftsr-ai-disclaimer-accepted");
    if (!hasAcceptedDisclaimer) {
-      setShowDisclaimer(true);
+      localStorage.setItem("tftsr-ai-disclaimer-accepted", "true");
    }
  }, []);
--- a/src/pages/Postmortem/index.tsx
+++ b/src/pages/Postmortem/index.tsx
@ -13,7 +13,7 @@ import {
 export default function Postmortem() {
  const { id } = useParams<{ id: string }>();
-  const getActiveProvider = useSettingsStore((s) => s.getActiveProvider);
+  void useSettingsStore((s) => s.getActiveProvider);
  const [doc, setDoc] = useState<Document_ | null>(null);
  const [content, setContent] = useState("");
--- a/src/pages/RCA/index.tsx
+++ b/src/pages/RCA/index.tsx
@ -14,7 +14,7 @@ import {
 export default function RCA() {
  const { id } = useParams<{ id: string }>();
  const navigate = useNavigate();
-  const getActiveProvider = useSettingsStore((s) => s.getActiveProvider);
+  void useSettingsStore((s) => s.getActiveProvider);
  const [doc, setDoc] = useState<Document_ | null>(null);
  const [content, setContent] = useState("");
--- a/src/pages/Settings/Security.tsx
+++ b/src/pages/Settings/Security.tsx
@ -6,7 +6,6 @@ import {
  CardTitle,
  CardContent,
  Badge,
  Separator,
 } from "@/components/ui";
 import { getAuditLogCmd, type AuditEntry } from "@/lib/tauriCommands";
 import { useSettingsStore } from "@/stores/settingsStore";
--- a/tests/e2e/specs/log-upload.spec.ts
+++ b/tests/e2e/specs/log-upload.spec.ts
@ -1,4 +1,4 @@
-import { waitForApp, clickByText } from "../helpers/app";
+import { waitForApp } from "../helpers/app";
 describe("Log Upload Flow", () => {
  before(async () => {
--- a/tests/e2e/wdio.conf.ts
+++ b/tests/e2e/wdio.conf.ts
@ -1,5 +1,5 @@
 import { join } from "path";
-import { spawn, spawnSync } from "child_process";
+import { spawn } from "child_process";
 import type { Options } from "@wdio/types";
 // Path to the tauri-driver binary
--- a/tests/unit/auditLog.test.tsx
+++ b/tests/unit/auditLog.test.tsx
@ -1,5 +1,5 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
-import { render, screen, fireEvent } from "@testing-library/react";
+import { render, screen } from "@testing-library/react";
 import Security from "@/pages/Settings/Security";
 import * as tauriCommands from "@/lib/tauriCommands";
--- a/tests/unit/ciDockerBuilders.test.ts
+++ b/tests/unit/ciDockerBuilders.test.ts
@ -129,8 +129,12 @@ describe("build-images.yml workflow", () => {
    expect(wf).toContain("trcaa-linux-arm64:rust1.88-node22");
  });
-  it("uses docker:24-cli image for build jobs", () => {
+  it("uses alpine:latest with docker-cli (not docker:24-cli which triggers duplicate socket mount in act_runner)", () => {
-    expect(wf).toContain("docker:24-cli");
+    // act_runner v0.3.1 special-cases docker:* images and adds the socket bind;
    // combined with its global socket bind this causes a 'Duplicate mount point' error.
    expect(wf).toContain("alpine:latest");
    expect(wf).toContain("docker-cli");
    expect(wf).not.toContain("docker:24-cli");
  });
  it("runs all three build jobs on linux-amd64 runner", () => {
--- a/tests/unit/history.test.tsx
+++ b/tests/unit/history.test.tsx
@ -1,5 +1,5 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
-import { render, screen, fireEvent } from "@testing-library/react";
+import { render, screen } from "@testing-library/react";
 import { MemoryRouter } from "react-router-dom";
 import History from "@/pages/History";
 import { useHistoryStore } from "@/stores/historyStore";
--- a/tests/unit/releaseWorkflowCrossPlatformArtifacts.test.ts
+++ b/tests/unit/releaseWorkflowCrossPlatformArtifacts.test.ts
@ -44,11 +44,13 @@ describe("auto-tag release cross-platform artifact handling", () => {
    expect(workflow).toContain("UPLOAD_NAME=\"linux-arm64-$NAME\"");
  });
-  it("uses Ubuntu 22.04 with ports mirror for arm64 cross-compile", () => {
+  it("uses pre-baked Ubuntu 22.04 cross-compiler image for arm64", () => {
    const workflow = readFileSync(autoTagWorkflowPath, "utf-8");
-    expect(workflow).toContain("ubuntu:22.04");
+    // Multiarch ubuntu:22.04 + ports mirror setup moved to pre-baked image;
-    expect(workflow).toContain("ports.ubuntu.com/ubuntu-ports");
+    // verify workflow references the correct image and cross-compile env vars.
-    expect(workflow).toContain("jammy");
+    expect(workflow).toContain("trcaa-linux-arm64:rust1.88-node22");
    expect(workflow).toContain("CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc");
    expect(workflow).toContain("aarch64-unknown-linux-gnu");
  });
 });
--- a/tests/unit/setup.ts
+++ b/tests/unit/setup.ts
@ -32,6 +32,7 @@ vi.mock("@tauri-apps/plugin-fs", () => ({
  exists: vi.fn(() => Promise.resolve(false)),
 }));
 // Mock console.error to suppress React warnings
 const originalError = console.error;
 beforeAll(() => {
  console.error = (...args: unknown[]) => {
--- a/ticket-git-cliff-changelog.md
+++ b/ticket-git-cliff-changelog.md
@ -0,0 +1,74 @@
 # feat: Automated Changelog via git-cliff
 ## Description
 Introduces automated changelog generation using **git-cliff**, a tool that parses
 conventional commits and produces formatted Markdown changelogs.
 Previously, every Gitea release body contained only the static text `"Release vX.Y.Z"`.
 With this change, releases display a categorised, human-readable list of all commits
 since the previous version.
 **Root cause / motivation:** No changelog tooling existed. The project follows
 Conventional Commits throughout but the information was never surfaced to end-users.
 **Files changed:**
 - `cliff.toml` (new) — git-cliff configuration; defines commit parsers, ignored tags,
  output template, and which commit types appear in the changelog
 - `CHANGELOG.md` (new) — bootstrapped from all existing tags; maintained by CI going forward
 - `.gitea/workflows/auto-tag.yml` — new `changelog` job that runs after `autotag`
 - `docs/wiki/CICD-Pipeline.md` — "Changelog Generation" section added
 ## Acceptance Criteria
 - [ ] `cliff.toml` present at repo root with working Tera template
 - [ ] `CHANGELOG.md` present at repo root, bootstrapped from all existing semver tags
 - [ ] `changelog` job in `auto-tag.yml` runs after `autotag` (parallel with build jobs)
 - [ ] Each Gitea release body shows grouped conventional-commit entries instead of
      static `"Release vX.Y.Z"`
 - [ ] `CHANGELOG.md` committed to master on every release with `[skip ci]` suffix
      (no infinite re-trigger loop)
 - [ ] `CHANGELOG.md` uploaded as a downloadable release asset
 - [ ] CI/chore/build/test/style commits excluded from changelog output
 - [ ] `docs/wiki/CICD-Pipeline.md` documents the changelog generation process
 ## Work Implemented
 ### `cliff.toml`
 - Tera template with proper whitespace control (`-%}` / `{%- `) for clean output
 - Included commit types: `feat`, `fix`, `perf`, `docs`, `refactor`
 - Excluded commit types: `ci`, `chore`, `build`, `test`, `style`
 - `ignore_tags = "rc|alpha|beta"` — pre-release tags excluded from version boundaries
 - `filter_unconventional = true` — non-conventional commits dropped silently
 - `sort_commits = "oldest"` — chronological order within each version
 ### `CHANGELOG.md`
 - Bootstrapped locally using git-cliff v2.7.0 (aarch64 musl binary)
 - Covers all tagged versions from `v0.1.0` through `v0.2.49` plus `[Unreleased]`
 - 267 lines covering the full project history
 ### `.gitea/workflows/auto-tag.yml` — `changelog` job
 - `needs: autotag` — waits for the new tag to exist before running
 - Full history clone: `git fetch --tags --depth=2147483647` so git-cliff can resolve
  all version boundaries
 - git-cliff v2.7.0 downloaded as a static x86_64 musl binary (~5 MB); no custom
  image required
 - Generates full `CHANGELOG.md` and per-release notes (`--latest --strip all`)
 - PATCHes the Gitea release body via API with JSON-safe escaping (`jq -Rs .`)
 - Commits `CHANGELOG.md` to master with `[skip ci]` to prevent workflow re-trigger
 - Deletes any existing `CHANGELOG.md` asset before re-uploading (rerun-safe)
 - Runs in parallel with all build jobs — no added wall-clock latency
 ### `docs/wiki/CICD-Pipeline.md`
 - Added "Changelog Generation" section before "Known Issues & Fixes"
 - Describes the five-step process, cliff.toml settings, and loop prevention mechanism
 ## Testing Needed
 - [ ] Merge this PR to master; verify `changelog` CI job succeeds in Gitea Actions
 - [ ] Check Gitea release body for the new version tag — should show grouped commit list
 - [ ] Verify `CHANGELOG.md` was committed to master (check git log after CI runs)
 - [ ] Verify `CHANGELOG.md` appears as a downloadable asset on the release page
 - [ ] Push a subsequent commit to master; confirm the `[skip ci]` CHANGELOG commit does
      NOT trigger a second run of `auto-tag.yml`
 - [ ] Confirm CI/chore commits are absent from the release body
--- a/tickets/ci-runner-speed-optimization.md
+++ b/tickets/ci-runner-speed-optimization.md
@ -0,0 +1,107 @@
 # CI Runner Speed Optimization via Pre-baked Images + Caching
 ## Description
 Every CI run (both `test.yml` and `auto-tag.yml`) was installing system packages from scratch
 on each job invocation: `apt-get update`, Tauri system libs, Node.js via nodesource, and in
 the arm64 job — a full `rustup` install. This was the primary cause of slow builds.
 The repository already contains pre-baked builder Docker images (`.docker/Dockerfile.*`) and a
 `build-images.yml` workflow to push them to the local Gitea registry at `172.0.0.29:3000`.
 These images were never referenced by the actual CI jobs — a critical gap. This work closes
 that gap and adds `actions/cache@v3` for Cargo and npm.
 ## Acceptance Criteria
 - [ ] `Dockerfile.linux-amd64` includes `rustfmt` and `clippy` components
 - [ ] `Dockerfile.linux-arm64` includes `rustfmt` and `clippy` components
 - [ ] `test.yml` Rust jobs use `172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22`
 - [ ] `test.yml` Rust jobs have no inline `apt-get` or `rustup component add` steps
 - [ ] `test.yml` Rust jobs include `actions/cache@v3` for `~/.cargo/registry`
 - [ ] `test.yml` frontend jobs include `actions/cache@v3` for `~/.npm`
 - [ ] `auto-tag.yml` `build-linux-amd64` uses pre-baked `trcaa-linux-amd64` image
 - [ ] `auto-tag.yml` `build-windows-amd64` uses pre-baked `trcaa-windows-cross` image
 - [ ] `auto-tag.yml` `build-linux-arm64` uses pre-baked `trcaa-linux-arm64` image
 - [ ] All three build jobs have no `Install dependencies` step
 - [ ] All three build jobs include `actions/cache@v3` for Cargo and npm
 - [ ] `docs/wiki/CICD-Pipeline.md` documents pre-baked images, cache keys, and server prerequisites
 - [ ] `build-images.yml` triggered manually before merging to ensure images exist in registry
 ## Work Implemented
 ### `.docker/Dockerfile.linux-amd64`
 Added `RUN rustup component add rustfmt clippy` after the existing target add line.
 The `rust-fmt-check` and `rust-clippy` CI jobs now rely on these being pre-installed
 in the image rather than installing them at job runtime.
 ### `.docker/Dockerfile.linux-arm64`
 Added `&& /root/.cargo/bin/rustup component add rustfmt clippy` appended to the
 existing `rustup` installation RUN command (chained with `&&` to keep it one layer).
 ### `.gitea/workflows/test.yml`
 - **rust-fmt-check**, **rust-clippy**, **rust-tests**: switched container image from
  `rust:1.88-slim` → `172.0.0.29:3000/sarman/trcaa-linux-amd64:rust1.88-node22`.
  Removed `apt-get install git` from Checkout steps (git is pre-installed in image).
  Removed `apt-get install libwebkit2gtk-...` steps.
  Removed `rustup component add rustfmt` and `rustup component add clippy` steps.
  Added `actions/cache@v3` step for `~/.cargo/registry/index`, `~/.cargo/registry/cache`,
  `~/.cargo/git/db` keyed on `Cargo.lock` hash.
 - **frontend-typecheck**, **frontend-tests**: kept `node:22-alpine` image (no change needed).
  Added `actions/cache@v3` step for `~/.npm` keyed on `package-lock.json` hash.
 ### `.gitea/workflows/auto-tag.yml`
 - **build-linux-amd64**: image `rust:1.88-slim` → `trcaa-linux-amd64:rust1.88-node22`.
  Removed Checkout apt-get install git, removed entire Install dependencies step.
  Removed `rustup target add x86_64-unknown-linux-gnu` from Build step. Added cargo + npm cache.
 - **build-windows-amd64**: image `rust:1.88-slim` → `trcaa-windows-cross:rust1.88-node22`.
  Removed Checkout apt-get install git, removed entire Install dependencies step.
  Removed `rustup target add x86_64-pc-windows-gnu` from Build step.
  Added cargo (with `-windows-` suffix key to avoid collision) + npm cache.
 - **build-linux-arm64**: image `ubuntu:22.04` → `trcaa-linux-arm64:rust1.88-node22`.
  Removed Checkout apt-get install git, removed entire Install dependencies step (~40 lines).
  Removed `. "$HOME/.cargo/env"` (PATH already set via `ENV` in Dockerfile).
  Removed `rustup target add aarch64-unknown-linux-gnu` from Build step.
  Added cargo (with `-arm64-` suffix key) + npm cache.
 ### `docs/wiki/CICD-Pipeline.md`
 Added two new sections before the Test Pipeline section:
 - **Pre-baked Builder Images**: table of all three images and their contents, rebuild
  triggers, how-to-rebuild instructions, and the insecure-registries Docker daemon
  prerequisite for 172.0.0.29.
 - **Cargo and npm Caching**: documents the `actions/cache@v3` key patterns in use,
  including the per-platform cache key suffixes for cross-compile jobs.
 Updated the Test Pipeline section to reference the correct pre-baked image name.
 Updated the Release Pipeline job table to show which image each build job uses.
 ## Testing Needed
 1. **Pre-build images** (prerequisite): Trigger `build-images.yml` via `workflow_dispatch`
   on Gitea Actions UI. Confirm all 3 images are pushed and visible in the registry.
 2. **Server prerequisite**: Confirm `/etc/docker/daemon.json` on `172.0.0.29` contains
   `{"insecure-registries":["172.0.0.29:3000"]}` and Docker was restarted after.
 3. **PR test suite**: Open a PR with these changes. Verify:
   - All 5 test jobs pass (`rust-fmt-check`, `rust-clippy`, `rust-tests`,
     `frontend-typecheck`, `frontend-tests`)
   - Job logs show no `apt-get` or `rustup component add` output
   - Cache hit messages appear on second run
 4. **Release build**: Merge to master. Verify `auto-tag.yml` runs and:
   - All 3 Linux/Windows build jobs start without Install dependencies step
   - Artifacts are produced and uploaded to the Gitea release
   - Total release time is significantly reduced (~7 min vs ~25 min before)
 5. **Expected time savings after caching warms up**:
   | Job | Before | After |
   |-----|--------|-------|
   | rust-fmt-check | ~2 min | ~20 sec |
   | rust-clippy | ~4 min | ~45 sec |
   | rust-tests | ~5 min | ~1.5 min |
   | frontend-typecheck | ~2 min | ~30 sec |
   | frontend-tests | ~3 min | ~40 sec |
   | build-linux-amd64 | ~10 min | ~3 min |
   | build-windows-amd64 | ~12 min | ~4 min |
   | build-linux-arm64 | ~15 min | ~4 min |
   | PR test total (parallel) | ~5 min | ~1.5 min |
   | Release total | ~25 min | ~7 min |