fix: WebviewUrl::App hash fragment bug — tool windows loading empty page

ROOT CAUSE FOUND: WebviewUrl::App takes a PathBuf, not a URL. Passing "index.html#/tool/ping?sessionId=abc" treated the ENTIRE string including # and ? as a file path. Tauri looked for a file literally named "index.html#/tool/ping?sessionId=abc" which doesn't exist. The webview loaded an empty/404 page and WKWebView killed the content process, closing the window instantly. Fix: - Rust: split URL at '#' — pass only "index.html" to WebviewUrl::App, then set the hash fragment via window.eval() after build() - Vue: App.vue now listens for 'hashchange' event in addition to checking hash on mount, so the eval-injected hash triggers the correct tool/detached mode This was NEVER a CSP issue, focus issue, crossorigin issue, or async chunk loading issue. It was always a bad file path. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix: Rust-side window creation + RDP tab switch layout delay
2026-03-30 15:04:30 -04:00 · 2026-03-30 14:29:14 -04:00 · 2026-03-30 13:40:30 -04:00 · 2026-03-30 13:35:39 -04:00 · 2026-03-30 13:07:43 -04:00 · 2026-03-30 13:06:35 -04:00
95 changed files with 7485 additions and 784 deletions
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@ -61,13 +61,24 @@ jobs:
          $env:Path = "$env:EXTRA_PATH;$env:Path"
          cargo install tauri-cli --version "^2"
-      - name: Build Tauri app
+      - name: Build Tauri app (with update signing)
        shell: powershell
        run: |
          $env:Path = "$env:EXTRA_PATH;$env:Path"
          $env:TAURI_SIGNING_PRIVATE_KEY = "${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}"
          $env:TAURI_SIGNING_PRIVATE_KEY_PASSWORD = "${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}"
          cargo tauri build
          Write-Host "=== Build output ==="
-          Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
+          Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*
      - name: Build and package MCP bridge binary
        shell: powershell
        run: |
          $env:Path = "$env:EXTRA_PATH;$env:Path"
          cd src-tauri
          cargo build --release --bin wraith-mcp-bridge
          Write-Host "Bridge binary built:"
          Get-ChildItem target\release\wraith-mcp-bridge.exe
      - name: Download jsign
        shell: powershell
@ -93,7 +104,10 @@ jobs:
        run: |
          $env:Path = "$env:EXTRA_PATH;$env:Path"
          $token = [System.IO.File]::ReadAllText("$env:TEMP\aztoken.txt")
-          $binaries = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
+          # Sign NSIS installers + MCP bridge binary
          $binaries = @()
          $binaries += Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
          $binaries += Get-Item src-tauri\target\release\wraith-mcp-bridge.exe -ErrorAction SilentlyContinue
          foreach ($binary in $binaries) {
            Write-Host "Signing: $($binary.FullName)"
            java -jar jsign.jar --storetype AZUREKEYVAULT --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" --storepass $token --alias "${{ secrets.AZURE_CERT_NAME }}" --tsaurl http://timestamp.digicert.com --tsmode RFC3161 $binary.FullName
@ -101,42 +115,83 @@ jobs:
          }
          Remove-Item "$env:TEMP\aztoken.txt" -ErrorAction SilentlyContinue
-      - name: Upload to Gitea
+      - name: Upload all artifacts to SeaweedFS
        shell: powershell
        run: |
          $ver = ("${{ github.ref_name }}" -replace '^v','')
-          $giteaUrl = "https://git.command.vigilcyber.com"
+          $s3 = "https://files.command.vigilcyber.com/wraith"
          $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
          # Upload installer
          $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
          foreach ($file in $installers) {
            $hash = (Get-FileHash $file.FullName -Algorithm SHA256).Hash.ToLower()
            @{ version = $ver; filename = $file.Name; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
            Write-Host "Uploading: $($file.Name)"
-            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$($file.Name)" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $file.FullName
+            Invoke-RestMethod -Uri "$s3/$ver/$($file.Name)" -Method PUT -ContentType "application/octet-stream" -InFile $file.FullName
-
+            # Also upload as 'latest' for direct download links
-            Write-Host "Uploading: version.json"
+            Invoke-RestMethod -Uri "$s3/latest/$($file.Name)" -Method PUT -ContentType "application/octet-stream" -InFile $file.FullName
            Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/version.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile version.json
          }
-          Write-Host "=== Upload complete ==="
+          # Upload MCP bridge binary
          $bridge = "src-tauri\target\release\wraith-mcp-bridge.exe"
          if (Test-Path $bridge) {
            Write-Host "Uploading: wraith-mcp-bridge.exe"
            Invoke-RestMethod -Uri "$s3/$ver/wraith-mcp-bridge.exe" -Method PUT -ContentType "application/octet-stream" -InFile $bridge
            Invoke-RestMethod -Uri "$s3/latest/wraith-mcp-bridge.exe" -Method PUT -ContentType "application/octet-stream" -InFile $bridge
          }
-      - name: Create Release and attach installers
+          # Upload .nsis.zip for Tauri auto-updater
          $zipFile = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.nsis.zip | Select-Object -First 1
          if ($zipFile) {
            Write-Host "Uploading: $($zipFile.Name)"
            Invoke-RestMethod -Uri "$s3/$ver/$($zipFile.Name)" -Method PUT -ContentType "application/octet-stream" -InFile $zipFile.FullName
          }
          # Upload version.json metadata
          $installer = $installers | Select-Object -First 1
          if ($installer) {
            $hash = (Get-FileHash $installer.FullName -Algorithm SHA256).Hash.ToLower()
            @{ version = $ver; filename = $installer.Name; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
            Invoke-RestMethod -Uri "$s3/$ver/version.json" -Method PUT -ContentType "application/json" -InFile version.json
            Invoke-RestMethod -Uri "$s3/latest/version.json" -Method PUT -ContentType "application/json" -InFile version.json
          }
          Write-Host "=== SeaweedFS upload complete ==="
      - name: Generate and upload update.json for Tauri updater
        shell: powershell
        run: |
          $ver = ("${{ github.ref_name }}" -replace '^v','')
-          $giteaUrl = "https://git.command.vigilcyber.com"
+          $s3 = "https://files.command.vigilcyber.com/wraith"
          $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}"; "Content-Type" = "application/json" }
          $body = @{ tag_name = "v$ver"; name = "Wraith v$ver"; body = "Wraith Desktop v$ver - Tauri v2 / Rust build." } | ConvertTo-Json
          $release = Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" -Method POST -Headers $headers -Body $body
          $releaseId = $release.id
          Write-Host "Release v$ver created (id: $releaseId)"
-          $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
+          $sigFile = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.nsis.zip.sig | Select-Object -First 1
-          $uploadHeaders = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
+          $zipFile = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.nsis.zip | Select-Object -First 1
-          foreach ($file in $installers) {
+
-            Write-Host "Attaching $($file.Name) to release..."
+          if ($sigFile -and $zipFile) {
-            Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases/$releaseId/assets?name=$($file.Name)" -Method POST -Headers $uploadHeaders -ContentType "application/octet-stream" -InFile $file.FullName
+            $signature = Get-Content $sigFile.FullName -Raw
-            Write-Host "Attached: $($file.Name)"
+            $downloadUrl = "$s3/$ver/$($zipFile.Name)"
            $updateJson = @{
              version = "v$ver"
              notes = "Wraith Desktop v$ver"
              pub_date = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ")
              platforms = @{
                "windows-x86_64" = @{
                  signature = $signature.Trim()
                  url = $downloadUrl
                }
              }
            } | ConvertTo-Json -Depth 4
            $updateJson | Out-File update.json -Encoding utf8
            Write-Host "update.json content:"
            Get-Content update.json
            # Upload to root (Tauri updater endpoint)
            Invoke-RestMethod -Uri "$s3/update.json" -Method PUT -ContentType "application/json" -InFile update.json
            # Also versioned copy
            Invoke-RestMethod -Uri "$s3/$ver/update.json" -Method PUT -ContentType "application/json" -InFile update.json
            Write-Host "=== Update manifest uploaded ==="
          } else {
            Write-Host 'WARNING - No .sig file found, update signing may have failed'
          }
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,7 @@
 node_modules/
 dist/
 src-tauri/target/
 src-tauri/binaries/
 *.log
 .DS_Store
 .claude/worktrees/
--- a/AGENTS.md
+++ b/AGENTS.md
@ -53,7 +53,7 @@ The Commander may direct Gemini to work on Wraith alongside or instead of Claude
 ## The Go Reference
-The Go version of Wraith lives at `../wraith`. It is the reference implementation:
+The Go version of Wraith lives at `../wraith-go-archive`. It is the reference implementation:
 - SSH terminal with xterm.js worked
 - SFTP sidebar with CWD following worked
 - Connection manager with groups and search worked
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -16,7 +16,7 @@ You are the Wraith XO. The Commander built this from a working Go/Wails v3 proto
 **Don't be timid.** The Go version worked. Users connected to servers, transferred files, managed sessions. Your Rust version needs to match that and surpass it. If something is broken, fix it. If something is missing, build it. If you need to make an architectural decision, present COAs — don't ask "should I proceed?"
-**The Go version is your reference implementation.** It lives at `../wraith`. The SSH terminal worked. The SFTP sidebar worked. The connection manager worked. The vault worked. When in doubt about what a feature should do, read the Go code. It's the spec that ran in production.
+**The Go version is your reference implementation.** It lives at `../wraith-go-archive`. The SSH terminal worked. The SFTP sidebar worked. The connection manager worked. The vault worked. When in doubt about what a feature should do, read the Go code. It's the spec that ran in production.
 ## Tech Stack
@ -61,7 +61,7 @@ npm install                 # Install frontend deps
 npm run dev                 # Vite dev server only
 cargo tauri dev             # Full app (Rust + frontend)
 cargo tauri build           # Production build
-cd src-tauri && cargo test  # Run Rust tests (87 tests)
+cd src-tauri && cargo test  # Run Rust tests (95 tests)
 cd src-tauri && cargo build # Build Rust only
 ```
@ -76,7 +76,7 @@ cd src-tauri && cargo build # Build Rust only
 ## V4_WORKFLOW — Standard Operating Procedure
-**Phase 1: RECON** — Read all relevant files before proposing changes. Understand patterns, dependencies, blast radius. When touching Rust, check the Go version at `../wraith` for how it was done before.
+**Phase 1: RECON** — Read all relevant files before proposing changes. Understand patterns, dependencies, blast radius. When touching Rust, check the Go version at `../wraith-go-archive` for how it was done before.
 **Phase 2: PLAN** — Present approach for approval. **Never make executive decisions autonomously** — surface trade-offs as COAs (Courses of Action).
@ -92,7 +92,7 @@ cd src-tauri && cargo build # Build Rust only
 - **Don't ask "should I proceed?" when the answer is obviously yes.** Read the room. If the Commander gave you a task, execute it.
 - **If something is broken, fix it.** Don't document it and move on. Fix it.
 - **Tauri v2 ACL is mandatory.** Every new Tauri command or event MUST be added to `capabilities/default.json` or it will silently fail.
- **Check the Go version first.** Before building any feature, read how `../wraith` did it. Don't reinvent what was already solved.
+- **Check the Go version first.** Before building any feature, read how `../wraith-go-archive` did it. Don't reinvent what was already solved.
 ## Key Design Decisions
@ -106,7 +106,7 @@ cd src-tauri && cargo build # Build Rust only
 1. **Tauri v2 capabilities are not optional.** The blank screen bug that stumped the first XO was a missing `"url": "index.html"` in `tauri.conf.json` and an empty `capabilities/` directory. Tauri v2's security model blocks ALL frontend event listeners and IPC calls without explicit permissions. Every new feature that uses `emit()`, `listen()`, or `invoke()` must have a corresponding entry in `capabilities/default.json`. If the frontend silently does nothing, check capabilities first.
-2. **The Go version is the spec.** When in doubt about what a feature should do, how it should behave, or what edge cases to handle — read the Go code at `../wraith`. It ran. Users used it. The terminal worked, the SFTP worked, the vault worked. Don't guess. Read.
+2. **The Go version is the spec.** When in doubt about what a feature should do, how it should behave, or what edge cases to handle — read the Go code at `../wraith-go-archive`. It ran. Users used it. The terminal worked, the SFTP worked, the vault worked. Don't guess. Read.
 3. **Rust backend command names must match frontend invoke names exactly.** If the frontend calls `invoke('disconnect_ssh')` but the backend exports `disconnect_session`, nothing happens. No error. Silent failure. When adding Tauri commands, grep the frontend for the exact invoke string.
@ -116,7 +116,7 @@ cd src-tauri && cargo build # Build Rust only
 ## Lineage
-This is a ground-up Rust rewrite of `wraith` (Go/Wails v3). The Go version is at `../wraith`. The original design spec is at `docs/superpowers/specs/2026-03-17-wraith-desktop-design.md` in the Go repo. The enterprise feature roadmap is at `../wraith/docs/FUTURE-FEATURES.md`.
+This is a ground-up Rust rewrite of `wraith` (Go/Wails v3). The Go version is at `../wraith-go-archive`. The original design spec is at `docs/superpowers/specs/2026-03-17-wraith-desktop-design.md` in the Go repo. The enterprise feature roadmap is at `../wraith-go-archive/docs/FUTURE-FEATURES.md`.
 ## Future Vision
--- a/docs/screenshots/stats-and-status-bars.png
+++ b/docs/screenshots/stats-and-status-bars.png
--- a/docs/specs/wraith-terminal-mcp-spec.md
+++ b/docs/specs/wraith-terminal-mcp-spec.md
@ -0,0 +1,340 @@
 # Wraith Terminal MCP — Design Specification
 **Date:** March 25, 2026
 **Status:** Draft
 **Author:** Gargoyle (HQ XO)
 ---
 ## 1. Problem
 The AI copilot panel in Wraith runs CLI tools (Claude, Gemini, Codex) in a local PTY. The AI can chat with the user, but it cannot independently interact with active SSH/RDP sessions. The technician has to manually copy-paste terminal output into the AI and relay commands back.
 The goal: let the AI **drive** the terminal. Read output. Execute commands. Take screenshots. React to errors. All through a standardized protocol.
 ---
 ## 2. Solution: Wraith Terminal MCP Server
 Implement an MCP (Model Context Protocol) server inside Wraith's Rust backend that exposes active sessions as tools and resources. The AI CLI running in the copilot panel connects to this MCP server and gains programmatic access to every open session.
 ### Architecture
 ```
 AI CLI (claude/gemini)
    |
    +-- MCP Client (built into the CLI)
    |
    +-- connects to localhost:PORT or Unix socket
    |
    v
 Wraith MCP Server (Rust, runs inside Tauri)
    |
    +-- Tool: terminal_execute(session_id, command)
    +-- Tool: terminal_read(session_id, lines?)
    +-- Tool: terminal_screenshot(session_id)  [RDP only]
    +-- Tool: sftp_list(session_id, path)
    +-- Tool: sftp_read(session_id, path)
    +-- Tool: sftp_write(session_id, path, content)
    +-- Resource: sessions://list
    +-- Resource: sessions://{id}/info
    +-- Resource: sessions://{id}/scrollback
 ```
 ---
 ## 3. MCP Server Implementation
 ### 3.1 Transport
 Two options for how the AI CLI connects to the MCP server:
 **Option A: stdio (Recommended for v1)**
 - The copilot panel spawns the AI CLI with `--mcp-server` flag pointing to a Wraith helper binary
 - The helper binary communicates with Wraith's Tauri backend via Tauri commands
 - Simple, no port management, no firewall issues
 - Pattern: AI CLI → stdio → wraith-mcp-bridge → Tauri invoke → session data
 **Option B: HTTP/SSE (Future)**
 - Wraith runs an HTTP server on localhost:random-port
 - AI CLI connects via `--mcp-server http://localhost:PORT`
 - More flexible (multiple AI CLIs can connect), but requires port management
 - Pattern: AI CLI → HTTP → Wraith MCP HTTP handler → session data
 ### 3.2 Rust Implementation
 ```
 src-tauri/src/mcp/
    mod.rs          — MCP server lifecycle, transport handling
    tools.rs        — Tool definitions (terminal_execute, screenshot, etc.)
    resources.rs    — Resource definitions (session list, scrollback)
    bridge.rs       — Bridge between MCP protocol and existing services
 ```
 The MCP server reuses existing services:
 - `SshService` — for terminal_execute, terminal_read on SSH sessions
 - `RdpService` — for terminal_screenshot on RDP sessions
 - `SftpService` — for sftp_list, sftp_read, sftp_write
 - `PtyService` — for local shell access
 - `SessionStore` (DashMap) — for session enumeration
 ---
 ## 4. Tools
 ### 4.1 terminal_execute
 Execute a command in an active SSH or local PTY session and return the output.
 ```json
 {
  "name": "terminal_execute",
  "description": "Execute a command in a terminal session and return output",
  "parameters": {
    "session_id": "string — the active session ID",
    "command": "string — the command to run (newline appended automatically)",
    "timeout_ms": "number — max wait for output (default: 5000)"
  },
  "returns": "string — captured terminal output after command execution"
 }
 ```
 **Implementation:** Write command + `\n` to the session's writer. Start capturing output from the session's reader. Wait for a shell prompt pattern or timeout. Return captured bytes as UTF-8 string.
 **Challenge:** Detecting when command output is "done" — shell prompt detection is fragile. Options:
 - **Marker approach:** Send `echo __WRAITH_DONE__` after the command, capture until marker appears
 - **Timeout approach:** Wait N ms after last output byte, assume done
 - **Prompt regex:** Configurable prompt pattern (default: `$ `, `# `, `> `, `PS>`)
 Recommend: marker approach for SSH, timeout approach for PTY (since local shells have predictable prompt timing).
 ### 4.2 terminal_read
 Read the current scrollback or recent output from a session without executing anything.
 ```json
 {
  "name": "terminal_read",
  "description": "Read recent terminal output from a session",
  "parameters": {
    "session_id": "string",
    "lines": "number — last N lines (default: 50)"
  },
  "returns": "string — terminal scrollback content (ANSI stripped)"
 }
 ```
 **Implementation:** Maintain a circular buffer of recent output per session (last 10KB). On read, return the last N lines with ANSI escape codes stripped.
 **Note:** The buffer exists in the Rust backend, not xterm.js. The AI doesn't need to scrape the DOM — it reads from the same data stream that feeds the terminal.
 ### 4.3 terminal_screenshot
 Capture the current frame of an RDP session as a base64-encoded PNG.
 ```json
 {
  "name": "terminal_screenshot",
  "description": "Capture a screenshot of an RDP session",
  "parameters": {
    "session_id": "string — must be an RDP session"
  },
  "returns": "string — base64-encoded PNG image"
 }
 ```
 **Implementation:** The RDP frame buffer is already maintained by `RdpService`. Encode the current frame as PNG (using the `image` crate), base64 encode, return. The AI CLI passes this to the multimodal AI provider for visual analysis.
 **Use case:** "Screenshot the error on screen. What can you tell me about it?"
 ### 4.4 sftp_list
 List files in a directory on the remote host via the session's SFTP channel.
 ```json
 {
  "name": "sftp_list",
  "description": "List files in a remote directory",
  "parameters": {
    "session_id": "string",
    "path": "string — remote directory path"
  },
  "returns": "array of { name, size, modified, is_dir }"
 }
 ```
 ### 4.5 sftp_read
 Read a file from the remote host.
 ```json
 {
  "name": "sftp_read",
  "description": "Read a file from the remote host",
  "parameters": {
    "session_id": "string",
    "path": "string — remote file path",
    "max_bytes": "number — limit (default: 1MB)"
  },
  "returns": "string — file content (UTF-8) or base64 for binary"
 }
 ```
 ### 4.6 sftp_write
 Write a file to the remote host.
 ```json
 {
  "name": "sftp_write",
  "description": "Write content to a file on the remote host",
  "parameters": {
    "session_id": "string",
    "path": "string — remote file path",
    "content": "string — file content"
  }
 }
 ```
 ---
 ## 5. Resources
 ### 5.1 sessions://list
 Returns all active sessions with their type, connection info, and status.
 ```json
 [
  {
    "id": "ssh-abc123",
    "type": "ssh",
    "name": "prod-web-01",
    "host": "10.0.1.50",
    "username": "admin",
    "status": "connected"
  },
  {
    "id": "rdp-def456",
    "type": "rdp",
    "name": "dc-01",
    "host": "10.0.1.10",
    "status": "connected"
  }
 ]
 ```
 ### 5.2 sessions://{id}/info
 Detailed info about a specific session — connection parameters, uptime, bytes transferred.
 ### 5.3 sessions://{id}/scrollback
 Full scrollback buffer for a terminal session (last 10KB, ANSI stripped).
 ---
 ## 6. Security
 - **MCP server only binds to localhost** — no remote access, no network exposure
 - **Session access inherits Wraith's auth** — if the user is logged into Wraith, the MCP server trusts the connection
 - **No credential exposure** — the MCP tools execute commands through existing authenticated sessions. The AI never sees passwords or SSH keys.
 - **Audit trail** — every MCP tool invocation logged with timestamp, session ID, command, and result size
 - **Read-only option** — sessions can be marked read-only in connection settings, preventing terminal_execute and sftp_write
 ---
 ## 7. AI CLI Integration
 ### 7.1 Claude Code
 Claude Code already supports MCP servers via `--mcp-server` flag or `.claude/settings.json`. Configuration:
 ```json
 {
  "mcpServers": {
    "wraith": {
      "command": "wraith-mcp-bridge",
      "args": []
    }
  }
 }
 ```
 The `wraith-mcp-bridge` is a small binary that Wraith ships alongside the main app. It communicates with the running Wraith instance via Tauri's IPC.
 ### 7.2 Gemini CLI
 Gemini CLI supports MCP servers similarly. Same bridge binary, same configuration pattern.
 ### 7.3 Auto-Configuration
 When the copilot panel launches an AI CLI, Wraith can auto-inject the MCP server configuration via environment variables or command-line flags, so the user doesn't have to manually configure anything.
 ```rust
 // When spawning the AI CLI in the PTY:
 let mut cmd = CommandBuilder::new(shell_path);
 cmd.env("CLAUDE_MCP_SERVERS", r#"{"wraith":{"command":"wraith-mcp-bridge"}}"#);
 ```
 ---
 ## 8. Data Flow Example
 **User says to Claude in copilot panel:** "Check disk space on the server I'm connected to"
 1. Claude's MCP client calls `sessions://list` → gets `[{id: "ssh-abc", name: "prod-web-01", ...}]`
 2. Claude calls `terminal_execute(session_id: "ssh-abc", command: "df -h")`
 3. Wraith MCP bridge → Tauri invoke → SshService.write("ssh-abc", "df -h\n")
 4. Wraith captures output until prompt marker
 5. Returns: `/dev/sda1  50G  45G  5G  90% /`
 6. Claude analyzes: "Your root partition is at 90%. You should clean up /var/log or expand the disk."
 **User says:** "Screenshot the RDP session, what's that error?"
 1. Claude calls `terminal_screenshot(session_id: "rdp-def")`
 2. Wraith MCP bridge → RdpService.get_frame("rdp-def") → PNG encode → base64
 3. Returns 200KB base64 PNG
 4. Claude (multimodal) analyzes the image: "That's a Windows Event Viewer showing Event ID 1001 — application crash in outlook.exe. The faulting module is mso.dll. This is a known Office corruption issue. Run `sfc /scannow` or repair Office from Control Panel."
 ---
 ## 9. Implementation Phases
 ### Phase 1: Bridge + Basic Tools (MVP)
 - `wraith-mcp-bridge` binary (stdio transport)
 - `terminal_execute` tool (marker-based output capture)
 - `terminal_read` tool (scrollback buffer)
 - `sessions://list` resource
 - Auto-configuration when spawning AI CLI
 ### Phase 2: SFTP + Screenshot
 - `sftp_list`, `sftp_read`, `sftp_write` tools
 - `terminal_screenshot` tool (RDP frame capture)
 - Session info resource
 ### Phase 3: Advanced
 - HTTP/SSE transport for multi-client access
 - Read-only session enforcement
 - Audit trail logging
 - AI-initiated session creation ("Connect me to prod-web-01")
 ---
 ## 10. Dependencies
 | Component | Crate/Tool | License |
 |---|---|---|
 | MCP protocol | Custom implementation (JSON-RPC over stdio) | Proprietary |
 | PNG encoding | `image` crate | MIT/Apache-2.0 |
 | Base64 | `base64` crate (already in deps) | MIT/Apache-2.0 |
 | ANSI stripping | `strip-ansi-escapes` crate | MIT/Apache-2.0 |
 | Bridge binary | Rust, ships alongside Wraith | Proprietary |
 ---
 ## 11. Black Binder Note
 An MCP server embedded in a remote access client that gives AI tools programmatic access to live SSH, RDP, and SFTP sessions is, to the company's knowledge, a novel integration. No competing SSH/RDP client ships with an MCP server that allows AI assistants to interact with active remote sessions.
 The combination of terminal command execution, RDP screenshot analysis, and SFTP file operations through a standardized AI tool protocol represents a new category of AI-augmented remote access.
--- a/package-lock.json
+++ b/package-lock.json
@ -19,7 +19,9 @@
        "@codemirror/theme-one-dark": "^6.0.0",
        "@codemirror/view": "^6.0.0",
        "@tauri-apps/api": "^2.0.0",
        "@tauri-apps/plugin-process": "^2.3.1",
        "@tauri-apps/plugin-shell": "^2.0.0",
        "@tauri-apps/plugin-updater": "^2.10.0",
        "@xterm/addon-fit": "^0.11.0",
        "@xterm/addon-search": "^0.16.0",
        "@xterm/addon-web-links": "^0.12.0",
@ -1516,6 +1518,15 @@
        "url": "https://opencollective.com/tauri"
      }
    },
    "node_modules/@tauri-apps/plugin-process": {
      "version": "2.3.1",
      "resolved": "https://registry.npmjs.org/@tauri-apps/plugin-process/-/plugin-process-2.3.1.tgz",
      "integrity": "sha512-nCa4fGVaDL/B9ai03VyPOjfAHRHSBz5v6F/ObsB73r/dA3MHHhZtldaDMIc0V/pnUw9ehzr2iEG+XkSEyC0JJA==",
      "license": "MIT OR Apache-2.0",
      "dependencies": {
        "@tauri-apps/api": "^2.8.0"
      }
    },
    "node_modules/@tauri-apps/plugin-shell": {
      "version": "2.3.5",
      "resolved": "https://registry.npmjs.org/@tauri-apps/plugin-shell/-/plugin-shell-2.3.5.tgz",
@ -1525,6 +1536,15 @@
        "@tauri-apps/api": "^2.10.1"
      }
    },
    "node_modules/@tauri-apps/plugin-updater": {
      "version": "2.10.0",
      "resolved": "https://registry.npmjs.org/@tauri-apps/plugin-updater/-/plugin-updater-2.10.0.tgz",
      "integrity": "sha512-ljN8jPlnT0aSn8ecYhuBib84alxfMx6Hc8vJSKMJyzGbTPFZAC44T2I1QNFZssgWKrAlofvJqCC6Rr472JWfkQ==",
      "license": "MIT OR Apache-2.0",
      "dependencies": {
        "@tauri-apps/api": "^2.10.1"
      }
    },
    "node_modules/@types/estree": {
      "version": "1.0.8",
      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
--- a/package.json
+++ b/package.json
@ -10,31 +10,33 @@
    "tauri": "tauri"
  },
  "dependencies": {
-    "vue": "^3.5.0",
+    "@codemirror/autocomplete": "^6.0.0",
-    "pinia": "^3.0.0",
+    "@codemirror/commands": "^6.0.0",
    "@codemirror/lang-javascript": "^6.0.0",
    "@codemirror/lang-json": "^6.0.0",
    "@codemirror/lang-markdown": "^6.0.0",
    "@codemirror/lang-python": "^6.0.0",
    "@codemirror/language": "^6.0.0",
    "@codemirror/state": "^6.0.0",
    "@codemirror/theme-one-dark": "^6.0.0",
    "@codemirror/view": "^6.0.0",
    "@tauri-apps/api": "^2.0.0",
    "@tauri-apps/plugin-process": "^2.3.1",
    "@tauri-apps/plugin-shell": "^2.0.0",
-    "@xterm/xterm": "^6.0.0",
+    "@tauri-apps/plugin-updater": "^2.10.0",
    "@xterm/addon-fit": "^0.11.0",
    "@xterm/addon-search": "^0.16.0",
    "@xterm/addon-web-links": "^0.12.0",
-    "@codemirror/view": "^6.0.0",
+    "@xterm/xterm": "^6.0.0",
-    "@codemirror/state": "^6.0.0",
+    "pinia": "^3.0.0",
-    "@codemirror/commands": "^6.0.0",
+    "vue": "^3.5.0"
    "@codemirror/language": "^6.0.0",
    "@codemirror/lang-javascript": "^6.0.0",
    "@codemirror/lang-json": "^6.0.0",
    "@codemirror/lang-python": "^6.0.0",
    "@codemirror/lang-markdown": "^6.0.0",
    "@codemirror/autocomplete": "^6.0.0",
    "@codemirror/theme-one-dark": "^6.0.0"
  },
  "devDependencies": {
    "@tailwindcss/vite": "^4.0.0",
    "@vitejs/plugin-vue": "^5.0.0",
    "tailwindcss": "^4.0.0",
    "typescript": "^5.7.0",
    "vite": "^6.0.0",
-    "@vitejs/plugin-vue": "^5.0.0",
+    "vue-tsc": "^2.0.0"
    "vue-tsc": "^2.0.0",
    "tailwindcss": "^4.0.0",
    "@tailwindcss/vite": "^4.0.0"
  }
 }
--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
@ -356,6 +356,58 @@ dependencies = [
 "fs_extra",
 ]
 [[package]]
 name = "axum"
 version = "0.8.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b52af3cb4058c895d37317bb27508dccc8e5f2d39454016b297bf4a400597b8"
 dependencies = [
 "axum-core",
 "bytes",
 "form_urlencoded",
 "futures-util",
 "http",
 "http-body",
 "http-body-util",
 "hyper",
 "hyper-util",
 "itoa",
 "matchit",
 "memchr",
 "mime",
 "percent-encoding",
 "pin-project-lite",
 "serde_core",
 "serde_json",
 "serde_path_to_error",
 "serde_urlencoded",
 "sync_wrapper",
 "tokio",
 "tower",
 "tower-layer",
 "tower-service",
 "tracing",
 ]
 [[package]]
 name = "axum-core"
 version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08c78f31d7b1291f7ee735c1c6780ccde7785daae9a9206026862dab7d8792d1"
 dependencies = [
 "bytes",
 "futures-core",
 "http",
 "http-body",
 "http-body-util",
 "mime",
 "pin-project-lite",
 "sync_wrapper",
 "tower-layer",
 "tower-service",
 "tracing",
 ]
 [[package]]
 name = "base16ct"
 version = "0.2.0"
@ -2596,6 +2648,12 @@ version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
 [[package]]
 name = "httpdate"
 version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 [[package]]
 name = "hybrid-array"
 version = "0.4.8"
@ -2621,6 +2679,7 @@ dependencies = [
 "http",
 "http-body",
 "httparse",
 "httpdate",
 "itoa",
 "pin-project-lite",
 "pin-utils",
@ -2932,6 +2991,7 @@ checksum = "47c225751e8fbfaaaac5572a80e25d0a0921e9cf408c55509526161b5609157c"
 dependencies = [
 "ironrdp-connector",
 "ironrdp-core",
 "ironrdp-displaycontrol",
 "ironrdp-graphics",
 "ironrdp-input",
 "ironrdp-pdu",
@ -3495,6 +3555,12 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5"
 [[package]]
 name = "matchit"
 version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
 [[package]]
 name = "md-5"
 version = "0.10.6"
@ -5974,6 +6040,17 @@ dependencies = [
 "zmij",
 ]
 [[package]]
 name = "serde_path_to_error"
 version = "0.1.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
 dependencies = [
 "itoa",
 "serde",
 "serde_core",
 ]
 [[package]]
 name = "serde_repr"
 version = "0.1.20"
@ -7402,6 +7479,7 @@ dependencies = [
 "tokio",
 "tower-layer",
 "tower-service",
 "tracing",
 ]
 [[package]]
@ -7591,6 +7669,35 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 [[package]]
 name = "ureq"
 version = "3.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dea7109cdcd5864d4eeb1b58a1648dc9bf520360d7af16ec26d0a9354bafcfc0"
 dependencies = [
 "base64 0.22.1",
 "flate2",
 "log",
 "percent-encoding",
 "rustls",
 "rustls-pki-types",
 "ureq-proto",
 "utf8-zero",
 "webpki-roots",
 ]
 [[package]]
 name = "ureq-proto"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e994ba84b0bd1b1b0cf92878b7ef898a5c1760108fe7b6010327e274917a808c"
 dependencies = [
 "base64 0.22.1",
 "http",
 "httparse",
 "log",
 ]
 [[package]]
 name = "url"
 version = "2.5.8"
@ -7622,6 +7729,12 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
 [[package]]
 name = "utf8-zero"
 version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b8c0a043c9540bae7c578c88f91dda8bd82e59ae27c21baca69c8b191aaf5a6e"
 [[package]]
 name = "utf8_iter"
 version = "1.0.4"
@ -8768,6 +8881,7 @@ dependencies = [
 "anyhow",
 "argon2",
 "async-trait",
 "axum",
 "base64 0.22.1",
 "block-padding 0.3.3",
 "cbc 0.1.2",
@ -8781,6 +8895,7 @@ dependencies = [
 "md5",
 "pem",
 "pkcs8 0.10.2",
 "png",
 "portable-pty",
 "rand 0.9.2",
 "reqwest 0.12.28",
@ -8799,8 +8914,11 @@ dependencies = [
 "thiserror 2.0.18",
 "tokio",
 "tokio-rustls",
 "tokio-util",
 "ureq",
 "uuid",
 "x509-cert",
 "zeroize",
 ]
 [[package]]
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@ -2,16 +2,25 @@
 name = "wraith"
 version = "0.1.0"
 edition = "2024"
 default-run = "wraith"
 [lib]
 name = "wraith_lib"
 crate-type = ["lib", "cdylib", "staticlib"]
 [[bin]]
 name = "wraith-mcp-bridge"
 path = "src/bin/wraith_mcp_bridge.rs"
 [features]
 default = []
 devtools = ["tauri/devtools"]
 [build-dependencies]
 tauri-build = { version = "2", features = [] }
 [dependencies]
-tauri = { version = "2", features = ["devtools"] }
+tauri = { version = "2", features = [] }
 tauri-plugin-shell = "2"
 tauri-plugin-updater = "2"
 anyhow = "1"
@ -28,6 +37,8 @@ uuid = { version = "1", features = ["v4"] }
 base64 = "0.22"
 dashmap = "6"
 tokio = { version = "1", features = ["full"] }
 tokio-util = "0.7"
 zeroize = { version = "1", features = ["derive"] }
 async-trait = "0.1"
 log = "0.4"
 env_logger = "0.11"
@ -48,8 +59,13 @@ sec1 = { version = "0.7", features = ["pem"] }
 # Local PTY for AI copilot panel
 portable-pty = "0.8"
 # MCP HTTP server (for bridge binary communication)
 axum = "0.8"
 ureq = "3"
 png = "0.17"
 # RDP (IronRDP)
-ironrdp = { version = "0.14", features = ["connector", "session", "graphics", "input"] }
+ironrdp = { version = "0.14", features = ["connector", "session", "graphics", "input", "displaycontrol"] }
 ironrdp-tokio = { version = "0.8", features = ["reqwest-rustls-ring"] }
 ironrdp-tls = { version = "0.2", features = ["rustls"] }
 tokio-rustls = "0.26"
--- a/src-tauri/capabilities/default.json
+++ b/src-tauri/capabilities/default.json
@ -1,11 +1,15 @@
 {
  "identifier": "default",
  "description": "Default capabilities for the main Wraith window",
-  "windows": ["main"],
+  "windows": ["main", "tool-*", "detached-*", "editor-*", "help-*"],
  "permissions": [
    "core:default",
    "core:event:default",
    "core:window:default",
-    "shell:allow-open"
+    "core:window:allow-create",
    "core:webview:default",
    "core:webview:allow-create-webview-window",
    "shell:allow-open",
    "updater:default"
  ]
 }
--- a/src-tauri/gen/schemas/capabilities.json
+++ b/src-tauri/gen/schemas/capabilities.json
@ -1 +1 @@
-{"default":{"identifier":"default","description":"Default capabilities for the main Wraith window","local":true,"windows":["main"],"permissions":["core:default","core:event:default","core:window:default","shell:allow-open"]}}
+{"default":{"identifier":"default","description":"Default capabilities for the main Wraith window","local":true,"windows":["main","tool-*","detached-*","editor-*","help-*"],"permissions":["core:default","core:event:default","core:window:default","core:window:allow-create","core:webview:default","core:webview:allow-create-webview-window","shell:allow-open","updater:default"]}}
--- a/src-tauri/src/bin/wraith_mcp_bridge.rs
+++ b/src-tauri/src/bin/wraith_mcp_bridge.rs
@ -0,0 +1,499 @@
 //! Wraith MCP Bridge — stdio JSON-RPC proxy to Wraith's HTTP API.
 //!
 //! This binary is spawned by AI CLIs (Claude Code, Gemini CLI) as an MCP
 //! server. It reads JSON-RPC requests from stdin, translates them to HTTP
 //! calls against the running Wraith instance, and writes responses to stdout.
 //!
 //! The Wraith instance's MCP HTTP port is read from the data directory's
 //! `mcp-port` file.
 use std::io::{self, BufRead, Write};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 #[derive(Deserialize)]
 #[allow(dead_code)]
 struct JsonRpcRequest {
    jsonrpc: String,
    id: Value,
    method: String,
    #[serde(default)]
    params: Value,
 }
 #[derive(Serialize)]
 struct JsonRpcResponse {
    jsonrpc: String,
    id: Value,
    #[serde(skip_serializing_if = "Option::is_none")]
    result: Option<Value>,
    #[serde(skip_serializing_if = "Option::is_none")]
    error: Option<JsonRpcError>,
 }
 #[derive(Serialize)]
 struct JsonRpcError {
    code: i32,
    message: String,
 }
 fn get_data_dir() -> Result<std::path::PathBuf, String> {
    if let Ok(appdata) = std::env::var("APPDATA") {
        Ok(std::path::PathBuf::from(appdata).join("Wraith"))
    } else if let Ok(home) = std::env::var("HOME") {
        if cfg!(target_os = "macos") {
            Ok(std::path::PathBuf::from(home).join("Library").join("Application Support").join("Wraith"))
        } else {
            Ok(std::path::PathBuf::from(home).join(".local").join("share").join("wraith"))
        }
    } else {
        Err("Cannot determine data directory".to_string())
    }
 }
 fn get_mcp_port() -> Result<u16, String> {
    let port_file = get_data_dir()?.join("mcp-port");
    let port_str = std::fs::read_to_string(&port_file)
        .map_err(|e| format!("Cannot read MCP port file at {}: {} — is Wraith running?", port_file.display(), e))?;
    port_str.trim().parse::<u16>()
        .map_err(|e| format!("Invalid port in MCP port file: {}", e))
 }
 fn get_mcp_token() -> Result<String, String> {
    let token_file = get_data_dir()?.join("mcp-token");
    let token = std::fs::read_to_string(&token_file)
        .map_err(|e| format!("Cannot read MCP token file at {}: {} — is Wraith running?", token_file.display(), e))?;
    Ok(token.trim().to_string())
 }
 fn handle_initialize(id: Value) -> JsonRpcResponse {
    JsonRpcResponse {
        jsonrpc: "2.0".to_string(),
        id,
        result: Some(serde_json::json!({
            "protocolVersion": "2024-11-05",
            "capabilities": {
                "tools": {}
            },
            "serverInfo": {
                "name": "wraith-terminal",
                "version": "1.0.0"
            }
        })),
        error: None,
    }
 }
 fn handle_tools_list(id: Value) -> JsonRpcResponse {
    JsonRpcResponse {
        jsonrpc: "2.0".to_string(),
        id,
        result: Some(serde_json::json!({
            "tools": [
                {
                    "name": "terminal_type",
                    "description": "Type text into a terminal session (like a human typing). Optionally presses Enter after. Use this to send messages or commands without output capture.",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The session ID to type into" },
                            "text": { "type": "string", "description": "The text to type" },
                            "press_enter": { "type": "boolean", "description": "Whether to press Enter after typing (default: true)" }
                        },
                        "required": ["session_id", "text"]
                    }
                },
                {
                    "name": "terminal_read",
                    "description": "Read recent terminal output from an active SSH or PTY session (ANSI codes stripped)",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The session ID to read from. Use list_sessions to find IDs." },
                            "lines": { "type": "number", "description": "Number of recent lines to return (default: 50)" }
                        },
                        "required": ["session_id"]
                    }
                },
                {
                    "name": "terminal_execute",
                    "description": "Execute a command in an active SSH session and return the output",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The SSH session ID to execute in" },
                            "command": { "type": "string", "description": "The command to run" },
                            "timeout_ms": { "type": "number", "description": "Max wait time in ms (default: 5000)" }
                        },
                        "required": ["session_id", "command"]
                    }
                },
                {
                    "name": "terminal_screenshot",
                    "description": "Capture a screenshot of an active RDP session as a base64-encoded PNG image for visual analysis",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The RDP session ID to screenshot" }
                        },
                        "required": ["session_id"]
                    }
                },
                {
                    "name": "sftp_list",
                    "description": "List files in a directory on a remote host via SFTP",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The SSH session ID" },
                            "path": { "type": "string", "description": "Remote directory path" }
                        },
                        "required": ["session_id", "path"]
                    }
                },
                {
                    "name": "sftp_read",
                    "description": "Read a file from a remote host via SFTP",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The SSH session ID" },
                            "path": { "type": "string", "description": "Remote file path" }
                        },
                        "required": ["session_id", "path"]
                    }
                },
                {
                    "name": "sftp_write",
                    "description": "Write content to a file on a remote host via SFTP",
                    "inputSchema": {
                        "type": "object",
                        "properties": {
                            "session_id": { "type": "string", "description": "The SSH session ID" },
                            "path": { "type": "string", "description": "Remote file path" },
                            "content": { "type": "string", "description": "File content to write" }
                        },
                        "required": ["session_id", "path", "content"]
                    }
                },
                {
                    "name": "network_scan",
                    "description": "Discover all devices on a remote network subnet via ARP + ping sweep",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "subnet": { "type": "string", "description": "First 3 octets, e.g. 192.168.1" } }, "required": ["session_id", "subnet"] }
                },
                {
                    "name": "port_scan",
                    "description": "Scan TCP ports on a target host through an SSH session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string" }, "ports": { "type": "array", "items": { "type": "number" }, "description": "Specific ports. Omit for quick scan of 24 common ports." } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "ping",
                    "description": "Ping a host through an SSH session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "traceroute",
                    "description": "Traceroute to a host through an SSH session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "dns_lookup",
                    "description": "DNS lookup for a domain through an SSH session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "domain": { "type": "string" }, "record_type": { "type": "string", "description": "A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, PTR" } }, "required": ["session_id", "domain"] }
                },
                {
                    "name": "whois",
                    "description": "Whois lookup for a domain or IP through an SSH session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "wake_on_lan",
                    "description": "Send Wake-on-LAN magic packet through an SSH session to wake a device",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "mac_address": { "type": "string", "description": "MAC address (AA:BB:CC:DD:EE:FF)" } }, "required": ["session_id", "mac_address"] }
                },
                {
                    "name": "bandwidth_test",
                    "description": "Run an internet speed test on a remote host through SSH",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" } }, "required": ["session_id"] }
                },
                {
                    "name": "subnet_calc",
                    "description": "Calculate subnet details from CIDR notation (no SSH needed)",
                    "inputSchema": { "type": "object", "properties": { "cidr": { "type": "string", "description": "e.g. 192.168.1.0/24" } }, "required": ["cidr"] }
                },
                {
                    "name": "generate_ssh_key",
                    "description": "Generate an SSH key pair (ed25519 or RSA)",
                    "inputSchema": { "type": "object", "properties": { "key_type": { "type": "string", "description": "ed25519 or rsa" }, "comment": { "type": "string" } }, "required": ["key_type"] }
                },
                {
                    "name": "generate_password",
                    "description": "Generate a cryptographically secure random password",
                    "inputSchema": { "type": "object", "properties": { "length": { "type": "number" }, "uppercase": { "type": "boolean" }, "lowercase": { "type": "boolean" }, "digits": { "type": "boolean" }, "symbols": { "type": "boolean" } } }
                },
                {
                    "name": "docker_ps",
                    "description": "List all Docker containers with status, image, and ports",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" } }, "required": ["session_id"] }
                },
                {
                    "name": "docker_action",
                    "description": "Perform a Docker action: start, stop, restart, remove, logs, builder-prune, system-prune",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "action": { "type": "string", "description": "start|stop|restart|remove|logs|builder-prune|system-prune" }, "target": { "type": "string", "description": "Container name (not needed for prune actions)" } }, "required": ["session_id", "action", "target"] }
                },
                {
                    "name": "docker_exec",
                    "description": "Execute a command inside a running Docker container",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "container": { "type": "string" }, "command": { "type": "string" } }, "required": ["session_id", "container", "command"] }
                },
                {
                    "name": "service_status",
                    "description": "Check systemd service status on a remote host",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string", "description": "Service name" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "process_list",
                    "description": "List processes on a remote host (top CPU by default, or filter by name)",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "target": { "type": "string", "description": "Process name filter (empty for top 30 by CPU)" } }, "required": ["session_id", "target"] }
                },
                {
                    "name": "git_status",
                    "description": "Get git status of a remote repository",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "path": { "type": "string", "description": "Path to the git repo on the remote host" } }, "required": ["session_id", "path"] }
                },
                {
                    "name": "git_pull",
                    "description": "Pull latest changes on a remote repository",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "path": { "type": "string" } }, "required": ["session_id", "path"] }
                },
                {
                    "name": "git_log",
                    "description": "Show recent commits on a remote repository",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "path": { "type": "string" } }, "required": ["session_id", "path"] }
                },
                {
                    "name": "rdp_click",
                    "description": "Click at a position in an RDP session (use terminal_screenshot first to see coordinates)",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "x": { "type": "number" }, "y": { "type": "number" }, "button": { "type": "string", "description": "left (default), right, or middle" } }, "required": ["session_id", "x", "y"] }
                },
                {
                    "name": "rdp_type",
                    "description": "Type text into an RDP session via clipboard paste",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "text": { "type": "string" } }, "required": ["session_id", "text"] }
                },
                {
                    "name": "rdp_clipboard",
                    "description": "Set the clipboard content on a remote RDP session",
                    "inputSchema": { "type": "object", "properties": { "session_id": { "type": "string" }, "text": { "type": "string" } }, "required": ["session_id", "text"] }
                },
                {
                    "name": "ssh_connect",
                    "description": "Open a new SSH connection through Wraith. Returns the session ID for use with other tools.",
                    "inputSchema": { "type": "object", "properties": {
                        "hostname": { "type": "string" },
                        "port": { "type": "number", "description": "Default: 22" },
                        "username": { "type": "string" },
                        "password": { "type": "string", "description": "Password (for password auth)" },
                        "private_key_path": { "type": "string", "description": "Path to SSH private key file on the local machine" }
                    }, "required": ["hostname", "username"] }
                },
                {
                    "name": "list_sessions",
                    "description": "List all active Wraith sessions (SSH, RDP, PTY) with connection details",
                    "inputSchema": {
                        "type": "object",
                        "properties": {}
                    }
                }
            ]
        })),
        error: None,
    }
 }
 fn call_wraith(port: u16, token: &str, endpoint: &str, body: Value) -> Result<Value, String> {
    let url = format!("http://127.0.0.1:{}{}", port, endpoint);
    let body_str = serde_json::to_string(&body).unwrap_or_default();
    let mut resp = ureq::post(url)
        .header("Content-Type", "application/json")
        .header("Authorization", &format!("Bearer {}", token))
        .send(body_str.as_bytes())
        .map_err(|e| format!("HTTP request to Wraith failed: {}", e))?;
    let resp_str = resp.body_mut().read_to_string()
        .map_err(|e| format!("Failed to read Wraith response: {}", e))?;
    let json: Value = serde_json::from_str(&resp_str)
        .map_err(|e| format!("Failed to parse Wraith response: {}", e))?;
    if json.get("ok").and_then(|v| v.as_bool()) == Some(true) {
        Ok(json.get("data").cloned().unwrap_or(Value::Null))
    } else {
        let err_msg = json.get("error").and_then(|e| e.as_str()).unwrap_or("Unknown error");
        Err(err_msg.to_string())
    }
 }
 fn handle_tool_call(id: Value, port: u16, token: &str, tool_name: &str, args: &Value) -> JsonRpcResponse {
    let result = match tool_name {
        "list_sessions" => call_wraith(port, token, "/mcp/sessions", serde_json::json!({})),
        "terminal_type" => call_wraith(port, token, "/mcp/terminal/type", args.clone()),
        "terminal_read" => call_wraith(port, token, "/mcp/terminal/read", args.clone()),
        "terminal_execute" => call_wraith(port, token, "/mcp/terminal/execute", args.clone()),
        "sftp_list" => call_wraith(port, token, "/mcp/sftp/list", args.clone()),
        "sftp_read" => call_wraith(port, token, "/mcp/sftp/read", args.clone()),
        "sftp_write" => call_wraith(port, token, "/mcp/sftp/write", args.clone()),
        "network_scan" => call_wraith(port, token, "/mcp/tool/scan-network", args.clone()),
        "port_scan" => call_wraith(port, token, "/mcp/tool/scan-ports", args.clone()),
        "ping" => call_wraith(port, token, "/mcp/tool/ping", args.clone()),
        "traceroute" => call_wraith(port, token, "/mcp/tool/traceroute", args.clone()),
        "dns_lookup" => call_wraith(port, token, "/mcp/tool/dns", args.clone()),
        "whois" => call_wraith(port, token, "/mcp/tool/whois", args.clone()),
        "wake_on_lan" => call_wraith(port, token, "/mcp/tool/wol", args.clone()),
        "bandwidth_test" => call_wraith(port, token, "/mcp/tool/bandwidth", args.clone()),
        "subnet_calc" => call_wraith(port, token, "/mcp/tool/subnet", args.clone()),
        "generate_ssh_key" => call_wraith(port, token, "/mcp/tool/keygen", args.clone()),
        "generate_password" => call_wraith(port, token, "/mcp/tool/passgen", args.clone()),
        "docker_ps" => call_wraith(port, token, "/mcp/docker/ps", args.clone()),
        "docker_action" => call_wraith(port, token, "/mcp/docker/action", args.clone()),
        "docker_exec" => call_wraith(port, token, "/mcp/docker/exec", args.clone()),
        "service_status" => call_wraith(port, token, "/mcp/service/status", args.clone()),
        "process_list" => call_wraith(port, token, "/mcp/process/list", args.clone()),
        "git_status" => call_wraith(port, token, "/mcp/git/status", args.clone()),
        "git_pull" => call_wraith(port, token, "/mcp/git/pull", args.clone()),
        "git_log" => call_wraith(port, token, "/mcp/git/log", args.clone()),
        "rdp_click" => call_wraith(port, token, "/mcp/rdp/click", args.clone()),
        "rdp_type" => call_wraith(port, token, "/mcp/rdp/type", args.clone()),
        "rdp_clipboard" => call_wraith(port, token, "/mcp/rdp/clipboard", args.clone()),
        "ssh_connect" => call_wraith(port, token, "/mcp/ssh/connect", args.clone()),
        "terminal_screenshot" => {
            let result = call_wraith(port, token, "/mcp/screenshot", args.clone());
            // Screenshot returns base64 PNG — wrap as image content for multimodal AI
            return match result {
                Ok(b64) => JsonRpcResponse {
                    jsonrpc: "2.0".to_string(),
                    id,
                    result: Some(serde_json::json!({
                        "content": [{
                            "type": "image",
                            "data": b64,
                            "mimeType": "image/png"
                        }]
                    })),
                    error: None,
                },
                Err(e) => JsonRpcResponse {
                    jsonrpc: "2.0".to_string(),
                    id,
                    result: None,
                    error: Some(JsonRpcError { code: -32000, message: e }),
                },
            };
        }
        _ => Err(format!("Unknown tool: {}", tool_name)),
    };
    match result {
        Ok(data) => JsonRpcResponse {
            jsonrpc: "2.0".to_string(),
            id,
            result: Some(serde_json::json!({
                "content": [{
                    "type": "text",
                    "text": if data.is_string() {
                        data.as_str().unwrap().to_string()
                    } else {
                        serde_json::to_string_pretty(&data).unwrap_or_default()
                    }
                }]
            })),
            error: None,
        },
        Err(e) => JsonRpcResponse {
            jsonrpc: "2.0".to_string(),
            id,
            result: None,
            error: Some(JsonRpcError { code: -32000, message: e }),
        },
    }
 }
 fn main() {
    let port = match get_mcp_port() {
        Ok(p) => p,
        Err(e) => {
            eprintln!("wraith-mcp-bridge: {}", e);
            std::process::exit(1);
        }
    };
    let token = match get_mcp_token() {
        Ok(t) => t,
        Err(e) => {
            eprintln!("wraith-mcp-bridge: {}", e);
            std::process::exit(1);
        }
    };
    let stdin = io::stdin();
    let mut stdout = io::stdout();
    for line in stdin.lock().lines() {
        let line = match line {
            Ok(l) => l,
            Err(_) => break,
        };
        if line.trim().is_empty() {
            continue;
        }
        let request: JsonRpcRequest = match serde_json::from_str(&line) {
            Ok(r) => r,
            Err(e) => {
                let err_resp = JsonRpcResponse {
                    jsonrpc: "2.0".to_string(),
                    id: Value::Null,
                    result: None,
                    error: Some(JsonRpcError { code: -32700, message: format!("Parse error: {}", e) }),
                };
                let _ = writeln!(stdout, "{}", serde_json::to_string(&err_resp).unwrap());
                let _ = stdout.flush();
                continue;
            }
        };
        let response = match request.method.as_str() {
            "initialize" => handle_initialize(request.id),
            "tools/list" => handle_tools_list(request.id),
            "tools/call" => {
                let tool_name = request.params.get("name")
                    .and_then(|v| v.as_str())
                    .unwrap_or("");
                let args = request.params.get("arguments")
                    .cloned()
                    .unwrap_or(Value::Object(serde_json::Map::new()));
                handle_tool_call(request.id, port, &token, tool_name, &args)
            }
            "notifications/initialized" | "notifications/cancelled" => {
                // Notifications don't get responses
                continue;
            }
            _ => JsonRpcResponse {
                jsonrpc: "2.0".to_string(),
                id: request.id,
                result: None,
                error: Some(JsonRpcError { code: -32601, message: format!("Method not found: {}", request.method) }),
            },
        };
        let _ = writeln!(stdout, "{}", serde_json::to_string(&response).unwrap());
        let _ = stdout.flush();
    }
 }
--- a/src-tauri/src/commands/connections.rs
+++ b/src-tauri/src/commands/connections.rs
@ -92,3 +92,19 @@ pub fn search_connections(
 ) -> Result<Vec<ConnectionRecord>, String> {
    state.connections.search(&query)
 }
 #[tauri::command]
 pub fn reorder_connections(
    ids: Vec<i64>,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
    state.connections.reorder_connections(&ids)
 }
 #[tauri::command]
 pub fn reorder_groups(
    ids: Vec<i64>,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
    state.connections.reorder_groups(&ids)
 }
--- a/src-tauri/src/commands/credentials.rs
+++ b/src-tauri/src/commands/credentials.rs
@ -3,34 +3,16 @@ use tauri::State;
 use crate::credentials::Credential;
 use crate::AppState;
 /// Guard helper: lock the credentials mutex and return a ref to the inner
 /// `CredentialService`, or a "Vault is locked" error if the vault has not
 /// been unlocked for this session.
 ///
 /// This is a macro rather than a function because returning a `MutexGuard`
 /// from a helper function would require lifetime annotations that complicate
 /// the tauri command signatures unnecessarily.
 macro_rules! require_unlocked {
    ($state:expr) => {{
        let guard = $state
            .credentials
            .lock()
            .map_err(|_| "Credentials mutex was poisoned".to_string())?;
        if guard.is_none() {
            return Err("Vault is locked — call unlock before accessing credentials".into());
        }
        // SAFETY: we just checked `is_none` above, so `unwrap` cannot panic.
        guard
    }};
 }
 /// Return all credentials ordered by name.
 ///
 /// Secret values (passwords, private keys) are never included — only metadata.
 #[tauri::command]
-pub fn list_credentials(state: State<'_, AppState>) -> Result<Vec<Credential>, String> {
+pub async fn list_credentials(state: State<'_, AppState>) -> Result<Vec<Credential>, String> {
-    let guard = require_unlocked!(state);
+    let guard = state.credentials.lock().await;
-    guard.as_ref().unwrap().list()
+    let svc = guard
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.list()
 }
 /// Store a new username/password credential.
@ -39,18 +21,18 @@ pub fn list_credentials(state: State<'_, AppState>) -> Result<Vec<Credential>, S
 /// Returns the created credential record (without the plaintext password).
 /// `domain` is `None` for non-domain credentials; `Some("")` is treated as NULL.
 #[tauri::command]
-pub fn create_password(
+pub async fn create_password(
    name: String,
    username: String,
    password: String,
    domain: Option<String>,
    state: State<'_, AppState>,
 ) -> Result<Credential, String> {
-    let guard = require_unlocked!(state);
+    let guard = state.credentials.lock().await;
-    guard
+    let svc = guard
        .as_ref()
-        .unwrap()
+        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
-        .create_password(name, username, password, domain)
+    svc.create_password(name, username, password, domain)
 }
 /// Store a new SSH private key credential.
@ -59,18 +41,18 @@ pub fn create_password(
 /// Pass `None` for `passphrase` when the key has no passphrase.
 /// Returns the created credential record without any secret material.
 #[tauri::command]
-pub fn create_ssh_key(
+pub async fn create_ssh_key(
    name: String,
    username: String,
    private_key_pem: String,
    passphrase: Option<String>,
    state: State<'_, AppState>,
 ) -> Result<Credential, String> {
-    let guard = require_unlocked!(state);
+    let guard = state.credentials.lock().await;
-    guard
+    let svc = guard
        .as_ref()
-        .unwrap()
+        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
-        .create_ssh_key(name, username, private_key_pem, passphrase)
+    svc.create_ssh_key(name, username, private_key_pem, passphrase)
 }
 /// Delete a credential by id.
@ -78,21 +60,30 @@ pub fn create_ssh_key(
 /// For SSH key credentials, the associated `ssh_keys` row is also deleted.
 /// Returns `Err` if the vault is locked or the id does not exist.
 #[tauri::command]
-pub fn delete_credential(id: i64, state: State<'_, AppState>) -> Result<(), String> {
+pub async fn delete_credential(id: i64, state: State<'_, AppState>) -> Result<(), String> {
-    let guard = require_unlocked!(state);
+    let guard = state.credentials.lock().await;
-    guard.as_ref().unwrap().delete(id)
+    let svc = guard
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.delete(id)
 }
 /// Decrypt and return the password for a credential.
 #[tauri::command]
-pub fn decrypt_password(credential_id: i64, state: State<'_, AppState>) -> Result<String, String> {
+pub async fn decrypt_password(credential_id: i64, state: State<'_, AppState>) -> Result<String, String> {
-    let guard = require_unlocked!(state);
+    let guard = state.credentials.lock().await;
-    guard.as_ref().unwrap().decrypt_password(credential_id)
+    let svc = guard
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.decrypt_password(credential_id)
 }
 /// Decrypt and return the SSH private key and passphrase.
 #[tauri::command]
-pub fn decrypt_ssh_key(ssh_key_id: i64, state: State<'_, AppState>) -> Result<(String, String), String> {
+pub async fn decrypt_ssh_key(ssh_key_id: i64, state: State<'_, AppState>) -> Result<(String, String), String> {
-    let guard = require_unlocked!(state);
+    let guard = state.credentials.lock().await;
-    guard.as_ref().unwrap().decrypt_ssh_key(ssh_key_id)
+    let svc = guard
        .as_ref()
        .ok_or_else(|| "Vault is locked — call unlock before accessing credentials".to_string())?;
    svc.decrypt_ssh_key(ssh_key_id)
 }
--- a/src-tauri/src/commands/docker_commands.rs
+++ b/src-tauri/src/commands/docker_commands.rs
@ -0,0 +1,105 @@
 //! Tauri commands for Docker management via SSH exec channels.
 use tauri::State;
 use serde::Serialize;
 use crate::AppState;
 use crate::ssh::exec::exec_on_session;
 use crate::utils::shell_escape;
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DockerContainer {
    pub id: String,
    pub name: String,
    pub image: String,
    pub status: String,
    pub ports: String,
    pub created: String,
 }
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DockerImage {
    pub id: String,
    pub repository: String,
    pub tag: String,
    pub size: String,
    pub created: String,
 }
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DockerVolume {
    pub name: String,
    pub driver: String,
    pub mountpoint: String,
 }
 #[tauri::command]
 pub async fn docker_list_containers(session_id: String, all: Option<bool>, state: State<'_, AppState>) -> Result<Vec<DockerContainer>, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
    let flag = if all.unwrap_or(true) { "-a" } else { "" };
    let output = exec_on_session(&session.handle, &format!("docker ps {} --format '{{{{.ID}}}}|{{{{.Names}}}}|{{{{.Image}}}}|{{{{.Status}}}}|{{{{.Ports}}}}|{{{{.CreatedAt}}}}' 2>&1", flag)).await?;
    Ok(output.lines().filter(|l| !l.is_empty() && !l.starts_with("CONTAINER")).map(|line| {
        let p: Vec<&str> = line.splitn(6, '|').collect();
        DockerContainer {
            id: p.first().unwrap_or(&"").to_string(),
            name: p.get(1).unwrap_or(&"").to_string(),
            image: p.get(2).unwrap_or(&"").to_string(),
            status: p.get(3).unwrap_or(&"").to_string(),
            ports: p.get(4).unwrap_or(&"").to_string(),
            created: p.get(5).unwrap_or(&"").to_string(),
        }
    }).collect())
 }
 #[tauri::command]
 pub async fn docker_list_images(session_id: String, state: State<'_, AppState>) -> Result<Vec<DockerImage>, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
    let output = exec_on_session(&session.handle, "docker images --format '{{.ID}}|{{.Repository}}|{{.Tag}}|{{.Size}}|{{.CreatedAt}}' 2>&1").await?;
    Ok(output.lines().filter(|l| !l.is_empty()).map(|line| {
        let p: Vec<&str> = line.splitn(5, '|').collect();
        DockerImage {
            id: p.first().unwrap_or(&"").to_string(),
            repository: p.get(1).unwrap_or(&"").to_string(),
            tag: p.get(2).unwrap_or(&"").to_string(),
            size: p.get(3).unwrap_or(&"").to_string(),
            created: p.get(4).unwrap_or(&"").to_string(),
        }
    }).collect())
 }
 #[tauri::command]
 pub async fn docker_list_volumes(session_id: String, state: State<'_, AppState>) -> Result<Vec<DockerVolume>, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
    let output = exec_on_session(&session.handle, "docker volume ls --format '{{.Name}}|{{.Driver}}|{{.Mountpoint}}' 2>&1").await?;
    Ok(output.lines().filter(|l| !l.is_empty()).map(|line| {
        let p: Vec<&str> = line.splitn(3, '|').collect();
        DockerVolume {
            name: p.first().unwrap_or(&"").to_string(),
            driver: p.get(1).unwrap_or(&"").to_string(),
            mountpoint: p.get(2).unwrap_or(&"").to_string(),
        }
    }).collect())
 }
 #[tauri::command]
 pub async fn docker_action(session_id: String, action: String, target: String, state: State<'_, AppState>) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id).ok_or("Session not found")?;
    let t = shell_escape(&target);
    let cmd = match action.as_str() {
        "start" => format!("docker start {} 2>&1", t),
        "stop" => format!("docker stop {} 2>&1", t),
        "restart" => format!("docker restart {} 2>&1", t),
        "remove" => format!("docker rm -f {} 2>&1", t),
        "logs" => format!("docker logs --tail 100 {} 2>&1", t),
        "remove-image" => format!("docker rmi {} 2>&1", t),
        "remove-volume" => format!("docker volume rm {} 2>&1", t),
        "builder-prune" => "docker builder prune -f 2>&1".to_string(),
        "system-prune" => "docker system prune -f 2>&1".to_string(),
        "system-prune-all" => "docker system prune -a -f 2>&1".to_string(),
        _ => return Err(format!("Unknown docker action: {}", action)),
    };
    exec_on_session(&session.handle, &cmd).await
 }
--- a/src-tauri/src/commands/mcp_commands.rs
+++ b/src-tauri/src/commands/mcp_commands.rs
@ -0,0 +1,142 @@
 //! Tauri commands for MCP tool operations.
 //!
 //! These expose terminal_read, terminal_execute, and session listing to both
 //! the frontend and the MCP bridge binary.
 use serde::Serialize;
 use tauri::State;
 use crate::AppState;
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct McpSessionInfo {
    pub id: String,
    pub session_type: String, // "ssh" or "pty"
    pub name: String,
    pub host: Option<String>,
    pub username: Option<String>,
 }
 /// List all active sessions (SSH + PTY) with metadata.
 #[tauri::command]
 pub fn mcp_list_sessions(state: State<'_, AppState>) -> Vec<McpSessionInfo> {
    let mut sessions = Vec::new();
    // SSH sessions
    for info in state.ssh.list_sessions() {
        sessions.push(McpSessionInfo {
            id: info.id,
            session_type: "ssh".to_string(),
            name: format!("{}@{}:{}", info.username, info.hostname, info.port),
            host: Some(info.hostname),
            username: Some(info.username),
        });
    }
    sessions
 }
 /// Read the last N lines from a session's scrollback buffer (ANSI stripped).
 #[tauri::command]
 pub fn mcp_terminal_read(
    session_id: String,
    lines: Option<usize>,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let n = lines.unwrap_or(50);
    let buf = state.scrollback.get(&session_id)
        .ok_or_else(|| format!("No scrollback buffer for session {}", session_id))?;
    Ok(buf.read_lines(n))
 }
 /// Execute a command in an SSH session and capture output using a marker.
 ///
 /// Sends the command followed by `echo __WRAITH_MCP_DONE__`, then reads the
 /// scrollback until the marker appears or timeout is reached.
 #[tauri::command]
 pub async fn mcp_terminal_execute(
    session_id: String,
    command: String,
    timeout_ms: Option<u64>,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let timeout = timeout_ms.unwrap_or(5000);
    let marker = "__WRAITH_MCP_DONE__";
    // Record current buffer position
    let buf = state.scrollback.get(&session_id)
        .ok_or_else(|| format!("No scrollback buffer for session {}", session_id))?;
    let before = buf.total_written();
    // Send command + marker echo
    let full_cmd = format!("{}\recho {}\r", command, marker);
    state.ssh.write(&session_id, full_cmd.as_bytes()).await?;
    // Poll scrollback until marker appears or timeout
    let start = std::time::Instant::now();
    let timeout_dur = std::time::Duration::from_millis(timeout);
    loop {
        if start.elapsed() > timeout_dur {
            // Return whatever we captured so far
            let raw = buf.read_raw();
            let total = buf.total_written();
            // Extract just the new content since we sent the command
            let new_bytes = total.saturating_sub(before);
            let output = if new_bytes > 0 && raw.len() >= new_bytes {
                &raw[raw.len() - new_bytes.min(raw.len())..]
            } else {
                ""
            };
            return Ok(format!("[timeout after {}ms]\n{}", timeout, output));
        }
        let raw = buf.read_raw();
        if raw.contains(marker) {
            // Extract output between command echo and marker
            let total = buf.total_written();
            let new_bytes = total.saturating_sub(before);
            let output = if new_bytes > 0 && raw.len() >= new_bytes {
                raw[raw.len() - new_bytes.min(raw.len())..].to_string()
            } else {
                String::new()
            };
            // Strip the command echo and marker from output
            let clean = output
                .lines()
                .filter(|line| {
                    !line.contains(marker)
                        && !line.trim().starts_with(&command.trim_start().chars().take(20).collect::<String>())
                })
                .collect::<Vec<_>>()
                .join("\n");
            return Ok(clean.trim().to_string());
        }
        // Yield the executor before sleeping so other tasks aren't starved,
        // then wait 200 ms — much cheaper than the original 50 ms busy-poll.
        tokio::task::yield_now().await;
        tokio::time::sleep(std::time::Duration::from_millis(200)).await;
    }
 }
 /// Get the path where the MCP bridge binary is installed.
 #[tauri::command]
 pub fn mcp_bridge_path() -> String {
    crate::mcp::bridge_manager::bridge_path().to_string_lossy().to_string()
 }
 /// Get the active session context — last 20 lines of scrollback for a session.
 /// Called by the frontend when the user switches tabs, emitted to the copilot.
 #[tauri::command]
 pub fn mcp_get_session_context(
    session_id: String,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let buf = state.scrollback.get(&session_id)
        .ok_or_else(|| format!("No scrollback buffer for session {}", session_id))?;
    Ok(buf.read_lines(20))
 }
--- a/src-tauri/src/commands/mod.rs
+++ b/src-tauri/src/commands/mod.rs
@ -7,3 +7,11 @@ pub mod sftp_commands;
 pub mod rdp_commands;
 pub mod theme_commands;
 pub mod pty_commands;
 pub mod mcp_commands;
 pub mod scanner_commands;
 pub mod tools_commands;
 pub mod updater;
 pub mod tools_commands_r2;
 pub mod workspace_commands;
 pub mod docker_commands;
 pub mod window_commands;
--- a/src-tauri/src/commands/pty_commands.rs
+++ b/src-tauri/src/commands/pty_commands.rs
@ -18,7 +18,7 @@ pub fn spawn_local_shell(
    app_handle: AppHandle,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
-    state.pty.spawn(&shell_path, cols as u16, rows as u16, app_handle)
+    state.pty.spawn(&shell_path, cols as u16, rows as u16, app_handle, &state.scrollback)
 }
 #[tauri::command]
--- a/src-tauri/src/commands/rdp_commands.rs
+++ b/src-tauri/src/commands/rdp_commands.rs
@ -3,35 +3,53 @@
 //! Mirrors the pattern used by `ssh_commands.rs` — thin command wrappers that
 //! delegate to the `RdpService` via `State<AppState>`.
-use tauri::State;
+use tauri::{AppHandle, State};
 use tauri::ipc::Response;
 use crate::rdp::{RdpConfig, RdpSessionInfo};
 use crate::AppState;
 /// Connect to an RDP server.
 ///
 /// Performs the full connection handshake (TCP -> TLS -> CredSSP -> RDP) and
 /// starts streaming frame updates in the background.
 ///
 /// Returns the session UUID.
 #[tauri::command]
 pub fn connect_rdp(
    config: RdpConfig,
    app_handle: AppHandle,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
-    state.rdp.connect(config)
+    state.rdp.connect(config, app_handle)
 }
-/// Get the current frame buffer as a base64-encoded RGBA string.
+/// Get the dirty region since last call as raw RGBA bytes via binary IPC.
 ///
-/// The frontend decodes this and draws it onto a `<canvas>` element.
+/// Binary format: 8-byte header + pixel data
-/// Pixel format: RGBA, 4 bytes per pixel, row-major, top-left origin.
+///   Header: [x: u16, y: u16, width: u16, height: u16] (little-endian)
 ///   If header is all zeros, the payload is a full frame (width*height*4 bytes).
 ///   If header is non-zero, payload contains only the dirty rectangle pixels.
 /// Returns empty payload if nothing changed.
 #[tauri::command]
-pub async fn rdp_get_frame(
+pub fn rdp_get_frame(
    session_id: String,
    state: State<'_, AppState>,
-) -> Result<String, String> {
+) -> Result<Response, String> {
-    state.rdp.get_frame(&session_id).await
+    let (region, pixels) = state.rdp.get_frame(&session_id)?;
    if pixels.is_empty() {
        return Ok(Response::new(Vec::new()));
    }
    // Prepend 8-byte dirty rect header
    let mut out = Vec::with_capacity(8 + pixels.len());
    match region {
        Some(rect) => {
            out.extend_from_slice(&rect.x.to_le_bytes());
            out.extend_from_slice(&rect.y.to_le_bytes());
            out.extend_from_slice(&rect.width.to_le_bytes());
            out.extend_from_slice(&rect.height.to_le_bytes());
        }
        None => {
            out.extend_from_slice(&[0u8; 8]); // full frame marker
        }
    }
    out.extend_from_slice(&pixels);
    Ok(Response::new(out))
 }
 /// Send a mouse event to an RDP session.
@ -46,7 +64,7 @@ pub async fn rdp_get_frame(
 /// - 0x0100 = negative wheel direction
 /// - 0x0400 = horizontal wheel
 #[tauri::command]
-pub async fn rdp_send_mouse(
+pub fn rdp_send_mouse(
    session_id: String,
    x: u16,
    y: u16,
@ -64,7 +82,7 @@ pub async fn rdp_send_mouse(
 ///
 /// `pressed` is `true` for key-down, `false` for key-up.
 #[tauri::command]
-pub async fn rdp_send_key(
+pub fn rdp_send_key(
    session_id: String,
    scancode: u16,
    pressed: bool,
@ -75,7 +93,7 @@ pub async fn rdp_send_key(
 /// Send clipboard text to an RDP session by simulating keystrokes.
 #[tauri::command]
-pub async fn rdp_send_clipboard(
+pub fn rdp_send_clipboard(
    session_id: String,
    text: String,
    state: State<'_, AppState>,
@ -83,11 +101,34 @@ pub async fn rdp_send_clipboard(
    state.rdp.send_clipboard(&session_id, &text)
 }
 /// Force the next get_frame to return a full frame regardless of dirty state.
 /// Used when switching tabs or after resize to ensure the canvas is fully repainted.
 #[tauri::command]
 pub fn rdp_force_refresh(
    session_id: String,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
    state.rdp.force_refresh(&session_id)
 }
 /// Resize the RDP session's desktop resolution.
 /// Sends a Display Control Virtual Channel request to the server.
 /// The server will re-render at the new resolution and send updated frames.
 #[tauri::command]
 pub fn rdp_resize(
    session_id: String,
    width: u16,
    height: u16,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
    state.rdp.resize(&session_id, width, height)
 }
 /// Disconnect an RDP session.
 ///
 /// Sends a graceful shutdown to the RDP server and removes the session.
 #[tauri::command]
-pub async fn disconnect_rdp(
+pub fn disconnect_rdp(
    session_id: String,
    state: State<'_, AppState>,
 ) -> Result<(), String> {
@ -96,7 +137,7 @@ pub async fn disconnect_rdp(
 /// List all active RDP sessions (metadata only).
 #[tauri::command]
-pub async fn list_rdp_sessions(
+pub fn list_rdp_sessions(
    state: State<'_, AppState>,
 ) -> Result<Vec<RdpSessionInfo>, String> {
    Ok(state.rdp.list_sessions())
--- a/src-tauri/src/commands/scanner_commands.rs
+++ b/src-tauri/src/commands/scanner_commands.rs
@ -0,0 +1,44 @@
 //! Tauri commands for network scanning through SSH sessions.
 use tauri::State;
 use crate::scanner::{self, DiscoveredHost, PortResult};
 use crate::AppState;
 /// Discover hosts on the remote network via ARP + ping sweep.
 /// `subnet` should be the first 3 octets, e.g. "192.168.1"
 #[tauri::command]
 pub async fn scan_network(
    session_id: String,
    subnet: String,
    state: State<'_, AppState>,
 ) -> Result<Vec<DiscoveredHost>, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    scanner::scan_network(&session.handle, &subnet).await
 }
 /// Scan specific ports on a target host through an SSH session.
 #[tauri::command]
 pub async fn scan_ports(
    session_id: String,
    target: String,
    ports: Vec<u16>,
    state: State<'_, AppState>,
 ) -> Result<Vec<PortResult>, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    scanner::scan_ports(&session.handle, &target, &ports).await
 }
 /// Quick scan of common ports (22, 80, 443, 3389, etc.) on a target.
 #[tauri::command]
 pub async fn quick_scan(
    session_id: String,
    target: String,
    state: State<'_, AppState>,
 ) -> Result<Vec<PortResult>, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    scanner::quick_port_scan(&session.handle, &target).await
 }
--- a/src-tauri/src/commands/ssh_commands.rs
+++ b/src-tauri/src/commands/ssh_commands.rs
@ -32,6 +32,8 @@ pub async fn connect_ssh(
            cols,
            rows,
            &state.sftp,
            &state.scrollback,
            &state.error_watcher,
        )
        .await
 }
@ -63,6 +65,8 @@ pub async fn connect_ssh_with_key(
            cols,
            rows,
            &state.sftp,
            &state.scrollback,
            &state.error_watcher,
        )
        .await
 }
--- a/src-tauri/src/commands/tools_commands.rs
+++ b/src-tauri/src/commands/tools_commands.rs
@ -0,0 +1,188 @@
 //! Tauri commands for built-in tools: ping, traceroute, WoL, keygen, passgen.
 use tauri::State;
 use serde::Serialize;
 use crate::AppState;
 use crate::ssh::exec::exec_on_session;
 use crate::utils::shell_escape;
 // ── Ping ─────────────────────────────────────────────────────────────────────
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct PingResult {
    pub target: String,
    pub output: String,
 }
 /// Ping a host through an SSH session's exec channel.
 #[tauri::command]
 pub async fn tool_ping(
    session_id: String,
    target: String,
    count: Option<u32>,
    state: State<'_, AppState>,
 ) -> Result<PingResult, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let n = count.unwrap_or(4);
    let cmd = format!("ping -c {} {} 2>&1", n, shell_escape(&target));
    let output = exec_on_session(&session.handle, &cmd).await?;
    Ok(PingResult { target, output })
 }
 /// Traceroute through an SSH session's exec channel.
 #[tauri::command]
 pub async fn tool_traceroute(
    session_id: String,
    target: String,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let t = shell_escape(&target);
    let cmd = format!("traceroute {} 2>&1 || tracert {} 2>&1", t, t);
    exec_on_session(&session.handle, &cmd).await
 }
 // ── Wake on LAN ──────────────────────────────────────────────────────────────
 /// Send a Wake-on-LAN magic packet through an SSH session.
 /// The remote host broadcasts the WoL packet on its local network.
 #[tauri::command]
 pub async fn tool_wake_on_lan(
    session_id: String,
    mac_address: String,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    // Build WoL magic packet as a shell one-liner using python or perl (widely available)
    let mac_clean = mac_address.replace([':', '-'], "");
    if mac_clean.len() != 12 || !mac_clean.chars().all(|c| c.is_ascii_hexdigit()) {
        return Err(format!("Invalid MAC address: {}", mac_address));
    }
    let cmd = format!(
        r#"python3 -c "
 import socket, struct
 mac = bytes.fromhex({mac_clean_escaped})
 pkt = b'\xff'*6 + mac*16
 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
 s.sendto(pkt, ('255.255.255.255', 9))
 s.close()
 print('WoL packet sent to {mac_display_escaped}')
 " 2>&1 || echo "python3 not available — install python3 on remote host for WoL""#,
        mac_clean_escaped = shell_escape(&mac_clean),
        mac_display_escaped = shell_escape(&mac_address),
    );
    exec_on_session(&session.handle, &cmd).await
 }
 // ── SSH Key Generator ────────────────────────────────────────────────────────
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct GeneratedKey {
    pub private_key: String,
    pub public_key: String,
    pub fingerprint: String,
    pub key_type: String,
 }
 /// Generate an SSH key pair locally (no SSH session needed).
 #[tauri::command]
 pub fn tool_generate_ssh_key(
    key_type: String,
    comment: Option<String>,
 ) -> Result<GeneratedKey, String> {
    tool_generate_ssh_key_inner(&key_type, comment)
 }
 pub fn tool_generate_ssh_key_inner(
    key_type: &str,
    comment: Option<String>,
 ) -> Result<GeneratedKey, String> {
    use ssh_key::{Algorithm, HashAlg, LineEnding};
    let comment_str = comment.unwrap_or_else(|| "wraith-generated".to_string());
    let algorithm = match key_type.to_lowercase().as_str() {
        "ed25519" => Algorithm::Ed25519,
        "rsa" | "rsa-2048" => Algorithm::Rsa { hash: Some(ssh_key::HashAlg::Sha256) },
        "rsa-4096" => Algorithm::Rsa { hash: Some(ssh_key::HashAlg::Sha256) },
        _ => return Err(format!("Unsupported key type: {}. Use ed25519 or rsa", key_type)),
    };
    let private_key = ssh_key::PrivateKey::random(&mut ssh_key::rand_core::OsRng, algorithm)
        .map_err(|e| format!("Key generation failed: {}", e))?;
    let private_pem = private_key.to_openssh(LineEnding::LF)
        .map_err(|e| format!("Failed to encode private key: {}", e))?;
    let public_key = private_key.public_key();
    let public_openssh = public_key.to_openssh()
        .map_err(|e| format!("Failed to encode public key: {}", e))?;
    let fingerprint = public_key.fingerprint(HashAlg::Sha256).to_string();
    Ok(GeneratedKey {
        private_key: private_pem.to_string(),
        public_key: format!("{} {}", public_openssh, comment_str),
        fingerprint,
        key_type: key_type.to_lowercase(),
    })
 }
 // ── Password Generator ───────────────────────────────────────────────────────
 /// Generate a cryptographically secure random password.
 #[tauri::command]
 pub fn tool_generate_password(
    length: Option<usize>,
    uppercase: Option<bool>,
    lowercase: Option<bool>,
    digits: Option<bool>,
    symbols: Option<bool>,
 ) -> Result<String, String> {
    tool_generate_password_inner(length, uppercase, lowercase, digits, symbols)
 }
 pub fn tool_generate_password_inner(
    length: Option<usize>,
    uppercase: Option<bool>,
    lowercase: Option<bool>,
    digits: Option<bool>,
    symbols: Option<bool>,
 ) -> Result<String, String> {
    use rand::Rng;
    let len = length.unwrap_or(20).max(4).min(128);
    let use_upper = uppercase.unwrap_or(true);
    let use_lower = lowercase.unwrap_or(true);
    let use_digits = digits.unwrap_or(true);
    let use_symbols = symbols.unwrap_or(true);
    let mut charset = String::new();
    if use_upper { charset.push_str("ABCDEFGHIJKLMNOPQRSTUVWXYZ"); }
    if use_lower { charset.push_str("abcdefghijklmnopqrstuvwxyz"); }
    if use_digits { charset.push_str("0123456789"); }
    if use_symbols { charset.push_str("!@#$%^&*()-_=+[]{}|;:,.<>?"); }
    if charset.is_empty() {
        return Err("At least one character class must be enabled".to_string());
    }
    let chars: Vec<char> = charset.chars().collect();
    let mut rng = rand::rng();
    let password: String = (0..len)
        .map(|_| chars[rng.random_range(0..chars.len())])
        .collect();
    Ok(password)
 }
--- a/src-tauri/src/commands/tools_commands_r2.rs
+++ b/src-tauri/src/commands/tools_commands_r2.rs
@ -0,0 +1,184 @@
 //! Tauri commands for Tools Round 2: DNS, Whois, Bandwidth, Subnet Calculator.
 use tauri::State;
 use serde::Serialize;
 use crate::AppState;
 use crate::ssh::exec::exec_on_session;
 use crate::utils::shell_escape;
 // ── DNS Lookup ───────────────────────────────────────────────────────────────
 #[tauri::command]
 pub async fn tool_dns_lookup(
    session_id: String,
    domain: String,
    record_type: Option<String>,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let d = shell_escape(&domain);
    let rt = shell_escape(&record_type.unwrap_or_else(|| "A".to_string()));
    let cmd = format!(
        r#"dig {} {} +short 2>/dev/null || nslookup -type={} {} 2>/dev/null || host -t {} {} 2>/dev/null"#,
        d, rt, rt, d, rt, d
    );
    exec_on_session(&session.handle, &cmd).await
 }
 // ── Whois ────────────────────────────────────────────────────────────────────
 #[tauri::command]
 pub async fn tool_whois(
    session_id: String,
    target: String,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let cmd = format!("whois {} 2>&1 | head -80", shell_escape(&target));
    exec_on_session(&session.handle, &cmd).await
 }
 // ── Bandwidth Test ───────────────────────────────────────────────────────────
 #[tauri::command]
 pub async fn tool_bandwidth_iperf(
    session_id: String,
    server: String,
    duration: Option<u32>,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    let dur = duration.unwrap_or(5);
    let s = shell_escape(&server);
    let cmd = format!(
        "iperf3 -c {} -t {} --json 2>/dev/null || iperf3 -c {} -t {} 2>&1 || echo 'iperf3 not installed — run: apt install iperf3 / brew install iperf3'",
        s, dur, s, dur
    );
    exec_on_session(&session.handle, &cmd).await
 }
 #[tauri::command]
 pub async fn tool_bandwidth_speedtest(
    session_id: String,
    state: State<'_, AppState>,
 ) -> Result<String, String> {
    let session = state.ssh.get_session(&session_id)
        .ok_or_else(|| format!("SSH session {} not found", session_id))?;
    // Try multiple speedtest tools in order of preference
    let cmd = r#"
 if command -v speedtest-cli >/dev/null 2>&1; then
    speedtest-cli --simple 2>&1
 elif command -v speedtest >/dev/null 2>&1; then
    speedtest --simple 2>&1
 elif command -v curl >/dev/null 2>&1; then
    echo "=== Download speed (curl) ==="
    curl -o /dev/null -w "Download: %{speed_download} bytes/sec (%{size_download} bytes in %{time_total}s)\n" https://speed.cloudflare.com/__down?bytes=25000000 2>/dev/null
    echo "=== Upload speed (curl) ==="
    dd if=/dev/zero bs=1M count=10 2>/dev/null | curl -X POST -o /dev/null -w "Upload: %{speed_upload} bytes/sec (%{size_upload} bytes in %{time_total}s)\n" -d @- https://speed.cloudflare.com/__up 2>/dev/null
 else
    echo "No speedtest tool found. Install: pip install speedtest-cli"
 fi
 "#;
    exec_on_session(&session.handle, cmd).await
 }
 // ── Subnet Calculator ────────────────────────────────────────────────────────
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SubnetInfo {
    pub cidr: String,
    pub network: String,
    pub broadcast: String,
    pub netmask: String,
    pub wildcard: String,
    pub first_host: String,
    pub last_host: String,
    pub total_hosts: u64,
    pub usable_hosts: u64,
    pub prefix_length: u8,
    pub class: String,
    pub is_private: bool,
 }
 /// Pure Rust subnet calculator — no SSH session needed.
 #[tauri::command]
 pub fn tool_subnet_calc(cidr: String) -> Result<SubnetInfo, String> {
    tool_subnet_calc_inner(&cidr)
 }
 pub fn tool_subnet_calc_inner(cidr: &str) -> Result<SubnetInfo, String> {
    let cidr = cidr.to_string();
    let parts: Vec<&str> = cidr.split('/').collect();
    if parts.len() != 2 {
        return Err("Expected CIDR notation: e.g. 192.168.1.0/24".to_string());
    }
    let ip_str = parts[0];
    let prefix: u8 = parts[1].parse()
        .map_err(|_| format!("Invalid prefix length: {}", parts[1]))?;
    if prefix > 32 {
        return Err(format!("Prefix length must be 0-32, got {}", prefix));
    }
    let octets: Vec<u8> = ip_str.split('.')
        .map(|o| o.parse::<u8>())
        .collect::<Result<Vec<_>, _>>()
        .map_err(|_| format!("Invalid IP address: {}", ip_str))?;
    if octets.len() != 4 {
        return Err(format!("Invalid IP address: {}", ip_str));
    }
    let ip: u32 = (octets[0] as u32) << 24
        | (octets[1] as u32) << 16
        | (octets[2] as u32) << 8
        | (octets[3] as u32);
    let mask: u32 = if prefix == 0 { 0 } else { !0u32 << (32 - prefix) };
    let wildcard = !mask;
    let network = ip & mask;
    let broadcast = network | wildcard;
    let first_host = if prefix >= 31 { network } else { network + 1 };
    let last_host = if prefix >= 31 { broadcast } else { broadcast - 1 };
    let total: u64 = 1u64 << (32 - prefix as u64);
    let usable = if prefix >= 31 { total } else { total - 2 };
    let class = match octets[0] {
        0..=127 => "A",
        128..=191 => "B",
        192..=223 => "C",
        224..=239 => "D (Multicast)",
        _ => "E (Reserved)",
    };
    let is_private = matches!(
        (octets[0], octets[1]),
        (10, _) | (172, 16..=31) | (192, 168)
    );
    Ok(SubnetInfo {
        cidr: format!("{}/{}", to_ip(network), prefix),
        network: to_ip(network),
        broadcast: to_ip(broadcast),
        netmask: to_ip(mask),
        wildcard: to_ip(wildcard),
        first_host: to_ip(first_host),
        last_host: to_ip(last_host),
        total_hosts: total,
        usable_hosts: usable,
        prefix_length: prefix,
        class: class.to_string(),
        is_private,
    })
 }
 fn to_ip(val: u32) -> String {
    format!("{}.{}.{}.{}", val >> 24, (val >> 16) & 0xFF, (val >> 8) & 0xFF, val & 0xFF)
 }
--- a/src-tauri/src/commands/updater.rs
+++ b/src-tauri/src/commands/updater.rs
@ -0,0 +1,94 @@
 //! Version check against Gitea releases API.
 use serde::Serialize;
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct UpdateInfo {
    pub current_version: String,
    pub latest_version: String,
    pub update_available: bool,
    pub download_url: String,
    pub release_notes: String,
 }
 /// Check Gitea for the latest release and compare with current version.
 #[tauri::command]
 pub async fn check_for_updates(app_handle: tauri::AppHandle) -> Result<UpdateInfo, String> {
    // Read version from tauri.conf.json (patched by CI from git tag)
    // rather than CARGO_PKG_VERSION which is always 0.1.0
    let current = app_handle.config().version.clone().unwrap_or_else(|| "0.0.0".to_string());
    let client = reqwest::Client::builder()
        .timeout(std::time::Duration::from_secs(10))
        .build()
        .map_err(|e| format!("HTTP client error: {}", e))?;
    let resp = client
        .get("https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases?limit=1")
        .header("Accept", "application/json")
        .send()
        .await
        .map_err(|e| format!("Failed to check for updates: {}", e))?;
    let releases: Vec<serde_json::Value> = resp.json().await
        .map_err(|e| format!("Failed to parse releases: {}", e))?;
    let latest = releases.first()
        .ok_or_else(|| "No releases found".to_string())?;
    let tag = latest.get("tag_name")
        .and_then(|v| v.as_str())
        .unwrap_or("v0.0.0")
        .trim_start_matches('v')
        .to_string();
    let notes = latest.get("body")
        .and_then(|v| v.as_str())
        .unwrap_or("")
        .to_string();
    // Direct download from SeaweedFS
    let html_url = format!("https://files.command.vigilcyber.com/wraith/{}/", tag);
    let update_available = version_is_newer(&tag, &current);
    Ok(UpdateInfo {
        current_version: current,
        latest_version: tag,
        update_available,
        download_url: html_url,
        release_notes: notes,
    })
 }
 /// Compare semver strings. Returns true if `latest` is newer than `current`.
 fn version_is_newer(latest: &str, current: &str) -> bool {
    let parse = |v: &str| -> Vec<u32> {
        v.split('.').filter_map(|s| s.parse().ok()).collect()
    };
    let l = parse(latest);
    let c = parse(current);
    for i in 0..3 {
        let lv = l.get(i).copied().unwrap_or(0);
        let cv = c.get(i).copied().unwrap_or(0);
        if lv > cv { return true; }
        if lv < cv { return false; }
    }
    false
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn version_comparison() {
        assert!(version_is_newer("1.5.7", "1.5.6"));
        assert!(version_is_newer("1.6.0", "1.5.9"));
        assert!(version_is_newer("2.0.0", "1.9.9"));
        assert!(!version_is_newer("1.5.6", "1.5.6"));
        assert!(!version_is_newer("1.5.5", "1.5.6"));
        assert!(!version_is_newer("1.4.0", "1.5.0"));
    }
 }
--- a/src-tauri/src/commands/vault.rs
+++ b/src-tauri/src/commands/vault.rs
@ -1,4 +1,5 @@
 use tauri::State;
 use zeroize::Zeroize;
 use crate::vault::{self, VaultService};
 use crate::credentials::CredentialService;
@ -21,14 +22,15 @@ pub fn is_first_run(state: State<'_, AppState>) -> bool {
 /// Returns `Err` if the vault has already been set up or if any storage
 /// operation fails.
 #[tauri::command]
-pub fn create_vault(password: String, state: State<'_, AppState>) -> Result<(), String> {
+pub async fn create_vault(mut password: String, state: State<'_, AppState>) -> Result<(), String> {
    let result = async {
        if !state.is_first_run() {
            return Err("Vault already exists — use unlock instead of create".into());
        }
        let salt = vault::generate_salt();
        let key = vault::derive_key(&password, &salt);
-    let vs = VaultService::new(key);
+        let vs = VaultService::new(key.clone());
        // Persist the salt so we can re-derive the key on future unlocks.
        state.settings.set("vault_salt", &hex::encode(salt))?;
@ -39,10 +41,14 @@ pub fn create_vault(password: String, state: State<'_, AppState>) -> Result<(),
        // Activate the vault and credentials service for this session.
        let cred_svc = CredentialService::new(state.db.clone(), VaultService::new(key));
-    *state.credentials.lock().unwrap() = Some(cred_svc);
+        *state.credentials.lock().await = Some(cred_svc);
-    *state.vault.lock().unwrap() = Some(vs);
+        *state.vault.lock().await = Some(vs);
        Ok(())
    }.await;
    password.zeroize();
    result
 }
 /// Unlock an existing vault using the master password.
@ -52,7 +58,8 @@ pub fn create_vault(password: String, state: State<'_, AppState>) -> Result<(),
 ///
 /// Returns `Err("Incorrect master password")` if the password is wrong.
 #[tauri::command]
-pub fn unlock(password: String, state: State<'_, AppState>) -> Result<(), String> {
+pub async fn unlock(mut password: String, state: State<'_, AppState>) -> Result<(), String> {
    let result = async {
        let salt_hex = state
            .settings
            .get("vault_salt")
@ -62,7 +69,7 @@ pub fn unlock(password: String, state: State<'_, AppState>) -> Result<(), String
            .map_err(|e| format!("Stored vault salt is corrupt: {e}"))?;
        let key = vault::derive_key(&password, &salt);
-    let vs = VaultService::new(key);
+        let vs = VaultService::new(key.clone());
        // Verify the password by decrypting the check value.
        let check_blob = state
@ -80,14 +87,18 @@ pub fn unlock(password: String, state: State<'_, AppState>) -> Result<(), String
        // Activate the vault and credentials service for this session.
        let cred_svc = CredentialService::new(state.db.clone(), VaultService::new(key));
-    *state.credentials.lock().unwrap() = Some(cred_svc);
+        *state.credentials.lock().await = Some(cred_svc);
-    *state.vault.lock().unwrap() = Some(vs);
+        *state.vault.lock().await = Some(vs);
        Ok(())
    }.await;
    password.zeroize();
    result
 }
 /// Returns `true` if the vault is currently unlocked for this session.
 #[tauri::command]
-pub fn is_unlocked(state: State<'_, AppState>) -> bool {
+pub async fn is_unlocked(state: State<'_, AppState>) -> Result<bool, String> {
-    state.is_unlocked()
+    Ok(state.is_unlocked().await)
 }
--- a/src-tauri/src/commands/window_commands.rs
+++ b/src-tauri/src/commands/window_commands.rs
@ -0,0 +1,40 @@
 use tauri::AppHandle;
 use tauri::WebviewWindowBuilder;
 /// Open a child window from the Rust side using WebviewWindowBuilder.
 ///
 /// The `url` parameter supports hash fragments (e.g. "index.html#/tool/ping?sessionId=abc").
 /// WebviewUrl::App takes a PathBuf and cannot handle hash/query — so we load plain
 /// index.html and set the hash via JS after the window is created.
 #[tauri::command]
 pub fn open_child_window(
    app_handle: AppHandle,
    label: String,
    title: String,
    url: String,
    width: f64,
    height: f64,
 ) -> Result<(), String> {
    // Split "index.html#/tool/ping?sessionId=abc" into path and fragment
    let (path, hash) = match url.split_once('#') {
        Some((p, h)) => (p.to_string(), Some(format!("#{}", h))),
        None => (url.clone(), None),
    };
    let webview_url = tauri::WebviewUrl::App(path.into());
    let window = WebviewWindowBuilder::new(&app_handle, &label, webview_url)
        .title(&title)
        .inner_size(width, height)
        .resizable(true)
        .center()
        .build()
        .map_err(|e| format!("Failed to create window '{}': {}", label, e))?;
    // Set the hash fragment after the window loads — this triggers App.vue's
    // onMounted hash detection to render the correct tool/detached component.
    if let Some(hash) = hash {
        let _ = window.eval(&format!("window.location.hash = '{}';", hash));
    }
    Ok(())
 }
--- a/src-tauri/src/commands/workspace_commands.rs
+++ b/src-tauri/src/commands/workspace_commands.rs
@ -0,0 +1,16 @@
 //! Tauri commands for workspace persistence.
 use tauri::State;
 use crate::AppState;
 use crate::workspace::{WorkspaceSnapshot, WorkspaceTab};
 #[tauri::command]
 pub fn save_workspace(tabs: Vec<WorkspaceTab>, state: State<'_, AppState>) -> Result<(), String> {
    let snapshot = WorkspaceSnapshot { tabs };
    state.workspace.save(&snapshot)
 }
 #[tauri::command]
 pub fn load_workspace(state: State<'_, AppState>) -> Result<Option<WorkspaceSnapshot>, String> {
    Ok(state.workspace.load())
 }
--- a/src-tauri/src/connections/mod.rs
+++ b/src-tauri/src/connections/mod.rs
@ -19,6 +19,7 @@ use crate::db::Database;
 // ── domain types ──────────────────────────────────────────────────────────────
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct ConnectionGroup {
    pub id: i64,
    pub name: String,
@ -429,6 +430,54 @@ impl ConnectionService {
        Ok(records)
    }
    /// Batch-update sort_order for a list of connection IDs.
    pub fn reorder_connections(&self, ids: &[i64]) -> Result<(), String> {
        let conn = self.db.conn();
        conn.execute_batch("BEGIN")
            .map_err(|e| format!("Failed to begin reorder transaction: {e}"))?;
        let result = (|| {
            for (i, id) in ids.iter().enumerate() {
                conn.execute(
                    "UPDATE connections SET sort_order = ?1 WHERE id = ?2",
                    params![i as i64, id],
                )
                .map_err(|e| format!("Failed to reorder connection {id}: {e}"))?;
            }
            Ok(())
        })();
        if result.is_err() {
            let _ = conn.execute_batch("ROLLBACK");
        } else {
            conn.execute_batch("COMMIT")
                .map_err(|e| format!("Failed to commit reorder transaction: {e}"))?;
        }
        result
    }
    /// Batch-update sort_order for a list of group IDs.
    pub fn reorder_groups(&self, ids: &[i64]) -> Result<(), String> {
        let conn = self.db.conn();
        conn.execute_batch("BEGIN")
            .map_err(|e| format!("Failed to begin reorder transaction: {e}"))?;
        let result = (|| {
            for (i, id) in ids.iter().enumerate() {
                conn.execute(
                    "UPDATE groups SET sort_order = ?1 WHERE id = ?2",
                    params![i as i64, id],
                )
                .map_err(|e| format!("Failed to reorder group {id}: {e}"))?;
            }
            Ok(())
        })();
        if result.is_err() {
            let _ = conn.execute_batch("ROLLBACK");
        } else {
            conn.execute_batch("COMMIT")
                .map_err(|e| format!("Failed to commit reorder transaction: {e}"))?;
        }
        result
    }
 }
 // ── private helpers ───────────────────────────────────────────────────────────
--- a/src-tauri/src/db/mod.rs
+++ b/src-tauri/src/db/mod.rs
@ -31,10 +31,11 @@ impl Database {
    /// Acquire a lock on the underlying connection.
    ///
-    /// Panics if the mutex was poisoned (which only happens if a thread
+    /// Recovers gracefully from a poisoned mutex by taking the inner value.
-    /// panicked while holding the lock — a non-recoverable situation anyway).
+    /// A poisoned mutex means a thread panicked while holding the lock; the
    /// connection itself is still valid, so we can continue operating.
    pub fn conn(&self) -> std::sync::MutexGuard<'_, Connection> {
-        self.conn.lock().unwrap()
+        self.conn.lock().unwrap_or_else(|e| e.into_inner())
    }
    /// Run all embedded SQL migrations.
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@ -1,3 +1,12 @@
 // Global debug log macro — must be declared before modules that use it
 #[macro_export]
 macro_rules! wraith_log {
    ($($arg:tt)*) => {{
        let msg = format!($($arg)*);
        let _ = $crate::write_log(&$crate::data_directory().join("wraith.log"), &msg);
    }};
 }
 pub mod db;
 pub mod vault;
 pub mod settings;
@ -9,10 +18,12 @@ pub mod rdp;
 pub mod theme;
 pub mod workspace;
 pub mod pty;
 pub mod mcp;
 pub mod scanner;
 pub mod commands;
 pub mod utils;
 use std::path::PathBuf;
 use std::sync::Mutex;
 use db::Database;
 use vault::VaultService;
@ -25,19 +36,23 @@ use rdp::RdpService;
 use theme::ThemeService;
 use workspace::WorkspaceService;
 use pty::PtyService;
 use mcp::ScrollbackRegistry;
 use mcp::error_watcher::ErrorWatcher;
 pub struct AppState {
    pub db: Database,
-    pub vault: Mutex<Option<VaultService>>,
+    pub vault: tokio::sync::Mutex<Option<VaultService>>,
    pub settings: SettingsService,
    pub connections: ConnectionService,
-    pub credentials: Mutex<Option<CredentialService>>,
+    pub credentials: tokio::sync::Mutex<Option<CredentialService>>,
    pub ssh: SshService,
    pub sftp: SftpService,
    pub rdp: RdpService,
    pub theme: ThemeService,
    pub workspace: WorkspaceService,
    pub pty: PtyService,
    pub scrollback: ScrollbackRegistry,
    pub error_watcher: std::sync::Arc<ErrorWatcher>,
 }
 impl AppState {
@ -45,27 +60,34 @@ impl AppState {
        std::fs::create_dir_all(&data_dir)?;
        let database = Database::open(&data_dir.join("wraith.db"))?;
        database.migrate()?;
        let settings = SettingsService::new(database.clone());
        Ok(Self {
            db: database.clone(),
-            vault: Mutex::new(None),
+            vault: tokio::sync::Mutex::new(None),
            settings: SettingsService::new(database.clone()),
            connections: ConnectionService::new(database.clone()),
-            credentials: Mutex::new(None),
+            credentials: tokio::sync::Mutex::new(None),
            ssh: SshService::new(database.clone()),
            sftp: SftpService::new(),
            rdp: RdpService::new(),
-            theme: ThemeService::new(database.clone()),
+            theme: ThemeService::new(database),
-            workspace: WorkspaceService::new(SettingsService::new(database.clone())),
+            workspace: WorkspaceService::new(settings.clone()),
            settings,
            pty: PtyService::new(),
            scrollback: ScrollbackRegistry::new(),
            error_watcher: std::sync::Arc::new(ErrorWatcher::new()),
        })
    }
    pub fn clone_services(&self) -> (SshService, rdp::RdpService, SftpService, ScrollbackRegistry, std::sync::Arc<ErrorWatcher>) {
        (self.ssh.clone(), self.rdp.clone(), self.sftp.clone(), self.scrollback.clone(), self.error_watcher.clone())
    }
    pub fn is_first_run(&self) -> bool {
        self.settings.get("vault_salt").unwrap_or_default().is_empty()
    }
-    pub fn is_unlocked(&self) -> bool {
+    pub async fn is_unlocked(&self) -> bool {
-        self.vault.lock().unwrap().is_some()
+        self.vault.lock().await.is_some()
    }
 }
@ -79,13 +101,52 @@ pub fn data_directory() -> PathBuf {
    PathBuf::from(".")
 }
 /// Cached log file handle — opened once on first use, reused for all subsequent
 /// writes.  Avoids the open/close syscall pair that the original implementation
 /// paid on every `wraith_log!` invocation.
 static LOG_FILE: std::sync::OnceLock<std::sync::Mutex<std::fs::File>> = std::sync::OnceLock::new();
 fn write_log(path: &std::path::Path, msg: &str) -> std::io::Result<()> {
    use std::io::Write;
    let handle = LOG_FILE.get_or_init(|| {
        let file = std::fs::OpenOptions::new()
            .create(true)
            .append(true)
            .open(path)
            .expect("failed to open wraith.log");
        std::sync::Mutex::new(file)
    });
    let mut f = handle.lock().unwrap_or_else(|e| e.into_inner());
    let elapsed = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs();
    writeln!(f, "[{}] {}", elapsed, msg)
 }
 #[cfg_attr(mobile, tauri::mobile_entry_point)]
 pub fn run() {
-    let app_state = AppState::new(data_directory()).expect("Failed to init AppState");
+    // Install rustls crypto provider before any TLS operations (RDP needs this)
    let _ = tokio_rustls::rustls::crypto::aws_lc_rs::default_provider().install_default();
    // Initialize file-based logging to data_dir/wraith.log
    let log_path = data_directory().join("wraith.log");
    let _ = write_log(&log_path, "=== Wraith starting ===");
    let app_state = match AppState::new(data_directory()) {
        Ok(s) => s,
        Err(e) => {
            let _ = write_log(&log_path, &format!("FATAL: AppState init failed: {}", e));
            panic!("Failed to init AppState: {}", e);
        }
    };
    app_state.theme.seed_builtins();
    tauri::Builder::default()
        .plugin(tauri_plugin_shell::init())
        .plugin(tauri_plugin_updater::Builder::new().build())
        .manage(app_state)
        .setup(|app| {
            #[cfg(debug_assertions)]
@ -95,20 +156,85 @@ pub fn run() {
                    window.open_devtools();
                }
            }
-            let _ = app;
+
            // Start MCP and error watcher — completely non-fatal.
            {
                use tauri::Manager;
                let log_file = data_directory().join("wraith.log");
                let _ = write_log(&log_file, "Setup: starting MCP and error watcher");
                match std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
                    app.state::<AppState>().inner().clone_services()
                })) {
                Ok(state) => {
                    let (ssh, rdp, sftp, scrollback, watcher) = state;
                    let _ = write_log(&log_file, "Setup: cloned services OK");
                    // Error watcher — std::thread, no tokio needed
                    let watcher_for_mcp = watcher.clone();
                    let app_handle = app.handle().clone();
                    let app_handle_for_mcp = app.handle().clone();
                    let _ = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
                        mcp::error_watcher::start_error_watcher(watcher, scrollback.clone(), app_handle);
                    }));
                    let _ = write_log(&log_file, "Setup: error watcher started");
                    // MCP HTTP server — needs async runtime
                    let log_file2 = log_file.clone();
                    let _ = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
                        tauri::async_runtime::spawn(async move {
                            match mcp::server::start_mcp_server(ssh, rdp, sftp, scrollback, app_handle_for_mcp, watcher_for_mcp).await {
                                Ok(port) => { let _ = write_log(&log_file2, &format!("MCP server started on localhost:{}", port)); }
                                Err(e) => { let _ = write_log(&log_file2, &format!("MCP server FAILED: {}", e)); }
                            }
                        });
                    }));
                    let _ = write_log(&log_file, "Setup: MCP spawn dispatched");
                    // Download/update MCP bridge binary if needed
                    let app_ver = app.config().version.clone().unwrap_or_else(|| "0.0.0".to_string());
                    let log_file3 = log_file.clone();
                    tauri::async_runtime::spawn(async move {
                        match mcp::bridge_manager::ensure_bridge(&app_ver).await {
                            Ok(()) => { let _ = write_log(&log_file3, "Setup: MCP bridge binary OK"); }
                            Err(e) => { let _ = write_log(&log_file3, &format!("Setup: MCP bridge download failed: {}", e)); }
                        }
                    });
                }
                Err(panic) => {
                    let msg = if let Some(s) = panic.downcast_ref::<String>() {
                        s.clone()
                    } else if let Some(s) = panic.downcast_ref::<&str>() {
                        s.to_string()
                    } else {
                        format!("{:?}", panic.type_id())
                    };
                    let _ = write_log(&log_file, &format!("MCP startup panicked: {}", msg));
                }
                }
            }
            Ok(())
        })
        .invoke_handler(tauri::generate_handler![
            commands::vault::is_first_run, commands::vault::create_vault, commands::vault::unlock, commands::vault::is_unlocked,
            commands::settings::get_setting, commands::settings::set_setting,
            commands::connections::list_connections, commands::connections::create_connection, commands::connections::get_connection, commands::connections::update_connection, commands::connections::delete_connection,
-            commands::connections::list_groups, commands::connections::create_group, commands::connections::delete_group, commands::connections::rename_group, commands::connections::search_connections,
+            commands::connections::list_groups, commands::connections::create_group, commands::connections::delete_group, commands::connections::rename_group, commands::connections::search_connections, commands::connections::reorder_connections, commands::connections::reorder_groups,
            commands::credentials::list_credentials, commands::credentials::create_password, commands::credentials::create_ssh_key, commands::credentials::delete_credential, commands::credentials::decrypt_password, commands::credentials::decrypt_ssh_key,
            commands::ssh_commands::connect_ssh, commands::ssh_commands::connect_ssh_with_key, commands::ssh_commands::ssh_write, commands::ssh_commands::ssh_resize, commands::ssh_commands::disconnect_ssh, commands::ssh_commands::disconnect_session, commands::ssh_commands::list_ssh_sessions,
            commands::sftp_commands::sftp_list, commands::sftp_commands::sftp_read_file, commands::sftp_commands::sftp_write_file, commands::sftp_commands::sftp_mkdir, commands::sftp_commands::sftp_delete, commands::sftp_commands::sftp_rename,
-            commands::rdp_commands::connect_rdp, commands::rdp_commands::rdp_get_frame, commands::rdp_commands::rdp_send_mouse, commands::rdp_commands::rdp_send_key, commands::rdp_commands::rdp_send_clipboard, commands::rdp_commands::disconnect_rdp, commands::rdp_commands::list_rdp_sessions,
+            commands::rdp_commands::connect_rdp, commands::rdp_commands::rdp_get_frame, commands::rdp_commands::rdp_force_refresh, commands::rdp_commands::rdp_send_mouse, commands::rdp_commands::rdp_send_key, commands::rdp_commands::rdp_send_clipboard, commands::rdp_commands::rdp_resize, commands::rdp_commands::disconnect_rdp, commands::rdp_commands::list_rdp_sessions,
            commands::theme_commands::list_themes, commands::theme_commands::get_theme,
            commands::pty_commands::list_available_shells, commands::pty_commands::spawn_local_shell, commands::pty_commands::pty_write, commands::pty_commands::pty_resize, commands::pty_commands::disconnect_pty,
            commands::mcp_commands::mcp_list_sessions, commands::mcp_commands::mcp_terminal_read, commands::mcp_commands::mcp_terminal_execute, commands::mcp_commands::mcp_get_session_context, commands::mcp_commands::mcp_bridge_path,
            commands::scanner_commands::scan_network, commands::scanner_commands::scan_ports, commands::scanner_commands::quick_scan,
            commands::tools_commands::tool_ping, commands::tools_commands::tool_traceroute, commands::tools_commands::tool_wake_on_lan, commands::tools_commands::tool_generate_ssh_key, commands::tools_commands::tool_generate_password,
            commands::tools_commands_r2::tool_dns_lookup, commands::tools_commands_r2::tool_whois, commands::tools_commands_r2::tool_bandwidth_iperf, commands::tools_commands_r2::tool_bandwidth_speedtest, commands::tools_commands_r2::tool_subnet_calc,
            commands::updater::check_for_updates,
            commands::workspace_commands::save_workspace, commands::workspace_commands::load_workspace,
            commands::docker_commands::docker_list_containers, commands::docker_commands::docker_list_images, commands::docker_commands::docker_list_volumes, commands::docker_commands::docker_action,
            commands::window_commands::open_child_window,
        ])
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
--- a/src-tauri/src/mcp/bridge_manager.rs
+++ b/src-tauri/src/mcp/bridge_manager.rs
@ -0,0 +1,85 @@
 //! MCP bridge binary self-management.
 //!
 //! On startup, checks if wraith-mcp-bridge exists in the data directory.
 //! If missing or outdated, downloads the correct version from Gitea packages.
 use std::path::PathBuf;
 /// Get the expected path for the bridge binary.
 pub fn bridge_path() -> PathBuf {
    let dir = crate::data_directory();
    if cfg!(windows) {
        dir.join("wraith-mcp-bridge.exe")
    } else {
        dir.join("wraith-mcp-bridge")
    }
 }
 /// Check if the bridge binary exists and is the correct version.
 /// If not, download it from Gitea packages.
 pub async fn ensure_bridge(app_version: &str) -> Result<(), String> {
    let path = bridge_path();
    let version_file = crate::data_directory().join("mcp-bridge-version");
    // Check if bridge exists and version matches
    if path.exists() {
        if let Ok(installed_ver) = std::fs::read_to_string(&version_file) {
            if installed_ver.trim() == app_version {
                wraith_log!("[MCP Bridge] v{} already installed at {}", app_version, path.display());
                return Ok(());
            }
        }
    }
    wraith_log!("[MCP Bridge] Downloading v{} to {}", app_version, path.display());
    let binary_name = if cfg!(windows) {
        "wraith-mcp-bridge.exe"
    } else {
        "wraith-mcp-bridge"
    };
    let url = format!(
        "https://files.command.vigilcyber.com/wraith/{}/{}",
        app_version, binary_name
    );
    let client = reqwest::Client::builder()
        .timeout(std::time::Duration::from_secs(30))
        .build()
        .map_err(|e| format!("HTTP client error: {}", e))?;
    let resp = client.get(&url).send().await
        .map_err(|e| format!("Failed to download MCP bridge: {}", e))?;
    if !resp.status().is_success() {
        return Err(format!("MCP bridge download failed: HTTP {}", resp.status()));
    }
    let bytes = resp.bytes().await
        .map_err(|e| format!("Failed to read MCP bridge response: {}", e))?;
    // Write the binary
    std::fs::write(&path, &bytes)
        .map_err(|e| format!("Failed to write MCP bridge to {}: {}", path.display(), e))?;
    // Make executable on Unix
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let mut perms = std::fs::metadata(&path)
            .map_err(|e| format!("Failed to read permissions: {}", e))?
            .permissions();
        perms.set_mode(0o755);
        std::fs::set_permissions(&path, perms)
            .map_err(|e| format!("Failed to set execute permission: {}", e))?;
    }
    // Write version marker
    std::fs::write(&version_file, app_version)
        .map_err(|e| format!("Failed to write version file: {}", e))?;
    wraith_log!("[MCP Bridge] v{} installed successfully ({} bytes)", app_version, bytes.len());
    Ok(())
 }
--- a/src-tauri/src/mcp/error_watcher.rs
+++ b/src-tauri/src/mcp/error_watcher.rs
@ -0,0 +1,115 @@
 //! Background error pattern scanner for terminal sessions.
 //!
 //! Watches scrollback buffers for common error patterns and emits
 //! `mcp:error:{session_id}` events to the frontend when detected.
 use std::sync::Arc;
 use dashmap::DashMap;
 use tauri::{AppHandle, Emitter};
 use crate::mcp::ScrollbackRegistry;
 /// Common error patterns to watch for across all sessions.
 const ERROR_PATTERNS: &[&str] = &[
    "Permission denied",
    "permission denied",
    "Connection refused",
    "connection refused",
    "No space left on device",
    "Disk quota exceeded",
    "Out of memory",
    "OOM",
    "Killed",
    "Segmentation fault",
    "segfault",
    "FATAL",
    "CRITICAL",
    "panic:",
    "stack overflow",
    "Too many open files",
    "Connection timed out",
    "Connection reset by peer",
    "Host key verification failed",
    "command not found",
    "No such file or directory",
 ];
 /// Tracks the last scanned position per session to avoid re-emitting.
 pub struct ErrorWatcher {
    last_scanned: DashMap<String, usize>,
 }
 impl ErrorWatcher {
    pub fn new() -> Self {
        Self { last_scanned: DashMap::new() }
    }
    /// Scan all registered sessions for new error patterns.
    /// Returns a list of (session_id, matched_line) pairs.
    pub fn scan(&self, scrollback: &ScrollbackRegistry) -> Vec<(String, String)> {
        let mut alerts = Vec::new();
        // Collect session IDs and positions first to avoid holding the iter
        let sessions: Vec<(String, usize)> = self.last_scanned.iter()
            .map(|entry| (entry.key().clone(), *entry.value()))
            .collect();
        for (session_id, last_pos) in sessions {
            if let Some(buf) = scrollback.get(&session_id) {
                let total = buf.total_written();
                if total <= last_pos {
                    continue;
                }
                // Only scan bytes written since the last check — avoids
                // reading the entire 64 KB ring buffer on every 2-second tick.
                let new_content = buf.read_since(last_pos);
                for line in new_content.lines() {
                    for pattern in ERROR_PATTERNS {
                        if line.contains(pattern) {
                            alerts.push((session_id.clone(), line.to_string()));
                            break;
                        }
                    }
                }
                self.last_scanned.insert(session_id, total);
            }
        }
        alerts
    }
    /// Register a session for watching.
    pub fn watch(&self, session_id: &str) {
        self.last_scanned.insert(session_id.to_string(), 0);
    }
    /// Stop watching a session.
    pub fn unwatch(&self, session_id: &str) {
        self.last_scanned.remove(session_id);
    }
 }
 /// Spawn a background task that scans for errors every 2 seconds.
 pub fn start_error_watcher(
    watcher: Arc<ErrorWatcher>,
    scrollback: ScrollbackRegistry,
    app_handle: AppHandle,
 ) {
    std::thread::spawn(move || {
        loop {
            std::thread::sleep(std::time::Duration::from_secs(2));
            let alerts = watcher.scan(&scrollback);
            for (session_id, line) in alerts {
                let _ = app_handle.emit("mcp:error", serde_json::json!({
                    "sessionId": session_id,
                    "message": line,
                }));
            }
        }
    });
 }
--- a/src-tauri/src/mcp/mod.rs
+++ b/src-tauri/src/mcp/mod.rs
@ -0,0 +1,46 @@
 //! MCP (Model Context Protocol) infrastructure for Wraith.
 //!
 //! Provides programmatic access to active sessions so AI tools running in the
 //! copilot panel can read terminal output, execute commands, and enumerate
 //! sessions.
 pub mod scrollback;
 pub mod server;
 pub mod error_watcher;
 pub mod bridge_manager;
 use std::sync::Arc;
 use dashmap::DashMap;
 use crate::mcp::scrollback::ScrollbackBuffer;
 /// Registry of scrollback buffers keyed by session ID.
 /// Shared between SSH/PTY output loops (writers) and MCP tools (readers).
 #[derive(Clone)]
 pub struct ScrollbackRegistry {
    buffers: Arc<DashMap<String, Arc<ScrollbackBuffer>>>,
 }
 impl ScrollbackRegistry {
    pub fn new() -> Self {
        Self { buffers: Arc::new(DashMap::new()) }
    }
    /// Create and register a new scrollback buffer for a session.
    pub fn create(&self, session_id: &str) -> Arc<ScrollbackBuffer> {
        let buf = Arc::new(ScrollbackBuffer::new());
        self.buffers.insert(session_id.to_string(), buf.clone());
        buf
    }
    /// Get the scrollback buffer for a session.
    pub fn get(&self, session_id: &str) -> Option<Arc<ScrollbackBuffer>> {
        self.buffers.get(session_id).map(|r| r.value().clone())
    }
    /// Remove a session's scrollback buffer.
    pub fn remove(&self, session_id: &str) {
        self.buffers.remove(session_id);
    }
 }
--- a/src-tauri/src/mcp/scrollback.rs
+++ b/src-tauri/src/mcp/scrollback.rs
@ -0,0 +1,285 @@
 //! Per-session scrollback buffer for MCP terminal_read.
 //!
 //! A thread-safe circular buffer that stores the last N bytes of terminal
 //! output. Both SSH and PTY output loops write to it. The MCP tools read
 //! from it without touching xterm.js or the frontend.
 use std::sync::Mutex;
 const DEFAULT_CAPACITY: usize = 64 * 1024; // 64KB per session
 /// Thread-safe circular buffer for terminal output.
 pub struct ScrollbackBuffer {
    inner: Mutex<RingBuffer>,
 }
 struct RingBuffer {
    data: Vec<u8>,
    capacity: usize,
    /// Write position (wraps around)
    write_pos: usize,
    /// Total bytes written (for detecting wrap)
    total_written: usize,
 }
 impl ScrollbackBuffer {
    pub fn new() -> Self {
        Self::with_capacity(DEFAULT_CAPACITY)
    }
    pub fn with_capacity(capacity: usize) -> Self {
        Self {
            inner: Mutex::new(RingBuffer {
                data: vec![0u8; capacity],
                capacity,
                write_pos: 0,
                total_written: 0,
            }),
        }
    }
    /// Append bytes to the buffer. Old data is overwritten when full.
    pub fn push(&self, bytes: &[u8]) {
        if bytes.is_empty() {
            return;
        }
        let mut buf = self.inner.lock().unwrap_or_else(|e| e.into_inner());
        let cap = buf.capacity;
        // If input exceeds capacity, only keep the last `cap` bytes
        let data = if bytes.len() > cap {
            &bytes[bytes.len() - cap..]
        } else {
            bytes
        };
        let write_pos = buf.write_pos;
        let first_len = (cap - write_pos).min(data.len());
        buf.data[write_pos..write_pos + first_len].copy_from_slice(&data[..first_len]);
        if first_len < data.len() {
            buf.data[..data.len() - first_len].copy_from_slice(&data[first_len..]);
        }
        buf.write_pos = (write_pos + data.len()) % cap;
        buf.total_written += bytes.len();
    }
    /// Read the last `n` lines from the buffer, with ANSI escape codes stripped.
    pub fn read_lines(&self, n: usize) -> String {
        let raw = self.read_raw();
        let text = strip_ansi(&raw);
        let lines: Vec<&str> = text.lines().collect();
        let start = lines.len().saturating_sub(n);
        lines[start..].join("\n")
    }
    /// Read all buffered content as raw bytes (ordered oldest→newest).
    pub fn read_raw(&self) -> String {
        let buf = self.inner.lock().unwrap_or_else(|e| e.into_inner());
        let bytes = if buf.total_written >= buf.capacity {
            // Buffer has wrapped — read from write_pos to end, then start to write_pos
            let mut out = Vec::with_capacity(buf.capacity);
            out.extend_from_slice(&buf.data[buf.write_pos..]);
            out.extend_from_slice(&buf.data[..buf.write_pos]);
            out
        } else {
            // Buffer hasn't wrapped yet
            buf.data[..buf.write_pos].to_vec()
        };
        String::from_utf8_lossy(&bytes).to_string()
    }
    /// Total bytes written since creation.
    pub fn total_written(&self) -> usize {
        self.inner.lock().unwrap_or_else(|e| e.into_inner()).total_written
    }
    /// Read only the bytes written after `position` (total_written offset),
    /// ordered oldest→newest, with ANSI codes stripped.
    ///
    /// Returns an empty string when there is nothing new since `position`.
    /// This is more efficient than `read_raw()` for incremental scanning because
    /// it avoids copying the full 64 KB ring buffer when only a small delta exists.
    pub fn read_since(&self, position: usize) -> String {
        let buf = self.inner.lock().unwrap_or_else(|e| e.into_inner());
        let total = buf.total_written;
        if total <= position {
            return String::new();
        }
        let new_bytes = total - position;
        let cap = buf.capacity;
        // How many bytes are actually stored in the ring (max = capacity)
        let stored = total.min(cap);
        // Clamp new_bytes to what's actually in the buffer
        let readable = new_bytes.min(stored);
        // Write position is where the *next* byte would go; reading backwards
        // from write_pos gives us the most recent `readable` bytes.
        let write_pos = buf.write_pos;
        let bytes = if readable <= write_pos {
            // Contiguous slice ending at write_pos
            buf.data[write_pos - readable..write_pos].to_vec()
        } else {
            // Wraps around: tail of buffer + head up to write_pos
            let tail_len = readable - write_pos;
            let tail_start = cap - tail_len;
            let mut out = Vec::with_capacity(readable);
            out.extend_from_slice(&buf.data[tail_start..]);
            out.extend_from_slice(&buf.data[..write_pos]);
            out
        };
        let raw = String::from_utf8_lossy(&bytes).to_string();
        strip_ansi(&raw)
    }
 }
 /// Strip ANSI escape sequences from text.
 fn strip_ansi(input: &str) -> String {
    let mut output = String::with_capacity(input.len());
    let mut chars = input.chars().peekable();
    while let Some(ch) = chars.next() {
        if ch == '\x1b' {
            // ESC sequence — consume until terminator
            if let Some(&next) = chars.peek() {
                if next == '[' {
                    chars.next(); // consume '['
                    // CSI sequence — consume until letter
                    while let Some(&c) = chars.peek() {
                        chars.next();
                        if c.is_ascii_alphabetic() || c == '~' || c == '@' {
                            break;
                        }
                    }
                } else if next == ']' {
                    chars.next(); // consume ']'
                    // OSC sequence — consume until BEL or ST
                    while let Some(&c) = chars.peek() {
                        chars.next();
                        if c == '\x07' {
                            break;
                        }
                        if c == '\x1b' {
                            if chars.peek() == Some(&'\\') {
                                chars.next();
                            }
                            break;
                        }
                    }
                } else {
                    chars.next(); // consume single-char escape
                }
            }
        } else if ch == '\r' {
            // Skip carriage returns for cleaner output
            continue;
        } else {
            output.push(ch);
        }
    }
    output
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn push_and_read_basic() {
        let buf = ScrollbackBuffer::new();
        buf.push(b"hello world\n");
        let lines = buf.read_lines(10);
        assert!(lines.contains("hello world"));
    }
    #[test]
    fn read_lines_limits_output() {
        let buf = ScrollbackBuffer::new();
        buf.push(b"line1\nline2\nline3\nline4\nline5\n");
        let lines = buf.read_lines(2);
        assert!(!lines.contains("line3"));
        assert!(lines.contains("line4"));
        assert!(lines.contains("line5"));
    }
    #[test]
    fn circular_buffer_wraps() {
        let buf = ScrollbackBuffer::with_capacity(16);
        buf.push(b"AAAAAAAAAAAAAAAA"); // fill 16 bytes
        buf.push(b"BBBB"); // overwrite first 4
        let raw = buf.read_raw();
        assert!(raw.starts_with("AAAAAAAAAAAA")); // 12 A's remain
        assert!(raw.ends_with("BBBB"));
    }
    #[test]
    fn strip_ansi_removes_csi() {
        let input = "\x1b[32mgreen\x1b[0m normal";
        assert_eq!(strip_ansi(input), "green normal");
    }
    #[test]
    fn strip_ansi_removes_osc() {
        let input = "\x1b]0;title\x07text";
        assert_eq!(strip_ansi(input), "text");
    }
    #[test]
    fn strip_ansi_preserves_plain_text() {
        let input = "no escapes here\njust text";
        assert_eq!(strip_ansi(input), "no escapes here\njust text");
    }
    #[test]
    fn empty_buffer_returns_empty() {
        let buf = ScrollbackBuffer::new();
        assert_eq!(buf.read_lines(10), "");
        assert_eq!(buf.total_written(), 0);
    }
    #[test]
    fn total_written_tracks_all_bytes() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"12345678"); // 8 bytes
        buf.push(b"ABCD"); // 4 more, wraps
        assert_eq!(buf.total_written(), 12);
    }
    #[test]
    fn push_empty_is_noop() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"hello");
        buf.push(b"");
        assert_eq!(buf.total_written(), 5);
        assert!(buf.read_raw().contains("hello"));
    }
    #[test]
    fn push_larger_than_capacity() {
        let buf = ScrollbackBuffer::with_capacity(4);
        buf.push(b"ABCDEFGH"); // 8 bytes into 4-byte buffer
        let raw = buf.read_raw();
        assert_eq!(raw, "EFGH"); // only last 4 bytes kept
        assert_eq!(buf.total_written(), 8);
    }
    #[test]
    fn push_exact_capacity() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"12345678");
        let raw = buf.read_raw();
        assert_eq!(raw, "12345678");
        assert_eq!(buf.total_written(), 8);
    }
    #[test]
    fn push_wrap_around_boundary() {
        let buf = ScrollbackBuffer::with_capacity(8);
        buf.push(b"123456"); // write_pos = 6
        buf.push(b"ABCD");  // wraps: 2 at end, 2 at start
        let raw = buf.read_raw();
        // Buffer: [C, D, 3, 4, 5, 6, A, B], write_pos=2
        // Read from pos 2: "3456AB" + wrap: no, read from write_pos to end then start
        assert_eq!(raw, "3456ABCD");
    }
 }
--- a/src-tauri/src/mcp/server.rs
+++ b/src-tauri/src/mcp/server.rs
@ -0,0 +1,631 @@
 //! Tiny HTTP server for MCP bridge communication.
 //!
 //! Runs on localhost:0 (random port) at Tauri startup. The port is written
 //! to ~/.wraith/mcp-port so the bridge binary can find it.
 use std::sync::Arc;
 use axum::{
    extract::State as AxumState,
    http::{Request, StatusCode},
    middleware::{self, Next},
    response::Response,
    routing::post,
    Json, Router,
 };
 use serde::{Deserialize, Serialize};
 use tokio::net::TcpListener;
 use crate::mcp::ScrollbackRegistry;
 use crate::rdp::RdpService;
 use crate::sftp::SftpService;
 use crate::ssh::exec::exec_on_session;
 use crate::ssh::session::SshService;
 use crate::utils::shell_escape;
 /// Shared state passed to axum handlers.
 pub struct McpServerState {
    pub ssh: SshService,
    pub rdp: RdpService,
    pub sftp: SftpService,
    pub scrollback: ScrollbackRegistry,
    pub app_handle: tauri::AppHandle,
    pub error_watcher: std::sync::Arc<crate::mcp::error_watcher::ErrorWatcher>,
    pub bearer_token: String,
 }
 /// Middleware that validates the `Authorization: Bearer <token>` header.
 async fn auth_middleware(
    AxumState(state): AxumState<Arc<McpServerState>>,
    req: Request<axum::body::Body>,
    next: Next,
 ) -> Result<Response, StatusCode> {
    let auth_header = req
        .headers()
        .get("authorization")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("");
    let expected = format!("Bearer {}", state.bearer_token);
    if auth_header != expected {
        return Err(StatusCode::UNAUTHORIZED);
    }
    Ok(next.run(req).await)
 }
 #[derive(Deserialize)]
 struct TerminalReadRequest {
    session_id: String,
    lines: Option<usize>,
 }
 #[derive(Deserialize)]
 struct ScreenshotRequest {
    session_id: String,
 }
 #[derive(Deserialize)]
 struct SftpListRequest {
    session_id: String,
    path: String,
 }
 #[derive(Deserialize)]
 struct SftpReadRequest {
    session_id: String,
    path: String,
 }
 #[derive(Deserialize)]
 struct SftpWriteRequest {
    session_id: String,
    path: String,
    content: String,
 }
 #[derive(Deserialize)]
 struct TerminalTypeRequest {
    session_id: String,
    text: String,
    press_enter: Option<bool>,
 }
 #[derive(Deserialize)]
 struct TerminalExecuteRequest {
    session_id: String,
    command: String,
    timeout_ms: Option<u64>,
 }
 #[derive(Serialize)]
 struct McpResponse<T: Serialize> {
    ok: bool,
    data: Option<T>,
    error: Option<String>,
 }
 fn ok_response<T: Serialize>(data: T) -> Json<McpResponse<T>> {
    Json(McpResponse { ok: true, data: Some(data), error: None })
 }
 fn err_response<T: Serialize>(msg: String) -> Json<McpResponse<T>> {
    Json(McpResponse { ok: false, data: None, error: Some(msg) })
 }
 async fn handle_list_sessions(
    AxumState(state): AxumState<Arc<McpServerState>>,
 ) -> Json<McpResponse<Vec<serde_json::Value>>> {
    let mut sessions: Vec<serde_json::Value> = state.ssh.list_sessions()
        .into_iter()
        .map(|s| serde_json::json!({
            "id": s.id,
            "type": "ssh",
            "name": format!("{}@{}:{}", s.username, s.hostname, s.port),
            "host": s.hostname,
            "username": s.username,
        }))
        .collect();
    // Include RDP sessions
    for s in state.rdp.list_sessions() {
        sessions.push(serde_json::json!({
            "id": s.id,
            "type": "rdp",
            "name": s.hostname.clone(),
            "host": s.hostname,
            "width": s.width,
            "height": s.height,
        }));
    }
    ok_response(sessions)
 }
 async fn handle_sftp_list(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<SftpListRequest>,
 ) -> Json<McpResponse<Vec<serde_json::Value>>> {
    match state.sftp.list(&req.session_id, &req.path).await {
        Ok(entries) => {
            let items: Vec<serde_json::Value> = entries.into_iter().map(|e| {
                serde_json::json!({
                    "name": e.name,
                    "path": e.path,
                    "size": e.size,
                    "is_dir": e.is_dir,
                    "modified": e.mod_time,
                })
            }).collect();
            ok_response(items)
        }
        Err(e) => err_response(e),
    }
 }
 async fn handle_sftp_read(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<SftpReadRequest>,
 ) -> Json<McpResponse<String>> {
    match state.sftp.read_file(&req.session_id, &req.path).await {
        Ok(content) => ok_response(content),
        Err(e) => err_response(e),
    }
 }
 async fn handle_sftp_write(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<SftpWriteRequest>,
 ) -> Json<McpResponse<String>> {
    match state.sftp.write_file(&req.session_id, &req.path, &req.content).await {
        Ok(()) => ok_response("OK".to_string()),
        Err(e) => err_response(e),
    }
 }
 async fn handle_screenshot(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<ScreenshotRequest>,
 ) -> Json<McpResponse<String>> {
    match state.rdp.screenshot_png_base64(&req.session_id) {
        Ok(b64) => ok_response(b64),
        Err(e) => err_response(e),
    }
 }
 async fn handle_terminal_type(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<TerminalTypeRequest>,
 ) -> Json<McpResponse<String>> {
    let text = if req.press_enter.unwrap_or(true) {
        format!("{}\r", req.text)
    } else {
        req.text.clone()
    };
    match state.ssh.write(&req.session_id, text.as_bytes()).await {
        Ok(()) => ok_response("sent".to_string()),
        Err(e) => err_response(e),
    }
 }
 async fn handle_terminal_read(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<TerminalReadRequest>,
 ) -> Json<McpResponse<String>> {
    let n = req.lines.unwrap_or(50);
    match state.scrollback.get(&req.session_id) {
        Some(buf) => ok_response(buf.read_lines(n)),
        None => err_response(format!("No scrollback buffer for session {}", req.session_id)),
    }
 }
 async fn handle_terminal_execute(
    AxumState(state): AxumState<Arc<McpServerState>>,
    Json(req): Json<TerminalExecuteRequest>,
 ) -> Json<McpResponse<String>> {
    let timeout = req.timeout_ms.unwrap_or(5000);
    let marker = "__WRAITH_MCP_DONE__";
    let buf = match state.scrollback.get(&req.session_id) {
        Some(b) => b,
        None => return err_response(format!("No scrollback buffer for session {}", req.session_id)),
    };
    let before = buf.total_written();
    let full_cmd = format!("{}\recho {}\r", req.command, marker);
    if let Err(e) = state.ssh.write(&req.session_id, full_cmd.as_bytes()).await {
        return err_response(e);
    }
    let start = std::time::Instant::now();
    let timeout_dur = std::time::Duration::from_millis(timeout);
    loop {
        if start.elapsed() > timeout_dur {
            let raw = buf.read_raw();
            let total = buf.total_written();
            let new_bytes = total.saturating_sub(before);
            let output = if new_bytes > 0 && raw.len() >= new_bytes {
                &raw[raw.len() - new_bytes.min(raw.len())..]
            } else {
                ""
            };
            return ok_response(format!("[timeout after {}ms]\n{}", timeout, output));
        }
        let raw = buf.read_raw();
        if raw.contains(marker) {
            let total = buf.total_written();
            let new_bytes = total.saturating_sub(before);
            let output = if new_bytes > 0 && raw.len() >= new_bytes {
                raw[raw.len() - new_bytes.min(raw.len())..].to_string()
            } else {
                String::new()
            };
            let clean = output
                .lines()
                .filter(|line| !line.contains(marker))
                .collect::<Vec<_>>()
                .join("\n");
            return ok_response(clean.trim().to_string());
        }
        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
    }
 }
 // ── Tool handlers (all tools exposed to AI via MCP) ──────────────────────────
 #[derive(Deserialize)]
 struct ToolSessionTarget { session_id: String, target: String }
 #[derive(Deserialize)]
 struct ToolSessionOnly { session_id: String }
 #[derive(Deserialize)]
 struct ToolDnsRequest { session_id: String, domain: String, record_type: Option<String> }
 #[derive(Deserialize)]
 struct ToolWolRequest { session_id: String, mac_address: String }
 #[derive(Deserialize)]
 struct ToolScanNetworkRequest { session_id: String, subnet: String }
 #[derive(Deserialize)]
 struct ToolScanPortsRequest { session_id: String, target: String, ports: Option<Vec<u16>> }
 #[derive(Deserialize)]
 struct ToolSubnetRequest { cidr: String }
 #[derive(Deserialize)]
 struct ToolKeygenRequest { key_type: String, comment: Option<String> }
 #[derive(Deserialize)]
 struct ToolPassgenRequest { length: Option<usize>, uppercase: Option<bool>, lowercase: Option<bool>, digits: Option<bool>, symbols: Option<bool> }
 async fn handle_tool_ping(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("ping -c 4 {} 2>&1", shell_escape(&req.target))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_traceroute(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let t = shell_escape(&req.target);
    match exec_on_session(&session.handle, &format!("traceroute {} 2>&1 || tracert {} 2>&1", t, t)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_dns(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolDnsRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let rt = shell_escape(&req.record_type.unwrap_or_else(|| "A".to_string()));
    let d = shell_escape(&req.domain);
    match exec_on_session(&session.handle, &format!("dig {} {} +short 2>/dev/null || nslookup -type={} {} 2>/dev/null || host -t {} {} 2>/dev/null", d, rt, rt, d, rt, d)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_whois(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("whois {} 2>&1 | head -80", shell_escape(&req.target))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_wol(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolWolRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let mac_clean = req.mac_address.replace([':', '-'], "");
    let cmd = format!(r#"python3 -c "import socket;mac=bytes.fromhex({});pkt=b'\xff'*6+mac*16;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST,1);s.sendto(pkt,('255.255.255.255',9));s.close();print('WoL sent to {}')" 2>&1"#, shell_escape(&mac_clean), shell_escape(&req.mac_address));
    match exec_on_session(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_scan_network(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolScanNetworkRequest>) -> Json<McpResponse<serde_json::Value>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match crate::scanner::scan_network(&session.handle, &req.subnet).await {
        Ok(hosts) => ok_response(serde_json::to_value(hosts).unwrap_or_default()),
        Err(e) => err_response(e),
    }
 }
 async fn handle_tool_scan_ports(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolScanPortsRequest>) -> Json<McpResponse<serde_json::Value>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let result = if let Some(ports) = req.ports {
        crate::scanner::scan_ports(&session.handle, &req.target, &ports).await
    } else {
        crate::scanner::quick_port_scan(&session.handle, &req.target).await
    };
    match result { Ok(r) => ok_response(serde_json::to_value(r).unwrap_or_default()), Err(e) => err_response(e) }
 }
 async fn handle_tool_subnet(_state: AxumState<Arc<McpServerState>>, Json(req): Json<ToolSubnetRequest>) -> Json<McpResponse<serde_json::Value>> {
    match crate::commands::tools_commands_r2::tool_subnet_calc_inner(&req.cidr) {
        Ok(info) => ok_response(serde_json::to_value(info).unwrap_or_default()),
        Err(e) => err_response(e),
    }
 }
 async fn handle_tool_bandwidth(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionOnly>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let cmd = r#"if command -v speedtest-cli >/dev/null 2>&1; then speedtest-cli --simple 2>&1; elif command -v curl >/dev/null 2>&1; then curl -o /dev/null -w "Download: %{speed_download} bytes/sec\n" https://speed.cloudflare.com/__down?bytes=25000000 2>/dev/null; else echo "No speedtest tool found"; fi"#;
    match exec_on_session(&session.handle, cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_tool_keygen(_state: AxumState<Arc<McpServerState>>, Json(req): Json<ToolKeygenRequest>) -> Json<McpResponse<serde_json::Value>> {
    match crate::commands::tools_commands::tool_generate_ssh_key_inner(&req.key_type, req.comment) {
        Ok(key) => ok_response(serde_json::to_value(key).unwrap_or_default()),
        Err(e) => err_response(e),
    }
 }
 async fn handle_tool_passgen(_state: AxumState<Arc<McpServerState>>, Json(req): Json<ToolPassgenRequest>) -> Json<McpResponse<String>> {
    match crate::commands::tools_commands::tool_generate_password_inner(req.length, req.uppercase, req.lowercase, req.digits, req.symbols) {
        Ok(pw) => ok_response(pw),
        Err(e) => err_response(e),
    }
 }
 // ── Docker handlers ──────────────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct DockerActionRequest { session_id: String, action: String, target: String }
 #[derive(Deserialize)]
 struct DockerListRequest { session_id: String }
 #[derive(Deserialize)]
 struct DockerExecRequest { session_id: String, container: String, command: String }
 async fn handle_docker_ps(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<DockerListRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, "docker ps -a --format '{{.Names}}|{{.Image}}|{{.Status}}|{{.Ports}}' 2>&1").await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_docker_action(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<DockerActionRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let t = shell_escape(&req.target);
    let cmd = match req.action.as_str() {
        "start" => format!("docker start {} 2>&1", t),
        "stop" => format!("docker stop {} 2>&1", t),
        "restart" => format!("docker restart {} 2>&1", t),
        "remove" => format!("docker rm -f {} 2>&1", t),
        "logs" => format!("docker logs --tail 100 {} 2>&1", t),
        "builder-prune" => "docker builder prune -f 2>&1".to_string(),
        "system-prune" => "docker system prune -f 2>&1".to_string(),
        _ => return err_response(format!("Unknown action: {}", req.action)),
    };
    match exec_on_session(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_docker_exec(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<DockerExecRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let cmd = format!("docker exec {} {} 2>&1", shell_escape(&req.container), shell_escape(&req.command));
    match exec_on_session(&session.handle, &cmd).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 // ── Service/process handlers ─────────────────────────────────────────────────
 async fn handle_service_status(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let t = shell_escape(&req.target);
    match exec_on_session(&session.handle, &format!("systemctl status {} --no-pager 2>&1 || service {} status 2>&1", t, t)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_process_list(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<ToolSessionTarget>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    let filter = if req.target.is_empty() { "aux --sort=-%cpu | head -30".to_string() } else { format!("aux | grep -i {} | grep -v grep", shell_escape(&req.target)) };
    match exec_on_session(&session.handle, &format!("ps {}", filter)).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 // ── Git handlers ─────────────────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct GitRequest { session_id: String, path: String }
 async fn handle_git_status(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<GitRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("cd {} && git status --short --branch 2>&1", shell_escape(&req.path))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_git_pull(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<GitRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("cd {} && git pull 2>&1", shell_escape(&req.path))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 async fn handle_git_log(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<GitRequest>) -> Json<McpResponse<String>> {
    let session = match state.ssh.get_session(&req.session_id) { Some(s) => s, None => return err_response(format!("Session {} not found", req.session_id)) };
    match exec_on_session(&session.handle, &format!("cd {} && git log --oneline -20 2>&1", shell_escape(&req.path))).await { Ok(o) => ok_response(o), Err(e) => err_response(e) }
 }
 // ── Session creation handlers ────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct SshConnectRequest {
    hostname: String,
    port: Option<u16>,
    username: String,
    password: Option<String>,
    private_key_path: Option<String>,
 }
 async fn handle_ssh_connect(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<SshConnectRequest>) -> Json<McpResponse<String>> {
    use crate::ssh::session::AuthMethod;
    let port = req.port.unwrap_or(22);
    let auth = if let Some(key_path) = req.private_key_path {
        // Read key file
        let pem = match std::fs::read_to_string(&key_path) {
            Ok(p) => p,
            Err(e) => return err_response(format!("Failed to read key file {}: {}", key_path, e)),
        };
        AuthMethod::Key { private_key_pem: pem, passphrase: req.password }
    } else {
        AuthMethod::Password(req.password.unwrap_or_default())
    };
    match state.ssh.connect(
        state.app_handle.clone(),
        &req.hostname,
        port,
        &req.username,
        auth,
        120, 40,
        &state.sftp,
        &state.scrollback,
        &state.error_watcher,
    ).await {
        Ok(session_id) => ok_response(session_id),
        Err(e) => err_response(e),
    }
 }
 // ── RDP interaction handlers ─────────────────────────────────────────────────
 #[derive(Deserialize)]
 struct RdpClickRequest { session_id: String, x: u16, y: u16, button: Option<String> }
 #[derive(Deserialize)]
 struct RdpTypeRequest { session_id: String, text: String }
 #[derive(Deserialize)]
 struct RdpClipboardRequest { session_id: String, text: String }
 async fn handle_rdp_click(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<RdpClickRequest>) -> Json<McpResponse<String>> {
    use crate::rdp::input::mouse_flags;
    let button_flag = match req.button.as_deref().unwrap_or("left") {
        "right" => mouse_flags::BUTTON2,
        "middle" => mouse_flags::BUTTON3,
        _ => mouse_flags::BUTTON1,
    };
    // Move to position
    if let Err(e) = state.rdp.send_mouse(&req.session_id, req.x, req.y, mouse_flags::MOVE) { return err_response(e); }
    // Click down
    if let Err(e) = state.rdp.send_mouse(&req.session_id, req.x, req.y, button_flag | mouse_flags::DOWN) { return err_response(e); }
    // Click up
    if let Err(e) = state.rdp.send_mouse(&req.session_id, req.x, req.y, button_flag) { return err_response(e); }
    ok_response(format!("clicked ({}, {})", req.x, req.y))
 }
 async fn handle_rdp_type(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<RdpTypeRequest>) -> Json<McpResponse<String>> {
    // Set clipboard then simulate Ctrl+V to paste (most reliable for arbitrary text)
    if let Err(e) = state.rdp.send_clipboard(&req.session_id, &req.text) { return err_response(e); }
    // Small delay for clipboard to propagate, then Ctrl+V
    tokio::time::sleep(std::time::Duration::from_millis(50)).await;
    // Ctrl down
    let _ = state.rdp.send_key(&req.session_id, 0x001D, true);
    // V down
    let _ = state.rdp.send_key(&req.session_id, 0x002F, true);
    // V up
    let _ = state.rdp.send_key(&req.session_id, 0x002F, false);
    // Ctrl up
    let _ = state.rdp.send_key(&req.session_id, 0x001D, false);
    ok_response(format!("typed {} chars via clipboard paste", req.text.len()))
 }
 async fn handle_rdp_clipboard(AxumState(state): AxumState<Arc<McpServerState>>, Json(req): Json<RdpClipboardRequest>) -> Json<McpResponse<String>> {
    if let Err(e) = state.rdp.send_clipboard(&req.session_id, &req.text) { return err_response(e); }
    ok_response("clipboard set".to_string())
 }
 /// Start the MCP HTTP server and write the port to disk.
 pub async fn start_mcp_server(
    ssh: SshService,
    rdp: RdpService,
    sftp: SftpService,
    scrollback: ScrollbackRegistry,
    app_handle: tauri::AppHandle,
    error_watcher: std::sync::Arc<crate::mcp::error_watcher::ErrorWatcher>,
 ) -> Result<u16, String> {
    // Generate a cryptographically random bearer token for authentication
    use rand::Rng;
    let bearer_token: String = rand::rng()
        .sample_iter(&rand::distr::Alphanumeric)
        .take(64)
        .map(char::from)
        .collect();
    let state = Arc::new(McpServerState { ssh, rdp, sftp, scrollback, app_handle, error_watcher, bearer_token: bearer_token.clone() });
    let app = Router::new()
        .route("/mcp/sessions", post(handle_list_sessions))
        .route("/mcp/terminal/type", post(handle_terminal_type))
        .route("/mcp/terminal/read", post(handle_terminal_read))
        .route("/mcp/terminal/execute", post(handle_terminal_execute))
        .route("/mcp/screenshot", post(handle_screenshot))
        .route("/mcp/sftp/list", post(handle_sftp_list))
        .route("/mcp/sftp/read", post(handle_sftp_read))
        .route("/mcp/sftp/write", post(handle_sftp_write))
        .route("/mcp/tool/ping", post(handle_tool_ping))
        .route("/mcp/tool/traceroute", post(handle_tool_traceroute))
        .route("/mcp/tool/dns", post(handle_tool_dns))
        .route("/mcp/tool/whois", post(handle_tool_whois))
        .route("/mcp/tool/wol", post(handle_tool_wol))
        .route("/mcp/tool/scan-network", post(handle_tool_scan_network))
        .route("/mcp/tool/scan-ports", post(handle_tool_scan_ports))
        .route("/mcp/tool/subnet", post(handle_tool_subnet))
        .route("/mcp/tool/bandwidth", post(handle_tool_bandwidth))
        .route("/mcp/tool/keygen", post(handle_tool_keygen))
        .route("/mcp/tool/passgen", post(handle_tool_passgen))
        .route("/mcp/docker/ps", post(handle_docker_ps))
        .route("/mcp/docker/action", post(handle_docker_action))
        .route("/mcp/docker/exec", post(handle_docker_exec))
        .route("/mcp/service/status", post(handle_service_status))
        .route("/mcp/process/list", post(handle_process_list))
        .route("/mcp/git/status", post(handle_git_status))
        .route("/mcp/git/pull", post(handle_git_pull))
        .route("/mcp/git/log", post(handle_git_log))
        .route("/mcp/rdp/click", post(handle_rdp_click))
        .route("/mcp/rdp/type", post(handle_rdp_type))
        .route("/mcp/rdp/clipboard", post(handle_rdp_clipboard))
        .route("/mcp/ssh/connect", post(handle_ssh_connect))
        .layer(middleware::from_fn_with_state(state.clone(), auth_middleware))
        .with_state(state);
    let listener = TcpListener::bind("127.0.0.1:0").await
        .map_err(|e| format!("Failed to bind MCP server: {}", e))?;
    let port = listener.local_addr()
        .map_err(|e| format!("Failed to get MCP server port: {}", e))?
        .port();
    // Write port to well-known location
    let data_dir = crate::data_directory();
    let port_file = data_dir.join("mcp-port");
    std::fs::write(&port_file, port.to_string())
        .map_err(|e| format!("Failed to write MCP port file: {}", e))?;
    // Write bearer token to a separate file with restrictive permissions
    let token_file = data_dir.join("mcp-token");
    std::fs::write(&token_file, &bearer_token)
        .map_err(|e| format!("Failed to write MCP token file: {}", e))?;
    // Set owner-only read/write permissions (Unix)
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let _ = std::fs::set_permissions(&token_file, std::fs::Permissions::from_mode(0o600));
    }
    tokio::spawn(async move {
        axum::serve(listener, app).await.ok();
    });
    Ok(port)
 }
--- a/src-tauri/src/pty/mod.rs
+++ b/src-tauri/src/pty/mod.rs
@ -9,6 +9,8 @@ use portable_pty::{native_pty_system, Child, CommandBuilder, MasterPty, PtySize}
 use serde::Serialize;
 use tauri::{AppHandle, Emitter};
 use crate::mcp::ScrollbackRegistry;
 #[derive(Debug, Serialize, Clone)]
 pub struct ShellInfo {
    pub name: String,
@ -68,6 +70,10 @@ impl PtyService {
                    break;
                }
            }
            // WSL (Windows Subsystem for Linux)
            if std::path::Path::new(r"C:\Windows\System32\wsl.exe").exists() {
                shells.push(ShellInfo { name: "WSL".to_string(), path: r"C:\Windows\System32\wsl.exe".to_string() });
            }
        }
        shells
@ -80,8 +86,10 @@ impl PtyService {
        cols: u16,
        rows: u16,
        app_handle: AppHandle,
        scrollback: &ScrollbackRegistry,
    ) -> Result<String, String> {
        let session_id = uuid::Uuid::new_v4().to_string();
        wraith_log!("[PTY] Spawning shell: {} (session {})", shell_path, session_id);
        let pty_system = native_pty_system();
        let pair = pty_system
@ -112,6 +120,9 @@ impl PtyService {
        self.sessions.insert(session_id.clone(), session);
        // Create scrollback buffer for MCP terminal_read
        let scrollback_buf = scrollback.create(&session_id);
        // Output reader loop — runs in a dedicated OS thread because
        // portable-pty's reader is synchronous (std::io::Read) and
        // long-lived. Using std::thread::spawn avoids requiring a
@ -128,6 +139,7 @@ impl PtyService {
                        break;
                    }
                    Ok(n) => {
                        scrollback_buf.push(&buf[..n]);
                        let encoded = base64::engine::general_purpose::STANDARD.encode(&buf[..n]);
                        let _ = app.emit(&format!("pty:data:{}", sid), encoded);
                    }
--- a/src-tauri/src/rdp/mod.rs
+++ b/src-tauri/src/rdp/mod.rs
@ -8,11 +8,12 @@ use std::sync::atomic::{AtomicBool, Ordering};
 use base64::Engine;
 use dashmap::DashMap;
 use log::{error, info, warn};
 use tauri::Emitter;
 use serde::{Deserialize, Serialize};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio::net::TcpStream;
 use tokio::sync::mpsc;
-use tokio::sync::Mutex as TokioMutex;
+
 use ironrdp::connector::{self, ClientConnector, ConnectionResult, Credentials, DesktopSize};
 use ironrdp::graphics::image_processing::PixelFormat;
@ -62,32 +63,47 @@ enum InputEvent {
        pressed: bool,
    },
    Clipboard(String),
    Resize { width: u16, height: u16 },
    Disconnect,
 }
 /// Dirty rectangle from the last GraphicsUpdate — used for partial frame transfer.
 #[derive(Debug, Clone, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DirtyRect {
    pub x: u16,
    pub y: u16,
    pub width: u16,
    pub height: u16,
 }
 struct RdpSessionHandle {
    id: String,
    hostname: String,
    width: u16,
    height: u16,
-    frame_buffer: Arc<TokioMutex<Vec<u8>>>,
+    /// Frame buffer: RDP thread writes via RwLock write, IPC reads via RwLock read.
    front_buffer: Arc<std::sync::RwLock<Vec<u8>>>,
    /// Accumulated dirty region since last get_frame — union of all GraphicsUpdate rects.
    dirty_region: Arc<std::sync::Mutex<Option<DirtyRect>>>,
    frame_dirty: Arc<AtomicBool>,
    input_tx: mpsc::UnboundedSender<InputEvent>,
 }
 pub struct RdpService {
-    sessions: DashMap<String, Arc<RdpSessionHandle>>,
+    sessions: Arc<DashMap<String, Arc<RdpSessionHandle>>>,
 }
 impl RdpService {
    pub fn new() -> Self {
        Self {
-            sessions: DashMap::new(),
+            sessions: Arc::new(DashMap::new()),
        }
    }
-    pub fn connect(&self, config: RdpConfig) -> Result<String, String> {
+    pub fn connect(&self, config: RdpConfig, app_handle: tauri::AppHandle) -> Result<String, String> {
        let session_id = uuid::Uuid::new_v4().to_string();
        wraith_log!("[RDP] Connecting to {}:{} as {} (session {})", config.hostname, config.port, config.username, session_id);
        let width = config.width;
        let height = config.height;
        let hostname = config.hostname.clone();
@ -97,7 +113,8 @@ impl RdpService {
        for pixel in initial_buf.chunks_exact_mut(4) {
            pixel[3] = 255;
        }
-        let frame_buffer = Arc::new(TokioMutex::new(initial_buf));
+        let front_buffer = Arc::new(std::sync::RwLock::new(initial_buf));
        let dirty_region = Arc::new(std::sync::Mutex::new(None));
        let frame_dirty = Arc::new(AtomicBool::new(false));
        let (input_tx, input_rx) = mpsc::unbounded_channel();
@ -107,7 +124,8 @@ impl RdpService {
            hostname: hostname.clone(),
            width,
            height,
-            frame_buffer: frame_buffer.clone(),
+            front_buffer: front_buffer.clone(),
            dirty_region: dirty_region.clone(),
            frame_dirty: frame_dirty.clone(),
            input_tx,
        });
@ -119,6 +137,7 @@ impl RdpService {
        let (ready_tx, ready_rx) = std::sync::mpsc::channel::<Result<(), String>>();
        std::thread::spawn(move || {
            let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
            let rt = tokio::runtime::Builder::new_current_thread()
                .enable_all()
                .build()
@ -153,11 +172,14 @@ impl RdpService {
                if let Err(e) = run_active_session(
                    connection_result,
                    framed,
-                    frame_buffer,
+                    front_buffer,
                    dirty_region,
                    frame_dirty,
                    input_rx,
                    width as u16,
                    height as u16,
                    app_handle,
                    sid.clone(),
                )
                .await
                {
@ -166,6 +188,18 @@ impl RdpService {
                info!("RDP session {} ended", sid);
                sessions_ref.remove(&sid);
            });
            }));
            if let Err(panic) = result {
                let msg = if let Some(s) = panic.downcast_ref::<String>() {
                    s.clone()
                } else if let Some(s) = panic.downcast_ref::<&str>() {
                    s.to_string()
                } else {
                    "unknown panic".to_string()
                };
                let _ = crate::write_log(&crate::data_directory().join("wraith.log"), &format!("RDP thread PANIC: {}", msg));
                // ready_tx is dropped here, which triggers the "died unexpectedly" error
            }
        });
        match ready_rx.recv() {
@ -176,29 +210,81 @@ impl RdpService {
            }
            Err(_) => {
                self.sessions.remove(&session_id);
-                return Err("RDP connection thread died unexpectedly".into());
+                return Err("RDP connection thread panicked — check wraith.log for details".into());
            }
        }
        Ok(session_id)
    }
-    pub async fn get_frame(&self, session_id: &str) -> Result<String, String> {
+    /// Get the dirty region since the last call. Returns (region_metadata, pixel_bytes).
    /// The pixel bytes contain only the dirty rectangle in row-major RGBA order.
    /// If nothing changed, returns empty bytes. If the dirty region covers >50% of the
    /// frame, falls back to full frame for efficiency (avoids row-by-row extraction).
    pub fn get_frame(&self, session_id: &str) -> Result<(Option<DirtyRect>, Vec<u8>), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
-        if !handle.frame_dirty.swap(false, Ordering::Relaxed) {
+        if !handle.frame_dirty.swap(false, Ordering::Acquire) {
-            return Ok(String::new());
+            return Ok((None, Vec::new()));
        }
        let buf = handle.frame_buffer.lock().await;
        let encoded = base64::engine::general_purpose::STANDARD.encode(&*buf);
        Ok(encoded)
        }
-    pub async fn get_frame_raw(&self, session_id: &str) -> Result<Vec<u8>, String> {
+        let region = handle.dirty_region.lock().unwrap_or_else(|e| e.into_inner()).take();
        let buf = handle.front_buffer.read().unwrap_or_else(|e| e.into_inner());
        let stride = handle.width as usize * 4;
        let total_pixels = handle.width as usize * handle.height as usize;
        match region {
            Some(rect) if (rect.width as usize * rect.height as usize) < total_pixels / 2 => {
                // Partial: extract only the dirty rectangle
                let rw = rect.width as usize;
                let rh = rect.height as usize;
                let rx = rect.x as usize;
                let ry = rect.y as usize;
                let mut out = Vec::with_capacity(rw * rh * 4);
                for row in ry..ry + rh {
                    let start = row * stride + rx * 4;
                    let end = start + rw * 4;
                    if end <= buf.len() {
                        out.extend_from_slice(&buf[start..end]);
                    }
                }
                Ok((Some(rect), out))
            }
            _ => {
                // Full frame: dirty region covers most of the screen or is missing
                Ok((None, buf.clone()))
            }
        }
    }
    pub fn get_frame_raw(&self, session_id: &str) -> Result<Vec<u8>, String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
-        let buf = handle.frame_buffer.lock().await;
+        let buf = handle.front_buffer.read().unwrap_or_else(|e| e.into_inner());
        Ok(buf.clone())
    }
    /// Capture the current RDP frame as a base64-encoded PNG.
    pub fn screenshot_png_base64(&self, session_id: &str) -> Result<String, String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        let width = handle.width as u32;
        let height = handle.height as u32;
        let buf = handle.front_buffer.read().unwrap_or_else(|e| e.into_inner());
        // Encode RGBA raw bytes to PNG (fast compression for speed)
        let mut png_data = Vec::new();
        {
            let mut encoder = png::Encoder::new(&mut png_data, width, height);
            encoder.set_color(png::ColorType::Rgba);
            encoder.set_depth(png::BitDepth::Eight);
            encoder.set_compression(png::Compression::Fast);
            let mut writer = encoder.write_header()
                .map_err(|e| format!("PNG header error: {}", e))?;
            writer.write_image_data(&buf)
                .map_err(|e| format!("PNG encode error: {}", e))?;
        }
        Ok(base64::engine::general_purpose::STANDARD.encode(&png_data))
    }
    pub fn send_clipboard(&self, session_id: &str, text: &str) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        handle.input_tx.send(InputEvent::Clipboard(text.to_string())).map_err(|_| format!("RDP session {} input channel closed", session_id))
@ -214,6 +300,19 @@ impl RdpService {
        handle.input_tx.send(InputEvent::Key { scancode, pressed }).map_err(|_| format!("RDP session {} input channel closed", session_id))
    }
    pub fn force_refresh(&self, session_id: &str) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        // Clear any accumulated dirty region so get_frame returns the full buffer
        *handle.dirty_region.lock().unwrap_or_else(|e| e.into_inner()) = None;
        handle.frame_dirty.store(true, Ordering::Release);
        Ok(())
    }
    pub fn resize(&self, session_id: &str, width: u16, height: u16) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        handle.input_tx.send(InputEvent::Resize { width, height }).map_err(|_| format!("RDP session {} input channel closed", session_id))
    }
    pub fn disconnect(&self, session_id: &str) -> Result<(), String> {
        let handle = self.sessions.get(session_id).ok_or_else(|| format!("RDP session {} not found", session_id))?;
        let _ = handle.input_tx.send(InputEvent::Disconnect);
@ -233,7 +332,7 @@ impl RdpService {
 impl Clone for RdpService {
    fn clone(&self) -> Self {
-        unreachable!("RdpService should not be cloned — access via State<AppState>");
+        Self { sessions: self.sessions.clone() }
    }
 }
@ -267,7 +366,11 @@ fn build_connector_config(config: &RdpConfig) -> Result<connector::Config, Strin
        request_data: None,
        autologon: false,
        enable_audio_playback: false,
-        performance_flags: PerformanceFlags::default(),
+        performance_flags: PerformanceFlags::DISABLE_WALLPAPER
            | PerformanceFlags::DISABLE_MENUANIMATIONS
            | PerformanceFlags::DISABLE_CURSOR_SHADOW
            | PerformanceFlags::ENABLE_FONT_SMOOTHING
            | PerformanceFlags::ENABLE_DESKTOP_COMPOSITION,
        desktop_scale_factor: 0,
        hardware_id: None,
        license_cache: None,
@ -297,7 +400,7 @@ async fn establish_connection(config: connector::Config, hostname: &str, port: u
    Ok((connection_result, upgraded_framed))
 }
-async fn run_active_session(connection_result: ConnectionResult, framed: UpgradedFramed, frame_buffer: Arc<TokioMutex<Vec<u8>>>, frame_dirty: Arc<AtomicBool>, mut input_rx: mpsc::UnboundedReceiver<InputEvent>, width: u16, height: u16) -> Result<(), String> {
+async fn run_active_session(connection_result: ConnectionResult, framed: UpgradedFramed, front_buffer: Arc<std::sync::RwLock<Vec<u8>>>, dirty_region: Arc<std::sync::Mutex<Option<DirtyRect>>>, frame_dirty: Arc<AtomicBool>, mut input_rx: mpsc::UnboundedReceiver<InputEvent>, mut width: u16, mut height: u16, app_handle: tauri::AppHandle, session_id: String) -> Result<(), String> {
    let (mut reader, mut writer) = split_tokio_framed(framed);
    let mut image = DecodedImage::new(PixelFormat::RgbA32, width, height);
    let mut active_stage = ActiveStage::new(connection_result);
@ -349,17 +452,68 @@ async fn run_active_session(connection_result: ConnectionResult, framed: Upgrade
                        }
                        all_outputs
                    }
                    Some(InputEvent::Resize { width: new_w, height: new_h }) => {
                        // Ensure dimensions are within RDP spec (200-8192, even width)
                        let w = (new_w.max(200).min(8192) & !1) as u32;
                        let h = new_h.max(200).min(8192) as u32;
                        if let Some(Ok(resize_frame)) = active_stage.encode_resize(w, h, None, None) {
                            writer.write_all(&resize_frame).await.map_err(|e| format!("Failed to send resize: {}", e))?;
                            // Reallocate image and front buffer for new dimensions
                            image = DecodedImage::new(PixelFormat::RgbA32, w as u16, h as u16);
                            let buf_size = w as usize * h as usize * 4;
                            let mut new_buf = vec![0u8; buf_size];
                            for pixel in new_buf.chunks_exact_mut(4) { pixel[3] = 255; }
                            *front_buffer.write().unwrap_or_else(|e| e.into_inner()) = new_buf;
                            width = w as u16;
                            height = h as u16;
                            info!("RDP session {} resized to {}x{}", session_id, width, height);
                        }
                        Vec::new()
                    }
                }
            }
        };
        for out in outputs {
            match out {
                ActiveStageOutput::ResponseFrame(frame) => { writer.write_all(&frame).await.map_err(|e| format!("Failed to write RDP response frame: {}", e))?; }
-                ActiveStageOutput::GraphicsUpdate(_region) => {
+                ActiveStageOutput::GraphicsUpdate(region) => {
-                    let mut buf = frame_buffer.lock().await;
+                    let rx = region.left as usize;
                    let ry = region.top as usize;
                    let rr = (region.right as usize).saturating_add(1).min(width as usize);
                    let rb = (region.bottom as usize).saturating_add(1).min(height as usize);
                    let stride = width as usize * 4;
                    // Copy only the dirty rectangle rows from decoded image → front buffer
                    {
                        let src = image.data();
-                    if src.len() == buf.len() { buf.copy_from_slice(src); } else { *buf = src.to_vec(); }
+                        let mut front = front_buffer.write().unwrap_or_else(|e| e.into_inner());
-                    frame_dirty.store(true, Ordering::Relaxed);
+                        for row in ry..rb {
                            let src_start = row * stride + rx * 4;
                            let src_end = row * stride + rr * 4;
                            if src_end <= src.len() && src_end <= front.len() {
                                front[src_start..src_end].copy_from_slice(&src[src_start..src_end]);
                            }
                        }
                    }
                    // Accumulate dirty region (union of all rects since last get_frame)
                    {
                        let new_rect = DirtyRect { x: rx as u16, y: ry as u16, width: (rr - rx) as u16, height: (rb - ry) as u16 };
                        let mut dr = dirty_region.lock().unwrap_or_else(|e| e.into_inner());
                        *dr = Some(match dr.take() {
                            None => new_rect,
                            Some(prev) => {
                                let x = prev.x.min(new_rect.x);
                                let y = prev.y.min(new_rect.y);
                                let r = (prev.x + prev.width).max(new_rect.x + new_rect.width);
                                let b = (prev.y + prev.height).max(new_rect.y + new_rect.height);
                                DirtyRect { x, y, width: r - x, height: b - y }
                            }
                        });
                    }
                    frame_dirty.store(true, Ordering::Release);
                    let _ = app_handle.emit(&format!("rdp:frame:{}", session_id), ());
                }
                ActiveStageOutput::Terminate(reason) => { info!("RDP session terminated: {:?}", reason); return Ok(()); }
                ActiveStageOutput::DeactivateAll(_) => { warn!("RDP server sent DeactivateAll — reconnection not yet implemented"); return Ok(()); }
--- a/src-tauri/src/scanner/mod.rs
+++ b/src-tauri/src/scanner/mod.rs
@ -0,0 +1,255 @@
 //! Network scanner tools — IP discovery, port scanning, and network mapping
 //! through SSH exec channels. No agent installation required.
 //!
 //! All scans run on the REMOTE host through the existing SSH connection,
 //! giving visibility into the remote network without direct access.
 use std::sync::Arc;
 use russh::client::Handle;
 use russh::ChannelMsg;
 use serde::Serialize;
 use tokio::sync::Mutex as TokioMutex;
 use crate::ssh::session::SshClient;
 use crate::utils::shell_escape;
 #[derive(Debug, Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct DiscoveredHost {
    pub ip: String,
    pub mac: Option<String>,
    pub hostname: Option<String>,
    pub vendor: Option<String>,
    pub open_ports: Vec<u16>,
    pub services: Vec<String>,
 }
 #[derive(Debug, Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct PortResult {
    pub port: u16,
    pub open: bool,
    pub service: String,
 }
 /// Well-known port → service name mapping for common ports.
 fn service_name(port: u16) -> &'static str {
    match port {
        21 => "FTP",
        22 => "SSH",
        23 => "Telnet",
        25 => "SMTP",
        53 => "DNS",
        80 => "HTTP",
        110 => "POP3",
        135 => "RPC",
        139 => "NetBIOS",
        143 => "IMAP",
        443 => "HTTPS",
        445 => "SMB",
        993 => "IMAPS",
        995 => "POP3S",
        1433 => "MSSQL",
        1521 => "Oracle",
        3306 => "MySQL",
        3389 => "RDP",
        5432 => "PostgreSQL",
        5900 => "VNC",
        6379 => "Redis",
        8080 => "HTTP-Alt",
        8443 => "HTTPS-Alt",
        27017 => "MongoDB",
        _ => "unknown",
    }
 }
 /// Validate that `subnet` contains exactly three dot-separated octet groups,
 /// each consisting only of 1–3 ASCII digits (e.g. "192.168.1").
 /// Returns an error string if the format is invalid.
 fn validate_subnet(subnet: &str) -> Result<(), String> {
    let parts: Vec<&str> = subnet.split('.').collect();
    if parts.len() != 3 {
        return Err(format!(
            "Invalid subnet '{}': expected three octets (e.g. 192.168.1)",
            subnet
        ));
    }
    for part in &parts {
        if part.is_empty() || part.len() > 3 || !part.chars().all(|c| c.is_ascii_digit()) {
            return Err(format!(
                "Invalid subnet '{}': each octet must be 1–3 decimal digits",
                subnet
            ));
        }
    }
    Ok(())
 }
 /// Discover hosts on the remote network using ARP table and ping sweep.
 pub async fn scan_network(
    handle: &Arc<TokioMutex<Handle<SshClient>>>,
    subnet: &str,
 ) -> Result<Vec<DiscoveredHost>, String> {
    // Validate subnet format before using it in remote shell commands.
    validate_subnet(subnet)?;
    // Script that works on Linux and macOS:
    // 1. Ping sweep the subnet to populate ARP cache
    // 2. Read ARP table for IP/MAC pairs
    // 3. Try reverse DNS for hostnames
    let escaped_subnet = shell_escape(subnet);
    let script = format!(r#"
 OS=$(uname -s 2>/dev/null)
 SUBNET={escaped_subnet}
 # Ping sweep (background, fast)
 if [ "$OS" = "Linux" ]; then
    for i in $(seq 1 254); do
        ping -c 1 -W 1 "$SUBNET.$i" > /dev/null 2>&1 &
    done
    wait
 elif [ "$OS" = "Darwin" ]; then
    for i in $(seq 1 254); do
        ping -c 1 -t 1 "$SUBNET.$i" > /dev/null 2>&1 &
    done
    wait
 fi
 # Read ARP table
 if [ "$OS" = "Linux" ]; then
    arp -n 2>/dev/null | grep -v incomplete | awk 'NR>1 {{printf "%s|%s\n", $1, $3}}'
 elif [ "$OS" = "Darwin" ]; then
    arp -a 2>/dev/null | grep -v incomplete | awk '{{gsub(/[()]/, ""); printf "%s|%s\n", $2, $4}}'
 fi
 "#);
    let output = exec_command(handle, &script).await
        .ok_or_else(|| "Failed to execute network scan".to_string())?;
    let mut hosts = Vec::new();
    for line in output.lines() {
        let parts: Vec<&str> = line.split('|').collect();
        if parts.len() >= 2 && !parts[0].is_empty() {
            let ip = parts[0].trim().to_string();
            let mac = if parts[1].trim().is_empty() || parts[1].trim() == "(incomplete)" {
                None
            } else {
                Some(parts[1].trim().to_string())
            };
            hosts.push(DiscoveredHost {
                ip,
                mac,
                hostname: None,
                vendor: None,
                open_ports: Vec::new(),
                services: Vec::new(),
            });
        }
    }
    // Try reverse DNS for each host
    if !hosts.is_empty() {
        let ips: Vec<String> = hosts.iter().map(|h| h.ip.clone()).collect();
        let dns_script = ips.iter()
            .map(|ip| format!("echo \"{}|$(host {} 2>/dev/null | awk '/domain name pointer/ {{print $NF}}' | sed 's/\\.$//')\"", ip, ip))
            .collect::<Vec<_>>()
            .join("\n");
        if let Some(dns_output) = exec_command(handle, &dns_script).await {
            for line in dns_output.lines() {
                let parts: Vec<&str> = line.split('|').collect();
                if parts.len() >= 2 && !parts[1].is_empty() {
                    if let Some(host) = hosts.iter_mut().find(|h| h.ip == parts[0]) {
                        host.hostname = Some(parts[1].to_string());
                    }
                }
            }
        }
    }
    Ok(hosts)
 }
 /// Scan specific ports on a target host through the SSH session.
 pub async fn scan_ports(
    handle: &Arc<TokioMutex<Handle<SshClient>>>,
    target: &str,
    ports: &[u16],
 ) -> Result<Vec<PortResult>, String> {
    // Validate target — /dev/tcp requires a bare hostname/IP, not a shell-quoted value.
    // Only allow alphanumeric, dots, hyphens, and colons (for IPv6).
    if !target.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-' || c == ':') {
        return Err(format!("Invalid target for port scan: {}", target));
    }
    // Use bash /dev/tcp for port scanning — no nmap required
    let port_checks: Vec<String> = ports.iter()
        .map(|p| format!(
            "(echo >/dev/tcp/{target}/{p}) 2>/dev/null && echo \"{p}|open\" || echo \"{p}|closed\""
        ))
        .collect();
    // Run in parallel batches of 20 for speed
    let mut results = Vec::new();
    for chunk in port_checks.chunks(20) {
        let script = chunk.join(" &\n") + " &\nwait";
        let output = exec_command(handle, &script).await
            .ok_or_else(|| "Port scan exec failed".to_string())?;
        for line in output.lines() {
            let parts: Vec<&str> = line.split('|').collect();
            if parts.len() >= 2 {
                if let Ok(port) = parts[0].parse::<u16>() {
                    results.push(PortResult {
                        port,
                        open: parts[1] == "open",
                        service: service_name(port).to_string(),
                    });
                }
            }
        }
    }
    results.sort_by_key(|r| r.port);
    Ok(results)
 }
 /// Quick scan of common ports on a target.
 pub async fn quick_port_scan(
    handle: &Arc<TokioMutex<Handle<SshClient>>>,
    target: &str,
 ) -> Result<Vec<PortResult>, String> {
    let common_ports: Vec<u16> = vec![
        21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
        443, 445, 993, 995, 1433, 1521, 3306, 3389,
        5432, 5900, 6379, 8080, 8443, 27017,
    ];
    scan_ports(handle, target, &common_ports).await
 }
 async fn exec_command(handle: &Arc<TokioMutex<Handle<SshClient>>>, cmd: &str) -> Option<String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session().await.ok()?
    };
    channel.exec(true, cmd).await.ok()?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(ChannelMsg::Data { ref data }) => {
                if let Ok(text) = std::str::from_utf8(data.as_ref()) {
                    output.push_str(text);
                }
            }
            Some(ChannelMsg::Eof) | Some(ChannelMsg::Close) | None => break,
            Some(ChannelMsg::ExitStatus { .. }) => {}
            _ => {}
        }
    }
    Some(output)
 }
--- a/src-tauri/src/settings/mod.rs
+++ b/src-tauri/src/settings/mod.rs
@ -8,6 +8,7 @@ use crate::db::Database;
 ///
 /// All operations acquire the shared DB mutex for their duration and
 /// return immediately — no async needed for a local SQLite store.
 #[derive(Clone)]
 pub struct SettingsService {
    db: Database,
 }
--- a/src-tauri/src/sftp/mod.rs
+++ b/src-tauri/src/sftp/mod.rs
@ -5,7 +5,6 @@
 //! provides all file operations needed by the frontend.
 use std::sync::Arc;
 use std::time::{Duration, UNIX_EPOCH};
 use dashmap::DashMap;
 use log::{debug, info};
@ -35,9 +34,6 @@ pub struct FileEntry {
 /// Format a Unix timestamp (seconds since epoch) as "Mon DD HH:MM".
 fn format_mtime(unix_secs: u32) -> String {
    // Build a SystemTime from the raw epoch value.
    let st = UNIX_EPOCH + Duration::from_secs(unix_secs as u64);
    // Convert to seconds-since-epoch for manual formatting.  We avoid pulling
    // in chrono just for this; a simple manual decomposition is sufficient for
    // the "Mar 17 14:30" display format expected by the frontend.
@ -54,12 +50,10 @@ fn format_mtime(unix_secs: u32) -> String {
    let era = if z >= 0 { z } else { z - 146_096 } / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let y = yoe + era * 400;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let _y = if m <= 2 { y + 1 } else { y };
    let month = match m {
        1 => "Jan",
@ -77,9 +71,6 @@ fn format_mtime(unix_secs: u32) -> String {
        _ => "???",
    };
    // Suppress unused variable warning — st is only used as a sanity anchor.
    let _ = st;
    format!("{} {:2} {:02}:{:02}", month, d, hours, minutes)
 }
@ -94,17 +85,18 @@ fn format_permissions(raw: Option<u32>) -> String {
 // ── SFTP service ─────────────────────────────────────────────────────────────
 /// Manages SFTP sessions keyed by SSH session ID.
 #[derive(Clone)]
 pub struct SftpService {
    /// One `SftpSession` per SSH session, behind a mutex so async commands can
    /// take a shared reference to the `SftpService` and still mutably borrow
    /// individual sessions.
-    clients: DashMap<String, Arc<TokioMutex<SftpSession>>>,
+    clients: Arc<DashMap<String, Arc<TokioMutex<SftpSession>>>>,
 }
 impl SftpService {
    pub fn new() -> Self {
        Self {
-            clients: DashMap::new(),
+            clients: Arc::new(DashMap::new()),
        }
    }
@ -318,7 +310,7 @@ impl SftpService {
    ) -> Result<Arc<TokioMutex<SftpSession>>, String> {
        self.clients
            .get(session_id)
-            .map(|r| r.clone())
+            .map(|r| r.value().clone())
            .ok_or_else(|| format!("No SFTP client for session {}", session_id))
    }
 }
--- a/src-tauri/src/ssh/cwd.rs
+++ b/src-tauri/src/ssh/cwd.rs
@ -16,6 +16,7 @@ use russh::ChannelMsg;
 use tauri::{AppHandle, Emitter};
 use tokio::sync::watch;
 use tokio::sync::Mutex as TokioMutex;
 use tokio_util::sync::CancellationToken;
 use crate::ssh::session::SshClient;
@ -39,13 +40,15 @@ impl CwdTracker {
    /// Spawn a background tokio task that polls `pwd` every 2 seconds on a
    /// separate exec channel.
    ///
-    /// The task runs until the SSH connection is closed or the channel cannot
+    /// The task runs until cancelled via the `CancellationToken`, or until the
-    /// be opened. CWD changes are emitted as `ssh:cwd:{session_id}` events.
+    /// SSH connection is closed or the channel cannot be opened.
    /// CWD changes are emitted as `ssh:cwd:{session_id}` events.
    pub fn start(
        &self,
        handle: Arc<TokioMutex<Handle<SshClient>>>,
        app_handle: AppHandle,
        session_id: String,
        cancel: CancellationToken,
    ) {
        let sender = self._sender.clone();
@ -56,6 +59,10 @@ impl CwdTracker {
            let mut previous_cwd = String::new();
            loop {
                if cancel.is_cancelled() {
                    break;
                }
                // Open a fresh exec channel for each `pwd` invocation.
                // Some SSH servers do not allow multiple exec requests on a
                // single channel, so we open a new one each time.
@ -119,8 +126,11 @@ impl CwdTracker {
                    }
                }
-                // Wait 2 seconds before the next poll.
+                // Wait 2 seconds before the next poll, or cancel.
-                tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
+                tokio::select! {
                    _ = tokio::time::sleep(tokio::time::Duration::from_secs(2)) => {}
                    _ = cancel.cancelled() => { break; }
                }
            }
            debug!("CWD tracker for session {} stopped", session_id);
--- a/src-tauri/src/ssh/exec.rs
+++ b/src-tauri/src/ssh/exec.rs
@ -0,0 +1,51 @@
 //! Shared SSH exec-channel helper used by commands, MCP handlers, and tools.
 //!
 //! Opens a one-shot exec channel on an existing SSH handle, runs `cmd`, collects
 //! all stdout/stderr, and returns it as a `String`.  The caller is responsible
 //! for ensuring the session is still alive.
 use std::sync::Arc;
 use tokio::sync::Mutex as TokioMutex;
 use crate::ssh::session::SshClient;
 /// Execute `cmd` on a separate exec channel and return all output as a `String`.
 ///
 /// Locks the handle for only as long as it takes to open the channel, then
 /// releases it before reading — this avoids holding the lock while waiting on
 /// remote I/O.
 pub async fn exec_on_session(
    handle: &Arc<TokioMutex<russh::client::Handle<SshClient>>>,
    cmd: &str,
 ) -> Result<String, String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session()
            .await
            .map_err(|e| format!("Exec channel failed: {}", e))?
    };
    channel
        .exec(true, cmd)
        .await
        .map_err(|e| format!("Exec failed: {}", e))?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(russh::ChannelMsg::Data { ref data }) => {
                if let Ok(text) = std::str::from_utf8(data.as_ref()) {
                    output.push_str(text);
                }
            }
            Some(russh::ChannelMsg::Eof)
            | Some(russh::ChannelMsg::Close)
            | None => break,
            Some(russh::ChannelMsg::ExitStatus { .. }) => {}
            _ => {}
        }
    }
    Ok(output)
 }
--- a/src-tauri/src/ssh/mod.rs
+++ b/src-tauri/src/ssh/mod.rs
@ -1,3 +1,5 @@
 pub mod session;
 pub mod host_key;
 pub mod cwd;
 pub mod monitor;
 pub mod exec;
--- a/src-tauri/src/ssh/monitor.rs
+++ b/src-tauri/src/ssh/monitor.rs
@ -0,0 +1,197 @@
 //! Remote system monitoring via SSH exec channels.
 //!
 //! Periodically runs lightweight system commands over a separate exec channel
 //! (same pattern as CWD tracker) and emits stats to the frontend.
 //! No agent installation required — uses standard POSIX and platform commands.
 use std::sync::Arc;
 use log::warn;
 use russh::client::Handle;
 use russh::ChannelMsg;
 use serde::Serialize;
 use tauri::{AppHandle, Emitter};
 use tokio::sync::Mutex as TokioMutex;
 use tokio_util::sync::CancellationToken;
 use crate::ssh::session::SshClient;
 #[derive(Debug, Serialize, Clone, Default)]
 #[serde(rename_all = "camelCase")]
 pub struct SystemStats {
    pub cpu_percent: f64,
    pub mem_used_mb: u64,
    pub mem_total_mb: u64,
    pub mem_percent: f64,
    pub disk_used_gb: f64,
    pub disk_total_gb: f64,
    pub disk_percent: f64,
    pub net_rx_bytes: u64,
    pub net_tx_bytes: u64,
    pub os_type: String,
 }
 /// Spawn a background task that polls system stats every 5 seconds.
 ///
 /// The task runs until cancelled via the `CancellationToken`, or until the
 /// SSH connection is closed.
 pub fn start_monitor(
    handle: Arc<TokioMutex<Handle<SshClient>>>,
    app_handle: AppHandle,
    session_id: String,
    cancel: CancellationToken,
 ) {
    tokio::spawn(async move {
        // Brief delay to let the shell start up
        tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
        let mut consecutive_timeouts: u32 = 0;
        loop {
            if cancel.is_cancelled() {
                break;
            }
            let stats = collect_stats(&handle).await;
            match stats {
                Some(stats) => {
                    consecutive_timeouts = 0;
                    let _ = app_handle.emit(
                        &format!("ssh:monitor:{}", session_id),
                        &stats,
                    );
                }
                None => {
                    consecutive_timeouts += 1;
                    if consecutive_timeouts >= 3 {
                        warn!(
                            "SSH monitor for session {}: 3 consecutive failures, stopping",
                            session_id
                        );
                        break;
                    }
                }
            }
            // Wait 5 seconds before the next poll, or cancel.
            tokio::select! {
                _ = tokio::time::sleep(tokio::time::Duration::from_secs(5)) => {}
                _ = cancel.cancelled() => { break; }
            }
        }
    });
 }
 async fn collect_stats(handle: &Arc<TokioMutex<Handle<SshClient>>>) -> Option<SystemStats> {
    // Single command that works cross-platform: detect OS then gather stats
    let script = r#"
 OS=$(uname -s 2>/dev/null || echo "Unknown")
 if [ "$OS" = "Linux" ]; then
    CPU=$(grep 'cpu ' /proc/stat | awk '{usage=($2+$4)*100/($2+$4+$5)} END {printf "%.1f", usage}')
    MEM=$(free -m 2>/dev/null | awk '/^Mem:/ {printf "%d %d", $3, $2}')
    DISK=$(df -BG / 2>/dev/null | awk 'NR==2 {gsub("G",""); printf "%s %s", $3, $2}')
    NET=$(cat /proc/net/dev 2>/dev/null | awk '/eth0:|ens|enp|wlan0:/ {gsub(":",""); printf "%s %s", $2, $10; exit}')
    echo "WRAITH_STATS:$OS:$CPU:$MEM:$DISK:$NET"
 elif [ "$OS" = "Darwin" ]; then
    CPU=$(ps -A -o %cpu | awk '{s+=$1} END {printf "%.1f", s/4}')
    MEM_PAGES=$(vm_stat 2>/dev/null | awk '/Pages active/ {gsub(/\./,""); print $3}')
    MEM_TOTAL=$(sysctl -n hw.memsize 2>/dev/null | awk '{printf "%d", $1/1048576}')
    MEM_USED=$(echo "$MEM_PAGES" | awk -v t="$MEM_TOTAL" '{printf "%d", $1*4096/1048576}')
    DISK=$(df -g / 2>/dev/null | awk 'NR==2 {printf "%s %s", $3, $2}')
    NET=$(netstat -ib 2>/dev/null | awk '/en0/ && /Link/ {printf "%s %s", $7, $10; exit}')
    echo "WRAITH_STATS:$OS:$CPU:$MEM_USED $MEM_TOTAL:$DISK:$NET"
 else
    echo "WRAITH_STATS:$OS:0:0 0:0 0:0 0"
 fi
 "#;
    let output = exec_command(handle, script).await?;
    for line in output.lines() {
        if let Some(rest) = line.strip_prefix("WRAITH_STATS:") {
            return parse_stats(rest);
        }
    }
    None
 }
 fn parse_stats(raw: &str) -> Option<SystemStats> {
    let parts: Vec<&str> = raw.split(':').collect();
    if parts.len() < 5 {
        return None;
    }
    let os_type = parts[0].to_string();
    let cpu_percent = parts[1].parse::<f64>().unwrap_or(0.0);
    let mem_parts: Vec<&str> = parts[2].split_whitespace().collect();
    let mem_used = mem_parts.first().and_then(|s| s.parse::<u64>().ok()).unwrap_or(0);
    let mem_total = mem_parts.get(1).and_then(|s| s.parse::<u64>().ok()).unwrap_or(1);
    let mem_percent = if mem_total > 0 { (mem_used as f64 / mem_total as f64) * 100.0 } else { 0.0 };
    let disk_parts: Vec<&str> = parts[3].split_whitespace().collect();
    let disk_used = disk_parts.first().and_then(|s| s.parse::<f64>().ok()).unwrap_or(0.0);
    let disk_total = disk_parts.get(1).and_then(|s| s.parse::<f64>().ok()).unwrap_or(1.0);
    let disk_percent = if disk_total > 0.0 { (disk_used / disk_total) * 100.0 } else { 0.0 };
    let net_parts: Vec<&str> = parts.get(4).unwrap_or(&"0 0").split_whitespace().collect();
    let net_rx = net_parts.first().and_then(|s| s.parse::<u64>().ok()).unwrap_or(0);
    let net_tx = net_parts.get(1).and_then(|s| s.parse::<u64>().ok()).unwrap_or(0);
    Some(SystemStats {
        cpu_percent,
        mem_used_mb: mem_used,
        mem_total_mb: mem_total,
        mem_percent,
        disk_used_gb: disk_used,
        disk_total_gb: disk_total,
        disk_percent,
        net_rx_bytes: net_rx,
        net_tx_bytes: net_tx,
        os_type,
    })
 }
 /// Execute a command on a separate exec channel with a 10-second timeout.
 async fn exec_command(handle: &Arc<TokioMutex<Handle<SshClient>>>, cmd: &str) -> Option<String> {
    let result = tokio::time::timeout(
        std::time::Duration::from_secs(10),
        exec_command_inner(handle, cmd),
    )
    .await;
    match result {
        Ok(output) => output,
        Err(_) => {
            warn!("SSH monitor exec_command timed out after 10s");
            None
        }
    }
 }
 async fn exec_command_inner(handle: &Arc<TokioMutex<Handle<SshClient>>>, cmd: &str) -> Option<String> {
    let mut channel = {
        let h = handle.lock().await;
        h.channel_open_session().await.ok()?
    };
    channel.exec(true, cmd).await.ok()?;
    let mut output = String::new();
    loop {
        match channel.wait().await {
            Some(ChannelMsg::Data { ref data }) => {
                if let Ok(text) = std::str::from_utf8(data.as_ref()) {
                    output.push_str(text);
                }
            }
            Some(ChannelMsg::Eof) | Some(ChannelMsg::Close) | None => break,
            Some(ChannelMsg::ExitStatus { .. }) => {}
            _ => {}
        }
    }
    Some(output)
 }
--- a/src-tauri/src/ssh/session.rs
+++ b/src-tauri/src/ssh/session.rs
@ -12,9 +12,12 @@ use tokio::sync::Mutex as TokioMutex;
 use tokio::sync::mpsc;
 use crate::db::Database;
 use crate::mcp::ScrollbackRegistry;
 use crate::mcp::error_watcher::ErrorWatcher;
 use crate::sftp::SftpService;
 use crate::ssh::cwd::CwdTracker;
 use crate::ssh::host_key::{HostKeyResult, HostKeyStore};
 use tokio_util::sync::CancellationToken;
 pub enum AuthMethod {
    Password(String),
@ -45,6 +48,7 @@ pub struct SshSession {
    pub handle: Arc<TokioMutex<Handle<SshClient>>>,
    pub command_tx: mpsc::UnboundedSender<ChannelCommand>,
    pub cwd_tracker: Option<CwdTracker>,
    pub cancel_token: CancellationToken,
 }
 pub struct SshClient {
@ -72,18 +76,20 @@ impl client::Handler for SshClient {
    }
 }
 #[derive(Clone)]
 pub struct SshService {
-    sessions: DashMap<String, Arc<SshSession>>,
+    sessions: Arc<DashMap<String, Arc<SshSession>>>,
    db: Database,
 }
 impl SshService {
    pub fn new(db: Database) -> Self {
-        Self { sessions: DashMap::new(), db }
+        Self { sessions: Arc::new(DashMap::new()), db }
    }
-    pub async fn connect(&self, app_handle: AppHandle, hostname: &str, port: u16, username: &str, auth: AuthMethod, cols: u32, rows: u32, sftp_service: &SftpService) -> Result<String, String> {
+    pub async fn connect(&self, app_handle: AppHandle, hostname: &str, port: u16, username: &str, auth: AuthMethod, cols: u32, rows: u32, sftp_service: &SftpService, scrollback: &ScrollbackRegistry, error_watcher: &ErrorWatcher) -> Result<String, String> {
        let session_id = uuid::Uuid::new_v4().to_string();
        wraith_log!("[SSH] Connecting to {}:{} as {} (session {})", hostname, port, username, session_id);
        let config = Arc::new(russh::client::Config::default());
        let handler = SshClient { host_key_store: HostKeyStore::new(self.db.clone()), hostname: hostname.to_string(), port };
@ -131,10 +137,11 @@ impl SshService {
        let channel_id = channel.id();
        let handle = Arc::new(TokioMutex::new(handle));
        let (command_tx, mut command_rx) = mpsc::unbounded_channel::<ChannelCommand>();
        let cancel_token = CancellationToken::new();
        let cwd_tracker = CwdTracker::new();
-        cwd_tracker.start(handle.clone(), app_handle.clone(), session_id.clone());
+        cwd_tracker.start(handle.clone(), app_handle.clone(), session_id.clone(), cancel_token.clone());
-        let session = Arc::new(SshSession { id: session_id.clone(), hostname: hostname.to_string(), port, username: username.to_string(), channel_id, handle: handle.clone(), command_tx: command_tx.clone(), cwd_tracker: Some(cwd_tracker) });
+        let session = Arc::new(SshSession { id: session_id.clone(), hostname: hostname.to_string(), port, username: username.to_string(), channel_id, handle: handle.clone(), command_tx: command_tx.clone(), cwd_tracker: Some(cwd_tracker), cancel_token: cancel_token.clone() });
        self.sessions.insert(session_id.clone(), session);
        {   let h = handle.lock().await;
@ -147,6 +154,32 @@ impl SshService {
            }
        }
        wraith_log!("[SSH] Connected and authenticated: {}", session_id);
        // Create scrollback buffer for MCP terminal_read
        let scrollback_buf = scrollback.create(&session_id);
        error_watcher.watch(&session_id);
        // Start remote monitoring if enabled (runs on a separate exec channel)
        crate::ssh::monitor::start_monitor(handle.clone(), app_handle.clone(), session_id.clone(), cancel_token.clone());
        // Inject OSC 7 CWD reporting hook into the user's shell.
        // This enables SFTP CWD following on all platforms (Linux, macOS, FreeBSD).
        // Sent via the PTY channel so it configures the interactive shell.
        // Wrapped in stty -echo/echo so the command is invisible to the user,
        // then clear the line with \r and overwrite with spaces.
        {
            let osc7_hook = concat!(
                " stty -echo; ",
                "__wraith_osc7() { printf '\\e]7;file://localhost/%s\\a' \"$(pwd | sed 's/ /%20/g')\"; }; ",
                "if [ -n \"$ZSH_VERSION\" ]; then precmd() { __wraith_osc7; }; ",
                "elif [ -n \"$BASH_VERSION\" ]; then PROMPT_COMMAND=__wraith_osc7; fi; ",
                "stty echo; clear; cd ~\n"
            );
            let h = handle.lock().await;
            let _ = h.data(channel_id, CryptoVec::from_slice(osc7_hook.as_bytes())).await;
        }
        // Output reader loop — owns the Channel exclusively.
        // Writes go through Handle::data() so no shared mutex is needed.
        let sid = session_id.clone();
@ -157,10 +190,16 @@ impl SshService {
                    msg = channel.wait() => {
                        match msg {
                            Some(ChannelMsg::Data { ref data }) => {
                                scrollback_buf.push(data.as_ref());
                                // Passive OSC 7 CWD detection — scan without modifying stream
                                if let Some(cwd) = extract_osc7_cwd(data.as_ref()) {
                                    let _ = app.emit(&format!("ssh:cwd:{}", sid), &cwd);
                                }
                                let encoded = base64::engine::general_purpose::STANDARD.encode(data.as_ref());
                                let _ = app.emit(&format!("ssh:data:{}", sid), encoded);
                            }
                            Some(ChannelMsg::ExtendedData { ref data, .. }) => {
                                scrollback_buf.push(data.as_ref());
                                let encoded = base64::engine::general_purpose::STANDARD.encode(data.as_ref());
                                let _ = app.emit(&format!("ssh:data:{}", sid), encoded);
                            }
@ -210,6 +249,8 @@ impl SshService {
    pub async fn disconnect(&self, session_id: &str, sftp_service: &SftpService) -> Result<(), String> {
        let (_, session) = self.sessions.remove(session_id).ok_or_else(|| format!("Session {} not found", session_id))?;
        // Cancel background tasks (CWD tracker, monitor) before tearing down the connection.
        session.cancel_token.cancel();
        let _ = session.command_tx.send(ChannelCommand::Shutdown);
        {   let handle = session.handle.lock().await; let _ = handle.disconnect(Disconnect::ByApplication, "", "en").await; }
        sftp_service.remove_client(session_id);
@ -217,7 +258,7 @@ impl SshService {
    }
    pub fn get_session(&self, session_id: &str) -> Option<Arc<SshSession>> {
-        self.sessions.get(session_id).map(|entry| entry.clone())
+        self.sessions.get(session_id).map(|r| r.value().clone())
    }
    pub fn list_sessions(&self) -> Vec<SessionInfo> {
@ -329,6 +370,60 @@ fn extract_dek_iv(pem_text: &str) -> Result<[u8; 16], String> {
    Err("No DEK-Info: AES-128-CBC header found in encrypted PEM".to_string())
 }
 /// Passively extract CWD from OSC 7 escape sequences in terminal output.
 /// Format: \e]7;file://hostname/path\a  or  \e]7;file://hostname/path\e\\
 /// Returns the path portion without modifying the data stream.
 fn extract_osc7_cwd(data: &[u8]) -> Option<String> {
    let text = std::str::from_utf8(data).ok()?;
    // Look for OSC 7 pattern: \x1b]7;file://
    let marker = "\x1b]7;file://";
    let start = text.find(marker)?;
    let after_marker = &text[start + marker.len()..];
    // Skip hostname (everything up to the next /)
    let path_start = after_marker.find('/')?;
    let path_part = &after_marker[path_start..];
    // Find the terminator: BEL (\x07) or ST (\x1b\\)
    let end = path_part.find('\x07')
        .or_else(|| path_part.find("\x1b\\").map(|i| i));
    let path = match end {
        Some(e) => &path_part[..e],
        None => path_part, // Might be split across chunks — take what we have
    };
    if path.is_empty() {
        None
    } else {
        // URL-decode the path (spaces encoded as %20, etc.)
        // Strip any stray quotes from shell printf output
        let decoded = percent_decode(path);
        let clean = decoded.trim_matches('"').trim_matches('\'').to_string();
        if clean.is_empty() { None } else { Some(clean) }
    }
 }
 fn percent_decode(input: &str) -> String {
    let mut bytes: Vec<u8> = Vec::with_capacity(input.len());
    let mut chars = input.chars();
    while let Some(ch) = chars.next() {
        if ch == '%' {
            let hex: String = chars.by_ref().take(2).collect();
            if let Ok(byte) = u8::from_str_radix(&hex, 16) {
                bytes.push(byte);
            } else {
                bytes.extend_from_slice(b"%");
                bytes.extend_from_slice(hex.as_bytes());
            }
        } else {
            let mut buf = [0u8; 4];
            bytes.extend_from_slice(ch.encode_utf8(&mut buf).as_bytes());
        }
    }
    String::from_utf8_lossy(&bytes).into_owned()
 }
 /// Resolve a private key string — if it looks like PEM content, return as-is.
 /// If it looks like a file path, read the file. Strip BOM and normalize.
 fn resolve_private_key(input: &str) -> Result<String, String> {
--- a/src-tauri/src/theme/mod.rs
+++ b/src-tauri/src/theme/mod.rs
@ -59,6 +59,7 @@ struct BuiltinTheme {
 // ── service ───────────────────────────────────────────────────────────────────
 #[derive(Clone)]
 pub struct ThemeService {
    db: Database,
 }
@ -253,7 +254,7 @@ impl ThemeService {
                    t.bright_blue, t.bright_magenta, t.bright_cyan, t.bright_white,
                ],
            ) {
-                eprintln!("theme::seed_builtins: failed to seed '{}': {}", t.name, e);
+                wraith_log!("theme::seed_builtins: failed to seed '{}': {}", t.name, e);
            }
        }
    }
@ -272,7 +273,7 @@ impl ThemeService {
        ) {
            Ok(s) => s,
            Err(e) => {
-                eprintln!("theme::list: failed to prepare query: {}", e);
+                wraith_log!("theme::list: failed to prepare query: {}", e);
                return vec![];
            }
        };
@ -280,12 +281,12 @@ impl ThemeService {
        match stmt.query_map([], map_theme_row) {
            Ok(rows) => rows
                .filter_map(|r| {
-                    r.map_err(|e| eprintln!("theme::list: row error: {}", e))
+                    r.map_err(|e| wraith_log!("theme::list: row error: {}", e))
                        .ok()
                })
                .collect(),
            Err(e) => {
-                eprintln!("theme::list: query failed: {}", e);
+                wraith_log!("theme::list: query failed: {}", e);
                vec![]
            }
        }
--- a/src-tauri/src/utils.rs
+++ b/src-tauri/src/utils.rs
@ -0,0 +1,19 @@
 //! Shared utility functions.
 /// Escape a string for safe interpolation into a POSIX shell command.
 ///
 /// Wraps the input in single quotes and escapes any embedded single quotes
 /// using the `'\''` technique. This prevents command injection when building
 /// shell commands from user-supplied values.
 ///
 /// # Examples
 ///
 /// ```
 /// # use wraith_lib::utils::shell_escape;
 /// assert_eq!(shell_escape("hello"), "'hello'");
 /// assert_eq!(shell_escape("it's"), "'it'\\''s'");
 /// assert_eq!(shell_escape(";rm -rf /"), "';rm -rf /'");
 /// ```
 pub fn shell_escape(input: &str) -> String {
    format!("'{}'", input.replace('\'', "'\\''"))
 }
--- a/src-tauri/src/vault/mod.rs
+++ b/src-tauri/src/vault/mod.rs
@ -4,6 +4,7 @@ use aes_gcm::{
    Aes256Gcm, Key, Nonce,
 };
 use argon2::{Algorithm, Argon2, Params, Version};
 use zeroize::Zeroizing;
 // ---------------------------------------------------------------------------
 // VaultService
@ -21,18 +22,18 @@ use argon2::{Algorithm, Argon2, Params, Version};
 /// The version prefix allows a future migration to a different algorithm
 /// without breaking existing stored blobs.
 pub struct VaultService {
-    key: [u8; 32],
+    key: Zeroizing<[u8; 32]>,
 }
 impl VaultService {
-    pub fn new(key: [u8; 32]) -> Self {
+    pub fn new(key: Zeroizing<[u8; 32]>) -> Self {
        Self { key }
    }
    /// Encrypt `plaintext` and return a `v1:{iv_hex}:{sealed_hex}` blob.
    pub fn encrypt(&self, plaintext: &str) -> Result<String, String> {
        // Build the AES-256-GCM cipher from our key.
-        let key = Key::<Aes256Gcm>::from_slice(&self.key);
+        let key = Key::<Aes256Gcm>::from_slice(&*self.key);
        let cipher = Aes256Gcm::new(key);
        // Generate a random 12-byte nonce (96-bit is the GCM standard).
@ -71,7 +72,7 @@ impl VaultService {
            ));
        }
-        let key = Key::<Aes256Gcm>::from_slice(&self.key);
+        let key = Key::<Aes256Gcm>::from_slice(&*self.key);
        let cipher = Aes256Gcm::new(key);
        let nonce = Nonce::from_slice(&iv_bytes);
@ -95,7 +96,7 @@ impl VaultService {
 ///   t = 3 iterations
 ///   m = 65536 KiB (64 MiB) memory
 ///   p = 4 parallelism lanes
-pub fn derive_key(password: &str, salt: &[u8]) -> [u8; 32] {
+pub fn derive_key(password: &str, salt: &[u8]) -> Zeroizing<[u8; 32]> {
    let params = Params::new(
        65536, // m_cost: 64 MiB
        3,     // t_cost: iterations
@ -106,9 +107,9 @@ pub fn derive_key(password: &str, salt: &[u8]) -> [u8; 32] {
    let argon2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
-    let mut output_key = [0u8; 32];
+    let mut output_key = Zeroizing::new([0u8; 32]);
    argon2
-        .hash_password_into(password.as_bytes(), salt, &mut output_key)
+        .hash_password_into(password.as_bytes(), salt, &mut *output_key)
        .expect("Argon2id key derivation failed");
    output_key
--- a/src-tauri/src/workspace/mod.rs
+++ b/src-tauri/src/workspace/mod.rs
@ -24,6 +24,7 @@ pub struct WorkspaceSnapshot {
 const SNAPSHOT_KEY: &str = "workspace_snapshot";
 const CLEAN_SHUTDOWN_KEY: &str = "clean_shutdown";
 #[derive(Clone)]
 pub struct WorkspaceService {
    settings: SettingsService,
 }
@ -47,7 +48,7 @@ impl WorkspaceService {
    pub fn load(&self) -> Option<WorkspaceSnapshot> {
        let json = self.settings.get(SNAPSHOT_KEY)?;
        serde_json::from_str(&json)
-            .map_err(|e| eprintln!("workspace::load: failed to deserialize snapshot: {e}"))
+            .map_err(|e| wraith_log!("workspace::load: failed to deserialize snapshot: {e}"))
            .ok()
    }
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@ -17,13 +17,15 @@
        "minWidth": 800,
        "minHeight": 600,
        "decorations": true,
-        "resizable": true
+        "resizable": true,
        "dragDropEnabled": false,
        "additionalBrowserArgs": "--enable-gpu-rasterization --enable-zero-copy --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection"
      }
    ],
    "security": {
      "csp": null
    },
-    "withGlobalTauri": true
+    "withGlobalTauri": false
  },
  "bundle": {
    "active": true,
@ -47,6 +49,12 @@
  "plugins": {
    "shell": {
      "open": true
    },
    "updater": {
      "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDNCRkQ2OUY2OEY0Q0ZFQkYKUldTLy9reVA5bW45T3dUQ1R5OFNCenVhL2srTXlLcHR4cFNaeCtJSmJUSTZKSUNHVTRIbWZwanEK",
      "endpoints": [
        "https://files.command.vigilcyber.com/wraith/update.json"
      ]
    }
  }
 }
--- a/src/App.vue
+++ b/src/App.vue
@ -1,27 +1,67 @@
 <script setup lang="ts">
-import { onMounted } from "vue";
+import { ref, onMounted, onErrorCaptured, defineAsyncComponent } from "vue";
 import { useAppStore } from "@/stores/app.store";
 import UnlockLayout from "@/layouts/UnlockLayout.vue";
 import ToolWindow from "@/components/tools/ToolWindow.vue";
-// MainLayout is the full app shell — lazy-load it so the unlock screen is
+const MainLayout = defineAsyncComponent({
-// instant and the heavy editor/terminal code only lands after auth.
+  loader: () => import("@/layouts/MainLayout.vue"),
-import { defineAsyncComponent } from "vue";
+  onError(error) { console.error("[App] MainLayout load failed:", error); },
-const MainLayout = defineAsyncComponent(
+});
-  () => import("@/layouts/MainLayout.vue")
+const DetachedSession = defineAsyncComponent({
-);
+  loader: () => import("@/components/session/DetachedSession.vue"),
  onError(error) { console.error("[App] DetachedSession load failed:", error); },
 });
 const app = useAppStore();
 const appError = ref<string | null>(null);
 const isToolMode = ref(false);
 const isDetachedMode = ref(false);
 const toolName = ref("");
 const toolSessionId = ref("");
 onErrorCaptured((err) => {
  appError.value = err instanceof Error ? err.message : String(err);
  console.error("[App] Uncaught error:", err);
  return false;
 });
 /** Parse hash and set mode flags. Called on mount and on hashchange. */
 function applyHash(hash: string): void {
  if (hash.startsWith("#/tool/")) {
    isToolMode.value = true;
    const rest = hash.substring(7);
    const [name, query] = rest.split("?");
    toolName.value = name;
    toolSessionId.value = new URLSearchParams(query || "").get("sessionId") || "";
  } else if (hash.startsWith("#/detached-session")) {
    isDetachedMode.value = true;
  }
 }
 onMounted(async () => {
  // Check hash at load time (present if JS-side WebviewWindow set it in the URL)
  applyHash(window.location.hash);
  // Also listen for hash changes (Rust-side window sets hash via eval after load)
  window.addEventListener("hashchange", () => applyHash(window.location.hash));
  // Only init vault for the main app window (no hash)
  if (!isToolMode.value && !isDetachedMode.value) {
    await app.checkVaultState();
  }
 });
 </script>
 <template>
-  <div class="app-root">
+  <div v-if="appError" class="fixed inset-0 z-50 flex items-center justify-center bg-[#0d1117] text-red-400 p-8 text-sm font-mono whitespace-pre-wrap">
-    <!-- Show the unlock/create-vault screen until the store confirms we're in -->
+    {{ appError }}
  </div>
  <DetachedSession v-else-if="isDetachedMode" />
  <ToolWindow v-else-if="isToolMode" :tool="toolName" :session-id="toolSessionId" />
  <div v-else class="app-root">
    <UnlockLayout v-if="!app.isUnlocked" />
    <!-- Once unlocked, mount the full application shell -->
    <MainLayout v-else />
  </div>
 </template>
--- a/src/assets/css/terminal.css
+++ b/src/assets/css/terminal.css
@ -2,7 +2,7 @@
 .terminal-container {
  width: 100%;
-  height: 100%;
+  min-height: 0;
  position: relative;
  overflow: hidden;
  background: var(--wraith-bg-primary);
@ -20,14 +20,16 @@
  height: 100%;
 }
-/* Selection styling */
+/* WKWebView focus fix: xterm.js hides its helper textarea with opacity: 0,
-.terminal-container .xterm-selection div {
+   width/height: 0, left: -9999em. macOS WKWebView doesn't reliably focus
-  background-color: rgba(88, 166, 255, 0.3) !important;
+   elements with zero dimensions positioned off-screen. Override to keep it
-}
+   within the viewport with non-zero dimensions so focus events fire. */
-
+.terminal-container .xterm .xterm-helper-textarea {
-/* Cursor styling */
+  left: 0 !important;
-.terminal-container .xterm-cursor-layer {
+  top: 0 !important;
-  z-index: 4;
+  width: 1px !important;
  height: 1px !important;
  opacity: 0.01 !important;
 }
 /* Scrollbar inside terminal */
--- a/src/components/ai/CopilotPanel.vue
+++ b/src/components/ai/CopilotPanel.vue
@ -1,5 +1,14 @@
 <template>
-  <div class="flex flex-col h-full bg-[var(--wraith-bg-secondary)] border-l border-[var(--wraith-border)] w-[640px]">
+  <div class="flex h-full relative">
    <!-- Drag handle for resizing -->
    <div
      class="w-1 cursor-col-resize hover:bg-[var(--wraith-accent-blue)] active:bg-[var(--wraith-accent-blue)] transition-colors shrink-0"
      @pointerdown="startResize"
    />
    <div
      class="flex flex-col h-full bg-[var(--wraith-bg-secondary)] border-l border-[var(--wraith-border)] flex-1 min-w-0"
      :style="{ width: panelWidth + 'px' }"
    >
    <!-- Header -->
    <div class="p-3 border-b border-[var(--wraith-border)] flex items-center justify-between gap-2">
      <span class="text-xs font-bold tracking-widest text-[var(--wraith-accent-blue)]">AI COPILOT</span>
@ -28,6 +37,14 @@
        >
          Kill
        </button>
        <button
          v-if="connected"
          class="px-2 py-0.5 text-[10px] rounded border border-[var(--wraith-border)] text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-primary)] cursor-pointer"
          title="Inject available MCP tools into the chat"
          @click="injectTools"
        >
          Tools
        </button>
      </div>
    </div>
@ -45,18 +62,27 @@
      </button>
    </div>
-    <!-- Empty state -->
+    <!-- Empty state with quick-launch presets -->
-    <div v-else class="flex-1 flex flex-col items-center justify-center gap-2 p-4">
+    <div v-else class="flex-1 flex flex-col items-center justify-center gap-3 p-4">
      <p class="text-xs text-[var(--wraith-text-muted)] text-center">
-        Select a shell and click Launch to start a local terminal.
+        Select a shell and click Launch, or use a preset:
      </p>
      <div v-if="presets.length" class="flex flex-col gap-1.5 w-full max-w-[200px]">
        <button
          v-for="preset in presets"
          :key="preset.name"
          class="px-3 py-1.5 text-xs rounded bg-[var(--wraith-bg-tertiary)] border border-[var(--wraith-border)] text-[var(--wraith-text-secondary)] hover:text-[var(--wraith-text-primary)] hover:border-[var(--wraith-accent-blue)] transition-colors cursor-pointer text-left"
          @click="launchPreset(preset)"
        >
          {{ preset.name }}
        </button>
      </div>
      <p class="text-[10px] text-[var(--wraith-text-muted)] text-center">
-        Run <code class="text-[var(--wraith-accent-blue)]">claude</code>,
+        Configure presets in Settings → AI Copilot
        <code class="text-[var(--wraith-accent-blue)]">gemini</code>, or
        <code class="text-[var(--wraith-accent-blue)]">codex</code> here.
      </p>
    </div>
    </div>
  </div>
 </template>
 <script setup lang="ts">
@ -67,6 +93,33 @@ import { useTerminal } from "@/composables/useTerminal";
 interface ShellInfo { name: string; path: string; }
 // Resizable panel
 const panelWidth = ref(640);
 function startResize(e: PointerEvent): void {
  e.preventDefault();
  const startX = e.clientX;
  const startWidth = panelWidth.value;
  function onMove(ev: PointerEvent): void {
    // Dragging left increases width (panel is on the right side)
    const delta = startX - ev.clientX;
    panelWidth.value = Math.max(320, Math.min(1200, startWidth + delta));
  }
  function onUp(): void {
    document.removeEventListener("pointermove", onMove);
    document.removeEventListener("pointerup", onUp);
  }
  document.addEventListener("pointermove", onMove);
  document.addEventListener("pointerup", onUp);
 }
 interface LaunchPreset { name: string; shell: string; command: string; }
 const presets = ref<LaunchPreset[]>([]);
 const shells = ref<ShellInfo[]>([]);
 const selectedShell = ref("");
 const connected = ref(false);
@ -88,6 +141,56 @@ async function loadShells(): Promise<void> {
  }
 }
 async function loadPresets(): Promise<void> {
  try {
    const raw = await invoke<string | null>("get_setting", { key: "copilot_presets" });
    if (raw) {
      presets.value = JSON.parse(raw);
    } else {
      // Seed with sensible defaults
      presets.value = [
        { name: "Claude Code", shell: "", command: "claude" },
        { name: "Gemini CLI", shell: "", command: "gemini" },
        { name: "Codex CLI", shell: "", command: "codex" },
      ];
    }
  } catch {
    presets.value = [];
  }
 }
 async function launchPreset(preset: LaunchPreset): Promise<void> {
  const shell = preset.shell || selectedShell.value;
  if (!shell) return;
  selectedShell.value = shell;
  await launch();
  // Wait for the shell prompt before sending the command.
  // Poll the scrollback for a prompt indicator (PS>, $, #, %, >)
  if (sessionId && connected.value) {
    const maxWait = 5000;
    const start = Date.now();
    const poll = setInterval(async () => {
      if (Date.now() - start > maxWait) {
        clearInterval(poll);
        // Send anyway after timeout
        invoke("pty_write", { sessionId, data: preset.command + "\r" }).catch(() => {});
        return;
      }
      try {
        const lines = await invoke<string>("mcp_terminal_read", { sessionId, lines: 3 });
        const lastLine = lines.split("\n").pop()?.trim() || "";
        // Detect common shell prompts
        if (lastLine.endsWith("$") || lastLine.endsWith("#") || lastLine.endsWith("%") || lastLine.endsWith(">") || lastLine.endsWith("PS>")) {
          clearInterval(poll);
          invoke("pty_write", { sessionId, data: preset.command + "\r" }).catch(() => {});
        }
      } catch {
        // Scrollback not ready yet, keep polling
      }
    }, 200);
  }
 }
 async function launch(): Promise<void> {
  if (!selectedShell.value) return;
  sessionEnded.value = false;
@ -100,10 +203,12 @@ async function launch(): Promise<void> {
    });
    connected.value = true;
-    await nextTick();
+    // Instantiate terminal synchronously (before any further awaits) now that
-
+    // sessionId is known. Cleanup is owned by this component's onBeforeUnmount.
    if (containerRef.value) {
    terminalInstance = useTerminal(sessionId, "pty");
    nextTick(() => {
      if (containerRef.value && terminalInstance) {
        terminalInstance.mount(containerRef.value);
        // Fit after mount to get real dimensions, then resize the PTY
@ -119,6 +224,7 @@ async function launch(): Promise<void> {
          }
        }, 50);
      }
    });
    // Listen for shell exit
    closeUnlisten = await listen(`pty:close:${sessionId}`, () => {
@ -131,6 +237,44 @@ async function launch(): Promise<void> {
  }
 }
 function injectTools(): void {
  if (!sessionId || !connected.value) return;
  const toolsPrompt = [
    "You have access to these Wraith MCP tools via the wraith-mcp-bridge:",
    "",
    "SESSION MANAGEMENT:",
    "  list_sessions — List all active SSH/RDP/PTY sessions",
    "",
    "TERMINAL:",
    "  terminal_read(session_id, lines?) — Read recent terminal output (ANSI stripped)",
    "  terminal_execute(session_id, command, timeout_ms?) — Run a command and capture output",
    "  terminal_screenshot(session_id) — Capture RDP session as PNG",
    "",
    "SFTP:",
    "  sftp_list(session_id, path) — List remote directory",
    "  sftp_read(session_id, path) — Read remote file",
    "  sftp_write(session_id, path, content) — Write remote file",
    "",
    "NETWORK:",
    "  network_scan(session_id, subnet) — Discover devices on subnet (ARP + ping sweep)",
    "  port_scan(session_id, target, ports?) — Scan TCP ports",
    "  ping(session_id, target) — Ping a host",
    "  traceroute(session_id, target) — Traceroute to host",
    "  dns_lookup(session_id, domain, record_type?) — DNS lookup",
    "  whois(session_id, target) — Whois lookup",
    "  wake_on_lan(session_id, mac_address) — Send WoL magic packet",
    "  bandwidth_test(session_id) — Internet speed test",
    "",
    "UTILITIES (no session needed):",
    "  subnet_calc(cidr) — Calculate subnet details",
    "  generate_ssh_key(key_type, comment?) — Generate SSH key pair",
    "  generate_password(length?, uppercase?, lowercase?, digits?, symbols?) — Generate password",
    "",
  ].join("\n");
  invoke("pty_write", { sessionId, data: toolsPrompt + "\r" }).catch(() => {});
 }
 function kill(): void {
  if (sessionId) {
    invoke("disconnect_pty", { sessionId }).catch(() => {});
@ -151,7 +295,10 @@ function cleanup(): void {
  sessionId = "";
 }
-onMounted(loadShells);
+onMounted(() => {
  loadShells();
  loadPresets();
 });
 onBeforeUnmount(() => {
  if (connected.value) kill();
--- a/src/components/common/CommandPalette.vue
+++ b/src/components/common/CommandPalette.vue
@ -116,9 +116,9 @@ const connectionStore = useConnectionStore();
 const sessionStore = useSessionStore();
 const emit = defineEmits<{
-  (e: "open-import"): void;
+  "open-import": [];
-  (e: "open-settings"): void;
+  "open-settings": [];
-  (e: "open-new-connection", protocol?: "ssh" | "rdp"): void;
+  "open-new-connection": [protocol?: "ssh" | "rdp"];
 }>();
 const actions: PaletteAction[] = [
--- a/src/components/common/SettingsModal.vue
+++ b/src/components/common/SettingsModal.vue
@ -154,6 +154,56 @@
              </div>
            </template>
            <!-- AI Copilot -->
            <template v-if="activeSection === 'copilot'">
              <h4 class="text-xs font-semibold text-[var(--wraith-text-muted)] uppercase tracking-wider mb-3">Launch Presets</h4>
              <p class="text-[10px] text-[var(--wraith-text-muted)] mb-3">
                Configure quick-launch buttons for the AI copilot panel. Each preset spawns a shell and runs the command.
              </p>
              <div class="space-y-2">
                <div
                  v-for="(preset, idx) in copilotPresets"
                  :key="idx"
                  class="flex items-center gap-2"
                >
                  <input
                    v-model="preset.name"
                    type="text"
                    placeholder="Name"
                    class="w-24 px-2 py-1 text-xs rounded bg-[#0d1117] border border-[#30363d] text-[var(--wraith-text-primary)] outline-none focus:border-[var(--wraith-accent-blue)]"
                  />
                  <input
                    v-model="preset.command"
                    type="text"
                    placeholder="Command (e.g. claude --dangerously-skip-permissions)"
                    class="flex-1 px-2 py-1 text-xs rounded bg-[#0d1117] border border-[#30363d] text-[var(--wraith-text-primary)] outline-none focus:border-[var(--wraith-accent-blue)] font-mono"
                  />
                  <button
                    class="text-[var(--wraith-text-muted)] hover:text-[var(--wraith-accent-red)] transition-colors cursor-pointer text-sm"
                    @click="copilotPresets.splice(idx, 1)"
                  >
                    &times;
                  </button>
                </div>
              </div>
              <div class="flex gap-2 mt-3">
                <button
                  class="px-3 py-1.5 text-xs rounded border border-[#30363d] text-[var(--wraith-text-secondary)] hover:bg-[#30363d] transition-colors cursor-pointer"
                  @click="copilotPresets.push({ name: '', shell: '', command: '' })"
                >
                  + Add Preset
                </button>
                <button
                  class="px-3 py-1.5 text-xs rounded bg-[var(--wraith-accent-blue)] text-black font-bold transition-colors cursor-pointer"
                  @click="saveCopilotPresets"
                >
                  Save
                </button>
              </div>
            </template>
            <!-- About -->
            <template v-if="activeSection === 'about'">
              <h4 class="text-xs font-semibold text-[var(--wraith-text-muted)] uppercase tracking-wider mb-3">About</h4>
@ -183,6 +233,30 @@
                  </div>
                </div>
                <!-- Update check -->
                <div class="pt-2">
                  <button
                    class="w-full px-3 py-2 text-xs font-bold rounded bg-[var(--wraith-accent-blue)] text-black cursor-pointer disabled:opacity-40"
                    :disabled="updateChecking"
                    @click="checkUpdates"
                  >
                    {{ updateChecking ? "Checking..." : "Check for Updates" }}
                  </button>
                  <div v-if="updateInfo" class="mt-2 p-3 rounded bg-[#0d1117] border border-[#30363d]">
                    <template v-if="updateInfo.updateAvailable">
                      <p class="text-xs text-[#3fb950] mb-1">Update available: v{{ updateInfo.latestVersion }}</p>
                      <p v-if="updateInfo.releaseNotes" class="text-[10px] text-[var(--wraith-text-muted)] mb-2 max-h-20 overflow-auto">{{ updateInfo.releaseNotes }}</p>
                      <button
                        class="w-full px-3 py-1.5 text-xs font-bold rounded bg-[#238636] text-white cursor-pointer"
                        @click="downloadUpdate"
                      >
                        Download v{{ updateInfo.latestVersion }}
                      </button>
                    </template>
                    <p v-else class="text-xs text-[var(--wraith-text-muted)]">You're on the latest version.</p>
                  </div>
                </div>
                <div class="flex gap-2 pt-2">
                  <a
                    href="#"
@ -221,12 +295,46 @@
 <script setup lang="ts">
 import { ref, watch, onMounted } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { getVersion } from "@tauri-apps/api/app";
 import { open as shellOpen } from "@tauri-apps/plugin-shell";
-type Section = "general" | "terminal" | "vault" | "about";
+type Section = "general" | "terminal" | "vault" | "copilot" | "about";
 interface CopilotPreset { name: string; shell: string; command: string; }
 const visible = ref(false);
 const activeSection = ref<Section>("general");
 const copilotPresets = ref<CopilotPreset[]>([]);
 interface UpdateCheckInfo {
  currentVersion: string;
  latestVersion: string;
  updateAvailable: boolean;
  downloadUrl: string;
  releaseNotes: string;
 }
 const updateChecking = ref(false);
 const updateInfo = ref<UpdateCheckInfo | null>(null);
 async function checkUpdates(): Promise<void> {
  updateChecking.value = true;
  updateInfo.value = null;
  try {
    updateInfo.value = await invoke<UpdateCheckInfo>("check_for_updates");
  } catch (err) {
    alert(`Update check failed: ${err}`);
  }
  updateChecking.value = false;
 }
 async function downloadUpdate(): Promise<void> {
  if (!updateInfo.value?.downloadUrl) return;
  try {
    await shellOpen(updateInfo.value.downloadUrl);
  } catch {
    window.open(updateInfo.value.downloadUrl, "_blank");
  }
 }
 const currentVersion = ref("loading...");
 const sections = [
@ -245,6 +353,11 @@ const sections = [
    label: "Vault",
    icon: `<svg viewBox="0 0 16 16" fill="currentColor" class="w-3.5 h-3.5"><path d="M4 4v2h-.25A1.75 1.75 0 0 0 2 7.75v5.5c0 .966.784 1.75 1.75 1.75h8.5A1.75 1.75 0 0 0 14 13.25v-5.5A1.75 1.75 0 0 0 12.25 6H12V4a4 4 0 1 0-8 0Zm6.5 2V4a2.5 2.5 0 0 0-5 0v2ZM8 9.5a1.5 1.5 0 0 1 .5 2.915V13.5a.5.5 0 0 1-1 0v-1.085A1.5 1.5 0 0 1 8 9.5Z"/></svg>`,
  },
  {
    id: "copilot" as const,
    label: "AI Copilot",
    icon: `<svg viewBox="0 0 16 16" fill="currentColor" class="w-3.5 h-3.5"><path d="M5.5 8.5 9 5l-2-.5L4 7.5l1.5 1ZM1 2.75C1 1.784 1.784 1 2.75 1h10.5c.966 0 1.75.784 1.75 1.75v10.5A1.75 1.75 0 0 1 13.25 15H2.75A1.75 1.75 0 0 1 1 13.25Zm1.75-.25a.25.25 0 0 0-.25.25v10.5c0 .138.112.25.25.25h10.5a.25.25 0 0 0 .25-.25V2.75a.25.25 0 0 0-.25-.25Z"/></svg>`,
  },
  {
    id: "about" as const,
    label: "About",
@ -273,6 +386,9 @@ const settings = ref({
 /** Load saved settings from Rust backend on mount. */
 onMounted(async () => {
  // Populate version from Tauri app config
  try { currentVersion.value = await getVersion(); } catch { currentVersion.value = "unknown"; }
  try {
    const [protocol, sidebarW, theme, fontSize, scrollback] = await Promise.all([
      invoke<string | null>("get_setting", { key: "default_protocol" }),
@ -306,9 +422,16 @@ watch(
  () => settings.value.defaultProtocol,
  (val) => invoke("set_setting", { key: "default_protocol", value: val }).catch(console.error),
 );
 let sidebarWidthDebounce: ReturnType<typeof setTimeout>;
 watch(
  () => settings.value.sidebarWidth,
-  (val) => invoke("set_setting", { key: "sidebar_width", value: String(val) }).catch(console.error),
+  (val) => {
    clearTimeout(sidebarWidthDebounce);
    sidebarWidthDebounce = setTimeout(
      () => invoke("set_setting", { key: "sidebar_width", value: String(val) }).catch(console.error),
      300,
    );
  },
 );
 watch(
  () => settings.value.terminalTheme,
@ -326,6 +449,33 @@ watch(
 function open(): void {
  visible.value = true;
  activeSection.value = "general";
  loadCopilotPresets();
 }
 async function loadCopilotPresets(): Promise<void> {
  try {
    const raw = await invoke<string | null>("get_setting", { key: "copilot_presets" });
    if (raw) {
      copilotPresets.value = JSON.parse(raw);
    } else {
      copilotPresets.value = [
        { name: "Claude Code", shell: "", command: "claude" },
        { name: "Gemini CLI", shell: "", command: "gemini" },
        { name: "Codex CLI", shell: "", command: "codex" },
      ];
    }
  } catch {
    copilotPresets.value = [];
  }
 }
 async function saveCopilotPresets(): Promise<void> {
  try {
    const json = JSON.stringify(copilotPresets.value.filter(p => p.name && p.command));
    await invoke("set_setting", { key: "copilot_presets", value: json });
  } catch (err) {
    console.error("Failed to save copilot presets:", err);
  }
 }
 function close(): void {
--- a/src/components/common/StatusBar.vue
+++ b/src/components/common/StatusBar.vue
@ -1,5 +1,5 @@
 <template>
-  <div class="h-6 flex items-center justify-between px-4 bg-[var(--wraith-bg-secondary)] border-t border-[var(--wraith-border)] text-[10px] text-[var(--wraith-text-muted)] shrink-0">
+  <div class="h-[48px] flex items-center justify-between px-6 bg-[var(--wraith-bg-secondary)] border-t border-[var(--wraith-border)] text-base text-[var(--wraith-text-muted)] shrink-0">
    <!-- Left: connection info -->
    <div class="flex items-center gap-3">
      <template v-if="sessionStore.activeSession">
@ -47,7 +47,7 @@ const connectionStore = useConnectionStore();
 const activeThemeName = ref("Default");
 const emit = defineEmits<{
-  (e: "open-theme-picker"): void;
+  "open-theme-picker": [];
 }>();
 const connectionInfo = computed(() => {
--- a/src/components/common/ThemePicker.vue
+++ b/src/components/common/ThemePicker.vue
@ -112,6 +112,8 @@ export interface ThemeDefinition {
  brightMagenta: string;
  brightCyan: string;
  brightWhite: string;
  selectionBackground?: string;
  selectionForeground?: string;
  isBuiltin?: boolean;
 }
--- a/src/components/rdp/RdpView.vue
+++ b/src/components/rdp/RdpView.vue
@ -28,7 +28,8 @@
 </template>
 <script setup lang="ts">
-import { ref, onMounted, onBeforeUnmount, watch } from "vue";
+import { ref, computed, onMounted, onBeforeUnmount, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useRdp, MouseFlag } from "@/composables/useRdp";
 const props = defineProps<{
@ -42,8 +43,8 @@ const containerRef = ref<HTMLElement | null>(null);
 const canvasWrapper = ref<HTMLElement | null>(null);
 const canvasRef = ref<HTMLCanvasElement | null>(null);
-const rdpWidth = props.width ?? 1920;
+const rdpWidth = computed(() => props.width ?? 1920);
-const rdpHeight = props.height ?? 1080;
+const rdpHeight = computed(() => props.height ?? 1080);
 const {
  connected,
@ -76,8 +77,8 @@ function toRdpCoords(e: MouseEvent): { x: number; y: number } | null {
  if (!canvas) return null;
  const rect = canvas.getBoundingClientRect();
-  const scaleX = rdpWidth / rect.width;
+  const scaleX = canvas.width / rect.width;
-  const scaleY = rdpHeight / rect.height;
+  const scaleY = canvas.height / rect.height;
  return {
    x: Math.floor((e.clientX - rect.left) * scaleX),
@ -153,25 +154,95 @@ function handleKeyUp(e: KeyboardEvent): void {
  sendKey(props.sessionId, e.code, false);
 }
 let resizeObserver: ResizeObserver | null = null;
 let resizeTimeout: ReturnType<typeof setTimeout> | null = null;
 onMounted(() => {
  if (canvasRef.value) {
-    startFrameLoop(props.sessionId, canvasRef.value, rdpWidth, rdpHeight);
+    startFrameLoop(props.sessionId, canvasRef.value, rdpWidth.value, rdpHeight.value);
  }
  // Watch container size and request server-side RDP resize (debounced 500ms)
  if (canvasWrapper.value) {
    resizeObserver = new ResizeObserver((entries) => {
      const entry = entries[0];
      if (!entry || !connected.value) return;
      const { width: cw, height: ch } = entry.contentRect;
      if (cw < 200 || ch < 200) return;
      // Round to even width (RDP spec requirement)
      const newW = Math.round(cw) & ~1;
      const newH = Math.round(ch);
      if (resizeTimeout) clearTimeout(resizeTimeout);
      resizeTimeout = setTimeout(() => {
        invoke("rdp_resize", {
          sessionId: props.sessionId,
          width: newW,
          height: newH,
        }).then(() => {
          if (canvasRef.value) {
            canvasRef.value.width = newW;
            canvasRef.value.height = newH;
          }
          // Force full frame after resize so canvas gets a clean repaint
          setTimeout(() => {
            invoke("rdp_force_refresh", { sessionId: props.sessionId }).catch(() => {});
          }, 200);
        }).catch((err: unknown) => {
          console.warn("[RdpView] resize failed:", err);
        });
      }, 500);
    });
    resizeObserver.observe(canvasWrapper.value);
  }
 });
 onBeforeUnmount(() => {
  stopFrameLoop();
  if (resizeObserver) { resizeObserver.disconnect(); resizeObserver = null; }
  if (resizeTimeout) { clearTimeout(resizeTimeout); resizeTimeout = null; }
 });
-// Focus canvas when this tab becomes active and keyboard is grabbed
+// Focus canvas, re-check dimensions, and force full frame on tab switch.
 // Uses 300ms delay to let the flex layout fully settle (copilot panel toggle, etc.)
 watch(
  () => props.isActive,
  (active) => {
-    if (active && keyboardGrabbed.value && canvasRef.value) {
+    if (!active || !canvasRef.value) return;
    // Immediate focus so keyboard works right away
    if (keyboardGrabbed.value) canvasRef.value.focus();
    // Immediate force refresh to show SOMETHING while we check dimensions
    invoke("rdp_force_refresh", { sessionId: props.sessionId }).catch(() => {});
    // Delayed dimension check — layout needs time to settle
    setTimeout(() => {
-        canvasRef.value?.focus();
+      const wrapper = canvasWrapper.value;
-      }, 0);
+      const canvas = canvasRef.value;
      if (!wrapper || !canvas) return;
      const { width: cw, height: ch } = wrapper.getBoundingClientRect();
      const newW = Math.round(cw) & ~1;
      const newH = Math.round(ch);
      if (newW >= 200 && newH >= 200 && (newW !== canvas.width || newH !== canvas.height)) {
        invoke("rdp_resize", {
          sessionId: props.sessionId,
          width: newW,
          height: newH,
        }).then(() => {
          if (canvas) {
            canvas.width = newW;
            canvas.height = newH;
          }
          setTimeout(() => {
            invoke("rdp_force_refresh", { sessionId: props.sessionId }).catch(() => {});
          }, 500);
        }).catch(() => {});
      }
    }, 300);
  },
 );
 </script>
@ -196,9 +267,8 @@ watch(
 }
 .rdp-canvas {
-  max-width: 100%;
+  width: 100%;
-  max-height: 100%;
+  height: 100%;
  object-fit: contain;
  cursor: default;
  outline: none;
  image-rendering: auto;
--- a/src/components/session/DetachedSession.vue
+++ b/src/components/session/DetachedSession.vue
@ -0,0 +1,75 @@
 <template>
  <div class="h-screen w-screen flex flex-col bg-[#0d1117]">
    <!-- Minimal title bar -->
    <div class="h-8 flex items-center justify-between px-3 bg-[#161b22] border-b border-[#30363d] shrink-0" data-tauri-drag-region>
      <span class="text-xs text-[#8b949e]">{{ sessionName }}</span>
      <span class="text-[10px] text-[#484f58]">Detached — close to reattach</span>
    </div>
    <!-- Terminal -->
    <div ref="containerRef" class="flex-1 min-h-0" />
    <!-- Monitor bar for SSH sessions -->
    <MonitorBar v-if="protocol === 'ssh'" :session-id="sessionId" />
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted, onBeforeUnmount } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { getCurrentWindow } from "@tauri-apps/api/window";
 import { useTerminal } from "@/composables/useTerminal";
 import MonitorBar from "@/components/terminal/MonitorBar.vue";
 const sessionId = ref("");
 const sessionName = ref("Detached Session");
 const protocol = ref("ssh");
 const containerRef = ref<HTMLElement | null>(null);
 // Parse session info from URL hash synchronously so backend type is known at setup time
 const hash = window.location.hash;
 const params = new URLSearchParams(hash.split("?")[1] || "");
 const _initialSessionId = params.get("sessionId") || "";
 const _initialProtocol = params.get("protocol") || "ssh";
 const _backend = (_initialProtocol === "local" ? "pty" : "ssh") as 'ssh' | 'pty';
 const terminalInstance = useTerminal(_initialSessionId, _backend);
 onMounted(async () => {
  sessionId.value = _initialSessionId;
  sessionName.value = decodeURIComponent(params.get("name") || "Detached Session");
  protocol.value = _initialProtocol;
  if (!sessionId.value || !containerRef.value) return;
  terminalInstance.mount(containerRef.value);
  setTimeout(() => {
    terminalInstance.fit();
    terminalInstance.terminal.focus();
    const resizeCmd = _backend === "ssh" ? "ssh_resize" : "pty_resize";
    invoke(resizeCmd, {
      sessionId: sessionId.value,
      cols: terminalInstance.terminal.cols,
      rows: terminalInstance.terminal.rows,
    }).catch(() => {});
  }, 50);
  // On window close, emit event so main window reattaches the tab
  const appWindow = getCurrentWindow();
  appWindow.onCloseRequested(async () => {
    // Emit a custom event that the main window listens for
    const { emit } = await import("@tauri-apps/api/event");
    await emit("session:reattach", {
      sessionId: sessionId.value,
      name: sessionName.value,
      protocol: protocol.value,
    });
  });
 });
 onBeforeUnmount(() => {
  terminalInstance.destroy();
 });
 </script>
--- a/src/components/session/SessionContainer.vue
+++ b/src/components/session/SessionContainer.vue
@ -14,6 +14,19 @@
      />
    </div>
    <!-- Local PTY views — v-show keeps xterm alive across tab switches -->
    <div
      v-for="session in localSessions"
      :key="session.id"
      v-show="session.id === sessionStore.activeSessionId"
      class="absolute inset-0"
    >
      <LocalTerminalView
        :session-id="session.id"
        :is-active="session.id === sessionStore.activeSessionId"
      />
    </div>
    <!-- RDP views — toolbar + canvas, kept alive via v-show -->
    <div
      v-for="session in rdpSessions"
@ -60,6 +73,7 @@ import { computed, ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useSessionStore } from "@/stores/session.store";
 import TerminalView from "@/components/terminal/TerminalView.vue";
 import LocalTerminalView from "@/components/terminal/LocalTerminalView.vue";
 import RdpView from "@/components/rdp/RdpView.vue";
 import RdpToolbar from "@/components/rdp/RdpToolbar.vue";
 import { ScancodeMap } from "@/composables/useRdp";
@ -77,12 +91,17 @@ function setTerminalRef(sessionId: string, el: unknown): void {
 const sessionStore = useSessionStore();
 // Only render sessions that are active (not detached to separate windows)
 const sshSessions = computed(() =>
-  sessionStore.sessions.filter((s) => s.protocol === "ssh"),
+  sessionStore.sessions.filter((s) => s.protocol === "ssh" && s.active),
 );
 const localSessions = computed(() =>
  sessionStore.sessions.filter((s) => s.protocol === "local" && s.active),
 );
 const rdpSessions = computed(() =>
-  sessionStore.sessions.filter((s) => s.protocol === "rdp"),
+  sessionStore.sessions.filter((s) => s.protocol === "rdp" && s.active),
 );
 /**
--- a/src/components/session/TabBadge.vue
+++ b/src/components/session/TabBadge.vue
@ -31,17 +31,21 @@ import { computed } from "vue";
 const props = defineProps<{
  /** Connection protocol — drives the protocol-dot colour. */
-  protocol: "ssh" | "rdp";
+  protocol: "ssh" | "rdp" | "local";
  /** Username from the active session (if known). */
  username?: string;
  /** Raw tags from the connection record. */
  tags?: string[];
  /** Connection status — drives the dot colour. */
  status?: "connected" | "disconnected";
 }>();
-/** Green for SSH, blue for RDP. */
+/** Green=connected SSH, blue=connected RDP, purple=local, red=disconnected. */
-const protocolDotClass = computed(() =>
+const protocolDotClass = computed(() => {
-  props.protocol === "ssh" ? "bg-[#3fb950]" : "bg-[#1f6feb]",
+  if (props.status === "disconnected") return "bg-[#f85149]";
-);
+  if (props.protocol === "local") return "bg-[#bc8cff]";
  return props.protocol === "ssh" ? "bg-[#3fb950]" : "bg-[#1f6feb]";
 });
 /** True when the session is running as root or Administrator. */
 const isRoot = computed(() => {
--- a/src/components/session/TabBar.vue
+++ b/src/components/session/TabBar.vue
@ -2,23 +2,35 @@
  <div class="flex items-center bg-[var(--wraith-bg-secondary)] border-b border-[var(--wraith-border)] h-9 shrink-0">
    <!-- Tabs -->
    <div class="flex items-center overflow-x-auto min-w-0">
-      <button
+      <div
-        v-for="session in sessionStore.sessions"
+        v-for="(session, index) in sessionStore.sessions"
        :key="session.id"
-        class="group flex items-center gap-1.5 px-3 h-9 text-xs whitespace-nowrap border-r border-[var(--wraith-border)] transition-all duration-500 cursor-pointer shrink-0"
+        draggable="true"
        role="tab"
        class="group flex items-center gap-1.5 px-3 h-9 text-xs whitespace-nowrap border-r border-[var(--wraith-border)] transition-all duration-500 cursor-pointer shrink-0 select-none"
        :class="[
          session.id === sessionStore.activeSessionId
            ? 'bg-[var(--wraith-bg-primary)] text-[var(--wraith-text-primary)] border-b-2 border-b-[var(--wraith-accent-blue)]'
            : 'text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-secondary)] hover:bg-[var(--wraith-bg-tertiary)]',
          isRootUser(session) ? 'border-t-2 border-t-[#f8514966]' : '',
          dragOverIndex === index ? 'border-l-2 border-l-[var(--wraith-accent-blue)]' : '',
          session.hasActivity && session.id !== sessionStore.activeSessionId ? 'animate-pulse text-[var(--wraith-accent-blue)]' : '',
          !session.active ? 'opacity-40 italic' : '',
        ]"
        @click="sessionStore.activateSession(session.id)"
        @dragstart="onDragStart(index, $event)"
        @dragover.prevent="onDragOver(index)"
        @dragleave="dragOverIndex = -1"
        @drop.prevent="onDrop(index)"
        @dragend="draggedIndex = -1; dragOverIndex = -1"
        @contextmenu.prevent="showTabMenu($event, session)"
      >
        <!-- Badge: protocol dot + root dot + env pills -->
        <TabBadge
          :protocol="session.protocol"
          :username="session.username"
          :tags="getSessionTags(session)"
          :status="session.status"
        />
        <span>{{ session.name }}</span>
@ -30,20 +42,54 @@
        >
          &times;
        </span>
-      </button>
+      </div>
    </div>
-    <!-- New tab button -->
+    <!-- New tab button with shell dropdown -->
    <div class="relative shrink-0">
      <button
-      class="flex items-center justify-center w-9 h-9 text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-primary)] hover:bg-[var(--wraith-bg-tertiary)] transition-colors cursor-pointer shrink-0"
+        class="flex items-center justify-center w-9 h-9 text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-primary)] hover:bg-[var(--wraith-bg-tertiary)] transition-colors cursor-pointer"
-      title="New session"
+        title="New local terminal"
        @click="toggleShellMenu"
        @blur="closeShellMenuDeferred"
      >
        +
      </button>
      <div
        v-if="shellMenuOpen"
        class="absolute top-full right-0 mt-0.5 w-48 bg-[#161b22] border border-[#30363d] rounded-lg shadow-2xl overflow-hidden z-50 py-1"
      >
        <button
          v-for="shell in availableShells"
          :key="shell.path"
          class="w-full flex items-center gap-2 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
          @mousedown.prevent="spawnShell(shell)"
        >
          {{ shell.name }}
        </button>
        <div v-if="availableShells.length === 0" class="px-4 py-2 text-xs text-[var(--wraith-text-muted)]">
          No shells found
        </div>
      </div>
    </div>
    <!-- Tab context menu -->
    <Teleport to="body">
      <div v-if="tabMenu.visible" class="fixed z-[100] w-44 bg-[#161b22] border border-[#30363d] rounded-lg shadow-2xl overflow-hidden py-1"
        :style="{ top: tabMenu.y + 'px', left: tabMenu.x + 'px' }">
        <button class="w-full px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] cursor-pointer"
          @click="detachTab">Detach to Window</button>
        <div class="border-t border-[#30363d] my-1" />
        <button class="w-full px-4 py-2 text-xs text-left text-[var(--wraith-accent-red)] hover:bg-[#30363d] cursor-pointer"
          @click="closeMenuTab">Close</button>
      </div>
      <div v-if="tabMenu.visible" class="fixed inset-0 z-[99]" @click="tabMenu.visible = false" @contextmenu.prevent="tabMenu.visible = false" />
    </Teleport>
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted, onBeforeUnmount } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useSessionStore, type Session } from "@/stores/session.store";
 import { useConnectionStore } from "@/stores/connection.store";
 import TabBadge from "@/components/session/TabBadge.vue";
@ -51,6 +97,110 @@ import TabBadge from "@/components/session/TabBadge.vue";
 const sessionStore = useSessionStore();
 const connectionStore = useConnectionStore();
 // Shell menu for + button
 interface ShellInfo { name: string; path: string; }
 const availableShells = ref<ShellInfo[]>([]);
 const shellMenuOpen = ref(false);
 function toggleShellMenu(): void {
  shellMenuOpen.value = !shellMenuOpen.value;
 }
 function closeShellMenuDeferred(): void {
  setTimeout(() => { shellMenuOpen.value = false; }, 150);
 }
 async function spawnShell(shell: ShellInfo): Promise<void> {
  shellMenuOpen.value = false;
  await sessionStore.spawnLocalTab(shell.name, shell.path);
 }
 // Tab right-click context menu
 const tabMenu = ref<{ visible: boolean; x: number; y: number; session: Session | null }>({
  visible: false, x: 0, y: 0, session: null,
 });
 function showTabMenu(event: MouseEvent, session: Session): void {
  tabMenu.value = { visible: true, x: event.clientX, y: event.clientY, session };
 }
 async function detachTab(): Promise<void> {
  const session = tabMenu.value.session;
  tabMenu.value.visible = false;
  if (!session) return;
  // Mark as detached in the store
  session.active = false;
  // Open a new Tauri window for this session
  try {
    await invoke("open_child_window", {
      label: `detached-${session.id.substring(0, 8)}-${Date.now()}`,
      title: `${session.name} — Wraith`,
      url: `index.html#/detached-session?sessionId=${session.id}&name=${encodeURIComponent(session.name)}&protocol=${session.protocol}`,
      width: 900, height: 600,
    });
  } catch (err) { console.error("Detach window error:", err); }
 }
 function closeMenuTab(): void {
  const session = tabMenu.value.session;
  tabMenu.value.visible = false;
  if (session) sessionStore.closeSession(session.id);
 }
 import { listen } from "@tauri-apps/api/event";
 import type { UnlistenFn } from "@tauri-apps/api/event";
 let unlistenReattach: UnlistenFn | null = null;
 onMounted(async () => {
  try {
    availableShells.value = await invoke<ShellInfo[]>("list_available_shells");
  } catch {
    availableShells.value = [];
  }
  unlistenReattach = await listen<{ sessionId: string; name: string; protocol: string }>("session:reattach", (event) => {
    const { sessionId } = event.payload;
    const session = sessionStore.sessions.find(s => s.id === sessionId);
    if (session) {
      session.active = true;
      sessionStore.activateSession(sessionId);
    }
  });
 });
 onBeforeUnmount(() => {
  unlistenReattach?.();
 });
 // Drag-and-drop tab reordering
 const draggedIndex = ref(-1);
 const dragOverIndex = ref(-1);
 function onDragStart(index: number, event: DragEvent): void {
  draggedIndex.value = index;
  if (event.dataTransfer) {
    event.dataTransfer.effectAllowed = "move";
    event.dataTransfer.setData("text/plain", String(index));
  }
 }
 function onDragOver(index: number): void {
  if (draggedIndex.value !== -1 && draggedIndex.value !== index) {
    dragOverIndex.value = index;
  }
 }
 function onDrop(toIndex: number): void {
  if (draggedIndex.value !== -1 && draggedIndex.value !== toIndex) {
    sessionStore.moveSession(draggedIndex.value, toIndex);
  }
  draggedIndex.value = -1;
  dragOverIndex.value = -1;
 }
 /** Get tags for a session's underlying connection. */
 function getSessionTags(session: Session): string[] {
  const conn = connectionStore.connections.find((c) => c.id === session.connectionId);
--- a/src/components/sftp/FileTree.vue
+++ b/src/components/sftp/FileTree.vue
@ -98,6 +98,7 @@
          :class="{ 'bg-[var(--wraith-bg-tertiary)] ring-1 ring-inset ring-[var(--wraith-accent-blue)]': selectedEntry?.path === entry.path }"
          @click="selectedEntry = entry"
          @dblclick="handleEntryDblClick(entry)"
          @contextmenu.prevent="openContextMenu($event, entry)"
        >
          <!-- Icon -->
          <svg
@ -136,6 +137,62 @@
      </template>
    </div>
    <!-- Context menu -->
    <Teleport to="body">
      <div
        v-if="contextMenu.visible"
        class="fixed z-[100] w-44 bg-[#161b22] border border-[#30363d] rounded-lg shadow-2xl overflow-hidden py-1"
        :style="{ top: contextMenu.y + 'px', left: contextMenu.x + 'px' }"
        @click="contextMenu.visible = false"
        @contextmenu.prevent
      >
        <button
          v-if="!contextMenu.entry?.isDir"
          class="w-full flex items-center gap-2 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] cursor-pointer"
          @click="handleEdit(contextMenu.entry!)"
        >
          Edit
        </button>
        <button
          v-if="!contextMenu.entry?.isDir"
          class="w-full flex items-center gap-2 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] cursor-pointer"
          @click="selectedEntry = contextMenu.entry!; handleDownload()"
        >
          Download
        </button>
        <button
          v-if="contextMenu.entry?.isDir"
          class="w-full flex items-center gap-2 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] cursor-pointer"
          @click="navigateTo(contextMenu.entry!.path)"
        >
          Open Folder
        </button>
        <button
          class="w-full flex items-center gap-2 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] cursor-pointer"
          @click="handleRename(contextMenu.entry!)"
        >
          Rename
        </button>
        <div class="border-t border-[#30363d] my-1" />
        <button
          class="w-full flex items-center gap-2 px-4 py-2 text-xs text-left text-[var(--wraith-accent-red)] hover:bg-[#30363d] cursor-pointer"
          @click="selectedEntry = contextMenu.entry!; handleDelete()"
        >
          Delete
        </button>
      </div>
    </Teleport>
    <!-- Click-away handler to close context menu -->
    <Teleport to="body">
      <div
        v-if="contextMenu.visible"
        class="fixed inset-0 z-[99]"
        @click="contextMenu.visible = false"
        @contextmenu.prevent="contextMenu.visible = false"
      />
    </Teleport>
    <!-- Follow terminal toggle -->
    <div class="flex items-center gap-2 px-3 py-1.5 border-t border-[var(--wraith-border)]">
      <label class="flex items-center gap-1.5 cursor-pointer text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-secondary)] transition-colors">
@ -151,7 +208,7 @@
 </template>
 <script setup lang="ts">
-import { ref } from "vue";
+import { ref, toRef } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useSftp, type FileEntry } from "@/composables/useSftp";
 import { useTransfers } from "@/composables/useTransfers";
@ -164,12 +221,41 @@ const emit = defineEmits<{
  openFile: [entry: FileEntry];
 }>();
-const { currentPath, entries, isLoading, followTerminal, navigateTo, goUp, refresh } = useSftp(props.sessionId);
+const { currentPath, entries, isLoading, followTerminal, navigateTo, goUp, refresh } = useSftp(toRef(props, 'sessionId'));
 const { addTransfer, completeTransfer, failTransfer } = useTransfers();
 /** Currently selected entry (single-click to select, double-click to open/navigate). */
 const selectedEntry = ref<FileEntry | null>(null);
 /** Right-click context menu state. */
 const contextMenu = ref<{ visible: boolean; x: number; y: number; entry: FileEntry | null }>({
  visible: false, x: 0, y: 0, entry: null,
 });
 function openContextMenu(event: MouseEvent, entry: FileEntry): void {
  selectedEntry.value = entry;
  contextMenu.value = { visible: true, x: event.clientX, y: event.clientY, entry };
 }
 function handleEdit(entry: FileEntry): void {
  emit("openFile", entry);
 }
 async function handleRename(entry: FileEntry): Promise<void> {
  const newName = prompt("Rename to:", entry.name);
  if (!newName || !newName.trim() || newName.trim() === entry.name) return;
  const parentPath = entry.path.substring(0, entry.path.lastIndexOf("/"));
  const newPath = parentPath + "/" + newName.trim();
  try {
    await invoke("sftp_rename", { sessionId: props.sessionId, oldPath: entry.path, newPath });
    await refresh();
  } catch (err) {
    console.error("SFTP rename error:", err);
  }
 }
 /** Hidden file input element used for the upload flow. */
 const fileInputRef = ref<HTMLInputElement | null>(null);
@ -285,6 +371,31 @@ function handleFileSelected(event: Event): void {
    failTransfer(transferId);
  };
  // Guard: the backend sftp_write_file command accepts a UTF-8 string only.
  // Binary files (images, archives, executables, etc.) will be corrupted if
  // sent as text. Warn and abort for known binary extensions or large files.
  const BINARY_EXTENSIONS = new Set([
    "png", "jpg", "jpeg", "gif", "webp", "bmp", "ico", "tiff", "svg",
    "zip", "tar", "gz", "bz2", "xz", "7z", "rar", "zst",
    "exe", "dll", "so", "dylib", "bin", "elf",
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "mp3", "mp4", "avi", "mkv", "mov", "flac", "wav", "ogg",
    "ttf", "otf", "woff", "woff2",
    "db", "sqlite", "sqlite3",
  ]);
  const ext = file.name.split(".").pop()?.toLowerCase() ?? "";
  const isBinary = BINARY_EXTENSIONS.has(ext);
  const isLarge = file.size > 1 * 1024 * 1024; // 1 MB
  if (isBinary || isLarge) {
    const reason = isBinary
      ? `"${ext}" files are binary and cannot be safely uploaded as text`
      : `file is ${(file.size / (1024 * 1024)).toFixed(1)} MB — only text files under 1 MB are supported`;
    alert(`Upload blocked: ${reason}.\n\nBinary file upload support will be added in a future release.`);
    failTransfer(transferId);
    return;
  }
  reader.readAsText(file);
 }
--- a/src/components/sftp/TransferProgress.vue
+++ b/src/components/sftp/TransferProgress.vue
@ -52,11 +52,15 @@
 </template>
 <script setup lang="ts">
-import { ref } from "vue";
+import { ref, watch } from "vue";
 import { useTransfers } from "@/composables/useTransfers";
 const expanded = ref(false);
 const { transfers } = useTransfers();
 // Auto-expand when transfers become active, collapse when all are gone
-const { transfers } = useTransfers();
+watch(() => transfers.value.length, (newLen, oldLen) => {
  if (newLen > 0 && oldLen === 0) expanded.value = true;
  if (newLen === 0) expanded.value = false;
 });
 </script>
--- a/src/components/sidebar/ConnectionTree.vue
+++ b/src/components/sidebar/ConnectionTree.vue
@ -28,10 +28,17 @@
      <!-- Only show groups that have matching connections during search -->
      <div v-if="!connectionStore.searchQuery || connectionStore.groupHasResults(group.id)">
        <!-- Group header -->
-        <button
+        <div
-          class="w-full flex items-center gap-1.5 px-3 py-1.5 text-xs hover:bg-[var(--wraith-bg-tertiary)] transition-colors cursor-pointer"
+          class="w-full flex items-center gap-1.5 px-3 py-1.5 text-xs hover:bg-[var(--wraith-bg-tertiary)] transition-colors cursor-pointer select-none"
          :class="{ 'border-t-2 border-t-[var(--wraith-accent-blue)]': dragOverGroupId === group.id }"
          draggable="true"
          @click="toggleGroup(group.id)"
          @contextmenu.prevent="showGroupMenu($event, group)"
          @dragstart="onGroupDragStart(group, $event)"
          @dragover.prevent="onGroupDragOver(group)"
          @dragleave="dragOverGroupId = null"
          @drop.prevent="onGroupDrop(group)"
          @dragend="resetDragState"
        >
          <!-- Chevron -->
          <svg
@ -58,16 +65,23 @@
          <span class="ml-auto text-[var(--wraith-text-muted)] text-[10px]">
            {{ connectionStore.connectionsByGroup(group.id).length }}
          </span>
-        </button>
+        </div>
        <!-- Connections in group -->
        <div v-if="expandedGroups.has(group.id)">
-          <button
+          <div
            v-for="conn in connectionStore.connectionsByGroup(group.id)"
            :key="conn.id"
-            class="w-full flex items-center gap-2 pl-8 pr-3 py-1.5 text-xs hover:bg-[var(--wraith-bg-tertiary)] transition-colors cursor-pointer"
+            draggable="true"
            class="w-full flex items-center gap-2 pl-8 pr-3 py-1.5 text-xs hover:bg-[var(--wraith-bg-tertiary)] transition-colors cursor-pointer select-none"
            :class="{ 'border-t-2 border-t-[var(--wraith-accent-blue)]': dragOverConnId === conn.id }"
            @dblclick="handleConnect(conn)"
            @contextmenu.prevent="showConnectionMenu($event, conn)"
            @dragstart="onConnDragStart(conn, group.id, $event)"
            @dragover.prevent="onConnDragOver(conn)"
            @dragleave="dragOverConnId = null"
            @drop.prevent="onConnDrop(conn, group.id)"
            @dragend="resetDragState"
          >
            <!-- Protocol dot -->
            <span
@ -82,7 +96,7 @@
            >
              {{ tag }}
            </span>
-          </button>
+          </div>
        </div>
      </div>
    </template>
@ -96,7 +110,7 @@
 </template>
 <script setup lang="ts">
-import { ref } from "vue";
+import { ref, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useConnectionStore, type Connection, type Group } from "@/stores/connection.store";
 import { useSessionStore } from "@/stores/session.store";
@ -118,11 +132,107 @@ const sessionStore = useSessionStore();
 const contextMenu = ref<InstanceType<typeof ContextMenu> | null>(null);
 const editDialog = ref<InstanceType<typeof ConnectionEditDialog> | null>(null);
 // ── Drag and drop reordering ──────────────────────────────────────────────────
 const dragOverGroupId = ref<number | null>(null);
 const dragOverConnId = ref<number | null>(null);
 let draggedGroup: Group | null = null;
 let draggedConn: { conn: Connection; fromGroupId: number } | null = null;
 function onGroupDragStart(group: Group, event: DragEvent): void {
  draggedGroup = group;
  draggedConn = null;
  event.dataTransfer?.setData("text/plain", `group:${group.id}`);
 }
 function onGroupDragOver(target: Group): void {
  if (draggedGroup && draggedGroup.id !== target.id) {
    dragOverGroupId.value = target.id;
  }
  // Allow dropping connections onto groups to move them
  if (draggedConn) {
    dragOverGroupId.value = target.id;
  }
 }
 async function onGroupDrop(target: Group): Promise<void> {
  if (draggedGroup && draggedGroup.id !== target.id) {
    const groups = connectionStore.groups;
    const fromIdx = groups.findIndex(g => g.id === draggedGroup!.id);
    const toIdx = groups.findIndex(g => g.id === target.id);
    if (fromIdx !== -1 && toIdx !== -1) {
      const [moved] = groups.splice(fromIdx, 1);
      groups.splice(toIdx, 0, moved);
      // Persist new order
      const ids = groups.map(g => g.id);
      invoke("reorder_groups", { ids }).catch(console.error);
    }
  }
  if (draggedConn && draggedConn.fromGroupId !== target.id) {
    try {
      await invoke("update_connection", { id: draggedConn.conn.id, input: { groupId: target.id } });
      await connectionStore.loadAll();
    } catch (err) { console.error("Failed to move connection:", err); }
  }
  resetDragState();
 }
 function onConnDragStart(conn: Connection, groupId: number, event: DragEvent): void {
  draggedConn = { conn, fromGroupId: groupId };
  draggedGroup = null;
  event.dataTransfer?.setData("text/plain", `conn:${conn.id}`);
 }
 function onConnDragOver(target: Connection): void {
  if (draggedConn && draggedConn.conn.id !== target.id) {
    dragOverConnId.value = target.id;
  }
 }
 async function onConnDrop(target: Connection, targetGroupId: number): Promise<void> {
  if (draggedConn && draggedConn.conn.id !== target.id) {
    if (draggedConn.fromGroupId !== targetGroupId) {
      try {
        await invoke("update_connection", { id: draggedConn.conn.id, input: { groupId: targetGroupId } });
        await connectionStore.loadAll();
      } catch (err) { console.error("Failed to move connection:", err); }
    } else {
      const conns = connectionStore.connectionsByGroup(targetGroupId);
      const fromIdx = conns.findIndex(c => c.id === draggedConn!.conn.id);
      const toIdx = conns.findIndex(c => c.id === target.id);
      if (fromIdx !== -1 && toIdx !== -1) {
        const [moved] = conns.splice(fromIdx, 1);
        conns.splice(toIdx, 0, moved);
        // Persist new order
        const ids = conns.map(c => c.id);
        invoke("reorder_connections", { ids }).catch(console.error);
      }
    }
  }
  resetDragState();
 }
 function resetDragState(): void {
  draggedGroup = null;
  draggedConn = null;
  dragOverGroupId.value = null;
  dragOverConnId.value = null;
 }
 // All groups expanded by default
 const expandedGroups = ref<Set<number>>(
  new Set(connectionStore.groups.map((g) => g.id)),
 );
 // Auto-expand groups added after initial load
 watch(() => connectionStore.groups, (newGroups) => {
  for (const group of newGroups) {
    if (!expandedGroups.value.has(group.id)) {
      expandedGroups.value.add(group.id);
    }
  }
 }, { deep: true });
 function toggleGroup(groupId: number): void {
  if (expandedGroups.value.has(groupId)) {
    expandedGroups.value.delete(groupId);
--- a/src/components/sidebar/SidebarToggle.vue
+++ b/src/components/sidebar/SidebarToggle.vue
@ -5,11 +5,11 @@
      :key="tab.id"
      class="flex-1 py-2 text-xs font-medium text-center transition-colors cursor-pointer"
      :class="
-        modelValue === tab.id
+        model === tab.id
          ? 'text-[var(--wraith-accent-blue)] border-b-2 border-[var(--wraith-accent-blue)]'
          : 'text-[var(--wraith-text-muted)] hover:text-[var(--wraith-text-secondary)]'
      "
-      @click="emit('update:modelValue', tab.id)"
+      @click="model = tab.id"
    >
      {{ tab.label }}
    </button>
@ -24,11 +24,5 @@ const tabs = [
  { id: "sftp" as const, label: "SFTP" },
 ];
-defineProps<{
+const model = defineModel<SidebarTab>();
  modelValue: SidebarTab;
 }>();
 const emit = defineEmits<{
  "update:modelValue": [tab: SidebarTab];
 }>();
 </script>
--- a/src/components/terminal/LocalTerminalView.vue
+++ b/src/components/terminal/LocalTerminalView.vue
@ -0,0 +1,112 @@
 <template>
  <div class="flex flex-col h-full">
    <div
      ref="containerRef"
      class="terminal-container flex-1"
      @click="terminal.focus()"
    />
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted, onBeforeUnmount, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useTerminal } from "@/composables/useTerminal";
 import { useSessionStore } from "@/stores/session.store";
 import "@/assets/css/terminal.css";
 const props = defineProps<{
  sessionId: string;
  isActive: boolean;
 }>();
 const sessionStore = useSessionStore();
 const containerRef = ref<HTMLElement | null>(null);
 const { terminal, mount, fit, destroy } = useTerminal(props.sessionId, "pty");
 /** Apply the session store's active theme to this local terminal instance. */
 function applyTheme(): void {
  const theme = sessionStore.activeTheme;
  if (!theme) return;
  terminal.options.theme = {
    background: theme.background,
    foreground: theme.foreground,
    cursor: theme.cursor,
    cursorAccent: theme.background,
    selectionBackground: theme.selectionBackground ?? "#264f78",
    selectionForeground: theme.selectionForeground ?? "#ffffff",
    selectionInactiveBackground: theme.selectionBackground ?? "#264f78",
    black: theme.black,
    red: theme.red,
    green: theme.green,
    yellow: theme.yellow,
    blue: theme.blue,
    magenta: theme.magenta,
    cyan: theme.cyan,
    white: theme.white,
    brightBlack: theme.brightBlack,
    brightRed: theme.brightRed,
    brightGreen: theme.brightGreen,
    brightYellow: theme.brightYellow,
    brightBlue: theme.brightBlue,
    brightMagenta: theme.brightMagenta,
    brightCyan: theme.brightCyan,
    brightWhite: theme.brightWhite,
  };
  if (containerRef.value) {
    containerRef.value.style.backgroundColor = theme.background;
  }
  terminal.refresh(0, terminal.rows - 1);
 }
 onMounted(() => {
  if (containerRef.value) {
    mount(containerRef.value);
  }
  // Apply current theme immediately if one is already active
  if (sessionStore.activeTheme) {
    applyTheme();
  }
  setTimeout(() => {
    fit();
    terminal.focus();
    invoke("pty_resize", {
      sessionId: props.sessionId,
      cols: terminal.cols,
      rows: terminal.rows,
    }).catch(() => {});
  }, 50);
 });
 watch(
  () => props.isActive,
  (active) => {
    if (active) {
      requestAnimationFrame(() => {
        requestAnimationFrame(() => {
          fit();
          terminal.focus();
          invoke("pty_resize", {
            sessionId: props.sessionId,
            cols: terminal.cols,
            rows: terminal.rows,
          }).catch(() => {});
        });
      });
    }
  },
 );
 // Watch for theme changes and apply to this local terminal
 watch(() => sessionStore.activeTheme, (newTheme) => {
  if (newTheme) applyTheme();
 }, { deep: true });
 onBeforeUnmount(() => {
  destroy();
 });
 </script>
--- a/src/components/terminal/MonitorBar.vue
+++ b/src/components/terminal/MonitorBar.vue
@ -0,0 +1,97 @@
 <template>
  <div
    v-if="stats"
    class="flex items-center gap-4 px-6 h-[48px] bg-[var(--wraith-bg-tertiary)] border-t border-[var(--wraith-border)] text-base font-mono shrink-0 select-none"
  >
    <!-- CPU -->
    <span class="flex items-center gap-1">
      <span class="text-[var(--wraith-text-muted)]">CPU</span>
      <span :class="colorClass(stats.cpuPercent, 50, 80)">{{ stats.cpuPercent.toFixed(0) }}%</span>
    </span>
    <!-- RAM -->
    <span class="flex items-center gap-1">
      <span class="text-[var(--wraith-text-muted)]">RAM</span>
      <span :class="colorClass(stats.memPercent, 50, 80)">{{ stats.memUsedMb }}M/{{ stats.memTotalMb }}M ({{ stats.memPercent.toFixed(0) }}%)</span>
    </span>
    <!-- Disk -->
    <span class="flex items-center gap-1">
      <span class="text-[var(--wraith-text-muted)]">DISK</span>
      <span :class="colorClass(stats.diskPercent, 70, 90)">{{ stats.diskUsedGb.toFixed(0) }}G/{{ stats.diskTotalGb.toFixed(0) }}G ({{ stats.diskPercent.toFixed(0) }}%)</span>
    </span>
    <!-- Network -->
    <span class="flex items-center gap-1">
      <span class="text-[var(--wraith-text-muted)]">NET</span>
      <span class="text-[var(--wraith-text-secondary)]">{{ formatBytes(stats.netRxBytes) }}↓ {{ formatBytes(stats.netTxBytes) }}↑</span>
    </span>
    <!-- OS -->
    <span class="text-[var(--wraith-text-muted)] ml-auto">{{ stats.osType }}</span>
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted, onBeforeUnmount, watch } from "vue";
 import { listen, type UnlistenFn } from "@tauri-apps/api/event";
 const props = defineProps<{
  sessionId: string;
 }>();
 interface SystemStats {
  cpuPercent: number;
  memUsedMb: number;
  memTotalMb: number;
  memPercent: number;
  diskUsedGb: number;
  diskTotalGb: number;
  diskPercent: number;
  netRxBytes: number;
  netTxBytes: number;
  osType: string;
 }
 const stats = ref<SystemStats | null>(null);
 let unlistenFn: UnlistenFn | null = null;
 let subscribeGeneration = 0;
 function colorClass(value: number, warnThreshold: number, critThreshold: number): string {
  if (value >= critThreshold) return "text-[#f85149]"; // red
  if (value >= warnThreshold) return "text-[#e3b341]"; // amber
  return "text-[#3fb950]"; // green
 }
 function formatBytes(bytes: number): string {
  if (bytes >= 1073741824) return (bytes / 1073741824).toFixed(1) + "G";
  if (bytes >= 1048576) return (bytes / 1048576).toFixed(1) + "M";
  if (bytes >= 1024) return (bytes / 1024).toFixed(0) + "K";
  return bytes + "B";
 }
 async function subscribe(): Promise<void> {
  const gen = ++subscribeGeneration;
  if (unlistenFn) unlistenFn();
  const fn = await listen<SystemStats>(`ssh:monitor:${props.sessionId}`, (event) => {
    stats.value = event.payload;
  });
  if (gen !== subscribeGeneration) {
    // A newer subscribe() call has already taken over — discard this listener
    fn();
    return;
  }
  unlistenFn = fn;
 }
 onMounted(subscribe);
 watch(() => props.sessionId, () => {
  stats.value = null;
  subscribe();
 });
 onBeforeUnmount(() => {
  if (unlistenFn) unlistenFn();
 });
 </script>
--- a/src/components/terminal/TerminalView.vue
+++ b/src/components/terminal/TerminalView.vue
@ -52,13 +52,19 @@
      @click="handleFocus"
      @focus="handleFocus"
    />
    <!-- Remote monitoring bar -->
    <MonitorBar :session-id="props.sessionId" />
  </div>
 </template>
 <script setup lang="ts">
-import { ref, nextTick, onMounted, watch } from "vue";
+import { ref, nextTick, onMounted, onBeforeUnmount, watch } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { useTerminal } from "@/composables/useTerminal";
 import { useSessionStore } from "@/stores/session.store";
 import MonitorBar from "@/components/terminal/MonitorBar.vue";
 import type { IDisposable } from "@xterm/xterm";
 import "@/assets/css/terminal.css";
 const props = defineProps<{
@ -69,6 +75,11 @@ const props = defineProps<{
 const sessionStore = useSessionStore();
 const containerRef = ref<HTMLElement | null>(null);
 const { terminal, searchAddon, mount, fit } = useTerminal(props.sessionId);
 let resizeDisposable: IDisposable | null = null;
 function handleFocus(): void {
  terminal.focus();
 }
 // --- Search state ---
 const searchVisible = ref(false);
@ -134,7 +145,7 @@ onMounted(() => {
  }
  // Track terminal dimensions in the session store
-  terminal.onResize(({ cols, rows }) => {
+  resizeDisposable = terminal.onResize(({ cols, rows }) => {
    sessionStore.setTerminalDimensions(props.sessionId, cols, rows);
  });
@ -145,15 +156,27 @@ onMounted(() => {
  }, 50);
 });
-// Re-fit and focus terminal when switching back to this tab
+// Re-fit and focus terminal when switching back to this tab.
 // Must wait for the container to have real dimensions after becoming visible.
 watch(
  () => props.isActive,
  (active) => {
    if (active) {
-      setTimeout(() => {
+      // Double rAF ensures the container has been laid out by the browser
      requestAnimationFrame(() => {
        requestAnimationFrame(() => {
          fit();
          terminal.focus();
-      }, 0);
+          // Also notify the backend of the correct size
          const session = sessionStore.sessions.find(s => s.id === props.sessionId);
          const resizeCmd = session?.protocol === "local" ? "pty_resize" : "ssh_resize";
          invoke(resizeCmd, {
            sessionId: props.sessionId,
            cols: terminal.cols,
            rows: terminal.rows,
          }).catch(() => {});
        });
      });
    }
  },
 );
@ -166,6 +189,10 @@ function applyTheme(): void {
    background: theme.background,
    foreground: theme.foreground,
    cursor: theme.cursor,
    cursorAccent: theme.background,
    selectionBackground: theme.selectionBackground ?? "#264f78",
    selectionForeground: theme.selectionForeground ?? "#ffffff",
    selectionInactiveBackground: theme.selectionBackground ?? "#264f78",
    black: theme.black,
    red: theme.red,
    green: theme.green,
@ -183,14 +210,27 @@ function applyTheme(): void {
    brightCyan: theme.brightCyan,
    brightWhite: theme.brightWhite,
  };
  // Sync the container background so areas outside the canvas match the theme
  if (containerRef.value) {
    containerRef.value.style.backgroundColor = theme.background;
  }
  // Force xterm.js to repaint all visible rows with the new theme colors
  terminal.refresh(0, terminal.rows - 1);
 }
-// Watch for theme changes in the session store and apply to this terminal
+// Watch for theme changes in the session store and apply to this terminal.
 // Uses deep comparison because the theme is an object — a shallow watch may miss
 // updates if Pinia returns the same reactive proxy wrapper after reassignment.
 watch(() => sessionStore.activeTheme, (newTheme) => {
  if (newTheme) applyTheme();
-});
+}, { deep: true });
-function handleFocus(): void {
+onBeforeUnmount(() => {
-  terminal.focus();
+  if (resizeDisposable) {
-}
+    resizeDisposable.dispose();
    resizeDisposable = null;
  }
 });
 </script>
--- a/src/components/tools/BandwidthTest.vue
+++ b/src/components/tools/BandwidthTest.vue
@ -0,0 +1,43 @@
 <template>
  <ToolShell ref="shell" placeholder="Select a mode and click Run Test">
    <template #default="{ running }">
      <select v-model="mode" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none cursor-pointer">
        <option value="speedtest">Internet Speed Test</option>
        <option value="iperf">iperf3 (LAN)</option>
      </select>
      <template v-if="mode === 'iperf'">
        <input v-model="server" type="text" placeholder="iperf3 server IP" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-40" />
        <input v-model.number="duration" type="number" min="1" max="60" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-16" />
        <span class="text-xs text-[#484f58]">sec</span>
      </template>
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="run">
        {{ running ? "Testing..." : "Run Test" }}
      </button>
    </template>
  </ToolShell>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const mode = ref("speedtest");
 const server = ref("");
 const duration = ref(5);
 const shell = ref<InstanceType<typeof ToolShell> | null>(null);
 async function run(): Promise<void> {
  if (mode.value === "iperf" && !server.value) {
    shell.value?.setOutput("Enter an iperf3 server IP");
    return;
  }
  shell.value?.execute(() => {
    if (mode.value === "iperf") {
      return invoke<string>("tool_bandwidth_iperf", { sessionId: props.sessionId, server: server.value, duration: duration.value });
    }
    return invoke<string>("tool_bandwidth_speedtest", { sessionId: props.sessionId });
  });
 }
 </script>
--- a/src/components/tools/DnsLookup.vue
+++ b/src/components/tools/DnsLookup.vue
@ -0,0 +1,29 @@
 <template>
  <ToolShell ref="shell" placeholder="Enter a domain and click Lookup">
    <template #default="{ running }">
      <input v-model="domain" type="text" placeholder="Domain name" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="lookup" />
      <select v-model="recordType" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none cursor-pointer">
        <option v-for="t in ['A','AAAA','MX','NS','TXT','CNAME','SOA','SRV','PTR']" :key="t" :value="t">{{ t }}</option>
      </select>
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="lookup">Lookup</button>
    </template>
  </ToolShell>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const domain = ref("");
 const recordType = ref("A");
 const shell = ref<InstanceType<typeof ToolShell> | null>(null);
 async function lookup(): Promise<void> {
  if (!domain.value) return;
  shell.value?.execute(() =>
    invoke<string>("tool_dns_lookup", { sessionId: props.sessionId, domain: domain.value, recordType: recordType.value })
  );
 }
 </script>
--- a/src/components/tools/DockerPanel.vue
+++ b/src/components/tools/DockerPanel.vue
@ -0,0 +1,117 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-3">
    <!-- Tabs -->
    <div class="flex items-center gap-2">
      <button v-for="t in ['containers','images','volumes']" :key="t"
        class="px-3 py-1 text-xs rounded cursor-pointer transition-colors"
        :class="tab === t ? 'bg-[#58a6ff] text-black font-bold' : 'bg-[#21262d] text-[#8b949e] hover:text-white'"
        @click="tab = t; refresh()"
      >{{ t.charAt(0).toUpperCase() + t.slice(1) }}</button>
      <div class="ml-auto flex gap-1">
        <button class="px-2 py-1 text-[10px] rounded bg-[#21262d] text-[#8b949e] hover:text-white cursor-pointer" @click="refresh">Refresh</button>
        <button class="px-2 py-1 text-[10px] rounded bg-[#da3633] text-white cursor-pointer" @click="action('builder-prune', '')">Builder Prune</button>
        <button class="px-2 py-1 text-[10px] rounded bg-[#da3633] text-white cursor-pointer" @click="action('system-prune', '')">System Prune</button>
      </div>
    </div>
    <!-- Containers -->
    <div v-if="tab === 'containers'" class="flex-1 overflow-auto border border-[#30363d] rounded">
      <table class="w-full text-xs"><thead class="bg-[#161b22] sticky top-0"><tr>
        <th class="text-left px-3 py-2 text-[#8b949e]">Name</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Image</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Status</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Actions</th>
      </tr></thead><tbody>
        <tr v-for="c in containers" :key="c.id" class="border-t border-[#21262d] hover:bg-[#161b22]">
          <td class="px-3 py-1.5 font-mono">{{ c.name }}</td>
          <td class="px-3 py-1.5 text-[#8b949e]">{{ c.image }}</td>
          <td class="px-3 py-1.5" :class="c.status.startsWith('Up') ? 'text-[#3fb950]' : 'text-[#8b949e]'">{{ c.status }}</td>
          <td class="px-3 py-1.5 flex gap-1">
            <button v-if="!c.status.startsWith('Up')" class="px-1.5 py-0.5 text-[10px] rounded bg-[#238636] text-white cursor-pointer" @click="action('start', c.name)">Start</button>
            <button v-if="c.status.startsWith('Up')" class="px-1.5 py-0.5 text-[10px] rounded bg-[#e3b341] text-black cursor-pointer" @click="action('stop', c.name)">Stop</button>
            <button class="px-1.5 py-0.5 text-[10px] rounded bg-[#1f6feb] text-white cursor-pointer" @click="action('restart', c.name)">Restart</button>
            <button class="px-1.5 py-0.5 text-[10px] rounded bg-[#21262d] text-[#8b949e] cursor-pointer" @click="viewLogs(c.name)">Logs</button>
            <button class="px-1.5 py-0.5 text-[10px] rounded bg-[#da3633] text-white cursor-pointer" @click="action('remove', c.name)">Remove</button>
          </td>
        </tr>
      </tbody></table>
    </div>
    <!-- Images -->
    <div v-if="tab === 'images'" class="flex-1 overflow-auto border border-[#30363d] rounded">
      <table class="w-full text-xs"><thead class="bg-[#161b22] sticky top-0"><tr>
        <th class="text-left px-3 py-2 text-[#8b949e]">Repository</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Tag</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Size</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Actions</th>
      </tr></thead><tbody>
        <tr v-for="img in images" :key="img.id" class="border-t border-[#21262d] hover:bg-[#161b22]">
          <td class="px-3 py-1.5 font-mono">{{ img.repository }}</td>
          <td class="px-3 py-1.5">{{ img.tag }}</td>
          <td class="px-3 py-1.5 text-[#8b949e]">{{ img.size }}</td>
          <td class="px-3 py-1.5"><button class="px-1.5 py-0.5 text-[10px] rounded bg-[#da3633] text-white cursor-pointer" @click="action('remove-image', img.id)">Remove</button></td>
        </tr>
      </tbody></table>
    </div>
    <!-- Volumes -->
    <div v-if="tab === 'volumes'" class="flex-1 overflow-auto border border-[#30363d] rounded">
      <table class="w-full text-xs"><thead class="bg-[#161b22] sticky top-0"><tr>
        <th class="text-left px-3 py-2 text-[#8b949e]">Name</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Driver</th>
        <th class="text-left px-3 py-2 text-[#8b949e]">Actions</th>
      </tr></thead><tbody>
        <tr v-for="v in volumes" :key="v.name" class="border-t border-[#21262d] hover:bg-[#161b22]">
          <td class="px-3 py-1.5 font-mono">{{ v.name }}</td>
          <td class="px-3 py-1.5 text-[#8b949e]">{{ v.driver }}</td>
          <td class="px-3 py-1.5"><button class="px-1.5 py-0.5 text-[10px] rounded bg-[#da3633] text-white cursor-pointer" @click="action('remove-volume', v.name)">Remove</button></td>
        </tr>
      </tbody></table>
    </div>
    <!-- Output -->
    <pre v-if="output" class="max-h-32 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-2 text-[10px] font-mono text-[#e0e0e0]">{{ output }}</pre>
    <div class="text-[10px] text-[#484f58]">{{ containers.length }} containers · {{ images.length }} images · {{ volumes.length }} volumes</div>
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 interface DockerContainer { id: string; name: string; image: string; status: string; ports: string; }
 interface DockerImage { repository: string; tag: string; id: string; size: string; }
 interface DockerVolume { name: string; driver: string; mountpoint: string; }
 const props = defineProps<{ sessionId: string }>();
 const tab = ref("containers");
 const containers = ref<DockerContainer[]>([]);
 const images = ref<DockerImage[]>([]);
 const volumes = ref<DockerVolume[]>([]);
 const output = ref("");
 async function refresh(): Promise<void> {
  try {
    if (tab.value === "containers") containers.value = await invoke("docker_list_containers", { sessionId: props.sessionId, all: true });
    if (tab.value === "images") images.value = await invoke("docker_list_images", { sessionId: props.sessionId });
    if (tab.value === "volumes") volumes.value = await invoke("docker_list_volumes", { sessionId: props.sessionId });
  } catch (err) { output.value = String(err); }
 }
 async function action(act: string, target: string): Promise<void> {
  try {
    output.value = await invoke<string>("docker_action", { sessionId: props.sessionId, action: act, target });
    await refresh();
  } catch (err) { output.value = String(err); }
 }
 async function viewLogs(name: string): Promise<void> {
  try { output.value = await invoke<string>("docker_action", { sessionId: props.sessionId, action: "logs", target: name }); }
  catch (err) { output.value = String(err); }
 }
 onMounted(refresh);
 </script>
--- a/src/components/tools/FileEditor.vue
+++ b/src/components/tools/FileEditor.vue
@ -0,0 +1,107 @@
 <template>
  <div class="flex flex-col h-full bg-[#0d1117]">
    <!-- Toolbar -->
    <div class="flex items-center gap-2 px-3 py-2 bg-[#161b22] border-b border-[#30363d] shrink-0">
      <span class="text-xs text-[#8b949e] font-mono truncate flex-1">{{ filePath }}</span>
      <span v-if="modified" class="text-[10px] text-[#e3b341]">modified</span>
      <button
        class="px-3 py-1 text-xs font-bold rounded bg-[#238636] text-white cursor-pointer disabled:opacity-40"
        :disabled="saving || !modified"
        @click="save"
      >
        {{ saving ? "Saving..." : "Save" }}
      </button>
    </div>
    <!-- Editor area -->
    <div ref="editorContainer" class="flex-1 min-h-0" />
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const props = defineProps<{
  sessionId: string;
 }>();
 const filePath = ref("");
 const content = ref("");
 const modified = ref(false);
 const saving = ref(false);
 const editorContainer = ref<HTMLElement | null>(null);
 let editorContent = "";
 onMounted(async () => {
  // Parse path from URL
  const params = new URLSearchParams(window.location.hash.split("?")[1] || "");
  filePath.value = decodeURIComponent(params.get("path") || "");
  if (!filePath.value || !props.sessionId) return;
  // Load file content
  try {
    content.value = await invoke<string>("sftp_read_file", {
      sessionId: props.sessionId,
      path: filePath.value,
    });
    editorContent = content.value;
  } catch (err) {
    content.value = `Error loading file: ${err}`;
  }
  // Create a simple textarea editor (CodeMirror can be added later)
  if (editorContainer.value) {
    const textarea = document.createElement("textarea");
    textarea.value = content.value;
    textarea.spellcheck = false;
    textarea.style.cssText = `
      width: 100%; height: 100%; resize: none; border: none; outline: none;
      background: #0d1117; color: #e0e0e0; padding: 12px; font-size: 13px;
      font-family: 'Cascadia Mono', 'Cascadia Code', Consolas, 'JetBrains Mono', monospace;
      line-height: 1.5; tab-size: 4;
    `;
    textarea.addEventListener("input", () => {
      editorContent = textarea.value;
      modified.value = editorContent !== content.value;
    });
    textarea.addEventListener("keydown", (e) => {
      // Ctrl+S to save
      if ((e.ctrlKey || e.metaKey) && e.key === "s") {
        e.preventDefault();
        save();
      }
      // Tab inserts spaces
      if (e.key === "Tab") {
        e.preventDefault();
        const start = textarea.selectionStart;
        const end = textarea.selectionEnd;
        textarea.value = textarea.value.substring(0, start) + "    " + textarea.value.substring(end);
        textarea.selectionStart = textarea.selectionEnd = start + 4;
        editorContent = textarea.value;
        modified.value = true;
      }
    });
    editorContainer.value.appendChild(textarea);
    textarea.focus();
  }
 });
 async function save(): Promise<void> {
  if (!modified.value || saving.value) return;
  saving.value = true;
  try {
    await invoke("sftp_write_file", {
      sessionId: props.sessionId,
      path: filePath.value,
      content: editorContent,
    });
    content.value = editorContent;
    modified.value = false;
  } catch (err) {
    alert(`Save failed: ${err}`);
  }
  saving.value = false;
 }
 </script>
--- a/src/components/tools/HelpWindow.vue
+++ b/src/components/tools/HelpWindow.vue
@ -0,0 +1,219 @@
 <template>
  <div class="flex flex-col h-full">
    <!-- Tabs -->
    <div class="flex items-center gap-1 px-4 py-2 bg-[#161b22] border-b border-[#30363d] shrink-0">
      <button v-for="t in tabs" :key="t.id"
        class="px-3 py-1 text-xs rounded cursor-pointer transition-colors"
        :class="activeTab === t.id ? 'bg-[#58a6ff] text-black font-bold' : 'text-[#8b949e] hover:text-white'"
        @click="activeTab = t.id"
      >{{ t.label }}</button>
    </div>
    <div class="flex-1 overflow-auto p-6">
      <!-- Getting Started -->
      <div v-if="activeTab === 'guide'" class="prose-wraith">
        <h2>Getting Started with Wraith</h2>
        <p>Wraith is a native desktop SSH/SFTP/RDP client with an integrated AI copilot.</p>
        <h3>Creating a Connection</h3>
        <ol>
          <li>Click <strong>File &rarr; New Connection</strong> or the <strong>+ Host</strong> button in the sidebar</li>
          <li>Enter hostname, port, and protocol (SSH or RDP)</li>
          <li>Optionally link a credential from the vault</li>
          <li>Double-click the connection to connect</li>
        </ol>
        <h3>Quick Connect</h3>
        <p>Type <code>user@host:port</code> in the Quick Connect bar and press Enter.</p>
        <h3>AI Copilot</h3>
        <p>Press <strong>Ctrl+Shift+G</strong> to open the AI copilot panel. Select a shell, click Launch, and run your AI CLI (Claude Code, Gemini, Codex).</p>
        <p>Configure one-click launch presets in <strong>Settings &rarr; AI Copilot</strong>.</p>
        <h3>Local Terminals</h3>
        <p>Click the <strong>+</strong> button in the tab bar to open a local shell (PowerShell, CMD, Git Bash, WSL, bash, zsh).</p>
        <h3>SFTP Browser</h3>
        <p>Switch to the <strong>SFTP</strong> tab in the sidebar. It follows the active SSH session and tracks the current working directory.</p>
        <p>Right-click files for Edit, Download, Rename, Delete.</p>
        <h3>Tab Management</h3>
        <ul>
          <li><strong>Drag tabs</strong> to reorder</li>
          <li><strong>Right-click tab</strong> &rarr; Detach to Window (pop out to separate window)</li>
          <li>Close the detached window to reattach</li>
          <li>Tabs pulse blue when there's new activity in the background</li>
        </ul>
        <h3>Remote Monitoring</h3>
        <p>Every SSH session shows a monitoring bar at the bottom with CPU, RAM, disk, and network stats — polled every 5 seconds. No agent needed.</p>
      </div>
      <!-- Keyboard Shortcuts -->
      <div v-if="activeTab === 'shortcuts'" class="prose-wraith">
        <h2>Keyboard Shortcuts</h2>
        <table>
          <thead><tr><th>Shortcut</th><th>Action</th></tr></thead>
          <tbody>
            <tr><td><kbd>Ctrl+K</kbd></td><td>Command Palette</td></tr>
            <tr><td><kbd>Ctrl+Shift+G</kbd></td><td>Toggle AI Copilot</td></tr>
            <tr><td><kbd>Ctrl+B</kbd></td><td>Toggle Sidebar</td></tr>
            <tr><td><kbd>Ctrl+W</kbd></td><td>Close Active Tab</td></tr>
            <tr><td><kbd>Ctrl+Tab</kbd></td><td>Next Tab</td></tr>
            <tr><td><kbd>Ctrl+Shift+Tab</kbd></td><td>Previous Tab</td></tr>
            <tr><td><kbd>Ctrl+1-9</kbd></td><td>Switch to Tab N</td></tr>
            <tr><td><kbd>Ctrl+F</kbd></td><td>Find in Terminal</td></tr>
            <tr><td><kbd>Ctrl+S</kbd></td><td>Save (in editor windows)</td></tr>
          </tbody>
        </table>
        <h3>Terminal</h3>
        <table>
          <thead><tr><th>Action</th><th>How</th></tr></thead>
          <tbody>
            <tr><td>Copy</td><td>Select text (auto-copies)</td></tr>
            <tr><td>Paste</td><td>Right-click</td></tr>
          </tbody>
        </table>
      </div>
      <!-- MCP Integration -->
      <div v-if="activeTab === 'mcp'" class="prose-wraith">
        <h2>MCP Integration (AI Tool Access)</h2>
        <p>Wraith includes an MCP (Model Context Protocol) server that gives AI CLI tools programmatic access to your active sessions.</p>
        <h3>Setup</h3>
        <p>The MCP bridge binary is automatically downloaded to:</p>
        <pre>{{ bridgePath }}</pre>
        <p>Register with Claude Code:</p>
        <pre>claude mcp add wraith -- "{{ bridgePath }}"</pre>
        <h3>Available MCP Tools (18)</h3>
        <h4>Session Management</h4>
        <table>
          <thead><tr><th>Tool</th><th>Description</th></tr></thead>
          <tbody>
            <tr><td><code>list_sessions</code></td><td>List all active SSH/RDP/PTY sessions</td></tr>
          </tbody>
        </table>
        <h4>Terminal</h4>
        <table>
          <thead><tr><th>Tool</th><th>Description</th></tr></thead>
          <tbody>
            <tr><td><code>terminal_read</code></td><td>Read recent terminal output (ANSI stripped)</td></tr>
            <tr><td><code>terminal_execute</code></td><td>Run a command and capture output</td></tr>
            <tr><td><code>terminal_screenshot</code></td><td>Capture RDP frame as PNG</td></tr>
          </tbody>
        </table>
        <h4>SFTP</h4>
        <table>
          <thead><tr><th>Tool</th><th>Description</th></tr></thead>
          <tbody>
            <tr><td><code>sftp_list</code></td><td>List remote directory</td></tr>
            <tr><td><code>sftp_read</code></td><td>Read remote file</td></tr>
            <tr><td><code>sftp_write</code></td><td>Write remote file</td></tr>
          </tbody>
        </table>
        <h4>Network</h4>
        <table>
          <thead><tr><th>Tool</th><th>Description</th></tr></thead>
          <tbody>
            <tr><td><code>network_scan</code></td><td>ARP + ping sweep subnet discovery</td></tr>
            <tr><td><code>port_scan</code></td><td>TCP port scan</td></tr>
            <tr><td><code>ping</code></td><td>Ping a host</td></tr>
            <tr><td><code>traceroute</code></td><td>Traceroute to host</td></tr>
            <tr><td><code>dns_lookup</code></td><td>DNS query (A, MX, TXT, etc.)</td></tr>
            <tr><td><code>whois</code></td><td>Whois lookup</td></tr>
            <tr><td><code>wake_on_lan</code></td><td>Send WoL magic packet</td></tr>
            <tr><td><code>bandwidth_test</code></td><td>Internet speed test</td></tr>
          </tbody>
        </table>
        <h4>Utilities (no session needed)</h4>
        <table>
          <thead><tr><th>Tool</th><th>Description</th></tr></thead>
          <tbody>
            <tr><td><code>subnet_calc</code></td><td>Subnet calculator</td></tr>
            <tr><td><code>generate_ssh_key</code></td><td>Generate SSH key pair</td></tr>
            <tr><td><code>generate_password</code></td><td>Generate secure password</td></tr>
          </tbody>
        </table>
        <h3>How It Works</h3>
        <ol>
          <li>Wraith starts an HTTP server on <code>localhost</code> (random port)</li>
          <li>Port written to <code>mcp-port</code> in data directory</li>
          <li>Bridge binary reads the port and proxies JSON-RPC over stdio</li>
          <li>AI CLI spawns the bridge as an MCP server</li>
        </ol>
      </div>
      <!-- About -->
      <div v-if="activeTab === 'about'" class="prose-wraith">
        <h2>About Wraith</h2>
        <p class="text-2xl font-bold tracking-widest text-[#58a6ff]">WRAITH</p>
        <p>Exists everywhere, all at once.</p>
        <table>
          <tbody>
            <tr><td>Version</td><td>{{ version }}</td></tr>
            <tr><td>Runtime</td><td>Tauri v2 + Rust</td></tr>
            <tr><td>Frontend</td><td>Vue 3 + TypeScript</td></tr>
            <tr><td>Terminal</td><td>xterm.js 6</td></tr>
            <tr><td>SSH</td><td>russh 0.48</td></tr>
            <tr><td>RDP</td><td>ironrdp 0.14</td></tr>
            <tr><td>License</td><td>Proprietary</td></tr>
            <tr><td>Publisher</td><td>Vigilance Cyber / Vigilsynth</td></tr>
          </tbody>
        </table>
      </div>
    </div>
  </div>
 </template>
 <script setup lang="ts">
 import { ref, onMounted } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { getVersion } from "@tauri-apps/api/app";
 const tabs = [
  { id: "guide", label: "Getting Started" },
  { id: "shortcuts", label: "Shortcuts" },
  { id: "mcp", label: "MCP Integration" },
  { id: "about", label: "About" },
 ];
 const activeTab = ref("guide");
 const bridgePath = ref("loading...");
 const version = ref("loading...");
 onMounted(async () => {
  // Read initial tab from URL
  const params = new URLSearchParams(window.location.hash.split("?")[1] || "");
  const page = params.get("page");
  if (page && tabs.some(t => t.id === page)) activeTab.value = page;
  try { version.value = await getVersion(); } catch { version.value = "unknown"; }
  try { bridgePath.value = await invoke<string>("mcp_bridge_path"); } catch { bridgePath.value = "unknown"; }
 });
 </script>
 <style scoped>
 .prose-wraith h2 { font-size: 16px; font-weight: 700; color: #e0e0e0; margin-bottom: 12px; }
 .prose-wraith h3 { font-size: 13px; font-weight: 600; color: #8b949e; margin-top: 20px; margin-bottom: 8px; text-transform: uppercase; letter-spacing: 0.05em; }
 .prose-wraith h4 { font-size: 12px; font-weight: 600; color: #58a6ff; margin-top: 16px; margin-bottom: 6px; }
 .prose-wraith p { font-size: 12px; color: #8b949e; margin-bottom: 8px; line-height: 1.6; }
 .prose-wraith ol, .prose-wraith ul { font-size: 12px; color: #8b949e; margin-bottom: 8px; padding-left: 20px; }
 .prose-wraith li { margin-bottom: 4px; line-height: 1.5; }
 .prose-wraith code { background: #161b22; border: 1px solid #30363d; border-radius: 4px; padding: 1px 5px; font-size: 11px; color: #e0e0e0; }
 .prose-wraith pre { background: #161b22; border: 1px solid #30363d; border-radius: 6px; padding: 10px 14px; font-size: 11px; color: #e0e0e0; overflow-x: auto; margin-bottom: 8px; font-family: 'Cascadia Mono', monospace; }
 .prose-wraith kbd { background: #21262d; border: 1px solid #484f58; border-radius: 3px; padding: 1px 5px; font-size: 10px; color: #e0e0e0; }
 .prose-wraith table { width: 100%; font-size: 12px; border-collapse: collapse; margin-bottom: 12px; }
 .prose-wraith th { text-align: left; padding: 6px 10px; background: #161b22; color: #8b949e; font-weight: 500; border-bottom: 1px solid #30363d; }
 .prose-wraith td { padding: 5px 10px; color: #e0e0e0; border-bottom: 1px solid #21262d; }
 .prose-wraith strong { color: #e0e0e0; }
 </style>
--- a/src/components/tools/NetworkScanner.vue
+++ b/src/components/tools/NetworkScanner.vue
@ -0,0 +1,90 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-3">
    <div class="flex items-center gap-2">
      <label class="text-xs text-[#8b949e]">Subnet (first 3 octets):</label>
      <input v-model="subnet" type="text" placeholder="192.168.1" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-40" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="scanning" @click="scan">
        {{ scanning ? "Scanning..." : "Scan Network" }}
      </button>
      <button v-if="hosts.length" class="px-3 py-1.5 text-xs rounded border border-[#30363d] text-[#8b949e] hover:text-white cursor-pointer" @click="exportCsv">Export CSV</button>
    </div>
    <div class="flex-1 overflow-auto border border-[#30363d] rounded">
      <table class="w-full text-xs">
        <thead class="bg-[#161b22] sticky top-0">
          <tr>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium">IP Address</th>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium">Hostname</th>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium">MAC Address</th>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium">Open Ports</th>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium">Actions</th>
          </tr>
        </thead>
        <tbody>
          <tr v-for="host in hosts" :key="host.ip" class="border-t border-[#21262d] hover:bg-[#161b22]">
            <td class="px-3 py-1.5 font-mono">{{ host.ip }}</td>
            <td class="px-3 py-1.5">{{ host.hostname || "—" }}</td>
            <td class="px-3 py-1.5 font-mono text-[#8b949e]">{{ host.mac || "—" }}</td>
            <td class="px-3 py-1.5">
              <span v-if="host.openPorts.length" class="text-[#3fb950]">{{ host.openPorts.join(", ") }}</span>
              <button v-else class="text-[#58a6ff] hover:underline cursor-pointer" @click="quickScanHost(host)">scan</button>
            </td>
            <td class="px-3 py-1.5 flex gap-1">
              <button class="px-2 py-0.5 text-[10px] rounded bg-[#238636] text-white cursor-pointer" @click="connectSsh(host)">SSH</button>
              <button class="px-2 py-0.5 text-[10px] rounded bg-[#1f6feb] text-white cursor-pointer" @click="connectRdp(host)">RDP</button>
            </td>
          </tr>
          <tr v-if="!hosts.length && !scanning">
            <td colspan="5" class="px-3 py-8 text-center text-[#484f58]">Enter a subnet and click Scan</td>
          </tr>
        </tbody>
      </table>
    </div>
    <div class="text-[10px] text-[#484f58]">{{ hosts.length }} hosts found • Scanning through session {{ sessionId.substring(0, 8) }}...</div>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const props = defineProps<{ sessionId: string }>();
 interface Host { ip: string; mac: string | null; hostname: string | null; vendor: string | null; openPorts: number[]; services: string[]; }
 const subnet = ref("192.168.1");
 const hosts = ref<Host[]>([]);
 const scanning = ref(false);
 async function scan(): Promise<void> {
  scanning.value = true;
  try {
    hosts.value = await invoke<Host[]>("scan_network", { sessionId: props.sessionId, subnet: subnet.value });
  } catch (err) { alert(err); }
  scanning.value = false;
 }
 async function quickScanHost(host: Host): Promise<void> {
  try {
    const results = await invoke<{ port: number; open: boolean; service: string }[]>("quick_scan", { sessionId: props.sessionId, target: host.ip });
    host.openPorts = results.filter(r => r.open).map(r => r.port);
  } catch (err) { console.error(err); }
 }
 function connectSsh(host: Host): void { alert(`TODO: Open SSH tab to ${host.ip}`); }
 function connectRdp(host: Host): void { alert(`TODO: Open RDP tab to ${host.ip}`); }
 function exportCsv(): void {
  const lines = ["IP,Hostname,MAC,OpenPorts"];
  for (const h of hosts.value) {
    lines.push(`${h.ip},"${h.hostname || ""}","${h.mac || ""}","${h.openPorts.join(";")}"`);
  }
  const blob = new Blob([lines.join("\n")], { type: "text/csv" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = `wraith-scan-${subnet.value}-${Date.now()}.csv`;
  a.click();
  setTimeout(() => URL.revokeObjectURL(a.href), 1000);
 }
 </script>
--- a/src/components/tools/PasswordGen.vue
+++ b/src/components/tools/PasswordGen.vue
@ -0,0 +1,67 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-4">
    <h2 class="text-sm font-bold text-[#58a6ff]">Password Generator</h2>
    <div class="flex items-center gap-3">
      <div>
        <label class="block text-xs text-[#8b949e] mb-1">Length</label>
        <input v-model.number="length" type="number" min="4" max="128" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-20" />
      </div>
      <div class="flex items-center gap-3 self-end">
        <label class="flex items-center gap-1 text-xs text-[#8b949e] cursor-pointer"><input v-model="uppercase" type="checkbox" class="accent-[#58a6ff]" /> A-Z</label>
        <label class="flex items-center gap-1 text-xs text-[#8b949e] cursor-pointer"><input v-model="lowercase" type="checkbox" class="accent-[#58a6ff]" /> a-z</label>
        <label class="flex items-center gap-1 text-xs text-[#8b949e] cursor-pointer"><input v-model="digits" type="checkbox" class="accent-[#58a6ff]" /> 0-9</label>
        <label class="flex items-center gap-1 text-xs text-[#8b949e] cursor-pointer"><input v-model="symbols" type="checkbox" class="accent-[#58a6ff]" /> !@#</label>
      </div>
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#238636] text-white cursor-pointer self-end" @click="generate">Generate</button>
    </div>
    <div v-if="password" class="flex items-center gap-2">
      <input readonly :value="password" class="flex-1 px-3 py-2 text-lg font-mono rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] select-all" @click="($event.target as HTMLInputElement).select()" />
      <button class="px-3 py-2 text-xs rounded bg-[#58a6ff] text-black font-bold cursor-pointer" @click="copy">Copy</button>
    </div>
    <div v-if="history.length" class="flex-1 overflow-auto">
      <h3 class="text-xs text-[#8b949e] mb-2">History</h3>
      <div v-for="(pw, i) in history" :key="i" class="flex items-center gap-2 py-1 border-b border-[#21262d]">
        <span class="flex-1 font-mono text-xs text-[#8b949e] truncate">{{ pw }}</span>
        <button class="text-[10px] text-[#58a6ff] hover:underline cursor-pointer" @click="copyText(pw)">copy</button>
      </div>
    </div>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const length = ref(20);
 const uppercase = ref(true);
 const lowercase = ref(true);
 const digits = ref(true);
 const symbols = ref(true);
 const password = ref("");
 const history = ref<string[]>([]);
 async function generate(): Promise<void> {
  try {
    password.value = await invoke<string>("tool_generate_password", {
      length: length.value,
      uppercase: uppercase.value,
      lowercase: lowercase.value,
      digits: digits.value,
      symbols: symbols.value,
    });
    history.value.unshift(password.value);
    if (history.value.length > 20) history.value.pop();
  } catch (err) { alert(err); }
 }
 function copy(): void {
  navigator.clipboard.writeText(password.value).catch(() => {});
 }
 function copyText(text: string): void {
  navigator.clipboard.writeText(text).catch(() => {});
 }
 </script>
--- a/src/components/tools/PingTool.vue
+++ b/src/components/tools/PingTool.vue
@ -0,0 +1,28 @@
 <template>
  <ToolShell ref="shell" placeholder="Enter a host and click Ping">
    <template #default="{ running }">
      <input v-model="target" type="text" placeholder="Host to ping" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="ping" />
      <input v-model.number="count" type="number" min="1" max="100" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-16" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="ping">Ping</button>
    </template>
  </ToolShell>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
 const count = ref(4);
 const shell = ref<InstanceType<typeof ToolShell> | null>(null);
 async function ping(): Promise<void> {
  if (!target.value) return;
  shell.value?.execute(async () => {
    const result = await invoke<{ target: string; output: string }>("tool_ping", { sessionId: props.sessionId, target: target.value, count: count.value });
    return result.output;
  });
 }
 </script>
--- a/src/components/tools/PortScanner.vue
+++ b/src/components/tools/PortScanner.vue
@ -0,0 +1,81 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-3">
    <div class="flex items-center gap-2">
      <input v-model="target" type="text" placeholder="Target IP or hostname" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-44" />
      <input v-model="portRange" type="text" placeholder="Ports: 1-1024 or 22,80,443" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-48" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="scanning" @click="scan">
        {{ scanning ? "Scanning..." : "Scan" }}
      </button>
      <button class="px-3 py-1.5 text-xs rounded border border-[#30363d] text-[#8b949e] hover:text-white cursor-pointer disabled:opacity-40" :disabled="scanning" @click="quickScan">Quick Scan</button>
    </div>
    <div class="flex-1 overflow-auto border border-[#30363d] rounded">
      <table class="w-full text-xs">
        <thead class="bg-[#161b22] sticky top-0">
          <tr>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium w-20">Port</th>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium w-20">State</th>
            <th class="text-left px-3 py-2 text-[#8b949e] font-medium">Service</th>
          </tr>
        </thead>
        <tbody>
          <tr v-for="r in results" :key="r.port" class="border-t border-[#21262d]">
            <td class="px-3 py-1.5 font-mono">{{ r.port }}</td>
            <td class="px-3 py-1.5" :class="r.open ? 'text-[#3fb950]' : 'text-[#484f58]'">{{ r.open ? "open" : "closed" }}</td>
            <td class="px-3 py-1.5">{{ r.service }}</td>
          </tr>
        </tbody>
      </table>
    </div>
    <div class="text-[10px] text-[#484f58]">{{ results.filter(r => r.open).length }} open / {{ results.length }} scanned</div>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
 const portRange = ref("1-1024");
 const results = ref<{ port: number; open: boolean; service: string }[]>([]);
 const scanning = ref(false);
 function parsePorts(input: string): number[] {
  const ports: number[] = [];
  for (const part of input.split(",")) {
    const trimmed = part.trim();
    if (trimmed.includes("-")) {
      const [start, end] = trimmed.split("-").map(Number);
      if (!isNaN(start) && !isNaN(end)) {
        for (let p = start; p <= Math.min(end, 65535); p++) ports.push(p);
      }
    } else {
      const p = Number(trimmed);
      if (!isNaN(p) && p > 0 && p <= 65535) ports.push(p);
    }
  }
  return ports;
 }
 async function scan(): Promise<void> {
  if (!target.value) return;
  scanning.value = true;
  try {
    const ports = parsePorts(portRange.value);
    results.value = await invoke("scan_ports", { sessionId: props.sessionId, target: target.value, ports });
  } catch (err) { alert(err); }
  scanning.value = false;
 }
 async function quickScan(): Promise<void> {
  if (!target.value) return;
  scanning.value = true;
  try {
    results.value = await invoke("quick_scan", { sessionId: props.sessionId, target: target.value });
  } catch (err) { alert(err); }
  scanning.value = false;
 }
 </script>
--- a/src/components/tools/SshKeyGen.vue
+++ b/src/components/tools/SshKeyGen.vue
@ -0,0 +1,90 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-4">
    <h2 class="text-sm font-bold text-[#58a6ff]">SSH Key Generator</h2>
    <div class="flex items-center gap-3">
      <div>
        <label class="block text-xs text-[#8b949e] mb-1">Key Type</label>
        <select v-model="keyType" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none cursor-pointer">
          <option value="ed25519">Ed25519 (recommended)</option>
          <option value="rsa">RSA 2048</option>
        </select>
      </div>
      <div class="flex-1">
        <label class="block text-xs text-[#8b949e] mb-1">Comment</label>
        <input v-model="comment" type="text" placeholder="user@host" class="w-full px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff]" />
      </div>
      <div class="self-end">
        <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#238636] text-white cursor-pointer" @click="generate">Generate</button>
      </div>
    </div>
    <template v-if="key">
      <div>
        <div class="flex items-center justify-between mb-1">
          <label class="text-xs text-[#8b949e]">Public Key</label>
          <button class="text-[10px] text-[#58a6ff] hover:underline cursor-pointer" @click="copy(key.publicKey)">Copy</button>
        </div>
        <textarea readonly :value="key.publicKey" rows="2" class="w-full px-3 py-2 text-xs font-mono rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] resize-none" />
      </div>
      <div>
        <div class="flex items-center justify-between mb-1">
          <label class="text-xs text-[#8b949e]">Private Key</label>
          <button class="text-[10px] text-[#58a6ff] hover:underline cursor-pointer" @click="copy(key.privateKey)">Copy</button>
        </div>
        <textarea readonly :value="key.privateKey" rows="8" class="w-full px-3 py-2 text-xs font-mono rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] resize-none" />
      </div>
      <div class="flex items-center gap-3">
        <div class="text-xs text-[#8b949e]">
          Fingerprint: <span class="font-mono text-[#e0e0e0]">{{ key.fingerprint }}</span>
        </div>
        <button class="px-3 py-1 text-xs rounded bg-[#58a6ff] text-black font-bold cursor-pointer" @click="savePrivateKey">Save Private Key</button>
        <button class="px-3 py-1 text-xs rounded border border-[#30363d] text-[#8b949e] hover:text-white cursor-pointer" @click="savePublicKey">Save Public Key</button>
      </div>
    </template>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const keyType = ref("ed25519");
 const comment = ref("");
 interface GeneratedKey { privateKey: string; publicKey: string; fingerprint: string; keyType: string; }
 const key = ref<GeneratedKey | null>(null);
 async function generate(): Promise<void> {
  try {
    key.value = await invoke<GeneratedKey>("tool_generate_ssh_key", { keyType: keyType.value, comment: comment.value || null });
  } catch (err) { alert(err); }
 }
 function copy(text: string): void {
  navigator.clipboard.writeText(text).catch(() => {});
 }
 function saveFile(content: string, filename: string): void {
  const blob = new Blob([content], { type: "text/plain" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = filename;
  a.click();
  URL.revokeObjectURL(a.href);
 }
 function savePrivateKey(): void {
  if (!key.value) return;
  const ext = key.value.keyType === "ed25519" ? "id_ed25519" : "id_rsa";
  saveFile(key.value.privateKey, ext);
 }
 function savePublicKey(): void {
  if (!key.value) return;
  const ext = key.value.keyType === "ed25519" ? "id_ed25519.pub" : "id_rsa.pub";
  saveFile(key.value.publicKey, ext);
 }
 </script>
--- a/src/components/tools/SubnetCalc.vue
+++ b/src/components/tools/SubnetCalc.vue
@ -0,0 +1,49 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-4">
    <div class="flex items-center gap-2">
      <input v-model="cidr" type="text" placeholder="192.168.1.0/24" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] w-48 font-mono" @keydown.enter="calc" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer" @click="calc">Calculate</button>
      <div class="flex items-center gap-1 ml-2">
        <button v-for="quick in ['/8','/16','/24','/25','/26','/27','/28','/29','/30','/32']" :key="quick"
          class="px-1.5 py-0.5 text-[10px] rounded bg-[#21262d] text-[#8b949e] hover:text-white hover:bg-[#30363d] cursor-pointer"
          @click="cidr = cidr.replace(/\/\d+$/, '') + quick; calc()"
        >{{ quick }}</button>
      </div>
    </div>
    <div v-if="info" class="grid grid-cols-2 gap-x-6 gap-y-2 text-xs">
      <div><span class="text-[#8b949e]">CIDR:</span> <span class="font-mono">{{ info.cidr }}</span></div>
      <div><span class="text-[#8b949e]">Class:</span> {{ info.class }} <span v-if="info.isPrivate" class="text-[#3fb950]">(Private)</span></div>
      <div><span class="text-[#8b949e]">Network:</span> <span class="font-mono">{{ info.network }}</span></div>
      <div><span class="text-[#8b949e]">Broadcast:</span> <span class="font-mono">{{ info.broadcast }}</span></div>
      <div><span class="text-[#8b949e]">Netmask:</span> <span class="font-mono">{{ info.netmask }}</span></div>
      <div><span class="text-[#8b949e]">Wildcard:</span> <span class="font-mono">{{ info.wildcard }}</span></div>
      <div><span class="text-[#8b949e]">First Host:</span> <span class="font-mono">{{ info.firstHost }}</span></div>
      <div><span class="text-[#8b949e]">Last Host:</span> <span class="font-mono">{{ info.lastHost }}</span></div>
      <div><span class="text-[#8b949e]">Total Hosts:</span> {{ info.totalHosts.toLocaleString() }}</div>
      <div><span class="text-[#8b949e]">Usable Hosts:</span> {{ info.usableHosts.toLocaleString() }}</div>
      <div><span class="text-[#8b949e]">Prefix Length:</span> /{{ info.prefixLength }}</div>
    </div>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const cidr = ref("192.168.1.0/24");
 interface SubnetInfo {
  cidr: string; network: string; broadcast: string; netmask: string; wildcard: string;
  firstHost: string; lastHost: string; totalHosts: number; usableHosts: number;
  prefixLength: number; class: string; isPrivate: boolean;
 }
 const info = ref<SubnetInfo | null>(null);
 async function calc(): Promise<void> {
  if (!cidr.value) return;
  try { info.value = await invoke<SubnetInfo>("tool_subnet_calc", { cidr: cidr.value }); }
  catch (err) { alert(err); }
 }
 </script>
--- a/src/components/tools/ToolShell.vue
+++ b/src/components/tools/ToolShell.vue
@ -0,0 +1,37 @@
 <script setup lang="ts">
 import { ref } from "vue";
 defineProps<{
  placeholder?: string;
 }>();
 const output = ref("");
 const running = ref(false);
 async function execute(fn: () => Promise<string>): Promise<void> {
  running.value = true;
  output.value = "";
  try {
    output.value = await fn();
  } catch (err: unknown) {
    output.value = `Error: ${err instanceof Error ? err.message : String(err)}`;
  } finally {
    running.value = false;
  }
 }
 function setOutput(value: string): void {
  output.value = value;
 }
 defineExpose({ execute, setOutput, output, running });
 </script>
 <template>
  <div class="flex flex-col h-full p-4 gap-3">
    <div class="flex items-center gap-2">
      <slot :running="running" />
    </div>
    <pre class="flex-1 overflow-auto bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono whitespace-pre-wrap text-[#e0e0e0]">{{ output || placeholder || "Ready." }}</pre>
  </div>
 </template>
--- a/src/components/tools/ToolWindow.vue
+++ b/src/components/tools/ToolWindow.vue
@ -0,0 +1,43 @@
 <template>
  <div class="h-screen w-screen flex flex-col bg-[#0d1117] text-[#e0e0e0]">
    <NetworkScanner v-if="tool === 'network-scanner'" :session-id="sessionId" />
    <PortScanner v-else-if="tool === 'port-scanner'" :session-id="sessionId" />
    <PingTool v-else-if="tool === 'ping'" :session-id="sessionId" />
    <TracerouteTool v-else-if="tool === 'traceroute'" :session-id="sessionId" />
    <WakeOnLan v-else-if="tool === 'wake-on-lan'" :session-id="sessionId" />
    <DnsLookup v-else-if="tool === 'dns-lookup'" :session-id="sessionId" />
    <WhoisTool v-else-if="tool === 'whois'" :session-id="sessionId" />
    <BandwidthTest v-else-if="tool === 'bandwidth'" :session-id="sessionId" />
    <SubnetCalc v-else-if="tool === 'subnet-calc'" />
    <DockerPanel v-else-if="tool === 'docker'" :session-id="sessionId" />
    <FileEditor v-else-if="tool === 'editor'" :session-id="sessionId" />
    <SshKeyGen v-else-if="tool === 'ssh-keygen'" />
    <PasswordGen v-else-if="tool === 'password-gen'" />
    <HelpWindow v-else-if="tool === 'help'" />
    <div v-else class="flex-1 flex items-center justify-center text-sm text-[#484f58]">
      Unknown tool: {{ tool }}
    </div>
  </div>
 </template>
 <script setup lang="ts">
 import NetworkScanner from "./NetworkScanner.vue";
 import PortScanner from "./PortScanner.vue";
 import PingTool from "./PingTool.vue";
 import TracerouteTool from "./TracerouteTool.vue";
 import WakeOnLan from "./WakeOnLan.vue";
 import DnsLookup from "./DnsLookup.vue";
 import WhoisTool from "./WhoisTool.vue";
 import BandwidthTest from "./BandwidthTest.vue";
 import SubnetCalc from "./SubnetCalc.vue";
 import DockerPanel from "./DockerPanel.vue";
 import FileEditor from "./FileEditor.vue";
 import SshKeyGen from "./SshKeyGen.vue";
 import PasswordGen from "./PasswordGen.vue";
 import HelpWindow from "./HelpWindow.vue";
 defineProps<{
  tool: string;
  sessionId: string;
 }>();
 </script>
--- a/src/components/tools/TracerouteTool.vue
+++ b/src/components/tools/TracerouteTool.vue
@ -0,0 +1,25 @@
 <template>
  <ToolShell ref="shell" placeholder="Enter a host and click Trace">
    <template #default="{ running }">
      <input v-model="target" type="text" placeholder="Host to trace" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="trace" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="trace">Trace</button>
    </template>
  </ToolShell>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
 const shell = ref<InstanceType<typeof ToolShell> | null>(null);
 async function trace(): Promise<void> {
  if (!target.value) return;
  shell.value?.execute(() =>
    invoke<string>("tool_traceroute", { sessionId: props.sessionId, target: target.value })
  );
 }
 </script>
--- a/src/components/tools/WakeOnLan.vue
+++ b/src/components/tools/WakeOnLan.vue
@ -0,0 +1,32 @@
 <template>
  <div class="flex flex-col h-full p-4 gap-4">
    <h2 class="text-sm font-bold text-[#58a6ff]">Wake on LAN</h2>
    <p class="text-xs text-[#8b949e]">Send a magic packet through the remote host to wake a machine on the same network.</p>
    <div class="flex items-center gap-2">
      <input v-model="macAddress" type="text" placeholder="MAC address (AA:BB:CC:DD:EE:FF)" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1 font-mono" @keydown.enter="wake" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="sending" @click="wake">Wake</button>
    </div>
    <pre v-if="result" class="bg-[#161b22] border border-[#30363d] rounded p-3 text-xs font-mono text-[#e0e0e0]">{{ result }}</pre>
  </div>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 const props = defineProps<{ sessionId: string }>();
 const macAddress = ref("");
 const result = ref("");
 const sending = ref(false);
 async function wake(): Promise<void> {
  if (!macAddress.value) return;
  sending.value = true;
  try {
    result.value = await invoke<string>("tool_wake_on_lan", { sessionId: props.sessionId, macAddress: macAddress.value });
  } catch (err) { result.value = String(err); }
  sending.value = false;
 }
 </script>
--- a/src/components/tools/WhoisTool.vue
+++ b/src/components/tools/WhoisTool.vue
@ -0,0 +1,25 @@
 <template>
  <ToolShell ref="shell" placeholder="Enter a domain or IP and click Whois">
    <template #default="{ running }">
      <input v-model="target" type="text" placeholder="Domain or IP" class="px-3 py-1.5 text-sm rounded bg-[#161b22] border border-[#30363d] text-[#e0e0e0] outline-none focus:border-[#58a6ff] flex-1" @keydown.enter="lookup" />
      <button class="px-4 py-1.5 text-sm font-bold rounded bg-[#58a6ff] text-black cursor-pointer disabled:opacity-40" :disabled="running" @click="lookup">Whois</button>
    </template>
  </ToolShell>
 </template>
 <script setup lang="ts">
 import { ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import ToolShell from "./ToolShell.vue";
 const props = defineProps<{ sessionId: string }>();
 const target = ref("");
 const shell = ref<InstanceType<typeof ToolShell> | null>(null);
 async function lookup(): Promise<void> {
  if (!target.value) return;
  shell.value?.execute(() =>
    invoke<string>("tool_whois", { sessionId: props.sessionId, target: target.value })
  );
 }
 </script>
--- a/src/composables/useKeyboardShortcuts.ts
+++ b/src/composables/useKeyboardShortcuts.ts
@ -0,0 +1,106 @@
 import { onMounted, onBeforeUnmount } from "vue";
 import type { Ref } from "vue";
 import type { useSessionStore } from "@/stores/session.store";
 interface KeyboardShortcutActions {
  sessionStore: ReturnType<typeof useSessionStore>;
  sidebarVisible: Ref<boolean>;
  copilotVisible: Ref<boolean>;
  openCommandPalette: () => void;
  openActiveSearch: () => void;
 }
 export function useKeyboardShortcuts(actions: KeyboardShortcutActions): void {
  const { sessionStore, sidebarVisible, copilotVisible, openCommandPalette, openActiveSearch } = actions;
  function handleKeydown(event: KeyboardEvent): void {
    const target = event.target as HTMLElement;
    const isInputFocused =
      target.tagName === "INPUT" ||
      target.tagName === "TEXTAREA" ||
      target.tagName === "SELECT";
    const ctrl = event.ctrlKey || event.metaKey;
    // Ctrl+K — command palette (fires even when input is focused)
    if (ctrl && event.key === "k") {
      event.preventDefault();
      openCommandPalette();
      return;
    }
    if (isInputFocused) return;
    // Ctrl+W — close active tab
    if (ctrl && event.key === "w") {
      event.preventDefault();
      const active = sessionStore.activeSession;
      if (active) sessionStore.closeSession(active.id);
      return;
    }
    // Ctrl+Tab — next tab
    if (ctrl && event.key === "Tab" && !event.shiftKey) {
      event.preventDefault();
      const sessions = sessionStore.sessions;
      if (sessions.length < 2) return;
      const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId);
      const next = sessions[(idx + 1) % sessions.length];
      sessionStore.activateSession(next.id);
      return;
    }
    // Ctrl+Shift+Tab — previous tab
    if (ctrl && event.key === "Tab" && event.shiftKey) {
      event.preventDefault();
      const sessions = sessionStore.sessions;
      if (sessions.length < 2) return;
      const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId);
      const prev = sessions[(idx - 1 + sessions.length) % sessions.length];
      sessionStore.activateSession(prev.id);
      return;
    }
    // Ctrl+1-9 — jump to tab by index
    if (ctrl && event.key >= "1" && event.key <= "9") {
      const tabIndex = parseInt(event.key, 10) - 1;
      const sessions = sessionStore.sessions;
      if (tabIndex < sessions.length) {
        event.preventDefault();
        sessionStore.activateSession(sessions[tabIndex].id);
      }
      return;
    }
    // Ctrl+B — toggle sidebar
    if (ctrl && event.key === "b") {
      event.preventDefault();
      sidebarVisible.value = !sidebarVisible.value;
      return;
    }
    // Ctrl+Shift+G — toggle AI copilot
    if (ctrl && event.shiftKey && event.key.toLowerCase() === "g") {
      event.preventDefault();
      copilotVisible.value = !copilotVisible.value;
      return;
    }
    // Ctrl+F — terminal search (SSH sessions only)
    if (ctrl && event.key === "f") {
      const active = sessionStore.activeSession;
      if (active?.protocol === "ssh") {
        event.preventDefault();
        openActiveSearch();
      }
      return;
    }
  }
  onMounted(() => {
    document.addEventListener("keydown", handleKeydown);
  });
  onBeforeUnmount(() => {
    document.removeEventListener("keydown", handleKeydown);
  });
 }
--- a/src/composables/useRdp.ts
+++ b/src/composables/useRdp.ts
@ -1,4 +1,5 @@
 import { ref, onBeforeUnmount } from "vue";
 import type { Ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 /**
@ -152,13 +153,13 @@ export function jsKeyToScancode(code: string): number | null {
 export interface UseRdpReturn {
  /** Whether the RDP session is connected (first frame received) */
-  connected: ReturnType<typeof ref<boolean>>;
+  connected: Ref<boolean>;
  /** Whether keyboard capture is enabled */
-  keyboardGrabbed: ReturnType<typeof ref<boolean>>;
+  keyboardGrabbed: Ref<boolean>;
  /** Whether clipboard sync is enabled */
-  clipboardSync: ReturnType<typeof ref<boolean>>;
+  clipboardSync: Ref<boolean>;
-  /** Fetch the current frame as RGBA ImageData */
+  /** Fetch and render the dirty region directly to a canvas context */
-  fetchFrame: (sessionId: string, width: number, height: number) => Promise<ImageData | null>;
+  fetchAndRender: (sessionId: string, width: number, height: number, ctx: CanvasRenderingContext2D) => Promise<boolean>;
  /** Send a mouse event to the backend */
  sendMouse: (sessionId: string, x: number, y: number, flags: number) => void;
  /** Send a key event to the backend */
@ -184,7 +185,7 @@ export interface UseRdpReturn {
 * Composable that manages an RDP session's rendering and input.
 *
 * Uses Tauri's invoke() to call Rust commands:
- *   rdp_get_frame   → base64 RGBA string
+ *   rdp_get_frame   → raw RGBA ArrayBuffer (binary IPC)
 *   rdp_send_mouse  → fire-and-forget
 *   rdp_send_key    → fire-and-forget
 *   rdp_send_clipboard → fire-and-forget
@ -195,47 +196,53 @@ export function useRdp(): UseRdpReturn {
  const clipboardSync = ref(false);
  let animFrameId: number | null = null;
-  let frameCount = 0;
+  let unlistenFrame: (() => void) | null = null;
  /**
-   * Fetch the current frame from the Rust RDP backend.
+   * Fetch the dirty region from the Rust RDP backend and apply it to the canvas.
   *
-   * rdp_get_frame returns raw RGBA bytes (width*height*4) serialised as a
+   * Binary format from backend: 8-byte header + pixel data
-   * base64 string over Tauri's IPC bridge. We decode it to Uint8ClampedArray
+   *   Header: [x: u16, y: u16, w: u16, h: u16] (little-endian)
-   * and wrap in an ImageData for putImageData().
+   *   If header is all zeros → full frame (width*height*4 bytes)
   *   If header is non-zero → dirty rectangle (w*h*4 bytes)
   *
   * Returns true if a frame was rendered, false if nothing changed.
   */
-  async function fetchFrame(
+  async function fetchAndRender(
    sessionId: string,
    width: number,
    height: number,
-  ): Promise<ImageData | null> {
+    ctx: CanvasRenderingContext2D,
-    let raw: string;
+  ): Promise<boolean> {
    let raw: ArrayBuffer;
    try {
-      raw = await invoke<string>("rdp_get_frame", { sessionId });
+      raw = await invoke<ArrayBuffer>("rdp_get_frame", { sessionId });
    } catch {
-      // Session may not be connected yet or backend returned an error — skip frame
+      return false;
      return null;
    }
-    if (!raw || raw.length === 0) return null;
+    if (!raw || raw.byteLength <= 8) return false;
-    // Decode base64 → binary string → Uint8ClampedArray
+    const view = new DataView(raw);
-    const binaryStr = atob(raw);
+    const rx = view.getUint16(0, true);
-    const bytes = new Uint8ClampedArray(binaryStr.length);
+    const ry = view.getUint16(2, true);
-    for (let i = 0; i < binaryStr.length; i++) {
+    const rw = view.getUint16(4, true);
-      bytes[i] = binaryStr.charCodeAt(i);
+    const rh = view.getUint16(6, true);
-    }
+    const pixelData = new Uint8ClampedArray(raw, 8);
-    // Validate: RGBA requires exactly width * height * 4 bytes
+    if (rx === 0 && ry === 0 && rw === 0 && rh === 0) {
      // Full frame
      const expected = width * height * 4;
-    if (bytes.length !== expected) {
+      if (pixelData.length !== expected) return false;
-      console.warn(
+      ctx.putImageData(new ImageData(pixelData, width, height), 0, 0);
-        `[useRdp] Frame size mismatch: got ${bytes.length}, expected ${expected}`,
+    } else {
-      );
+      // Dirty rectangle — apply at offset
-      return null;
+      const expected = rw * rh * 4;
      if (pixelData.length !== expected) return false;
      ctx.putImageData(new ImageData(pixelData, rw, rh), rx, ry);
    }
-    return new ImageData(bytes, width, height);
+    return true;
  }
  /**
@ -303,26 +310,36 @@ export function useRdp(): UseRdpReturn {
    canvas.width = width;
    canvas.height = height;
-    function renderLoop(): void {
+    let fetchPending = false;
-      frameCount++;
+    let rafScheduled = false;
-      // Throttle to ~30fps by skipping odd-numbered rAF ticks
+    // Fetch and render dirty region when backend signals new frame data.
-      if (frameCount % 2 === 0) {
+    // Uses rAF to coalesce rapid events into one fetch per display frame.
-        fetchFrame(sessionId, width, height).then((imageData) => {
+    function scheduleFrameFetch(): void {
-          if (imageData && ctx) {
+      if (rafScheduled) return;
-            ctx.putImageData(imageData, 0, 0);
+      rafScheduled = true;
-            // Mark connected on first successful frame
+      animFrameId = requestAnimationFrame(async () => {
-            if (!connected.value) {
+        rafScheduled = false;
-              connected.value = true;
+        if (fetchPending) return;
-            }
+        fetchPending = true;
-          }
+        if (!ctx) return;
        const rendered = await fetchAndRender(sessionId, width, height, ctx);
        fetchPending = false;
        if (rendered && !connected.value) connected.value = true;
      });
    }
-      animFrameId = requestAnimationFrame(renderLoop);
+    // Listen for frame events from the backend (push model)
-    }
+    import("@tauri-apps/api/event").then(({ listen }) => {
      listen(`rdp:frame:${sessionId}`, () => {
        scheduleFrameFetch();
      }).then((unlisten) => {
        unlistenFrame = unlisten;
      });
    });
-    animFrameId = requestAnimationFrame(renderLoop);
+    // Initial poll in case frames arrived before listener was set up
    scheduleFrameFetch();
  }
  /**
@ -333,8 +350,11 @@ export function useRdp(): UseRdpReturn {
      cancelAnimationFrame(animFrameId);
      animFrameId = null;
    }
    if (unlistenFrame !== null) {
      unlistenFrame();
      unlistenFrame = null;
    }
    connected.value = false;
    frameCount = 0;
  }
  function toggleKeyboardGrab(): void {
@ -353,7 +373,7 @@ export function useRdp(): UseRdpReturn {
    connected,
    keyboardGrabbed,
    clipboardSync,
-    fetchFrame,
+    fetchAndRender,
    sendMouse,
    sendKey,
    sendClipboard,
--- a/src/composables/useSftp.ts
+++ b/src/composables/useSftp.ts
@ -1,4 +1,4 @@
-import { ref, onBeforeUnmount, type Ref } from "vue";
+import { ref, watch, onBeforeUnmount, type Ref } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { listen, type UnlistenFn } from "@tauri-apps/api/event";
@ -21,20 +21,29 @@ export interface UseSftpReturn {
  refresh: () => Promise<void>;
 }
 // Persist the last browsed path per session so switching tabs restores position
 const sessionPaths: Record<string, string> = {};
 /** Remove a session's saved path from the module-level cache. Call on session close. */
 export function cleanupSession(sessionId: string): void {
  delete sessionPaths[sessionId];
 }
 /**
 * Composable that manages SFTP file browsing state.
- * Calls the Rust SFTP commands via Tauri invoke.
+ * Accepts a reactive session ID ref so it reinitializes on tab switch
 * without destroying the component.
 */
-export function useSftp(sessionId: string): UseSftpReturn {
+export function useSftp(sessionIdRef: Ref<string>): UseSftpReturn {
  const currentPath = ref("/");
  const entries = ref<FileEntry[]>([]);
  const isLoading = ref(false);
  const followTerminal = ref(true);
  // Holds the unlisten function returned by listen() — called on cleanup.
  let unlistenCwd: UnlistenFn | null = null;
  let currentSessionId = "";
-  async function listDirectory(path: string): Promise<FileEntry[]> {
+  async function listDirectory(sessionId: string, path: string): Promise<FileEntry[]> {
    try {
      const result = await invoke<FileEntry[]>("sftp_list", { sessionId, path });
      return result ?? [];
@ -45,10 +54,12 @@ export function useSftp(sessionId: string): UseSftpReturn {
  }
  async function navigateTo(path: string): Promise<void> {
    if (!currentSessionId) return;
    isLoading.value = true;
    try {
      currentPath.value = path;
-      entries.value = await listDirectory(path);
+      sessionPaths[currentSessionId] = path;
      entries.value = await listDirectory(currentSessionId, path);
    } finally {
      isLoading.value = false;
    }
@ -68,25 +79,63 @@ export function useSftp(sessionId: string): UseSftpReturn {
    await navigateTo(currentPath.value);
  }
-  // Listen for CWD changes from the Rust backend (OSC 7 tracking).
+  async function switchToSession(sessionId: string): Promise<void> {
-  // listen() returns Promise<UnlistenFn> — store it for cleanup.
+    if (!sessionId) {
-  listen<string>(`ssh:cwd:${sessionId}`, (event) => {
+      entries.value = [];
      return;
    }
    // Save current path for the old session
    if (currentSessionId) {
      sessionPaths[currentSessionId] = currentPath.value;
    }
    // Unlisten old CWD events
    if (unlistenCwd) {
      unlistenCwd();
      unlistenCwd = null;
    }
    currentSessionId = sessionId;
    // Restore saved path or default to root
    const savedPath = sessionPaths[sessionId] || "/";
    currentPath.value = savedPath;
    // Load the directory
    isLoading.value = true;
    try {
      entries.value = await listDirectory(sessionId, savedPath);
    } finally {
      isLoading.value = false;
    }
    // Listen for CWD changes on the new session
    try {
      unlistenCwd = await listen<string>(`ssh:cwd:${sessionId}`, (event) => {
        if (!followTerminal.value) return;
        const newPath = event.payload;
        if (newPath && newPath !== currentPath.value) {
          navigateTo(newPath);
        }
  }).then((unlisten) => {
    unlistenCwd = unlisten;
      });
    } catch {
      // Event listener setup failed — non-fatal
    }
  }
  // React to session ID changes
  watch(sessionIdRef, (newId) => {
    switchToSession(newId);
  }, { immediate: true });
  onBeforeUnmount(() => {
    if (currentSessionId) {
      sessionPaths[currentSessionId] = currentPath.value;
    }
    if (unlistenCwd) unlistenCwd();
  });
  // Load home directory on init
  navigateTo("/home");
  return {
    currentPath,
    entries,
--- a/src/composables/useTerminal.ts
+++ b/src/composables/useTerminal.ts
@ -5,6 +5,7 @@ import { SearchAddon } from "@xterm/addon-search";
 import { WebLinksAddon } from "@xterm/addon-web-links";
 import { invoke } from "@tauri-apps/api/core";
 import { listen, type UnlistenFn } from "@tauri-apps/api/event";
 import { useSessionStore } from "@/stores/session.store";
 import "@xterm/xterm/css/xterm.css";
 /** MobaXTerm Classic–inspired terminal theme colors. */
@ -13,8 +14,9 @@ const defaultTheme = {
  foreground: "#e0e0e0",
  cursor: "#58a6ff",
  cursorAccent: "#0d1117",
-  selectionBackground: "rgba(88, 166, 255, 0.3)",
+  selectionBackground: "#264f78",
  selectionForeground: "#ffffff",
  selectionInactiveBackground: "#264f78",
  black: "#0d1117",
  red: "#f85149",
  green: "#3fb950",
@ -69,7 +71,9 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
    cursorStyle: "block",
    scrollback: 10000,
    allowProposedApi: true,
-    convertEol: backend === 'ssh',
+    // SSH always needs EOL conversion. PTY needs it on Windows (ConPTY sends bare \n)
    // but not on Unix (PTY driver handles LF→CRLF). navigator.platform is the simplest check.
    convertEol: backend === 'ssh' || navigator.platform.startsWith('Win'),
    rightClickSelectsWord: false,
  });
@ -152,6 +156,7 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
    // cell widths — producing tiny dashes and 200+ column terminals.
    document.fonts.ready.then(() => {
      fitAddon.fit();
      terminal.focus();
    });
    // Right-click paste on the terminal's DOM element
@ -160,7 +165,17 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
    // Subscribe to SSH output events for this session.
    // Tauri v2 listen() callback receives { payload: T } — the base64 string
    // is in event.payload (not event.data as in Wails).
    // Throttle activity marking to avoid Vue reactivity storms
    let lastActivityMark = 0;
    unlistenPromise = listen<string>(dataEvent, (event) => {
      // Mark tab activity at most once per second
      const now = Date.now();
      if (now - lastActivityMark > 1000) {
        lastActivityMark = now;
        try { useSessionStore().markActivity(sessionId); } catch {}
      }
      const b64data = event.payload;
      try {
@ -187,9 +202,12 @@ export function useTerminal(sessionId: string, backend: 'ssh' | 'pty' = 'ssh'):
      unlistenFn = fn;
    });
-    // Auto-fit when the container resizes
+    // Auto-fit when the container resizes — but only if visible
-    resizeObserver = new ResizeObserver(() => {
+    resizeObserver = new ResizeObserver((entries) => {
      const entry = entries[0];
      if (entry && entry.contentRect.width > 50 && entry.contentRect.height > 50) {
        fitAddon.fit();
      }
    });
    resizeObserver.observe(container);
  }
--- a/src/layouts/MainLayout.vue
+++ b/src/layouts/MainLayout.vue
@ -50,6 +50,138 @@
            </button>
          </div>
        </div>
        <!-- Tools menu -->
        <div class="relative">
          <button
            class="text-xs text-[var(--wraith-text-secondary)] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer px-2 py-1 rounded hover:bg-[var(--wraith-bg-tertiary)]"
            @click="showToolsMenu = !showToolsMenu"
            @blur="closeToolsMenuDeferred"
          >
            Tools
          </button>
          <div
            v-if="showToolsMenu"
            class="absolute top-full left-0 mt-0.5 w-56 bg-[#161b22] border border-[#30363d] rounded-lg shadow-2xl overflow-hidden z-50 py-1"
          >
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('network-scanner')"
            >
              <span class="flex-1">Network Scanner</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('port-scanner')"
            >
              <span class="flex-1">Port Scanner</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('ping')"
            >
              <span class="flex-1">Ping</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('traceroute')"
            >
              <span class="flex-1">Traceroute</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('dns-lookup')"
            >
              <span class="flex-1">DNS Lookup</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('whois')"
            >
              <span class="flex-1">Whois</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('bandwidth')"
            >
              <span class="flex-1">Bandwidth Test</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('subnet-calc')"
            >
              <span class="flex-1">Subnet Calculator</span>
            </button>
            <div class="border-t border-[#30363d] my-1" />
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('docker')"
            >
              <span class="flex-1">Docker Manager</span>
            </button>
            <div class="border-t border-[#30363d] my-1" />
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('wake-on-lan')"
            >
              <span class="flex-1">Wake on LAN</span>
            </button>
            <div class="border-t border-[#30363d] my-1" />
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('ssh-keygen')"
            >
              <span class="flex-1">SSH Key Generator</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleToolAction('password-gen')"
            >
              <span class="flex-1">Password Generator</span>
            </button>
          </div>
        </div>
        <!-- Help menu -->
        <div class="relative">
          <button
            class="text-xs text-[var(--wraith-text-secondary)] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer px-2 py-1 rounded hover:bg-[var(--wraith-bg-tertiary)]"
            @click="showHelpMenu = !showHelpMenu"
            @blur="closeHelpMenuDeferred"
          >
            Help
          </button>
          <div
            v-if="showHelpMenu"
            class="absolute top-full left-0 mt-0.5 w-56 bg-[#161b22] border border-[#30363d] rounded-lg shadow-2xl overflow-hidden z-50 py-1"
          >
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleHelpAction('guide')"
            >
              <span class="flex-1">Getting Started</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleHelpAction('shortcuts')"
            >
              <span class="flex-1">Keyboard Shortcuts</span>
            </button>
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleHelpAction('mcp')"
            >
              <span class="flex-1">MCP Integration</span>
            </button>
            <div class="border-t border-[#30363d] my-1" />
            <button
              class="w-full flex items-center gap-3 px-4 py-2 text-xs text-left text-[var(--wraith-text-secondary)] hover:bg-[#30363d] hover:text-[var(--wraith-text-primary)] transition-colors cursor-pointer"
              @mousedown.prevent="handleHelpAction('about')"
            >
              <span class="flex-1">About Wraith</span>
            </button>
          </div>
        </div>
      </div>
      <!-- Quick Connect -->
@ -151,15 +283,6 @@
        <!-- Tab bar -->
        <TabBar />
        <!-- Inline file editor -->
        <EditorWindow
          v-if="editorFile"
          :content="editorFile.content"
          :file-path="editorFile.path"
          :session-id="editorFile.sessionId"
          @close="editorFile = null"
        />
        <!-- Session area -->
        <SessionContainer ref="sessionContainer" />
      </div>
@ -185,6 +308,7 @@
 <script setup lang="ts">
 import { ref, computed, onMounted, onUnmounted } from "vue";
 import { useKeyboardShortcuts } from "@/composables/useKeyboardShortcuts";
 import { invoke } from "@tauri-apps/api/core";
 import { getCurrentWindow } from "@tauri-apps/api/window";
 import { useAppStore } from "@/stores/app.store";
@ -201,7 +325,6 @@ import SettingsModal from "@/components/common/SettingsModal.vue";
 import ConnectionEditDialog from "@/components/connections/ConnectionEditDialog.vue";
 import FileTree from "@/components/sftp/FileTree.vue";
 import TransferProgress from "@/components/sftp/TransferProgress.vue";
 import EditorWindow from "@/components/editor/EditorWindow.vue";
 import CopilotPanel from "@/components/ai/CopilotPanel.vue";
 import type { FileEntry } from "@/composables/useSftp";
@ -226,14 +349,75 @@ const connectionEditDialog = ref<InstanceType<typeof ConnectionEditDialog> | nul
 const statusBar = ref<InstanceType<typeof StatusBar> | null>(null);
 const sessionContainer = ref<InstanceType<typeof SessionContainer> | null>(null);
 interface EditorFile { path: string; content: string; sessionId: string; }
 const editorFile = ref<EditorFile | null>(null);
 const showFileMenu = ref(false);
 const showToolsMenu = ref(false);
 const showHelpMenu = ref(false);
 function closeFileMenuDeferred(): void {
  setTimeout(() => { showFileMenu.value = false; }, 150);
 }
 function closeToolsMenuDeferred(): void {
  setTimeout(() => { showToolsMenu.value = false; }, 150);
 }
 function closeHelpMenuDeferred(): void {
  setTimeout(() => { showHelpMenu.value = false; }, 150);
 }
 async function handleHelpAction(page: string): Promise<void> {
  showHelpMenu.value = false;
  try {
    await invoke("open_child_window", {
      label: `help-${page}-${Date.now()}`,
      title: "Wraith — Help",
      url: `index.html#/tool/help?page=${page}`,
      width: 750, height: 600,
    });
  } catch (err) { console.error("Help window error:", err); alert("Window error: " + String(err)); }
 }
 async function handleToolAction(tool: string): Promise<void> {
  showToolsMenu.value = false;
  // Tools that don't need a session
  const localTools = ["ssh-keygen", "password-gen", "subnet-calc"];
  if (!localTools.includes(tool) && !activeSessionId.value) {
    alert("Connect to a server first — network tools run through SSH sessions.");
    return;
  }
  const toolConfig: Record<string, { title: string; width: number; height: number }> = {
    "network-scanner": { title: "Network Scanner", width: 800, height: 600 },
    "port-scanner": { title: "Port Scanner", width: 700, height: 500 },
    "ping": { title: "Ping", width: 600, height: 400 },
    "traceroute": { title: "Traceroute", width: 600, height: 500 },
    "dns-lookup": { title: "DNS Lookup", width: 600, height: 400 },
    "whois": { title: "Whois", width: 700, height: 500 },
    "bandwidth": { title: "Bandwidth Test", width: 700, height: 450 },
    "subnet-calc": { title: "Subnet Calculator", width: 650, height: 350 },
    "docker": { title: "Docker Manager", width: 900, height: 600 },
    "wake-on-lan": { title: "Wake on LAN", width: 500, height: 300 },
    "ssh-keygen": { title: "SSH Key Generator", width: 700, height: 500 },
    "password-gen": { title: "Password Generator", width: 500, height: 400 },
  };
  const config = toolConfig[tool];
  if (!config) return;
  const sessionId = activeSessionId.value || "";
  try {
    await invoke("open_child_window", {
      label: `tool-${tool}-${Date.now()}`,
      title: `Wraith — ${config.title}`,
      url: `index.html#/tool/${tool}?sessionId=${sessionId}`,
      width: config.width, height: config.height,
    });
  } catch (err) { console.error("Tool window error:", err); alert("Tool window error: " + String(err)); }
 }
 async function handleFileMenuAction(action: string): Promise<void> {
  showFileMenu.value = false;
  switch (action) {
@ -251,9 +435,15 @@ function handleThemeSelect(theme: ThemeDefinition): void {
 async function handleOpenFile(entry: FileEntry): Promise<void> {
  if (!activeSessionId.value) return;
  try {
-    const content = await invoke<string>("sftp_read_file", { sessionId: activeSessionId.value, path: entry.path });
+    const fileName = entry.path.split("/").pop() || entry.path;
-    editorFile.value = { path: entry.path, content, sessionId: activeSessionId.value };
+    const sessionId = activeSessionId.value;
-  } catch (err) { console.error("Failed to open SFTP file:", err); }
+    await invoke("open_child_window", {
      label: `editor-${Date.now()}`,
      title: `${fileName} — Wraith Editor`,
      url: `index.html#/tool/editor?sessionId=${sessionId}&path=${encodeURIComponent(entry.path)}`,
      width: 800, height: 600,
    });
  } catch (err) { console.error("Failed to open editor:", err); }
 }
 async function handleQuickConnect(): Promise<void> {
@ -279,27 +469,81 @@ async function handleQuickConnect(): Promise<void> {
  } catch (err) { console.error("Quick connect failed:", err); }
 }
-function handleKeydown(event: KeyboardEvent): void {
+useKeyboardShortcuts({
-  const target = event.target as HTMLElement;
+  sessionStore,
-  const isInputFocused = target.tagName === "INPUT" || target.tagName === "TEXTAREA" || target.tagName === "SELECT";
+  sidebarVisible,
-  const ctrl = event.ctrlKey || event.metaKey;
+  copilotVisible,
-  if (ctrl && event.key === "k") { event.preventDefault(); commandPalette.value?.toggle(); return; }
+  openCommandPalette: () => commandPalette.value?.toggle(),
-  if (isInputFocused) return;
+  openActiveSearch: () => sessionContainer.value?.openActiveSearch(),
-  if (ctrl && event.key === "w") { event.preventDefault(); const active = sessionStore.activeSession; if (active) sessionStore.closeSession(active.id); return; }
+});
-  if (ctrl && event.key === "Tab" && !event.shiftKey) { event.preventDefault(); const sessions = sessionStore.sessions; if (sessions.length < 2) return; const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId); const next = sessions[(idx + 1) % sessions.length]; sessionStore.activateSession(next.id); return; }
+
-  if (ctrl && event.key === "Tab" && event.shiftKey) { event.preventDefault(); const sessions = sessionStore.sessions; if (sessions.length < 2) return; const idx = sessions.findIndex((s) => s.id === sessionStore.activeSessionId); const prev = sessions[(idx - 1 + sessions.length) % sessions.length]; sessionStore.activateSession(prev.id); return; }
+let workspaceSaveInterval: ReturnType<typeof setInterval> | null = null;
-  if (ctrl && event.key >= "1" && event.key <= "9") { const tabIndex = parseInt(event.key, 10) - 1; const sessions = sessionStore.sessions; if (tabIndex < sessions.length) { event.preventDefault(); sessionStore.activateSession(sessions[tabIndex].id); } return; }
+
-  if (ctrl && event.key === "b") { event.preventDefault(); sidebarVisible.value = !sidebarVisible.value; return; }
+function handleBeforeUnload(e: BeforeUnloadEvent): void {
-  if (ctrl && event.shiftKey && event.key.toLowerCase() === "g") { event.preventDefault(); copilotVisible.value = !copilotVisible.value; return; }
+  if (sessionStore.sessions.length > 0) {
-  if (ctrl && event.key === "f") { const active = sessionStore.activeSession; if (active?.protocol === "ssh") { event.preventDefault(); sessionContainer.value?.openActiveSearch(); } return; }
+    e.preventDefault();
  }
 }
 onMounted(async () => {
-  document.addEventListener("keydown", handleKeydown);
+  // Confirm before closing if sessions are active (synchronous — won't hang)
  window.addEventListener("beforeunload", handleBeforeUnload);
  await connectionStore.loadAll();
  // Restore saved theme so every terminal opens with the user's preferred colors
  try {
    const savedThemeName = await invoke<string | null>("get_setting", { key: "active_theme" });
    if (savedThemeName) {
      const themes = await invoke<Array<{ name: string; foreground: string; background: string; cursor: string; black: string; red: string; green: string; yellow: string; blue: string; magenta: string; cyan: string; white: string; brightBlack: string; brightRed: string; brightGreen: string; brightYellow: string; brightBlue: string; brightMagenta: string; brightCyan: string; brightWhite: string }>>("list_themes");
      const theme = themes?.find(t => t.name === savedThemeName);
      if (theme) {
        sessionStore.setTheme(theme);
        statusBar.value?.setThemeName(theme.name);
      }
    }
  } catch {}
  // Restore workspace — reconnect saved tabs (non-blocking, non-fatal)
  setTimeout(async () => {
    try {
      const workspace = await invoke<{ tabs: { connectionId: number; protocol: string; position: number }[] } | null>("load_workspace");
      if (workspace?.tabs?.length) {
        for (const tab of workspace.tabs.sort((a, b) => a.position - b.position)) {
          try { await sessionStore.connect(tab.connectionId); } catch {}
        }
      }
    } catch {}
  }, 500);
  // Auto-save workspace every 30 seconds instead of on close
  // (onCloseRequested was hanging the window close on Windows)
  workspaceSaveInterval = setInterval(() => {
    const tabs = sessionStore.sessions
      .filter(s => s.protocol === "ssh" || s.protocol === "rdp")
      .map((s, i) => ({ connectionId: s.connectionId, protocol: s.protocol, position: i }));
    if (tabs.length > 0) {
      invoke("save_workspace", { tabs }).catch(() => {});
    }
  }, 30000);
  // Check for updates on startup via Tauri updater plugin (non-blocking)
  invoke<{ currentVersion: string; latestVersion: string; updateAvailable: boolean; downloadUrl: string }>("check_for_updates")
    .then((info) => {
      if (info.updateAvailable) {
        if (confirm(`Wraith v${info.latestVersion} is available (you have v${info.currentVersion}). Open download page?`)) {
          import("@tauri-apps/plugin-shell").then(({ open }) => open(info.downloadUrl)).catch(() => window.open(info.downloadUrl, "_blank"));
        }
      }
    })
    .catch(() => {});
 });
 onUnmounted(() => {
-  document.removeEventListener("keydown", handleKeydown);
+  window.removeEventListener("beforeunload", handleBeforeUnload);
  if (workspaceSaveInterval !== null) {
    clearInterval(workspaceSaveInterval);
    workspaceSaveInterval = null;
  }
 });
 </script>
--- a/src/layouts/UnlockLayout.vue
+++ b/src/layouts/UnlockLayout.vue
@ -50,68 +50,25 @@ const displayError = computed(() => localError.value ?? app.error);
 </script>
 <template>
-  <div
+  <div class="h-full flex items-center justify-center bg-[var(--wraith-bg-primary)]">
-    class="unlock-root"
+    <div class="w-full max-w-[400px] p-10 bg-[var(--wraith-bg-secondary)] border border-[var(--wraith-border)] rounded-xl shadow-[0_8px_32px_rgba(0,0,0,0.5)]">
    style="
      height: 100%;
      display: flex;
      align-items: center;
      justify-content: center;
      background-color: var(--wraith-bg-primary);
    "
  >
    <div
      class="unlock-card"
      style="
        width: 100%;
        max-width: 400px;
        padding: 2.5rem;
        background-color: var(--wraith-bg-secondary);
        border: 1px solid var(--wraith-border);
        border-radius: 12px;
        box-shadow: 0 8px 32px rgba(0, 0, 0, 0.5);
      "
    >
      <!-- Logo -->
-      <div style="text-align: center; margin-bottom: 2rem">
+      <div class="text-center mb-8">
-        <span
+        <span class="text-[2rem] font-extrabold tracking-[0.3em] text-[var(--wraith-accent-blue)] uppercase font-['Inter',monospace]">
          style="
            font-size: 2rem;
            font-weight: 800;
            letter-spacing: 0.3em;
            color: var(--wraith-accent-blue);
            text-transform: uppercase;
            font-family: 'Inter', monospace;
          "
        >
          WRAITH
        </span>
-        <p
+        <p class="mt-2 text-[0.8rem] text-[var(--wraith-text-muted)] tracking-[0.15em] uppercase">
          style="
            margin: 0.5rem 0 0;
            font-size: 0.8rem;
            color: var(--wraith-text-muted);
            letter-spacing: 0.15em;
            text-transform: uppercase;
          "
        >
          {{ isFirstRun ? "Initialize Secure Vault" : "Secure Desktop" }}
        </p>
      </div>
      <!-- Form -->
-      <form @submit.prevent="handleSubmit" style="display: flex; flex-direction: column; gap: 1rem">
+      <form @submit.prevent="handleSubmit" class="flex flex-col gap-4">
        <!-- Master password -->
        <div>
          <label
            for="master-password"
-            style="
+            class="block mb-[0.4rem] text-[0.8rem] text-[var(--wraith-text-secondary)] tracking-[0.05em]"
              display: block;
              margin-bottom: 0.4rem;
              font-size: 0.8rem;
              color: var(--wraith-text-secondary);
              letter-spacing: 0.05em;
            "
          >
            MASTER PASSWORD
          </label>
@ -122,20 +79,7 @@ const displayError = computed(() => localError.value ?? app.error);
            autocomplete="current-password"
            placeholder="Enter master password"
            :disabled="loading"
-            style="
+            class="w-full px-[0.9rem] py-[0.65rem] bg-[var(--wraith-bg-tertiary)] border border-[var(--wraith-border)] rounded-[6px] text-[var(--wraith-text-primary)] text-[0.95rem] outline-none transition-colors duration-150 box-border focus:border-[var(--wraith-accent-blue)]"
              width: 100%;
              padding: 0.65rem 0.9rem;
              background-color: var(--wraith-bg-tertiary);
              border: 1px solid var(--wraith-border);
              border-radius: 6px;
              color: var(--wraith-text-primary);
              font-size: 0.95rem;
              outline: none;
              transition: border-color 0.15s ease;
              box-sizing: border-box;
            "
            @focus="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-accent-blue)'"
            @blur="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-border)'"
          />
        </div>
@ -143,13 +87,7 @@ const displayError = computed(() => localError.value ?? app.error);
        <div v-if="isFirstRun">
          <label
            for="confirm-password"
-            style="
+            class="block mb-[0.4rem] text-[0.8rem] text-[var(--wraith-text-secondary)] tracking-[0.05em]"
              display: block;
              margin-bottom: 0.4rem;
              font-size: 0.8rem;
              color: var(--wraith-text-secondary);
              letter-spacing: 0.05em;
            "
          >
            CONFIRM PASSWORD
          </label>
@ -160,28 +98,9 @@ const displayError = computed(() => localError.value ?? app.error);
            autocomplete="new-password"
            placeholder="Confirm master password"
            :disabled="loading"
-            style="
+            class="w-full px-[0.9rem] py-[0.65rem] bg-[var(--wraith-bg-tertiary)] border border-[var(--wraith-border)] rounded-[6px] text-[var(--wraith-text-primary)] text-[0.95rem] outline-none transition-colors duration-150 box-border focus:border-[var(--wraith-accent-blue)]"
              width: 100%;
              padding: 0.65rem 0.9rem;
              background-color: var(--wraith-bg-tertiary);
              border: 1px solid var(--wraith-border);
              border-radius: 6px;
              color: var(--wraith-text-primary);
              font-size: 0.95rem;
              outline: none;
              transition: border-color 0.15s ease;
              box-sizing: border-box;
            "
            @focus="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-accent-blue)'"
            @blur="($event.target as HTMLInputElement).style.borderColor = 'var(--wraith-border)'"
          />
-          <p
+          <p class="mt-[0.4rem] text-[0.75rem] text-[var(--wraith-text-muted)]">
            style="
              margin: 0.4rem 0 0;
              font-size: 0.75rem;
              color: var(--wraith-text-muted);
            "
          >
            Minimum 12 characters. This password cannot be recovered.
          </p>
        </div>
@ -189,14 +108,7 @@ const displayError = computed(() => localError.value ?? app.error);
        <!-- Error message -->
        <div
          v-if="displayError"
-          style="
+          class="px-[0.9rem] py-[0.6rem] bg-[rgba(248,81,73,0.1)] border border-[rgba(248,81,73,0.3)] rounded-[6px] text-[var(--wraith-accent-red)] text-[0.85rem]"
            padding: 0.6rem 0.9rem;
            background-color: rgba(248, 81, 73, 0.1);
            border: 1px solid rgba(248, 81, 73, 0.3);
            border-radius: 6px;
            color: var(--wraith-accent-red);
            font-size: 0.85rem;
          "
        >
          {{ displayError }}
        </div>
@ -205,22 +117,8 @@ const displayError = computed(() => localError.value ?? app.error);
        <button
          type="submit"
          :disabled="loading"
-          style="
+          class="w-full py-[0.7rem] mt-2 bg-[var(--wraith-accent-blue)] text-[#0d1117] font-bold text-[0.9rem] tracking-[0.08em] uppercase border-none rounded-[6px] transition-[opacity,background-color] duration-150"
-            width: 100%;
+          :class="loading ? 'opacity-60 cursor-not-allowed' : 'cursor-pointer'"
            padding: 0.7rem;
            margin-top: 0.5rem;
            background-color: var(--wraith-accent-blue);
            color: #0d1117;
            font-weight: 700;
            font-size: 0.9rem;
            letter-spacing: 0.08em;
            text-transform: uppercase;
            border: none;
            border-radius: 6px;
            cursor: pointer;
            transition: opacity 0.15s ease, background-color 0.15s ease;
          "
          :style="{ opacity: loading ? '0.6' : '1', cursor: loading ? 'not-allowed' : 'pointer' }"
        >
          <span v-if="loading">
            {{ isFirstRun ? "Creating vault..." : "Unlocking..." }}
@ -232,14 +130,7 @@ const displayError = computed(() => localError.value ?? app.error);
      </form>
      <!-- Footer hint -->
-      <p
+      <p class="mt-6 text-center text-[0.75rem] text-[var(--wraith-text-muted)]">
        style="
          margin: 1.5rem 0 0;
          text-align: center;
          font-size: 0.75rem;
          color: var(--wraith-text-muted);
        "
      >
        <template v-if="isFirstRun">
          Your vault will be encrypted with AES-256-GCM.
        </template>
--- a/src/stores/connection.store.ts
+++ b/src/stores/connection.store.ts
@ -51,22 +51,33 @@ export const useConnectionStore = defineStore("connection", () => {
    );
  });
-  /** Get connections belonging to a specific group. */
+  /** Memoized map of groupId → filtered connections. Recomputes only when connections or searchQuery change. */
-  function connectionsByGroup(groupId: number): Connection[] {
+  const connectionsByGroupMap = computed<Record<number, Connection[]>>(() => {
    const q = searchQuery.value.toLowerCase().trim();
-    const groupConns = connections.value.filter((c) => c.groupId === groupId);
+    const map: Record<number, Connection[]> = {};
-    if (!q) return groupConns;
+    for (const c of connections.value) {
-    return groupConns.filter(
+      if (c.groupId === null) continue;
-      (c) =>
+      if (q) {
        const match =
          c.name.toLowerCase().includes(q) ||
          c.hostname.toLowerCase().includes(q) ||
-        c.tags?.some((t) => t.toLowerCase().includes(q)),
+          c.tags?.some((t) => t.toLowerCase().includes(q));
-    );
+        if (!match) continue;
      }
      if (!map[c.groupId]) map[c.groupId] = [];
      map[c.groupId].push(c);
    }
    return map;
  });
  /** Get connections belonging to a specific group. */
  function connectionsByGroup(groupId: number): Connection[] {
    return connectionsByGroupMap.value[groupId] ?? [];
  }
  /** Check if a group has any matching connections (for search filtering). */
  function groupHasResults(groupId: number): boolean {
-    return connectionsByGroup(groupId).length > 0;
+    return (connectionsByGroupMap.value[groupId]?.length ?? 0) > 0;
  }
  /** Load connections from the Rust backend. */
@ -101,6 +112,7 @@ export const useConnectionStore = defineStore("connection", () => {
    groups,
    searchQuery,
    filteredConnections,
    connectionsByGroupMap,
    connectionsByGroup,
    groupHasResults,
    loadConnections,
--- a/src/stores/session.store.ts
+++ b/src/stores/session.store.ts
@ -1,6 +1,8 @@
 import { defineStore } from "pinia";
 import { ref, computed } from "vue";
 import { invoke } from "@tauri-apps/api/core";
 import { listen } from "@tauri-apps/api/event";
 import type { UnlistenFn } from "@tauri-apps/api/event";
 import { useConnectionStore } from "@/stores/connection.store";
 import type { ThemeDefinition } from "@/components/common/ThemePicker.vue";
@ -8,9 +10,11 @@ export interface Session {
  id: string;
  connectionId: number;
  name: string;
-  protocol: "ssh" | "rdp";
+  protocol: "ssh" | "rdp" | "local";
  active: boolean;
  username?: string;
  status: "connected" | "disconnected";
  hasActivity: boolean;
 }
 export interface TerminalDimensions {
@ -36,8 +40,42 @@ export const useSessionStore = defineStore("session", () => {
  const sessionCount = computed(() => sessions.value.length);
  const sessionUnlisteners = new Map<string, Array<UnlistenFn>>();
  // Listen for backend close/exit events to update session status
  async function setupStatusListeners(sessionId: string): Promise<void> {
    const unlisteners: UnlistenFn[] = [];
    unlisteners.push(await listen(`ssh:close:${sessionId}`, () => markDisconnected(sessionId)));
    unlisteners.push(await listen(`ssh:exit:${sessionId}`, () => markDisconnected(sessionId)));
    sessionUnlisteners.set(sessionId, unlisteners);
  }
  function markDisconnected(sessionId: string): void {
    const session = sessions.value.find((s) => s.id === sessionId);
    if (session) session.status = "disconnected";
  }
  function activateSession(id: string): void {
    activeSessionId.value = id;
    // Clear activity indicator when switching to tab
    const session = sessions.value.find(s => s.id === id);
    if (session) session.hasActivity = false;
  }
  /** Mark a background tab as having new activity. */
  function markActivity(sessionId: string): void {
    if (sessionId === activeSessionId.value) return; // don't flash the active tab
    const session = sessions.value.find(s => s.id === sessionId);
    if (session) session.hasActivity = true;
  }
  /** Reorder sessions by moving a tab from one index to another. */
  function moveSession(fromIndex: number, toIndex: number): void {
    if (fromIndex === toIndex) return;
    if (fromIndex < 0 || toIndex < 0) return;
    if (fromIndex >= sessions.value.length || toIndex >= sessions.value.length) return;
    const [moved] = sessions.value.splice(fromIndex, 1);
    sessions.value.splice(toIndex, 0, moved);
  }
  async function closeSession(id: string): Promise<void> {
@ -48,7 +86,9 @@ export const useSessionStore = defineStore("session", () => {
    // Disconnect the backend session using the protocol-appropriate command
    try {
-      if (session.protocol === "rdp") {
+      if (session.protocol === "local") {
        await invoke("disconnect_pty", { sessionId: session.id });
      } else if (session.protocol === "rdp") {
        await invoke("disconnect_rdp", { sessionId: session.id });
      } else {
        await invoke("disconnect_session", { sessionId: session.id });
@ -57,6 +97,12 @@ export const useSessionStore = defineStore("session", () => {
      console.error("Failed to disconnect session:", err);
    }
    const unlisteners = sessionUnlisteners.get(id);
    if (unlisteners) {
      unlisteners.forEach((fn) => fn());
      sessionUnlisteners.delete(id);
    }
    sessions.value.splice(idx, 1);
    if (activeSessionId.value === id) {
@ -80,38 +126,31 @@ export const useSessionStore = defineStore("session", () => {
    return count === 0 ? baseName : `${baseName} (${count + 1})`;
  }
-  /**
+  type CredentialRow = { id: number; name: string; username: string | null; domain?: string | null; credentialType: string; sshKeyId: number | null };
   * Connect to a server by connection ID.
   * Multiple sessions to the same host are allowed (MobaXTerm-style).
   * Each gets its own tab with a disambiguated name like "Asgard (2)".
   *
   * For Tauri: we must resolve the connection details ourselves and pass
   * hostname/port/username/password directly to connect_ssh, because the
   * Rust side has no knowledge of connection IDs — the vault owns credentials.
   */
  async function connect(connectionId: number): Promise<void> {
    const connectionStore = useConnectionStore();
    const conn = connectionStore.connections.find((c) => c.id === connectionId);
    if (!conn) return;
-    connecting.value = true;
+  async function resolveCredentials(credentialId: number): Promise<CredentialRow | null> {
    try {
-      if (conn.protocol === "ssh") {
+      const allCreds = await invoke<CredentialRow[]>("list_credentials");
      return allCreds.find((c) => c.id === credentialId) ?? null;
    } catch (credErr) {
      console.warn("Failed to resolve credential:", credErr);
      return null;
    }
  }
  async function connectSsh(
    conn: { id: number; name: string; hostname: string; port: number; credentialId?: number | null },
    connectionId: number,
  ): Promise<void> {
    let sessionId: string;
    let resolvedUsername = "";
    let resolvedPassword = "";
        // If connection has a linked credential, decrypt it from the vault
    if (conn.credentialId) {
-          try {
+      const cred = await resolveCredentials(conn.credentialId);
            const allCreds = await invoke<{ id: number; name: string; username: string | null; credentialType: string; sshKeyId: number | null }[]>("list_credentials");
            const cred = allCreds.find((c) => c.id === conn.credentialId);
      if (cred) {
        resolvedUsername = cred.username ?? "";
        if (cred.credentialType === "ssh_key" && cred.sshKeyId) {
                // SSH key auth — decrypt key from vault
          const [privateKey, passphrase] = await invoke<[string, string]>("decrypt_ssh_key", { sshKeyId: cred.sshKeyId });
          sessionId = await invoke<string>("connect_ssh_with_key", {
            hostname: conn.hostname,
@ -122,7 +161,6 @@ export const useSessionStore = defineStore("session", () => {
            cols: 120,
            rows: 40,
          });
          sessions.value.push({
            id: sessionId,
            connectionId,
@ -130,24 +168,20 @@ export const useSessionStore = defineStore("session", () => {
            protocol: "ssh",
            active: true,
            username: resolvedUsername,
            status: "connected",
            hasActivity: false,
          });
          setupStatusListeners(sessionId);
          activeSessionId.value = sessionId;
-                return; // early return — key auth handled
+          return;
        } else {
                // Password auth — decrypt password from vault
          resolvedPassword = await invoke<string>("decrypt_password", { credentialId: cred.id });
        }
      }
          } catch (credErr) {
            console.warn("Failed to resolve credential, will prompt:", credErr);
          }
    }
    try {
-          if (!resolvedUsername) {
+      if (!resolvedUsername) throw new Error("NO_CREDENTIALS");
            // No credential linked — prompt immediately
            throw new Error("NO_CREDENTIALS");
          }
      sessionId = await invoke<string>("connect_ssh", {
        hostname: conn.hostname,
        port: conn.port,
@ -157,20 +191,13 @@ export const useSessionStore = defineStore("session", () => {
        rows: 40,
      });
    } catch (sshErr: unknown) {
-          const errMsg = sshErr instanceof Error
+      const errMsg = sshErr instanceof Error ? sshErr.message : typeof sshErr === "string" ? sshErr : String(sshErr);
            ? sshErr.message
            : typeof sshErr === "string"
              ? sshErr
              : String(sshErr);
          // If no credentials or auth failed, prompt for username/password
      const errLower = errMsg.toLowerCase();
      if (errLower.includes("no_credentials") || errLower.includes("unable to authenticate") || errLower.includes("authentication") || errLower.includes("rejected")) {
        const username = window.prompt(`Username for ${conn.hostname}:`, resolvedUsername || "root");
        if (!username) throw new Error("Connection cancelled");
        const password = window.prompt(`Password for ${username}@${conn.hostname}:`);
        if (password === null) throw new Error("Connection cancelled");
        resolvedUsername = username;
        sessionId = await invoke<string>("connect_ssh", {
          hostname: conn.hostname,
@ -192,15 +219,31 @@ export const useSessionStore = defineStore("session", () => {
      protocol: "ssh",
      active: true,
      username: resolvedUsername,
      status: "connected",
      hasActivity: false,
    });
    setupStatusListeners(sessionId);
    activeSessionId.value = sessionId;
-      } else if (conn.protocol === "rdp") {
+  }
  async function connectRdp(
    conn: { id: number; name: string; hostname: string; port: number; credentialId?: number | null; options?: string },
    connectionId: number,
  ): Promise<void> {
    let username = "";
    let password = "";
    let domain = "";
-        // Extract stored credentials from connection options JSON if present
+    if (conn.credentialId) {
-        if (conn.options) {
+      const cred = await resolveCredentials(conn.credentialId);
      if (cred && cred.credentialType === "password") {
        username = cred.username ?? "";
        domain = cred.domain ?? "";
        password = await invoke<string>("decrypt_password", { credentialId: cred.id });
      }
    }
    if (!username && conn.options) {
      try {
        const opts = JSON.parse(conn.options);
        if (opts?.username) username = opts.username;
@ -214,53 +257,19 @@ export const useSessionStore = defineStore("session", () => {
    let sessionId: string;
    try {
      sessionId = await invoke<string>("connect_rdp", {
-            config: {
+        config: { hostname: conn.hostname, port: conn.port, username, password, domain, width: 1920, height: 1080 },
              hostname: conn.hostname,
              port: conn.port,
              username,
              password,
              domain,
              width: 1920,
              height: 1080,
            },
      });
    } catch (rdpErr: unknown) {
-          const errMsg =
+      const errMsg = rdpErr instanceof Error ? rdpErr.message : typeof rdpErr === "string" ? rdpErr : String(rdpErr);
-            rdpErr instanceof Error
+      if (errMsg.includes("NO_CREDENTIALS") || errMsg.includes("authentication") || errMsg.includes("logon failure")) {
-              ? rdpErr.message
+        const promptedUsername = prompt(`Username for ${conn.hostname}:`, "Administrator");
              : typeof rdpErr === "string"
                ? rdpErr
                : String(rdpErr);
          // If credentials are missing or rejected, prompt the operator
          if (
            errMsg.includes("NO_CREDENTIALS") ||
            errMsg.includes("authentication") ||
            errMsg.includes("logon failure")
          ) {
            const promptedUsername = prompt(
              `Username for ${conn.hostname}:`,
              "Administrator",
            );
        if (!promptedUsername) throw new Error("Connection cancelled");
-            const promptedPassword = prompt(
+        const promptedPassword = prompt(`Password for ${promptedUsername}@${conn.hostname}:`);
              `Password for ${promptedUsername}@${conn.hostname}:`,
            );
        if (promptedPassword === null) throw new Error("Connection cancelled");
        const promptedDomain = prompt(`Domain (leave blank if none):`, "") ?? "";
        username = promptedUsername;
        sessionId = await invoke<string>("connect_rdp", {
-              config: {
+          config: { hostname: conn.hostname, port: conn.port, username: promptedUsername, password: promptedPassword, domain: promptedDomain, width: 1920, height: 1080 },
                hostname: conn.hostname,
                port: conn.port,
                username: promptedUsername,
                password: promptedPassword,
                domain: promptedDomain,
                width: 1920,
                height: 1080,
              },
        });
      } else {
        throw rdpErr;
@ -274,20 +283,69 @@ export const useSessionStore = defineStore("session", () => {
      protocol: "rdp",
      active: true,
      username,
      status: "connected",
      hasActivity: false,
    });
    activeSessionId.value = sessionId;
  }
  /**
   * Connect to a server by connection ID.
   * Multiple sessions to the same host are allowed (MobaXTerm-style).
   * Each gets its own tab with a disambiguated name like "Asgard (2)".
   */
  async function connect(connectionId: number): Promise<void> {
    const connectionStore = useConnectionStore();
    const conn = connectionStore.connections.find((c) => c.id === connectionId);
    if (!conn) return;
    connecting.value = true;
    try {
      if (conn.protocol === "ssh") {
        await connectSsh(conn, connectionId);
      } else if (conn.protocol === "rdp") {
        await connectRdp(conn, connectionId);
      }
    } catch (err: unknown) {
      const msg = err instanceof Error ? err.message : typeof err === "string" ? err : String(err);
      console.error("Connection failed:", msg);
      lastError.value = msg;
      // Show error as native alert so it's visible without DevTools
      alert(`Connection failed: ${msg}`);
    } finally {
      connecting.value = false;
    }
  }
  /** Spawn a local shell as a full-size tab. */
  async function spawnLocalTab(shellName: string, shellPath: string): Promise<void> {
    try {
      const sessionId = await invoke<string>("spawn_local_shell", {
        shellPath,
        cols: 120,
        rows: 40,
      });
      sessions.value.push({
        id: sessionId,
        connectionId: 0,
        name: shellName,
        protocol: "local",
        active: true,
        status: "connected",
        hasActivity: false,
      });
      // Listen for PTY close
      const unlistenPty = await listen(`pty:close:${sessionId}`, () => markDisconnected(sessionId));
      sessionUnlisteners.set(sessionId, [unlistenPty]);
      activeSessionId.value = sessionId;
    } catch (err: unknown) {
      const msg = err instanceof Error ? err.message : String(err);
      alert(`Failed to spawn local shell: ${msg}`);
    }
  }
  /** Apply a theme to all active terminal instances. */
  function setTheme(theme: ThemeDefinition): void {
    activeTheme.value = theme;
@ -317,6 +375,9 @@ export const useSessionStore = defineStore("session", () => {
    activateSession,
    closeSession,
    connect,
    spawnLocalTab,
    moveSession,
    markActivity,
    setTheme,
    setTerminalDimensions,
  };
--- a/vite.config.ts
+++ b/vite.config.ts
@ -1,10 +1,20 @@
-import { defineConfig } from "vite";
+import { defineConfig, type Plugin } from "vite";
 import vue from "@vitejs/plugin-vue";
 import tailwindcss from "@tailwindcss/vite";
 import { resolve } from "path";
 /** Strip crossorigin attribute from HTML — WKWebView + Tauri custom protocol compatibility. */
 function stripCrossOrigin(): Plugin {
  return {
    name: "strip-crossorigin",
    transformIndexHtml(html) {
      return html.replace(/ crossorigin/g, "");
    },
  };
 }
 export default defineConfig({
-  plugins: [vue(), tailwindcss()],
+  plugins: [vue(), tailwindcss(), stripCrossOrigin()],
  resolve: {
    alias: {
      "@": resolve(__dirname, "src"),
@ -23,5 +33,9 @@ export default defineConfig({
    target: ["es2021", "chrome100", "safari13"],
    minify: !process.env.TAURI_DEBUG ? "esbuild" : false,
    sourcemap: !!process.env.TAURI_DEBUG,
    // Disable crossorigin attribute on script/link tags — WKWebView on
    // macOS may reject CORS-mode requests for Tauri's custom tauri://
    // protocol in dynamically created child WebviewWindows.
    crossOriginLoading: false,
  },
 });
		`@ -1 +1 @@`
			`{"default":{"identifier":"default","description":"Default capabilities for the main Wraith window","local":true,"windows":["main"],"permissions":["core:default","core:event:default","core:window:default","shell:allow-open"]}}`				`{"default":{"identifier":"default","description":"Default capabilities for the main Wraith window","local":true,"windows":["main","tool-","detached-","editor-","help-"],"permissions":["core:default","core:event:default","core:window:default","core:window:allow-create","core:webview:default","core:webview:allow-create-webview-window","shell:allow-open","updater:default"]}}`