72 changed files with 1086 additions and 2167 deletions
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@ -115,60 +115,54 @@ jobs:
          }
          Remove-Item "$env:TEMP\aztoken.txt" -ErrorAction SilentlyContinue
-      - name: Upload all artifacts to SeaweedFS
+      - name: Upload to Gitea
        shell: powershell
        run: |
          $ver = ("${{ github.ref_name }}" -replace '^v','')
-          $s3 = "https://files.command.vigilcyber.com/wraith"
+          $giteaUrl = "https://git.command.vigilcyber.com"
-
+          $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
          # Upload installer
          $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
          foreach ($file in $installers) {
            Write-Host "Uploading: $($file.Name)"
            Invoke-RestMethod -Uri "$s3/$ver/$($file.Name)" -Method PUT -ContentType "application/octet-stream" -InFile $file.FullName
            # Also upload as 'latest' for direct download links
            Invoke-RestMethod -Uri "$s3/latest/$($file.Name)" -Method PUT -ContentType "application/octet-stream" -InFile $file.FullName
          }
          # Upload MCP bridge binary
          $bridge = "src-tauri\target\release\wraith-mcp-bridge.exe"
          if (Test-Path $bridge) {
            Write-Host "Uploading: wraith-mcp-bridge.exe"
-            Invoke-RestMethod -Uri "$s3/$ver/wraith-mcp-bridge.exe" -Method PUT -ContentType "application/octet-stream" -InFile $bridge
+            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/wraith-mcp-bridge.exe" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $bridge
            Invoke-RestMethod -Uri "$s3/latest/wraith-mcp-bridge.exe" -Method PUT -ContentType "application/octet-stream" -InFile $bridge
          }
-          # Upload .nsis.zip for Tauri auto-updater
+          $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
-          $zipFile = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.nsis.zip | Select-Object -First 1
+          foreach ($file in $installers) {
-          if ($zipFile) {
+            $hash = (Get-FileHash $file.FullName -Algorithm SHA256).Hash.ToLower()
-            Write-Host "Uploading: $($zipFile.Name)"
+            @{ version = $ver; filename = $file.Name; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
-            Invoke-RestMethod -Uri "$s3/$ver/$($zipFile.Name)" -Method PUT -ContentType "application/octet-stream" -InFile $zipFile.FullName
+
            Write-Host "Uploading: $($file.Name)"
            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$($file.Name)" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $file.FullName
            Write-Host "Uploading: version.json"
            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/version.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile version.json
          }
-          # Upload version.json metadata
+          Write-Host "=== Upload complete ==="
          $installer = $installers | Select-Object -First 1
          if ($installer) {
            $hash = (Get-FileHash $installer.FullName -Algorithm SHA256).Hash.ToLower()
            @{ version = $ver; filename = $installer.Name; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
            Invoke-RestMethod -Uri "$s3/$ver/version.json" -Method PUT -ContentType "application/json" -InFile version.json
            Invoke-RestMethod -Uri "$s3/latest/version.json" -Method PUT -ContentType "application/json" -InFile version.json
          }
          Write-Host "=== SeaweedFS upload complete ==="
      - name: Generate and upload update.json for Tauri updater
        shell: powershell
        run: |
          $ver = ("${{ github.ref_name }}" -replace '^v','')
-          $s3 = "https://files.command.vigilcyber.com/wraith"
+          $giteaUrl = "https://git.command.vigilcyber.com"
          $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
          # Find the .sig file produced by Tauri signing
          $sigFile = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.nsis.zip.sig | Select-Object -First 1
          $zipFile = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.nsis.zip | Select-Object -First 1
          if ($sigFile -and $zipFile) {
            $signature = Get-Content $sigFile.FullName -Raw
-            $downloadUrl = "$s3/$ver/$($zipFile.Name)"
+            $downloadUrl = "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$($zipFile.Name)"
            # Upload the .nsis.zip to packages
            Write-Host "Uploading: $($zipFile.Name)"
            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$($zipFile.Name)" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $zipFile.FullName
            # Build update.json
            $updateJson = @{
              version = "v$ver"
              notes = "Wraith Desktop v$ver"
@ -185,13 +179,44 @@ jobs:
            Write-Host "update.json content:"
            Get-Content update.json
-            # Upload to root (Tauri updater endpoint)
+            # Upload to latest/ so the updater endpoint always points to the newest
-            Invoke-RestMethod -Uri "$s3/update.json" -Method PUT -ContentType "application/json" -InFile update.json
+            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/latest/update.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile update.json
-            # Also versioned copy
+
-            Invoke-RestMethod -Uri "$s3/$ver/update.json" -Method PUT -ContentType "application/json" -InFile update.json
+            # Also upload to versioned path
            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/update.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile update.json
            Write-Host "=== Update manifest uploaded ==="
          } else {
            Write-Host 'WARNING - No .sig file found, update signing may have failed'
            Write-Host 'Sig files found'
            Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig
          }
      - name: Create Release and attach installers
        shell: powershell
        run: |
          $ver = ("${{ github.ref_name }}" -replace '^v','')
          $giteaUrl = "https://git.command.vigilcyber.com"
          $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}"; "Content-Type" = "application/json" }
          $body = @{ tag_name = "v$ver"; name = "Wraith v$ver"; body = "Wraith Desktop v$ver - Tauri v2 / Rust build." } | ConvertTo-Json
          $release = Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" -Method POST -Headers $headers -Body $body
          $releaseId = $release.id
          Write-Host "Release v$ver created (id: $releaseId)"
          $uploadHeaders = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
          # Attach installer(s)
          $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
          foreach ($file in $installers) {
            Write-Host "Attaching $($file.Name) to release..."
            Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases/$releaseId/assets?name=$($file.Name)" -Method POST -Headers $uploadHeaders -ContentType "application/octet-stream" -InFile $file.FullName
            Write-Host "Attached: $($file.Name)"
          }
          # Attach MCP bridge binary
          $bridge = "src-tauri\target\release\wraith-mcp-bridge.exe"
          if (Test-Path $bridge) {
            Write-Host "Attaching wraith-mcp-bridge.exe to release..."
            Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases/$releaseId/assets?name=wraith-mcp-bridge.exe" -Method POST -Headers $uploadHeaders -ContentType "application/octet-stream" -InFile $bridge
            Write-Host "Attached: wraith-mcp-bridge.exe"
          }
--- a/.gitignore
+++ b/.gitignore
@ -4,4 +4,3 @@ src-tauri/target/
 src-tauri/binaries/
 *.log
 .DS_Store
 .claude/worktrees/
--- a/docs/screenshots/stats-and-status-bars.png
+++ b/docs/screenshots/stats-and-status-bars.png
--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
@ -2991,7 +2991,6 @@ checksum = "47c225751e8fbfaaaac5572a80e25d0a0921e9cf408c55509526161b5609157c"
 dependencies = [
 "ironrdp-connector",
 "ironrdp-core",
 "ironrdp-displaycontrol",
 "ironrdp-graphics",
 "ironrdp-input",
 "ironrdp-pdu",
@ -8914,11 +8913,9 @@ dependencies = [
 "thiserror 2.0.18",
 "tokio",
 "tokio-rustls",
 "tokio-util",
 "ureq",
 "uuid",
 "x509-cert",
 "zeroize",
 ]
 [[package]]
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@ -12,15 +12,11 @@ crate-type = ["lib", "cdylib", "staticlib"]
 name = "wraith-mcp-bridge"
 path = "src/bin/wraith_mcp_bridge.rs"
 [features]
 default = []
 devtools = ["tauri/devtools"]
 [build-dependencies]
 tauri-build = { version = "2", features = [] }
 [dependencies]
-tauri = { version = "2", features = [] }
+tauri = { version = "2", features = ["devtools"] }
 tauri-plugin-shell = "2"
 tauri-plugin-updater = "2"
 anyhow = "1"
@ -37,8 +33,6 @@ uuid = { version = "1", features = ["v4"] }
 base64 = "0.22"
 dashmap = "6"
 tokio = { version = "1", features = ["full"] }
 tokio-util = "0.7"
 zeroize = { version = "1", features = ["derive"] }
 async-trait = "0.1"
 log = "0.4"
 env_logger = "0.11"
@ -65,7 +59,7 @@ ureq = "3"
 png = "0.17"
 # RDP (IronRDP)
-ironrdp = { version = "0.14", features = ["connector", "session", "graphics", "input", "displaycontrol"] }
+ironrdp = { version = "0.14", features = ["connector", "session", "graphics", "input"] }
 ironrdp-tokio = { version = "0.8", features = ["reqwest-rustls-ring"] }
 ironrdp-tls = { version = "0.2", features = ["rustls"] }
 tokio-rustls = "0.26"
--- a/src-tauri/src/bin/wraith_mcp_bridge.rs
+++ b/src-tauri/src/bin/wraith_mcp_bridge.rs
@ -38,22 +38,19 @@ struct JsonRpcError {
    message: String,
 }
-fn get_data_dir() -> Result<std::path::PathBuf, String> {
+fn get_mcp_port() -> Result<u16, String> {
-    if let Ok(appdata) = std::env::var("APPDATA") {
+    // Check standard locations for the port file
-        Ok(std::path::PathBuf::from(appdata).join("Wraith"))
+    let port_file = if let Ok(appdata) = std::env::var("APPDATA") {
        std::path::PathBuf::from(appdata).join("Wraith").join("mcp-port")
    } else if let Ok(home) = std::env::var("HOME") {
        if cfg!(target_os = "macos") {
-            Ok(std::path::PathBuf::from(home).join("Library").join("Application Support").join("Wraith"))
+            std::path::PathBuf::from(home).join("Library").join("Application Support").join("Wraith").join("mcp-port")
        } else {
-            Ok(std::path::PathBuf::from(home).join(".local").join("share").join("wraith"))
+            std::path::PathBuf::from(home).join(".local").join("share").join("wraith").join("mcp-port")
        }
    } else {
-        Err("Cannot determine data directory".to_string())
+        return Err("Cannot determine data directory".to_string());
-    }
+    };
 }
 fn get_mcp_port() -> Result<u16, String> {
    let port_file = get_data_dir()?.join("mcp-port");
    let port_str = std::fs::read_to_string(&port_file)
        .map_err(|e| format!("Cannot read MCP port file at {}: {} — is Wraith running?", port_file.display(), e))?;
@ -62,15 +59,6 @@ fn get_mcp_port() -> Result<u16, String> {
        .map_err(|e| format!("Invalid port in MCP port file: {}", e))
 }
 fn get_mcp_token() -> Result<String, String> {
    let token_file = get_data_dir()?.join("mcp-token");
    let token = std::fs::read_to_string(&token_file)
        .map_err(|e| format!("Cannot read MCP token file at {}: {} — is Wraith running?", token_file.display(), e))?;
    Ok(token.trim().to_string())
 }
 fn handle_initialize(id: Value) -> JsonRpcResponse {
    JsonRpcResponse {
        jsonrpc: "2.0".to_string(),
@ -95,19 +83,6 @@ fn handle_tools_list(id: Value) -> JsonRpcResponse {
        id,
        result: Some(serde_json::json!({
            "tools": [
                {
                    "name": "terminal_type",
                    "description": "Type text into a terminal session (like a human typing). Optionally presses Enter after. Use this to send messages or commands without output capture.",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The session ID to type into" },
                            "text": { "type": "string", "description": "The text to type" },
                            "press_enter": { "type": "boolean", "description": "Whether to press Enter after typing (default: true)" }
                        },
                        "required": ["session_id", "text"]
                    }
                },
                {
                    "name": "terminal_read",
                    "description": "Read recent terminal output from an active SSH or PTY session (ANSI codes stripped)",
@ -236,72 +211,6 @@ fn handle_tools_list(id: Value) -> JsonRpcResponse {
                    "description": "Generate a cryptographically secure random password",
                    "inputSchema": { "type": "object", "properties": { "length": { "type": "number" }, "uppercase": { "type": "boolean" }, "lowercase": { "type": "boolean" }, "digits": { "type": "boolean" }, "symbols": { "type": "boolean" } } }
                },
                {
                    "name": "docker_ps",
                    "description": "List all Docker containers with status, image, and ports",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" } }, "required": ["session_id"] }
                },
                {
                    "name": "docker_action",
                    "description": "Perform a Docker action: start, stop, restart, remove, logs, builder-prune, system-prune",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "action": { "type": "string", "description": "start|stop|restart|remove|logs|builder-prune|system-prune" }, "target": { "type": "string", "description": "Container name (not needed for prune actions)" } }, "required": ["session_id", "action", "target"] }
                },
                {
                    "name": "docker_exec",
                    "description": "Execute a command inside a running Docker container",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "container": { "type": "string" }, "command": { "type": "string" } }, "required": ["session_id", "container", "command"] }
                },
                {
                    "name": "service_status",
                    "description": "Check systemd service status on a remote host",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string", "description": "Service name" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "process_list",
                    "description": "List processes on a remote host (top CPU by default, or filter by name)",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string", "description": "Process name filter (empty for top 30 by CPU)" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "git_status",
                    "description": "Get git status of a remote repository",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "path": { "type": "string", "description": "Path to the git repo on the remote host" } }, "required": ["session_id", "path"] }
                },
                {
                    "name": "git_pull",
                    "description": "Pull latest changes on a remote repository",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "path": { "type": "string" } }, "required": ["session_id", "path"] }
                },
                {
                    "name": "git_log",
                    "description": "Show recent commits on a remote repository",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "path": { "type": "string" } }, "required": ["session_id", "path"] }
                },
                {
                    "name": "rdp_click",
                    "description": "Click at a position in an RDP session (use terminal_screenshot first to see coordinates)",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "x": { "type": "number" }, "y": { "type": "number" }, "button": { "type": "string", "description": "left (default), right, or middle" } }, "required": ["session_id", "x", "y"] }
                },
                {
                    "name": "rdp_type",
                    "description": "Type text into an RDP session via clipboard paste",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "text": { "type": "string" } }, "required": ["session_id", "text"] }
                },
                {
                    "name": "rdp_clipboard",
                    "description": "Set the clipboard content on a remote RDP session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "text": { "type": "string" } }, "required": ["session_id", "text"] }
                },
                {
                    "name": "ssh_connect",
                    "description": "Open a new SSH connection through Wraith. Returns the session ID for use with other tools.",
                    "inputSchema": { "type": "object", "properties": {
                        "hostname": { "type": "string" },
                        "port": { "type": "number", "description": "Default: 22" },
                        "username": { "type": "string" },
                        "password": { "type": "string", "description": "Password (for password auth)" },
                        "private_key_path": { "type": "string", "description": "Path to SSH private key file on the local machine" }
                    }, "required": ["hostname", "username"] }
                },
                {
                    "name": "list_sessions",
                    "description": "List all active Wraith sessions (SSH, RDP, PTY) with connection details",
@ -316,13 +225,12 @@ fn handle_tools_list(id: Value) -> JsonRpcResponse {
    }
 }
-fn call_wraith(port: u16, token: &str, endpoint: &str, body: Value) -> Result<Value, String> {
+fn call_wraith(port: u16, endpoint: &str, body: Value) -> Result<Value, String> {
    let url = format!("http://127.0.0.1:{}{}", port, endpoint);
    let body_str = serde_json::to_string(&body).unwrap_or_default();
    let mut resp = ureq::post(url)
        .header("Content-Type", "application/json")
        .header("Authorization", &format!("Bearer {}", token))
        .send(body_str.as_bytes())
        .map_err(|e| format!("HTTP request to Wraith failed: {}", e))?;
@ -340,40 +248,27 @@ fn call_wraith(port: u16, token: &str, endpoint: &str, body: Value) -> Result<Va
    }
 }
-fn handle_tool_call(id: Value, port: u16, token: &str, tool_name: &str, args: &Value) -> JsonRpcResponse {
+fn handle_tool_call(id: Value, port: u16, tool_name: &str, args: &Value) -> JsonRpcResponse {
    let result = match tool_name {
-        "list_sessions" => call_wraith(port, token, "/mcp/sessions", serde_json::json!({})),
+        "list_sessions" => call_wraith(port, "/mcp/sessions", serde_json::json!({})),
-        "terminal_type" => call_wraith(port, token, "/mcp/terminal/type", args.clone()),
+        "terminal_read" => call_wraith(port, "/mcp/terminal/read", args.clone()),
-        "terminal_read" => call_wraith(port, token, "/mcp/terminal/read", args.clone()),
+        "terminal_execute" => call_wraith(port, "/mcp/terminal/execute", args.clone()),
-        "terminal_execute" => call_wraith(port, token, "/mcp/terminal/execute", args.clone()),
+        "sftp_list" => call_wraith(port, "/mcp/sftp/list", args.clone()),
-        "sftp_list" => call_wraith(port, token, "/mcp/sftp/list", args.clone()),
+        "sftp_read" => call_wraith(port, "/mcp/sftp/read", args.clone()),
-        "sftp_read" => call_wraith(port, token, "/mcp/sftp/read", args.clone()),
+        "sftp_write" => call_wraith(port, "/mcp/sftp/write", args.clone()),
-        "sftp_write" => call_wraith(port, token, "/mcp/sftp/write", args.clone()),
+        "network_scan" => call_wraith(port, "/mcp/tool/scan-network", args.clone()),
-        "network_scan" => call_wraith(port, token, "/mcp/tool/scan-network", args.clone()),
+        "port_scan" => call_wraith(port, "/mcp/tool/scan-ports", args.clone()),
-        "port_scan" => call_wraith(port, token, "/mcp/tool/scan-ports", args.clone()),
+        "ping" => call_wraith(port, "/mcp/tool/ping", args.clone()),
-        "ping" => call_wraith(port, token, "/mcp/tool/ping", args.clone()),
+        "traceroute" => call_wraith(port, "/mcp/tool/traceroute", args.clone()),
-        "traceroute" => call_wraith(port, token, "/mcp/tool/traceroute", args.clone()),
+        "dns_lookup" => call_wraith(port, "/mcp/tool/dns", args.clone()),
-        "dns_lookup" => call_wraith(port, token, "/mcp/tool/dns", args.clone()),
+        "whois" => call_wraith(port, "/mcp/tool/whois", args.clone()),
-        "whois" => call_wraith(port, token, "/mcp/tool/whois", args.clone()),
+        "wake_on_lan" => call_wraith(port, "/mcp/tool/wol", args.clone()),
-        "wake_on_lan" => call_wraith(port, token, "/mcp/tool/wol", args.clone()),
+        "bandwidth_test" => call_wraith(port, "/mcp/tool/bandwidth", args.clone()),
-        "bandwidth_test" => call_wraith(port, token, "/mcp/tool/bandwidth", args.clone()),
+        "subnet_calc" => call_wraith(port, "/mcp/tool/subnet", args.clone()),
-        "subnet_calc" => call_wraith(port, token, "/mcp/tool/subnet", args.clone()),
+        "generate_ssh_key" => call_wraith(port, "/mcp/tool/keygen", args.clone()),
-        "generate_ssh_key" => call_wraith(port, token, "/mcp/tool/keygen", args.clone()),
+        "generate_password" => call_wraith(port, "/mcp/tool/passgen", args.clone()),
        "generate_password" => call_wraith(port, token, "/mcp/tool/passgen", args.clone()),
        "docker_ps" => call_wraith(port, token, "/mcp/docker/ps", args.clone()),
        "docker_action" => call_wraith(port, token, "/mcp/docker/action", args.clone()),
        "docker_exec" => call_wraith(port, token, "/mcp/docker/exec", args.clone()),
        "service_status" => call_wraith(port, token, "/mcp/service/status", args.clone()),
        "process_list" => call_wraith(port, token, "/mcp/process/list", args.clone()),
        "git_status" => call_wraith(port, token, "/mcp/git/status", args.clone()),
        "git_pull" => call_wraith(port, token, "/mcp/git/pull", args.clone()),
        "git_log" => call_wraith(port, token, "/mcp/git/log", args.clone()),
        "rdp_click" => call_wraith(port, token, "/mcp/rdp/click", args.clone()),
        "rdp_type" => call_wraith(port, token, "/mcp/rdp/type", args.clone()),
        "rdp_clipboard" => call_wraith(port, token, "/mcp/rdp/clipboard", args.clone()),
        "ssh_connect" => call_wraith(port, token, "/mcp/ssh/connect", args.clone()),
        "terminal_screenshot" => {
-            let result = call_wraith(port, token, "/mcp/screenshot", args.clone());
+            let result = call_wraith(port, "/mcp/screenshot", args.clone());
            // Screenshot returns base64 PNG — wrap as image content for multimodal AI
            return match result {
                Ok(b64) => JsonRpcResponse {
@ -433,14 +328,6 @@ fn main() {
        }
    };
    let token = match get_mcp_token() {
        Ok(t) => t,
        Err(e) => {
            eprintln!("wraith-mcp-bridge: {}", e);
            std::process::exit(1);
        }
    };
    let stdin = io::stdin();
    let mut stdout = io::stdout();
@ -479,7 +366,7 @@ fn main() {
                let args = request.params.get("arguments")
                    .cloned()
                    .unwrap_or(Value::Object(serde_json::Map::new()));
-                handle_tool_call(request.id, port, &token, tool_name, &args)
+                handle_tool_call(request.id, port, tool_name, &args)
            }
            "notifications/initialized" | "notifications/cancelled" => {
                // Notifications don't get responses
--- a/src-tauri/src/commands/credentials.rs
+++ b/src-tauri/src/commands/credentials.rs
@ -3,16 +3,34 @@ use tauri::State;
 use crate::credentials::Credential;
 use crate::AppState;
 /// Guard helper: lock the credentials mutex and return a ref to the inner
 /// `CredentialService`, or a "Vault is locked" error if the vault has not
 /// been unlocked for this session.
 ///
 /// This is a macro rather than a function because returning a `MutexGuard`
 /// from a helper function would require lifetime annotations that complicate
 /// the tauri command signatures unnecessarily.
 macro_rules! require_unlocked {
    ($state:expr) => {{
        let guard = $state
            .credentials
            .lock()
            .map_err(|_| "Credentials mutex was poisoned".to_string())?;
        if guard.is_none() {
            return Err("Vault is locked — call unlock before accessing credentials".into());
        }
        // SAFETY: we just checked `is_none` above, so `unwrap` cannot panic.
        guard
    }};
 }
 /// Return all credentials ordered by name.
 ///
 /// Secret values (passwords, private keys) are never included — only metadata.
 #[tauri::command]
-pub async fn list_credentials(state: State<'_, AppState>) -> Result<Vec<Credential>, String> {
+pub fn list_credentials(state: State<'_, AppState>) -> Result<Vec<Credential>, String> {
-    let guard = state.credentials.lock().await;
+    let guard = require_unlocked!(state);
-    let svc = guard
+    guard.as_ref().unwrap().list()
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.list()
 }
 /// Store a new username/password credential.
@ -21,18 +39,18 @@ pub async fn list_credentials(state: State<'_, AppState>) -> Result<Vec<Credenti
 /// Returns the created credential record (without the plaintext password).
 /// `domain` is `None` for non-domain credentials; `Some("")` is treated as NULL.
 #[tauri::command]
-pub async fn create_password(
+pub fn create_password(
    name: String,
    username: String,
    password: String,
    domain: Option<String>,
    state: State<'_, AppState>,
 ) -> Result<Credential, String> {
-    let guard = state.credentials.lock().await;
+    let guard = require_unlocked!(state);
-    let svc = guard
+    guard
        .as_ref()
-        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
+        .unwrap()
-    svc.create_password(name, username, password, domain)
+        .create_password(name, username, password, domain)
 }
 /// Store a new SSH private key credential.
@ -41,18 +59,18 @@ pub async fn create_password(
 /// Pass `None` for `passphrase` when the key has no passphrase.
 /// Returns the created credential record without any secret material.
 #[tauri::command]
-pub async fn create_ssh_key(
+pub fn create_ssh_key(
    name: String,
    username: String,
    private_key_pem: String,
    passphrase: Option<String>,
    state: State<'_, AppState>,
 ) -> Result<Credential, String> {
-    let guard = state.credentials.lock().await;
+    let guard = require_unlocked!(state);
-    let svc = guard
+    guard
        .as_ref()
-        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
+        .unwrap()
-    svc.create_ssh_key(name, username, private_key_pem, passphrase)
+        .create_ssh_key(name, username, private_key_pem, passphrase)
 }
 /// Delete a credential by id.
@ -60,30 +78,21 @@ pub async fn create_ssh_key(
 /// For SSH key credentials, the associated `ssh_keys` row is also deleted.
 /// Returns `Err` if the vault is locked or the id does not exist.
 #[tauri::command]
-pub async fn delete_credential(id: i64, state: State<'_, AppState>) -> Result<(), String> {
+pub fn delete_credential(id: i64, state: State<'_, AppState>) -> Result<(), String> {
-    let guard = state.credentials.lock().await;
+    let guard = require_unlocked!(state);
-    let svc = guard
+    guard.as_ref().unwrap().delete(id)
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.delete(id)
 }
 /// Decrypt and return the password for a credential.
 #[tauri::command]
-pub async fn decrypt_password(credential_id: i64, state: State<'_, AppState>) -> Result<String, String> {
+pub fn decrypt_password(credential_id: i64, state: State<'_, AppState>) -> Result<String, String> {
-    let guard = state.credentials.lock().await;
+    let guard = require_unlocked!(state);
-    let svc = guard
+    guard.as_ref().unwrap().decrypt_password(credential_id)
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.decrypt_password(credential_id)
 }
 /// Decrypt and return the SSH private key and passphrase.
 #[tauri::command]
-pub async fn decrypt_ssh_key(ssh_key_id: i64, state: State<'_, AppState>) -> Result<(String, String), String> {
+pub fn decrypt_ssh_key(ssh_key_id: i64, state: State<'_, AppState>) -> Result<(String, String), String> {
-    let guard = state.credentials.lock().await;
+    let guard = require_unlocked!(state);
-    let svc = guard
+    guard.as_ref().unwrap().decrypt_ssh_key(ssh_key_id)
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.decrypt_ssh_key(ssh_key_id)
 }
--- a/src-tauri/src/commands/docker_commands.rs
+++ b/src-tauri/src/commands/docker_commands.rs
@ -3,8 +3,6 @@
 use tauri::State;
 use serde::Serialize;
 use crate::AppState;
 use crate::ssh::exec::exec_on_session;
 use crate::utils::shell_escape;
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
@ -39,7 +37,7 @@ pub struct DockerVolume {
 pub async fn docker_list_containers(session_id: String, all: Option<bool>, state: State<'_, AppState>) -> Result<Vec<DockerContainer>, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
    let flag = if all.unwrap_or(true) { "-a" } else { "" };
-    let output = exec_on_session(&session.handle, &format!("docker ps {} --format '{{{{.ID}}}}|{{{{.Names}}}}|{{{{.Image}}}}|{{{{.Status}}}}|{{{{.Ports}}}}|{{{{.CreatedAt}}}}' 2>&1", flag)).await?;
+    let output = exec(&session.handle, &format!("docker ps {} --format '{{{{.ID}}}}|{{{{.Names}}}}|{{{{.Image}}}}|{{{{.Status}}}}|{{{{.Ports}}}}|{{{{.CreatedAt}}}}' 2>&1", flag)).await?;
    Ok(output.lines().filter(|l| !l.is_empty() && !l.starts_with("CONTAINER")).map(|line| {
        let p: Vec<&str> = line.splitn(6, '|').collect();
        DockerContainer {
@ -56,7 +54,7 @@ pub async fn docker_list_containers(session_id: String, all: Option<bool>, state
 #[tauri::command]
 pub async fn docker_list_images(session_id: String, state: State<'_, AppState>) -> Result<Vec<DockerImage>, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
-    let output = exec_on_session(&session.handle, "docker images --format '{{.ID}}|{{.Repository}}|{{.Tag}}|{{.Size}}|{{.CreatedAt}}' 2>&1").await?;
+    let output = exec(&session.handle, "docker images --format '{{.ID}}|{{.Repository}}|{{.Tag}}|{{.Size}}|{{.CreatedAt}}' 2>&1").await?;
    Ok(output.lines().filter(|l| !l.is_empty()).map(|line| {
        let p: Vec<&str> = line.splitn(5, '|').collect();
        DockerImage {
@ -72,7 +70,7 @@ pub async fn docker_list_images(session_id: String, state: State<'_, AppState>)
 #[tauri::command]
 pub async fn docker_list_volumes(session_id: String, state: State<'_, AppState>) -> Result<Vec<DockerVolume>, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
-    let output = exec_on_session(&session.handle, "docker volume ls --format '{{.Name}}|{{.Driver}}|{{.Mountpoint}}' 2>&1").await?;
+    let output = exec(&session.handle, "docker volume ls --format '{{.Name}}|{{.Driver}}|{{.Mountpoint}}' 2>&1").await?;
    Ok(output.lines().filter(|l| !l.is_empty()).map(|line| {
        let p: Vec<&str> = line.splitn(3, '|').collect();
        DockerVolume {
@ -86,20 +84,32 @@ pub async fn docker_list_volumes(session_id: String, state: State<'_, AppState>)
 #[tauri::command]
 pub async fn docker_action(session_id: String, action: String, target: String, state: State<'_, AppState>) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
    let t = shell_escape(&target);
    let cmd = match action.as_str() {
-        "start" => format!("docker start {} 2>&1", t),
+        "start" => format!("docker start {} 2>&1", target),
-        "stop" => format!("docker stop {} 2>&1", t),
+        "stop" => format!("docker stop {} 2>&1", target),
-        "restart" => format!("docker restart {} 2>&1", t),
+        "restart" => format!("docker restart {} 2>&1", target),
-        "remove" => format!("docker rm -f {} 2>&1", t),
+        "remove" => format!("docker rm -f {} 2>&1", target),
-        "logs" => format!("docker logs --tail 100 {} 2>&1", t),
+        "logs" => format!("docker logs --tail 100 {} 2>&1", target),
-        "remove-image" => format!("docker rmi {} 2>&1", t),
+        "remove-image" => format!("docker rmi {} 2>&1", target),
-        "remove-volume" => format!("docker volume rm {} 2>&1", t),
+        "remove-volume" => format!("docker volume rm {} 2>&1", target),
        "builder-prune" => "docker builder prune -f 2>&1".to_string(),
        "system-prune" => "docker system prune -f 2>&1".to_string(),
        "system-prune-all" => "docker system prune -a -f 2>&1".to_string(),
        _ => return Err(format!("Unknown docker action: {}", action)),
    };
-    exec_on_session(&session.handle, &cmd).await
+    exec(&session.handle, &cmd).await
 }
 async fn exec(handle: &std::sync::Arc<tokio::sync::Mutex<russh::client::Handle<crate::ssh::session::SshClient>>>, cmd: &str) -> Result<String, String> {
    let mut channel = { let h = handle.lock().await; h.channel_open_session().await.map_err(|e| format!("Exec failed: {}", e))? };
    channel.exec(true, cmd).await.map_err(|e| format!("Exec failed: {}", e))?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(russh::ChannelMsg::Data { ref data }) => { if let Ok(t) = std::str::from_utf8(data.as_ref()) { output.push_str(t); } }
            Some(russh::ChannelMsg::Eof) | Some(russh::ChannelMsg::Close) | None => break,
            _ => {}
        }
    }
    Ok(output)
 }
--- a/src-tauri/src/commands/mcp_commands.rs
+++ b/src-tauri/src/commands/mcp_commands.rs
@ -70,7 +70,7 @@ pub async fn mcp_terminal_execute(
    let before = buf.total_written();
    // Send command + marker echo
-    let full_cmd = format!("{}\recho {}\r", command, marker);
+    let full_cmd = format!("{}\necho {}\n", command, marker);
    state.ssh.write(&session_id, full_cmd.as_bytes()).await?;
    // Poll scrollback until marker appears or timeout
@ -116,10 +116,7 @@ pub async fn mcp_terminal_execute(
            return Ok(clean.trim().to_string());
        }
-        // Yield the executor before sleeping so other tasks aren't starved,
+        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
        // then wait 200 ms — much cheaper than the original 50 ms busy-poll.
        tokio::task::yield_now().await;
        tokio::time::sleep(std::time::Duration::from_millis(200)).await;
    }
 }
--- a/src-tauri/src/commands/mod.rs
+++ b/src-tauri/src/commands/mod.rs
@ -14,4 +14,3 @@ pub mod updater;
 pub mod tools_commands_r2;
 pub mod workspace_commands;
 pub mod docker_commands;
 pub mod window_commands;
--- a/src-tauri/src/commands/rdp_commands.rs
+++ b/src-tauri/src/commands/rdp_commands.rs
@ -3,53 +3,35 @@
 //! Mirrors the pattern used by `ssh_commands.rs` — thin command wrappers that
 //! delegate to the `RdpService` via `State<AppState>`.
-use tauri::{AppHandle, State};
+use tauri::State;
 use tauri::ipc::Response;
 use crate::rdp::{RdpConfig, RdpSessionInfo};
 use crate::AppState;
 /// Connect to an RDP server.
 ///
 /// Performs the full connection handshake (TCP -> TLS -> CredSSP -> RDP) and
 /// starts streaming frame updates in the background.
 ///
 /// Returns the session UUID.
 #[tauri::command]
 pub fn connect_rdp(
    config: RdpConfig,
    app_handle: AppHandle,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
-    state.rdp.connect(config, app_handle)
+    state.rdp.connect(config)
 }
-/// Get the dirty region since last call as raw RGBA bytes via binary IPC.
+/// Get the current frame buffer as raw RGBA bytes (binary IPC — no base64).
 ///
-/// Binary format: 8-byte header + pixel data
+/// Pixel format: RGBA, 4 bytes per pixel, row-major, top-left origin.
-///   Header: [x: u16, y: u16, width: u16, height: u16] (little-endian)
+/// Returns empty Vec if frame hasn't changed since last call.
 ///   If header is all zeros, the payload is a full frame (width*height*4 bytes).
 ///   If header is non-zero, payload contains only the dirty rectangle pixels.
 /// Returns empty payload if nothing changed.
 #[tauri::command]
-pub fn rdp_get_frame(
+pub async fn rdp_get_frame(
    session_id: String,
    state: State<'_, AppState>,
-) -> Result<Response, String> {
+) -> Result<Vec<u8>, String> {
-    let (region, pixels) = state.rdp.get_frame(&session_id)?;
+    state.rdp.get_frame(&session_id).await
    if pixels.is_empty() {
        return Ok(Response::new(Vec::new()));
    }
    // Prepend 8-byte dirty rect header
    let mut out = Vec::with_capacity(8 + pixels.len());
    match region {
        Some(rect) => {
            out.extend_from_slice(&rect.x.to_le_bytes());
            out.extend_from_slice(&rect.y.to_le_bytes());
            out.extend_from_slice(&rect.width.to_le_bytes());
            out.extend_from_slice(&rect.height.to_le_bytes());
        }
        None => {
            out.extend_from_slice(&[0u8; 8]); // full frame marker
        }
    }
    out.extend_from_slice(&pixels);
    Ok(Response::new(out))
 }
 /// Send a mouse event to an RDP session.
@ -64,7 +46,7 @@ pub fn rdp_get_frame(
 /// - 0x0100 = negative wheel direction
 /// - 0x0400 = horizontal wheel
 #[tauri::command]
-pub fn rdp_send_mouse(
+pub async fn rdp_send_mouse(
    session_id: String,
    x: u16,
    y: u16,
@ -82,7 +64,7 @@ pub fn rdp_send_mouse(
 ///
 /// `pressed` is `true` for key-down, `false` for key-up.
 #[tauri::command]
-pub fn rdp_send_key(
+pub async fn rdp_send_key(
    session_id: String,
    scancode: u16,
    pressed: bool,
@ -93,7 +75,7 @@ pub fn rdp_send_key(
 /// Send clipboard text to an RDP session by simulating keystrokes.
 #[tauri::command]
-pub fn rdp_send_clipboard(
+pub async fn rdp_send_clipboard(
    session_id: String,
    text: String,
    state: State<'_, AppState>,
@ -101,34 +83,11 @@ pub fn rdp_send_clipboard(
    state.rdp.send_clipboard(&session_id, &text)
 }
 /// Force the next get_frame to return a full frame regardless of dirty state.
 /// Used when switching tabs or after resize to ensure the canvas is fully repainted.
 #[tauri::command]
 pub fn rdp_force_refresh(
    session_id: String,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
    state.rdp.force_refresh(&session_id)
 }
 /// Resize the RDP session's desktop resolution.
 /// Sends a Display Control Virtual Channel request to the server.
 /// The server will re-render at the new resolution and send updated frames.
 #[tauri::command]
 pub fn rdp_resize(
    session_id: String,
    width: u16,
    height: u16,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
    state.rdp.resize(&session_id, width, height)
 }
 /// Disconnect an RDP session.
 ///
 /// Sends a graceful shutdown to the RDP server and removes the session.
 #[tauri::command]
-pub fn disconnect_rdp(
+pub async fn disconnect_rdp(
    session_id: String,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
@ -137,7 +96,7 @@ pub fn disconnect_rdp(
 /// List all active RDP sessions (metadata only).
 #[tauri::command]
-pub fn list_rdp_sessions(
+pub async fn list_rdp_sessions(
    state: State<'_, AppState>,
 ) -> Result<Vec<RdpSessionInfo>, String> {
    Ok(state.rdp.list_sessions())
--- a/src-tauri/src/commands/tools_commands.rs
+++ b/src-tauri/src/commands/tools_commands.rs
@ -4,8 +4,6 @@ use tauri::State;
 use serde::Serialize;
 use crate::AppState;
 use crate::ssh::exec::exec_on_session;
 use crate::utils::shell_escape;
 // ── Ping ─────────────────────────────────────────────────────────────────────
@ -27,7 +25,7 @@ pub async fn tool_ping(
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let n = count.unwrap_or(4);
-    let cmd = format!("ping -c {} {} 2>&1", n, shell_escape(&target));
+    let cmd = format!("ping -c {} {} 2>&1", n, target);
    let output = exec_on_session(&session.handle, &cmd).await?;
    Ok(PingResult { target, output })
 }
@ -41,8 +39,7 @@ pub async fn tool_traceroute(
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
-    let t = shell_escape(&target);
+    let cmd = format!("traceroute {} 2>&1 || tracert {} 2>&1", target, target);
    let cmd = format!("traceroute {} 2>&1 || tracert {} 2>&1", t, t);
    exec_on_session(&session.handle, &cmd).await
 }
@ -68,16 +65,14 @@ pub async fn tool_wake_on_lan(
    let cmd = format!(
        r#"python3 -c "
 import socket, struct
-mac = bytes.fromhex({mac_clean_escaped})
+mac = bytes.fromhex('{mac_clean}')
 pkt = b'\xff'*6 + mac*16
 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
 s.sendto(pkt, ('255.255.255.255', 9))
 s.close()
-print('WoL packet sent to {mac_display_escaped}')
+print('WoL packet sent to {mac_address}')
-" 2>&1 || echo "python3 not available — install python3 on remote host for WoL""#,
+" 2>&1 || echo "python3 not available — install python3 on remote host for WoL""#
        mac_clean_escaped = shell_escape(&mac_clean),
        mac_display_escaped = shell_escape(&mac_address),
    );
    exec_on_session(&session.handle, &cmd).await
@ -186,3 +181,32 @@ pub fn tool_generate_password_inner(
    Ok(password)
 }
 // ── Helper ───────────────────────────────────────────────────────────────────
 async fn exec_on_session(
    handle: &std::sync::Arc<tokio::sync::Mutex<russh::client::Handle<crate::ssh::session::SshClient>>>,
    cmd: &str,
 ) -> Result<String, String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session().await.map_err(|e| format!("Exec channel failed: {}", e))?
    };
    channel.exec(true, cmd).await.map_err(|e| format!("Exec failed: {}", e))?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(russh::ChannelMsg::Data { ref data }) => {
                if let Ok(text) = std::str::from_utf8(data.as_ref()) {
                    output.push_str(text);
                }
            }
            Some(russh::ChannelMsg::Eof) | Some(russh::ChannelMsg::Close) | None => break,
            Some(russh::ChannelMsg::ExitStatus { .. }) => {}
            _ => {}
        }
    }
    Ok(output)
 }
--- a/src-tauri/src/commands/tools_commands_r2.rs
+++ b/src-tauri/src/commands/tools_commands_r2.rs
@ -4,8 +4,6 @@ use tauri::State;
 use serde::Serialize;
 use crate::AppState;
 use crate::ssh::exec::exec_on_session;
 use crate::utils::shell_escape;
 // ── DNS Lookup ───────────────────────────────────────────────────────────────
@ -18,11 +16,10 @@ pub async fn tool_dns_lookup(
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
-    let d = shell_escape(&domain);
+    let rtype = record_type.unwrap_or_else(|| "A".to_string());
    let rt = shell_escape(&record_type.unwrap_or_else(|| "A".to_string()));
    let cmd = format!(
        r#"dig {} {} +short 2>/dev/null || nslookup -type={} {} 2>/dev/null || host -t {} {} 2>/dev/null"#,
-        d, rt, rt, d, rt, d
+        domain, rtype, rtype, domain, rtype, domain
    );
    exec_on_session(&session.handle, &cmd).await
 }
@ -37,7 +34,7 @@ pub async fn tool_whois(
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
-    let cmd = format!("whois {} 2>&1 | head -80", shell_escape(&target));
+    let cmd = format!("whois {} 2>&1 | head -80", target);
    exec_on_session(&session.handle, &cmd).await
 }
@ -53,10 +50,9 @@ pub async fn tool_bandwidth_iperf(
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let dur = duration.unwrap_or(5);
    let s = shell_escape(&server);
    let cmd = format!(
        "iperf3 -c {} -t {} --json 2>/dev/null || iperf3 -c {} -t {} 2>&1 || echo 'iperf3 not installed — run: apt install iperf3 / brew install iperf3'",
-        s, dur, s, dur
+        server, dur, server, dur
    );
    exec_on_session(&session.handle, &cmd).await
 }
@ -182,3 +178,27 @@ fn to_ip(val: u32) -> String {
    format!("{}.{}.{}.{}", val >> 24, (val >> 16) & 0xFF, (val >> 8) & 0xFF, val & 0xFF)
 }
 // ── Helper ───────────────────────────────────────────────────────────────────
 async fn exec_on_session(
    handle: &std::sync::Arc<tokio::sync::Mutex<russh::client::Handle<crate::ssh::session::SshClient>>>,
    cmd: &str,
 ) -> Result<String, String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session().await.map_err(|e| format!("Exec channel failed: {}", e))?
    };
    channel.exec(true, cmd).await.map_err(|e| format!("Exec failed: {}", e))?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(russh::ChannelMsg::Data { ref data }) => {
                if let Ok(text) = std::str::from_utf8(data.as_ref()) { output.push_str(text); }
            }
            Some(russh::ChannelMsg::Eof) | Some(russh::ChannelMsg::Close) | None => break,
            Some(russh::ChannelMsg::ExitStatus { .. }) => {}
            _ => {}
        }
    }
    Ok(output)
 }
--- a/src-tauri/src/commands/updater.rs
+++ b/src-tauri/src/commands/updater.rs
@ -48,8 +48,10 @@ pub async fn check_for_updates(app_handle: tauri::AppHandle) -> Result<UpdateInf
        .unwrap_or("")
        .to_string();
-    // Direct download from SeaweedFS
+    let html_url = latest.get("html_url")
-    let html_url = format!("https://files.command.vigilcyber.com/wraith/{}/", tag);
+        .and_then(|v| v.as_str())
        .unwrap_or("https://git.command.vigilcyber.com/vstockwell/wraith/releases")
        .to_string();
    let update_available = version_is_newer(&tag, &current);
--- a/src-tauri/src/commands/vault.rs
+++ b/src-tauri/src/commands/vault.rs
@ -1,5 +1,4 @@
 use tauri::State;
 use zeroize::Zeroize;
 use crate::vault::{self, VaultService};
 use crate::credentials::CredentialService;
@ -22,15 +21,14 @@ pub fn is_first_run(state: State<'_, AppState>) -> bool {
 /// Returns `Err` if the vault has already been set up or if any storage
 /// operation fails.
 #[tauri::command]
-pub async fn create_vault(mut password: String, state: State<'_, AppState>) -> Result<(), String> {
+pub fn create_vault(password: String, state: State<'_, AppState>) -> Result<(), String> {
    let result = async {
    if !state.is_first_run() {
        return Err("Vault already exists — use unlock instead of create".into());
    }
    let salt = vault::generate_salt();
    let key = vault::derive_key(&password, &salt);
-        let vs = VaultService::new(key.clone());
+    let vs = VaultService::new(key);
    // Persist the salt so we can re-derive the key on future unlocks.
    state.settings.set("vault_salt", &hex::encode(salt))?;
@ -41,14 +39,10 @@ pub async fn create_vault(mut password: String, state: State<'_, AppState>) -> R
    // Activate the vault and credentials service for this session.
    let cred_svc = CredentialService::new(state.db.clone(), VaultService::new(key));
-        *state.credentials.lock().await = Some(cred_svc);
+    *state.credentials.lock().unwrap() = Some(cred_svc);
-        *state.vault.lock().await = Some(vs);
+    *state.vault.lock().unwrap() = Some(vs);
    Ok(())
    }.await;
    password.zeroize();
    result
 }
 /// Unlock an existing vault using the master password.
@ -58,8 +52,7 @@ pub async fn create_vault(mut password: String, state: State<'_, AppState>) -> R
 ///
 /// Returns `Err("Incorrect master password")` if the password is wrong.
 #[tauri::command]
-pub async fn unlock(mut password: String, state: State<'_, AppState>) -> Result<(), String> {
+pub fn unlock(password: String, state: State<'_, AppState>) -> Result<(), String> {
    let result = async {
    let salt_hex = state
        .settings
        .get("vault_salt")
@ -69,7 +62,7 @@ pub async fn unlock(mut password: String, state: State<'_, AppState>) -> Result<
        .map_err(|e| format!("Stored vault salt is corrupt: {e}"))?;
    let key = vault::derive_key(&password, &salt);
-        let vs = VaultService::new(key.clone());
+    let vs = VaultService::new(key);
    // Verify the password by decrypting the check value.
    let check_blob = state
@ -87,18 +80,14 @@ pub async fn unlock(mut password: String, state: State<'_, AppState>) -> Result<
    // Activate the vault and credentials service for this session.
    let cred_svc = CredentialService::new(state.db.clone(), VaultService::new(key));
-        *state.credentials.lock().await = Some(cred_svc);
+    *state.credentials.lock().unwrap() = Some(cred_svc);
-        *state.vault.lock().await = Some(vs);
+    *state.vault.lock().unwrap() = Some(vs);
    Ok(())
    }.await;
    password.zeroize();
    result
 }
 /// Returns `true` if the vault is currently unlocked for this session.
 #[tauri::command]
-pub async fn is_unlocked(state: State<'_, AppState>) -> Result<bool, String> {
+pub fn is_unlocked(state: State<'_, AppState>) -> bool {
-    Ok(state.is_unlocked().await)
+    state.is_unlocked()
 }
--- a/src-tauri/src/commands/window_commands.rs
+++ b/src-tauri/src/commands/window_commands.rs
@ -1,40 +0,0 @@
 use tauri::AppHandle;
 use tauri::WebviewWindowBuilder;
 /// Open a child window from the Rust side using WebviewWindowBuilder.
 ///
 /// The `url` parameter supports hash fragments (e.g. "index.html#/tool/ping?sessionId=abc").
 /// WebviewUrl::App takes a PathBuf and cannot handle hash/query — so we load plain
 /// index.html and set the hash via JS after the window is created.
 #[tauri::command]
 pub fn open_child_window(
    app_handle: AppHandle,
    label: String,
    title: String,
    url: String,
    width: f64,
    height: f64,
 ) -> Result<(), String> {
    // Split "index.html#/tool/ping?sessionId=abc" into path and fragment
    let (path, hash) = match url.split_once('#') {
        Some((p, h)) => (p.to_string(), Some(format!("#{}", h))),
        None => (url.clone(), None),
    };
    let webview_url = tauri::WebviewUrl::App(path.into());
    let window = WebviewWindowBuilder::new(&app_handle, &label, webview_url)
        .title(&title)
        .inner_size(width, height)
        .resizable(true)
        .center()
        .build()
        .map_err(|e| format!("Failed to create window '{}': {}", label, e))?;
    // Set the hash fragment after the window loads — this triggers App.vue's
    // onMounted hash detection to render the correct tool/detached component.
    if let Some(hash) = hash {
        let _ = window.eval(&format!("window.location.hash = '{}';", hash));
    }
    Ok(())
 }
--- a/src-tauri/src/connections/mod.rs
+++ b/src-tauri/src/connections/mod.rs
@ -19,7 +19,6 @@ use crate::db::Database;
 // ── domain types ──────────────────────────────────────────────────────────────
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct ConnectionGroup {
    pub id: i64,
    pub name: String,
@ -434,9 +433,6 @@ impl ConnectionService {
    /// Batch-update sort_order for a list of connection IDs.
    pub fn reorder_connections(&self, ids: &[i64]) -> Result<(), String> {
        let conn = self.db.conn();
        conn.execute_batch("BEGIN")
            .map_err(|e| format!("Failed to begin reorder transaction: {e}"))?;
        let result = (|| {
        for (i, id) in ids.iter().enumerate() {
            conn.execute(
                "UPDATE connections SET sort_order = ?1 WHERE id = ?2",
@ -445,22 +441,11 @@ impl ConnectionService {
            .map_err(|e| format!("Failed to reorder connection {id}: {e}"))?;
        }
        Ok(())
        })();
        if result.is_err() {
            let _ = conn.execute_batch("ROLLBACK");
        } else {
            conn.execute_batch("COMMIT")
                .map_err(|e| format!("Failed to commit reorder transaction: {e}"))?;
        }
        result
    }
    /// Batch-update sort_order for a list of group IDs.
    pub fn reorder_groups(&self, ids: &[i64]) -> Result<(), String> {
        let conn = self.db.conn();
        conn.execute_batch("BEGIN")
            .map_err(|e| format!("Failed to begin reorder transaction: {e}"))?;
        let result = (|| {
        for (i, id) in ids.iter().enumerate() {
            conn.execute(
                "UPDATE groups SET sort_order = ?1 WHERE id = ?2",
@ -469,14 +454,6 @@ impl ConnectionService {
            .map_err(|e| format!("Failed to reorder group {id}: {e}"))?;
        }
        Ok(())
        })();
        if result.is_err() {
            let _ = conn.execute_batch("ROLLBACK");
        } else {
            conn.execute_batch("COMMIT")
                .map_err(|e| format!("Failed to commit reorder transaction: {e}"))?;
        }
        result
    }
 }
--- a/src-tauri/src/db/mod.rs
+++ b/src-tauri/src/db/mod.rs
@ -31,11 +31,10 @@ impl Database {
    /// Acquire a lock on the underlying connection.
    ///
-    /// Recovers gracefully from a poisoned mutex by taking the inner value.
+    /// Panics if the mutex was poisoned (which only happens if a thread
-    /// A poisoned mutex means a thread panicked while holding the lock; the
+    /// panicked while holding the lock — a non-recoverable situation anyway).
    /// connection itself is still valid, so we can continue operating.
    pub fn conn(&self) -> std::sync::MutexGuard<'_, Connection> {
-        self.conn.lock().unwrap_or_else(|e| e.into_inner())
+        self.conn.lock().unwrap()
    }
    /// Run all embedded SQL migrations.
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@ -21,9 +21,9 @@ pub mod pty;
 pub mod mcp;
 pub mod scanner;
 pub mod commands;
 pub mod utils;
 use std::path::PathBuf;
 use std::sync::Mutex;
 use db::Database;
 use vault::VaultService;
@ -41,10 +41,10 @@ use mcp::error_watcher::ErrorWatcher;
 pub struct AppState {
    pub db: Database,
-    pub vault: tokio::sync::Mutex<Option<VaultService>>,
+    pub vault: Mutex<Option<VaultService>>,
    pub settings: SettingsService,
    pub connections: ConnectionService,
-    pub credentials: tokio::sync::Mutex<Option<CredentialService>>,
+    pub credentials: Mutex<Option<CredentialService>>,
    pub ssh: SshService,
    pub sftp: SftpService,
    pub rdp: RdpService,
@ -60,18 +60,17 @@ impl AppState {
        std::fs::create_dir_all(&data_dir)?;
        let database = Database::open(&data_dir.join("wraith.db"))?;
        database.migrate()?;
        let settings = SettingsService::new(database.clone());
        Ok(Self {
            db: database.clone(),
-            vault: tokio::sync::Mutex::new(None),
+            vault: Mutex::new(None),
            settings: SettingsService::new(database.clone()),
            connections: ConnectionService::new(database.clone()),
-            credentials: tokio::sync::Mutex::new(None),
+            credentials: Mutex::new(None),
            ssh: SshService::new(database.clone()),
            sftp: SftpService::new(),
            rdp: RdpService::new(),
-            theme: ThemeService::new(database),
+            theme: ThemeService::new(database.clone()),
-            workspace: WorkspaceService::new(settings.clone()),
+            workspace: WorkspaceService::new(SettingsService::new(database.clone())),
            settings,
            pty: PtyService::new(),
            scrollback: ScrollbackRegistry::new(),
            error_watcher: std::sync::Arc::new(ErrorWatcher::new()),
@ -86,8 +85,8 @@ impl AppState {
        self.settings.get("vault_salt").unwrap_or_default().is_empty()
    }
-    pub async fn is_unlocked(&self) -> bool {
+    pub fn is_unlocked(&self) -> bool {
-        self.vault.lock().await.is_some()
+        self.vault.lock().unwrap().is_some()
    }
 }
@ -101,24 +100,9 @@ pub fn data_directory() -> PathBuf {
    PathBuf::from(".")
 }
 /// Cached log file handle — opened once on first use, reused for all subsequent
 /// writes.  Avoids the open/close syscall pair that the original implementation
 /// paid on every `wraith_log!` invocation.
 static LOG_FILE: std::sync::OnceLock<std::sync::Mutex<std::fs::File>> = std::sync::OnceLock::new();
 fn write_log(path: &std::path::Path, msg: &str) -> std::io::Result<()> {
    use std::io::Write;
-
+    let mut f = std::fs::OpenOptions::new().create(true).append(true).open(path)?;
    let handle = LOG_FILE.get_or_init(|| {
        let file = std::fs::OpenOptions::new()
            .create(true)
            .append(true)
            .open(path)
            .expect("failed to open wraith.log");
        std::sync::Mutex::new(file)
    });
    let mut f = handle.lock().unwrap_or_else(|e| e.into_inner());
    let elapsed = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
@ -171,9 +155,7 @@ pub fn run() {
                    let _ = write_log(&log_file, "Setup: cloned services OK");
                    // Error watcher — std::thread, no tokio needed
                    let watcher_for_mcp = watcher.clone();
                    let app_handle = app.handle().clone();
                    let app_handle_for_mcp = app.handle().clone();
                    let _ = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
                        mcp::error_watcher::start_error_watcher(watcher, scrollback.clone(), app_handle);
                    }));
@ -183,7 +165,7 @@ pub fn run() {
                    let log_file2 = log_file.clone();
                    let _ = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
                        tauri::async_runtime::spawn(async move {
-                            match mcp::server::start_mcp_server(ssh, rdp, sftp, scrollback, app_handle_for_mcp, watcher_for_mcp).await {
+                            match mcp::server::start_mcp_server(ssh, rdp, sftp, scrollback).await {
                                Ok(port) => { let _ = write_log(&log_file2, &format!("MCP server started on localhost:{}", port)); }
                                Err(e) => { let _ = write_log(&log_file2, &format!("MCP server FAILED: {}", e)); }
                            }
@ -224,7 +206,7 @@ pub fn run() {
            commands::credentials::list_credentials, commands::credentials::create_password, commands::credentials::create_ssh_key, commands::credentials::delete_credential, commands::credentials::decrypt_password, commands::credentials::decrypt_ssh_key,
            commands::ssh_commands::connect_ssh, commands::ssh_commands::connect_ssh_with_key, commands::ssh_commands::ssh_write, commands::ssh_commands::ssh_resize, commands::ssh_commands::disconnect_ssh, commands::ssh_commands::disconnect_session, commands::ssh_commands::list_ssh_sessions,
            commands::sftp_commands::sftp_list, commands::sftp_commands::sftp_read_file, commands::sftp_commands::sftp_write_file, commands::sftp_commands::sftp_mkdir, commands::sftp_commands::sftp_delete, commands::sftp_commands::sftp_rename,
-            commands::rdp_commands::connect_rdp, commands::rdp_commands::rdp_get_frame, commands::rdp_commands::rdp_force_refresh, commands::rdp_commands::rdp_send_mouse, commands::rdp_commands::rdp_send_key, commands::rdp_commands::rdp_send_clipboard, commands::rdp_commands::rdp_resize, commands::rdp_commands::disconnect_rdp, commands::rdp_commands::list_rdp_sessions,
+            commands::rdp_commands::connect_rdp, commands::rdp_commands::rdp_get_frame, commands::rdp_commands::rdp_send_mouse, commands::rdp_commands::rdp_send_key, commands::rdp_commands::rdp_send_clipboard, commands::rdp_commands::disconnect_rdp, commands::rdp_commands::list_rdp_sessions,
            commands::theme_commands::list_themes, commands::theme_commands::get_theme,
            commands::pty_commands::list_available_shells, commands::pty_commands::spawn_local_shell, commands::pty_commands::pty_write, commands::pty_commands::pty_resize, commands::pty_commands::disconnect_pty,
            commands::mcp_commands::mcp_list_sessions, commands::mcp_commands::mcp_terminal_read, commands::mcp_commands::mcp_terminal_execute, commands::mcp_commands::mcp_get_session_context, commands::mcp_commands::mcp_bridge_path,
@ -234,7 +216,6 @@ pub fn run() {
            commands::updater::check_for_updates,
            commands::workspace_commands::save_workspace, commands::workspace_commands::load_workspace,
            commands::docker_commands::docker_list_containers, commands::docker_commands::docker_list_images, commands::docker_commands::docker_list_volumes, commands::docker_commands::docker_action,
            commands::window_commands::open_child_window,
        ])
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
--- a/src-tauri/src/mcp/bridge_manager.rs
+++ b/src-tauri/src/mcp/bridge_manager.rs
@ -40,7 +40,7 @@ pub async fn ensure_bridge(app_version: &str) -> Result<(), String> {
    };
    let url = format!(
-        "https://files.command.vigilcyber.com/wraith/{}/{}",
+        "https://git.command.vigilcyber.com/api/packages/vstockwell/generic/wraith/{}/{}",
        app_version, binary_name
    );
--- a/src-tauri/src/mcp/error_watcher.rs
+++ b/src-tauri/src/mcp/error_watcher.rs
@ -62,9 +62,9 @@ impl ErrorWatcher {
                    continue;
                }
-                // Only scan bytes written since the last check — avoids
+                let raw = buf.read_raw();
-                // reading the entire 64 KB ring buffer on every 2-second tick.
+                let new_start = raw.len().saturating_sub(total - last_pos);
-                let new_content = buf.read_since(last_pos);
+                let new_content = &raw[new_start..];
                for line in new_content.lines() {
                    for pattern in ERROR_PATTERNS {
--- a/src-tauri/src/mcp/mod.rs
+++ b/src-tauri/src/mcp/mod.rs
@ -36,7 +36,7 @@ impl ScrollbackRegistry {
    /// Get the scrollback buffer for a session.
    pub fn get(&self, session_id: &str) -> Option<Arc<ScrollbackBuffer>> {
-        self.buffers.get(session_id).map(|r| r.value().clone())
+        self.buffers.get(session_id).map(|entry| entry.clone())
    }
    /// Remove a session's scrollback buffer.
--- a/src-tauri/src/mcp/scrollback.rs
+++ b/src-tauri/src/mcp/scrollback.rs
@ -40,25 +40,13 @@ impl ScrollbackBuffer {
    /// Append bytes to the buffer. Old data is overwritten when full.
    pub fn push(&self, bytes: &[u8]) {
-        if bytes.is_empty() {
+        let mut buf = self.inner.lock().unwrap();
-            return;
+        for &b in bytes {
            let pos = buf.write_pos;
            buf.data[pos] = b;
            buf.write_pos = (pos + 1) % buf.capacity;
            buf.total_written += 1;
        }
        let mut buf = self.inner.lock().unwrap_or_else(|e| e.into_inner());
        let cap = buf.capacity;
        // If input exceeds capacity, only keep the last `cap` bytes
        let data = if bytes.len() > cap {
            &bytes[bytes.len() - cap..]
        } else {
            bytes
        };
        let write_pos = buf.write_pos;
        let first_len = (cap - write_pos).min(data.len());
        buf.data[write_pos..write_pos + first_len].copy_from_slice(&data[..first_len]);
        if first_len < data.len() {
            buf.data[..data.len() - first_len].copy_from_slice(&data[first_len..]);
        }
        buf.write_pos = (write_pos + data.len()) % cap;
        buf.total_written += bytes.len();
    }
    /// Read the last `n` lines from the buffer, with ANSI escape codes stripped.
@ -72,7 +60,7 @@ impl ScrollbackBuffer {
    /// Read all buffered content as raw bytes (ordered oldest→newest).
    pub fn read_raw(&self) -> String {
-        let buf = self.inner.lock().unwrap_or_else(|e| e.into_inner());
+        let buf = self.inner.lock().unwrap();
        let bytes = if buf.total_written >= buf.capacity {
            // Buffer has wrapped — read from write_pos to end, then start to write_pos
            let mut out = Vec::with_capacity(buf.capacity);
@ -88,47 +76,7 @@ impl ScrollbackBuffer {
    /// Total bytes written since creation.
    pub fn total_written(&self) -> usize {
-        self.inner.lock().unwrap_or_else(|e| e.into_inner()).total_written
+        self.inner.lock().unwrap().total_written
    }
    /// Read only the bytes written after `position` (total_written offset),
    /// ordered oldest→newest, with ANSI codes stripped.
    ///
    /// Returns an empty string when there is nothing new since `position`.
    /// This is more efficient than `read_raw()` for incremental scanning because
    /// it avoids copying the full 64 KB ring buffer when only a small delta exists.
    pub fn read_since(&self, position: usize) -> String {
        let buf = self.inner.lock().unwrap_or_else(|e| e.into_inner());
        let total = buf.total_written;
        if total <= position {
            return String::new();
        }
        let new_bytes = total - position;
        let cap = buf.capacity;
        // How many bytes are actually stored in the ring (max = capacity)
        let stored = total.min(cap);
        // Clamp new_bytes to what's actually in the buffer
        let readable = new_bytes.min(stored);
        // Write position is where the *next* byte would go; reading backwards
        // from write_pos gives us the most recent `readable` bytes.
        let write_pos = buf.write_pos;
        let bytes = if readable <= write_pos {
            // Contiguous slice ending at write_pos
            buf.data[write_pos - readable..write_pos].to_vec()
        } else {
            // Wraps around: tail of buffer + head up to write_pos
            let tail_len = readable - write_pos;
            let tail_start = cap - tail_len;
            let mut out = Vec::with_capacity(readable);
            out.extend_from_slice(&buf.data[tail_start..]);
            out.extend_from_slice(&buf.data[..write_pos]);
            out
        };
        let raw = String::from_utf8_lossy(&bytes).to_string();
        strip_ansi(&raw)
    }
 }
@ -244,42 +192,4 @@ mod tests {
        buf.push(b"ABCD"); // 4 more, wraps
        assert_eq!(buf.total_written(), 12);
    }
    #[test]
    fn push_empty_is_noop() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"hello");
        buf.push(b"");
        assert_eq!(buf.total_written(), 5);
        assert!(buf.read_raw().contains("hello"));
    }
    #[test]
    fn push_larger_than_capacity() {
        let buf = ScrollbackBuffer::with_capacity(4);
        buf.push(b"ABCDEFGH"); // 8 bytes into 4-byte buffer
        let raw = buf.read_raw();
        assert_eq!(raw, "EFGH"); // only last 4 bytes kept
        assert_eq!(buf.total_written(), 8);
    }
    #[test]
    fn push_exact_capacity() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"12345678");
        let raw = buf.read_raw();
        assert_eq!(raw, "12345678");
        assert_eq!(buf.total_written(), 8);
    }
    #[test]
    fn push_wrap_around_boundary() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"123456"); // write_pos = 6
        buf.push(b"ABCD");  // wraps: 2 at end, 2 at start
        let raw = buf.read_raw();
        // Buffer: [C, D, 3, 4, 5, 6, A, B], write_pos=2
        // Read from pos 2: "3456AB" + wrap: no, read from write_pos to end then start
        assert_eq!(raw, "3456ABCD");
    }
 }
--- a/src-tauri/src/mcp/server.rs
+++ b/src-tauri/src/mcp/server.rs
@ -5,23 +5,14 @@
 use std::sync::Arc;
-use axum::{
+use axum::{extract::State as AxumState, routing::post, Json, Router};
    extract::State as AxumState,
    http::{Request, StatusCode},
    middleware::{self, Next},
    response::Response,
    routing::post,
    Json, Router,
 };
 use serde::{Deserialize, Serialize};
 use tokio::net::TcpListener;
 use crate::mcp::ScrollbackRegistry;
 use crate::rdp::RdpService;
 use crate::sftp::SftpService;
 use crate::ssh::exec::exec_on_session;
 use crate::ssh::session::SshService;
 use crate::utils::shell_escape;
 /// Shared state passed to axum handlers.
 pub struct McpServerState {
@ -29,29 +20,6 @@ pub struct McpServerState {
    pub rdp: RdpService,
    pub sftp: SftpService,
    pub scrollback: ScrollbackRegistry,
    pub app_handle: tauri::AppHandle,
    pub error_watcher: std::sync::Arc<crate::mcp::error_watcher::ErrorWatcher>,
    pub bearer_token: String,
 }
 /// Middleware that validates the `Authorization: Bearer <token>` header.
 async fn auth_middleware(
    AxumState(state): AxumState<Arc<McpServerState>>,
    req: Request<axum::body::Body>,
    next: Next,
 ) -> Result<Response, StatusCode> {
    let auth_header = req
        .headers()
        .get("authorization")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("");
    let expected = format!("Bearer {}", state.bearer_token);
    if auth_header != expected {
        return Err(StatusCode::UNAUTHORIZED);
    }
    Ok(next.run(req).await)
 }
 #[derive(Deserialize)]
@ -84,13 +52,6 @@ struct SftpWriteRequest {
    content: String,
 }
 #[derive(Deserialize)]
 struct TerminalTypeRequest {
    session_id: String,
    text: String,
    press_enter: Option<bool>,
 }
 #[derive(Deserialize)]
 struct TerminalExecuteRequest {
    session_id: String,
@ -187,28 +148,12 @@ async fn handle_screenshot(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<ScreenshotRequest>,
 ) -> Json<McpResponse<String>> {
-    match state.rdp.screenshot_png_base64(&req.session_id) {
+    match state.rdp.screenshot_png_base64(&req.session_id).await {
        Ok(b64) => ok_response(b64),
        Err(e) => err_response(e),
    }
 }
 async fn handle_terminal_type(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<TerminalTypeRequest>,
 ) -> Json<McpResponse<String>> {
    let text = if req.press_enter.unwrap_or(true) {
        format!("{}\r", req.text)
    } else {
        req.text.clone()
    };
    match state.ssh.write(&req.session_id, text.as_bytes()).await {
        Ok(()) => ok_response("sent".to_string()),
        Err(e) => err_response(e),
    }
 }
 async fn handle_terminal_read(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<TerminalReadRequest>,
@ -233,7 +178,7 @@ async fn handle_terminal_execute(
    };
    let before = buf.total_written();
-    let full_cmd = format!("{}\recho {}\r", req.command, marker);
+    let full_cmd = format!("{}\necho {}\n", req.command, marker);
    if let Err(e) = state.ssh.write(&req.session_id, full_cmd.as_bytes()).await {
        return err_response(e);
@ -309,32 +254,30 @@ struct ToolPassgenRequest { length: Option<usize>, uppercase: Option<bool>, lowe
 async fn handle_tool_ping(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
-    match exec_on_session(&session.handle, &format!("ping -c 4 {} 2>&1", shell_escape(&req.target))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
+    match tool_exec(&session.handle, &format!("ping -c 4 {} 2>&1", req.target)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_traceroute(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
-    let t = shell_escape(&req.target);
+    match tool_exec(&session.handle, &format!("traceroute {} 2>&1 || tracert {} 2>&1", req.target, req.target)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
    match exec_on_session(&session.handle, &format!("traceroute {} 2>&1 || tracert {} 2>&1", t, t)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_dns(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolDnsRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
-    let rt = shell_escape(&req.record_type.unwrap_or_else(|| "A".to_string()));
+    let rt = req.record_type.unwrap_or_else(|| "A".to_string());
-    let d = shell_escape(&req.domain);
+    match tool_exec(&session.handle, &format!("dig {} {} +short 2>/dev/null || nslookup -type={} {} 2>/dev/null || host -t {} {} 2>/dev/null", req.domain, rt, rt, req.domain, rt, req.domain)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
    match exec_on_session(&session.handle, &format!("dig {} {} +short 2>/dev/null || nslookup -type={} {} 2>/dev/null || host -t {} {} 2>/dev/null", d, rt, rt, d, rt, d)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_whois(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
-    match exec_on_session(&session.handle, &format!("whois {} 2>&1 | head -80", shell_escape(&req.target))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
+    match tool_exec(&session.handle, &format!("whois {} 2>&1 | head -80", req.target)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_wol(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolWolRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let mac_clean = req.mac_address.replace([':', '-'], "");
-    let cmd = format!(r#"python3 -c "import socket;mac=bytes.fromhex({});pkt=b'\xff'*6+mac*16;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST,1);s.sendto(pkt,('255.255.255.255',9));s.close();print('WoL sent to {}')" 2>&1"#, shell_escape(&mac_clean), shell_escape(&req.mac_address));
+    let cmd = format!(r#"python3 -c "import socket;mac=bytes.fromhex('{}');pkt=b'\xff'*6+mac*16;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST,1);s.sendto(pkt,('255.255.255.255',9));s.close();print('WoL sent to {}')" 2>&1"#, mac_clean, req.mac_address);
-    match exec_on_session(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
+    match tool_exec(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_scan_network(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolScanNetworkRequest>) -> Json<McpResponse<serde_json::Value>> {
@ -365,7 +308,7 @@ async fn handle_tool_subnet(_state: AxumState<Arc<McpServerState>>, Json(req): J
 async fn handle_tool_bandwidth(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionOnly>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let cmd = r#"if command -v speedtest-cli >/dev/null 2>&1; then speedtest-cli --simple 2>&1; elif command -v curl >/dev/null 2>&1; then curl -o /dev/null -w "Download: %{speed_download} bytes/sec\n" https://speed.cloudflare.com/__down?bytes=25000000 2>/dev/null; else echo "No speedtest tool found"; fi"#;
-    match exec_on_session(&session.handle, cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
+    match tool_exec(&session.handle, cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_keygen(_state: AxumState<Arc<McpServerState>>, Json(req): Json<ToolKeygenRequest>) -> Json<McpResponse<serde_json::Value>> {
@ -382,166 +325,18 @@ async fn handle_tool_passgen(_state: AxumState<Arc<McpServerState>>, Json(req):
    }
 }
-// ── Docker handlers ──────────────────────────────────────────────────────────
+async fn tool_exec(handle: &std::sync::Arc<tokio::sync::Mutex<russh::client::Handle<crate::ssh::session::SshClient>>>, cmd: &str) -> Result<String, String> {
-
+    let mut channel = { let h = handle.lock().await; h.channel_open_session().await.map_err(|e| format!("Exec failed: {}", e))? };
-#[derive(Deserialize)]
+    channel.exec(true, cmd).await.map_err(|e| format!("Exec failed: {}", e))?;
-struct DockerActionRequest { session_id: String, action: String, target: String }
+    let mut output = String::new();
-
+    loop {
-#[derive(Deserialize)]
+        match channel.wait().await {
-struct DockerListRequest { session_id: String }
+            Some(russh::ChannelMsg::Data { ref data }) => { if let Ok(t) = std::str::from_utf8(data.as_ref()) { output.push_str(t); } }
-
+            Some(russh::ChannelMsg::Eof) | Some(russh::ChannelMsg::Close) | None => break,
-#[derive(Deserialize)]
+            _ => {}
 struct DockerExecRequest { session_id: String, container: String, command: String }
 async fn handle_docker_ps(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<DockerListRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, "docker ps -a --format '{{.Names}}|{{.Image}}|{{.Status}}|{{.Ports}}' 2>&1").await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_docker_action(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<DockerActionRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let t = shell_escape(&req.target);
    let cmd = match req.action.as_str() {
        "start" => format!("docker start {} 2>&1", t),
        "stop" => format!("docker stop {} 2>&1", t),
        "restart" => format!("docker restart {} 2>&1", t),
        "remove" => format!("docker rm -f {} 2>&1", t),
        "logs" => format!("docker logs --tail 100 {} 2>&1", t),
        "builder-prune" => "docker builder prune -f 2>&1".to_string(),
        "system-prune" => "docker system prune -f 2>&1".to_string(),
        _ => return err_response(format!("Unknown action: {}", req.action)),
    };
    match exec_on_session(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_docker_exec(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<DockerExecRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let cmd = format!("docker exec {} {} 2>&1", shell_escape(&req.container), shell_escape(&req.command));
    match exec_on_session(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 // ── Service/process handlers ─────────────────────────────────────────────────
 async fn handle_service_status(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let t = shell_escape(&req.target);
    match exec_on_session(&session.handle, &format!("systemctl status {} --no-pager 2>&1 || service {} status 2>&1", t, t)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_process_list(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let filter = if req.target.is_empty() { "aux --sort=-%cpu | head -30".to_string() } else { format!("aux | grep -i {} | grep -v grep", shell_escape(&req.target)) };
    match exec_on_session(&session.handle, &format!("ps {}", filter)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 // ── Git handlers ─────────────────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct GitRequest { session_id: String, path: String }
 async fn handle_git_status(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<GitRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("cd {} && git status --short --branch 2>&1", shell_escape(&req.path))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_git_pull(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<GitRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("cd {} && git pull 2>&1", shell_escape(&req.path))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_git_log(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<GitRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("cd {} && git log --oneline -20 2>&1", shell_escape(&req.path))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 // ── Session creation handlers ────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct SshConnectRequest {
    hostname: String,
    port: Option<u16>,
    username: String,
    password: Option<String>,
    private_key_path: Option<String>,
 }
 async fn handle_ssh_connect(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<SshConnectRequest>) -> Json<McpResponse<String>> {
    use crate::ssh::session::AuthMethod;
    let port = req.port.unwrap_or(22);
    let auth = if let Some(key_path) = req.private_key_path {
        // Read key file
        let pem = match std::fs::read_to_string(&key_path) {
            Ok(p) => p,
            Err(e) => return err_response(format!("Failed to read key file {}: {}", key_path, e)),
        };
        AuthMethod::Key { private_key_pem: pem, passphrase: req.password }
    } else {
        AuthMethod::Password(req.password.unwrap_or_default())
    };
    match state.ssh.connect(
        state.app_handle.clone(),
        &req.hostname,
        port,
        &req.username,
        auth,
        120, 40,
        &state.sftp,
        &state.scrollback,
        &state.error_watcher,
    ).await {
        Ok(session_id) => ok_response(session_id),
        Err(e) => err_response(e),
        }
-}
+    }
-
+    Ok(output)
 // ── RDP interaction handlers ─────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct RdpClickRequest { session_id: String, x: u16, y: u16, button: Option<String> }
 #[derive(Deserialize)]
 struct RdpTypeRequest { session_id: String, text: String }
 #[derive(Deserialize)]
 struct RdpClipboardRequest { session_id: String, text: String }
 async fn handle_rdp_click(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<RdpClickRequest>) -> Json<McpResponse<String>> {
    use crate::rdp::input::mouse_flags;
    let button_flag = match req.button.as_deref().unwrap_or("left") {
        "right" => mouse_flags::BUTTON2,
        "middle" => mouse_flags::BUTTON3,
        _ => mouse_flags::BUTTON1,
    };
    // Move to position
    if let Err(e) = state.rdp.send_mouse(&req.session_id, req.x, req.y, mouse_flags::MOVE) { return err_response(e); }
    // Click down
    if let Err(e) = state.rdp.send_mouse(&req.session_id, req.x, req.y, button_flag | mouse_flags::DOWN) { return err_response(e); }
    // Click up
    if let Err(e) = state.rdp.send_mouse(&req.session_id, req.x, req.y, button_flag) { return err_response(e); }
    ok_response(format!("clicked ({}, {})", req.x, req.y))
 }
 async fn handle_rdp_type(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<RdpTypeRequest>) -> Json<McpResponse<String>> {
    // Set clipboard then simulate Ctrl+V to paste (most reliable for arbitrary text)
    if let Err(e) = state.rdp.send_clipboard(&req.session_id, &req.text) { return err_response(e); }
    // Small delay for clipboard to propagate, then Ctrl+V
    tokio::time::sleep(std::time::Duration::from_millis(50)).await;
    // Ctrl down
    let _ = state.rdp.send_key(&req.session_id, 0x001D, true);
    // V down
    let _ = state.rdp.send_key(&req.session_id, 0x002F, true);
    // V up
    let _ = state.rdp.send_key(&req.session_id, 0x002F, false);
    // Ctrl up
    let _ = state.rdp.send_key(&req.session_id, 0x001D, false);
    ok_response(format!("typed {} chars via clipboard paste", req.text.len()))
 }
 async fn handle_rdp_clipboard(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<RdpClipboardRequest>) -> Json<McpResponse<String>> {
    if let Err(e) = state.rdp.send_clipboard(&req.session_id, &req.text) { return err_response(e); }
    ok_response("clipboard set".to_string())
 }
 /// Start the MCP HTTP server and write the port to disk.
@ -550,22 +345,11 @@ pub async fn start_mcp_server(
    rdp: RdpService,
    sftp: SftpService,
    scrollback: ScrollbackRegistry,
    app_handle: tauri::AppHandle,
    error_watcher: std::sync::Arc<crate::mcp::error_watcher::ErrorWatcher>,
 ) -> Result<u16, String> {
-    // Generate a cryptographically random bearer token for authentication
+    let state = Arc::new(McpServerState { ssh, rdp, sftp, scrollback });
    use rand::Rng;
    let bearer_token: String = rand::rng()
        .sample_iter(&rand::distr::Alphanumeric)
        .take(64)
        .map(char::from)
        .collect();
    let state = Arc::new(McpServerState { ssh, rdp, sftp, scrollback, app_handle, error_watcher, bearer_token: bearer_token.clone() });
    let app = Router::new()
        .route("/mcp/sessions", post(handle_list_sessions))
        .route("/mcp/terminal/type", post(handle_terminal_type))
        .route("/mcp/terminal/read", post(handle_terminal_read))
        .route("/mcp/terminal/execute", post(handle_terminal_execute))
        .route("/mcp/screenshot", post(handle_screenshot))
@ -583,19 +367,6 @@ pub async fn start_mcp_server(
        .route("/mcp/tool/bandwidth", post(handle_tool_bandwidth))
        .route("/mcp/tool/keygen", post(handle_tool_keygen))
        .route("/mcp/tool/passgen", post(handle_tool_passgen))
        .route("/mcp/docker/ps", post(handle_docker_ps))
        .route("/mcp/docker/action", post(handle_docker_action))
        .route("/mcp/docker/exec", post(handle_docker_exec))
        .route("/mcp/service/status", post(handle_service_status))
        .route("/mcp/process/list", post(handle_process_list))
        .route("/mcp/git/status", post(handle_git_status))
        .route("/mcp/git/pull", post(handle_git_pull))
        .route("/mcp/git/log", post(handle_git_log))
        .route("/mcp/rdp/click", post(handle_rdp_click))
        .route("/mcp/rdp/type", post(handle_rdp_type))
        .route("/mcp/rdp/clipboard", post(handle_rdp_clipboard))
        .route("/mcp/ssh/connect", post(handle_ssh_connect))
        .layer(middleware::from_fn_with_state(state.clone(), auth_middleware))
        .with_state(state);
    let listener = TcpListener::bind("127.0.0.1:0").await
@ -606,23 +377,10 @@ pub async fn start_mcp_server(
        .port();
    // Write port to well-known location
-    let data_dir = crate::data_directory();
+    let port_file = crate::data_directory().join("mcp-port");
    let port_file = data_dir.join("mcp-port");
    std::fs::write(&port_file, port.to_string())
        .map_err(|e| format!("Failed to write MCP port file: {}", e))?;
    // Write bearer token to a separate file with restrictive permissions
    let token_file = data_dir.join("mcp-token");
    std::fs::write(&token_file, &bearer_token)
        .map_err(|e| format!("Failed to write MCP token file: {}", e))?;
    // Set owner-only read/write permissions (Unix)
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let _ = std::fs::set_permissions(&token_file, std::fs::Permissions::from_mode(0o600));
    }
    tokio::spawn(async move {
        axum::serve(listener, app).await.ok();
    });
--- a/src-tauri/src/rdp/mod.rs
+++ b/src-tauri/src/rdp/mod.rs
@ -8,12 +8,11 @@ use std::sync::atomic::{AtomicBool, Ordering};
 use base64::Engine;
 use dashmap::DashMap;
 use log::{error, info, warn};
 use tauri::Emitter;
 use serde::{Deserialize, Serialize};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio::net::TcpStream;
 use tokio::sync::mpsc;
-
+use tokio::sync::Mutex as TokioMutex;
 use ironrdp::connector::{self, ClientConnector, ConnectionResult, Credentials, DesktopSize};
 use ironrdp::graphics::image_processing::PixelFormat;
@ -63,29 +62,15 @@ enum InputEvent {
        pressed: bool,
    },
    Clipboard(String),
    Resize { width: u16, height: u16 },
    Disconnect,
 }
 /// Dirty rectangle from the last GraphicsUpdate — used for partial frame transfer.
 #[derive(Debug, Clone, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DirtyRect {
    pub x: u16,
    pub y: u16,
    pub width: u16,
    pub height: u16,
 }
 struct RdpSessionHandle {
    id: String,
    hostname: String,
    width: u16,
    height: u16,
-    /// Frame buffer: RDP thread writes via RwLock write, IPC reads via RwLock read.
+    frame_buffer: Arc<TokioMutex<Vec<u8>>>,
    front_buffer: Arc<std::sync::RwLock<Vec<u8>>>,
    /// Accumulated dirty region since last get_frame — union of all GraphicsUpdate rects.
    dirty_region: Arc<std::sync::Mutex<Option<DirtyRect>>>,
    frame_dirty: Arc<AtomicBool>,
    input_tx: mpsc::UnboundedSender<InputEvent>,
 }
@ -101,7 +86,7 @@ impl RdpService {
        }
    }
-    pub fn connect(&self, config: RdpConfig, app_handle: tauri::AppHandle) -> Result<String, String> {
+    pub fn connect(&self, config: RdpConfig) -> Result<String, String> {
        let session_id = uuid::Uuid::new_v4().to_string();
        wraith_log!("[RDP] Connecting to {}:{} as {} (session {})", config.hostname, config.port, config.username, session_id);
        let width = config.width;
@ -113,8 +98,7 @@ impl RdpService {
        for pixel in initial_buf.chunks_exact_mut(4) {
            pixel[3] = 255;
        }
-        let front_buffer = Arc::new(std::sync::RwLock::new(initial_buf));
+        let frame_buffer = Arc::new(TokioMutex::new(initial_buf));
        let dirty_region = Arc::new(std::sync::Mutex::new(None));
        let frame_dirty = Arc::new(AtomicBool::new(false));
        let (input_tx, input_rx) = mpsc::unbounded_channel();
@ -124,8 +108,7 @@ impl RdpService {
            hostname: hostname.clone(),
            width,
            height,
-            front_buffer: front_buffer.clone(),
+            frame_buffer: frame_buffer.clone(),
            dirty_region: dirty_region.clone(),
            frame_dirty: frame_dirty.clone(),
            input_tx,
        });
@ -172,14 +155,11 @@ impl RdpService {
                if let Err(e) = run_active_session(
                    connection_result,
                    framed,
-                    front_buffer,
+                    frame_buffer,
                    dirty_region,
                    frame_dirty,
                    input_rx,
                    width as u16,
                    height as u16,
                    app_handle,
                    sid.clone(),
                )
                .await
                {
@ -217,57 +197,27 @@ impl RdpService {
        Ok(session_id)
    }
-    /// Get the dirty region since the last call. Returns (region_metadata, pixel_bytes).
+    pub async fn get_frame(&self, session_id: &str) -> Result<Vec<u8>, String> {
    /// The pixel bytes contain only the dirty rectangle in row-major RGBA order.
    /// If nothing changed, returns empty bytes. If the dirty region covers >50% of the
    /// frame, falls back to full frame for efficiency (avoids row-by-row extraction).
    pub fn get_frame(&self, session_id: &str) -> Result<(Option<DirtyRect>, Vec<u8>), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
-        if !handle.frame_dirty.swap(false, Ordering::Acquire) {
+        if !handle.frame_dirty.swap(false, Ordering::Relaxed) {
-            return Ok((None, Vec::new()));
+            return Ok(Vec::new()); // No change — return empty
        }
        let buf = handle.frame_buffer.lock().await;
        Ok(buf.clone())
    }
-        let region = handle.dirty_region.lock().unwrap_or_else(|e| e.into_inner()).take();
+    pub async fn get_frame_raw(&self, session_id: &str) -> Result<Vec<u8>, String> {
        let buf = handle.front_buffer.read().unwrap_or_else(|e| e.into_inner());
        let stride = handle.width as usize * 4;
        let total_pixels = handle.width as usize * handle.height as usize;
        match region {
            Some(rect) if (rect.width as usize * rect.height as usize) < total_pixels / 2 => {
                // Partial: extract only the dirty rectangle
                let rw = rect.width as usize;
                let rh = rect.height as usize;
                let rx = rect.x as usize;
                let ry = rect.y as usize;
                let mut out = Vec::with_capacity(rw * rh * 4);
                for row in ry..ry + rh {
                    let start = row * stride + rx * 4;
                    let end = start + rw * 4;
                    if end <= buf.len() {
                        out.extend_from_slice(&buf[start..end]);
                    }
                }
                Ok((Some(rect), out))
            }
            _ => {
                // Full frame: dirty region covers most of the screen or is missing
                Ok((None, buf.clone()))
            }
        }
    }
    pub fn get_frame_raw(&self, session_id: &str) -> Result<Vec<u8>, String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
-        let buf = handle.front_buffer.read().unwrap_or_else(|e| e.into_inner());
+        let buf = handle.frame_buffer.lock().await;
        Ok(buf.clone())
    }
    /// Capture the current RDP frame as a base64-encoded PNG.
-    pub fn screenshot_png_base64(&self, session_id: &str) -> Result<String, String> {
+    pub async fn screenshot_png_base64(&self, session_id: &str) -> Result<String, String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        let width = handle.width as u32;
        let height = handle.height as u32;
-        let buf = handle.front_buffer.read().unwrap_or_else(|e| e.into_inner());
+        let buf = handle.frame_buffer.lock().await;
        // Encode RGBA raw bytes to PNG (fast compression for speed)
        let mut png_data = Vec::new();
@ -300,19 +250,6 @@ impl RdpService {
        handle.input_tx.send(InputEvent::Key { scancode, pressed }).map_err(|_| format!("RDP session {} input channel closed", session_id))
    }
    pub fn force_refresh(&self, session_id: &str) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        // Clear any accumulated dirty region so get_frame returns the full buffer
        *handle.dirty_region.lock().unwrap_or_else(|e| e.into_inner()) = None;
        handle.frame_dirty.store(true, Ordering::Release);
        Ok(())
    }
    pub fn resize(&self, session_id: &str, width: u16, height: u16) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        handle.input_tx.send(InputEvent::Resize { width, height }).map_err(|_| format!("RDP session {} input channel closed", session_id))
    }
    pub fn disconnect(&self, session_id: &str) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        let _ = handle.input_tx.send(InputEvent::Disconnect);
@ -366,11 +303,7 @@ fn build_connector_config(config: &RdpConfig) -> Result<connector::Config, Strin
        request_data: None,
        autologon: false,
        enable_audio_playback: false,
-        performance_flags: PerformanceFlags::DISABLE_WALLPAPER
+        performance_flags: PerformanceFlags::default(),
            | PerformanceFlags::DISABLE_MENUANIMATIONS
            | PerformanceFlags::DISABLE_CURSOR_SHADOW
            | PerformanceFlags::ENABLE_FONT_SMOOTHING
            | PerformanceFlags::ENABLE_DESKTOP_COMPOSITION,
        desktop_scale_factor: 0,
        hardware_id: None,
        license_cache: None,
@ -400,7 +333,7 @@ async fn establish_connection(config: connector::Config, hostname: &str, port: u
    Ok((connection_result, upgraded_framed))
 }
-async fn run_active_session(connection_result: ConnectionResult, framed: UpgradedFramed, front_buffer: Arc<std::sync::RwLock<Vec<u8>>>, dirty_region: Arc<std::sync::Mutex<Option<DirtyRect>>>, frame_dirty: Arc<AtomicBool>, mut input_rx: mpsc::UnboundedReceiver<InputEvent>, mut width: u16, mut height: u16, app_handle: tauri::AppHandle, session_id: String) -> Result<(), String> {
+async fn run_active_session(connection_result: ConnectionResult, framed: UpgradedFramed, frame_buffer: Arc<TokioMutex<Vec<u8>>>, frame_dirty: Arc<AtomicBool>, mut input_rx: mpsc::UnboundedReceiver<InputEvent>, width: u16, height: u16) -> Result<(), String> {
    let (mut reader, mut writer) = split_tokio_framed(framed);
    let mut image = DecodedImage::new(PixelFormat::RgbA32, width, height);
    let mut active_stage = ActiveStage::new(connection_result);
@ -452,68 +385,17 @@ async fn run_active_session(connection_result: ConnectionResult, framed: Upgrade
                        }
                        all_outputs
                    }
                    Some(InputEvent::Resize { width: new_w, height: new_h }) => {
                        // Ensure dimensions are within RDP spec (200-8192, even width)
                        let w = (new_w.max(200).min(8192) & !1) as u32;
                        let h = new_h.max(200).min(8192) as u32;
                        if let Some(Ok(resize_frame)) = active_stage.encode_resize(w, h, None, None) {
                            writer.write_all(&resize_frame).await.map_err(|e| format!("Failed to send resize: {}", e))?;
                            // Reallocate image and front buffer for new dimensions
                            image = DecodedImage::new(PixelFormat::RgbA32, w as u16, h as u16);
                            let buf_size = w as usize * h as usize * 4;
                            let mut new_buf = vec![0u8; buf_size];
                            for pixel in new_buf.chunks_exact_mut(4) { pixel[3] = 255; }
                            *front_buffer.write().unwrap_or_else(|e| e.into_inner()) = new_buf;
                            width = w as u16;
                            height = h as u16;
                            info!("RDP session {} resized to {}x{}", session_id, width, height);
                        }
                        Vec::new()
                    }
                }
            }
        };
        for out in outputs {
            match out {
                ActiveStageOutput::ResponseFrame(frame) => { writer.write_all(&frame).await.map_err(|e| format!("Failed to write RDP response frame: {}", e))?; }
-                ActiveStageOutput::GraphicsUpdate(region) => {
+                ActiveStageOutput::GraphicsUpdate(_region) => {
-                    let rx = region.left as usize;
+                    let mut buf = frame_buffer.lock().await;
                    let ry = region.top as usize;
                    let rr = (region.right as usize).saturating_add(1).min(width as usize);
                    let rb = (region.bottom as usize).saturating_add(1).min(height as usize);
                    let stride = width as usize * 4;
                    // Copy only the dirty rectangle rows from decoded image → front buffer
                    {
                    let src = image.data();
-                        let mut front = front_buffer.write().unwrap_or_else(|e| e.into_inner());
+                    if src.len() == buf.len() { buf.copy_from_slice(src); } else { *buf = src.to_vec(); }
-                        for row in ry..rb {
+                    frame_dirty.store(true, Ordering::Relaxed);
                            let src_start = row * stride + rx * 4;
                            let src_end = row * stride + rr * 4;
                            if src_end <= src.len() && src_end <= front.len() {
                                front[src_start..src_end].copy_from_slice(&src[src_start..src_end]);
                            }
                        }
                    }
                    // Accumulate dirty region (union of all rects since last get_frame)
                    {
                        let new_rect = DirtyRect { x: rx as u16, y: ry as u16, width: (rr - rx) as u16, height: (rb - ry) as u16 };
                        let mut dr = dirty_region.lock().unwrap_or_else(|e| e.into_inner());
                        *dr = Some(match dr.take() {
                            None => new_rect,
                            Some(prev) => {
                                let x = prev.x.min(new_rect.x);
                                let y = prev.y.min(new_rect.y);
                                let r = (prev.x + prev.width).max(new_rect.x + new_rect.width);
                                let b = (prev.y + prev.height).max(new_rect.y + new_rect.height);
                                DirtyRect { x, y, width: r - x, height: b - y }
                            }
                        });
                    }
                    frame_dirty.store(true, Ordering::Release);
                    let _ = app_handle.emit(&format!("rdp:frame:{}", session_id), ());
                }
                ActiveStageOutput::Terminate(reason) => { info!("RDP session terminated: {:?}", reason); return Ok(()); }
                ActiveStageOutput::DeactivateAll(_) => { warn!("RDP server sent DeactivateAll — reconnection not yet implemented"); return Ok(()); }
--- a/src-tauri/src/scanner/mod.rs
+++ b/src-tauri/src/scanner/mod.rs
@ -12,7 +12,6 @@ use serde::Serialize;
 use tokio::sync::Mutex as TokioMutex;
 use crate::ssh::session::SshClient;
 use crate::utils::shell_escape;
 #[derive(Debug, Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
@ -64,44 +63,18 @@ fn service_name(port: u16) -> &'static str {
    }
 }
 /// Validate that `subnet` contains exactly three dot-separated octet groups,
 /// each consisting only of 1–3 ASCII digits (e.g. "192.168.1").
 /// Returns an error string if the format is invalid.
 fn validate_subnet(subnet: &str) -> Result<(), String> {
    let parts: Vec<&str> = subnet.split('.').collect();
    if parts.len() != 3 {
        return Err(format!(
            "Invalid subnet '{}': expected three octets (e.g. 192.168.1)",
            subnet
        ));
    }
    for part in &parts {
        if part.is_empty() || part.len() > 3 || !part.chars().all(|c| c.is_ascii_digit()) {
            return Err(format!(
                "Invalid subnet '{}': each octet must be 1–3 decimal digits",
                subnet
            ));
        }
    }
    Ok(())
 }
 /// Discover hosts on the remote network using ARP table and ping sweep.
 pub async fn scan_network(
    handle: &Arc<TokioMutex<Handle<SshClient>>>,
    subnet: &str,
 ) -> Result<Vec<DiscoveredHost>, String> {
    // Validate subnet format before using it in remote shell commands.
    validate_subnet(subnet)?;
    // Script that works on Linux and macOS:
    // 1. Ping sweep the subnet to populate ARP cache
    // 2. Read ARP table for IP/MAC pairs
    // 3. Try reverse DNS for hostnames
    let escaped_subnet = shell_escape(subnet);
    let script = format!(r#"
 OS=$(uname -s 2>/dev/null)
-SUBNET={escaped_subnet}
+SUBNET="{subnet}"
 # Ping sweep (background, fast)
 if [ "$OS" = "Linux" ]; then
@ -178,12 +151,6 @@ pub async fn scan_ports(
    target: &str,
    ports: &[u16],
 ) -> Result<Vec<PortResult>, String> {
    // Validate target — /dev/tcp requires a bare hostname/IP, not a shell-quoted value.
    // Only allow alphanumeric, dots, hyphens, and colons (for IPv6).
    if !target.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-' || c == ':') {
        return Err(format!("Invalid target for port scan: {}", target));
    }
    // Use bash /dev/tcp for port scanning — no nmap required
    let port_checks: Vec<String> = ports.iter()
        .map(|p| format!(
--- a/src-tauri/src/settings/mod.rs
+++ b/src-tauri/src/settings/mod.rs
@ -8,7 +8,6 @@ use crate::db::Database;
 ///
 /// All operations acquire the shared DB mutex for their duration and
 /// return immediately — no async needed for a local SQLite store.
 #[derive(Clone)]
 pub struct SettingsService {
    db: Database,
 }
--- a/src-tauri/src/sftp/mod.rs
+++ b/src-tauri/src/sftp/mod.rs
@ -5,6 +5,7 @@
 //! provides all file operations needed by the frontend.
 use std::sync::Arc;
 use std::time::{Duration, UNIX_EPOCH};
 use dashmap::DashMap;
 use log::{debug, info};
@ -34,6 +35,9 @@ pub struct FileEntry {
 /// Format a Unix timestamp (seconds since epoch) as "Mon DD HH:MM".
 fn format_mtime(unix_secs: u32) -> String {
    // Build a SystemTime from the raw epoch value.
    let st = UNIX_EPOCH + Duration::from_secs(unix_secs as u64);
    // Convert to seconds-since-epoch for manual formatting.  We avoid pulling
    // in chrono just for this; a simple manual decomposition is sufficient for
    // the "Mar 17 14:30" display format expected by the frontend.
@ -50,10 +54,12 @@ fn format_mtime(unix_secs: u32) -> String {
    let era = if z >= 0 { z } else { z - 146_096 } / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let y = yoe + era * 400;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let _y = if m <= 2 { y + 1 } else { y };
    let month = match m {
        1 => "Jan",
@ -71,6 +77,9 @@ fn format_mtime(unix_secs: u32) -> String {
        _ => "???",
    };
    // Suppress unused variable warning — st is only used as a sanity anchor.
    let _ = st;
    format!("{} {:2} {:02}:{:02}", month, d, hours, minutes)
 }
@ -310,7 +319,7 @@ impl SftpService {
    ) -> Result<Arc<TokioMutex<SftpSession>>, String> {
        self.clients
            .get(session_id)
-            .map(|r| r.value().clone())
+            .map(|r| r.clone())
            .ok_or_else(|| format!("No SFTP client for session {}", session_id))
    }
 }
--- a/src-tauri/src/ssh/cwd.rs
+++ b/src-tauri/src/ssh/cwd.rs
@ -16,7 +16,6 @@ use russh::ChannelMsg;
 use tauri::{AppHandle, Emitter};
 use tokio::sync::watch;
 use tokio::sync::Mutex as TokioMutex;
 use tokio_util::sync::CancellationToken;
 use crate::ssh::session::SshClient;
@ -40,15 +39,13 @@ impl CwdTracker {
    /// Spawn a background tokio task that polls `pwd` every 2 seconds on a
    /// separate exec channel.
    ///
-    /// The task runs until cancelled via the `CancellationToken`, or until the
+    /// The task runs until the SSH connection is closed or the channel cannot
-    /// SSH connection is closed or the channel cannot be opened.
+    /// be opened. CWD changes are emitted as `ssh:cwd:{session_id}` events.
    /// CWD changes are emitted as `ssh:cwd:{session_id}` events.
    pub fn start(
        &self,
        handle: Arc<TokioMutex<Handle<SshClient>>>,
        app_handle: AppHandle,
        session_id: String,
        cancel: CancellationToken,
    ) {
        let sender = self._sender.clone();
@ -59,10 +56,6 @@ impl CwdTracker {
            let mut previous_cwd = String::new();
            loop {
                if cancel.is_cancelled() {
                    break;
                }
                // Open a fresh exec channel for each `pwd` invocation.
                // Some SSH servers do not allow multiple exec requests on a
                // single channel, so we open a new one each time.
@ -126,11 +119,8 @@ impl CwdTracker {
                    }
                }
-                // Wait 2 seconds before the next poll, or cancel.
+                // Wait 2 seconds before the next poll.
-                tokio::select! {
+                tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
                    _ = tokio::time::sleep(tokio::time::Duration::from_secs(2)) => {}
                    _ = cancel.cancelled() => { break; }
                }
            }
            debug!("CWD tracker for session {} stopped", session_id);
--- a/src-tauri/src/ssh/exec.rs
+++ b/src-tauri/src/ssh/exec.rs
@ -1,51 +0,0 @@
 //! Shared SSH exec-channel helper used by commands, MCP handlers, and tools.
 //!
 //! Opens a one-shot exec channel on an existing SSH handle, runs `cmd`, collects
 //! all stdout/stderr, and returns it as a `String`.  The caller is responsible
 //! for ensuring the session is still alive.
 use std::sync::Arc;
 use tokio::sync::Mutex as TokioMutex;
 use crate::ssh::session::SshClient;
 /// Execute `cmd` on a separate exec channel and return all output as a `String`.
 ///
 /// Locks the handle for only as long as it takes to open the channel, then
 /// releases it before reading — this avoids holding the lock while waiting on
 /// remote I/O.
 pub async fn exec_on_session(
    handle: &Arc<TokioMutex<russh::client::Handle<SshClient>>>,
    cmd: &str,
 ) -> Result<String, String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session()
            .await
            .map_err(|e| format!("Exec channel failed: {}", e))?
    };
    channel
        .exec(true, cmd)
        .await
        .map_err(|e| format!("Exec failed: {}", e))?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(russh::ChannelMsg::Data { ref data }) => {
                if let Ok(text) = std::str::from_utf8(data.as_ref()) {
                    output.push_str(text);
                }
            }
            Some(russh::ChannelMsg::Eof)
            | Some(russh::ChannelMsg::Close)
            | None => break,
            Some(russh::ChannelMsg::ExitStatus { .. }) => {}
            _ => {}
        }
    }
    Ok(output)
 }
--- a/src-tauri/src/ssh/mod.rs
+++ b/src-tauri/src/ssh/mod.rs
@ -2,4 +2,3 @@ pub mod session;
 pub mod host_key;
 pub mod cwd;
 pub mod monitor;
 pub mod exec;
--- a/src-tauri/src/ssh/monitor.rs
+++ b/src-tauri/src/ssh/monitor.rs
@ -6,13 +6,11 @@
 use std::sync::Arc;
 use log::warn;
 use russh::client::Handle;
 use russh::ChannelMsg;
 use serde::Serialize;
 use tauri::{AppHandle, Emitter};
 use tokio::sync::Mutex as TokioMutex;
 use tokio_util::sync::CancellationToken;
 use crate::ssh::session::SshClient;
@ -32,53 +30,26 @@ pub struct SystemStats {
 }
 /// Spawn a background task that polls system stats every 5 seconds.
 ///
 /// The task runs until cancelled via the `CancellationToken`, or until the
 /// SSH connection is closed.
 pub fn start_monitor(
    handle: Arc<TokioMutex<Handle<SshClient>>>,
    app_handle: AppHandle,
    session_id: String,
    cancel: CancellationToken,
 ) {
    tokio::spawn(async move {
        // Brief delay to let the shell start up
        tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
        let mut consecutive_timeouts: u32 = 0;
        loop {
            if cancel.is_cancelled() {
                break;
            }
            let stats = collect_stats(&handle).await;
-            match stats {
+            if let Some(stats) = stats {
                Some(stats) => {
                    consecutive_timeouts = 0;
                let _ = app_handle.emit(
                    &format!("ssh:monitor:{}", session_id),
                    &stats,
                );
            }
                None => {
                    consecutive_timeouts += 1;
                    if consecutive_timeouts >= 3 {
                        warn!(
                            "SSH monitor for session {}: 3 consecutive failures, stopping",
                            session_id
                        );
                        break;
                    }
                }
            }
-            // Wait 5 seconds before the next poll, or cancel.
+            tokio::time::sleep(tokio::time::Duration::from_secs(5)).await;
            tokio::select! {
                _ = tokio::time::sleep(tokio::time::Duration::from_secs(5)) => {}
                _ = cancel.cancelled() => { break; }
            }
        }
    });
 }
@ -154,24 +125,7 @@ fn parse_stats(raw: &str) -> Option<SystemStats> {
    })
 }
 /// Execute a command on a separate exec channel with a 10-second timeout.
 async fn exec_command(handle: &Arc<TokioMutex<Handle<SshClient>>>, cmd: &str) -> Option<String> {
    let result = tokio::time::timeout(
        std::time::Duration::from_secs(10),
        exec_command_inner(handle, cmd),
    )
    .await;
    match result {
        Ok(output) => output,
        Err(_) => {
            warn!("SSH monitor exec_command timed out after 10s");
            None
        }
    }
 }
 async fn exec_command_inner(handle: &Arc<TokioMutex<Handle<SshClient>>>, cmd: &str) -> Option<String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session().await.ok()?
--- a/src-tauri/src/ssh/session.rs
+++ b/src-tauri/src/ssh/session.rs
@ -17,7 +17,6 @@ use crate::mcp::error_watcher::ErrorWatcher;
 use crate::sftp::SftpService;
 use crate::ssh::cwd::CwdTracker;
 use crate::ssh::host_key::{HostKeyResult, HostKeyStore};
 use tokio_util::sync::CancellationToken;
 pub enum AuthMethod {
    Password(String),
@ -48,7 +47,6 @@ pub struct SshSession {
    pub handle: Arc<TokioMutex<Handle<SshClient>>>,
    pub command_tx: mpsc::UnboundedSender<ChannelCommand>,
    pub cwd_tracker: Option<CwdTracker>,
    pub cancel_token: CancellationToken,
 }
 pub struct SshClient {
@ -137,11 +135,10 @@ impl SshService {
        let channel_id = channel.id();
        let handle = Arc::new(TokioMutex::new(handle));
        let (command_tx, mut command_rx) = mpsc::unbounded_channel::<ChannelCommand>();
        let cancel_token = CancellationToken::new();
        let cwd_tracker = CwdTracker::new();
-        cwd_tracker.start(handle.clone(), app_handle.clone(), session_id.clone(), cancel_token.clone());
+        cwd_tracker.start(handle.clone(), app_handle.clone(), session_id.clone());
-        let session = Arc::new(SshSession { id: session_id.clone(), hostname: hostname.to_string(), port, username: username.to_string(), channel_id, handle: handle.clone(), command_tx: command_tx.clone(), cwd_tracker: Some(cwd_tracker), cancel_token: cancel_token.clone() });
+        let session = Arc::new(SshSession { id: session_id.clone(), hostname: hostname.to_string(), port, username: username.to_string(), channel_id, handle: handle.clone(), command_tx: command_tx.clone(), cwd_tracker: Some(cwd_tracker) });
        self.sessions.insert(session_id.clone(), session);
        {   let h = handle.lock().await;
@ -161,7 +158,7 @@ impl SshService {
        error_watcher.watch(&session_id);
        // Start remote monitoring if enabled (runs on a separate exec channel)
-        crate::ssh::monitor::start_monitor(handle.clone(), app_handle.clone(), session_id.clone(), cancel_token.clone());
+        crate::ssh::monitor::start_monitor(handle.clone(), app_handle.clone(), session_id.clone());
        // Inject OSC 7 CWD reporting hook into the user's shell.
        // This enables SFTP CWD following on all platforms (Linux, macOS, FreeBSD).
@ -249,8 +246,6 @@ impl SshService {
    pub async fn disconnect(&self, session_id: &str, sftp_service: &SftpService) -> Result<(), String> {
        let (_, session) = self.sessions.remove(session_id).ok_or_else(|| format!("Session {} not found", session_id))?;
        // Cancel background tasks (CWD tracker, monitor) before tearing down the connection.
        session.cancel_token.cancel();
        let _ = session.command_tx.send(ChannelCommand::Shutdown);
        {   let handle = session.handle.lock().await; let _ = handle.disconnect(Disconnect::ByApplication, "", "en").await; }
        sftp_service.remove_client(session_id);
@ -258,7 +253,7 @@ impl SshService {
    }
    pub fn get_session(&self, session_id: &str) -> Option<Arc<SshSession>> {
-        self.sessions.get(session_id).map(|r| r.value().clone())
+        self.sessions.get(session_id).map(|entry| entry.clone())
    }
    pub fn list_sessions(&self) -> Vec<SessionInfo> {
@ -405,23 +400,22 @@ fn extract_osc7_cwd(data: &[u8]) -> Option<String> {
 }
 fn percent_decode(input: &str) -> String {
-    let mut bytes: Vec<u8> = Vec::with_capacity(input.len());
+    let mut output = String::with_capacity(input.len());
    let mut chars = input.chars();
    while let Some(ch) = chars.next() {
        if ch == '%' {
            let hex: String = chars.by_ref().take(2).collect();
            if let Ok(byte) = u8::from_str_radix(&hex, 16) {
-                bytes.push(byte);
+                output.push(byte as char);
            } else {
-                bytes.extend_from_slice(b"%");
+                output.push('%');
-                bytes.extend_from_slice(hex.as_bytes());
+                output.push_str(&hex);
            }
        } else {
-            let mut buf = [0u8; 4];
+            output.push(ch);
            bytes.extend_from_slice(ch.encode_utf8(&mut buf).as_bytes());
        }
    }
-    String::from_utf8_lossy(&bytes).into_owned()
+    output
 }
 /// Resolve a private key string — if it looks like PEM content, return as-is.
--- a/src-tauri/src/theme/mod.rs
+++ b/src-tauri/src/theme/mod.rs
@ -59,7 +59,6 @@ struct BuiltinTheme {
 // ── service ───────────────────────────────────────────────────────────────────
 #[derive(Clone)]
 pub struct ThemeService {
    db: Database,
 }
@ -254,7 +253,7 @@ impl ThemeService {
                    t.bright_blue, t.bright_magenta, t.bright_cyan, t.bright_white,
                ],
            ) {
-                wraith_log!("theme::seed_builtins: failed to seed '{}': {}", t.name, e);
+                eprintln!("theme::seed_builtins: failed to seed '{}': {}", t.name, e);
            }
        }
    }
@ -273,7 +272,7 @@ impl ThemeService {
        ) {
            Ok(s) => s,
            Err(e) => {
-                wraith_log!("theme::list: failed to prepare query: {}", e);
+                eprintln!("theme::list: failed to prepare query: {}", e);
                return vec![];
            }
        };
@ -281,12 +280,12 @@ impl ThemeService {
        match stmt.query_map([], map_theme_row) {
            Ok(rows) => rows
                .filter_map(|r| {
-                    r.map_err(|e| wraith_log!("theme::list: row error: {}", e))
+                    r.map_err(|e| eprintln!("theme::list: row error: {}", e))
                        .ok()
                })
                .collect(),
            Err(e) => {
-                wraith_log!("theme::list: query failed: {}", e);
+                eprintln!("theme::list: query failed: {}", e);
                vec![]
            }
        }
--- a/src-tauri/src/utils.rs
+++ b/src-tauri/src/utils.rs
@ -1,19 +0,0 @@
 //! Shared utility functions.
 /// Escape a string for safe interpolation into a POSIX shell command.
 ///
 /// Wraps the input in single quotes and escapes any embedded single quotes
 /// using the `'\''` technique. This prevents command injection when building
 /// shell commands from user-supplied values.
 ///
 /// # Examples
 ///
 /// ```
 /// # use wraith_lib::utils::shell_escape;
 /// assert_eq!(shell_escape("hello"), "'hello'");
 /// assert_eq!(shell_escape("it's"), "'it'\\''s'");
 /// assert_eq!(shell_escape(";rm -rf /"), "';rm -rf /'");
 /// ```
 pub fn shell_escape(input: &str) -> String {
    format!("'{}'", input.replace('\'', "'\\''"))
 }
--- a/src-tauri/src/vault/mod.rs
+++ b/src-tauri/src/vault/mod.rs
@ -4,7 +4,6 @@ use aes_gcm::{
    Aes256Gcm, Key, Nonce,
 };
 use argon2::{Algorithm, Argon2, Params, Version};
 use zeroize::Zeroizing;
 // ---------------------------------------------------------------------------
 // VaultService
@ -22,18 +21,18 @@ use zeroize::Zeroizing;
 /// The version prefix allows a future migration to a different algorithm
 /// without breaking existing stored blobs.
 pub struct VaultService {
-    key: Zeroizing<[u8; 32]>,
+    key: [u8; 32],
 }
 impl VaultService {
-    pub fn new(key: Zeroizing<[u8; 32]>) -> Self {
+    pub fn new(key: [u8; 32]) -> Self {
        Self { key }
    }
    /// Encrypt `plaintext` and return a `v1:{iv_hex}:{sealed_hex}` blob.
    pub fn encrypt(&self, plaintext: &str) -> Result<String, String> {
        // Build the AES-256-GCM cipher from our key.
-        let key = Key::<Aes256Gcm>::from_slice(&*self.key);
+        let key = Key::<Aes256Gcm>::from_slice(&self.key);
        let cipher = Aes256Gcm::new(key);
        // Generate a random 12-byte nonce (96-bit is the GCM standard).
@ -72,7 +71,7 @@ impl VaultService {
            ));
        }
-        let key = Key::<Aes256Gcm>::from_slice(&*self.key);
+        let key = Key::<Aes256Gcm>::from_slice(&self.key);
        let cipher = Aes256Gcm::new(key);
        let nonce = Nonce::from_slice(&iv_bytes);
@ -96,7 +95,7 @@ impl VaultService {
 ///   t = 3 iterations
 ///   m = 65536 KiB (64 MiB) memory
 ///   p = 4 parallelism lanes
-pub fn derive_key(password: &str, salt: &[u8]) -> Zeroizing<[u8; 32]> {
+pub fn derive_key(password: &str, salt: &[u8]) -> [u8; 32] {
    let params = Params::new(
        65536, // m_cost: 64 MiB
        3,     // t_cost: iterations
@ -107,9 +106,9 @@ pub fn derive_key(password: &str, salt: &[u8]) -> Zeroizing<[u8; 32]> {
    let argon2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
-    let mut output_key = Zeroizing::new([0u8; 32]);
+    let mut output_key = [0u8; 32];
    argon2
-        .hash_password_into(password.as_bytes(), salt, &mut *output_key)
+        .hash_password_into(password.as_bytes(), salt, &mut output_key)
        .expect("Argon2id key derivation failed");
    output_key
--- a/src-tauri/src/workspace/mod.rs
+++ b/src-tauri/src/workspace/mod.rs
@ -24,7 +24,6 @@ pub struct WorkspaceSnapshot {
 const SNAPSHOT_KEY: &str = "workspace_snapshot";
 const CLEAN_SHUTDOWN_KEY: &str = "clean_shutdown";
 #[derive(Clone)]
 pub struct WorkspaceService {
    settings: SettingsService,
 }
@ -48,7 +47,7 @@ impl WorkspaceService {
    pub fn load(&self) -> Option<WorkspaceSnapshot> {
        let json = self.settings.get(SNAPSHOT_KEY)?;
        serde_json::from_str(&json)
-            .map_err(|e| wraith_log!("workspace::load: failed to deserialize snapshot: {e}"))
+            .map_err(|e| eprintln!("workspace::load: failed to deserialize snapshot: {e}"))
            .ok()
    }
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@ -18,14 +18,13 @@
        "minHeight": 600,
        "decorations": true,
        "resizable": true,
-        "dragDropEnabled": false,
+        "dragDropEnabled": false
        "additionalBrowserArgs": "--enable-gpu-rasterization --enable-zero-copy --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection"
      }
    ],
    "security": {
      "csp": null
    },
-    "withGlobalTauri": false
+    "withGlobalTauri": true
  },
  "bundle": {
    "active": true,
@ -53,7 +52,7 @@
    "updater": {
      "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDNCRkQ2OUY2OEY0Q0ZFQkYKUldTLy9reVA5bW45T3dUQ1R5OFNCenVhL2srTXlLcHR4cFNaeCtJSmJUSTZKSUNHVTRIbWZwanEK",
      "endpoints": [
-        "https://files.command.vigilcyber.com/wraith/update.json"
+        "https://git.command.vigilcyber.com/api/packages/vstockwell/generic/wraith/latest/update.json"
      ]
    }
  }
--- a/src/App.vue
+++ b/src/App.vue
@ -1,65 +1,48 @@
 <script setup lang="ts">
-import { ref, onMounted, onErrorCaptured, defineAsyncComponent } from "vue";
+import { ref, onMounted, defineAsyncComponent } from "vue";
 import { useAppStore } from "@/stores/app.store";
 import UnlockLayout from "@/layouts/UnlockLayout.vue";
 import ToolWindow from "@/components/tools/ToolWindow.vue";
-const MainLayout = defineAsyncComponent({
+const MainLayout = defineAsyncComponent(
-  loader: () => import("@/layouts/MainLayout.vue"),
+  () => import("@/layouts/MainLayout.vue")
-  onError(error) { console.error("[App] MainLayout load failed:", error); },
+);
-});
+const ToolWindow = defineAsyncComponent(
-const DetachedSession = defineAsyncComponent({
+  () => import("@/components/tools/ToolWindow.vue")
-  loader: () => import("@/components/session/DetachedSession.vue"),
+);
-  onError(error) { console.error("[App] DetachedSession load failed:", error); },
+const DetachedSession = defineAsyncComponent(
-});
+  () => import("@/components/session/DetachedSession.vue")
 );
 const app = useAppStore();
 const appError = ref<string | null>(null);
 // Tool window mode — detected from URL hash: #/tool/network-scanner?sessionId=abc
 const isToolMode = ref(false);
 const isDetachedMode = ref(false);
 const toolName = ref("");
 const toolSessionId = ref("");
-onErrorCaptured((err) => {
+onMounted(async () => {
-  appError.value = err instanceof Error ? err.message : String(err);
+  const hash = window.location.hash;
  console.error("[App] Uncaught error:", err);
  return false;
 });
 /** Parse hash and set mode flags. Called on mount and on hashchange. */
 function applyHash(hash: string): void {
  if (hash.startsWith("#/tool/")) {
    isToolMode.value = true;
-    const rest = hash.substring(7);
+    const rest = hash.substring(7); // after "#/tool/"
    const [name, query] = rest.split("?");
    toolName.value = name;
    toolSessionId.value = new URLSearchParams(query || "").get("sessionId") || "";
  } else if (hash.startsWith("#/detached-session")) {
    isDetachedMode.value = true;
-  }
+  } else {
 }
 onMounted(async () => {
  // Check hash at load time (present if JS-side WebviewWindow set it in the URL)
  applyHash(window.location.hash);
  // Also listen for hash changes (Rust-side window sets hash via eval after load)
  window.addEventListener("hashchange", () => applyHash(window.location.hash));
  // Only init vault for the main app window (no hash)
  if (!isToolMode.value && !isDetachedMode.value) {
    await app.checkVaultState();
  }
 });
 </script>
 <template>
-  <div v-if="appError" class="fixed inset-0 z-50 flex items-center justify-center bg-[#0d1117] text-red-400 p-8 text-sm font-mono whitespace-pre-wrap">
+  <!-- Detached session window mode -->
-    {{ appError }}
+  <DetachedSession v-if="isDetachedMode" />
-  </div>
+  <!-- Tool popup window mode -->
  <DetachedSession v-else-if="isDetachedMode" />
  <ToolWindow v-else-if="isToolMode" :tool="toolName" :session-id="toolSessionId" />
  <!-- Normal app mode -->
  <div v-else class="app-root">
    <UnlockLayout v-if="!app.isUnlocked" />
    <MainLayout v-else />
--- a/src/assets/css/terminal.css
+++ b/src/assets/css/terminal.css
@ -2,7 +2,7 @@
 .terminal-container {
  width: 100%;
-  min-height: 0;
+  height: 100%;
  position: relative;
  overflow: hidden;
  background: var(--wraith-bg-primary);
@ -20,16 +20,14 @@
  height: 100%;
 }
-/* WKWebView focus fix: xterm.js hides its helper textarea with opacity: 0,
+/* Selection styling */
-   width/height: 0, left: -9999em. macOS WKWebView doesn't reliably focus
+.terminal-container .xterm-selection div {
-   elements with zero dimensions positioned off-screen. Override to keep it
+  background-color: rgba(88, 166, 255, 0.3) !important;
-   within the viewport with non-zero dimensions so focus events fire. */
+}
-.terminal-container .xterm .xterm-helper-textarea {
+
-  left: 0 !important;
+/* Cursor styling */
-  top: 0 !important;
+.terminal-container .xterm-cursor-layer {
-  width: 1px !important;
+  z-index: 4;
  height: 1px !important;
  opacity: 0.01 !important;
 }
 /* Scrollbar inside terminal */
--- a/src/components/ai/CopilotPanel.vue
+++ b/src/components/ai/CopilotPanel.vue
@ -203,12 +203,10 @@ async function launch(): Promise<void> {
    });
    connected.value = true;
-    // Instantiate terminal synchronously (before any further awaits) now that
+    await nextTick();
    // sessionId is known. Cleanup is owned by this component's onBeforeUnmount.
    terminalInstance = useTerminal(sessionId, "pty");
-    nextTick(() => {
+    if (containerRef.value) {
-      if (containerRef.value && terminalInstance) {
+      terminalInstance = useTerminal(sessionId, "pty");
      terminalInstance.mount(containerRef.value);
      // Fit after mount to get real dimensions, then resize the PTY
@ -224,7 +222,6 @@ async function launch(): Promise<void> {
        }
      }, 50);
    }
    });
    // Listen for shell exit
    closeUnlisten = await listen(`pty:close:${sessionId}`, () => {
--- a/src/components/common/CommandPalette.vue
+++ b/src/components/common/CommandPalette.vue
@ -116,9 +116,9 @@ const connectionStore = useConnectionStore();
 const sessionStore = useSessionStore();
 const emit = defineEmits<{
-  "open-import": [];
+  (e: "open-import"): void;
-  "open-settings": [];
+  (e: "open-settings"): void;
-  "open-new-connection": [protocol?: "ssh" | "rdp"];
+  (e: "open-new-connection", protocol?: "ssh" | "rdp"): void;
 }>();
 const actions: PaletteAction[] = [
--- a/src/components/common/SettingsModal.vue
+++ b/src/components/common/SettingsModal.vue
@ -422,16 +422,9 @@ watch(
  () => settings.value.defaultProtocol,
  (val) => invoke("set_setting", { key: "default_protocol", value: val }).catch(console.error),
 );
 let sidebarWidthDebounce: ReturnType<typeof setTimeout>;
 watch(
  () => settings.value.sidebarWidth,
-  (val) => {
+  (val) => invoke("set_setting", { key: "sidebar_width", value: String(val) }).catch(console.error),
    clearTimeout(sidebarWidthDebounce);
    sidebarWidthDebounce = setTimeout(
      () => invoke("set_setting", { key: "sidebar_width", value: String(val) }).catch(console.error),
      300,
    );
  },
 );
 watch(
  () => settings.value.terminalTheme,
--- a/src/components/common/StatusBar.vue
+++ b/src/components/common/StatusBar.vue
@ -1,5 +1,5 @@
 <template>
-  <div class="h-[48px] flex items-center justify-between px-6 bg-[var(--wraith-bg-secondary)] border-t border-[var(--wraith-border)] text-base text-[var(--wraith-text-muted)] shrink-0">
+  <div class="h-6 flex items-center justify-between px-4 bg-[var(--wraith-bg-secondary)] border-t border-[var(--wraith-border)] text-[10px] text-[var(--wraith-text-muted)] shrink-0">
    <!-- Left: connection info -->
    <div class="flex items-center gap-3">
      <template v-if="sessionStore.activeSession">
@ -47,7 +47,7 @@ const connectionStore = useConnectionStore();
 const activeThemeName = ref("Default");
 const emit = defineEmits<{
-  "open-theme-picker": [];
+  (e: "open-theme-picker"): void;
 }>();
 const connectionInfo = computed(() => {
--- a/src/components/common/ThemePicker.vue
+++ b/src/components/common/ThemePicker.vue
@ -112,8 +112,6 @@ export interface ThemeDefinition {
  brightMagenta: string;
  brightCyan: string;
  brightWhite: string;
  selectionBackground?: string;
  selectionForeground?: string;
  isBuiltin?: boolean;
 }
--- a/src/components/rdp/RdpView.vue
+++ b/src/components/rdp/RdpView.vue
@ -28,8 +28,7 @@
 </template>
 <script setup lang="ts">
-import { ref, computed, onMounted, onBeforeUnmount, watch } from "vue";
+import { ref, onMounted, onBeforeUnmount, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useRdp, MouseFlag } from "@/composables/useRdp";
 const props = defineProps<{
@ -43,8 +42,8 @@ const containerRef = ref<HTMLElement | null>(null);
 const canvasWrapper = ref<HTMLElement | null>(null);
 const canvasRef = ref<HTMLCanvasElement | null>(null);
-const rdpWidth = computed(() => props.width ?? 1920);
+const rdpWidth = props.width ?? 1920;
-const rdpHeight = computed(() => props.height ?? 1080);
+const rdpHeight = props.height ?? 1080;
 const {
  connected,
@ -77,8 +76,8 @@ function toRdpCoords(e: MouseEvent): { x: number; y: number } | null {
  if (!canvas) return null;
  const rect = canvas.getBoundingClientRect();
-  const scaleX = canvas.width / rect.width;
+  const scaleX = rdpWidth / rect.width;
-  const scaleY = canvas.height / rect.height;
+  const scaleY = rdpHeight / rect.height;
  return {
    x: Math.floor((e.clientX - rect.left) * scaleX),
@ -154,95 +153,25 @@ function handleKeyUp(e: KeyboardEvent): void {
  sendKey(props.sessionId, e.code, false);
 }
 let resizeObserver: ResizeObserver | null = null;
 let resizeTimeout: ReturnType<typeof setTimeout> | null = null;
 onMounted(() => {
  if (canvasRef.value) {
-    startFrameLoop(props.sessionId, canvasRef.value, rdpWidth.value, rdpHeight.value);
+    startFrameLoop(props.sessionId, canvasRef.value, rdpWidth, rdpHeight);
  }
  // Watch container size and request server-side RDP resize (debounced 500ms)
  if (canvasWrapper.value) {
    resizeObserver = new ResizeObserver((entries) => {
      const entry = entries[0];
      if (!entry || !connected.value) return;
      const { width: cw, height: ch } = entry.contentRect;
      if (cw < 200 || ch < 200) return;
      // Round to even width (RDP spec requirement)
      const newW = Math.round(cw) & ~1;
      const newH = Math.round(ch);
      if (resizeTimeout) clearTimeout(resizeTimeout);
      resizeTimeout = setTimeout(() => {
        invoke("rdp_resize", {
          sessionId: props.sessionId,
          width: newW,
          height: newH,
        }).then(() => {
          if (canvasRef.value) {
            canvasRef.value.width = newW;
            canvasRef.value.height = newH;
          }
          // Force full frame after resize so canvas gets a clean repaint
          setTimeout(() => {
            invoke("rdp_force_refresh", { sessionId: props.sessionId }).catch(() => {});
          }, 200);
        }).catch((err: unknown) => {
          console.warn("[RdpView] resize failed:", err);
        });
      }, 500);
    });
    resizeObserver.observe(canvasWrapper.value);
  }
 });
 onBeforeUnmount(() => {
  stopFrameLoop();
  if (resizeObserver) { resizeObserver.disconnect(); resizeObserver = null; }
  if (resizeTimeout) { clearTimeout(resizeTimeout); resizeTimeout = null; }
 });
-// Focus canvas, re-check dimensions, and force full frame on tab switch.
+// Focus canvas when this tab becomes active and keyboard is grabbed
 // Uses 300ms delay to let the flex layout fully settle (copilot panel toggle, etc.)
 watch(
  () => props.isActive,
  (active) => {
-    if (!active || !canvasRef.value) return;
+    if (active && keyboardGrabbed.value && canvasRef.value) {
    // Immediate focus so keyboard works right away
    if (keyboardGrabbed.value) canvasRef.value.focus();
    // Immediate force refresh to show SOMETHING while we check dimensions
    invoke("rdp_force_refresh", { sessionId: props.sessionId }).catch(() => {});
    // Delayed dimension check — layout needs time to settle
      setTimeout(() => {
-      const wrapper = canvasWrapper.value;
+        canvasRef.value?.focus();
-      const canvas = canvasRef.value;
+      }, 0);
      if (!wrapper || !canvas) return;
      const { width: cw, height: ch } = wrapper.getBoundingClientRect();
      const newW = Math.round(cw) & ~1;
      const newH = Math.round(ch);
      if (newW >= 200 && newH >= 200 && (newW !== canvas.width || newH !== canvas.height)) {
        invoke("rdp_resize", {
          sessionId: props.sessionId,
          width: newW,
          height: newH,
        }).then(() => {
          if (canvas) {
            canvas.width = newW;
            canvas.height = newH;
    }
          setTimeout(() => {
            invoke("rdp_force_refresh", { sessionId: props.sessionId }).catch(() => {});
          }, 500);
        }).catch(() => {});
      }
    }, 300);
  },
 );
 </script>
@ -267,8 +196,9 @@ watch(
 }
 .rdp-canvas {
-  width: 100%;
+  max-width: 100%;
-  height: 100%;
+  max-height: 100%;
  object-fit: contain;
  cursor: default;
  outline: none;
  image-rendering: auto;
--- a/src/components/session/DetachedSession.vue
+++ b/src/components/session/DetachedSession.vue
@ -26,34 +26,36 @@ const sessionName = ref("Detached Session");
 const protocol = ref("ssh");
 const containerRef = ref<HTMLElement | null>(null);
-// Parse session info from URL hash synchronously so backend type is known at setup time
+let terminalInstance: ReturnType<typeof useTerminal> | null = null;
 const hash = window.location.hash;
 const params = new URLSearchParams(hash.split("?")[1] || "");
 const _initialSessionId = params.get("sessionId") || "";
 const _initialProtocol = params.get("protocol") || "ssh";
 const _backend = (_initialProtocol === "local" ? "pty" : "ssh") as 'ssh' | 'pty';
 const terminalInstance = useTerminal(_initialSessionId, _backend);
 onMounted(async () => {
-  sessionId.value = _initialSessionId;
+  // Parse session info from URL hash
  const hash = window.location.hash;
  const params = new URLSearchParams(hash.split("?")[1] || "");
  sessionId.value = params.get("sessionId") || "";
  sessionName.value = decodeURIComponent(params.get("name") || "Detached Session");
-  protocol.value = _initialProtocol;
+  protocol.value = params.get("protocol") || "ssh";
  if (!sessionId.value || !containerRef.value) return;
  // Determine backend type
  const backend = protocol.value === "local" ? "pty" : "ssh";
  terminalInstance = useTerminal(sessionId.value, backend as 'ssh' | 'pty');
  terminalInstance.mount(containerRef.value);
  setTimeout(() => {
    if (terminalInstance) {
      terminalInstance.fit();
      terminalInstance.terminal.focus();
-    const resizeCmd = _backend === "ssh" ? "ssh_resize" : "pty_resize";
+      // Resize the backend
      const resizeCmd = backend === "ssh" ? "ssh_resize" : "pty_resize";
      invoke(resizeCmd, {
        sessionId: sessionId.value,
        cols: terminalInstance.terminal.cols,
        rows: terminalInstance.terminal.rows,
      }).catch(() => {});
    }
  }, 50);
  // On window close, emit event so main window reattaches the tab
@ -70,6 +72,9 @@ onMounted(async () => {
 });
 onBeforeUnmount(() => {
  if (terminalInstance) {
    terminalInstance.destroy();
    terminalInstance = null;
  }
 });
 </script>
--- a/src/components/session/TabBar.vue
+++ b/src/components/session/TabBar.vue
@ -88,7 +88,7 @@
 </template>
 <script setup lang="ts">
-import { ref, onMounted, onBeforeUnmount } from "vue";
+import { ref, onMounted } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useSessionStore, type Session } from "@/stores/session.store";
 import { useConnectionStore } from "@/stores/connection.store";
@ -133,14 +133,16 @@ async function detachTab(): Promise<void> {
  session.active = false;
  // Open a new Tauri window for this session
-  try {
+  const { WebviewWindow } = await import("@tauri-apps/api/webviewWindow");
-    await invoke("open_child_window", {
+  const label = `detached-${session.id.substring(0, 8)}-${Date.now()}`;
-      label: `detached-${session.id.substring(0, 8)}-${Date.now()}`,
+  new WebviewWindow(label, {
    title: `${session.name} — Wraith`,
    width: 900,
    height: 600,
    resizable: true,
    center: true,
    url: `index.html#/detached-session?sessionId=${session.id}&name=${encodeURIComponent(session.name)}&protocol=${session.protocol}`,
      width: 900, height: 600,
  });
  } catch (err) { console.error("Detach window error:", err); }
 }
 function closeMenuTab(): void {
@ -149,10 +151,16 @@ function closeMenuTab(): void {
  if (session) sessionStore.closeSession(session.id);
 }
 // Listen for reattach events from detached windows
 import { listen } from "@tauri-apps/api/event";
-import type { UnlistenFn } from "@tauri-apps/api/event";
+listen<{ sessionId: string; name: string; protocol: string }>("session:reattach", (event) => {
-
+  const { sessionId } = event.payload;
-let unlistenReattach: UnlistenFn | null = null;
+  const session = sessionStore.sessions.find(s => s.id === sessionId);
  if (session) {
    session.active = true;
    sessionStore.activateSession(sessionId);
  }
 });
 onMounted(async () => {
  try {
@ -160,19 +168,6 @@ onMounted(async () => {
  } catch {
    availableShells.value = [];
  }
  unlistenReattach = await listen<{ sessionId: string; name: string; protocol: string }>("session:reattach", (event) => {
    const { sessionId } = event.payload;
    const session = sessionStore.sessions.find(s => s.id === sessionId);
    if (session) {
      session.active = true;
      sessionStore.activateSession(sessionId);
    }
  });
 });
 onBeforeUnmount(() => {
  unlistenReattach?.();
 });
 // Drag-and-drop tab reordering
--- a/src/components/sftp/FileTree.vue
+++ b/src/components/sftp/FileTree.vue
@ -371,31 +371,6 @@ function handleFileSelected(event: Event): void {
    failTransfer(transferId);
  };
  // Guard: the backend sftp_write_file command accepts a UTF-8 string only.
  // Binary files (images, archives, executables, etc.) will be corrupted if
  // sent as text. Warn and abort for known binary extensions or large files.
  const BINARY_EXTENSIONS = new Set([
    "png", "jpg", "jpeg", "gif", "webp", "bmp", "ico", "tiff", "svg",
    "zip", "tar", "gz", "bz2", "xz", "7z", "rar", "zst",
    "exe", "dll", "so", "dylib", "bin", "elf",
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "mp3", "mp4", "avi", "mkv", "mov", "flac", "wav", "ogg",
    "ttf", "otf", "woff", "woff2",
    "db", "sqlite", "sqlite3",
  ]);
  const ext = file.name.split(".").pop()?.toLowerCase() ?? "";
  const isBinary = BINARY_EXTENSIONS.has(ext);
  const isLarge = file.size > 1 * 1024 * 1024; // 1 MB
  if (isBinary || isLarge) {
    const reason = isBinary
      ? `"${ext}" files are binary and cannot be safely uploaded as text`
      : `file is ${(file.size / (1024 * 1024)).toFixed(1)} MB — only text files under 1 MB are supported`;
    alert(`Upload blocked: ${reason}.\n\nBinary file upload support will be added in a future release.`);
    failTransfer(transferId);
    return;
  }
  reader.readAsText(file);
 }
--- a/src/components/sftp/TransferProgress.vue
+++ b/src/components/sftp/TransferProgress.vue
@ -52,15 +52,11 @@
 </template>
 <script setup lang="ts">
-import { ref, watch } from "vue";
+import { ref } from "vue";
 import { useTransfers } from "@/composables/useTransfers";
 const expanded = ref(false);
 const { transfers } = useTransfers();
 // Auto-expand when transfers become active, collapse when all are gone
-watch(() => transfers.value.length, (newLen, oldLen) => {
+const { transfers } = useTransfers();
  if (newLen > 0 && oldLen === 0) expanded.value = true;
  if (newLen === 0) expanded.value = false;
 });
 </script>
--- a/src/components/sidebar/ConnectionTree.vue
+++ b/src/components/sidebar/ConnectionTree.vue
@ -110,7 +110,7 @@
 </template>
 <script setup lang="ts">
-import { ref, watch } from "vue";
+import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useConnectionStore, type Connection, type Group } from "@/stores/connection.store";
 import { useSessionStore } from "@/stores/session.store";
@ -224,15 +224,6 @@ const expandedGroups = ref<Set<number>>(
  new Set(connectionStore.groups.map((g) => g.id)),
 );
 // Auto-expand groups added after initial load
 watch(() => connectionStore.groups, (newGroups) => {
  for (const group of newGroups) {
    if (!expandedGroups.value.has(group.id)) {
      expandedGroups.value.add(group.id);
    }
  }
 }, { deep: true });
 function toggleGroup(groupId: number): void {
  if (expandedGroups.value.has(groupId)) {
    expandedGroups.value.delete(groupId);
--- a/src/components/sidebar/SidebarToggle.vue
+++ b/src/components/sidebar/SidebarToggle.vue
@ -5,11 +5,11 @@
      :key="tab.id"
      class="flex-1 py-2 text-xs font-medium text-center transition-colors cursor-pointer"
      :class="
-        model === tab.id
+        modelValue === tab.id
          ? 'text-[var(--wraith-accent-blue)] border-b-2 border-[var(--wraith-accent-blue)]'
          : 'text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-secondary)]'
      "
-      @click="model = tab.id"
+      @click="emit('update:modelValue', tab.id)"
    >
      {{ tab.label }}
    </button>
@ -24,5 +24,11 @@ const tabs = [
  { id: "sftp" as const, label: "SFTP" },
 ];
-const model = defineModel<SidebarTab>();
+defineProps<{
  modelValue: SidebarTab;
 }>();
 const emit = defineEmits<{
  "update:modelValue": [tab: SidebarTab];
 }>();
 </script>
--- a/src/components/terminal/LocalTerminalView.vue
+++ b/src/components/terminal/LocalTerminalView.vue
@ -12,7 +12,6 @@
 import { ref, onMounted, onBeforeUnmount, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useTerminal } from "@/composables/useTerminal";
 import { useSessionStore } from "@/stores/session.store";
 import "@/assets/css/terminal.css";
 const props = defineProps<{
@ -20,57 +19,22 @@ const props = defineProps<{
  isActive: boolean;
 }>();
 const sessionStore = useSessionStore();
 const containerRef = ref<HTMLElement | null>(null);
 const { terminal, mount, fit, destroy } = useTerminal(props.sessionId, "pty");
-
+let resizeObserver: ResizeObserver | null = null;
 /** Apply the session store's active theme to this local terminal instance. */
 function applyTheme(): void {
  const theme = sessionStore.activeTheme;
  if (!theme) return;
  terminal.options.theme = {
    background: theme.background,
    foreground: theme.foreground,
    cursor: theme.cursor,
    cursorAccent: theme.background,
    selectionBackground: theme.selectionBackground ?? "#264f78",
    selectionForeground: theme.selectionForeground ?? "#ffffff",
    selectionInactiveBackground: theme.selectionBackground ?? "#264f78",
    black: theme.black,
    red: theme.red,
    green: theme.green,
    yellow: theme.yellow,
    blue: theme.blue,
    magenta: theme.magenta,
    cyan: theme.cyan,
    white: theme.white,
    brightBlack: theme.brightBlack,
    brightRed: theme.brightRed,
    brightGreen: theme.brightGreen,
    brightYellow: theme.brightYellow,
    brightBlue: theme.brightBlue,
    brightMagenta: theme.brightMagenta,
    brightCyan: theme.brightCyan,
    brightWhite: theme.brightWhite,
  };
  if (containerRef.value) {
    containerRef.value.style.backgroundColor = theme.background;
  }
  terminal.refresh(0, terminal.rows - 1);
 }
 onMounted(() => {
  if (containerRef.value) {
    mount(containerRef.value);
  }
-  // Apply current theme immediately if one is already active
+    // Watch container size changes and refit terminal
-  if (sessionStore.activeTheme) {
+    resizeObserver = new ResizeObserver(() => {
-    applyTheme();
+      if (props.isActive) {
        fit();
      }
    });
    resizeObserver.observe(containerRef.value);
  }
  setTimeout(() => {
    fit();
    terminal.focus();
@ -86,27 +50,19 @@ watch(
  () => props.isActive,
  (active) => {
    if (active) {
-      requestAnimationFrame(() => {
+      setTimeout(() => {
        requestAnimationFrame(() => {
        fit();
        terminal.focus();
-          invoke("pty_resize", {
+      }, 0);
            sessionId: props.sessionId,
            cols: terminal.cols,
            rows: terminal.rows,
          }).catch(() => {});
        });
      });
    }
  },
 );
 // Watch for theme changes and apply to this local terminal
 watch(() => sessionStore.activeTheme, (newTheme) => {
  if (newTheme) applyTheme();
 }, { deep: true });
 onBeforeUnmount(() => {
  if (resizeObserver) {
    resizeObserver.disconnect();
    resizeObserver = null;
  }
  destroy();
 });
 </script>
--- a/src/components/terminal/MonitorBar.vue
+++ b/src/components/terminal/MonitorBar.vue
@ -1,7 +1,7 @@
 <template>
  <div
    v-if="stats"
-    class="flex items-center gap-4 px-6 h-[48px] bg-[var(--wraith-bg-tertiary)] border-t border-[var(--wraith-border)] text-base font-mono shrink-0 select-none"
+    class="flex items-center gap-4 px-3 h-6 bg-[var(--wraith-bg-tertiary)] border-t border-[var(--wraith-border)] text-[10px] font-mono shrink-0 select-none"
  >
    <!-- CPU -->
    <span class="flex items-center gap-1">
@ -55,7 +55,6 @@ interface SystemStats {
 const stats = ref<SystemStats | null>(null);
 let unlistenFn: UnlistenFn | null = null;
 let subscribeGeneration = 0;
 function colorClass(value: number, warnThreshold: number, critThreshold: number): string {
  if (value >= critThreshold) return "text-[#f85149]"; // red
@ -71,17 +70,10 @@ function formatBytes(bytes: number): string {
 }
 async function subscribe(): Promise<void> {
  const gen = ++subscribeGeneration;
  if (unlistenFn) unlistenFn();
-  const fn = await listen<SystemStats>(`ssh:monitor:${props.sessionId}`, (event) => {
+  unlistenFn = await listen<SystemStats>(`ssh:monitor:${props.sessionId}`, (event) => {
    stats.value = event.payload;
  });
  if (gen !== subscribeGeneration) {
    // A newer subscribe() call has already taken over — discard this listener
    fn();
    return;
  }
  unlistenFn = fn;
 }
 onMounted(subscribe);
--- a/src/components/terminal/TerminalView.vue
+++ b/src/components/terminal/TerminalView.vue
@ -59,12 +59,10 @@
 </template>
 <script setup lang="ts">
-import { ref, nextTick, onMounted, onBeforeUnmount, watch } from "vue";
+import { ref, nextTick, onMounted, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useTerminal } from "@/composables/useTerminal";
 import { useSessionStore } from "@/stores/session.store";
 import MonitorBar from "@/components/terminal/MonitorBar.vue";
 import type { IDisposable } from "@xterm/xterm";
 import "@/assets/css/terminal.css";
 const props = defineProps<{
@ -75,11 +73,6 @@ const props = defineProps<{
 const sessionStore = useSessionStore();
 const containerRef = ref<HTMLElement | null>(null);
 const { terminal, searchAddon, mount, fit } = useTerminal(props.sessionId);
 let resizeDisposable: IDisposable | null = null;
 function handleFocus(): void {
  terminal.focus();
 }
 // --- Search state ---
 const searchVisible = ref(false);
@ -145,7 +138,7 @@ onMounted(() => {
  }
  // Track terminal dimensions in the session store
-  resizeDisposable = terminal.onResize(({ cols, rows }) => {
+  terminal.onResize(({ cols, rows }) => {
    sessionStore.setTerminalDimensions(props.sessionId, cols, rows);
  });
@ -156,27 +149,15 @@ onMounted(() => {
  }, 50);
 });
-// Re-fit and focus terminal when switching back to this tab.
+// Re-fit and focus terminal when switching back to this tab
 // Must wait for the container to have real dimensions after becoming visible.
 watch(
  () => props.isActive,
  (active) => {
    if (active) {
-      // Double rAF ensures the container has been laid out by the browser
+      setTimeout(() => {
      requestAnimationFrame(() => {
        requestAnimationFrame(() => {
        fit();
        terminal.focus();
-          // Also notify the backend of the correct size
+      }, 0);
          const session = sessionStore.sessions.find(s => s.id === props.sessionId);
          const resizeCmd = session?.protocol === "local" ? "pty_resize" : "ssh_resize";
          invoke(resizeCmd, {
            sessionId: props.sessionId,
            cols: terminal.cols,
            rows: terminal.rows,
          }).catch(() => {});
        });
      });
    }
  },
 );
@ -189,10 +170,6 @@ function applyTheme(): void {
    background: theme.background,
    foreground: theme.foreground,
    cursor: theme.cursor,
    cursorAccent: theme.background,
    selectionBackground: theme.selectionBackground ?? "#264f78",
    selectionForeground: theme.selectionForeground ?? "#ffffff",
    selectionInactiveBackground: theme.selectionBackground ?? "#264f78",
    black: theme.black,
    red: theme.red,
    green: theme.green,
@ -210,27 +187,14 @@ function applyTheme(): void {
    brightCyan: theme.brightCyan,
    brightWhite: theme.brightWhite,
  };
  // Sync the container background so areas outside the canvas match the theme
  if (containerRef.value) {
    containerRef.value.style.backgroundColor = theme.background;
  }
  // Force xterm.js to repaint all visible rows with the new theme colors
  terminal.refresh(0, terminal.rows - 1);
 }
-// Watch for theme changes in the session store and apply to this terminal.
+// Watch for theme changes in the session store and apply to this terminal
 // Uses deep comparison because the theme is an object — a shallow watch may miss
 // updates if Pinia returns the same reactive proxy wrapper after reassignment.
 watch(() => sessionStore.activeTheme, (newTheme) => {
  if (newTheme) applyTheme();
 }, { deep: true });
 onBeforeUnmount(() => {
  if (resizeDisposable) {
    resizeDisposable.dispose();
    resizeDisposable = null;
  }
 });
 function handleFocus(): void {
  terminal.focus();
 }
 </script>
--- a/src/components/tools/BandwidthTest.vue
+++ b/src/components/tools/BandwidthTest.vue
@ -1,6 +1,6 @@
 <template>
-  <ToolShell ref="shell" placeholder="Select a mode and click Run Test">
+  <div class="flex flex-col h-full p-4 gap-3">
-    <template #default="{ running }">
+    <div class="flex items-center gap-2">
      <select v-model="mode" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none cursor-pointer">
        <option value="speedtest">Internet Speed Test</option>
        <option value="iperf">iperf3 (LAN)</option>
@ -13,31 +13,32 @@
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="run">
        {{ running ? "Testing..." : "Run Test" }}
      </button>
-    </template>
+    </div>
-  </ToolShell>
+    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || "Select a mode and click Run Test" }}</pre>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const mode = ref("speedtest");
 const server = ref("");
 const duration = ref(5);
-const shell = ref<InstanceType<typeof ToolShell> | null>(null);
+const output = ref("");
 const running = ref(false);
 async function run(): Promise<void> {
-  if (mode.value === "iperf" && !server.value) {
+  running.value = true;
-    shell.value?.setOutput("Enter an iperf3 server IP");
+  output.value = mode.value === "iperf" ? `Running iperf3 to ${server.value}...\n` : "Running speed test...\n";
-    return;
+  try {
  }
  shell.value?.execute(() => {
    if (mode.value === "iperf") {
-      return invoke<string>("tool_bandwidth_iperf", { sessionId: props.sessionId, server: server.value, duration: duration.value });
+      if (!server.value) { output.value = "Enter an iperf3 server IP"; running.value = false; return; }
      output.value = await invoke<string>("tool_bandwidth_iperf", { sessionId: props.sessionId, server: server.value, duration: duration.value });
    } else {
      output.value = await invoke<string>("tool_bandwidth_speedtest", { sessionId: props.sessionId });
    }
-    return invoke<string>("tool_bandwidth_speedtest", { sessionId: props.sessionId });
+  } catch (err) { output.value = String(err); }
-  });
+  running.value = false;
 }
 </script>
--- a/src/components/tools/DnsLookup.vue
+++ b/src/components/tools/DnsLookup.vue
@ -1,29 +1,31 @@
 <template>
-  <ToolShell ref="shell" placeholder="Enter a domain and click Lookup">
+  <div class="flex flex-col h-full p-4 gap-3">
-    <template #default="{ running }">
+    <div class="flex items-center gap-2">
      <input v-model="domain" type="text" placeholder="Domain name" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="lookup" />
      <select v-model="recordType" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none cursor-pointer">
        <option v-for="t in ['A','AAAA','MX','NS','TXT','CNAME','SOA','SRV','PTR']" :key="t" :value="t">{{ t }}</option>
      </select>
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="lookup">Lookup</button>
-    </template>
+    </div>
-  </ToolShell>
+    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || "Enter a domain and click Lookup" }}</pre>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const domain = ref("");
 const recordType = ref("A");
-const shell = ref<InstanceType<typeof ToolShell> | null>(null);
+const output = ref("");
 const running = ref(false);
 async function lookup(): Promise<void> {
  if (!domain.value) return;
-  shell.value?.execute(() =>
+  running.value = true;
-    invoke<string>("tool_dns_lookup", { sessionId: props.sessionId, domain: domain.value, recordType: recordType.value })
+  try {
-  );
+    output.value = await invoke<string>("tool_dns_lookup", { sessionId: props.sessionId, domain: domain.value, recordType: recordType.value });
  } catch (err) { output.value = String(err); }
  running.value = false;
 }
 </script>
--- a/src/components/tools/DockerPanel.vue
+++ b/src/components/tools/DockerPanel.vue
@ -81,16 +81,12 @@
 import { ref, onMounted } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 interface DockerContainer { id: string; name: string; image: string; status: string; ports: string; }
 interface DockerImage { repository: string; tag: string; id: string; size: string; }
 interface DockerVolume { name: string; driver: string; mountpoint: string; }
 const props = defineProps<{ sessionId: string }>();
 const tab = ref("containers");
-const containers = ref<DockerContainer[]>([]);
+const containers = ref<any[]>([]);
-const images = ref<DockerImage[]>([]);
+const images = ref<any[]>([]);
-const volumes = ref<DockerVolume[]>([]);
+const volumes = ref<any[]>([]);
 const output = ref("");
 async function refresh(): Promise<void> {
--- a/src/components/tools/NetworkScanner.vue
+++ b/src/components/tools/NetworkScanner.vue
@ -85,6 +85,5 @@ function exportCsv(): void {
  a.href = URL.createObjectURL(blob);
  a.download = `wraith-scan-${subnet.value}-${Date.now()}.csv`;
  a.click();
  setTimeout(() => URL.revokeObjectURL(a.href), 1000);
 }
 </script>
--- a/src/components/tools/PingTool.vue
+++ b/src/components/tools/PingTool.vue
@ -1,28 +1,32 @@
 <template>
-  <ToolShell ref="shell" placeholder="Enter a host and click Ping">
+  <div class="flex flex-col h-full p-4 gap-3">
-    <template #default="{ running }">
+    <div class="flex items-center gap-2">
      <input v-model="target" type="text" placeholder="Host to ping" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="ping" />
      <input v-model.number="count" type="number" min="1" max="100" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-16" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="ping">Ping</button>
-    </template>
+    </div>
-  </ToolShell>
+    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || "Enter a host and click Ping" }}</pre>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
 const count = ref(4);
-const shell = ref<InstanceType<typeof ToolShell> | null>(null);
+const output = ref("");
 const running = ref(false);
 async function ping(): Promise<void> {
  if (!target.value) return;
-  shell.value?.execute(async () => {
+  running.value = true;
  output.value = `Pinging ${target.value}...\n`;
  try {
    const result = await invoke<{ target: string; output: string }>("tool_ping", { sessionId: props.sessionId, target: target.value, count: count.value });
-    return result.output;
+    output.value = result.output;
-  });
+  } catch (err) { output.value = String(err); }
  running.value = false;
 }
 </script>
--- a/src/components/tools/ToolShell.vue
+++ b/src/components/tools/ToolShell.vue
@ -1,37 +0,0 @@
 <script setup lang="ts">
 import { ref } from "vue";
 defineProps<{
  placeholder?: string;
 }>();
 const output = ref("");
 const running = ref(false);
 async function execute(fn: () => Promise<string>): Promise<void> {
  running.value = true;
  output.value = "";
  try {
    output.value = await fn();
  } catch (err: unknown) {
    output.value = `Error: ${err instanceof Error ? err.message : String(err)}`;
  } finally {
    running.value = false;
  }
 }
 function setOutput(value: string): void {
  output.value = value;
 }
 defineExpose({ execute, setOutput, output, running });
 </script>
 <template>
  <div class="flex flex-col h-full p-4 gap-3">
    <div class="flex items-center gap-2">
      <slot :running="running" />
    </div>
    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || placeholder || "Ready." }}</pre>
  </div>
 </template>
--- a/src/components/tools/TracerouteTool.vue
+++ b/src/components/tools/TracerouteTool.vue
@ -1,25 +1,29 @@
 <template>
-  <ToolShell ref="shell" placeholder="Enter a host and click Trace">
+  <div class="flex flex-col h-full p-4 gap-3">
-    <template #default="{ running }">
+    <div class="flex items-center gap-2">
      <input v-model="target" type="text" placeholder="Host to trace" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="trace" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="trace">Trace</button>
-    </template>
+    </div>
-  </ToolShell>
+    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || "Enter a host and click Trace" }}</pre>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
-const shell = ref<InstanceType<typeof ToolShell> | null>(null);
+const output = ref("");
 const running = ref(false);
 async function trace(): Promise<void> {
  if (!target.value) return;
-  shell.value?.execute(() =>
+  running.value = true;
-    invoke<string>("tool_traceroute", { sessionId: props.sessionId, target: target.value })
+  output.value = `Tracing route to ${target.value}...\n`;
-  );
+  try {
    output.value = await invoke<string>("tool_traceroute", { sessionId: props.sessionId, target: target.value });
  } catch (err) { output.value = String(err); }
  running.value = false;
 }
 </script>
--- a/src/components/tools/WhoisTool.vue
+++ b/src/components/tools/WhoisTool.vue
@ -1,25 +1,26 @@
 <template>
-  <ToolShell ref="shell" placeholder="Enter a domain or IP and click Whois">
+  <div class="flex flex-col h-full p-4 gap-3">
-    <template #default="{ running }">
+    <div class="flex items-center gap-2">
      <input v-model="target" type="text" placeholder="Domain or IP" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="lookup" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="lookup">Whois</button>
-    </template>
+    </div>
-  </ToolShell>
+    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || "Enter a domain or IP and click Whois" }}</pre>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
-const shell = ref<InstanceType<typeof ToolShell> | null>(null);
+const output = ref("");
 const running = ref(false);
 async function lookup(): Promise<void> {
  if (!target.value) return;
-  shell.value?.execute(() =>
+  running.value = true;
-    invoke<string>("tool_whois", { sessionId: props.sessionId, target: target.value })
+  try { output.value = await invoke<string>("tool_whois", { sessionId: props.sessionId, target: target.value }); }
-  );
+  catch (err) { output.value = String(err); }
  running.value = false;
 }
 </script>
--- a/src/composables/useKeyboardShortcuts.ts
+++ b/src/composables/useKeyboardShortcuts.ts
@ -1,106 +0,0 @@
 import { onMounted, onBeforeUnmount } from "vue";
 import type { Ref } from "vue";
 import type { useSessionStore } from "@/stores/session.store";
 interface KeyboardShortcutActions {
  sessionStore: ReturnType<typeof useSessionStore>;
  sidebarVisible: Ref<boolean>;
  copilotVisible: Ref<boolean>;
  openCommandPalette: () => void;
  openActiveSearch: () => void;
 }
 export function useKeyboardShortcuts(actions: KeyboardShortcutActions): void {
  const { sessionStore, sidebarVisible, copilotVisible, openCommandPalette, openActiveSearch } = actions;
  function handleKeydown(event: KeyboardEvent): void {
    const target = event.target as HTMLElement;
    const isInputFocused =
      target.tagName === "INPUT" ||
      target.tagName === "TEXTAREA" ||
      target.tagName === "SELECT";
    const ctrl = event.ctrlKey || event.metaKey;
    // Ctrl+K — command palette (fires even when input is focused)
    if (ctrl && event.key === "k") {
      event.preventDefault();
      openCommandPalette();
      return;
    }
    if (isInputFocused) return;
    // Ctrl+W — close active tab
    if (ctrl && event.key === "w") {
      event.preventDefault();
      const active = sessionStore.activeSession;
      if (active) sessionStore.closeSession(active.id);
      return;
    }
    // Ctrl+Tab — next tab
    if (ctrl && event.key === "Tab" && !event.shiftKey) {
      event.preventDefault();
      const sessions = sessionStore.sessions;
      if (sessions.length < 2) return;
      const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId);
      const next = sessions[(idx + 1) % sessions.length];
      sessionStore.activateSession(next.id);
      return;
    }
    // Ctrl+Shift+Tab — previous tab
    if (ctrl && event.key === "Tab" && event.shiftKey) {
      event.preventDefault();
      const sessions = sessionStore.sessions;
      if (sessions.length < 2) return;
      const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId);
      const prev = sessions[(idx - 1 + sessions.length) % sessions.length];
      sessionStore.activateSession(prev.id);
      return;
    }
    // Ctrl+1-9 — jump to tab by index
    if (ctrl && event.key >= "1" && event.key <= "9") {
      const tabIndex = parseInt(event.key, 10) - 1;
      const sessions = sessionStore.sessions;
      if (tabIndex < sessions.length) {
        event.preventDefault();
        sessionStore.activateSession(sessions[tabIndex].id);
      }
      return;
    }
    // Ctrl+B — toggle sidebar
    if (ctrl && event.key === "b") {
      event.preventDefault();
      sidebarVisible.value = !sidebarVisible.value;
      return;
    }
    // Ctrl+Shift+G — toggle AI copilot
    if (ctrl && event.shiftKey && event.key.toLowerCase() === "g") {
      event.preventDefault();
      copilotVisible.value = !copilotVisible.value;
      return;
    }
    // Ctrl+F — terminal search (SSH sessions only)
    if (ctrl && event.key === "f") {
      const active = sessionStore.activeSession;
      if (active?.protocol === "ssh") {
        event.preventDefault();
        openActiveSearch();
      }
      return;
    }
  }
  onMounted(() => {
    document.addEventListener("keydown", handleKeydown);
  });
  onBeforeUnmount(() => {
    document.removeEventListener("keydown", handleKeydown);
  });
 }
--- a/src/composables/useRdp.ts
+++ b/src/composables/useRdp.ts
@ -1,5 +1,4 @@
 import { ref, onBeforeUnmount } from "vue";
 import type { Ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 /**
@ -153,13 +152,13 @@ export function jsKeyToScancode(code: string): number | null {
 export interface UseRdpReturn {
  /** Whether the RDP session is connected (first frame received) */
-  connected: Ref<boolean>;
+  connected: ReturnType<typeof ref<boolean>>;
  /** Whether keyboard capture is enabled */
-  keyboardGrabbed: Ref<boolean>;
+  keyboardGrabbed: ReturnType<typeof ref<boolean>>;
  /** Whether clipboard sync is enabled */
-  clipboardSync: Ref<boolean>;
+  clipboardSync: ReturnType<typeof ref<boolean>>;
-  /** Fetch and render the dirty region directly to a canvas context */
+  /** Fetch the current frame as RGBA ImageData */
-  fetchAndRender: (sessionId: string, width: number, height: number, ctx: CanvasRenderingContext2D) => Promise<boolean>;
+  fetchFrame: (sessionId: string, width: number, height: number) => Promise<ImageData | null>;
  /** Send a mouse event to the backend */
  sendMouse: (sessionId: string, x: number, y: number, flags: number) => void;
  /** Send a key event to the backend */
@ -185,7 +184,7 @@ export interface UseRdpReturn {
 * Composable that manages an RDP session's rendering and input.
 *
 * Uses Tauri's invoke() to call Rust commands:
- *   rdp_get_frame   → raw RGBA ArrayBuffer (binary IPC)
+ *   rdp_get_frame   → base64 RGBA string
 *   rdp_send_mouse  → fire-and-forget
 *   rdp_send_key    → fire-and-forget
 *   rdp_send_clipboard → fire-and-forget
@ -196,53 +195,41 @@ export function useRdp(): UseRdpReturn {
  const clipboardSync = ref(false);
  let animFrameId: number | null = null;
-  let unlistenFrame: (() => void) | null = null;
+  let frameCount = 0;
  /**
-   * Fetch the dirty region from the Rust RDP backend and apply it to the canvas.
+   * Fetch the current frame from the Rust RDP backend.
   *
-   * Binary format from backend: 8-byte header + pixel data
+   * rdp_get_frame returns raw RGBA bytes (width*height*4) serialised as a
-   *   Header: [x: u16, y: u16, w: u16, h: u16] (little-endian)
+   * base64 string over Tauri's IPC bridge. We decode it to Uint8ClampedArray
-   *   If header is all zeros → full frame (width*height*4 bytes)
+   * and wrap in an ImageData for putImageData().
   *   If header is non-zero → dirty rectangle (w*h*4 bytes)
   *
   * Returns true if a frame was rendered, false if nothing changed.
   */
-  async function fetchAndRender(
+  async function fetchFrame(
    sessionId: string,
    width: number,
    height: number,
-    ctx: CanvasRenderingContext2D,
+  ): Promise<ImageData | null> {
-  ): Promise<boolean> {
+    let raw: number[];
    let raw: ArrayBuffer;
    try {
-      raw = await invoke<ArrayBuffer>("rdp_get_frame", { sessionId });
+      raw = await invoke<number[]>("rdp_get_frame", { sessionId });
    } catch {
-      return false;
+      return null;
    }
-    if (!raw || raw.byteLength <= 8) return false;
+    if (!raw || raw.length === 0) return null;
-    const view = new DataView(raw);
+    // Binary IPC — Tauri returns Vec<u8> as number array
-    const rx = view.getUint16(0, true);
+    const bytes = new Uint8ClampedArray(raw);
    const ry = view.getUint16(2, true);
    const rw = view.getUint16(4, true);
    const rh = view.getUint16(6, true);
    const pixelData = new Uint8ClampedArray(raw, 8);
    if (rx === 0 && ry === 0 && rw === 0 && rh === 0) {
      // Full frame
    const expected = width * height * 4;
-      if (pixelData.length !== expected) return false;
+    if (bytes.length !== expected) {
-      ctx.putImageData(new ImageData(pixelData, width, height), 0, 0);
+      console.warn(
-    } else {
+        `[useRdp] Frame size mismatch: got ${bytes.length}, expected ${expected}`,
-      // Dirty rectangle — apply at offset
+      );
-      const expected = rw * rh * 4;
+      return null;
      if (pixelData.length !== expected) return false;
      ctx.putImageData(new ImageData(pixelData, rw, rh), rx, ry);
    }
-    return true;
+    return new ImageData(bytes, width, height);
  }
  /**
@ -310,36 +297,27 @@ export function useRdp(): UseRdpReturn {
    canvas.width = width;
    canvas.height = height;
-    let fetchPending = false;
+    function renderLoop(): void {
-    let rafScheduled = false;
+      frameCount++;
-    // Fetch and render dirty region when backend signals new frame data.
+      // Throttle to ~24fps by rendering every 3rd rAF tick (~60/3=20fps, close to 24)
-    // Uses rAF to coalesce rapid events into one fetch per display frame.
+      // This saves 20% CPU vs 30fps with negligible visual difference for remote desktop
-    function scheduleFrameFetch(): void {
+      if (frameCount % 3 === 0) {
-      if (rafScheduled) return;
+        fetchFrame(sessionId, width, height).then((imageData) => {
-      rafScheduled = true;
+          if (imageData && ctx) {
-      animFrameId = requestAnimationFrame(async () => {
+            ctx.putImageData(imageData, 0, 0);
-        rafScheduled = false;
+            // Mark connected on first successful frame
-        if (fetchPending) return;
+            if (!connected.value) {
-        fetchPending = true;
+              connected.value = true;
-        if (!ctx) return;
+            }
-        const rendered = await fetchAndRender(sessionId, width, height, ctx);
+          }
        fetchPending = false;
        if (rendered && !connected.value) connected.value = true;
        });
      }
-    // Listen for frame events from the backend (push model)
+      animFrameId = requestAnimationFrame(renderLoop);
-    import("@tauri-apps/api/event").then(({ listen }) => {
+    }
      listen(`rdp:frame:${sessionId}`, () => {
        scheduleFrameFetch();
      }).then((unlisten) => {
        unlistenFrame = unlisten;
      });
    });
-    // Initial poll in case frames arrived before listener was set up
+    animFrameId = requestAnimationFrame(renderLoop);
    scheduleFrameFetch();
  }
  /**
@ -350,11 +328,8 @@ export function useRdp(): UseRdpReturn {
      cancelAnimationFrame(animFrameId);
      animFrameId = null;
    }
    if (unlistenFrame !== null) {
      unlistenFrame();
      unlistenFrame = null;
    }
    connected.value = false;
    frameCount = 0;
  }
  function toggleKeyboardGrab(): void {
@ -373,7 +348,7 @@ export function useRdp(): UseRdpReturn {
    connected,
    keyboardGrabbed,
    clipboardSync,
-    fetchAndRender,
+    fetchFrame,
    sendMouse,
    sendKey,
    sendClipboard,
--- a/src/composables/useSftp.ts
+++ b/src/composables/useSftp.ts
@ -24,11 +24,6 @@ export interface UseSftpReturn {
 // Persist the last browsed path per session so switching tabs restores position
 const sessionPaths: Record<string, string> = {};
 /** Remove a session's saved path from the module-level cache. Call on session close. */
 export function cleanupSession(sessionId: string): void {
  delete sessionPaths[sessionId];
 }
 /**
 * Composable that manages SFTP file browsing state.
 * Accepts a reactive session ID ref so it reinitializes on tab switch
--- a/src/composables/useTerminal.ts
+++ b/src/composables/useTerminal.ts
@ -14,9 +14,8 @@ const defaultTheme = {
  foreground: "#e0e0e0",
  cursor: "#58a6ff",
  cursorAccent: "#0d1117",
-  selectionBackground: "#264f78",
+  selectionBackground: "rgba(88, 166, 255, 0.3)",
  selectionForeground: "#ffffff",
  selectionInactiveBackground: "#264f78",
  black: "#0d1117",
  red: "#f85149",
  green: "#3fb950",
@ -156,7 +155,6 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
    // cell widths — producing tiny dashes and 200+ column terminals.
    document.fonts.ready.then(() => {
      fitAddon.fit();
      terminal.focus();
    });
    // Right-click paste on the terminal's DOM element
@ -165,16 +163,9 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
    // Subscribe to SSH output events for this session.
    // Tauri v2 listen() callback receives { payload: T } — the base64 string
    // is in event.payload (not event.data as in Wails).
    // Throttle activity marking to avoid Vue reactivity storms
    let lastActivityMark = 0;
    unlistenPromise = listen<string>(dataEvent, (event) => {
-      // Mark tab activity at most once per second
+      // Mark tab activity for background sessions
      const now = Date.now();
      if (now - lastActivityMark > 1000) {
        lastActivityMark = now;
      try { useSessionStore().markActivity(sessionId); } catch {}
      }
      const b64data = event.payload;
@ -202,12 +193,9 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
      unlistenFn = fn;
    });
-    // Auto-fit when the container resizes — but only if visible
+    // Auto-fit when the container resizes
-    resizeObserver = new ResizeObserver((entries) => {
+    resizeObserver = new ResizeObserver(() => {
      const entry = entries[0];
      if (entry && entry.contentRect.width > 50 && entry.contentRect.height > 50) {
      fitAddon.fit();
      }
    });
    resizeObserver.observe(container);
  }
--- a/src/layouts/MainLayout.vue
+++ b/src/layouts/MainLayout.vue
@ -308,7 +308,6 @@
 <script setup lang="ts">
 import { ref, computed, onMounted, onUnmounted } from "vue";
 import { useKeyboardShortcuts } from "@/composables/useKeyboardShortcuts";
 import { invoke } from "@tauri-apps/api/core";
 import { getCurrentWindow } from "@tauri-apps/api/window";
 import { useAppStore } from "@/stores/app.store";
@ -367,14 +366,16 @@ function closeHelpMenuDeferred(): void {
 async function handleHelpAction(page: string): Promise<void> {
  showHelpMenu.value = false;
-  try {
+  const { WebviewWindow } = await import("@tauri-apps/api/webviewWindow");
-    await invoke("open_child_window", {
+  const label = `help-${page}-${Date.now()}`;
-      label: `help-${page}-${Date.now()}`,
+  new WebviewWindow(label, {
-      title: "Wraith — Help",
+    title: `Wraith — Help`,
    width: 750,
    height: 600,
    resizable: true,
    center: true,
    url: `index.html#/tool/help?page=${page}`,
      width: 750, height: 600,
  });
  } catch (err) { console.error("Help window error:", err); alert("Window error: " + String(err)); }
 }
 async function handleToolAction(tool: string): Promise<void> {
@ -388,6 +389,8 @@ async function handleToolAction(tool: string): Promise<void> {
    return;
  }
  const { WebviewWindow } = await import("@tauri-apps/api/webviewWindow");
  const toolConfig: Record<string, { title: string; width: number; height: number }> = {
    "network-scanner": { title: "Network Scanner", width: 800, height: 600 },
    "port-scanner": { title: "Port Scanner", width: 700, height: 500 },
@ -408,14 +411,16 @@ async function handleToolAction(tool: string): Promise<void> {
  const sessionId = activeSessionId.value || "";
-  try {
+  // Open tool in a new Tauri window
-    await invoke("open_child_window", {
+  const label = `tool-${tool}-${Date.now()}`;
-      label: `tool-${tool}-${Date.now()}`,
+  new WebviewWindow(label, {
    title: `Wraith — ${config.title}`,
    width: config.width,
    height: config.height,
    resizable: true,
    center: true,
    url: `index.html#/tool/${tool}?sessionId=${sessionId}`,
      width: config.width, height: config.height,
  });
  } catch (err) { console.error("Tool window error:", err); alert("Tool window error: " + String(err)); }
 }
 async function handleFileMenuAction(action: string): Promise<void> {
@ -435,13 +440,18 @@ function handleThemeSelect(theme: ThemeDefinition): void {
 async function handleOpenFile(entry: FileEntry): Promise<void> {
  if (!activeSessionId.value) return;
  try {
    const { WebviewWindow } = await import("@tauri-apps/api/webviewWindow");
    const fileName = entry.path.split("/").pop() || entry.path;
    const label = `editor-${Date.now()}`;
    const sessionId = activeSessionId.value;
-    await invoke("open_child_window", {
+
-      label: `editor-${Date.now()}`,
+    new WebviewWindow(label, {
      title: `${fileName} — Wraith Editor`,
      width: 800,
      height: 600,
      resizable: true,
      center: true,
      url: `index.html#/tool/editor?sessionId=${sessionId}&path=${encodeURIComponent(entry.path)}`,
      width: 800, height: 600,
    });
  } catch (err) { console.error("Failed to open editor:", err); }
 }
@ -469,41 +479,25 @@ async function handleQuickConnect(): Promise<void> {
  } catch (err) { console.error("Quick connect failed:", err); }
 }
-useKeyboardShortcuts({
+function handleKeydown(event: KeyboardEvent): void {
-  sessionStore,
+  const target = event.target as HTMLElement;
-  sidebarVisible,
+  const isInputFocused = target.tagName === "INPUT" || target.tagName === "TEXTAREA" || target.tagName === "SELECT";
-  copilotVisible,
+  const ctrl = event.ctrlKey || event.metaKey;
-  openCommandPalette: () => commandPalette.value?.toggle(),
+  if (ctrl && event.key === "k") { event.preventDefault(); commandPalette.value?.toggle(); return; }
-  openActiveSearch: () => sessionContainer.value?.openActiveSearch(),
+  if (isInputFocused) return;
-});
+  if (ctrl && event.key === "w") { event.preventDefault(); const active = sessionStore.activeSession; if (active) sessionStore.closeSession(active.id); return; }
-
+  if (ctrl && event.key === "Tab" && !event.shiftKey) { event.preventDefault(); const sessions = sessionStore.sessions; if (sessions.length < 2) return; const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId); const next = sessions[(idx + 1) % sessions.length]; sessionStore.activateSession(next.id); return; }
-let workspaceSaveInterval: ReturnType<typeof setInterval> | null = null;
+  if (ctrl && event.key === "Tab" && event.shiftKey) { event.preventDefault(); const sessions = sessionStore.sessions; if (sessions.length < 2) return; const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId); const prev = sessions[(idx - 1 + sessions.length) % sessions.length]; sessionStore.activateSession(prev.id); return; }
-
+  if (ctrl && event.key >= "1" && event.key <= "9") { const tabIndex = parseInt(event.key, 10) - 1; const sessions = sessionStore.sessions; if (tabIndex < sessions.length) { event.preventDefault(); sessionStore.activateSession(sessions[tabIndex].id); } return; }
-function handleBeforeUnload(e: BeforeUnloadEvent): void {
+  if (ctrl && event.key === "b") { event.preventDefault(); sidebarVisible.value = !sidebarVisible.value; return; }
-  if (sessionStore.sessions.length > 0) {
+  if (ctrl && event.shiftKey && event.key.toLowerCase() === "g") { event.preventDefault(); copilotVisible.value = !copilotVisible.value; return; }
-    e.preventDefault();
+  if (ctrl && event.key === "f") { const active = sessionStore.activeSession; if (active?.protocol === "ssh") { event.preventDefault(); sessionContainer.value?.openActiveSearch(); } return; }
  }
 }
 onMounted(async () => {
-  // Confirm before closing if sessions are active (synchronous — won't hang)
+  document.addEventListener("keydown", handleKeydown);
  window.addEventListener("beforeunload", handleBeforeUnload);
  await connectionStore.loadAll();
  // Restore saved theme so every terminal opens with the user's preferred colors
  try {
    const savedThemeName = await invoke<string | null>("get_setting", { key: "active_theme" });
    if (savedThemeName) {
      const themes = await invoke<Array<{ name: string; foreground: string; background: string; cursor: string; black: string; red: string; green: string; yellow: string; blue: string; magenta: string; cyan: string; white: string; brightBlack: string; brightRed: string; brightGreen: string; brightYellow: string; brightBlue: string; brightMagenta: string; brightCyan: string; brightWhite: string }>>("list_themes");
      const theme = themes?.find(t => t.name === savedThemeName);
      if (theme) {
        sessionStore.setTheme(theme);
        statusBar.value?.setThemeName(theme.name);
      }
    }
  } catch {}
  // Restore workspace — reconnect saved tabs (non-blocking, non-fatal)
  setTimeout(async () => {
    try {
@ -518,7 +512,7 @@ onMounted(async () => {
  // Auto-save workspace every 30 seconds instead of on close
  // (onCloseRequested was hanging the window close on Windows)
-  workspaceSaveInterval = setInterval(() => {
+  setInterval(() => {
    const tabs = sessionStore.sessions
      .filter(s => s.protocol === "ssh" || s.protocol === "rdp")
      .map((s, i) => ({ connectionId: s.connectionId, protocol: s.protocol, position: i }));
@ -540,10 +534,6 @@ onMounted(async () => {
 });
 onUnmounted(() => {
-  window.removeEventListener("beforeunload", handleBeforeUnload);
+  document.removeEventListener("keydown", handleKeydown);
  if (workspaceSaveInterval !== null) {
    clearInterval(workspaceSaveInterval);
    workspaceSaveInterval = null;
  }
 });
 </script>
--- a/src/layouts/UnlockLayout.vue
+++ b/src/layouts/UnlockLayout.vue
@ -50,25 +50,68 @@ const displayError = computed(() => localError.value ?? app.error);
 </script>
 <template>
-  <div class="h-full flex items-center justify-center bg-[var(--wraith-bg-primary)]">
+  <div
-    <div class="w-full max-w-[400px] p-10 bg-[var(--wraith-bg-secondary)] border border-[var(--wraith-border)] rounded-xl shadow-[0_8px_32px_rgba(0,0,0,0.5)]">
+    class="unlock-root"
    style="
      height: 100%;
      display: flex;
      align-items: center;
      justify-content: center;
      background-color: var(--wraith-bg-primary);
    "
  >
    <div
      class="unlock-card"
      style="
        width: 100%;
        max-width: 400px;
        padding: 2.5rem;
        background-color: var(--wraith-bg-secondary);
        border: 1px solid var(--wraith-border);
        border-radius: 12px;
        box-shadow: 0 8px 32px rgba(0, 0, 0, 0.5);
      "
    >
      <!-- Logo -->
-      <div class="text-center mb-8">
+      <div style="text-align: center; margin-bottom: 2rem">
-        <span class="text-[2rem] font-extrabold tracking-[0.3em] text-[var(--wraith-accent-blue)] uppercase font-['Inter',monospace]">
+        <span
          style="
            font-size: 2rem;
            font-weight: 800;
            letter-spacing: 0.3em;
            color: var(--wraith-accent-blue);
            text-transform: uppercase;
            font-family: 'Inter', monospace;
          "
        >
          WRAITH
        </span>
-        <p class="mt-2 text-[0.8rem] text-[var(--wraith-text-muted)] tracking-[0.15em] uppercase">
+        <p
          style="
            margin: 0.5rem 0 0;
            font-size: 0.8rem;
            color: var(--wraith-text-muted);
            letter-spacing: 0.15em;
            text-transform: uppercase;
          "
        >
          {{ isFirstRun ? "Initialize Secure Vault" : "Secure Desktop" }}
        </p>
      </div>
      <!-- Form -->
-      <form @submit.prevent="handleSubmit" class="flex flex-col gap-4">
+      <form @submit.prevent="handleSubmit" style="display: flex; flex-direction: column; gap: 1rem">
        <!-- Master password -->
        <div>
          <label
            for="master-password"
-            class="block mb-[0.4rem] text-[0.8rem] text-[var(--wraith-text-secondary)] tracking-[0.05em]"
+            style="
              display: block;
              margin-bottom: 0.4rem;
              font-size: 0.8rem;
              color: var(--wraith-text-secondary);
              letter-spacing: 0.05em;
            "
          >
            MASTER PASSWORD
          </label>
@ -79,7 +122,20 @@ const displayError = computed(() => localError.value ?? app.error);
            autocomplete="current-password"
            placeholder="Enter master password"
            :disabled="loading"
-            class="w-full px-[0.9rem] py-[0.65rem] bg-[var(--wraith-bg-tertiary)] border border-[var(--wraith-border)] rounded-[6px] text-[var(--wraith-text-primary)] text-[0.95rem] outline-none transition-colors duration-150 box-border focus:border-[var(--wraith-accent-blue)]"
+            style="
              width: 100%;
              padding: 0.65rem 0.9rem;
              background-color: var(--wraith-bg-tertiary);
              border: 1px solid var(--wraith-border);
              border-radius: 6px;
              color: var(--wraith-text-primary);
              font-size: 0.95rem;
              outline: none;
              transition: border-color 0.15s ease;
              box-sizing: border-box;
            "
            @focus="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-accent-blue)'"
            @blur="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-border)'"
          />
        </div>
@ -87,7 +143,13 @@ const displayError = computed(() => localError.value ?? app.error);
        <div v-if="isFirstRun">
          <label
            for="confirm-password"
-            class="block mb-[0.4rem] text-[0.8rem] text-[var(--wraith-text-secondary)] tracking-[0.05em]"
+            style="
              display: block;
              margin-bottom: 0.4rem;
              font-size: 0.8rem;
              color: var(--wraith-text-secondary);
              letter-spacing: 0.05em;
            "
          >
            CONFIRM PASSWORD
          </label>
@ -98,9 +160,28 @@ const displayError = computed(() => localError.value ?? app.error);
            autocomplete="new-password"
            placeholder="Confirm master password"
            :disabled="loading"
-            class="w-full px-[0.9rem] py-[0.65rem] bg-[var(--wraith-bg-tertiary)] border border-[var(--wraith-border)] rounded-[6px] text-[var(--wraith-text-primary)] text-[0.95rem] outline-none transition-colors duration-150 box-border focus:border-[var(--wraith-accent-blue)]"
+            style="
              width: 100%;
              padding: 0.65rem 0.9rem;
              background-color: var(--wraith-bg-tertiary);
              border: 1px solid var(--wraith-border);
              border-radius: 6px;
              color: var(--wraith-text-primary);
              font-size: 0.95rem;
              outline: none;
              transition: border-color 0.15s ease;
              box-sizing: border-box;
            "
            @focus="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-accent-blue)'"
            @blur="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-border)'"
          />
-          <p class="mt-[0.4rem] text-[0.75rem] text-[var(--wraith-text-muted)]">
+          <p
            style="
              margin: 0.4rem 0 0;
              font-size: 0.75rem;
              color: var(--wraith-text-muted);
            "
          >
            Minimum 12 characters. This password cannot be recovered.
          </p>
        </div>
@ -108,7 +189,14 @@ const displayError = computed(() => localError.value ?? app.error);
        <!-- Error message -->
        <div
          v-if="displayError"
-          class="px-[0.9rem] py-[0.6rem] bg-[rgba(248,81,73,0.1)] border border-[rgba(248,81,73,0.3)] rounded-[6px] text-[var(--wraith-accent-red)] text-[0.85rem]"
+          style="
            padding: 0.6rem 0.9rem;
            background-color: rgba(248, 81, 73, 0.1);
            border: 1px solid rgba(248, 81, 73, 0.3);
            border-radius: 6px;
            color: var(--wraith-accent-red);
            font-size: 0.85rem;
          "
        >
          {{ displayError }}
        </div>
@ -117,8 +205,22 @@ const displayError = computed(() => localError.value ?? app.error);
        <button
          type="submit"
          :disabled="loading"
-          class="w-full py-[0.7rem] mt-2 bg-[var(--wraith-accent-blue)] text-[#0d1117] font-bold text-[0.9rem] tracking-[0.08em] uppercase border-none rounded-[6px] transition-[opacity,background-color] duration-150"
+          style="
-          :class="loading ? 'opacity-60 cursor-not-allowed' : 'cursor-pointer'"
+            width: 100%;
            padding: 0.7rem;
            margin-top: 0.5rem;
            background-color: var(--wraith-accent-blue);
            color: #0d1117;
            font-weight: 700;
            font-size: 0.9rem;
            letter-spacing: 0.08em;
            text-transform: uppercase;
            border: none;
            border-radius: 6px;
            cursor: pointer;
            transition: opacity 0.15s ease, background-color 0.15s ease;
          "
          :style="{ opacity: loading ? '0.6' : '1', cursor: loading ? 'not-allowed' : 'pointer' }"
        >
          <span v-if="loading">
            {{ isFirstRun ? "Creating vault..." : "Unlocking..." }}
@ -130,7 +232,14 @@ const displayError = computed(() => localError.value ?? app.error);
      </form>
      <!-- Footer hint -->
-      <p class="mt-6 text-center text-[0.75rem] text-[var(--wraith-text-muted)]">
+      <p
        style="
          margin: 1.5rem 0 0;
          text-align: center;
          font-size: 0.75rem;
          color: var(--wraith-text-muted);
        "
      >
        <template v-if="isFirstRun">
          Your vault will be encrypted with AES-256-GCM.
        </template>
--- a/src/stores/connection.store.ts
+++ b/src/stores/connection.store.ts
@ -51,33 +51,22 @@ export const useConnectionStore = defineStore("connection", () => {
    );
  });
  /** Memoized map of groupId → filtered connections. Recomputes only when connections or searchQuery change. */
  const connectionsByGroupMap = computed<Record<number, Connection[]>>(() => {
    const q = searchQuery.value.toLowerCase().trim();
    const map: Record<number, Connection[]> = {};
    for (const c of connections.value) {
      if (c.groupId === null) continue;
      if (q) {
        const match =
          c.name.toLowerCase().includes(q) ||
          c.hostname.toLowerCase().includes(q) ||
          c.tags?.some((t) => t.toLowerCase().includes(q));
        if (!match) continue;
      }
      if (!map[c.groupId]) map[c.groupId] = [];
      map[c.groupId].push(c);
    }
    return map;
  });
  /** Get connections belonging to a specific group. */
  function connectionsByGroup(groupId: number): Connection[] {
-    return connectionsByGroupMap.value[groupId] ?? [];
+    const q = searchQuery.value.toLowerCase().trim();
    const groupConns = connections.value.filter((c) => c.groupId === groupId);
    if (!q) return groupConns;
    return groupConns.filter(
      (c) =>
        c.name.toLowerCase().includes(q) ||
        c.hostname.toLowerCase().includes(q) ||
        c.tags?.some((t) => t.toLowerCase().includes(q)),
    );
  }
  /** Check if a group has any matching connections (for search filtering). */
  function groupHasResults(groupId: number): boolean {
-    return (connectionsByGroupMap.value[groupId]?.length ?? 0) > 0;
+    return connectionsByGroup(groupId).length > 0;
  }
  /** Load connections from the Rust backend. */
@ -112,7 +101,6 @@ export const useConnectionStore = defineStore("connection", () => {
    groups,
    searchQuery,
    filteredConnections,
    connectionsByGroupMap,
    connectionsByGroup,
    groupHasResults,
    loadConnections,
--- a/src/stores/session.store.ts
+++ b/src/stores/session.store.ts
@ -2,7 +2,6 @@ import { defineStore } from "pinia";
 import { ref, computed } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { listen } from "@tauri-apps/api/event";
 import type { UnlistenFn } from "@tauri-apps/api/event";
 import { useConnectionStore } from "@/stores/connection.store";
 import type { ThemeDefinition } from "@/components/common/ThemePicker.vue";
@ -40,14 +39,10 @@ export const useSessionStore = defineStore("session", () => {
  const sessionCount = computed(() => sessions.value.length);
  const sessionUnlisteners = new Map<string, Array<UnlistenFn>>();
  // Listen for backend close/exit events to update session status
-  async function setupStatusListeners(sessionId: string): Promise<void> {
+  function setupStatusListeners(sessionId: string): void {
-    const unlisteners: UnlistenFn[] = [];
+    listen(`ssh:close:${sessionId}`, () => markDisconnected(sessionId));
-    unlisteners.push(await listen(`ssh:close:${sessionId}`, () => markDisconnected(sessionId)));
+    listen(`ssh:exit:${sessionId}`, () => markDisconnected(sessionId));
    unlisteners.push(await listen(`ssh:exit:${sessionId}`, () => markDisconnected(sessionId)));
    sessionUnlisteners.set(sessionId, unlisteners);
  }
  function markDisconnected(sessionId: string): void {
@ -97,12 +92,6 @@ export const useSessionStore = defineStore("session", () => {
      console.error("Failed to disconnect session:", err);
    }
    const unlisteners = sessionUnlisteners.get(id);
    if (unlisteners) {
      unlisteners.forEach((fn) => fn());
      sessionUnlisteners.delete(id);
    }
    sessions.value.splice(idx, 1);
    if (activeSessionId.value === id) {
@ -126,31 +115,38 @@ export const useSessionStore = defineStore("session", () => {
    return count === 0 ? baseName : `${baseName} (${count + 1})`;
  }
-  type CredentialRow = { id: number; name: string; username: string | null; domain?: string | null; credentialType: string; sshKeyId: number | null };
+  /**
   * Connect to a server by connection ID.
   * Multiple sessions to the same host are allowed (MobaXTerm-style).
   * Each gets its own tab with a disambiguated name like "Asgard (2)".
   *
   * For Tauri: we must resolve the connection details ourselves and pass
   * hostname/port/username/password directly to connect_ssh, because the
   * Rust side has no knowledge of connection IDs — the vault owns credentials.
   */
  async function connect(connectionId: number): Promise<void> {
    const connectionStore = useConnectionStore();
    const conn = connectionStore.connections.find((c) => c.id === connectionId);
    if (!conn) return;
-  async function resolveCredentials(credentialId: number): Promise<CredentialRow | null> {
+    connecting.value = true;
    try {
-      const allCreds = await invoke<CredentialRow[]>("list_credentials");
+      if (conn.protocol === "ssh") {
      return allCreds.find((c) => c.id === credentialId) ?? null;
    } catch (credErr) {
      console.warn("Failed to resolve credential:", credErr);
      return null;
    }
  }
  async function connectSsh(
    conn: { id: number; name: string; hostname: string; port: number; credentialId?: number | null },
    connectionId: number,
  ): Promise<void> {
        let sessionId: string;
        let resolvedUsername = "";
        let resolvedPassword = "";
        // If connection has a linked credential, decrypt it from the vault
        if (conn.credentialId) {
-      const cred = await resolveCredentials(conn.credentialId);
+          try {
            const allCreds = await invoke<{ id: number; name: string; username: string | null; credentialType: string; sshKeyId: number | null }[]>("list_credentials");
            const cred = allCreds.find((c) => c.id === conn.credentialId);
            if (cred) {
              resolvedUsername = cred.username ?? "";
              if (cred.credentialType === "ssh_key" && cred.sshKeyId) {
                // SSH key auth — decrypt key from vault
                const [privateKey, passphrase] = await invoke<[string, string]>("decrypt_ssh_key", { sshKeyId: cred.sshKeyId });
                sessionId = await invoke<string>("connect_ssh_with_key", {
                  hostname: conn.hostname,
@ -161,6 +157,7 @@ export const useSessionStore = defineStore("session", () => {
                  cols: 120,
                  rows: 40,
                });
                sessions.value.push({
                  id: sessionId,
                  connectionId,
@ -173,15 +170,22 @@ export const useSessionStore = defineStore("session", () => {
                });
                setupStatusListeners(sessionId);
                activeSessionId.value = sessionId;
-          return;
+                return; // early return — key auth handled
              } else {
                // Password auth — decrypt password from vault
                resolvedPassword = await invoke<string>("decrypt_password", { credentialId: cred.id });
              }
            }
          } catch (credErr) {
            console.warn("Failed to resolve credential, will prompt:", credErr);
          }
        }
        try {
-      if (!resolvedUsername) throw new Error("NO_CREDENTIALS");
+          if (!resolvedUsername) {
            // No credential linked — prompt immediately
            throw new Error("NO_CREDENTIALS");
          }
          sessionId = await invoke<string>("connect_ssh", {
            hostname: conn.hostname,
            port: conn.port,
@ -191,13 +195,20 @@ export const useSessionStore = defineStore("session", () => {
            rows: 40,
          });
        } catch (sshErr: unknown) {
-      const errMsg = sshErr instanceof Error ? sshErr.message : typeof sshErr === "string" ? sshErr : String(sshErr);
+          const errMsg = sshErr instanceof Error
            ? sshErr.message
            : typeof sshErr === "string"
              ? sshErr
              : String(sshErr);
          // If no credentials or auth failed, prompt for username/password
          const errLower = errMsg.toLowerCase();
          if (errLower.includes("no_credentials") || errLower.includes("unable to authenticate") || errLower.includes("authentication") || errLower.includes("rejected")) {
            const username = window.prompt(`Username for ${conn.hostname}:`, resolvedUsername || "root");
            if (!username) throw new Error("Connection cancelled");
            const password = window.prompt(`Password for ${username}@${conn.hostname}:`);
            if (password === null) throw new Error("Connection cancelled");
            resolvedUsername = username;
            sessionId = await invoke<string>("connect_ssh", {
              hostname: conn.hostname,
@ -224,25 +235,27 @@ export const useSessionStore = defineStore("session", () => {
        });
        setupStatusListeners(sessionId);
        activeSessionId.value = sessionId;
-  }
+      } else if (conn.protocol === "rdp") {
  async function connectRdp(
    conn: { id: number; name: string; hostname: string; port: number; credentialId?: number | null; options?: string },
    connectionId: number,
  ): Promise<void> {
        let username = "";
        let password = "";
        let domain = "";
        // Try vault credentials first (same as SSH path)
        if (conn.credentialId) {
-      const cred = await resolveCredentials(conn.credentialId);
+          try {
            const allCreds = await invoke<{ id: number; name: string; username: string | null; domain: string | null; credentialType: string; sshKeyId: number | null }[]>("list_credentials");
            const cred = allCreds.find((c) => c.id === conn.credentialId);
            if (cred && cred.credentialType === "password") {
              username = cred.username ?? "";
              domain = cred.domain ?? "";
              password = await invoke<string>("decrypt_password", { credentialId: cred.id });
            }
          } catch (credErr) {
            console.warn("Failed to resolve RDP credential from vault:", credErr);
          }
        }
        // Fall back to connection options JSON if vault didn't provide creds
        if (!username && conn.options) {
          try {
            const opts = JSON.parse(conn.options);
@ -257,19 +270,53 @@ export const useSessionStore = defineStore("session", () => {
        let sessionId: string;
        try {
          sessionId = await invoke<string>("connect_rdp", {
-        config: { hostname: conn.hostname, port: conn.port, username, password, domain, width: 1920, height: 1080 },
+            config: {
              hostname: conn.hostname,
              port: conn.port,
              username,
              password,
              domain,
              width: 1920,
              height: 1080,
            },
          });
        } catch (rdpErr: unknown) {
-      const errMsg = rdpErr instanceof Error ? rdpErr.message : typeof rdpErr === "string" ? rdpErr : String(rdpErr);
+          const errMsg =
-      if (errMsg.includes("NO_CREDENTIALS") || errMsg.includes("authentication") || errMsg.includes("logon failure")) {
+            rdpErr instanceof Error
-        const promptedUsername = prompt(`Username for ${conn.hostname}:`, "Administrator");
+              ? rdpErr.message
              : typeof rdpErr === "string"
                ? rdpErr
                : String(rdpErr);
          // If credentials are missing or rejected, prompt the operator
          if (
            errMsg.includes("NO_CREDENTIALS") ||
            errMsg.includes("authentication") ||
            errMsg.includes("logon failure")
          ) {
            const promptedUsername = prompt(
              `Username for ${conn.hostname}:`,
              "Administrator",
            );
            if (!promptedUsername) throw new Error("Connection cancelled");
-        const promptedPassword = prompt(`Password for ${promptedUsername}@${conn.hostname}:`);
+            const promptedPassword = prompt(
              `Password for ${promptedUsername}@${conn.hostname}:`,
            );
            if (promptedPassword === null) throw new Error("Connection cancelled");
            const promptedDomain = prompt(`Domain (leave blank if none):`, "") ?? "";
            username = promptedUsername;
            sessionId = await invoke<string>("connect_rdp", {
-          config: { hostname: conn.hostname, port: conn.port, username: promptedUsername, password: promptedPassword, domain: promptedDomain, width: 1920, height: 1080 },
+              config: {
                hostname: conn.hostname,
                port: conn.port,
                username: promptedUsername,
                password: promptedPassword,
                domain: promptedDomain,
                width: 1920,
                height: 1080,
              },
            });
          } else {
            throw rdpErr;
@ -288,28 +335,11 @@ export const useSessionStore = defineStore("session", () => {
        });
        activeSessionId.value = sessionId;
      }
  /**
   * Connect to a server by connection ID.
   * Multiple sessions to the same host are allowed (MobaXTerm-style).
   * Each gets its own tab with a disambiguated name like "Asgard (2)".
   */
  async function connect(connectionId: number): Promise<void> {
    const connectionStore = useConnectionStore();
    const conn = connectionStore.connections.find((c) => c.id === connectionId);
    if (!conn) return;
    connecting.value = true;
    try {
      if (conn.protocol === "ssh") {
        await connectSsh(conn, connectionId);
      } else if (conn.protocol === "rdp") {
        await connectRdp(conn, connectionId);
      }
    } catch (err: unknown) {
      const msg = err instanceof Error ? err.message : typeof err === "string" ? err : String(err);
      console.error("Connection failed:", msg);
      lastError.value = msg;
      // Show error as native alert so it's visible without DevTools
      alert(`Connection failed: ${msg}`);
    } finally {
      connecting.value = false;
@ -336,8 +366,7 @@ export const useSessionStore = defineStore("session", () => {
      });
      // Listen for PTY close
-      const unlistenPty = await listen(`pty:close:${sessionId}`, () => markDisconnected(sessionId));
+      listen(`pty:close:${sessionId}`, () => markDisconnected(sessionId));
      sessionUnlisteners.set(sessionId, [unlistenPty]);
      activeSessionId.value = sessionId;
    } catch (err: unknown) {
--- a/vite.config.ts
+++ b/vite.config.ts
@ -1,20 +1,10 @@
-import { defineConfig, type Plugin } from "vite";
+import { defineConfig } from "vite";
 import vue from "@vitejs/plugin-vue";
 import tailwindcss from "@tailwindcss/vite";
 import { resolve } from "path";
 /** Strip crossorigin attribute from HTML — WKWebView + Tauri custom protocol compatibility. */
 function stripCrossOrigin(): Plugin {
  return {
    name: "strip-crossorigin",
    transformIndexHtml(html) {
      return html.replace(/ crossorigin/g, "");
    },
  };
 }
 export default defineConfig({
-  plugins: [vue(), tailwindcss(), stripCrossOrigin()],
+  plugins: [vue(), tailwindcss()],
  resolve: {
    alias: {
      "@": resolve(__dirname, "src"),
@ -33,9 +23,5 @@ export default defineConfig({
    target: ["es2021", "chrome100", "safari13"],
    minify: !process.env.TAURI_DEBUG ? "esbuild" : false,
    sourcemap: !!process.env.TAURI_DEBUG,
    // Disable crossorigin attribute on script/link tags — WKWebView on
    // macOS may reject CORS-mode requests for Tauri's custom tauri://
    // protocol in dynamically created child WebviewWindows.
    crossOriginLoading: false,
  },
 });