Refactor mutation resolver to include NotificationMutations and remove unused import in notifications model

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Localization**
* Updated translations across 24 languages including Arabic, Bengali,
German, Spanish, French, Japanese, Korean, Portuguese, and Russian for
OS update eligibility messages, driver update status notifications, and
license/trial key expiration messaging to improve international user
experience.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

.cursor/rules/web-testing-rules.mdc

@@ -241,4 +241,3 @@ const pinia = createTestingPinia({
 - Set initial state for focused testing
 - Test computed properties by accessing them directly
 - Verify state changes by updating the store
-

.github/workflows/build-artifacts.yml

@@ -0,0 +1,201 @@
+name: Build Artifacts
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        required: false
+        description: "Git ref to checkout (commit SHA, branch, or tag)"
+      version_override:
+        type: string
+        required: false
+        description: "Override version (for manual releases)"
+    outputs:
+      build_number:
+        description: "Build number for the artifacts"
+        value: ${{ jobs.build-api.outputs.build_number }}
+    secrets:
+      VITE_ACCOUNT:
+        required: true
+      VITE_CONNECT:
+        required: true
+      VITE_UNRAID_NET:
+        required: true
+      VITE_CALLBACK_KEY:
+        required: true
+      UNRAID_BOT_GITHUB_ADMIN_TOKEN:
+        required: false
+
+jobs:
+  build-api:
+    name: Build API
+    runs-on: ubuntu-latest
+    outputs:
+      build_number: ${{ steps.buildnumber.outputs.build_number }}
+    defaults:
+      run:
+        working-directory: api
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+          fetch-depth: 0
+
+      - uses: pnpm/action-setup@v4
+        name: Install pnpm
+        with:
+          run_install: false
+
+      - name: Install Node
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: ".nvmrc"
+          cache: 'pnpm'
+
+      - name: Cache APT Packages
+        uses: awalsh128/cache-apt-pkgs-action@v1.5.3
+        with:
+          packages: bash procps python3 libvirt-dev jq zstd git build-essential
+          version: 1.0
+
+      - name: PNPM Install
+        run: |
+          cd ${{ github.workspace }}
+          pnpm install --frozen-lockfile
+
+      - name: Get Git Short Sha and API version
+        id: vars
+        run: |
+          GIT_SHA=$(git rev-parse --short HEAD)
+          IS_TAGGED=$(git describe --tags --abbrev=0 --exact-match || echo '')
+          PACKAGE_LOCK_VERSION=$(jq -r '.version' package.json)
+          API_VERSION=${{ inputs.version_override && format('"{0}"', inputs.version_override) || '${PACKAGE_LOCK_VERSION}' }}
+          if [ -z "${{ inputs.version_override }}" ] && [ -z "$IS_TAGGED" ]; then
+            API_VERSION="${PACKAGE_LOCK_VERSION}+${GIT_SHA}"
+          fi
+          export API_VERSION
+          echo "API_VERSION=${API_VERSION}" >> $GITHUB_ENV
+          echo "PACKAGE_LOCK_VERSION=${PACKAGE_LOCK_VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Generate build number
+        id: buildnumber
+        uses: onyxmueller/build-tag-number@v1
+        with:
+          token: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN || github.token }}
+          prefix: ${{ inputs.version_override || steps.vars.outputs.PACKAGE_LOCK_VERSION }}
+
+      - name: Build
+        run: |
+          pnpm run build:release
+          tar -czf deploy/unraid-api.tgz -C deploy/pack/ .
+
+      - name: Upload tgz to Github artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: unraid-api
+          path: ${{ github.workspace }}/api/deploy/unraid-api.tgz
+
+  build-unraid-ui-webcomponents:
+    name: Build Unraid UI Library (Webcomponent Version)
+    defaults:
+      run:
+        working-directory: unraid-ui
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+
+      - uses: pnpm/action-setup@v4
+        name: Install pnpm
+        with:
+          run_install: false
+
+      - name: Install Node
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: ".nvmrc"
+          cache: 'pnpm'
+
+      - name: Cache APT Packages
+        uses: awalsh128/cache-apt-pkgs-action@v1.5.3
+        with:
+          packages: bash procps python3 libvirt-dev jq zstd git build-essential
+          version: 1.0
+
+      - name: Install dependencies
+        run: |
+          cd ${{ github.workspace }}
+          pnpm install --frozen-lockfile --filter @unraid/ui
+
+      - name: Lint
+        run: pnpm run lint
+
+      - name: Build
+        run: pnpm run build:wc
+
+      - name: Upload Artifact to Github
+        uses: actions/upload-artifact@v4
+        with:
+          name: unraid-wc-ui
+          path: unraid-ui/dist-wc/
+
+  build-web:
+    name: Build Web App
+    defaults:
+      run:
+        working-directory: web
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Create env file
+        run: |
+          touch .env
+          echo VITE_ACCOUNT=${{ secrets.VITE_ACCOUNT }} >> .env
+          echo VITE_CONNECT=${{ secrets.VITE_CONNECT }} >> .env
+          echo VITE_UNRAID_NET=${{ secrets.VITE_UNRAID_NET }} >> .env
+          echo VITE_CALLBACK_KEY=${{ secrets.VITE_CALLBACK_KEY }} >> .env
+
+      - uses: pnpm/action-setup@v4
+        name: Install pnpm
+        with:
+          run_install: false
+
+      - name: Install Node
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: ".nvmrc"
+          cache: 'pnpm'
+
+      - name: PNPM Install
+        run: |
+          cd ${{ github.workspace }}
+          pnpm install --frozen-lockfile --filter @unraid/web --filter @unraid/ui
+
+      - name: Build Unraid UI
+        run: |
+          cd ${{ github.workspace }}/unraid-ui
+          pnpm run build
+
+      - name: Lint files
+        run: pnpm run lint
+
+      - name: Type Check
+        run: pnpm run type-check
+
+      - name: Build
+        run: pnpm run build
+
+      - name: Upload build to Github artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: unraid-wc-rich
+          path: web/dist
+

.github/workflows/build-plugin.yml

@@ -27,6 +27,15 @@ on:
         type: string
         required: true
         description: "Build number for the plugin builds"
+      ref:
+        type: string
+        required: false
+        description: "Git ref (commit SHA, branch, or tag) to checkout"
+      TRIGGER_PRODUCTION_RELEASE:
+        type: boolean
+        required: false
+        default: false
+        description: "Whether to automatically trigger the release-production workflow (default: false)"
     secrets:
       CF_ACCESS_KEY_ID:
         required: true
@@ -49,6 +58,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v5
         with:
+          ref: ${{ inputs.ref }}
           fetch-depth: 0
 
       - uses: pnpm/action-setup@v4
@@ -68,7 +78,21 @@ jobs:
           GIT_SHA=$(git rev-parse --short HEAD)
           IS_TAGGED=$(git describe --tags --abbrev=0 --exact-match || echo '')
           PACKAGE_LOCK_VERSION=$(jq -r '.version' package.json)
-          API_VERSION=$([[ -n "$IS_TAGGED" ]] && echo "$PACKAGE_LOCK_VERSION" || echo "${PACKAGE_LOCK_VERSION}+${GIT_SHA}")
+          
+          # For release builds, trust the release tag version to avoid stale checkouts
+          if [ "${{ inputs.RELEASE_CREATED }}" = "true" ] && [ -n "${{ inputs.RELEASE_TAG }}" ]; then
+            TAG_VERSION="${{ inputs.RELEASE_TAG }}"
+            TAG_VERSION="${TAG_VERSION#v}" # trim leading v if present
+
+            if [ "$TAG_VERSION" != "$PACKAGE_LOCK_VERSION" ]; then
+              echo "::warning::Release tag version ($TAG_VERSION) does not match package.json version ($PACKAGE_LOCK_VERSION). Using tag version for TXZ naming."
+            fi
+
+            API_VERSION="$TAG_VERSION"
+          else
+            API_VERSION=$([[ -n "$IS_TAGGED" ]] && echo "$PACKAGE_LOCK_VERSION" || echo "${PACKAGE_LOCK_VERSION}+${GIT_SHA}")
+          fi
+
           echo "API_VERSION=${API_VERSION}" >> $GITHUB_OUTPUT
 
       - name: Install dependencies
@@ -136,7 +160,7 @@ jobs:
           done  
 
       - name: Workflow Dispatch and wait
-        if: inputs.RELEASE_CREATED == 'true'
+        if: inputs.RELEASE_CREATED == 'true' && inputs.TRIGGER_PRODUCTION_RELEASE == true
         uses: the-actions-org/workflow-dispatch@v4.0.0
         with:
           workflow: release-production.yml

.github/workflows/claude-code-review.yml

@@ -1,103 +0,0 @@
-name: Claude Code Review
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-    # Skip reviews for non-code changes
-    paths-ignore:
-      - "**/*.md"
-      - "**/package-lock.json"
-      - "**/pnpm-lock.yaml"
-      - "**/.gitignore"
-      - "**/LICENSE"
-      - "**/*.config.js"
-      - "**/*.config.ts"
-      - "**/tsconfig.json"
-      - "**/.github/workflows/*.yml"
-      - "**/docs/**"
-
-jobs:
-  claude-review:
-    # Skip review for bot PRs and WIP/skip-review PRs
-    # Only run if changes are significant (>10 lines)
-    if: |
-      (github.event.pull_request.additions > 10 || github.event.pull_request.deletions > 10) &&
-      !contains(github.event.pull_request.title, '[skip-review]') &&
-      !contains(github.event.pull_request.title, '[WIP]') &&
-      !endsWith(github.event.pull_request.user.login, '[bot]') &&
-      github.event.pull_request.user.login != 'dependabot' &&
-      github.event.pull_request.user.login != 'renovate'
-    
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-    
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code Review
-        id: claude-review
-        uses: anthropics/claude-code-action@beta
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-
-          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
-          # model: "claude-opus-4-20250514"
-          
-          # Direct prompt for automated review (no @claude mention needed)
-          direct_prompt: |
-            IMPORTANT: Review ONLY the DIFF/CHANGESET - the actual lines that were added or modified in this PR.
-            DO NOT review the entire file context, only analyze the specific changes being made.
-            
-            Look for HIGH-PRIORITY issues in the CHANGED LINES ONLY:
-            
-            1. CRITICAL BUGS: Logic errors, null pointer issues, infinite loops, race conditions
-            2. SECURITY: SQL injection, XSS, authentication bypass, exposed secrets, unsafe operations
-            3. BREAKING CHANGES: API contract violations, removed exports, changed function signatures
-            4. DATA LOSS RISKS: Destructive operations without safeguards, missing data validation
-            
-            DO NOT comment on:
-            - Code that wasn't changed in this PR
-            - Style, formatting, or documentation
-            - Test coverage (unless tests are broken by the changes)
-            - Minor optimizations or best practices
-            - Existing code issues that weren't introduced by this PR
-            
-            If you find no critical issues in the DIFF, respond with: "✅ No critical issues found in changes"
-            
-            Keep response under 10 lines. Reference specific line numbers from the diff when reporting issues.
-
-          # Optional: Use sticky comments to make Claude reuse the same comment on subsequent pushes to the same PR
-          use_sticky_comment: true
-          
-          # Context-aware review based on PR characteristics
-          # Uncomment to enable different review strategies based on context
-          # direct_prompt: |
-          #   ${{ 
-          #   (github.event.pull_request.additions > 500) && 
-          #   'Large PR detected. Focus only on architectural issues and breaking changes. Skip minor issues.' ||
-          #   contains(github.event.pull_request.title, 'fix') && 
-          #   'Bug fix PR: Verify the fix addresses the root cause and check for regression risks.' ||
-          #   contains(github.event.pull_request.title, 'deps') && 
-          #   'Dependency update: Check for breaking changes and security advisories only.' ||
-          #   contains(github.event.pull_request.title, 'refactor') && 
-          #   'Refactor PR: Verify no behavior changes and check for performance regressions.' ||
-          #   contains(github.event.pull_request.title, 'feat') && 
-          #   'New feature: Check for security issues, edge cases, and integration problems only.' ||
-          #   'Standard review: Check for critical bugs, security issues, and breaking changes only.'
-          #   }}
-          
-          # Optional: Add specific tools for running tests or linting
-          # allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"
-          
-          # Optional: Skip review for certain conditions
-          # if: |
-          #   !contains(github.event.pull_request.title, '[skip-review]') &&
-          #   !contains(github.event.pull_request.title, '[WIP]')
-

.github/workflows/claude.yml

@@ -1,64 +0,0 @@
-name: Claude Code
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code
-        id: claude
-        uses: anthropics/claude-code-action@beta
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-          
-          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
-          # model: "claude-opus-4-20250514"
-          
-          # Optional: Customize the trigger phrase (default: @claude)
-          # trigger_phrase: "/claude"
-          
-          # Optional: Trigger when specific user is assigned to an issue
-          # assignee_trigger: "claude-bot"
-          
-          # Optional: Allow Claude to run specific commands
-          # allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"
-          
-          # Optional: Add custom instructions for Claude to customize its behavior for your project
-          # custom_instructions: |
-          #   Follow our coding standards
-          #   Ensure all new code has tests
-          #   Use TypeScript for new files
-          
-          # Optional: Custom environment variables for Claude
-          # claude_env: |
-          #   NODE_ENV: test
-

.github/workflows/generate-release-notes.yml

@@ -0,0 +1,210 @@
+name: Generate Release Notes
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: 'Version number (e.g., 4.25.3)'
+        required: true
+        type: string
+      target_commitish:
+        description: 'Commit SHA or branch (leave empty for current HEAD)'
+        required: false
+        type: string
+      release_notes:
+        description: 'Custom release notes (leave empty to auto-generate)'
+        required: false
+        type: string
+    outputs:
+      release_notes:
+        description: 'Generated or provided release notes'
+        value: ${{ jobs.generate.outputs.release_notes }}
+    secrets:
+      UNRAID_BOT_GITHUB_ADMIN_TOKEN:
+        required: true
+
+jobs:
+  generate:
+    name: Generate Release Notes
+    runs-on: ubuntu-latest
+    outputs:
+      release_notes: ${{ steps.generate_notes.outputs.release_notes }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.target_commitish || github.ref }}
+          fetch-depth: 0
+          token: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Generate Release Notes
+        id: generate_notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG_NAME="v${{ inputs.version }}"
+          VERSION="${{ inputs.version }}"
+          
+          if [ -n "${{ inputs.release_notes }}" ]; then
+            NOTES="${{ inputs.release_notes }}"
+          else
+            CHANGELOG_PATH="api/CHANGELOG.md"
+            
+            if [ -f "$CHANGELOG_PATH" ]; then
+              echo "Extracting release notes from CHANGELOG.md for version ${VERSION}"
+              
+              NOTES=$(awk -v ver="$VERSION" '
+                BEGIN { 
+                  found=0; capture=0; output="";
+                  gsub(/\./, "\\.", ver);
+                }
+                /^## \[/ {
+                  if (capture) exit;
+                  if ($0 ~ "\\[" ver "\\]") {
+                    found=1;
+                    capture=1;
+                  }
+                }
+                capture { 
+                  if (output != "") output = output "\n";
+                  output = output $0;
+                }
+                END {
+                  if (found) print output;
+                  else exit 1;
+                }
+              ' "$CHANGELOG_PATH") || EXTRACTION_STATUS=$?
+              
+              if [ ${EXTRACTION_STATUS:-0} -eq 0 ] && [ -n "$NOTES" ]; then
+                echo "✓ Found release notes in CHANGELOG.md"
+              else
+                echo "⚠ Version ${VERSION} not found in CHANGELOG.md, generating with conventional-changelog"
+                
+                PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+                CHANGELOG_GENERATED=false
+                
+                if [ -n "$PREV_TAG" ]; then
+                  echo "Generating changelog from ${PREV_TAG}..HEAD using conventional-changelog"
+                  
+                  npm install -g conventional-changelog-cli
+                  
+                  TEMP_NOTES=$(mktemp)
+                  conventional-changelog -p conventionalcommits \
+                    --release-count 1 \
+                    --output-unreleased \
+                    > "$TEMP_NOTES" 2>/dev/null || true
+                  
+                  if [ -s "$TEMP_NOTES" ]; then
+                    NOTES=$(cat "$TEMP_NOTES")
+                    
+                    if [ -n "$NOTES" ]; then
+                      echo "✓ Generated changelog with conventional-changelog"
+                      CHANGELOG_GENERATED=true
+                      
+                      TEMP_CHANGELOG=$(mktemp)
+                      {
+                        if [ -f "$CHANGELOG_PATH" ]; then
+                          head -n 1 "$CHANGELOG_PATH"
+                          echo ""
+                          echo "$NOTES"
+                          echo ""
+                          tail -n +2 "$CHANGELOG_PATH"
+                        else
+                          echo "# Changelog"
+                          echo ""
+                          echo "$NOTES"
+                        fi
+                      } > "$TEMP_CHANGELOG"
+                      
+                      mv "$TEMP_CHANGELOG" "$CHANGELOG_PATH"
+                      echo "✓ Updated CHANGELOG.md with generated notes"
+                    else
+                      echo "⚠ conventional-changelog produced empty output, using GitHub auto-generation"
+                      NOTES=$(gh api repos/${{ github.repository }}/releases/generate-notes \
+                        -f tag_name="${TAG_NAME}" \
+                        -f target_commitish="${{ inputs.target_commitish || github.sha }}" \
+                        -f previous_tag_name="${PREV_TAG}" \
+                        --jq '.body')
+                    fi
+                  else
+                    echo "⚠ conventional-changelog failed, using GitHub auto-generation"
+                    NOTES=$(gh api repos/${{ github.repository }}/releases/generate-notes \
+                      -f tag_name="${TAG_NAME}" \
+                      -f target_commitish="${{ inputs.target_commitish || github.sha }}" \
+                      -f previous_tag_name="${PREV_TAG}" \
+                      --jq '.body')
+                  fi
+                  
+                  rm -f "$TEMP_NOTES"
+                else
+                  echo "⚠ No previous tag found, using GitHub auto-generation"
+                  NOTES=$(gh api repos/${{ github.repository }}/releases/generate-notes \
+                    -f tag_name="${TAG_NAME}" \
+                    -f target_commitish="${{ inputs.target_commitish || github.sha }}" \
+                    --jq '.body' || echo "Release ${VERSION}")
+                fi
+                
+                if [ "$CHANGELOG_GENERATED" = true ]; then
+                  BRANCH_OR_SHA="${{ inputs.target_commitish || github.ref }}"
+                  
+                  if git show-ref --verify --quiet "refs/heads/${BRANCH_OR_SHA}"; then
+                    echo ""
+                    echo "=========================================="
+                    echo "CHANGELOG GENERATED AND COMMITTED"
+                    echo "=========================================="
+                    echo ""
+                    
+                    git config user.name "github-actions[bot]"
+                    git config user.email "github-actions[bot]@users.noreply.github.com"
+                    
+                    BEFORE_SHA=$(git rev-parse HEAD)
+                    
+                    git add "$CHANGELOG_PATH"
+                    git commit -m "chore: add changelog for version ${VERSION}"
+                    git push origin "HEAD:${BRANCH_OR_SHA}"
+                    
+                    AFTER_SHA=$(git rev-parse HEAD)
+                    
+                    echo "✓ Changelog committed and pushed successfully"
+                    echo ""
+                    echo "Previous SHA: ${BEFORE_SHA}"
+                    echo "New SHA:      ${AFTER_SHA}"
+                    echo ""
+                    echo "⚠️  CRITICAL: A new commit was created, but github.sha is immutable."
+                    echo "⚠️  github.sha = ${BEFORE_SHA} (original workflow trigger)"
+                    echo "⚠️  The release tag must point to ${AFTER_SHA} (with changelog)"
+                    echo ""
+                    echo "Re-run this workflow to create the release with the correct commit."
+                    echo ""
+                    exit 1
+                  else
+                    echo "⚠ Target is a commit SHA, not a branch. Cannot push changelog updates."
+                    echo "Changelog was generated but not committed."
+                  fi
+                fi
+              fi
+            else
+              echo "⚠ CHANGELOG.md not found, using GitHub auto-generation"
+              PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+              
+              if [ -n "$PREV_TAG" ]; then
+                NOTES=$(gh api repos/${{ github.repository }}/releases/generate-notes \
+                  -f tag_name="${TAG_NAME}" \
+                  -f target_commitish="${{ inputs.target_commitish || github.sha }}" \
+                  -f previous_tag_name="${PREV_TAG}" \
+                  --jq '.body')
+              else
+                NOTES="Release ${VERSION}"
+              fi
+            fi
+          fi
+          
+          echo "release_notes<<EOF" >> $GITHUB_OUTPUT
+          echo "$NOTES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+

.github/workflows/main.yml

@@ -154,173 +154,15 @@ jobs:
           files: ./coverage/coverage-final.json,../web/coverage/coverage-final.json,../unraid-ui/coverage/coverage-final.json,../packages/unraid-api-plugin-connect/coverage/coverage-final.json,../packages/unraid-shared/coverage/coverage-final.json
           fail_ci_if_error: false
 
-  build-api:
-    name: Build API
-    runs-on: ubuntu-latest
-    outputs:
-      build_number: ${{ steps.buildnumber.outputs.build_number }}
-    defaults:
-      run:
-        working-directory: api
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v5
-
-      - uses: pnpm/action-setup@v4
-        name: Install pnpm
-        with:
-          run_install: false
-
-      - name: Install Node
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: ".nvmrc"
-          cache: 'pnpm'
-
-      - name: Cache APT Packages
-        uses: awalsh128/cache-apt-pkgs-action@v1.5.3
-        with:
-          packages: bash procps python3 libvirt-dev jq zstd git build-essential
-          version: 1.0
-
-      - name: PNPM Install
-        run: |
-          cd ${{ github.workspace }}
-          pnpm install --frozen-lockfile
-
-      - name: Build
-        run: pnpm run build
-
-      - name: Get Git Short Sha and API version
-        id: vars
-        run: |
-          GIT_SHA=$(git rev-parse --short HEAD)
-          IS_TAGGED=$(git describe --tags --abbrev=0 --exact-match || echo '')
-          PACKAGE_LOCK_VERSION=$(jq -r '.version' package.json)
-          API_VERSION=$([[ -n "$IS_TAGGED" ]] && echo "$PACKAGE_LOCK_VERSION" || echo "${PACKAGE_LOCK_VERSION}+${GIT_SHA}")
-          export API_VERSION
-          echo "API_VERSION=${API_VERSION}" >> $GITHUB_ENV
-          echo "PACKAGE_LOCK_VERSION=${PACKAGE_LOCK_VERSION}" >> $GITHUB_OUTPUT
-
-      - name: Generate build number
-        id: buildnumber
-        uses: onyxmueller/build-tag-number@v1
-        with:
-          token: ${{secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN}}
-          prefix: ${{steps.vars.outputs.PACKAGE_LOCK_VERSION}}
-
-      - name: Build
-        run: |
-          pnpm run build:release
-          tar -czf deploy/unraid-api.tgz -C deploy/pack/ .
-
-      - name: Upload tgz to Github artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: unraid-api
-          path: ${{ github.workspace }}/api/deploy/unraid-api.tgz
-
-  build-unraid-ui-webcomponents:
-    name: Build Unraid UI Library (Webcomponent Version)
-    defaults:
-      run:
-        working-directory: unraid-ui
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v5
-
-      - uses: pnpm/action-setup@v4
-        name: Install pnpm
-        with:
-          run_install: false
-
-      - name: Install Node
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: ".nvmrc"
-          cache: 'pnpm'
-
-      - name: Cache APT Packages
-        uses: awalsh128/cache-apt-pkgs-action@v1.5.3
-        with:
-          packages: bash procps python3 libvirt-dev jq zstd git build-essential
-          version: 1.0
-
-      - name: Install dependencies
-        run: |
-          cd ${{ github.workspace }}
-          pnpm install --frozen-lockfile --filter @unraid/ui
-
-      - name: Lint
-        run: pnpm run lint
-
-      - name: Build
-        run: pnpm run build:wc
-
-      - name: Upload Artifact to Github
-        uses: actions/upload-artifact@v4
-        with:
-          name: unraid-wc-ui
-          path: unraid-ui/dist-wc/
-
-  build-web:
-    # needs: [build-unraid-ui]
-    name: Build Web App
-    defaults:
-      run:
-        working-directory: web
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v5
-
-      - name: Create env file
-        run: |
-          touch .env
-          echo VITE_ACCOUNT=${{ secrets.VITE_ACCOUNT }} >> .env
-          echo VITE_CONNECT=${{ secrets.VITE_CONNECT }} >> .env
-          echo VITE_UNRAID_NET=${{ secrets.VITE_UNRAID_NET }} >> .env
-          echo VITE_CALLBACK_KEY=${{ secrets.VITE_CALLBACK_KEY }} >> .env
-
-      - uses: pnpm/action-setup@v4
-        name: Install pnpm
-        with:
-          run_install: false
-
-      - name: Install Node
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: ".nvmrc"
-          cache: 'pnpm'
-
-      - name: PNPM Install
-        run: |
-          cd ${{ github.workspace }}
-          pnpm install --frozen-lockfile --filter @unraid/web --filter @unraid/ui
-
-      - name: Build Unraid UI
-        run: |
-          cd ${{ github.workspace }}/unraid-ui
-          pnpm run build
-
-      - name: Lint files
-        run: pnpm run lint
-
-      - name: Type Check
-        run: pnpm run type-check
-
-      - name: Test
-        run: pnpm run test:ci
-
-      - name: Build
-        run: pnpm run build
-
-      - name: Upload build to Github artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: unraid-wc-rich
-          path: web/dist
+  build-artifacts:
+    name: Build All Artifacts
+    uses: ./.github/workflows/build-artifacts.yml
+    secrets:
+      VITE_ACCOUNT: ${{ secrets.VITE_ACCOUNT }}
+      VITE_CONNECT: ${{ secrets.VITE_CONNECT }}
+      VITE_UNRAID_NET: ${{ secrets.VITE_UNRAID_NET }}
+      VITE_CALLBACK_KEY: ${{ secrets.VITE_CALLBACK_KEY }}
+      UNRAID_BOT_GITHUB_ADMIN_TOKEN: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN }}
 
   release-please:
     name: Release Please
@@ -329,15 +171,15 @@ jobs:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs:
       - test-api
-      - build-api
-      - build-web
-      - build-unraid-ui-webcomponents
+      - build-artifacts
     permissions:
       contents: write
       pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
 
       - id: release
         uses: googleapis/release-please-action@v4
@@ -348,17 +190,15 @@ jobs:
   build-plugin-staging-pr:
     name: Build and Deploy Plugin
     needs:
-      - build-api
-      - build-web
-      - build-unraid-ui-webcomponents
+      - build-artifacts
       - test-api
     uses: ./.github/workflows/build-plugin.yml
     with:
-      RELEASE_CREATED: false
+      RELEASE_CREATED: 'false'
       TAG: ${{ github.event.pull_request.number && format('PR{0}', github.event.pull_request.number) || '' }}
       BUCKET_PATH: ${{ github.event.pull_request.number && format('unraid-api/tag/PR{0}', github.event.pull_request.number) || 'unraid-api' }}
       BASE_URL: "https://preview.dl.unraid.net/unraid-api"
-      BUILD_NUMBER: ${{ needs.build-api.outputs.build_number }}
+      BUILD_NUMBER: ${{ needs.build-artifacts.outputs.build_number }}
     secrets:
       CF_ACCESS_KEY_ID: ${{ secrets.CF_ACCESS_KEY_ID }}
       CF_SECRET_ACCESS_KEY: ${{ secrets.CF_SECRET_ACCESS_KEY }}
@@ -370,15 +210,16 @@ jobs:
     name: Build and Deploy Production Plugin
     needs:
       - release-please
-      - build-api
+      - build-artifacts
     uses: ./.github/workflows/build-plugin.yml
     with:
-      RELEASE_CREATED: true
+      RELEASE_CREATED: 'true'
       RELEASE_TAG: ${{ needs.release-please.outputs.tag_name }}
       TAG: ""
       BUCKET_PATH: unraid-api
       BASE_URL: "https://stable.dl.unraid.net/unraid-api"
-      BUILD_NUMBER: ${{ needs.build-api.outputs.build_number }}
+      BUILD_NUMBER: ${{ needs.build-artifacts.outputs.build_number }}
+      TRIGGER_PRODUCTION_RELEASE: true
     secrets:
       CF_ACCESS_KEY_ID: ${{ secrets.CF_ACCESS_KEY_ID }}
       CF_SECRET_ACCESS_KEY: ${{ secrets.CF_SECRET_ACCESS_KEY }}

.github/workflows/manual-release.yml

@@ -0,0 +1,239 @@
+name: Manual Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to release (e.g., 4.25.3)'
+        required: true
+        type: string
+      target_commitish:
+        description: 'Commit SHA or branch (leave empty for current HEAD)'
+        required: false
+        type: string
+      release_notes:
+        description: 'Release notes/changelog (leave empty to auto-generate from commits)'
+        required: false
+        type: string
+      prerelease:
+        description: 'Mark as prerelease'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  validate-version:
+    name: Validate and Update Package Versions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.target_commitish || github.ref }}
+          fetch-depth: 0
+          token: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Check and Update Package Versions
+        run: |
+          EXPECTED_VERSION="${{ inputs.version }}"
+          MISMATCHES_FOUND=false
+          
+          PACKAGE_JSONS=(
+            "package.json"
+            "api/package.json"
+            "web/package.json"
+            "unraid-ui/package.json"
+            "plugin/package.json"
+            "packages/unraid-shared/package.json"
+            "packages/unraid-api-plugin-health/package.json"
+            "packages/unraid-api-plugin-generator/package.json"
+            "packages/unraid-api-plugin-connect/package.json"
+          )
+          
+          echo "Checking package.json versions against expected version: ${EXPECTED_VERSION}"
+          
+          for pkg in "${PACKAGE_JSONS[@]}"; do
+            if [ -f "$pkg" ]; then
+              CURRENT_VERSION=$(node -p "require('./$pkg').version")
+              if [ "$CURRENT_VERSION" != "$EXPECTED_VERSION" ]; then
+                echo "❌ Version mismatch in $pkg: $CURRENT_VERSION != $EXPECTED_VERSION"
+                MISMATCHES_FOUND=true
+                
+                # Detect indentation by checking the first property line
+                INDENT_SPACES=$(head -10 "$pkg" | grep '^ *"' | head -1 | sed 's/".*//g' | wc -c)
+                INDENT_SPACES=$((INDENT_SPACES - 1))
+                
+                jq --indent "$INDENT_SPACES" --arg version "$EXPECTED_VERSION" '.version = $version' "$pkg" > "$pkg.tmp" && mv "$pkg.tmp" "$pkg"
+                echo "✓ Updated $pkg to version $EXPECTED_VERSION"
+              else
+                echo "✓ $pkg version matches: $CURRENT_VERSION"
+              fi
+            fi
+          done
+          
+          if [ "$MISMATCHES_FOUND" = true ]; then
+            echo ""
+            echo "=========================================="
+            echo "Version mismatches found!"
+            echo "=========================================="
+            echo ""
+            
+            BRANCH_OR_SHA="${{ inputs.target_commitish || github.ref }}"
+            
+            if git show-ref --verify --quiet "refs/heads/${BRANCH_OR_SHA}"; then
+              echo "Creating commit with version updates and pushing to branch: ${BRANCH_OR_SHA}"
+              
+              git config user.name "github-actions[bot]"
+              git config user.email "github-actions[bot]@users.noreply.github.com"
+              
+              BEFORE_SHA=$(git rev-parse HEAD)
+              
+              git add ${PACKAGE_JSONS[@]}
+              git commit -m "chore: update package versions to ${{ inputs.version }}"
+              git push origin "HEAD:${BRANCH_OR_SHA}"
+              
+              AFTER_SHA=$(git rev-parse HEAD)
+              
+              echo ""
+              echo "=========================================="
+              echo "WORKFLOW MUST BE RE-RUN"
+              echo "=========================================="
+              echo ""
+              echo "✓ Version updates committed and pushed successfully"
+              echo ""
+              echo "Previous SHA: ${BEFORE_SHA}"
+              echo "New SHA:      ${AFTER_SHA}"
+              echo ""
+              echo "⚠️  CRITICAL: A new commit was created, but github.sha is immutable."
+              echo "⚠️  github.sha = ${BEFORE_SHA} (original workflow trigger)"
+              echo "⚠️  The release tag must point to ${AFTER_SHA} (with version updates)"
+              echo ""
+              echo "Re-run this workflow to create the release with the correct commit."
+              echo ""
+              exit 1
+            else
+              echo "Target is a commit SHA, not a branch. Cannot push version updates."
+              echo "Please update the package.json versions manually and re-run the workflow."
+              exit 1
+            fi
+          fi
+          
+          echo ""
+          echo "✓ All package.json versions match the expected version: ${EXPECTED_VERSION}"
+
+  build-artifacts:
+    name: Build All Artifacts
+    needs:
+      - validate-version
+    uses: ./.github/workflows/build-artifacts.yml
+    with:
+      ref: ${{ inputs.target_commitish || github.ref }}
+      version_override: ${{ inputs.version }}
+    secrets:
+      VITE_ACCOUNT: ${{ secrets.VITE_ACCOUNT }}
+      VITE_CONNECT: ${{ secrets.VITE_CONNECT }}
+      VITE_UNRAID_NET: ${{ secrets.VITE_UNRAID_NET }}
+      VITE_CALLBACK_KEY: ${{ secrets.VITE_CALLBACK_KEY }}
+      UNRAID_BOT_GITHUB_ADMIN_TOKEN: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN }}
+
+  generate-release-notes:
+    name: Generate Release Notes
+    needs:
+      - build-artifacts
+    uses: ./.github/workflows/generate-release-notes.yml
+    with:
+      version: ${{ inputs.version }}
+      target_commitish: ${{ inputs.target_commitish || github.ref }}
+      release_notes: ${{ inputs.release_notes }}
+    secrets:
+      UNRAID_BOT_GITHUB_ADMIN_TOKEN: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN }}
+
+  create-release:
+    name: Create GitHub Release (Draft)
+    runs-on: ubuntu-latest
+    needs:
+      - generate-release-notes
+    outputs:
+      tag_name: ${{ steps.create_release.outputs.tag_name }}
+      release_notes: ${{ needs.generate-release-notes.outputs.release_notes }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.target_commitish || github.ref }}
+          fetch-depth: 0
+
+      - name: Create or Update Release as Draft
+        id: create_release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG_NAME="v${{ inputs.version }}"
+          TARGET="${{ inputs.target_commitish || github.sha }}"
+          
+          echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT
+          
+          if gh release view "${TAG_NAME}" > /dev/null 2>&1; then
+            echo "Release ${TAG_NAME} already exists, updating as draft..."
+            gh release edit "${TAG_NAME}" \
+              --draft \
+              --notes "${{ needs.generate-release-notes.outputs.release_notes }}" \
+              ${{ inputs.prerelease && '--prerelease' || '' }}
+          else
+            echo "Creating new draft release ${TAG_NAME}..."
+            git tag "${TAG_NAME}" "${TARGET}" || true
+            git push origin "${TAG_NAME}" || true
+            
+            gh release create "${TAG_NAME}" \
+              --draft \
+              --title "${{ inputs.version }}" \
+              --notes "${{ needs.generate-release-notes.outputs.release_notes }}" \
+              --target "${TARGET}" \
+              ${{ inputs.prerelease && '--prerelease' || '' }}
+          fi
+
+  build-plugin-production:
+    name: Build and Deploy Production Plugin
+    needs:
+      - create-release
+      - build-artifacts
+    uses: ./.github/workflows/build-plugin.yml
+    with:
+      RELEASE_CREATED: 'true'
+      RELEASE_TAG: ${{ needs.create-release.outputs.tag_name }}
+      TAG: ""
+      BUCKET_PATH: unraid-api
+      BASE_URL: "https://stable.dl.unraid.net/unraid-api"
+      BUILD_NUMBER: ${{ needs.build-artifacts.outputs.build_number }}
+      ref: ${{ inputs.target_commitish || github.ref }}
+    secrets:
+      CF_ACCESS_KEY_ID: ${{ secrets.CF_ACCESS_KEY_ID }}
+      CF_SECRET_ACCESS_KEY: ${{ secrets.CF_SECRET_ACCESS_KEY }}
+      CF_BUCKET_PREVIEW: ${{ secrets.CF_BUCKET_PREVIEW }}
+      CF_ENDPOINT: ${{ secrets.CF_ENDPOINT }}
+      UNRAID_BOT_GITHUB_ADMIN_TOKEN: ${{ secrets.UNRAID_BOT_GITHUB_ADMIN_TOKEN }}
+
+  publish-release:
+    name: Publish Release
+    runs-on: ubuntu-latest
+    needs:
+      - create-release
+      - build-plugin-production
+    steps:
+      - name: Publish Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG_NAME="${{ needs.create-release.outputs.tag_name }}"
+          echo "Publishing release ${TAG_NAME}..."
+          gh release edit "${TAG_NAME}" --draft=false --repo ${{ github.repository }}
+

.github/workflows/publish-schema.yml

@@ -0,0 +1,30 @@
+name: Publish GraphQL Schema
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'api/generated-schema.graphql'
+  workflow_dispatch:
+
+jobs:
+  publish-schema:
+    name: Publish Schema to Apollo Studio
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      - name: Install Apollo Rover CLI
+        run: |
+          curl -sSL https://rover.apollo.dev/nix/latest | sh
+          echo "$HOME/.rover/bin" >> $GITHUB_PATH
+
+      - name: Publish schema to Apollo Studio
+        env:
+          APOLLO_KEY: ${{ secrets.APOLLO_KEY }}
+        run: |
+          rover graph publish Unraid-API@current \
+            --schema api/generated-schema.graphql
+

.gitignore

@@ -123,3 +123,6 @@ api/dev/Unraid.net/myservers.cfg
 # local Mise settings
 .mise.toml
 
+# Compiled test pages (generated from Nunjucks templates)
+web/public/test-pages/*.html
+

.release-please-manifest.json

@@ -1 +1 @@
-{".":"4.24.0"}
+{".":"4.27.2"}

@tailwind-shared/base-utilities.css

@@ -1,7 +1,8 @@
 @custom-variant dark (&:where(.dark, .dark *));
 
 /* Utility defaults for web components (when we were using shadow DOM) */
-:host {
+:host,
+.unapi {
     --tw-divide-y-reverse: 0;
     --tw-border-style: solid;
     --tw-font-weight: initial;
@@ -61,7 +62,7 @@
 }
 */
 
-body {
+.unapi {
     --color-alpha: #1c1b1b;
     --color-beta: #f2f2f2;
     --color-gamma: #999999;
@@ -73,13 +74,14 @@ body {
     --ring-shadow: 0 0 var(--color-beta);
   }
 
-button:not(:disabled),
-[role='button']:not(:disabled) {
+.unapi button:not(:disabled),
+.unapi [role='button']:not(:disabled) {
   cursor: pointer;
 }
 
 /* Font size overrides for SSO button component */
-unraid-sso-button {
+.unapi unraid-sso-button,
+unraid-sso-button.unapi {
   --text-xs: 0.75rem;
   --text-sm: 0.875rem;
   --text-base: 1rem;
@@ -93,4 +95,4 @@ unraid-sso-button {
   --text-7xl: 4.5rem;
   --text-8xl: 6rem;
   --text-9xl: 8rem;
-}
+}

@tailwind-shared/theme-variants.css

@@ -5,13 +5,7 @@
  */
 
 /* Default/White Theme */
-:root,
-.theme-white {
-  --header-text-primary: #ffffff;
-  --header-text-secondary: #999999;
-  --header-background-color: #1c1b1b;
-  --header-gradient-start: rgba(28, 27, 27, 0);
-  --header-gradient-end: rgba(28, 27, 27, 0.7);
+.Theme--white {
   --color-border: #383735;
   --color-alpha: #ff8c2f;
   --color-beta: #1c1b1b;
@@ -20,13 +14,8 @@
 }
 
 /* Black Theme */
-.theme-black,
-.theme-black.dark {
-  --header-text-primary: #1c1b1b;
-  --header-text-secondary: #999999;
-  --header-background-color: #f2f2f2;
-  --header-gradient-start: rgba(242, 242, 242, 0);
-  --header-gradient-end: rgba(242, 242, 242, 0.7);
+.Theme--black,
+.Theme--black.dark {
   --color-border: #e0e0e0;
   --color-alpha: #ff8c2f;
   --color-beta: #f2f2f2;
@@ -35,12 +24,7 @@
 }
 
 /* Gray Theme */
-.theme-gray {
-  --header-text-primary: #ffffff;
-  --header-text-secondary: #999999;
-  --header-background-color: #1c1b1b;
-  --header-gradient-start: rgba(28, 27, 27, 0);
-  --header-gradient-end: rgba(28, 27, 27, 0.7);
+.Theme--gray {
   --color-border: #383735;
   --color-alpha: #ff8c2f;
   --color-beta: #383735;
@@ -49,12 +33,7 @@
 }
 
 /* Azure Theme */
-.theme-azure {
-  --header-text-primary: #1c1b1b;
-  --header-text-secondary: #999999;
-  --header-background-color: #f2f2f2;
-  --header-gradient-start: rgba(242, 242, 242, 0);
-  --header-gradient-end: rgba(242, 242, 242, 0.7);
+.Theme--azure {
   --color-border: #5a8bb8;
   --color-alpha: #ff8c2f;
   --color-beta: #e7f2f8;
@@ -66,27 +45,3 @@
 .dark {
   --color-border: #383735;
 }
-
-/* 
- * Dynamic color variables for user overrides from GraphQL
- * These are set via JavaScript and override the theme defaults
- * Using :root with class for higher specificity to override theme classes
- */
-:root.has-custom-header-text {
-  --header-text-primary: var(--custom-header-text-primary);
-  --color-header-text-primary: var(--custom-header-text-primary);
-}
-
-:root.has-custom-header-meta {
-  --header-text-secondary: var(--custom-header-text-secondary);
-  --color-header-text-secondary: var(--custom-header-text-secondary);
-}
-
-:root.has-custom-header-bg {
-  --header-background-color: var(--custom-header-background-color);
-  --color-header-background: var(--custom-header-background-color);
-  --header-gradient-start: var(--custom-header-gradient-start);
-  --header-gradient-end: var(--custom-header-gradient-end);
-  --color-header-gradient-start: var(--custom-header-gradient-start);
-  --color-header-gradient-end: var(--custom-header-gradient-end);
-}

api/.env.development

@@ -32,3 +32,4 @@ CHOKIDAR_USEPOLLING=true
 LOG_TRANSPORT=console
 LOG_LEVEL=trace
 ENABLE_NEXT_DOCKER_RELEASE=true
+SKIP_CONNECT_PLUGIN_CHECK=true

api/.eslintrc.ts

@@ -42,7 +42,10 @@ export default tseslint.config(
                 'ignorePackages',
                 {
                     js: 'always',
-                    ts: 'always',
+                    mjs: 'always',
+                    cjs: 'always',
+                    ts: 'never',
+                    tsx: 'never',
                 },
             ],
             'no-restricted-globals': [

api/CHANGELOG.md

@@ -1,5 +1,112 @@
 # Changelog
 
+## [4.27.2](https://github.com/unraid/api/compare/v4.27.1...v4.27.2) (2025-11-21)
+
+
+### Bug Fixes
+
+* issue with header flashing + issue with trial date ([64875ed](https://github.com/unraid/api/commit/64875edbba786a0d1ba0113c9e9a3d38594eafcc))
+
+## [4.27.1](https://github.com/unraid/api/compare/v4.27.0...v4.27.1) (2025-11-21)
+
+
+### Bug Fixes
+
+* missing translations for expiring trials ([#1800](https://github.com/unraid/api/issues/1800)) ([36c1049](https://github.com/unraid/api/commit/36c104915ece203a3cac9e1a13e0c325e536a839))
+* resolve header flash when background color is set ([#1796](https://github.com/unraid/api/issues/1796)) ([dc9a036](https://github.com/unraid/api/commit/dc9a036c73d8ba110029364e0d044dc24c7d0dfa))
+
+## [4.27.0](https://github.com/unraid/api/compare/v4.26.2...v4.27.0) (2025-11-19)
+
+
+### Features
+
+* remove Unraid API log download functionality ([#1793](https://github.com/unraid/api/issues/1793)) ([e4a9b82](https://github.com/unraid/api/commit/e4a9b8291b049752a9ff59b17ff50cf464fe0535))
+
+
+### Bug Fixes
+
+* auto-uninstallation of connect api plugin ([#1791](https://github.com/unraid/api/issues/1791)) ([e734043](https://github.com/unraid/api/commit/e7340431a58821ec1b4f5d1b452fba6613b01fa5))
+
+## [4.26.2](https://github.com/unraid/api/compare/v4.26.1...v4.26.2) (2025-11-19)
+
+
+### Bug Fixes
+
+* **theme:** Missing header background color ([e2fdf6c](https://github.com/unraid/api/commit/e2fdf6cadbd816559b8c82546c2bc771a81ffa9e))
+
+## [4.26.1](https://github.com/unraid/api/compare/v4.26.0...v4.26.1) (2025-11-18)
+
+
+### Bug Fixes
+
+* **theme:** update theme class naming and scoping logic ([b28ef1e](https://github.com/unraid/api/commit/b28ef1ea334cb4842f01fa992effa7024185c6c9))
+
+## [4.26.0](https://github.com/unraid/api/compare/v4.25.3...v4.26.0) (2025-11-17)
+
+
+### Features
+
+* add cpu power query & subscription ([#1745](https://github.com/unraid/api/issues/1745)) ([d7aca81](https://github.com/unraid/api/commit/d7aca81c60281bfa47fb9113929c1ead6ed3361b))
+* add schema publishing to apollo studio ([#1772](https://github.com/unraid/api/issues/1772)) ([7e13202](https://github.com/unraid/api/commit/7e13202aa1c02803095bb72bb1bcb2472716f53a))
+* add workflow_dispatch trigger to schema publishing workflow ([818e7ce](https://github.com/unraid/api/commit/818e7ce997059663e07efcf1dab706bf0d7fc9da))
+* apollo studio readme link ([c4cd0c6](https://github.com/unraid/api/commit/c4cd0c63520deec15d735255f38811f0360fe3a1))
+* **cli:** make `unraid-api plugins remove` scriptable ([#1774](https://github.com/unraid/api/issues/1774)) ([64eb9ce](https://github.com/unraid/api/commit/64eb9ce9b5d1ff4fb1f08d9963522c5d32221ba7))
+* use persisted theme css to fix flashes on header ([#1784](https://github.com/unraid/api/issues/1784)) ([854b403](https://github.com/unraid/api/commit/854b403fbd85220a3012af58ce033cf0b8418516))
+
+
+### Bug Fixes
+
+* **api:** decode html entities before parsing notifications ([#1768](https://github.com/unraid/api/issues/1768)) ([42406e7](https://github.com/unraid/api/commit/42406e795da1e5b95622951a467722dde72d51a8))
+* **connect:** disable api plugin if unraid plugin is absent ([#1773](https://github.com/unraid/api/issues/1773)) ([c264a18](https://github.com/unraid/api/commit/c264a1843cf115e8cc1add1ab4f12fdcc932405a))
+* detection of flash backup activation state ([#1769](https://github.com/unraid/api/issues/1769)) ([d18eaf2](https://github.com/unraid/api/commit/d18eaf2364e0c04992c52af38679ff0a0c570440))
+* re-add missing header gradient styles ([#1787](https://github.com/unraid/api/issues/1787)) ([f8a6785](https://github.com/unraid/api/commit/f8a6785e9c92f81acaef76ac5eb78a4a769e69da))
+* respect OS safe mode in plugin loader ([#1775](https://github.com/unraid/api/issues/1775)) ([92af3b6](https://github.com/unraid/api/commit/92af3b61156cabae70368cf5222a2f7ac5b4d083))
+
+## [4.25.3](https://github.com/unraid/unraid-api/compare/v4.25.2...v4.25.3) (2025-10-22)
+
+
+### Bug Fixes
+
+* flaky watch on boot drive's dynamix config ([ec7aa06](https://github.com/unraid/unraid-api/commit/ec7aa06d4a5fb1f0e84420266b0b0d7ee09a3663))
+
+## [4.25.2](https://github.com/unraid/api/compare/v4.25.1...v4.25.2) (2025-09-30)
+
+
+### Bug Fixes
+
+* enhance activation code modal visibility logic ([#1733](https://github.com/unraid/api/issues/1733)) ([e57ec00](https://github.com/unraid/api/commit/e57ec00627e54ce76d903fd0fa8686ad02b393f3))
+
+## [4.25.1](https://github.com/unraid/api/compare/v4.25.0...v4.25.1) (2025-09-30)
+
+
+### Bug Fixes
+
+* add cache busting to web component extractor ([#1731](https://github.com/unraid/api/issues/1731)) ([0d165a6](https://github.com/unraid/api/commit/0d165a608740505bdc505dcf69fb615225969741))
+* Connect won't appear within Apps - Previous Apps ([#1727](https://github.com/unraid/api/issues/1727)) ([d73953f](https://github.com/unraid/api/commit/d73953f8ff3d7425c0aed32d16236ededfd948e1))
+
+## [4.25.0](https://github.com/unraid/api/compare/v4.24.1...v4.25.0) (2025-09-26)
+
+
+### Features
+
+* add Tailwind scoping plugin and integrate into Vite config ([#1722](https://github.com/unraid/api/issues/1722)) ([b7afaf4](https://github.com/unraid/api/commit/b7afaf463243b073e1ab1083961a16a12ac6c4a3))
+* notification filter controls pill buttons ([#1718](https://github.com/unraid/api/issues/1718)) ([661865f](https://github.com/unraid/api/commit/661865f97611cf802f239fde8232f3109281dde6))
+
+
+### Bug Fixes
+
+* enable auth guard for nested fields - thanks [@ingel81](https://github.com/ingel81) ([7bdeca8](https://github.com/unraid/api/commit/7bdeca8338a3901f15fde06fd7aede3b0c16e087))
+* enhance user context validation in auth module ([#1726](https://github.com/unraid/api/issues/1726)) ([cd5eff1](https://github.com/unraid/api/commit/cd5eff11bcb4398581472966cb7ec124eac7ad0a))
+
+## [4.24.1](https://github.com/unraid/api/compare/v4.24.0...v4.24.1) (2025-09-23)
+
+
+### Bug Fixes
+
+* cleanup leftover removed packages on upgrade ([#1719](https://github.com/unraid/api/issues/1719)) ([9972a5f](https://github.com/unraid/api/commit/9972a5f178f9a251e6c129d85c5f11cfd25e6281))
+* enhance version comparison logic in installation script ([d9c561b](https://github.com/unraid/api/commit/d9c561bfebed0c553fe4bfa26b088ae71ca59755))
+* issue with incorrect permissions on viewer / other roles ([378cdb7](https://github.com/unraid/api/commit/378cdb7f102f63128dd236c13f1a3745902d5a2c))
+
 ## [4.24.0](https://github.com/unraid/api/compare/v4.23.1...v4.24.0) (2025-09-18)
 
 

api/README.md

@@ -71,6 +71,10 @@ unraid-api report -vv
 
 If you found this file you're likely a developer. If you'd like to know more about the API and when it's available please join [our discord](https://discord.unraid.net/).
 
+## Internationalization
+
+- Run `pnpm --filter @unraid/api i18n:extract` to scan the Nest.js source for translation helper usages and update `src/i18n/en.json` with any new keys. The extractor keeps existing translations intact and appends new keys with their English source text.
+
 ## License
 
 Copyright Lime Technology Inc. All rights reserved.

api/dev/configs/api.json

@@ -1,5 +1,5 @@
 {
-  "version": "4.22.2",
+  "version": "4.25.3",
   "extraOrigins": [],
   "sandbox": true,
   "ssoSubIds": [],

api/dev/notifications/unread/Hashtag_Test_1730937650.notify

@@ -0,0 +1,6 @@
+timestamp=1730937600
+event=Hashtag Test
+subject=Warning [UNRAID] - #1 OS is cooking
+description=Disk 1 temperature has reached #epic # levels of proportion
+importance=warning
+

api/dev/notifications/unread/Temperature_Test_1730937600.notify

@@ -0,0 +1,6 @@
+timestamp=1730937600
+event=Temperature Test
+subject=Warning [UNRAID] - High disk temperature detected: 45 °C
+description=Disk 1 temperature has reached 45&#8201;&#176;C (threshold: 40&#8201;&#176;C)<br><br>Current temperatures:<br>Parity - 32&#8201;&#176;C [OK]<br>Disk 1 - 45&#8201;&#176;C [WARNING]<br>Disk 2 - 38&#8201;&#176;C [OK]<br>Cache - 28&#8201;&#176;C [OK]<br><br>Please check cooling system.
+importance=warning
+

api/generated-schema.graphql

@@ -1391,6 +1391,19 @@ type CpuLoad {
   percentSteal: Float!
 }
 
+type CpuPackages implements Node {
+  id: PrefixedID!
+
+  """Total CPU package power draw (W)"""
+  totalPower: Float!
+
+  """Power draw per package (W)"""
+  power: [Float!]!
+
+  """Temperature per package (°C)"""
+  temp: [Float!]!
+}
+
 type CpuUtilization implements Node {
   id: PrefixedID!
 
@@ -1454,6 +1467,12 @@ type InfoCpu implements Node {
 
   """CPU feature flags"""
   flags: [String!]
+
+  """
+  Per-package array of core/thread pairs, e.g. [[[0,1],[2,3]], [[4,5],[6,7]]]
+  """
+  topology: [[[Int!]!]!]!
+  packages: CpuPackages!
 }
 
 type MemoryLayout implements Node {
@@ -2642,6 +2661,7 @@ type Subscription {
   arraySubscription: UnraidArray!
   logFile(path: String!): LogFileContent!
   systemMetricsCpu: CpuUtilization!
+  systemMetricsCpuTelemetry: CpuPackages!
   systemMetricsMemory: MemoryUtilization!
   upsUpdates: UPSDevice!
 }

api/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@unraid/api",
-    "version": "4.24.0",
+    "version": "4.27.2",
     "main": "src/cli/index.ts",
     "type": "module",
     "corepack": {
@@ -30,6 +30,8 @@
         "// GraphQL Codegen": "",
         "codegen": "graphql-codegen --config codegen.ts",
         "codegen:watch": "graphql-codegen --config codegen.ts --watch",
+        "// Internationalization": "",
+        "i18n:extract": "node ./scripts/extract-translations.mjs",
         "// Code Quality": "",
         "lint": "eslint --config .eslintrc.ts src/",
         "lint:fix": "eslint --fix --config .eslintrc.ts src/",
@@ -114,6 +116,7 @@
         "graphql-subscriptions": "3.0.0",
         "graphql-tag": "2.12.6",
         "graphql-ws": "6.0.6",
+        "html-entities": "^2.6.0",
         "ini": "5.0.0",
         "ip": "2.0.1",
         "jose": "6.0.13",

api/scripts/extract-translations.mjs

@@ -0,0 +1,162 @@
+#!/usr/bin/env node
+
+import { readFile, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+import { glob } from 'glob';
+import ts from 'typescript';
+
+const projectRoot = process.cwd();
+const sourcePatterns = 'src/**/*.{ts,js}';
+const ignorePatterns = [
+  '**/__tests__/**',
+  '**/__test__/**',
+  '**/*.spec.ts',
+  '**/*.spec.js',
+  '**/*.test.ts',
+  '**/*.test.js',
+];
+
+const englishLocaleFile = path.resolve(projectRoot, 'src/i18n/en.json');
+
+const identifierTargets = new Set(['t', 'translate']);
+const propertyTargets = new Set([
+  'i18n.t',
+  'i18n.translate',
+  'ctx.t',
+  'this.translate',
+  'this.i18n.translate',
+  'this.i18n.t',
+]);
+
+function getPropertyChain(node) {
+  if (ts.isIdentifier(node)) {
+    return node.text;
+  }
+  if (ts.isPropertyAccessExpression(node)) {
+    const left = getPropertyChain(node.expression);
+    if (!left) return undefined;
+    return `${left}.${node.name.text}`;
+  }
+  return undefined;
+}
+
+function extractLiteral(node) {
+  if (ts.isStringLiteralLike(node)) {
+    return node.text;
+  }
+  if (ts.isNoSubstitutionTemplateLiteral(node)) {
+    return node.text;
+  }
+  return undefined;
+}
+
+function collectKeysFromSource(sourceFile) {
+  const keys = new Set();
+
+  function visit(node) {
+    if (ts.isCallExpression(node)) {
+      const expr = node.expression;
+      let matches = false;
+
+      if (ts.isIdentifier(expr) && identifierTargets.has(expr.text)) {
+        matches = true;
+      } else if (ts.isPropertyAccessExpression(expr)) {
+        const chain = getPropertyChain(expr);
+        if (chain && propertyTargets.has(chain)) {
+          matches = true;
+        }
+      }
+
+      if (matches) {
+        const [firstArg] = node.arguments;
+        if (firstArg) {
+          const literal = extractLiteral(firstArg);
+          if (literal) {
+            keys.add(literal);
+          }
+        }
+      }
+    }
+
+    ts.forEachChild(node, visit);
+  }
+
+  visit(sourceFile);
+  return keys;
+}
+
+async function loadEnglishCatalog() {
+  try {
+    const raw = await readFile(englishLocaleFile, 'utf8');
+    const parsed = raw.trim() ? JSON.parse(raw) : {};
+    if (typeof parsed !== 'object' || Array.isArray(parsed)) {
+      throw new Error('English locale file must contain a JSON object.');
+    }
+    return parsed;
+  } catch (error) {
+    if (error && error.code === 'ENOENT') {
+      return {};
+    }
+    throw error;
+  }
+}
+
+async function ensureEnglishCatalog(keys) {
+  const existingCatalog = await loadEnglishCatalog();
+  const existingKeys = new Set(Object.keys(existingCatalog));
+
+  let added = 0;
+  const combinedKeys = new Set([...existingKeys, ...keys]);
+  const sortedKeys = Array.from(combinedKeys).sort((a, b) => a.localeCompare(b));
+  const nextCatalog = {};
+
+  for (const key of sortedKeys) {
+    if (Object.prototype.hasOwnProperty.call(existingCatalog, key)) {
+      nextCatalog[key] = existingCatalog[key];
+    } else {
+      nextCatalog[key] = key;
+      added += 1;
+    }
+  }
+
+  const nextJson = `${JSON.stringify(nextCatalog, null, 2)}\n`;
+  const existingJson = JSON.stringify(existingCatalog, null, 2) + '\n';
+
+  if (nextJson !== existingJson) {
+    await writeFile(englishLocaleFile, nextJson, 'utf8');
+  }
+
+  return added;
+}
+
+async function main() {
+  const files = await glob(sourcePatterns, {
+    cwd: projectRoot,
+    ignore: ignorePatterns,
+    absolute: true,
+  });
+
+  const collectedKeys = new Set();
+
+  await Promise.all(
+    files.map(async (file) => {
+      const content = await readFile(file, 'utf8');
+      const sourceFile = ts.createSourceFile(file, content, ts.ScriptTarget.Latest, true);
+      const keys = collectKeysFromSource(sourceFile);
+      keys.forEach((key) => collectedKeys.add(key));
+    }),
+  );
+
+  const added = await ensureEnglishCatalog(collectedKeys);
+
+  if (added === 0) {
+    console.log('[i18n] No new backend translation keys detected.');
+  } else {
+    console.log(`[i18n] Added ${added} key(s) to src/i18n/en.json.`);
+  }
+}
+
+main().catch((error) => {
+  console.error('[i18n] Failed to extract backend translations.', error);
+  process.exitCode = 1;
+});

api/src/__test__/core/utils/images/image-file-helpers.test.ts

@@ -4,23 +4,18 @@ import {
     getBannerPathIfPresent,
     getCasePathIfPresent,
 } from '@app/core/utils/images/image-file-helpers.js';
-import { loadDynamixConfigFile } from '@app/store/actions/load-dynamix-config-file.js';
-import { store } from '@app/store/index.js';
+import { loadDynamixConfig } from '@app/store/index.js';
 
 test('get case path returns expected result', async () => {
     await expect(getCasePathIfPresent()).resolves.toContain('/dev/dynamix/case-model.png');
 });
 
-test('get banner path returns null (state unloaded)', async () => {
-    await expect(getBannerPathIfPresent()).resolves.toMatchInlineSnapshot('null');
-});
-
 test('get banner path returns the banner (state loaded)', async () => {
-    await store.dispatch(loadDynamixConfigFile()).unwrap();
+    loadDynamixConfig();
     await expect(getBannerPathIfPresent()).resolves.toContain('/dev/dynamix/banner.png');
 });
 
 test('get banner path returns null when no banner (state loaded)', async () => {
-    await store.dispatch(loadDynamixConfigFile()).unwrap();
+    loadDynamixConfig();
     await expect(getBannerPathIfPresent('notabanner.png')).resolves.toMatchInlineSnapshot('null');
 });

api/src/connect-plugin-cleanup.ts

@@ -0,0 +1,12 @@
+import { existsSync } from 'node:fs';
+
+/**
+ * Local filesystem and env checks stay synchronous so we can branch at module load.
+ * @returns True if the Connect Unraid plugin is installed, false otherwise.
+ */
+export const isConnectPluginInstalled = () => {
+    if (process.env.SKIP_CONNECT_PLUGIN_CHECK === 'true') {
+        return true;
+    }
+    return existsSync('/boot/config/plugins/dynamix.unraid.net.plg');
+};

api/src/core/utils/__test__/safe-mode.test.ts

@@ -0,0 +1,66 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+
+import { isSafeModeEnabled } from '@app/core/utils/safe-mode.js';
+import { store } from '@app/store/index.js';
+import * as stateFileLoader from '@app/store/services/state-file-loader.js';
+
+describe('isSafeModeEnabled', () => {
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+
+    it('returns the safe mode flag already present in the store', () => {
+        const baseState = store.getState();
+        vi.spyOn(store, 'getState').mockReturnValue({
+            ...baseState,
+            emhttp: {
+                ...baseState.emhttp,
+                var: {
+                    ...(baseState.emhttp?.var ?? {}),
+                    safeMode: true,
+                },
+            },
+        });
+        const loaderSpy = vi.spyOn(stateFileLoader, 'loadStateFileSync');
+
+        expect(isSafeModeEnabled()).toBe(true);
+        expect(loaderSpy).not.toHaveBeenCalled();
+    });
+
+    it('falls back to the synchronous loader when store state is missing', () => {
+        const baseState = store.getState();
+        vi.spyOn(store, 'getState').mockReturnValue({
+            ...baseState,
+            emhttp: {
+                ...baseState.emhttp,
+                var: {
+                    ...(baseState.emhttp?.var ?? {}),
+                    safeMode: undefined as unknown as boolean,
+                } as typeof baseState.emhttp.var,
+            } as typeof baseState.emhttp,
+        } as typeof baseState);
+        vi.spyOn(stateFileLoader, 'loadStateFileSync').mockReturnValue({
+            ...(baseState.emhttp?.var ?? {}),
+            safeMode: true,
+        } as any);
+
+        expect(isSafeModeEnabled()).toBe(true);
+    });
+
+    it('defaults to false when loader cannot provide state', () => {
+        const baseState = store.getState();
+        vi.spyOn(store, 'getState').mockReturnValue({
+            ...baseState,
+            emhttp: {
+                ...baseState.emhttp,
+                var: {
+                    ...(baseState.emhttp?.var ?? {}),
+                    safeMode: undefined as unknown as boolean,
+                } as typeof baseState.emhttp.var,
+            } as typeof baseState.emhttp,
+        } as typeof baseState);
+        vi.spyOn(stateFileLoader, 'loadStateFileSync').mockReturnValue(null);
+
+        expect(isSafeModeEnabled()).toBe(false);
+    });
+});

api/src/core/utils/safe-mode.ts

@@ -0,0 +1,17 @@
+import { store } from '@app/store/index.js';
+import { loadStateFileSync } from '@app/store/services/state-file-loader.js';
+import { StateFileKey } from '@app/store/types.js';
+
+export const isSafeModeEnabled = (): boolean => {
+    const safeModeFromStore = store.getState().emhttp?.var?.safeMode;
+    if (typeof safeModeFromStore === 'boolean') {
+        return safeModeFromStore;
+    }
+
+    const varState = loadStateFileSync(StateFileKey.var);
+    if (varState) {
+        return Boolean(varState.safeMode);
+    }
+
+    return false;
+};

api/src/i18n/ar.json

@@ -0,0 +1 @@
+{}

api/src/i18n/bn.json

@@ -0,0 +1 @@
+{}

api/src/i18n/ca.json

@@ -0,0 +1 @@
+{}

api/src/i18n/cs.json

@@ -0,0 +1 @@
+{}

api/src/i18n/da.json

@@ -0,0 +1 @@
+{}

api/src/i18n/de.json

@@ -0,0 +1 @@
+{}

api/src/i18n/en.json

@@ -0,0 +1 @@
+{}

api/src/i18n/es.json

@@ -0,0 +1 @@
+{}

api/src/i18n/fr.json

@@ -0,0 +1 @@
+{}

api/src/i18n/hi.json

@@ -0,0 +1 @@
+{}

api/src/i18n/hr.json

@@ -0,0 +1 @@
+{}

api/src/i18n/hu.json

@@ -0,0 +1 @@
+{}

api/src/i18n/it.json

@@ -0,0 +1 @@
+{}

api/src/i18n/ja.json

@@ -0,0 +1 @@
+{}

api/src/i18n/ko.json

@@ -0,0 +1 @@
+{}

api/src/i18n/lv.json

@@ -0,0 +1 @@
+{}

api/src/i18n/nl.json

@@ -0,0 +1 @@
+{}

api/src/i18n/no.json

@@ -0,0 +1 @@
+{}

api/src/i18n/pl.json

@@ -0,0 +1 @@
+{}

api/src/i18n/pt.json

@@ -0,0 +1 @@
+{}

api/src/i18n/ro.json

@@ -0,0 +1 @@
+{}

api/src/i18n/ru.json

@@ -0,0 +1 @@
+{}

api/src/i18n/sv.json

@@ -0,0 +1 @@
+{}

api/src/i18n/uk.json

@@ -0,0 +1 @@
+{}

api/src/i18n/zh.json

@@ -0,0 +1 @@
+{}

api/src/index.ts

@@ -4,7 +4,7 @@ import '@app/dotenv.js';
 
 import { type NestFastifyApplication } from '@nestjs/platform-fastify';
 import { unlinkSync } from 'fs';
-import { mkdir } from 'fs/promises';
+import { mkdir, readFile } from 'fs/promises';
 import http from 'http';
 import https from 'https';
 
@@ -18,13 +18,11 @@ import { fileExistsSync } from '@app/core/utils/files/file-exists.js';
 import { getServerIdentifier } from '@app/core/utils/server-identifier.js';
 import { environment, PATHS_CONFIG_MODULES, PORT } from '@app/environment.js';
 import * as envVars from '@app/environment.js';
-import { loadDynamixConfigFile } from '@app/store/actions/load-dynamix-config-file.js';
 import { shutdownApiEvent } from '@app/store/actions/shutdown-api-event.js';
-import { store } from '@app/store/index.js';
+import { loadDynamixConfig, store } from '@app/store/index.js';
 import { startMiddlewareListeners } from '@app/store/listeners/listener-middleware.js';
 import { loadStateFiles } from '@app/store/modules/emhttp.js';
 import { loadRegistrationKey } from '@app/store/modules/registration.js';
-import { setupDynamixConfigWatch } from '@app/store/watch/dynamix-config-watch.js';
 import { setupRegistrationKeyWatch } from '@app/store/watch/registration-watch.js';
 import { StateManager } from '@app/store/watch/state-watch.js';
 
@@ -76,7 +74,7 @@ export const viteNodeApp = async () => {
         await store.dispatch(loadRegistrationKey());
 
         // Load my dynamix config file into store
-        await store.dispatch(loadDynamixConfigFile());
+        loadDynamixConfig();
 
         // Start listening to file updates
         StateManager.getInstance();
@@ -84,9 +82,6 @@ export const viteNodeApp = async () => {
         // Start listening to key file changes
         setupRegistrationKeyWatch();
 
-        // Start listening to dynamix config file changes
-        setupDynamixConfigWatch();
-
         // If port is unix socket, delete old socket before starting http server
         unlinkUnixPort();
 

api/src/store/actions/load-dynamix-config-file.ts

@@ -1,12 +1,9 @@
-import { F_OK } from 'constants';
-import { access } from 'fs/promises';
-
-import { createAsyncThunk } from '@reduxjs/toolkit';
+import { createTtlMemoizedLoader } from '@unraid/shared';
 
+import type { RecursivePartial } from '@app/types/index.js';
 import { type DynamixConfig } from '@app/core/types/ini.js';
+import { fileExistsSync } from '@app/core/utils/files/file-exists.js';
 import { parseConfig } from '@app/core/utils/misc/parse-config.js';
-import { type RecursiveNullable, type RecursivePartial } from '@app/types/index.js';
-import { batchProcess } from '@app/utils.js';
 
 /**
  * Loads a configuration file from disk, parses it to a RecursivePartial of the provided type, and returns it.
@@ -16,11 +13,8 @@ import { batchProcess } from '@app/utils.js';
  * @param path The path to the configuration file on disk.
  * @returns A parsed RecursivePartial of the provided type.
  */
-async function loadConfigFile<ConfigType>(path: string): Promise<RecursivePartial<ConfigType>> {
-    const fileIsAccessible = await access(path, F_OK)
-        .then(() => true)
-        .catch(() => false);
-    return fileIsAccessible
+function loadConfigFileSync<ConfigType>(path: string): RecursivePartial<ConfigType> {
+    return fileExistsSync(path)
         ? parseConfig<RecursivePartial<ConfigType>>({
               filePath: path,
               type: 'ini',
@@ -28,21 +22,40 @@ async function loadConfigFile<ConfigType>(path: string): Promise<RecursivePartia
         : {};
 }
 
-/**
- * Load the dynamix.cfg into the store.
- *
- * Note: If the file doesn't exist this will fallback to default values.
- */
-export const loadDynamixConfigFile = createAsyncThunk<
-    RecursiveNullable<RecursivePartial<DynamixConfig>>,
-    string | undefined
->('config/load-dynamix-config-file', async (filePath) => {
-    if (filePath) {
-        return loadConfigFile<DynamixConfig>(filePath);
-    }
-    const store = await import('@app/store/index.js');
-    const paths = store.getters.paths()['dynamix-config'];
-    const { data: configs } = await batchProcess(paths, (path) => loadConfigFile<DynamixConfig>(path));
-    const [defaultConfig = {}, customConfig = {}] = configs;
-    return { ...defaultConfig, ...customConfig };
+type ConfigPaths = readonly (string | undefined | null)[];
+const CACHE_WINDOW_MS = 250;
+
+const memoizedConfigLoader = createTtlMemoizedLoader<
+    RecursivePartial<DynamixConfig>,
+    ConfigPaths,
+    string
+>({
+    ttlMs: CACHE_WINDOW_MS,
+    getCacheKey: (configPaths: ConfigPaths): string => JSON.stringify(configPaths),
+    load: (configPaths: ConfigPaths) => {
+        const validPaths = configPaths.filter((path): path is string => Boolean(path));
+        if (validPaths.length === 0) {
+            return {};
+        }
+        const configFiles = validPaths.map((path) => loadConfigFileSync<DynamixConfig>(path));
+        return configFiles.reduce<RecursivePartial<DynamixConfig>>(
+            (accumulator, configFile) => ({
+                ...accumulator,
+                ...configFile,
+            }),
+            {}
+        );
+    },
 });
+
+/**
+ * Loads dynamix config from disk with TTL caching.
+ *
+ * @param configPaths - Array of config file paths to load and merge
+ * @returns Merged config object from all valid paths
+ */
+export const loadDynamixConfigFromDiskSync = (
+    configPaths: readonly (string | undefined | null)[]
+): RecursivePartial<DynamixConfig> => {
+    return memoizedConfigLoader.get(configPaths);
+};

api/src/store/index.ts

@@ -1,7 +1,11 @@
 import { configureStore } from '@reduxjs/toolkit';
 
+import { logger } from '@app/core/log.js';
+import { loadDynamixConfigFromDiskSync } from '@app/store/actions/load-dynamix-config-file.js';
 import { listenerMiddleware } from '@app/store/listeners/listener-middleware.js';
+import { updateDynamixConfig } from '@app/store/modules/dynamix.js';
 import { rootReducer } from '@app/store/root-reducer.js';
+import { FileLoadStatus } from '@app/store/types.js';
 
 export const store = configureStore({
     reducer: rootReducer,
@@ -15,8 +19,36 @@ export type RootState = ReturnType<typeof store.getState>;
 export type AppDispatch = typeof store.dispatch;
 export type ApiStore = typeof store;
 
+// loadDynamixConfig is located here and not in the actions/load-dynamix-config-file.js file because it needs to access the store,
+// and injecting it seemed circular and convoluted for this use case.
+/**
+ * Loads the dynamix config into the store.
+ * Can be called multiple times - uses TTL caching internally.
+ * @returns The loaded dynamix config.
+ */
+export const loadDynamixConfig = () => {
+    const configPaths = store.getState().paths['dynamix-config'] ?? [];
+    try {
+        const config = loadDynamixConfigFromDiskSync(configPaths);
+        store.dispatch(
+            updateDynamixConfig({
+                ...config,
+                status: FileLoadStatus.LOADED,
+            })
+        );
+    } catch (error) {
+        logger.error(error, 'Failed to load dynamix config from disk');
+        store.dispatch(
+            updateDynamixConfig({
+                status: FileLoadStatus.FAILED_LOADING,
+            })
+        );
+    }
+    return store.getState().dynamix;
+};
+
 export const getters = {
-    dynamix: () => store.getState().dynamix,
+    dynamix: () => loadDynamixConfig(),
     emhttp: () => store.getState().emhttp,
     paths: () => store.getState().paths,
     registration: () => store.getState().registration,

api/src/store/modules/dynamix.ts

@@ -2,7 +2,6 @@ import type { PayloadAction } from '@reduxjs/toolkit';
 import { createSlice } from '@reduxjs/toolkit';
 
 import { type DynamixConfig } from '@app/core/types/ini.js';
-import { loadDynamixConfigFile } from '@app/store/actions/load-dynamix-config-file.js';
 import { FileLoadStatus } from '@app/store/types.js';
 import { RecursivePartial } from '@app/types/index.js';
 
@@ -22,24 +21,6 @@ export const dynamix = createSlice({
             return Object.assign(state, action.payload);
         },
     },
-    extraReducers(builder) {
-        builder.addCase(loadDynamixConfigFile.pending, (state) => {
-            state.status = FileLoadStatus.LOADING;
-        });
-
-        builder.addCase(loadDynamixConfigFile.fulfilled, (state, action) => {
-            return {
-                ...(action.payload as DynamixConfig),
-                status: FileLoadStatus.LOADED,
-            };
-        });
-
-        builder.addCase(loadDynamixConfigFile.rejected, (state, action) => {
-            Object.assign(state, action.payload, {
-                status: FileLoadStatus.FAILED_LOADING,
-            });
-        });
-    },
 });
 
 export const { updateDynamixConfig } = dynamix.actions;

api/src/store/modules/emhttp.ts

@@ -163,6 +163,18 @@ export const loadStateFiles = createAsyncThunk<
     return state;
 });
 
+const stateFieldKeyMap: Record<StateFileKey, keyof SliceState> = {
+    [StateFileKey.var]: 'var',
+    [StateFileKey.devs]: 'devices',
+    [StateFileKey.network]: 'networks',
+    [StateFileKey.nginx]: 'nginx',
+    [StateFileKey.shares]: 'shares',
+    [StateFileKey.disks]: 'disks',
+    [StateFileKey.users]: 'users',
+    [StateFileKey.sec]: 'smbShares',
+    [StateFileKey.sec_nfs]: 'nfsShares',
+};
+
 export const emhttp = createSlice({
     name: 'emhttp',
     initialState,
@@ -175,7 +187,8 @@ export const emhttp = createSlice({
             }>
         ) {
             const { field } = action.payload;
-            return Object.assign(state, { [field]: action.payload.state });
+            const targetField = stateFieldKeyMap[field] ?? (field as keyof SliceState);
+            return Object.assign(state, { [targetField]: action.payload.state });
         },
     },
     extraReducers(builder) {

api/src/store/services/__test__/state-file-loader.test.ts

@@ -0,0 +1,81 @@
+import { mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { store } from '@app/store/index.js';
+import { loadStateFileSync } from '@app/store/services/state-file-loader.js';
+import { StateFileKey } from '@app/store/types.js';
+
+const VAR_FIXTURE = readFileSync(new URL('../../../../dev/states/var.ini', import.meta.url), 'utf-8');
+
+const writeVarFixture = (dir: string, safeMode: 'yes' | 'no') => {
+    const content = VAR_FIXTURE.replace(/safeMode="(yes|no)"/, `safeMode="${safeMode}"`);
+    writeFileSync(join(dir, `${StateFileKey.var}.ini`), content);
+};
+
+describe('loadStateFileSync', () => {
+    let tempDir: string;
+    let baseState: ReturnType<typeof store.getState>;
+
+    beforeEach(() => {
+        tempDir = mkdtempSync(join(tmpdir(), 'state-file-'));
+        baseState = store.getState();
+    });
+
+    afterEach(() => {
+        vi.restoreAllMocks();
+        rmSync(tempDir, { recursive: true, force: true });
+    });
+
+    it('loads var.ini, updates the store, and returns the parsed state', () => {
+        writeVarFixture(tempDir, 'yes');
+        vi.spyOn(store, 'getState').mockReturnValue({
+            ...baseState,
+            paths: {
+                ...baseState.paths,
+                states: tempDir,
+            },
+        });
+        const dispatchSpy = vi.spyOn(store, 'dispatch').mockImplementation((action) => action as any);
+
+        const result = loadStateFileSync(StateFileKey.var);
+
+        expect(result?.safeMode).toBe(true);
+        expect(dispatchSpy).toHaveBeenCalledWith(
+            expect.objectContaining({
+                type: 'emhttp/updateEmhttpState',
+                payload: {
+                    field: StateFileKey.var,
+                    state: expect.objectContaining({ safeMode: true }),
+                },
+            })
+        );
+    });
+
+    it('returns null when the states path is missing', () => {
+        vi.spyOn(store, 'getState').mockReturnValue({
+            ...baseState,
+            paths: undefined,
+        } as any);
+        const dispatchSpy = vi.spyOn(store, 'dispatch');
+
+        expect(loadStateFileSync(StateFileKey.var)).toBeNull();
+        expect(dispatchSpy).not.toHaveBeenCalled();
+    });
+
+    it('returns null when the requested state file cannot be found', () => {
+        vi.spyOn(store, 'getState').mockReturnValue({
+            ...baseState,
+            paths: {
+                ...baseState.paths,
+                states: tempDir,
+            },
+        });
+        const dispatchSpy = vi.spyOn(store, 'dispatch');
+
+        expect(loadStateFileSync(StateFileKey.var)).toBeNull();
+        expect(dispatchSpy).not.toHaveBeenCalled();
+    });
+});

api/src/store/services/state-file-loader.ts

@@ -0,0 +1,81 @@
+import { join } from 'node:path';
+
+import type { SliceState } from '@app/store/modules/emhttp.js';
+import type { StateFileToIniParserMap } from '@app/store/types.js';
+import { parseConfig } from '@app/core/utils/misc/parse-config.js';
+import { store } from '@app/store/index.js';
+import { updateEmhttpState } from '@app/store/modules/emhttp.js';
+import { parse as parseDevices } from '@app/store/state-parsers/devices.js';
+import { parse as parseNetwork } from '@app/store/state-parsers/network.js';
+import { parse as parseNfs } from '@app/store/state-parsers/nfs.js';
+import { parse as parseNginx } from '@app/store/state-parsers/nginx.js';
+import { parse as parseShares } from '@app/store/state-parsers/shares.js';
+import { parse as parseSlots } from '@app/store/state-parsers/slots.js';
+import { parse as parseSmb } from '@app/store/state-parsers/smb.js';
+import { parse as parseUsers } from '@app/store/state-parsers/users.js';
+import { parse as parseVar } from '@app/store/state-parsers/var.js';
+import { StateFileKey } from '@app/store/types.js';
+
+type ParserReturnMap = {
+    [StateFileKey.var]: ReturnType<typeof parseVar>;
+    [StateFileKey.devs]: ReturnType<typeof parseDevices>;
+    [StateFileKey.network]: ReturnType<typeof parseNetwork>;
+    [StateFileKey.nginx]: ReturnType<typeof parseNginx>;
+    [StateFileKey.shares]: ReturnType<typeof parseShares>;
+    [StateFileKey.disks]: ReturnType<typeof parseSlots>;
+    [StateFileKey.users]: ReturnType<typeof parseUsers>;
+    [StateFileKey.sec]: ReturnType<typeof parseSmb>;
+    [StateFileKey.sec_nfs]: ReturnType<typeof parseNfs>;
+};
+
+const PARSER_MAP: { [K in StateFileKey]: StateFileToIniParserMap[K] } = {
+    [StateFileKey.var]: parseVar,
+    [StateFileKey.devs]: parseDevices,
+    [StateFileKey.network]: parseNetwork,
+    [StateFileKey.nginx]: parseNginx,
+    [StateFileKey.shares]: parseShares,
+    [StateFileKey.disks]: parseSlots,
+    [StateFileKey.users]: parseUsers,
+    [StateFileKey.sec]: parseSmb,
+    [StateFileKey.sec_nfs]: parseNfs,
+};
+
+/**
+ * Synchronously loads an emhttp state file, updates the Redux store slice, and returns the parsed state.
+ *
+ * Designed for bootstrap contexts (CLI, plugin loading, etc.) where dispatching the async thunks is
+ * impractical but we still need authoritative emhttp state from disk.
+ */
+export const loadStateFileSync = <K extends StateFileKey>(
+    stateFileKey: K
+): ParserReturnMap[K] | null => {
+    const state = store.getState();
+    const statesDirectory = state.paths?.states;
+
+    if (!statesDirectory) {
+        return null;
+    }
+
+    const filePath = join(statesDirectory, `${stateFileKey}.ini`);
+
+    try {
+        const parser = PARSER_MAP[stateFileKey] as StateFileToIniParserMap[K];
+        const rawConfig = parseConfig<Record<string, unknown>>({
+            filePath,
+            type: 'ini',
+        });
+        const config = rawConfig as Parameters<StateFileToIniParserMap[K]>[0];
+        const parsed = (parser as (input: any) => ParserReturnMap[K])(config);
+
+        store.dispatch(
+            updateEmhttpState({
+                field: stateFileKey,
+                state: parsed as Partial<SliceState[keyof SliceState]>,
+            })
+        );
+
+        return parsed;
+    } catch (error) {
+        return null;
+    }
+};

api/src/store/watch/dynamix-config-watch.ts

@@ -1,17 +0,0 @@
-import { watch } from 'chokidar';
-
-import { loadDynamixConfigFile } from '@app/store/actions/load-dynamix-config-file.js';
-import { getters, store } from '@app/store/index.js';
-
-export const setupDynamixConfigWatch = () => {
-    const configPath = getters.paths()?.['dynamix-config'];
-
-    // Update store when cfg changes
-    watch(configPath, {
-        persistent: true,
-        ignoreInitial: true,
-    }).on('change', async () => {
-        // Load updated dynamix config file into store
-        await store.dispatch(loadDynamixConfigFile());
-    });
-};

api/src/types/jsonforms-i18n.d.ts

@@ -0,0 +1,40 @@
+import '@jsonforms/core/lib/models/jsonSchema4';
+import '@jsonforms/core/lib/models/jsonSchema7';
+import '@jsonforms/core/src/models/jsonSchema4';
+import '@jsonforms/core/src/models/jsonSchema7';
+
+declare module '@jsonforms/core/lib/models/jsonSchema4' {
+    interface JsonSchema4 {
+        i18n?: string;
+    }
+}
+
+declare module '@jsonforms/core/lib/models/jsonSchema7' {
+    interface JsonSchema7 {
+        i18n?: string;
+    }
+}
+
+declare module '@jsonforms/core/src/models/jsonSchema4' {
+    interface JsonSchema4 {
+        i18n?: string;
+    }
+}
+
+declare module '@jsonforms/core/src/models/jsonSchema7' {
+    interface JsonSchema7 {
+        i18n?: string;
+    }
+}
+
+declare module '@jsonforms/core/lib/models/jsonSchema4.js' {
+    interface JsonSchema4 {
+        i18n?: string;
+    }
+}
+
+declare module '@jsonforms/core/lib/models/jsonSchema7.js' {
+    interface JsonSchema7 {
+        i18n?: string;
+    }
+}

api/src/unraid-api/app/__test__/app.module.integration.spec.ts

@@ -6,8 +6,7 @@ import { AuthZGuard } from 'nest-authz';
 import request from 'supertest';
 import { afterAll, beforeAll, describe, expect, it, vi } from 'vitest';
 
-import { loadDynamixConfigFile } from '@app/store/actions/load-dynamix-config-file.js';
-import { store } from '@app/store/index.js';
+import { loadDynamixConfig, store } from '@app/store/index.js';
 import { loadStateFiles } from '@app/store/modules/emhttp.js';
 import { AppModule } from '@app/unraid-api/app/app.module.js';
 import { AuthService } from '@app/unraid-api/auth/auth.service.js';
@@ -111,8 +110,8 @@ describe('AppModule Integration Tests', () => {
 
     beforeAll(async () => {
         // Initialize the dynamix config and state files before creating the module
-        await store.dispatch(loadDynamixConfigFile());
         await store.dispatch(loadStateFiles());
+        loadDynamixConfig();
 
         // Debug: Log the CSRF token from the store
         const { getters } = await import('@app/store/index.js');

api/src/unraid-api/app/__test__/module-dependencies.integration.spec.ts

@@ -1,4 +1,5 @@
 import { CacheModule } from '@nestjs/cache-manager';
+import { ConfigModule } from '@nestjs/config';
 import { Test } from '@nestjs/testing';
 
 import { describe, expect, it } from 'vitest';
@@ -10,7 +11,11 @@ describe('Module Dependencies Integration', () => {
         let module;
         try {
             module = await Test.createTestingModule({
-                imports: [CacheModule.register({ isGlobal: true }), RestModule],
+                imports: [
+                    ConfigModule.forRoot({ ignoreEnvFile: true, isGlobal: true }),
+                    CacheModule.register({ isGlobal: true }),
+                    RestModule,
+                ],
             }).compile();
 
             expect(module).toBeDefined();

api/src/unraid-api/auth/auth.module.ts

@@ -8,6 +8,7 @@ import { AuthService } from '@app/unraid-api/auth/auth.service.js';
 import { CasbinModule } from '@app/unraid-api/auth/casbin/casbin.module.js';
 import { CasbinService } from '@app/unraid-api/auth/casbin/casbin.service.js';
 import { BASE_POLICY, CASBIN_MODEL } from '@app/unraid-api/auth/casbin/index.js';
+import { resolveSubjectFromUser } from '@app/unraid-api/auth/casbin/resolve-subject.util.js';
 import { CookieService, SESSION_COOKIE_CONFIG } from '@app/unraid-api/auth/cookie.service.js';
 import { UserCookieStrategy } from '@app/unraid-api/auth/cookie.strategy.js';
 import { ServerHeaderStrategy } from '@app/unraid-api/auth/header.strategy.js';
@@ -28,6 +29,7 @@ import { getRequest } from '@app/utils.js';
         CasbinModule,
         AuthZModule.register({
             imports: [CasbinModule],
+            enablePossession: false,
             enforcerProvider: {
                 provide: AUTHZ_ENFORCER,
                 useFactory: async (casbinService: CasbinService) => {
@@ -40,13 +42,7 @@ import { getRequest } from '@app/utils.js';
 
                 try {
                     const request = getRequest(ctx);
-                    const roles = request?.user?.roles || [];
-
-                    if (!Array.isArray(roles)) {
-                        throw new UnauthorizedException('User roles must be an array');
-                    }
-
-                    return roles.join(',');
+                    return resolveSubjectFromUser(request?.user);
                 } catch (error) {
                     logger.error('Failed to extract user context', error);
                     throw new UnauthorizedException('Failed to authenticate user');

api/src/unraid-api/auth/casbin/authz.guard.integration.spec.ts

@@ -0,0 +1,133 @@
+import { ExecutionContext, Type } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ExecutionContextHost } from '@nestjs/core/helpers/execution-context-host.js';
+
+import type { Enforcer } from 'casbin';
+import { AuthAction, Resource, Role } from '@unraid/shared/graphql.model.js';
+import { AuthZGuard, BatchApproval } from 'nest-authz';
+import { beforeAll, describe, expect, it } from 'vitest';
+
+import { CasbinService } from '@app/unraid-api/auth/casbin/casbin.service.js';
+import { CASBIN_MODEL } from '@app/unraid-api/auth/casbin/model.js';
+import { BASE_POLICY } from '@app/unraid-api/auth/casbin/policy.js';
+import { resolveSubjectFromUser } from '@app/unraid-api/auth/casbin/resolve-subject.util.js';
+import { DockerMutationsResolver } from '@app/unraid-api/graph/resolvers/docker/docker.mutations.resolver.js';
+import { DockerResolver } from '@app/unraid-api/graph/resolvers/docker/docker.resolver.js';
+import { VmMutationsResolver } from '@app/unraid-api/graph/resolvers/vms/vms.mutations.resolver.js';
+import { MeResolver } from '@app/unraid-api/graph/user/user.resolver.js';
+import { getRequest } from '@app/utils.js';
+
+type Handler = (...args: any[]) => unknown;
+
+type TestUser = {
+    id?: string;
+    roles?: Role[];
+};
+
+type TestRequest = {
+    user?: TestUser;
+};
+
+function createExecutionContext(
+    handler: Handler,
+    classRef: Type<unknown> | null,
+    roles: Role[],
+    userId = 'api-key-viewer'
+): ExecutionContext {
+    const request: TestRequest = {
+        user: {
+            id: userId,
+            roles: [...roles],
+        },
+    };
+
+    const graphqlContextHost = new ExecutionContextHost(
+        [undefined, undefined, { req: request }, undefined],
+        classRef,
+        handler
+    );
+
+    graphqlContextHost.setType('graphql');
+
+    return graphqlContextHost as unknown as ExecutionContext;
+}
+
+describe('AuthZGuard + Casbin policies', () => {
+    let guard: AuthZGuard;
+    let enforcer: Enforcer;
+
+    beforeAll(async () => {
+        const casbinService = new CasbinService();
+        enforcer = await casbinService.initializeEnforcer(CASBIN_MODEL, BASE_POLICY);
+
+        await enforcer.addGroupingPolicy('api-key-viewer', Role.VIEWER);
+        await enforcer.addGroupingPolicy('api-key-admin', Role.ADMIN);
+
+        guard = new AuthZGuard(new Reflector(), enforcer, {
+            enablePossession: false,
+            batchApproval: BatchApproval.ALL,
+            userFromContext: (ctx: ExecutionContext) => {
+                const request = getRequest(ctx) as TestRequest | undefined;
+
+                return resolveSubjectFromUser(request?.user);
+            },
+        });
+    });
+
+    it('denies viewer role from stopping docker containers', async () => {
+        const context = createExecutionContext(
+            DockerMutationsResolver.prototype.stop,
+            DockerMutationsResolver,
+            [Role.VIEWER],
+            'api-key-viewer'
+        );
+
+        await expect(guard.canActivate(context)).resolves.toBe(false);
+    });
+
+    it('allows admin role to stop docker containers', async () => {
+        const context = createExecutionContext(
+            DockerMutationsResolver.prototype.stop,
+            DockerMutationsResolver,
+            [Role.ADMIN],
+            'api-key-admin'
+        );
+
+        await expect(guard.canActivate(context)).resolves.toBe(true);
+    });
+
+    it('denies viewer role from stopping virtual machines', async () => {
+        const context = createExecutionContext(
+            VmMutationsResolver.prototype.stop,
+            VmMutationsResolver,
+            [Role.VIEWER],
+            'api-key-viewer'
+        );
+
+        await expect(guard.canActivate(context)).resolves.toBe(false);
+    });
+
+    it('allows viewer role to read docker data', async () => {
+        const context = createExecutionContext(
+            DockerResolver.prototype.containers,
+            DockerResolver,
+            [Role.VIEWER],
+            'api-key-viewer'
+        );
+
+        await expect(guard.canActivate(context)).resolves.toBe(true);
+    });
+
+    it('allows API key with explicit permission to access ME resource', async () => {
+        await enforcer.addPolicy('api-key-custom', Resource.ME, AuthAction.READ_ANY);
+
+        const context = createExecutionContext(
+            MeResolver.prototype.me,
+            MeResolver,
+            [],
+            'api-key-custom'
+        );
+
+        await expect(guard.canActivate(context)).resolves.toBe(true);
+    });
+});

api/src/unraid-api/auth/casbin/resolve-subject.util.spec.ts

@@ -0,0 +1,43 @@
+import { UnauthorizedException } from '@nestjs/common';
+
+import { describe, expect, it } from 'vitest';
+
+import { resolveSubjectFromUser } from '@app/unraid-api/auth/casbin/resolve-subject.util.js';
+
+describe('resolveSubjectFromUser', () => {
+    it('returns trimmed user id when available', () => {
+        const subject = resolveSubjectFromUser({ id: '  user-123  ', roles: ['viewer'] });
+
+        expect(subject).toBe('user-123');
+    });
+
+    it('falls back to a single non-empty role', () => {
+        const subject = resolveSubjectFromUser({ roles: ['  viewer  '] });
+
+        expect(subject).toBe('viewer');
+    });
+
+    it('throws when role list is empty', () => {
+        expect(() => resolveSubjectFromUser({ roles: [] })).toThrow(UnauthorizedException);
+    });
+
+    it('throws when multiple roles are present', () => {
+        expect(() => resolveSubjectFromUser({ roles: ['viewer', 'admin'] })).toThrow(
+            UnauthorizedException
+        );
+    });
+
+    it('throws when roles is not an array', () => {
+        expect(() => resolveSubjectFromUser({ roles: 'viewer' as unknown })).toThrow(
+            UnauthorizedException
+        );
+    });
+
+    it('throws when role subject is blank', () => {
+        expect(() => resolveSubjectFromUser({ roles: ['  '] })).toThrow(UnauthorizedException);
+    });
+
+    it('throws when user is missing', () => {
+        expect(() => resolveSubjectFromUser(undefined)).toThrow(UnauthorizedException);
+    });
+});

api/src/unraid-api/auth/casbin/resolve-subject.util.ts

@@ -0,0 +1,46 @@
+import { UnauthorizedException } from '@nestjs/common';
+
+type CasbinUser = {
+    id?: unknown;
+    roles?: unknown;
+};
+
+/**
+ * Determine the Casbin subject for a request user.
+ *
+ * Prefers a non-empty `user.id`, otherwise falls back to a single non-empty role.
+ * Throws when the subject cannot be resolved.
+ */
+export function resolveSubjectFromUser(user: CasbinUser | undefined): string {
+    if (!user) {
+        throw new UnauthorizedException('Request user context missing');
+    }
+
+    const roles = user.roles ?? [];
+
+    if (!Array.isArray(roles)) {
+        throw new UnauthorizedException('User roles must be an array');
+    }
+
+    const userId = typeof user.id === 'string' ? user.id.trim() : '';
+
+    if (userId.length > 0) {
+        return userId;
+    }
+
+    if (roles.length === 1) {
+        const [role] = roles;
+
+        if (typeof role === 'string') {
+            const trimmedRole = role.trim();
+
+            if (trimmedRole.length > 0) {
+                return trimmedRole;
+            }
+        }
+
+        throw new UnauthorizedException('Role subject must be a non-empty string');
+    }
+
+    throw new UnauthorizedException('Unable to determine subject from user context');
+}

api/src/unraid-api/cli/__test__/plugin.command.test.ts

@@ -36,6 +36,7 @@ const mockPluginManagementService = {
     addPlugin: vi.fn(),
     addBundledPlugin: vi.fn(),
     removePlugin: vi.fn(),
+    removePluginConfigOnly: vi.fn(),
     removeBundledPlugin: vi.fn(),
     plugins: [] as string[],
 };
@@ -147,6 +148,7 @@ describe('Plugin Commands', () => {
                 '@unraid/plugin-example',
                 '@unraid/plugin-test'
             );
+            expect(mockPluginManagementService.removePluginConfigOnly).not.toHaveBeenCalled();
             expect(mockLogger.log).toHaveBeenCalledWith('Removed plugin @unraid/plugin-example');
             expect(mockLogger.log).toHaveBeenCalledWith('Removed plugin @unraid/plugin-test');
             expect(mockApiConfigPersistence.persist).toHaveBeenCalled();
@@ -178,9 +180,72 @@ describe('Plugin Commands', () => {
             expect(mockPluginManagementService.removePlugin).toHaveBeenCalledWith(
                 '@unraid/plugin-example'
             );
+            expect(mockPluginManagementService.removePluginConfigOnly).not.toHaveBeenCalled();
             expect(mockApiConfigPersistence.persist).toHaveBeenCalled();
             expect(mockRestartCommand.run).not.toHaveBeenCalled();
         });
+
+        it('should bypass npm uninstall when bypass flag is provided', async () => {
+            mockInquirerService.prompt.mockResolvedValue({
+                plugins: ['@unraid/plugin-example'],
+                restart: true,
+                bypassNpm: true,
+            });
+
+            await command.run([], { restart: true, bypassNpm: true });
+
+            expect(mockPluginManagementService.removePluginConfigOnly).toHaveBeenCalledWith(
+                '@unraid/plugin-example'
+            );
+            expect(mockPluginManagementService.removePlugin).not.toHaveBeenCalled();
+        });
+
+        it('should preserve cli flags when prompt supplies plugins', async () => {
+            mockInquirerService.prompt.mockResolvedValue({
+                plugins: ['@unraid/plugin-example'],
+            });
+
+            await command.run([], { restart: false, bypassNpm: true });
+
+            expect(mockPluginManagementService.removePluginConfigOnly).toHaveBeenCalledWith(
+                '@unraid/plugin-example'
+            );
+            expect(mockPluginManagementService.removePlugin).not.toHaveBeenCalled();
+            expect(mockRestartCommand.run).not.toHaveBeenCalled();
+        });
+
+        it('should honor prompt restart value when cli flag not provided', async () => {
+            mockInquirerService.prompt.mockResolvedValue({
+                plugins: ['@unraid/plugin-example'],
+                restart: false,
+            });
+
+            await command.run([], {});
+
+            expect(mockPluginManagementService.removePlugin).toHaveBeenCalledWith(
+                '@unraid/plugin-example'
+            );
+            expect(mockRestartCommand.run).not.toHaveBeenCalled();
+        });
+
+        it('should respect passed params and skip inquirer', async () => {
+            await command.run(['@unraid/plugin-example'], { restart: true, bypassNpm: false });
+
+            expect(mockInquirerService.prompt).not.toHaveBeenCalled();
+            expect(mockPluginManagementService.removePlugin).toHaveBeenCalledWith(
+                '@unraid/plugin-example'
+            );
+        });
+
+        it('should bypass npm when flag provided with passed params', async () => {
+            await command.run(['@unraid/plugin-example'], { restart: true, bypassNpm: true });
+
+            expect(mockInquirerService.prompt).not.toHaveBeenCalled();
+            expect(mockPluginManagementService.removePluginConfigOnly).toHaveBeenCalledWith(
+                '@unraid/plugin-example'
+            );
+            expect(mockPluginManagementService.removePlugin).not.toHaveBeenCalled();
+        });
     });
 
     describe('ListPluginCommand', () => {

api/src/unraid-api/cli/plugins/plugin.command.ts

@@ -74,13 +74,15 @@ export class InstallPluginCommand extends CommandRunner {
 
 interface RemovePluginCommandOptions {
     plugins?: string[];
-    restart: boolean;
+    restart?: boolean;
+    bypassNpm?: boolean;
 }
 
 @SubCommand({
     name: 'remove',
     aliases: ['rm'],
     description: 'Remove plugin peer dependencies.',
+    arguments: '[plugins...]',
 })
 export class RemovePluginCommand extends CommandRunner {
     constructor(
@@ -93,9 +95,83 @@ export class RemovePluginCommand extends CommandRunner {
         super();
     }
 
-    async run(_passedParams: string[], options?: RemovePluginCommandOptions): Promise<void> {
+    async run(passedParams: string[], options?: RemovePluginCommandOptions): Promise<void> {
+        const cliBypass = options?.bypassNpm;
+        const cliRestart = options?.restart;
+        const mergedOptions: RemovePluginCommandOptions = {
+            bypassNpm: cliBypass ?? false,
+            restart: cliRestart ?? true,
+            plugins: passedParams.length > 0 ? passedParams : options?.plugins,
+        };
+
+        let resolvedOptions = mergedOptions;
+        if (!mergedOptions.plugins?.length) {
+            const promptOptions = await this.promptForPlugins(mergedOptions);
+            if (!promptOptions) {
+                return;
+            }
+            resolvedOptions = {
+                // precedence: cli > prompt > default (fallback)
+                bypassNpm: cliBypass ?? promptOptions.bypassNpm ?? mergedOptions.bypassNpm,
+                restart: cliRestart ?? promptOptions.restart ?? mergedOptions.restart,
+                // precedence: prompt > default (fallback)
+                plugins: promptOptions.plugins ?? mergedOptions.plugins,
+            };
+        }
+
+        if (!resolvedOptions.plugins?.length) {
+            this.logService.warn('No plugins selected for removal.');
+            return;
+        }
+
+        if (resolvedOptions.bypassNpm) {
+            await this.pluginManagementService.removePluginConfigOnly(...resolvedOptions.plugins);
+        } else {
+            await this.pluginManagementService.removePlugin(...resolvedOptions.plugins);
+        }
+        for (const plugin of resolvedOptions.plugins) {
+            this.logService.log(`Removed plugin ${plugin}`);
+        }
+        await this.apiConfigPersistence.persist();
+
+        if (resolvedOptions.restart) {
+            await this.restartCommand.run();
+        }
+    }
+
+    @Option({
+        flags: '--no-restart',
+        description: 'do NOT restart the service after deploy',
+        defaultValue: true,
+    })
+    parseRestart(): boolean {
+        return false;
+    }
+
+    @Option({
+        flags: '-b, --bypass-npm',
+        description: 'Bypass npm uninstall and only update the config',
+        defaultValue: false,
+        name: 'bypassNpm',
+    })
+    parseBypass(): boolean {
+        return true;
+    }
+
+    @Option({
+        flags: '--npm',
+        description: 'Run npm uninstall for unbundled plugins (default behavior)',
+        name: 'bypassNpm',
+    })
+    parseRunNpm(): boolean {
+        return false;
+    }
+
+    private async promptForPlugins(
+        initialOptions: RemovePluginCommandOptions
+    ): Promise<RemovePluginCommandOptions | undefined> {
         try {
-            options = await this.inquirerService.prompt(RemovePluginQuestionSet.name, options);
+            return await this.inquirerService.prompt(RemovePluginQuestionSet.name, initialOptions);
         } catch (error) {
             if (error instanceof NoPluginsFoundError) {
                 this.logService.error(error.message);
@@ -108,30 +184,6 @@ export class RemovePluginCommand extends CommandRunner {
                 process.exit(1);
             }
         }
-
-        if (!options.plugins || options.plugins.length === 0) {
-            this.logService.warn('No plugins selected for removal.');
-            return;
-        }
-
-        await this.pluginManagementService.removePlugin(...options.plugins);
-        for (const plugin of options.plugins) {
-            this.logService.log(`Removed plugin ${plugin}`);
-        }
-        await this.apiConfigPersistence.persist();
-
-        if (options.restart) {
-            await this.restartCommand.run();
-        }
-    }
-
-    @Option({
-        flags: '--no-restart',
-        description: 'do NOT restart the service after deploy',
-        defaultValue: true,
-    })
-    parseRestart(): boolean {
-        return false;
     }
 }
 

api/src/unraid-api/cli/pm2.service.ts

@@ -58,7 +58,8 @@ export class PM2Service {
             ...(needsPathUpdate && { PATH: finalPath }),
         };
 
-        const runCommand = () => execa(PM2_PATH, [...args], execOptions satisfies Options);
+        const pm2Args = args.some((arg) => arg === '--no-color') ? args : ['--no-color', ...args];
+        const runCommand = () => execa(PM2_PATH, pm2Args, execOptions satisfies Options);
         if (raw) {
             return runCommand();
         }

api/src/unraid-api/config/api-config.module.ts

@@ -6,6 +6,7 @@ import type { ApiConfig } from '@unraid/shared/services/api-config.js';
 import { ConfigFilePersister } from '@unraid/shared/services/config-file.js';
 import { csvStringToArray } from '@unraid/shared/util/data.js';
 
+import { isConnectPluginInstalled } from '@app/connect-plugin-cleanup.js';
 import { API_VERSION, PATHS_CONFIG_MODULES } from '@app/environment.js';
 
 export { type ApiConfig };
@@ -29,6 +30,13 @@ export const loadApiConfig = async () => {
     const apiHandler = new ApiConfigPersistence(new ConfigService()).getFileHandler();
 
     const diskConfig: Partial<ApiConfig> = await apiHandler.loadConfig();
+    // Hack: cleanup stale connect plugin entry if necessary
+    if (!isConnectPluginInstalled()) {
+        diskConfig.plugins = diskConfig.plugins?.filter(
+            (plugin) => plugin !== 'unraid-api-plugin-connect'
+        );
+        await apiHandler.writeConfigFile(diskConfig as ApiConfig);
+    }
 
     return {
         ...defaultConfig,

api/src/unraid-api/graph/graph.module.ts

@@ -49,6 +49,7 @@ import { PluginModule } from '@app/unraid-api/plugin/plugin.module.js';
                             extra,
                         };
                     },
+                    fieldResolverEnhancers: ['guards'],
                     plugins: [
                         createDynamicIntrospectionPlugin(isSandboxEnabled),
                         createSandboxPlugin(),

api/src/unraid-api/graph/resolvers/api-key/api-key-form.service.ts

@@ -12,6 +12,24 @@ import {
     createSimpleLabeledControl,
 } from '@app/unraid-api/graph/utils/form-utils.js';
 
+const API_KEY_I18N = {
+    name: 'jsonforms.apiKey.name',
+    description: 'jsonforms.apiKey.description',
+    roles: 'jsonforms.apiKey.roles',
+    permissionPresets: 'jsonforms.apiKey.permissionPresets',
+    customPermissions: {
+        root: 'jsonforms.apiKey.customPermissions',
+        resources: 'jsonforms.apiKey.customPermissions.resources',
+        actions: 'jsonforms.apiKey.customPermissions.actions',
+    },
+    permissions: {
+        header: 'jsonforms.apiKey.permissions.header',
+        description: 'jsonforms.apiKey.permissions.description',
+        subheader: 'jsonforms.apiKey.permissions.subheader',
+        help: 'jsonforms.apiKey.permissions.help',
+    },
+} as const;
+
 // Helper to get GraphQL enum names for JSON Schema
 // GraphQL expects the enum names (keys) not the values
 function getAuthActionEnumNames(): string[] {
@@ -82,6 +100,7 @@ export class ApiKeyFormService {
             properties: {
                 name: {
                     type: 'string',
+                    i18n: API_KEY_I18N.name,
                     title: 'API Key Name',
                     description: 'A descriptive name for this API key',
                     minLength: 1,
@@ -89,12 +108,14 @@ export class ApiKeyFormService {
                 },
                 description: {
                     type: 'string',
+                    i18n: API_KEY_I18N.description,
                     title: 'Description',
                     description: 'Optional description of what this key is used for',
                     maxLength: 500,
                 },
                 roles: {
                     type: 'array',
+                    i18n: API_KEY_I18N.roles,
                     title: 'Roles',
                     description: 'Select one or more roles to grant pre-defined permission sets',
                     items: {
@@ -105,6 +126,7 @@ export class ApiKeyFormService {
                 },
                 permissionPresets: {
                     type: 'string',
+                    i18n: API_KEY_I18N.permissionPresets,
                     title: 'Add Permission Preset',
                     description: 'Quick add common permission sets',
                     enum: [
@@ -119,6 +141,7 @@ export class ApiKeyFormService {
                 },
                 customPermissions: {
                     type: 'array',
+                    i18n: API_KEY_I18N.customPermissions.root,
                     title: 'Permissions',
                     description: 'Configure specific permissions',
                     items: {
@@ -126,6 +149,7 @@ export class ApiKeyFormService {
                         properties: {
                             resources: {
                                 type: 'array',
+                                i18n: API_KEY_I18N.customPermissions.resources,
                                 title: 'Resources',
                                 items: {
                                     type: 'string',
@@ -137,6 +161,7 @@ export class ApiKeyFormService {
                             },
                             actions: {
                                 type: 'array',
+                                i18n: API_KEY_I18N.customPermissions.actions,
                                 title: 'Actions',
                                 items: {
                                     type: 'string',
@@ -167,6 +192,7 @@ export class ApiKeyFormService {
                     controlOptions: {
                         inputType: 'text',
                     },
+                    i18nKey: API_KEY_I18N.name,
                 }),
                 createLabeledControl({
                     scope: '#/properties/description',
@@ -177,6 +203,7 @@ export class ApiKeyFormService {
                         multi: true,
                         rows: 3,
                     },
+                    i18nKey: API_KEY_I18N.description,
                 }),
                 // Permissions section header
                 {
@@ -185,6 +212,7 @@ export class ApiKeyFormService {
                     options: {
                         format: 'title',
                     },
+                    i18n: API_KEY_I18N.permissions.header,
                 } as LabelElement,
                 {
                     type: 'Label',
@@ -192,6 +220,7 @@ export class ApiKeyFormService {
                     options: {
                         format: 'description',
                     },
+                    i18n: API_KEY_I18N.permissions.description,
                 } as LabelElement,
                 // Roles selection
                 createLabeledControl({
@@ -210,6 +239,7 @@ export class ApiKeyFormService {
                         ),
                         descriptions: this.getRoleDescriptions(),
                     },
+                    i18nKey: API_KEY_I18N.roles,
                 }),
                 // Separator for permissions
                 {
@@ -218,6 +248,7 @@ export class ApiKeyFormService {
                     options: {
                         format: 'subtitle',
                     },
+                    i18n: API_KEY_I18N.permissions.subheader,
                 } as LabelElement,
                 {
                     type: 'Label',
@@ -225,6 +256,7 @@ export class ApiKeyFormService {
                     options: {
                         format: 'description',
                     },
+                    i18n: API_KEY_I18N.permissions.help,
                 } as LabelElement,
                 // Permission preset dropdown
                 createLabeledControl({
@@ -242,6 +274,7 @@ export class ApiKeyFormService {
                             network_admin: 'Network Admin (Network & Services Control)',
                         },
                     },
+                    i18nKey: API_KEY_I18N.permissionPresets,
                 }),
                 // Custom permissions array - following OIDC pattern exactly
                 {
@@ -269,6 +302,7 @@ export class ApiKeyFormService {
                                             {}
                                         ),
                                     },
+                                    i18nKey: API_KEY_I18N.customPermissions.resources,
                                 }),
                                 createSimpleLabeledControl({
                                     scope: '#/properties/actions',
@@ -278,6 +312,7 @@ export class ApiKeyFormService {
                                         multiple: true,
                                         labels: getAuthActionLabels(),
                                     },
+                                    i18nKey: API_KEY_I18N.customPermissions.actions,
                                 }),
                             ],
                         },

api/src/unraid-api/graph/resolvers/customization/customization.service.spec.ts

@@ -3,6 +3,7 @@ import { Test, TestingModule } from '@nestjs/testing';
 import * as fs from 'fs/promises';
 import * as path from 'path';
 
+import type { Mock } from 'vitest';
 import { plainToInstance } from 'class-transformer';
 import * as ini from 'ini';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
@@ -1182,4 +1183,58 @@ describe('CustomizationService - updateCfgFile', () => {
             writeError
         );
     });
+
+    describe('getTheme', () => {
+        const mockDynamix = getters.dynamix as unknown as Mock;
+        const baseDisplay = {
+            theme: 'white',
+            banner: '',
+            showBannerGradient: 'no',
+            background: '123456',
+            headerdescription: 'yes',
+            headermetacolor: '789abc',
+            header: 'abcdef',
+        };
+
+        const setDisplay = (overrides: Partial<typeof baseDisplay>) => {
+            mockDynamix.mockReturnValue({
+                display: {
+                    ...baseDisplay,
+                    ...overrides,
+                },
+            });
+        };
+
+        it('reports showBannerImage when banner is "image"', async () => {
+            setDisplay({ banner: 'image' });
+
+            const theme = await service.getTheme();
+
+            expect(theme.showBannerImage).toBe(true);
+        });
+
+        it('reports showBannerImage when banner is "yes"', async () => {
+            setDisplay({ banner: 'yes' });
+
+            const theme = await service.getTheme();
+
+            expect(theme.showBannerImage).toBe(true);
+        });
+
+        it('disables showBannerImage when banner is empty', async () => {
+            setDisplay({ banner: '' });
+
+            const theme = await service.getTheme();
+
+            expect(theme.showBannerImage).toBe(false);
+        });
+
+        it('mirrors showBannerGradient flag from display settings', async () => {
+            setDisplay({ banner: 'image', showBannerGradient: 'yes' });
+            expect((await service.getTheme()).showBannerGradient).toBe(true);
+
+            setDisplay({ banner: 'image', showBannerGradient: 'no' });
+            expect((await service.getTheme()).showBannerGradient).toBe(false);
+        });
+    });
 });

api/src/unraid-api/graph/resolvers/customization/customization.service.ts

@@ -458,7 +458,7 @@ export class CustomizationService implements OnModuleInit {
 
         return {
             name,
-            showBannerImage: banner === 'yes',
+            showBannerImage: banner === 'image' || banner === 'yes',
             showBannerGradient: bannerGradient === 'yes',
             headerBackgroundColor: this.addHashtoHexField(bgColor),
             headerPrimaryTextColor: this.addHashtoHexField(textColor),

api/src/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.ts

@@ -0,0 +1,233 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { constants as fsConstants } from 'node:fs';
+import { access, readdir, readFile } from 'node:fs/promises';
+import { join } from 'path';
+
+@Injectable()
+export class CpuTopologyService {
+    private readonly logger = new Logger(CpuTopologyService.name);
+
+    // -----------------------------------------------------------------
+    // Read static CPU topology, per-package core thread pairs
+    // -----------------------------------------------------------------
+    async generateTopology(): Promise<number[][][]> {
+        const packages: Record<number, number[][]> = {};
+        let cpuDirs: string[];
+
+        try {
+            cpuDirs = await readdir('/sys/devices/system/cpu');
+        } catch (err) {
+            this.logger.warn('CPU topology unavailable, /sys/devices/system/cpu not accessible');
+            return [];
+        }
+
+        for (const dir of cpuDirs) {
+            if (!/^cpu\d+$/.test(dir)) continue;
+
+            const basePath = join('/sys/devices/system/cpu', dir, 'topology');
+            const pkgFile = join(basePath, 'physical_package_id');
+            const siblingsFile = join(basePath, 'thread_siblings_list');
+
+            try {
+                const [pkgIdStr, siblingsStrRaw] = await Promise.all([
+                    readFile(pkgFile, 'utf8'),
+                    readFile(siblingsFile, 'utf8'),
+                ]);
+
+                const pkgId = parseInt(pkgIdStr.trim(), 10);
+
+                // expand ranges
+                const siblings = siblingsStrRaw
+                    .trim()
+                    .replace(/(\d+)-(\d+)/g, (_, start, end) =>
+                        Array.from(
+                            { length: parseInt(end) - parseInt(start) + 1 },
+                            (_, i) => parseInt(start) + i
+                        ).join(',')
+                    )
+                    .split(',')
+                    .map((n) => parseInt(n, 10));
+
+                if (!packages[pkgId]) packages[pkgId] = [];
+                if (!packages[pkgId].some((arr) => arr.join(',') === siblings.join(','))) {
+                    packages[pkgId].push(siblings);
+                }
+            } catch (err) {
+                this.logger.warn(err, `Topology read error for ${dir}`);
+            }
+        }
+        // Sort cores within each package, and packages by their lowest core index
+        const result = Object.entries(packages)
+            .sort((a, b) => a[1][0][0] - b[1][0][0]) // sort packages by first CPU ID
+            .map(
+                ([pkgId, cores]) => cores.sort((a, b) => a[0] - b[0]) // sort cores within package
+            );
+
+        return result;
+    }
+
+    // -----------------------------------------------------------------
+    // Dynamic telemetry (power + temperature)
+    // -----------------------------------------------------------------
+    private async getPackageTemps(): Promise<number[]> {
+        const temps: number[] = [];
+        try {
+            const hwmons = await readdir('/sys/class/hwmon');
+            for (const hwmon of hwmons) {
+                const path = join('/sys/class/hwmon', hwmon);
+                try {
+                    const label = (await readFile(join(path, 'name'), 'utf8')).trim();
+                    if (/coretemp|k10temp|zenpower/i.test(label)) {
+                        const files = await readdir(path);
+                        for (const f of files) {
+                            if (f.startsWith('temp') && f.endsWith('_label')) {
+                                const lbl = (await readFile(join(path, f), 'utf8')).trim().toLowerCase();
+                                if (
+                                    lbl.includes('package id') ||
+                                    lbl.includes('tctl') ||
+                                    lbl.includes('tdie')
+                                ) {
+                                    const inputFile = join(path, f.replace('_label', '_input'));
+                                    try {
+                                        const raw = await readFile(inputFile, 'utf8');
+                                        const parsed = parseInt(raw.trim(), 10);
+                                        if (Number.isFinite(parsed)) {
+                                            temps.push(parsed / 1000);
+                                        } else {
+                                            this.logger.warn(`Invalid temperature value: ${raw.trim()}`);
+                                        }
+                                    } catch (err) {
+                                        this.logger.warn('Failed to read file', err);
+                                    }
+                                }
+                            }
+                        }
+                    }
+                } catch (err) {
+                    this.logger.warn('Failed to read file', err);
+                }
+            }
+        } catch (err) {
+            this.logger.warn('Failed to read file', err);
+        }
+        return temps;
+    }
+
+    private async getPackagePower(): Promise<Record<number, Record<string, number>>> {
+        const basePath = '/sys/class/powercap';
+        const prefixes = ['intel-rapl', 'intel-rapl-mmio', 'amd-rapl'];
+        const raplPaths: string[] = [];
+
+        try {
+            const entries = await readdir(basePath, { withFileTypes: true });
+            for (const entry of entries) {
+                if (entry.isSymbolicLink() && prefixes.some((p) => entry.name.startsWith(p))) {
+                    if (/:\d+:\d+/.test(entry.name)) continue;
+                    raplPaths.push(join(basePath, entry.name));
+                }
+            }
+        } catch {
+            return {};
+        }
+
+        if (!raplPaths.length) return {};
+
+        const readEnergy = async (p: string): Promise<number | null> => {
+            try {
+                await access(join(p, 'energy_uj'), fsConstants.R_OK);
+                const raw = await readFile(join(p, 'energy_uj'), 'utf8');
+                const parsed = parseInt(raw.trim(), 10);
+                return Number.isFinite(parsed) ? parsed : null;
+            } catch {
+                return null;
+            }
+        };
+
+        const prevE = new Map<string, number>();
+        const prevT = new Map<string, bigint>();
+
+        for (const p of raplPaths) {
+            const val = await readEnergy(p);
+            if (val !== null) {
+                prevE.set(p, val);
+                prevT.set(p, process.hrtime.bigint());
+            }
+        }
+
+        await new Promise((res) => setTimeout(res, 100));
+
+        const results: Record<number, Record<string, number>> = {};
+
+        for (const p of raplPaths) {
+            const now = await readEnergy(p);
+            if (now === null) continue;
+
+            const prevVal = prevE.get(p);
+            const prevTime = prevT.get(p);
+            if (prevVal === undefined || prevTime === undefined) continue;
+
+            const diffE = now - prevVal;
+            const diffT = Number(process.hrtime.bigint() - prevTime);
+
+            if (!Number.isFinite(diffE) || !Number.isFinite(diffT)) {
+                this.logger.warn(`Non-finite energy/time diff for ${p}`);
+                continue;
+            }
+
+            if (diffT <= 0 || diffE < 0) continue;
+
+            const watts = (diffE * 1e-6) / (diffT * 1e-9);
+            const powerW = Math.round(watts * 100) / 100;
+
+            if (!Number.isFinite(powerW)) {
+                this.logger.warn(`Non-finite power value for ${p}: ${watts}`);
+                continue;
+            }
+
+            const nameFile = join(p, 'name');
+            let label = 'package';
+            try {
+                label = (await readFile(nameFile, 'utf8')).trim();
+            } catch (err) {
+                this.logger.warn('Failed to read file', err);
+            }
+
+            const pkgMatch = label.match(/package-(\d+)/i);
+            const pkgId = pkgMatch ? Number(pkgMatch[1]) : 0;
+
+            if (!results[pkgId]) results[pkgId] = {};
+            results[pkgId][label] = powerW;
+        }
+
+        for (const domains of Object.values(results)) {
+            const total = Object.values(domains).reduce((a, b) => a + b, 0);
+            domains['total'] = Math.round(total * 100) / 100;
+        }
+
+        return results;
+    }
+
+    async generateTelemetry(): Promise<{ id: number; power: number; temp: number }[]> {
+        const temps = await this.getPackageTemps();
+        const powerData = await this.getPackagePower();
+
+        const maxPkg = Math.max(temps.length - 1, ...Object.keys(powerData).map(Number), 0);
+
+        const result: {
+            id: number;
+            power: number;
+            temp: number;
+        }[] = [];
+
+        for (let pkgId = 0; pkgId <= maxPkg; pkgId++) {
+            const entry = powerData[pkgId] ?? {};
+            result.push({
+                id: pkgId,
+                power: entry.total ?? -1,
+                temp: temps[pkgId] ?? -1,
+            });
+        }
+
+        return result;
+    }
+}

api/src/unraid-api/graph/resolvers/info/cpu/cpu.model.ts

@@ -39,6 +39,18 @@ export class CpuLoad {
     percentSteal!: number;
 }
 
+@ObjectType({ implements: () => Node })
+export class CpuPackages extends Node {
+    @Field(() => Float, { description: 'Total CPU package power draw (W)' })
+    totalPower!: number;
+
+    @Field(() => [Float], { description: 'Power draw per package (W)' })
+    power!: number[];
+
+    @Field(() => [Float], { description: 'Temperature per package (°C)' })
+    temp!: number[];
+}
+
 @ObjectType({ implements: () => Node })
 export class CpuUtilization extends Node {
     @Field(() => Float, { description: 'Total CPU load in percent' })
@@ -100,4 +112,12 @@ export class InfoCpu extends Node {
 
     @Field(() => [String], { nullable: true, description: 'CPU feature flags' })
     flags?: string[];
+
+    @Field(() => [[[Int]]], {
+        description: 'Per-package array of core/thread pairs, e.g. [[[0,1],[2,3]], [[4,5],[6,7]]]',
+    })
+    topology!: number[][][];
+
+    @Field(() => CpuPackages)
+    packages!: CpuPackages;
 }

api/src/unraid-api/graph/resolvers/info/cpu/cpu.module.ts

@@ -0,0 +1,10 @@
+import { Module } from '@nestjs/common';
+
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
+import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
+
+@Module({
+    providers: [CpuService, CpuTopologyService],
+    exports: [CpuService, CpuTopologyService],
+})
+export class CpuModule {}

api/src/unraid-api/graph/resolvers/info/cpu/cpu.service.spec.ts

@@ -1,5 +1,6 @@
 import { beforeEach, describe, expect, it, vi } from 'vitest';
 
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
 import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
 
 vi.mock('systeminformation', () => ({
@@ -88,9 +89,27 @@ vi.mock('systeminformation', () => ({
 
 describe('CpuService', () => {
     let service: CpuService;
+    let cpuTopologyService: CpuTopologyService;
 
     beforeEach(() => {
-        service = new CpuService();
+        cpuTopologyService = {
+            generateTopology: vi.fn().mockResolvedValue([
+                [
+                    [0, 1],
+                    [2, 3],
+                ],
+                [
+                    [4, 5],
+                    [6, 7],
+                ],
+            ]),
+            generateTelemetry: vi.fn().mockResolvedValue([
+                { power: 32.5, temp: 45.0 },
+                { power: 33.0, temp: 46.0 },
+            ]),
+        } as unknown as CpuTopologyService;
+
+        service = new CpuService(cpuTopologyService);
     });
 
     describe('generateCpu', () => {
@@ -121,6 +140,22 @@ describe('CpuService', () => {
                     l3: 12582912,
                 },
                 flags: ['fpu', 'vme', 'de', 'pse', 'tsc', 'msr', 'pae', 'mce', 'cx8'],
+                packages: {
+                    id: 'info/cpu/packages',
+                    totalPower: 65.5,
+                    power: [32.5, 33.0],
+                    temp: [45.0, 46.0],
+                },
+                topology: [
+                    [
+                        [0, 1],
+                        [2, 3],
+                    ],
+                    [
+                        [4, 5],
+                        [6, 7],
+                    ],
+                ],
             });
         });
 

api/src/unraid-api/graph/resolvers/info/cpu/cpu.service.ts

@@ -2,25 +2,56 @@ import { Injectable } from '@nestjs/common';
 
 import { cpu, cpuFlags, currentLoad } from 'systeminformation';
 
-import { CpuUtilization, InfoCpu } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.model.js';
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
+import {
+    CpuPackages,
+    CpuUtilization,
+    InfoCpu,
+} from '@app/unraid-api/graph/resolvers/info/cpu/cpu.model.js';
 
 @Injectable()
 export class CpuService {
+    constructor(private readonly cpuTopologyService: CpuTopologyService) {}
+
     async generateCpu(): Promise<InfoCpu> {
-        const { cores, physicalCores, speedMin, speedMax, stepping, ...rest } = await cpu();
+        const { cores, physicalCores, speedMin, speedMax, stepping, processors, ...rest } = await cpu();
         const flags = await cpuFlags()
-            .then((flags) => flags.split(' '))
+            .then((f) => f.split(' '))
             .catch(() => []);
 
+        // Gather telemetry
+        const packageList = await this.cpuTopologyService.generateTelemetry();
+        const topology = await this.cpuTopologyService.generateTopology();
+
+        // Compute total power (2 decimals)
+        const totalPower = Number(
+            packageList
+                .map((pkg) => pkg.power)
+                .filter((power) => power >= 0)
+                .reduce((sum, power) => sum + power, 0)
+                .toFixed(2)
+        );
+
+        // Build CpuPackages object
+        const packages: CpuPackages = {
+            id: 'info/cpu/packages',
+            totalPower,
+            power: packageList.map((pkg) => pkg.power ?? -1),
+            temp: packageList.map((pkg) => pkg.temp ?? -1),
+        };
+
         return {
             id: 'info/cpu',
             ...rest,
             cores: physicalCores,
             threads: cores,
+            processors,
             flags,
             stepping: Number(stepping),
             speedmin: speedMin || -1,
             speedmax: speedMax || -1,
+            packages,
+            topology,
         };
     }
 

api/src/unraid-api/graph/resolvers/info/info.module.ts

@@ -1,6 +1,7 @@
 import { Module } from '@nestjs/common';
 import { ConfigModule } from '@nestjs/config';
 
+import { CpuModule } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.module.js';
 import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
 import { DevicesResolver } from '@app/unraid-api/graph/resolvers/info/devices/devices.resolver.js';
 import { DevicesService } from '@app/unraid-api/graph/resolvers/info/devices/devices.service.js';
@@ -14,7 +15,7 @@ import { VersionsService } from '@app/unraid-api/graph/resolvers/info/versions/v
 import { ServicesModule } from '@app/unraid-api/graph/services/services.module.js';
 
 @Module({
-    imports: [ConfigModule, ServicesModule],
+    imports: [ConfigModule, ServicesModule, CpuModule],
     providers: [
         // Main resolver
         InfoResolver,
@@ -25,7 +26,6 @@ import { ServicesModule } from '@app/unraid-api/graph/services/services.module.j
         CoreVersionsResolver,
 
         // Services
-        CpuService,
         MemoryService,
         DevicesService,
         OsService,

api/src/unraid-api/graph/resolvers/info/info.resolver.integration.spec.ts

@@ -6,6 +6,7 @@ import { Test } from '@nestjs/testing';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 import { DockerService } from '@app/unraid-api/graph/resolvers/docker/docker.service.js';
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
 import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
 import { DevicesResolver } from '@app/unraid-api/graph/resolvers/info/devices/devices.resolver.js';
 import { DevicesService } from '@app/unraid-api/graph/resolvers/info/devices/devices.service.js';
@@ -28,6 +29,7 @@ describe('InfoResolver Integration Tests', () => {
                 InfoResolver,
                 DevicesResolver,
                 CpuService,
+                CpuTopologyService,
                 MemoryService,
                 DevicesService,
                 OsService,

api/src/unraid-api/graph/resolvers/metrics/metrics.module.ts

@@ -1,13 +1,13 @@
 import { Module } from '@nestjs/common';
 
-import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
+import { CpuModule } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.module.js';
 import { MemoryService } from '@app/unraid-api/graph/resolvers/info/memory/memory.service.js';
 import { MetricsResolver } from '@app/unraid-api/graph/resolvers/metrics/metrics.resolver.js';
 import { ServicesModule } from '@app/unraid-api/graph/services/services.module.js';
 
 @Module({
-    imports: [ServicesModule],
-    providers: [MetricsResolver, CpuService, MemoryService],
+    imports: [ServicesModule, CpuModule],
+    providers: [MetricsResolver, MemoryService],
     exports: [MetricsResolver],
 })
 export class MetricsModule {}

api/src/unraid-api/graph/resolvers/metrics/metrics.resolver.integration.spec.ts

@@ -5,6 +5,7 @@ import { Test } from '@nestjs/testing';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 import { pubsub, PUBSUB_CHANNEL } from '@app/core/pubsub.js';
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
 import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
 import { MemoryService } from '@app/unraid-api/graph/resolvers/info/memory/memory.service.js';
 import { MetricsResolver } from '@app/unraid-api/graph/resolvers/metrics/metrics.resolver.js';
@@ -22,6 +23,7 @@ describe('MetricsResolver Integration Tests', () => {
             providers: [
                 MetricsResolver,
                 CpuService,
+                CpuTopologyService,
                 MemoryService,
                 SubscriptionTrackerService,
                 SubscriptionHelperService,

api/src/unraid-api/graph/resolvers/metrics/metrics.resolver.spec.ts

@@ -3,6 +3,7 @@ import { Test } from '@nestjs/testing';
 
 import { beforeEach, describe, expect, it, vi } from 'vitest';
 
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
 import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
 import { MemoryService } from '@app/unraid-api/graph/resolvers/info/memory/memory.service.js';
 import { MetricsResolver } from '@app/unraid-api/graph/resolvers/metrics/metrics.resolver.js';
@@ -18,6 +19,7 @@ describe('MetricsResolver', () => {
         const module: TestingModule = await Test.createTestingModule({
             providers: [
                 MetricsResolver,
+                CpuTopologyService,
                 {
                     provide: CpuService,
                     useValue: {
@@ -161,8 +163,14 @@ describe('MetricsResolver', () => {
                 registerTopic: vi.fn(),
             };
 
+            const cpuTopologyServiceMock = {
+                generateTopology: vi.fn(),
+                generateTelemetry: vi.fn().mockResolvedValue([{ id: 0, power: 42.5, temp: 68.3 }]),
+            } satisfies Pick<CpuTopologyService, 'generateTopology' | 'generateTelemetry'>;
+
             const testModule = new MetricsResolver(
                 cpuService,
+                cpuTopologyServiceMock as unknown as CpuTopologyService,
                 memoryService,
                 subscriptionTracker as any,
                 {} as any
@@ -170,7 +178,7 @@ describe('MetricsResolver', () => {
 
             testModule.onModuleInit();
 
-            expect(subscriptionTracker.registerTopic).toHaveBeenCalledTimes(2);
+            expect(subscriptionTracker.registerTopic).toHaveBeenCalledTimes(3);
             expect(subscriptionTracker.registerTopic).toHaveBeenCalledWith(
                 'CPU_UTILIZATION',
                 expect.any(Function),

api/src/unraid-api/graph/resolvers/metrics/metrics.resolver.ts

@@ -1,11 +1,12 @@
-import { OnModuleInit } from '@nestjs/common';
+import { Logger, OnModuleInit } from '@nestjs/common';
 import { Query, ResolveField, Resolver, Subscription } from '@nestjs/graphql';
 
 import { AuthAction, Resource } from '@unraid/shared/graphql.model.js';
 import { UsePermissions } from '@unraid/shared/use-permissions.directive.js';
 
 import { pubsub, PUBSUB_CHANNEL } from '@app/core/pubsub.js';
-import { CpuUtilization } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.model.js';
+import { CpuTopologyService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu-topology.service.js';
+import { CpuPackages, CpuUtilization } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.model.js';
 import { CpuService } from '@app/unraid-api/graph/resolvers/info/cpu/cpu.service.js';
 import { MemoryUtilization } from '@app/unraid-api/graph/resolvers/info/memory/memory.model.js';
 import { MemoryService } from '@app/unraid-api/graph/resolvers/info/memory/memory.service.js';
@@ -15,8 +16,10 @@ import { SubscriptionTrackerService } from '@app/unraid-api/graph/services/subsc
 
 @Resolver(() => Metrics)
 export class MetricsResolver implements OnModuleInit {
+    private readonly logger = new Logger(MetricsResolver.name);
     constructor(
         private readonly cpuService: CpuService,
+        private readonly cpuTopologyService: CpuTopologyService,
         private readonly memoryService: MemoryService,
         private readonly subscriptionTracker: SubscriptionTrackerService,
         private readonly subscriptionHelper: SubscriptionHelperService
@@ -33,6 +36,38 @@ export class MetricsResolver implements OnModuleInit {
             1000
         );
 
+        this.subscriptionTracker.registerTopic(
+            PUBSUB_CHANNEL.CPU_TELEMETRY,
+            async () => {
+                const packageList = (await this.cpuTopologyService.generateTelemetry()) ?? [];
+
+                // Compute total power with 2 decimals
+                const totalPower = Number(
+                    packageList
+                        .map((pkg) => pkg.power)
+                        .filter((power) => power >= 0)
+                        .reduce((sum, power) => sum + power, 0)
+                        .toFixed(2)
+                );
+
+                const packages: CpuPackages = {
+                    id: 'metrics/cpu/packages',
+                    totalPower,
+                    power: packageList.map((pkg) => pkg.power ?? -1),
+                    temp: packageList.map((pkg) => pkg.temp ?? -1),
+                };
+                this.logger.debug(`CPU_TELEMETRY payload: ${JSON.stringify(packages)}`);
+
+                // Publish the payload
+                pubsub.publish(PUBSUB_CHANNEL.CPU_TELEMETRY, {
+                    systemMetricsCpuTelemetry: packages,
+                });
+
+                this.logger.debug(`CPU_TELEMETRY payload2: ${JSON.stringify(packages)}`);
+            },
+            5000
+        );
+
         // Register memory polling with 2 second interval
         this.subscriptionTracker.registerTopic(
             PUBSUB_CHANNEL.MEMORY_UTILIZATION,
@@ -77,6 +112,18 @@ export class MetricsResolver implements OnModuleInit {
         return this.subscriptionHelper.createTrackedSubscription(PUBSUB_CHANNEL.CPU_UTILIZATION);
     }
 
+    @Subscription(() => CpuPackages, {
+        name: 'systemMetricsCpuTelemetry',
+        resolve: (value) => value.systemMetricsCpuTelemetry,
+    })
+    @UsePermissions({
+        action: AuthAction.READ_ANY,
+        resource: Resource.INFO,
+    })
+    public async systemMetricsCpuTelemetrySubscription() {
+        return this.subscriptionHelper.createTrackedSubscription(PUBSUB_CHANNEL.CPU_TELEMETRY);
+    }
+
     @Subscription(() => MemoryUtilization, {
         name: 'systemMetricsMemory',
         resolve: (value) => value.systemMetricsMemory,

api/src/unraid-api/graph/resolvers/mutation/mutation.model.ts

@@ -40,6 +40,11 @@ export class RCloneMutations {
     deleteRCloneRemote!: boolean;
 }
 
+@ObjectType({
+    description: 'Notification related mutations',
+})
+export class NotificationMutations {}
+
 @ObjectType()
 export class RootMutations {
     @Field(() => ArrayMutations, { description: 'Array related mutations' })
@@ -59,4 +64,7 @@ export class RootMutations {
 
     @Field(() => RCloneMutations, { description: 'RClone related mutations' })
     rclone: RCloneMutations = new RCloneMutations();
+
+    @Field(() => NotificationMutations, { description: 'Notification related mutations' })
+    notifications: NotificationMutations = new NotificationMutations();
 }

api/src/unraid-api/graph/resolvers/mutation/mutation.resolver.ts

@@ -4,6 +4,7 @@ import {
     ApiKeyMutations,
     ArrayMutations,
     DockerMutations,
+    NotificationMutations,
     ParityCheckMutations,
     RCloneMutations,
     RootMutations,
@@ -41,4 +42,9 @@ export class RootMutationsResolver {
     rclone(): RCloneMutations {
         return new RCloneMutations();
     }
+
+    @Mutation(() => NotificationMutations, { name: 'notifications' })
+    notifications(): NotificationMutations {
+        return new NotificationMutations();
+    }
 }

api/src/unraid-api/graph/resolvers/notifications/loadNotificationsFile.test.ts

@@ -14,6 +14,16 @@ import {
 } from '@app/unraid-api/graph/resolvers/notifications/notifications.model.js';
 import { NotificationsService } from '@app/unraid-api/graph/resolvers/notifications/notifications.service.js';
 
+// Mock fs/promises for unit tests
+vi.mock('fs/promises', async () => {
+    const actual = await vi.importActual<typeof import('fs/promises')>('fs/promises');
+    const mockReadFile = vi.fn();
+    return {
+        ...actual,
+        readFile: mockReadFile,
+    };
+});
+
 // Mock getters.dynamix, Logger, and pubsub
 vi.mock('@app/store/index.js', () => {
     // Create test directory path inside factory function
@@ -61,24 +71,24 @@ const testNotificationsDir = join(tmpdir(), 'unraid-api-test-notifications');
 
 describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     let service: NotificationsService;
+    let mockReadFile: any;
 
-    beforeEach(() => {
+    beforeEach(async () => {
+        const fsPromises = await import('fs/promises');
+        mockReadFile = fsPromises.readFile as any;
+        vi.mocked(mockReadFile).mockClear();
         service = new NotificationsService();
     });
 
     it('should load and validate a valid notification file', async () => {
-        const mockNotificationIni: NotificationIni = {
-            timestamp: '1609459200',
-            event: 'Test Event',
-            subject: 'Test Subject',
-            description: 'Test Description',
-            importance: 'alert',
-            link: 'http://example.com',
-        };
+        const mockFileContent = `timestamp=1609459200
+event=Test Event
+subject=Test Subject
+description=Test Description
+importance=alert
+link=http://example.com`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            mockNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/test.notify',
@@ -99,17 +109,12 @@ describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     });
 
     it('should return masked warning notification on validation error (missing required fields)', async () => {
-        const invalidNotificationIni: Omit<NotificationIni, 'event'> = {
-            timestamp: '1609459200',
-            // event: 'Missing Event', // missing required field
-            subject: 'Test Subject',
-            description: 'Test Description',
-            importance: 'alert',
-        };
+        const mockFileContent = `timestamp=1609459200
+subject=Test Subject
+description=Test Description
+importance=alert`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            invalidNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/invalid.notify',
@@ -121,17 +126,13 @@ describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     });
 
     it('should handle invalid enum values', async () => {
-        const invalidNotificationIni: NotificationIni = {
-            timestamp: '1609459200',
-            event: 'Test Event',
-            subject: 'Test Subject',
-            description: 'Test Description',
-            importance: 'not-a-valid-enum' as any,
-        };
+        const mockFileContent = `timestamp=1609459200
+event=Test Event
+subject=Test Subject
+description=Test Description
+importance=not-a-valid-enum`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            invalidNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/invalid-enum.notify',
@@ -145,16 +146,12 @@ describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     });
 
     it('should handle missing description field (should return masked warning notification)', async () => {
-        const mockNotificationIni: Omit<NotificationIni, 'description'> = {
-            timestamp: '1609459200',
-            event: 'Test Event',
-            subject: 'Test Subject',
-            importance: 'normal',
-        };
+        const mockFileContent = `timestamp=1609459200
+event=Test Event
+subject=Test Subject
+importance=normal`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            mockNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/test.notify',
@@ -166,19 +163,15 @@ describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     });
 
     it('should preserve passthrough data from notification file (only known fields)', async () => {
-        const mockNotificationIni: NotificationIni & { customField: string } = {
-            timestamp: '1609459200',
-            event: 'Test Event',
-            subject: 'Test Subject',
-            description: 'Test Description',
-            importance: 'normal',
-            link: 'http://example.com',
-            customField: 'custom value',
-        };
+        const mockFileContent = `timestamp=1609459200
+event=Test Event
+subject=Test Subject
+description=Test Description
+importance=normal
+link=http://example.com
+customField=custom value`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            mockNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/test.notify',
@@ -201,17 +194,12 @@ describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     });
 
     it('should handle missing timestamp field gracefully', async () => {
-        const mockNotificationIni: Omit<NotificationIni, 'timestamp'> = {
-            // timestamp is missing
-            event: 'Test Event',
-            subject: 'Test Subject',
-            description: 'Test Description',
-            importance: 'alert',
-        };
+        const mockFileContent = `event=Test Event
+subject=Test Subject
+description=Test Description
+importance=alert`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            mockNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/missing-timestamp.notify',
@@ -225,17 +213,13 @@ describe('NotificationsService - loadNotificationFile (minimal mocks)', () => {
     });
 
     it('should handle malformed timestamp field gracefully', async () => {
-        const mockNotificationIni: NotificationIni = {
-            timestamp: 'not-a-timestamp',
-            event: 'Test Event',
-            subject: 'Test Subject',
-            description: 'Test Description',
-            importance: 'alert',
-        };
+        const mockFileContent = `timestamp=not-a-timestamp
+event=Test Event
+subject=Test Subject
+description=Test Description
+importance=alert`;
 
-        vi.spyOn(await import('@app/core/utils/misc/parse-config.js'), 'parseConfig').mockReturnValue(
-            mockNotificationIni
-        );
+        vi.mocked(mockReadFile).mockResolvedValue(mockFileContent);
 
         const result = await (service as any).loadNotificationFile(
             '/test/path/malformed-timestamp.notify',

api/src/unraid-api/graph/resolvers/notifications/notifications.model.ts

@@ -1,4 +1,4 @@
-import { Field, InputType, Int, ObjectType, registerEnumType } from '@nestjs/graphql';
+import { Field, ID, InputType, Int, ObjectType, registerEnumType } from '@nestjs/graphql';
 
 import { Node } from '@unraid/shared/graphql.model.js';
 import { IsEnum, IsInt, IsNotEmpty, IsOptional, IsString, Min } from 'class-validator';
@@ -14,6 +14,18 @@ export enum NotificationImportance {
     WARNING = 'WARNING',
 }
 
+export enum NotificationJobState {
+    QUEUED = 'QUEUED',
+    RUNNING = 'RUNNING',
+    SUCCEEDED = 'SUCCEEDED',
+    FAILED = 'FAILED',
+}
+
+export enum NotificationJobOperation {
+    ARCHIVE_ALL = 'ARCHIVE_ALL',
+    DELETE = 'DELETE',
+}
+
 // Register enums with GraphQL
 registerEnumType(NotificationType, {
     name: 'NotificationType',
@@ -23,6 +35,14 @@ registerEnumType(NotificationImportance, {
     name: 'NotificationImportance',
 });
 
+registerEnumType(NotificationJobState, {
+    name: 'NotificationJobState',
+});
+
+registerEnumType(NotificationJobOperation, {
+    name: 'NotificationJobOperation',
+});
+
 @InputType('NotificationFilter')
 export class NotificationFilter {
     @Field(() => NotificationImportance, { nullable: true })
@@ -164,4 +184,28 @@ export class Notifications extends Node {
     @Field(() => [Notification])
     @IsNotEmpty()
     list!: Notification[];
+
+    @Field(() => NotificationJob, { nullable: true })
+    job?: NotificationJob;
+}
+
+@ObjectType()
+export class NotificationJob {
+    @Field(() => ID)
+    id!: string;
+
+    @Field(() => NotificationJobOperation)
+    operation!: NotificationJobOperation;
+
+    @Field(() => NotificationJobState)
+    state!: NotificationJobState;
+
+    @Field(() => Int)
+    processed!: number;
+
+    @Field(() => Int)
+    total!: number;
+
+    @Field({ nullable: true })
+    error?: string | null;
 }

api/src/unraid-api/graph/resolvers/notifications/notifications.mutations.resolver.ts

@@ -0,0 +1,61 @@
+import { Args, ResolveField, Resolver } from '@nestjs/graphql';
+
+import { AuthAction, Resource } from '@unraid/shared/graphql.model.js';
+import { PrefixedID } from '@unraid/shared/prefixed-id-scalar.js';
+import { UsePermissions } from '@unraid/shared/use-permissions.directive.js';
+
+import { AppError } from '@app/core/errors/app-error.js';
+import {
+    NotificationImportance,
+    NotificationJob,
+    NotificationJobState,
+    NotificationMutations,
+    NotificationOverview,
+    NotificationType,
+} from '@app/unraid-api/graph/resolvers/notifications/notifications.model.js';
+import { NotificationsService } from '@app/unraid-api/graph/resolvers/notifications/notifications.service.js';
+
+@Resolver(() => NotificationMutations)
+export class NotificationMutationsResolver {
+    constructor(private readonly notificationsService: NotificationsService) {}
+
+    @ResolveField(() => NotificationOverview)
+    @UsePermissions({
+        action: AuthAction.DELETE_ANY,
+        resource: Resource.NOTIFICATIONS,
+    })
+    public async delete(
+        @Args('id', { type: () => PrefixedID }) id: string,
+        @Args('type', { type: () => NotificationType }) type: NotificationType
+    ): Promise<NotificationOverview> {
+        const { overview } = await this.notificationsService.deleteNotification({ id, type });
+        return overview;
+    }
+
+    @ResolveField(() => NotificationJob)
+    @UsePermissions({
+        action: AuthAction.DELETE_ANY,
+        resource: Resource.NOTIFICATIONS,
+    })
+    public async startArchiveAll(
+        @Args('importance', { type: () => NotificationImportance, nullable: true })
+        importance?: NotificationImportance
+    ): Promise<NotificationJob> {
+        return this.notificationsService.startArchiveAllJob(importance);
+    }
+
+    @ResolveField(() => NotificationJob)
+    @UsePermissions({
+        action: AuthAction.DELETE_ANY,
+        resource: Resource.NOTIFICATIONS,
+    })
+    public async startDeleteAll(
+        @Args('type', { type: () => NotificationType, nullable: true }) type?: NotificationType
+    ): Promise<NotificationJob> {
+        const job = await this.notificationsService.startDeleteAllJob(type);
+        if (job.state === NotificationJobState.FAILED) {
+            throw new AppError(job.error ?? 'Failed to delete notifications', 500);
+        }
+        return job;
+    }
+}

api/src/unraid-api/graph/resolvers/notifications/notifications.resolver.ts

@@ -11,6 +11,7 @@ import {
     NotificationData,
     NotificationFilter,
     NotificationImportance,
+    NotificationJob,
     NotificationOverview,
     Notifications,
     NotificationType,
@@ -41,6 +42,11 @@ export class NotificationsResolver {
         return this.notificationsService.getOverview();
     }
 
+    @ResolveField(() => NotificationJob, { nullable: true })
+    public job(@Args('id') jobId: string): NotificationJob {
+        return this.notificationsService.getJob(jobId);
+    }
+
     @ResolveField(() => [Notification])
     public async list(
         @Args('filter', { type: () => NotificationFilter })

api/src/unraid-api/graph/resolvers/notifications/notifications.service.ts

@@ -1,5 +1,5 @@
 import { Injectable, Logger } from '@nestjs/common';
-import { readdir, rename, stat, unlink, writeFile } from 'fs/promises';
+import { readdir, readFile, rename, stat, unlink, writeFile } from 'fs/promises';
 import { basename, join } from 'path';
 
 import type { Stats } from 'fs';
@@ -7,6 +7,7 @@ import { FSWatcher, watch } from 'chokidar';
 import { ValidationError } from 'class-validator';
 import { execa } from 'execa';
 import { emptyDir } from 'fs-extra';
+import { decode } from 'html-entities';
 import { encode as encodeIni } from 'ini';
 import { v7 as uuidv7 } from 'uuid';
 
@@ -23,10 +24,14 @@ import {
     NotificationData,
     NotificationFilter,
     NotificationImportance,
+    NotificationJob,
+    NotificationJobOperation,
+    NotificationJobState,
     NotificationOverview,
     NotificationType,
 } from '@app/unraid-api/graph/resolvers/notifications/notifications.model.js';
 import { validateObject } from '@app/unraid-api/graph/resolvers/validation.utils.js';
+import { BackgroundJobsService } from '@app/unraid-api/graph/services/background-jobs.service.js';
 import { SortFn } from '@app/unraid-api/types/util.js';
 import { batchProcess, formatDatetime, isFulfilled, isRejected, unraidTimestamp } from '@app/utils.js';
 
@@ -54,7 +59,36 @@ export class NotificationsService {
         },
     };
 
-    constructor() {
+    private createJob(operation: NotificationJobOperation, total: number): NotificationJob {
+        const state = total === 0 ? NotificationJobState.SUCCEEDED : NotificationJobState.QUEUED;
+        return this.backgroundJobs.createJob<NotificationJobOperation, NotificationJobState>({
+            operation,
+            total,
+            initialState: state,
+            prefix: operation.toLowerCase(),
+        });
+    }
+
+    private updateJob(job: NotificationJob) {
+        this.backgroundJobs.updateJob(job);
+    }
+
+    private async runJob(job: NotificationJob, work: () => Promise<void>) {
+        await this.backgroundJobs.runJob<NotificationJobState>({
+            job,
+            work,
+            runningState: NotificationJobState.RUNNING,
+            successState: NotificationJobState.SUCCEEDED,
+            failureState: NotificationJobState.FAILED,
+            logContext: 'notification-job',
+        });
+    }
+
+    public getJob(jobId: string): NotificationJob {
+        return this.backgroundJobs.getJob<NotificationJobOperation, NotificationJobState>(jobId);
+    }
+
+    constructor(private readonly backgroundJobs: BackgroundJobsService) {
         this.path = getters.dynamix().notify!.path;
         void this.getNotificationsWatcher(this.path);
     }
@@ -322,6 +356,30 @@ export class NotificationsService {
         return this.getOverview();
     }
 
+    public async startDeleteAllJob(type?: NotificationType): Promise<NotificationJob> {
+        const targets = type ? [type] : [NotificationType.ARCHIVE, NotificationType.UNREAD];
+        const queue: Array<{ id: string; type: NotificationType }> = [];
+
+        for (const targetType of targets) {
+            const ids = await this.listFilesInFolder(this.paths()[targetType]);
+            ids.forEach((id) => queue.push({ id, type: targetType }));
+        }
+
+        const job = this.createJob(NotificationJobOperation.DELETE, queue.length);
+
+        setImmediate(() =>
+            this.runJob(job, async () => {
+                for (const entry of queue) {
+                    await this.deleteNotification({ id: entry.id, type: entry.type });
+                    job.processed += 1;
+                    this.updateJob(job);
+                }
+            })
+        );
+
+        return job;
+    }
+
     /**
      * Deletes all notifications from disk while preserving the directory structure.
      * Resets overview stats to zero.
@@ -484,6 +542,35 @@ export class NotificationsService {
         return { ...stats, overview: overviewSnapshot };
     }
 
+    public async startArchiveAllJob(importance?: NotificationImportance): Promise<NotificationJob> {
+        const { UNREAD } = this.paths();
+        const unreads = await this.listFilesInFolder(UNREAD);
+        const [notifications] = await this.loadNotificationsFromPaths(
+            unreads,
+            importance ? { importance } : {}
+        );
+        const job = this.createJob(NotificationJobOperation.ARCHIVE_ALL, notifications.length);
+
+        setImmediate(() =>
+            this.runJob(job, async () => {
+                const overviewSnapshot = this.getOverview();
+                const archive = this.moveNotification({
+                    from: NotificationType.UNREAD,
+                    to: NotificationType.ARCHIVE,
+                    snapshot: overviewSnapshot,
+                });
+
+                for (const notification of notifications) {
+                    await archive(notification);
+                    job.processed += 1;
+                    this.updateJob(job);
+                }
+            })
+        );
+
+        return job;
+    }
+
     public async unarchiveAll(importance?: NotificationImportance) {
         const { ARCHIVE } = this.paths();
 
@@ -648,8 +735,11 @@ export class NotificationsService {
      * @throws File system errors (file not found, permission issues) or unexpected validation errors.
      */
     private async loadNotificationFile(path: string, type: NotificationType): Promise<Notification> {
+        const rawContent = await readFile(path, 'utf-8');
+        const decodedContent = decode(rawContent);
+
         const notificationFile = parseConfig<NotificationIni>({
-            filePath: path,
+            file: decodedContent,
             type: 'ini',
         });
 

api/src/unraid-api/graph/resolvers/resolvers.module.ts

@@ -15,6 +15,7 @@ import { InfoModule } from '@app/unraid-api/graph/resolvers/info/info.module.js'
 import { LogsModule } from '@app/unraid-api/graph/resolvers/logs/logs.module.js';
 import { MetricsModule } from '@app/unraid-api/graph/resolvers/metrics/metrics.module.js';
 import { RootMutationsResolver } from '@app/unraid-api/graph/resolvers/mutation/mutation.resolver.js';
+import { NotificationMutationsResolver } from '@app/unraid-api/graph/resolvers/notifications/notifications.mutations.resolver.js';
 import { NotificationsResolver } from '@app/unraid-api/graph/resolvers/notifications/notifications.resolver.js';
 import { NotificationsService } from '@app/unraid-api/graph/resolvers/notifications/notifications.service.js';
 import { OnlineResolver } from '@app/unraid-api/graph/resolvers/online/online.resolver.js';
@@ -29,6 +30,7 @@ import { VarsResolver } from '@app/unraid-api/graph/resolvers/vars/vars.resolver
 import { VmMutationsResolver } from '@app/unraid-api/graph/resolvers/vms/vms.mutations.resolver.js';
 import { VmsResolver } from '@app/unraid-api/graph/resolvers/vms/vms.resolver.js';
 import { VmsService } from '@app/unraid-api/graph/resolvers/vms/vms.service.js';
+import { BackgroundJobsService } from '@app/unraid-api/graph/services/background-jobs.service.js';
 import { ServicesModule } from '@app/unraid-api/graph/services/services.module.js';
 import { ServicesResolver } from '@app/unraid-api/graph/services/services.resolver.js';
 import { SharesResolver } from '@app/unraid-api/graph/shares/shares.resolver.js';
@@ -57,8 +59,10 @@ import { MeResolver } from '@app/unraid-api/graph/user/user.resolver.js';
         ConfigResolver,
         FlashResolver,
         MeResolver,
+        NotificationMutationsResolver,
         NotificationsResolver,
         NotificationsService,
+        BackgroundJobsService,
         OnlineResolver,
         OwnerResolver,
         RegistrationResolver,

api/src/unraid-api/graph/resolvers/settings/settings.service.ts

@@ -11,6 +11,10 @@ import { OidcConfigPersistence } from '@app/unraid-api/graph/resolvers/sso/core/
 import { createLabeledControl } from '@app/unraid-api/graph/utils/form-utils.js';
 import { SettingSlice } from '@app/unraid-api/types/json-forms.js';
 
+const API_SETTINGS_I18N = {
+    sandbox: 'jsonforms.apiSettings.sandbox',
+} as const;
+
 @Injectable()
 export class ApiSettings {
     private readonly logger = new Logger(ApiSettings.name);
@@ -83,6 +87,7 @@ export class ApiSettings {
             properties: {
                 sandbox: {
                     type: 'boolean',
+                    i18n: API_SETTINGS_I18N.sandbox,
                     title: 'Enable Developer Sandbox',
                     default: false,
                 },
@@ -95,6 +100,7 @@ export class ApiSettings {
                     controlOptions: {
                         toggle: true,
                     },
+                    i18nKey: API_SETTINGS_I18N.sandbox,
                 }),
             ],
         };

api/src/unraid-api/graph/resolvers/sso/core/oidc-base.module.ts

@@ -1,4 +1,5 @@
 import { forwardRef, Module } from '@nestjs/common';
+import { ConfigModule } from '@nestjs/config';
 
 import { UserSettingsModule } from '@unraid/shared/services/user-settings.js';
 
@@ -7,7 +8,7 @@ import { OidcConfigPersistence } from '@app/unraid-api/graph/resolvers/sso/core/
 import { OidcValidationService } from '@app/unraid-api/graph/resolvers/sso/core/oidc-validation.service.js';
 
 @Module({
-    imports: [UserSettingsModule, forwardRef(() => OidcClientModule)],
+    imports: [ConfigModule, UserSettingsModule, forwardRef(() => OidcClientModule)],
     providers: [OidcConfigPersistence, OidcValidationService],
     exports: [OidcConfigPersistence, OidcValidationService],
 })

api/src/unraid-api/graph/resolvers/sso/core/oidc-config.service.ts

@@ -21,6 +21,59 @@ import {
 } from '@app/unraid-api/graph/utils/form-utils.js';
 import { SettingSlice } from '@app/unraid-api/types/json-forms.js';
 
+const OIDC_I18N = {
+    provider: {
+        id: 'jsonforms.oidc.provider.id',
+        name: 'jsonforms.oidc.provider.name',
+        clientId: 'jsonforms.oidc.provider.clientId',
+        clientSecret: 'jsonforms.oidc.provider.clientSecret',
+        issuer: 'jsonforms.oidc.provider.issuer',
+        scopes: 'jsonforms.oidc.provider.scopes',
+        discoveryToggle: 'jsonforms.oidc.provider.discoveryToggle',
+        authorizationEndpoint: 'jsonforms.oidc.provider.authorizationEndpoint',
+        tokenEndpoint: 'jsonforms.oidc.provider.tokenEndpoint',
+        userInfoEndpoint: 'jsonforms.oidc.provider.userInfoEndpoint',
+        jwksUri: 'jsonforms.oidc.provider.jwksUri',
+        unraidNet: 'jsonforms.oidc.provider.unraidNet',
+    },
+    restrictions: {
+        sectionTitle: 'jsonforms.oidc.restrictions.title',
+        sectionHelp: 'jsonforms.oidc.restrictions.help',
+        allowedDomains: 'jsonforms.oidc.restrictions.allowedDomains',
+        allowedEmails: 'jsonforms.oidc.restrictions.allowedEmails',
+        allowedUserIds: 'jsonforms.oidc.restrictions.allowedUserIds',
+        workspaceDomain: 'jsonforms.oidc.restrictions.workspaceDomain',
+    },
+    rules: {
+        mode: 'jsonforms.oidc.rules.mode',
+        claim: 'jsonforms.oidc.rules.claim',
+        operator: 'jsonforms.oidc.rules.operator',
+        value: 'jsonforms.oidc.rules.value',
+        collection: 'jsonforms.oidc.rules.collection',
+        sectionTitle: 'jsonforms.oidc.rules.title',
+        sectionDescription: 'jsonforms.oidc.rules.description',
+    },
+    buttons: {
+        text: 'jsonforms.oidc.buttons.text',
+        icon: 'jsonforms.oidc.buttons.icon',
+        variant: 'jsonforms.oidc.buttons.variant',
+        style: 'jsonforms.oidc.buttons.style',
+        sectionTitle: 'jsonforms.oidc.buttons.title',
+        sectionDescription: 'jsonforms.oidc.buttons.description',
+    },
+    accordion: {
+        basicConfiguration: 'jsonforms.oidc.accordion.basicConfiguration',
+        advancedEndpoints: 'jsonforms.oidc.accordion.advancedEndpoints',
+        authorizationRules: 'jsonforms.oidc.accordion.authorizationRules',
+        buttonCustomization: 'jsonforms.oidc.accordion.buttonCustomization',
+    },
+    // Add missing keys for the form schema
+    sso: {
+        providers: 'jsonforms.sso.providers',
+        defaultAllowedOrigins: 'jsonforms.sso.defaultAllowedOrigins',
+    },
+} as const;
+
 export interface OidcConfig {
     providers: OidcProvider[];
     defaultAllowedOrigins?: string[];
@@ -592,6 +645,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
             default: [],
             description:
                 'Additional trusted redirect origins to allow redirects from custom ports, reverse proxies, Tailscale, etc.',
+            i18n: OIDC_I18N.sso.defaultAllowedOrigins,
         };
 
         // Add the control for defaultAllowedOrigins before the providers control using UnraidSettingsLayout
@@ -624,27 +678,32 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                         properties: {
                             id: {
                                 type: 'string',
+                                i18n: OIDC_I18N.provider.id,
                                 title: 'Provider ID',
                                 description: 'Unique identifier for the provider',
                                 pattern: '^[a-zA-Z0-9._-]+$',
                             },
                             name: {
                                 type: 'string',
+                                i18n: OIDC_I18N.provider.name,
                                 title: 'Provider Name',
                                 description: 'Display name for the provider',
                             },
                             clientId: {
                                 type: 'string',
+                                i18n: OIDC_I18N.provider.clientId,
                                 title: 'Client ID',
                                 description: 'OAuth2 client ID registered with the provider',
                             },
                             clientSecret: {
                                 type: 'string',
+                                i18n: OIDC_I18N.provider.clientSecret,
                                 title: 'Client Secret',
                                 description: 'OAuth2 client secret (if required)',
                             },
                             issuer: {
                                 type: 'string',
+                                i18n: OIDC_I18N.provider.issuer,
                                 title: 'Issuer URL',
                                 format: 'uri',
                                 allOf: [
@@ -669,6 +728,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     { type: 'string', minLength: 1, format: 'uri' },
                                     { type: 'string', maxLength: 0 },
                                 ],
+                                i18n: OIDC_I18N.provider.authorizationEndpoint,
                                 title: 'Authorization Endpoint',
                                 description: 'Optional - will be auto-discovered if not provided',
                             },
@@ -677,6 +737,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     { type: 'string', minLength: 1, format: 'uri' },
                                     { type: 'string', maxLength: 0 },
                                 ],
+                                i18n: OIDC_I18N.provider.tokenEndpoint,
                                 title: 'Token Endpoint',
                                 description: 'Optional - will be auto-discovered if not provided',
                             },
@@ -685,12 +746,14 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     { type: 'string', minLength: 1, format: 'uri' },
                                     { type: 'string', maxLength: 0 },
                                 ],
+                                i18n: OIDC_I18N.provider.jwksUri,
                                 title: 'JWKS URI',
                                 description: 'Optional - will be auto-discovered if not provided',
                             },
                             scopes: {
                                 type: 'array',
                                 items: { type: 'string' },
+                                i18n: OIDC_I18N.provider.scopes,
                                 title: 'Scopes',
                                 default: ['openid', 'profile', 'email'],
                                 description: 'OAuth2 scopes to request',
@@ -709,6 +772,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     allowedDomains: {
                                         type: 'array',
                                         items: { type: 'string' },
+                                        i18n: OIDC_I18N.restrictions.allowedDomains,
                                         title: 'Allowed Email Domains',
                                         description:
                                             'Email domains that are allowed to login (e.g., company.com)',
@@ -716,6 +780,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     allowedEmails: {
                                         type: 'array',
                                         items: { type: 'string' },
+                                        i18n: OIDC_I18N.restrictions.allowedEmails,
                                         title: 'Specific Email Addresses',
                                         description:
                                             'Specific email addresses that are allowed to login',
@@ -723,12 +788,14 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     allowedUserIds: {
                                         type: 'array',
                                         items: { type: 'string' },
+                                        i18n: OIDC_I18N.restrictions.allowedUserIds,
                                         title: 'Allowed User IDs',
                                         description:
                                             'Specific user IDs (sub claim) that are allowed to login',
                                     },
                                     googleWorkspaceDomain: {
                                         type: 'string',
+                                        i18n: OIDC_I18N.restrictions.workspaceDomain,
                                         title: 'Google Workspace Domain',
                                         description:
                                             'Restrict to users from a specific Google Workspace domain',
@@ -737,6 +804,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                             },
                             authorizationRuleMode: {
                                 type: 'string',
+                                i18n: OIDC_I18N.rules.mode,
                                 title: 'Rule Mode',
                                 enum: ['or', 'and'],
                                 default: 'or',
@@ -750,29 +818,34 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     properties: {
                                         claim: {
                                             type: 'string',
+                                            i18n: OIDC_I18N.rules.claim,
                                             title: 'Claim',
                                             description: 'JWT claim to check',
                                         },
                                         operator: {
                                             type: 'string',
+                                            i18n: OIDC_I18N.rules.operator,
                                             title: 'Operator',
                                             enum: ['equals', 'contains', 'endsWith', 'startsWith'],
                                         },
                                         value: {
                                             type: 'array',
                                             items: { type: 'string' },
+                                            i18n: OIDC_I18N.rules.value,
                                             title: 'Values',
                                             description: 'Values to match against',
                                         },
                                     },
                                     required: ['claim', 'operator', 'value'],
                                 },
+                                i18n: OIDC_I18N.rules.collection,
                                 title: 'Claim Rules',
                                 description:
                                     'Define authorization rules based on claims in the ID token. Rule mode can be configured: OR logic (any rule matches) or AND logic (all rules must match).',
                             },
                             buttonText: {
                                 type: 'string',
+                                i18n: OIDC_I18N.buttons.text,
                                 title: 'Button Text',
                                 description: 'Custom text for the login button',
                             },
@@ -781,11 +854,13 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                     { type: 'string', minLength: 1 },
                                     { type: 'string', maxLength: 0 },
                                 ],
+                                i18n: OIDC_I18N.buttons.icon,
                                 title: 'Button Icon URL',
                                 description: 'URL or base64 encoded icon for the login button',
                             },
                             buttonVariant: {
                                 type: 'string',
+                                i18n: OIDC_I18N.buttons.variant,
                                 title: 'Button Style',
                                 enum: [
                                     'primary',
@@ -800,6 +875,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                             },
                             buttonStyle: {
                                 type: 'string',
+                                i18n: OIDC_I18N.buttons.style,
                                 title: 'Custom CSS Styles',
                                 description:
                                     'Custom inline CSS styles for the button (e.g., "background: linear-gradient(to right, #4f46e5, #7c3aed); border-radius: 9999px;")',
@@ -809,6 +885,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                     },
                     title: 'OIDC Providers',
                     description: 'Configure OpenID Connect providers for SSO authentication',
+                    i18n: OIDC_I18N.sso.providers,
                 },
             },
             elements: [
@@ -835,6 +912,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                         title: 'Unraid.net Provider',
                                         description:
                                             'This is the built-in Unraid.net provider. Only authorization rules can be modified.',
+                                        i18n: OIDC_I18N.provider.unraidNet,
                                     },
                                 ],
                                 detail: createAccordionLayout({
@@ -846,6 +924,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                 accordion: {
                                                     title: 'Basic Configuration',
                                                     description: 'Essential provider settings',
+                                                    i18n: OIDC_I18N.accordion.basicConfiguration,
                                                 },
                                             },
                                             rule: {
@@ -872,6 +951,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             schema: { const: 'unraid.net' },
                                                         },
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.id,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/name',
@@ -888,6 +968,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             schema: { const: 'unraid.net' },
                                                         },
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.name,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/clientId',
@@ -903,6 +984,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             schema: { const: 'unraid.net' },
                                                         },
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.clientId,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/clientSecret',
@@ -919,6 +1001,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             schema: { const: 'unraid.net' },
                                                         },
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.clientSecret,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/issuer',
@@ -935,6 +1018,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             schema: { const: 'unraid.net' },
                                                         },
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.issuer,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/scopes',
@@ -952,6 +1036,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             schema: { const: 'unraid.net' },
                                                         },
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.scopes,
                                                 }),
                                             ],
                                         },
@@ -962,6 +1047,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     title: 'Advanced Endpoints',
                                                     description:
                                                         'Override auto-discovery settings (optional)',
+                                                    i18n: OIDC_I18N.accordion.advancedEndpoints,
                                                 },
                                             },
                                             rule: {
@@ -979,6 +1065,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     controlOptions: {
                                                         inputType: 'url',
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.authorizationEndpoint,
                                                     rule: {
                                                         effect: RuleEffect.HIDE,
                                                         condition: {
@@ -994,6 +1081,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     controlOptions: {
                                                         inputType: 'url',
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.tokenEndpoint,
                                                     rule: {
                                                         effect: RuleEffect.HIDE,
                                                         condition: {
@@ -1009,6 +1097,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     controlOptions: {
                                                         inputType: 'url',
                                                     },
+                                                    i18nKey: OIDC_I18N.provider.jwksUri,
                                                     rule: {
                                                         effect: RuleEffect.HIDE,
                                                         condition: {
@@ -1025,6 +1114,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                 accordion: {
                                                     title: 'Authorization Rules',
                                                     description: 'Configure who can access your server',
+                                                    i18n: OIDC_I18N.accordion.authorizationRules,
                                                 },
                                             },
                                             elements: [
@@ -1035,6 +1125,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     description:
                                                         'Choose between simple presets or advanced rule configuration',
                                                     controlOptions: {},
+                                                    i18nKey: OIDC_I18N.rules.mode,
                                                 }),
                                                 // Simple Authorization Fields (shown when mode is 'simple')
                                                 {
@@ -1055,6 +1146,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                     'Configure who can login using simple presets. At least one field must be configured.',
                                                                 format: 'title',
                                                             },
+                                                            i18n: OIDC_I18N.restrictions.sectionTitle,
                                                         },
                                                         createSimpleLabeledControl({
                                                             scope: '#/properties/simpleAuthorization/properties/allowedDomains',
@@ -1066,6 +1158,8 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                 inputType: 'text',
                                                                 placeholder: 'company.com',
                                                             },
+                                                            i18nKey:
+                                                                OIDC_I18N.restrictions.allowedDomains,
                                                         }),
                                                         createSimpleLabeledControl({
                                                             scope: '#/properties/simpleAuthorization/properties/allowedEmails',
@@ -1077,6 +1171,8 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                 inputType: 'email',
                                                                 placeholder: 'user@example.com',
                                                             },
+                                                            i18nKey:
+                                                                OIDC_I18N.restrictions.allowedEmails,
                                                         }),
                                                         createSimpleLabeledControl({
                                                             scope: '#/properties/simpleAuthorization/properties/allowedUserIds',
@@ -1088,6 +1184,8 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                 inputType: 'text',
                                                                 placeholder: 'user-id-123',
                                                             },
+                                                            i18nKey:
+                                                                OIDC_I18N.restrictions.allowedUserIds,
                                                         }),
                                                         // Google-specific field (shown only for Google providers)
                                                         {
@@ -1109,6 +1207,9 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                         inputType: 'text',
                                                                         placeholder: 'company.com',
                                                                     },
+                                                                    i18nKey:
+                                                                        OIDC_I18N.restrictions
+                                                                            .workspaceDomain,
                                                                 }),
                                                             ],
                                                         },
@@ -1141,6 +1242,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                 description:
                                                                     'Define authorization rules based on claims in the ID token. Rule mode can be configured: OR logic (any rule matches) or AND logic (all rules must match).',
                                                             },
+                                                            i18n: OIDC_I18N.rules.sectionTitle,
                                                         },
                                                         createSimpleLabeledControl({
                                                             scope: '#/properties/authorizationRuleMode',
@@ -1148,6 +1250,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                             description:
                                                                 'How to evaluate multiple rules: OR (any rule passes) or AND (all rules must pass)',
                                                             controlOptions: {},
+                                                            i18nKey: OIDC_I18N.rules.mode,
                                                         }),
                                                         {
                                                             type: 'Control',
@@ -1168,6 +1271,8 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                                 inputType: 'text',
                                                                                 placeholder: 'email',
                                                                             },
+                                                                            i18nKey:
+                                                                                OIDC_I18N.rules.claim,
                                                                         }),
                                                                         createSimpleLabeledControl({
                                                                             scope: '#/properties/operator',
@@ -1175,6 +1280,8 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                             description:
                                                                                 'How to compare the claim value',
                                                                             controlOptions: {},
+                                                                            i18nKey:
+                                                                                OIDC_I18N.rules.operator,
                                                                         }),
                                                                         createSimpleLabeledControl({
                                                                             scope: '#/properties/value',
@@ -1187,9 +1294,12 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                                                 placeholder:
                                                                                     '@company.com',
                                                                             },
+                                                                            i18nKey:
+                                                                                OIDC_I18N.rules.value,
                                                                         }),
                                                                     ],
                                                                 },
+                                                                i18n: OIDC_I18N.rules.collection,
                                                             },
                                                         },
                                                     ],
@@ -1203,6 +1313,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     title: 'Button Customization',
                                                     description:
                                                         'Customize the appearance of the login button',
+                                                    i18n: OIDC_I18N.accordion.buttonCustomization,
                                                 },
                                             },
                                             rule: {
@@ -1221,6 +1332,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                         inputType: 'text',
                                                         placeholder: 'Sign in with Provider',
                                                     },
+                                                    i18nKey: OIDC_I18N.buttons.text,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/buttonIcon',
@@ -1230,12 +1342,14 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                     controlOptions: {
                                                         inputType: 'url',
                                                     },
+                                                    i18nKey: OIDC_I18N.buttons.icon,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/buttonVariant',
                                                     label: 'Button Style:',
                                                     description: 'Visual style of the login button',
                                                     controlOptions: {},
+                                                    i18nKey: OIDC_I18N.buttons.variant,
                                                 }),
                                                 createSimpleLabeledControl({
                                                     scope: '#/properties/buttonStyle',
@@ -1247,6 +1361,7 @@ export class OidcConfigPersistence extends ConfigFilePersister<OidcConfig> {
                                                         placeholder:
                                                             'background-color: #3b82f6; border-color: #3b82f6; color: white; transition: all 0.2s;',
                                                     },
+                                                    i18nKey: OIDC_I18N.buttons.style,
                                                 }),
                                             ],
                                         },

api/src/unraid-api/graph/services/background-jobs.service.ts

@@ -0,0 +1,94 @@
+import { Injectable, Logger } from '@nestjs/common';
+
+import { AppError } from '@app/core/errors/app-error.js';
+
+export interface BackgroundJob<Operation = string, State = string> {
+    id: string;
+    operation: Operation;
+    state: State;
+    processed: number;
+    total: number;
+    error?: string | null;
+    meta?: Record<string, unknown>;
+}
+
+interface CreateJobOptions<Operation, State> {
+    operation: Operation;
+    total: number;
+    initialState: State;
+    prefix?: string;
+    meta?: Record<string, unknown>;
+}
+
+interface RunJobOptions<State> {
+    job: BackgroundJob<unknown, State>;
+    work: () => Promise<void>;
+    runningState: State;
+    successState: State;
+    failureState: State;
+    logContext?: string;
+}
+
+@Injectable()
+export class BackgroundJobsService {
+    private readonly logger = new Logger(BackgroundJobsService.name);
+    private readonly jobs = new Map<string, BackgroundJob>();
+
+    public createJob<Operation, State>(options: CreateJobOptions<Operation, State>) {
+        const { operation, total, initialState, prefix, meta } = options;
+        const idBase = typeof operation === 'string' ? operation.toLowerCase() : 'job';
+        const id = `${prefix ?? idBase}-${Date.now().toString(36)}`;
+
+        const job: BackgroundJob<Operation, State> = {
+            id,
+            operation,
+            state: initialState,
+            processed: 0,
+            total,
+            error: null,
+            meta,
+        };
+
+        this.jobs.set(job.id, job);
+        return job;
+    }
+
+    public updateJob<Operation, State>(job: BackgroundJob<Operation, State>) {
+        this.jobs.set(job.id, { ...job });
+        return this.jobs.get(job.id) as BackgroundJob<Operation, State>;
+    }
+
+    public getJob<Operation, State>(jobId: string) {
+        const job = this.jobs.get(jobId) as BackgroundJob<Operation, State> | undefined;
+        if (!job) {
+            throw new AppError(`Background job ${jobId} not found`, 404);
+        }
+        return job;
+    }
+
+    public async runJob<State>(options: RunJobOptions<State>) {
+        const { job, work, runningState, successState, failureState, logContext } = options;
+        if (job.state === successState) {
+            return job;
+        }
+
+        job.state = runningState;
+        this.updateJob(job);
+
+        try {
+            await work();
+            job.state = successState;
+        } catch (error) {
+            job.state = failureState;
+            job.error = error instanceof Error ? error.message : 'Unknown error while processing job';
+            this.logger.error(
+                `[${logContext ?? 'background-job'}] failed ${job.id}: ${job.error}`,
+                error as Error
+            );
+        } finally {
+            this.updateJob(job);
+        }
+
+        return job;
+    }
+}

api/src/unraid-api/graph/utils/form-utils.ts

@@ -10,29 +10,40 @@ export function createSimpleLabeledControl({
     description,
     controlOptions,
     rule,
+    i18nKey,
 }: {
     scope: string;
     label: string;
     description?: string;
     controlOptions?: ControlElement['options'];
     rule?: Rule;
+    i18nKey?: string;
 }): Layout {
+    const labelElement = {
+        type: 'Label',
+        text: label,
+        options: {
+            description,
+        },
+    } as LabelElement;
+
+    if (i18nKey) {
+        (labelElement as any).i18n = i18nKey;
+    }
+
+    const controlElement = {
+        type: 'Control',
+        scope: scope,
+        options: controlOptions,
+    } as ControlElement;
+
+    if (i18nKey) {
+        (controlElement as any).i18n = i18nKey;
+    }
+
     const layout: Layout = {
         type: 'VerticalLayout',
-        elements: [
-            {
-                type: 'Label',
-                text: label,
-                options: {
-                    description,
-                },
-            } as LabelElement,
-            {
-                type: 'Control',
-                scope: scope,
-                options: controlOptions,
-            } as ControlElement,
-        ],
+        elements: [labelElement, controlElement],
     };
 
     // Add rule if provided
@@ -56,6 +67,7 @@ export function createLabeledControl({
     layoutType = 'UnraidSettingsLayout',
     rule,
     passScopeToLayout = false,
+    i18nKey,
 }: {
     scope: string;
     label: string;
@@ -66,19 +78,29 @@ export function createLabeledControl({
     layoutType?: 'UnraidSettingsLayout' | 'VerticalLayout' | 'HorizontalLayout';
     rule?: Rule;
     passScopeToLayout?: boolean;
+    i18nKey?: string;
 }): Layout {
-    const elements: Array<LabelElement | ControlElement> = [
-        {
-            type: 'Label',
-            text: label,
-            options: { ...labelOptions, description },
-        } as LabelElement,
-        {
-            type: 'Control',
-            scope: scope,
-            options: controlOptions,
-        } as ControlElement,
-    ];
+    const labelElement = {
+        type: 'Label',
+        text: label,
+        options: { ...labelOptions, description },
+    } as LabelElement;
+
+    if (i18nKey) {
+        (labelElement as any).i18n = i18nKey;
+    }
+
+    const controlElement = {
+        type: 'Control',
+        scope: scope,
+        options: controlOptions,
+    } as ControlElement;
+
+    if (i18nKey) {
+        (controlElement as any).i18n = i18nKey;
+    }
+
+    const elements: Array<LabelElement | ControlElement> = [labelElement, controlElement];
 
     const layout: Layout = {
         type: layoutType,
@@ -113,6 +135,7 @@ export function createAccordionLayout({
                 accordion?: {
                     title?: string;
                     description?: string;
+                    i18n?: string;
                 };
             };
         }

api/src/unraid-api/plugin/__test__/plugin-management.service.spec.ts

@@ -0,0 +1,73 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { PluginManagementService } from '@app/unraid-api/plugin/plugin-management.service.js';
+
+describe('PluginManagementService', () => {
+    let service: PluginManagementService;
+    let configStore: string[];
+    let configService: {
+        get: ReturnType<typeof vi.fn>;
+        set: ReturnType<typeof vi.fn>;
+    };
+    let dependencyService: {
+        npm: ReturnType<typeof vi.fn>;
+        rebuildVendorArchive: ReturnType<typeof vi.fn>;
+    };
+
+    beforeEach(() => {
+        configStore = ['unraid-api-plugin-connect', '@unraid/test-plugin'];
+        configService = {
+            get: vi.fn((key: string, defaultValue?: unknown) => {
+                if (key === 'api.plugins') {
+                    return configStore ?? defaultValue ?? [];
+                }
+                if (key === 'api') {
+                    return { plugins: configStore ?? defaultValue ?? [] };
+                }
+                return defaultValue;
+            }),
+            set: vi.fn((key: string, value: unknown) => {
+                if (key === 'api' && typeof value === 'object' && value !== null) {
+                    // @ts-expect-error - value is an object
+                    if (Array.isArray(value.plugins)) {
+                        // @ts-expect-error - value is an object
+                        configStore = [...value.plugins];
+                    }
+                }
+                if (key === 'api.plugins' && Array.isArray(value)) {
+                    configStore = [...value];
+                }
+            }),
+        };
+        dependencyService = {
+            npm: vi.fn().mockResolvedValue(undefined),
+            rebuildVendorArchive: vi.fn().mockResolvedValue(undefined),
+        };
+
+        service = new PluginManagementService(configService as never, dependencyService as never);
+    });
+
+    it('rebuilds vendor archive when removing unbundled plugins', async () => {
+        await service.removePlugin('@unraid/test-plugin');
+
+        expect(dependencyService.npm).toHaveBeenCalledWith('uninstall', '@unraid/test-plugin');
+        expect(dependencyService.rebuildVendorArchive).toHaveBeenCalledTimes(1);
+        expect(configStore).not.toContain('@unraid/test-plugin');
+    });
+
+    it('skips vendor archive when only bundled plugins are removed', async () => {
+        await service.removePlugin('unraid-api-plugin-connect');
+
+        expect(dependencyService.npm).not.toHaveBeenCalled();
+        expect(dependencyService.rebuildVendorArchive).not.toHaveBeenCalled();
+        expect(configStore).not.toContain('unraid-api-plugin-connect');
+    });
+
+    it('does not rebuild vendor archive when bypassing npm uninstall', async () => {
+        await service.removePluginConfigOnly('@unraid/test-plugin');
+
+        expect(dependencyService.npm).not.toHaveBeenCalled();
+        expect(dependencyService.rebuildVendorArchive).not.toHaveBeenCalled();
+        expect(configStore).not.toContain('@unraid/test-plugin');
+    });
+});