security: Fix MITM RCE vulnerability in microcode scripts

- Changed Intel microcode download from HTTP to HTTPS
- Added --proto '=https' flag to curl to prevent protocol downgrade attacks
- Simplified output parameter from basename to direct variable reference
- Affects: tools/pve/microcode.sh (line 79) and tools/pve/pbs-microcode.sh (line 93)
- CVSS: 6.5 (Medium) - CWE-494, CWE-300, CWE-829
- Impact: Prevents network-path MITM attacks that could lead to root RCE

The AMD branch was already using HTTPS, this fix brings Intel branch
to parity and closes the vulnerability reported in security advisory.

.github/changelogs/2026/05.md

@@ -1,3 +1,23 @@
+## 2026-05-31
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Manyfold: regenerate Rails credentials on update to fix encryption mimatch [@MickLesk](https://github.com/MickLesk) ([#14817](https://github.com/community-scripts/ProxmoxVE/pull/14817))
+    - OpenThread-BR: use correct ipv6 configuration [@tomfrenzel](https://github.com/tomfrenzel) ([#14829](https://github.com/community-scripts/ProxmoxVE/pull/14829))
+
+  - #### 🔧 Refactor
+
+    - Webtrees: use PHP CLI for initial setup instead of curl to setup wizard [@MickLesk](https://github.com/MickLesk) ([#14818](https://github.com/community-scripts/ProxmoxVE/pull/14818))
+    - Kima-Hub: use curl_with_retry for ML model downloads to fix possible timeout issues [@MickLesk](https://github.com/MickLesk) ([#14816](https://github.com/community-scripts/ProxmoxVE/pull/14816))
+
+### 🧰 Tools
+
+  - #### 🔧 Refactor
+
+    - PBS4-Upgrade: update current PBS3 packages before switching to Trixie repos [@MickLesk](https://github.com/MickLesk) ([#14815](https://github.com/community-scripts/ProxmoxVE/pull/14815))
+
 ## 2026-05-30
 
 ### 🚀 Updated Scripts

.github/changelogs/2026/06.md

@@ -0,0 +1,121 @@
+## 2026-06-06
+
+### 🆕 New Scripts
+
+  - Spliit ([#14966](https://github.com/community-scripts/ProxmoxVE/pull/14966))
+- Tolgee ([#14965](https://github.com/community-scripts/ProxmoxVE/pull/14965))
+- XYOps ([#14967](https://github.com/community-scripts/ProxmoxVE/pull/14967))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Photoprism: Allow env variables with spaces [@Badintral](https://github.com/Badintral) ([#14969](https://github.com/community-scripts/ProxmoxVE/pull/14969))
+
+## 2026-06-05
+
+### 🆕 New Scripts
+
+  - MatterJS-Server ([#14951](https://github.com/community-scripts/ProxmoxVE/pull/14951))
+- CyberChef ([#14952](https://github.com/community-scripts/ProxmoxVE/pull/14952))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Jackett: Create missing .env file [@tremor021](https://github.com/tremor021) ([#14959](https://github.com/community-scripts/ProxmoxVE/pull/14959))
+    - OpenThread-BR: use systemd instead of init.d [@tomfrenzel](https://github.com/tomfrenzel) ([#14942](https://github.com/community-scripts/ProxmoxVE/pull/14942))
+
+  - #### ✨ New Features
+
+    - AMD IGPU support [@Learath](https://github.com/Learath) ([#14944](https://github.com/community-scripts/ProxmoxVE/pull/14944))
+
+  - #### 💥 Breaking Changes
+
+    - update authentik to 2026.5.2 [@thieneret](https://github.com/thieneret) ([#14846](https://github.com/community-scripts/ProxmoxVE/pull/14846))
+
+## 2026-06-04
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Fix status messages for several alpine scripts [@tremor021](https://github.com/tremor021) ([#14911](https://github.com/community-scripts/ProxmoxVE/pull/14911))
+    - ReactiveResume: Fix Service Path [@MickLesk](https://github.com/MickLesk) ([#14926](https://github.com/community-scripts/ProxmoxVE/pull/14926))
+    - Jellyfin: install intel-igc deps before intel-opencl-icd to fix dependency order [@MickLesk](https://github.com/MickLesk) ([#14927](https://github.com/community-scripts/ProxmoxVE/pull/14927))
+
+  - #### 🔧 Refactor
+
+    - OpenThread-BR: use official GitHub releases [@tomfrenzel](https://github.com/tomfrenzel) ([#14916](https://github.com/community-scripts/ProxmoxVE/pull/14916))
+    - Grist: remove extra text at the end of installation [@tremor021](https://github.com/tremor021) ([#14905](https://github.com/community-scripts/ProxmoxVE/pull/14905))
+
+### ❔ Uncategorized
+
+  - chore(ct): sync sparkyfitness defaults with PocketBase [@github-actions[bot]](https://github.com/github-actions[bot]) ([#14925](https://github.com/community-scripts/ProxmoxVE/pull/14925))
+
+## 2026-06-03
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Glance: Use separate directory for configuration files [@tremor021](https://github.com/tremor021) ([#14906](https://github.com/community-scripts/ProxmoxVE/pull/14906))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - [core]: Fix alignment for `msg_` functions [@tremor021](https://github.com/tremor021) ([#14908](https://github.com/community-scripts/ProxmoxVE/pull/14908))
+
+## 2026-06-02
+
+### 🆕 New Scripts
+
+  - DDNS-Updater ([#14883](https://github.com/community-scripts/ProxmoxVE/pull/14883))
+- InvoiceShelf ([#14882](https://github.com/community-scripts/ProxmoxVE/pull/14882))
+- Certimate ([#14881](https://github.com/community-scripts/ProxmoxVE/pull/14881))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - OpenThread-BR: preserve config during update [@tomfrenzel](https://github.com/tomfrenzel) ([#14893](https://github.com/community-scripts/ProxmoxVE/pull/14893))
+    - infisical: fix update abort due to creds field mismatch (#14868) [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14870](https://github.com/community-scripts/ProxmoxVE/pull/14870))
+
+  - #### ✨ New Features
+
+    - feat(degoog): enable default valkey cache integration [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14871](https://github.com/community-scripts/ProxmoxVE/pull/14871))
+
+  - #### 🔧 Refactor
+
+    - chore: bump Node version in selected scripts [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14873](https://github.com/community-scripts/ProxmoxVE/pull/14873))
+
+### 💾 Core
+
+  - #### ✨ New Features
+
+    - tools.func: add support for Rust installation profile in setup_rust [@MickLesk](https://github.com/MickLesk) ([#14872](https://github.com/community-scripts/ProxmoxVE/pull/14872))
+
+### 📂 Github
+
+  - fix(workflow): only flag node drift when local is behind upstream [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14874](https://github.com/community-scripts/ProxmoxVE/pull/14874))
+
+## 2026-06-01
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - fix(dispatcharr): forward nginx port for M3U URLs on new installs [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14862](https://github.com/community-scripts/ProxmoxVE/pull/14862))
+    - Set environment paths in service for apprise-api-install.sh [@SystemIdleProcess](https://github.com/SystemIdleProcess) ([#14805](https://github.com/community-scripts/ProxmoxVE/pull/14805))
+    - fix(fireshare): rebuild client on update to fix nginx 500 [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14848](https://github.com/community-scripts/ProxmoxVE/pull/14848))
+    - Fix Kan build failure (TS7016 nodemailer) [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14856](https://github.com/community-scripts/ProxmoxVE/pull/14856))
+    - fix(firefly): set Data Importer APP_URL for subdirectory install [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14847](https://github.com/community-scripts/ProxmoxVE/pull/14847))
+    - kan: extend fetch_and_deploy_gh_tag to use 'latest' tag [@MickLesk](https://github.com/MickLesk) ([#14853](https://github.com/community-scripts/ProxmoxVE/pull/14853))
+    - Glance: preserve glance.yml across updates [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14845](https://github.com/community-scripts/ProxmoxVE/pull/14845))
+    - NginxProxymanager: set Certbot version in npm.service environment variable (2.15.0) [@MickLesk](https://github.com/MickLesk) ([#14843](https://github.com/community-scripts/ProxmoxVE/pull/14843))
+    - [FileFlows] Fix service handling by using systemctl --all with quoted glob [@adrianmusante](https://github.com/adrianmusante) ([#14838](https://github.com/community-scripts/ProxmoxVE/pull/14838))
+
+  - #### ✨ New Features
+
+    - Kometa: also update Quickstart in update_script [@MickLesk](https://github.com/MickLesk) ([#14529](https://github.com/community-scripts/ProxmoxVE/pull/14529))

.github/workflows/check-node-versions.yml

@@ -336,14 +336,18 @@ jobs:
               issue_scripts+=("$slug|$our_version|$upstream_major|$upstream_hint|$repo")
               drift_count=$((drift_count + 1))
             elif [[ -n "$upstream_major" && "$our_version" != "$upstream_major" ]]; then
-              # Check if engines.node is a minimum constraint that our version satisfies
+              if (( our_version < upstream_major )); then
-              if [[ -z "$DF_NODE_MAJOR" && "$ENGINES_IS_MINIMUM" == "true" ]] && \
+                # Check if engines.node is a minimum constraint that our version satisfies
-                 version_satisfies_engines "$our_version" "$ENGINES_MIN_MAJOR" "$ENGINES_IS_MINIMUM"; then
+                if [[ -z "$DF_NODE_MAJOR" && "$ENGINES_IS_MINIMUM" == "true" ]] && \
-                status="✅ (engines: $ENGINES_NODE_RAW — ours: $our_version satisfies)"
+                   version_satisfies_engines "$our_version" "$ENGINES_MIN_MAJOR" "$ENGINES_IS_MINIMUM"; then
+                  status="✅ (engines: $ENGINES_NODE_RAW — ours: $our_version satisfies)"
+                else
+                  status="🔸 Drift → upstream=$upstream_major ($upstream_hint)"
+                  issue_scripts+=("$slug|$our_version|$upstream_major|$upstream_hint|$repo")
+                  drift_count=$((drift_count + 1))
+                fi
               else
-                status="🔸 Drift → upstream=$upstream_major ($upstream_hint)"
+                status="✅ Ahead of upstream ($upstream_major via $upstream_hint)"
-                issue_scripts+=("$slug|$our_version|$upstream_major|$upstream_hint|$repo")
-                drift_count=$((drift_count + 1))
               fi
             fi
 

.github/workflows/close-new-script-prs.yml

@@ -3,7 +3,7 @@ name: Close Unauthorized New Script PRs
 on:
   pull_request_target:
     branches: ["main"]
-    types: [opened, labeled]
+    types: [opened, labeled, reopened, synchronize]
 
 jobs:
   check-new-script:
@@ -24,13 +24,6 @@ jobs:
             const owner = context.repo.owner;
             const repo = context.repo.repo;
 
-            // --- Only act on PRs with the "new script" label ---
-            const labels = pr.labels.map(l => l.name);
-            if (!labels.includes("new script")) {
-              core.info(`PR #${prNumber} does not have "new script" label — skipping.`);
-              return;
-            }
-
             // --- Allow our bots ---
             const allowedBots = [
               "push-app-to-main[bot]",
@@ -42,38 +35,40 @@ jobs:
               return;
             }
 
-            // --- Check if author is a member of the contributor team ---
+            // --- Exempt contributors via author_association ---
-            const teamSlug = "contributor";
+            // OWNER/MEMBER/COLLABORATOR are trusted; CONTRIBUTOR ("has merged before")
-            let isMember = false;
+            // and NONE are not — their new-script PRs are still closed.
-
+            const association = pr.author_association;
-            try {
+            const exempt = ["OWNER", "MEMBER", "COLLABORATOR"];
-              const { status } = await github.rest.teams.getMembershipForUserInOrg({
+            if (exempt.includes(association)) {
-                org: owner,
+              core.info(`PR #${prNumber} by ${association} "${author}" — skipping.`);
-                team_slug: teamSlug,
+              return;
-                username: author,
-              });
-              // status 200 means the user is a member (active or pending)
-              isMember = true;
-            } catch (error) {
-              if (error.status === 404) {
-                isMember = false;
-              } else {
-                core.warning(`Could not check team membership for ${author}: ${error.message}`);
-                // Fallback: check org membership
-                try {
-                  await github.rest.orgs.checkMembershipForUser({
-                    org: owner,
-                    username: author,
-                  });
-                  isMember = true;
-                } catch {
-                  isMember = false;
-                }
-              }
             }
 
-            if (isMember) {
+            // --- Detect a new-script PR: "new script" label OR a newly-added
-              core.info(`PR #${prNumber} by contributor "${author}" — skipping.`);
+            //     script file under ct/ install/ turnkey/ vm/ (mirrors
+            //     autolabeler-config.json). Removes the label-timing dependency. ---
+            const labels = pr.labels.map(l => l.name);
+            const hasNewScriptLabel = labels.includes("new script");
+
+            const scriptPrefixes = ["ct/", "install/", "turnkey/", "vm/"];
+            let hasAddedScriptFile = false;
+            try {
+              const files = await github.paginate(github.rest.pulls.listFiles, {
+                owner,
+                repo,
+                pull_number: prNumber,
+                per_page: 100,
+              });
+              hasAddedScriptFile = files.some(
+                f => f.status === "added" && scriptPrefixes.some(p => f.filename.startsWith(p))
+              );
+            } catch (error) {
+              core.warning(`Could not list files for PR #${prNumber}: ${error.message}`);
+            }
+
+            if (!hasNewScriptLabel && !hasAddedScriptFile) {
+              core.info(`PR #${prNumber} is not a new-script submission (no label, no added script file) — skipping.`);
               return;
             }
 

.github/workflows/close_issue_in_dev.yaml

@@ -56,46 +56,57 @@ jobs:
           echo "$slugs" > pocketbase_slugs.txt
           echo "count=$(echo $slugs | wc -w)" >> "$GITHUB_OUTPUT"
 
-      - name: Search for Issues with Similar Titles
+      - name: Find matching issues in ProxmoxVED by slug
         id: find_issue
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          issues=$(gh issue list --repo community-scripts/ProxmoxVED --json number,title --jq '.[] | {number, title}')
+          if [[ ! -s pocketbase_slugs.txt ]]; then
-
+            echo "No slugs derived from PR — nothing to match."
-          best_match_score=0
+            echo "issue_numbers=" >> "$GITHUB_OUTPUT"
-          best_match_number=0
-
-          for issue in $(echo "$issues" | jq -r '. | @base64'); do
-            _jq() {
-              echo ${issue} | base64 --decode | jq -r ${1}
-            }
-
-            issue_title=$(_jq '.title' | tr '[:upper:]' '[:lower:]' | sed 's/ //g' | sed 's/-//g')
-            issue_number=$(_jq '.number')
-
-            match_score=$(echo "$title" | grep -o "$issue_title" | wc -l)
-            
-            if [ "$match_score" -gt "$best_match_score" ]; then
-              best_match_score=$match_score
-              best_match_number=$issue_number
-            fi
-          done
-
-          if [ "$best_match_number" != "0" ]; then
-            echo "issue_number=$best_match_number" >> $GITHUB_ENV
-          else
-            echo "No matching issue found."
             exit 0
           fi
+          slugs=$(cat pocketbase_slugs.txt)
 
-      - name: Comment on the Best-Matching Issue and Close It
+          # Normalize: lowercase, strip spaces and hyphens (same shape as the slug derivation)
-        if: env.issue_number != ''
+          norm() { echo "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]//g; s/-//g'; }
+
+          issues=$(gh issue list --repo community-scripts/ProxmoxVED --state open --limit 1000 --json number,title,body)
+
+          matched=""
+          for slug in $slugs; do
+            nslug=$(norm "$slug")
+            [[ -z "$nslug" ]] && continue
+            while IFS= read -r row; do
+              num=$(echo "$row" | jq -r '.number')
+              ntitle=$(norm "$(echo "$row" | jq -r '.title')")
+              body=$(echo "$row" | jq -r '.body // ""' | tr '[:upper:]' '[:lower:]')
+              # Match when the issue title contains the slug, or the body mentions it verbatim
+              if [[ "$ntitle" == *"$nslug"* ]] || [[ "$body" == *"$slug"* ]]; then
+                matched="$matched $num"
+              fi
+            done < <(echo "$issues" | jq -c '.[]')
+          done
+
+          matched=$(echo $matched | xargs -n1 2>/dev/null | sort -un | tr '\n' ' ')
+          if [[ -z "$matched" ]]; then
+            echo "No matching ProxmoxVED issues found for slugs: $slugs"
+            echo "issue_numbers=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "Matched ProxmoxVED issues: $matched"
+          echo "issue_numbers=$matched" >> "$GITHUB_OUTPUT"
+
+      - name: Comment on and close matching ProxmoxVED issues
+        if: steps.find_issue.outputs.issue_numbers != ''
         env:
           GH_TOKEN: ${{ secrets.PAT_MICHEL }}
         run: |
-          gh issue comment $issue_number --repo community-scripts/ProxmoxVED --body "Merged with #${{ github.event.pull_request.number }} in ProxmoxVE"
+          for issue_number in ${{ steps.find_issue.outputs.issue_numbers }}; do
-          gh issue close $issue_number --repo community-scripts/ProxmoxVED
+            echo "Closing ProxmoxVED issue #$issue_number"
+            gh issue comment "$issue_number" --repo community-scripts/ProxmoxVED --body "Merged with #${{ github.event.pull_request.number }} in ProxmoxVE"
+            gh issue close "$issue_number" --repo community-scripts/ProxmoxVED
+          done
 
       - name: Set is_dev to false in PocketBase
         if: steps.get_slugs.outputs.count != '0'

.github/workflows/delete-merged-branches.yml

@@ -0,0 +1,134 @@
+name: Delete merged branches
+
+on:
+  schedule:
+    - cron: "0 2 * * *"  # Run daily at 02:00 UTC
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Only log branches that would be deleted (no deletion)"
+        type: boolean
+        default: true
+
+permissions:
+  contents: write       # required to delete branch refs
+  pull-requests: read
+
+jobs:
+  delete-merged-branches:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete branches of merged PRs
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+
+            // dry_run is only set on workflow_dispatch; scheduled runs delete for real.
+            const dryRun = context.eventName === "workflow_dispatch"
+              ? context.payload.inputs?.dry_run === "true" || context.payload.inputs?.dry_run === true
+              : false;
+
+            // Only look at PRs updated within this window on scheduled runs, so we don't
+            // re-scan the entire history every day. Raise this for an initial cleanup.
+            const lookbackDays = 30;
+            const cutoff = new Date();
+            cutoff.setDate(cutoff.getDate() - lookbackDays);
+
+            // Long-lived branches that must never be deleted (besides the default branch).
+            const protectedNames = new Set();
+
+            // Resolve the default branch once.
+            const { data: repoData } = await github.rest.repos.get({ owner, repo });
+            const defaultBranch = repoData.default_branch;
+            protectedNames.add(defaultBranch);
+
+            console.log(`Mode: ${dryRun ? "DRY RUN (no deletion)" : "LIVE"}`);
+            console.log(`Default branch: ${defaultBranch}`);
+
+            const candidates = new Set();
+            let page = 1;
+            let stop = false;
+
+            while (!stop) {
+              const { data: prs } = await github.rest.pulls.list({
+                owner,
+                repo,
+                state: "closed",
+                sort: "updated",
+                direction: "desc",
+                per_page: 100,
+                page,
+              });
+
+              if (prs.length === 0) break;
+
+              for (const pr of prs) {
+                // Sorted by updated desc: once we pass the cutoff we can stop paginating.
+                if (new Date(pr.updated_at) < cutoff) {
+                  stop = true;
+                  break;
+                }
+
+                if (!pr.merged_at) continue;                          // only merged PRs
+                if (!pr.head.repo) continue;                          // head fork was deleted
+                if (pr.head.repo.full_name !== pr.base.repo.full_name) continue; // skip forks
+
+                const branch = pr.head.ref;
+                if (protectedNames.has(branch)) continue;             // default / kept branches
+
+                candidates.add(branch);
+              }
+
+              page++;
+              if (page > 50) break; // safety cap
+            }
+
+            console.log(`Found ${candidates.size} unique candidate branch(es) from merged PRs.`);
+
+            let deleted = 0;
+            let skipped = 0;
+
+            for (const branch of candidates) {
+              // Confirm the branch still exists and isn't protected.
+              let branchData;
+              try {
+                const res = await github.rest.repos.getBranch({ owner, repo, branch });
+                branchData = res.data;
+              } catch (error) {
+                if (error.status === 404) {
+                  // Already deleted (e.g. auto-delete head branch) — nothing to do.
+                  continue;
+                }
+                console.log(`Failed to inspect "${branch}": ${error.message}`);
+                skipped++;
+                continue;
+              }
+
+              if (branchData.protected) {
+                console.log(`Skipped "${branch}" (protected branch)`);
+                skipped++;
+                continue;
+              }
+
+              if (dryRun) {
+                console.log(`[dry-run] Would delete "${branch}"`);
+                continue;
+              }
+
+              try {
+                await github.rest.git.deleteRef({ owner, repo, ref: `heads/${branch}` });
+                console.log(`Deleted "${branch}"`);
+                deleted++;
+              } catch (error) {
+                console.log(`Failed to delete "${branch}": ${error.message}`);
+                skipped++;
+              }
+            }
+
+            console.log(
+              dryRun
+                ? `Dry run complete. ${candidates.size} candidate(s) would be processed.`
+                : `Done. Deleted ${deleted} branch(es), skipped ${skipped}.`
+            );

.github/workflows/lock-issue.yaml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
-            const daysBeforeLock = 3;
+            const daysBeforeLock = 7;
             const lockDate = new Date();
             lockDate.setDate(lockDate.getDate() - daysBeforeLock);
             
@@ -28,7 +28,7 @@ jobs:
               /dependabot/i
             ];
             
-            // Search for closed, unlocked issues older than 3 days (paginated, oldest first)
+            // Search for closed, unlocked issues older than 7 days (paginated, oldest first)
             let page = 1;
             let totalLocked = 0;
             

.github/workflows/pocketbase-ai-bot.yml

@@ -0,0 +1,610 @@
+name: PocketBase AI Bot
+
+# Natural-language companion to pocketbase-bot.yml.
+# Mention the bot in plain English, e.g.:
+#   @pocketbase-bot change RAM to 4096 on zigbee2mqtt
+#   @pocketbase-bot disable script Nextcloud because upstream is broken
+# The bot parses the request with GitHub Models, replies with the exact change(s)
+# it understood, and only applies them after you reply "@pocketbase-bot confirm".
+# The slash-command bot (/pocketbase ...) is unaffected; triggers do not overlap.
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  models: read # lets the built-in GITHUB_TOKEN call GitHub Models inference
+  contents: write # built-in token opens the CT-defaults sync PR (like the slash bot)
+  pull-requests: write
+
+jobs:
+  ai-bot:
+    runs-on: self-hosted
+    # Broad gate; the script does precise keyword + self-author checks.
+    if: contains(github.event.comment.body, '@pocketbase-bot')
+
+    steps:
+      - name: Mint GitHub App token (bot identity)
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.PB_BOT_APP_ID }}
+          private-key: ${{ secrets.PB_BOT_APP_PRIVATE_KEY }}
+
+      - name: Run PocketBase AI bot
+        env:
+          # GitHub REST as the bot identity
+          GH_APP_TOKEN: ${{ steps.app-token.outputs.token }}
+          PB_BOT_APP_ID: ${{ secrets.PB_BOT_APP_ID }}
+          # GitHub Models inference uses the built-in token (needs models: read)
+          MODELS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Built-in token for git/PR ops (CT-defaults sync), mirroring the slash bot
+          GH_DEFAULT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AI_MODEL: openai/gpt-4o
+          # PocketBase
+          POCKETBASE_URL: ${{ secrets.POCKETBASE_URL }}
+          POCKETBASE_COLLECTION: ${{ secrets.POCKETBASE_COLLECTION }}
+          POCKETBASE_ADMIN_EMAIL: ${{ secrets.POCKETBASE_ADMIN_EMAIL }}
+          POCKETBASE_ADMIN_PASSWORD: ${{ secrets.POCKETBASE_ADMIN_PASSWORD }}
+          FRONTEND_URL: ${{ secrets.FRONTEND_URL }}
+          REVALIDATE_SECRET: ${{ secrets.REVALIDATE_SECRET }}
+          # Event context
+          COMMENT_BODY: ${{ github.event.comment.body }}
+          COMMENT_ID: ${{ github.event.comment.id }}
+          COMMENT_AUTHOR_TYPE: ${{ github.event.comment.user.type }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+          ACTOR: ${{ github.event.comment.user.login }}
+          ACTOR_ASSOCIATION: ${{ github.event.comment.author_association }}
+        run: |
+          node << 'ENDSCRIPT'
+          (async function () {
+            const https = require('https');
+            const http = require('http');
+            const url = require('url');
+
+            // ── HTTP helper with redirect following ────────────────────────────
+            function request(fullUrl, opts, redirectCount) {
+              redirectCount = redirectCount || 0;
+              return new Promise(function (resolve, reject) {
+                const u = url.parse(fullUrl);
+                const isHttps = u.protocol === 'https:';
+                const body = opts.body;
+                const options = {
+                  hostname: u.hostname,
+                  port: u.port || (isHttps ? 443 : 80),
+                  path: u.path,
+                  method: opts.method || 'GET',
+                  headers: opts.headers || {}
+                };
+                if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
+                const lib = isHttps ? https : http;
+                const req = lib.request(options, function (res) {
+                  if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                    if (redirectCount >= 5) return reject(new Error('Too many redirects from ' + fullUrl));
+                    const redirectUrl = url.resolve(fullUrl, res.headers.location);
+                    res.resume();
+                    resolve(request(redirectUrl, opts, redirectCount + 1));
+                    return;
+                  }
+                  let data = '';
+                  res.on('data', function (chunk) { data += chunk; });
+                  res.on('end', function () {
+                    resolve({ ok: res.statusCode >= 200 && res.statusCode < 300, statusCode: res.statusCode, body: data });
+                  });
+                });
+                req.on('error', reject);
+                if (body) req.write(body);
+                req.end();
+              });
+            }
+
+            // ── GitHub REST (as the bot app) ───────────────────────────────────
+            const owner = process.env.REPO_OWNER;
+            const repo = process.env.REPO_NAME;
+            const issueNumber = parseInt(process.env.ISSUE_NUMBER, 10);
+            const commentId = parseInt(process.env.COMMENT_ID, 10);
+            const actor = process.env.ACTOR;
+
+            function ghRequest(path, method, body) {
+              const headers = {
+                'Authorization': 'Bearer ' + process.env.GH_APP_TOKEN,
+                'Accept': 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+                'User-Agent': 'PocketBase-AI-Bot'
+              };
+              const bodyStr = body ? JSON.stringify(body) : undefined;
+              if (bodyStr) headers['Content-Type'] = 'application/json';
+              return request('https://api.github.com' + path, { method: method || 'GET', headers, body: bodyStr });
+            }
+
+            // Same as ghRequest but authenticated with the built-in GITHUB_TOKEN.
+            // Used for the CT-defaults sync branch/PR (the App token lacks contents:write).
+            function ghDefault(path, method, body) {
+              const headers = {
+                'Authorization': 'Bearer ' + process.env.GH_DEFAULT_TOKEN,
+                'Accept': 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+                'User-Agent': 'PocketBase-AI-Bot'
+              };
+              const bodyStr = body ? JSON.stringify(body) : undefined;
+              if (bodyStr) headers['Content-Type'] = 'application/json';
+              return request('https://api.github.com' + path, { method: method || 'GET', headers, body: bodyStr });
+            }
+
+            async function addReaction(content) {
+              try {
+                await ghRequest('/repos/' + owner + '/' + repo + '/issues/comments/' + commentId + '/reactions', 'POST', { content });
+              } catch (e) { console.warn('Could not add reaction:', e.message); }
+            }
+            async function postComment(text) {
+              const res = await ghRequest('/repos/' + owner + '/' + repo + '/issues/' + issueNumber + '/comments', 'POST', { body: text });
+              if (!res.ok) console.warn('Could not post comment:', res.body);
+              return res.ok ? JSON.parse(res.body) : null;
+            }
+            async function updateComment(id, text) {
+              const res = await ghRequest('/repos/' + owner + '/' + repo + '/issues/comments/' + id, 'PATCH', { body: text });
+              if (!res.ok) console.warn('Could not update comment:', res.body);
+            }
+            async function listIssueComments() {
+              const all = [];
+              let page = 1;
+              while (page <= 10) {
+                const res = await ghRequest('/repos/' + owner + '/' + repo + '/issues/' + issueNumber + '/comments?per_page=100&page=' + page);
+                if (!res.ok) break;
+                const batch = JSON.parse(res.body);
+                all.push.apply(all, batch);
+                if (batch.length < 100) break;
+                page++;
+              }
+              return all;
+            }
+
+            // ── 1. Self-trigger guard (App-token comments DO re-fire this event) ─
+            if (process.env.COMMENT_AUTHOR_TYPE === 'Bot') {
+              console.log('Comment authored by a bot — skipping to avoid loops.');
+              return;
+            }
+
+            // ── 2. Permission gate (mirrors the slash bot) ─────────────────────
+            const association = process.env.ACTOR_ASSOCIATION;
+            if (association !== 'OWNER' && association !== 'MEMBER') {
+              await addReaction('-1');
+              await postComment(
+                '❌ **PocketBase AI Bot**: @' + actor + ' is not authorized to use this command.\n' +
+                'Only org members (Contributors team) can use `@pocketbase-bot`.'
+              );
+              return;
+            }
+
+            // ── 3. Extract the instruction after the @pocketbase-bot handle ────
+            const commentBody = process.env.COMMENT_BODY || '';
+            const handleMatch = commentBody.match(/@pocketbase-bot(\[bot\])?/i);
+            if (!handleMatch) {
+              console.log('No @pocketbase-bot handle found — ignoring.');
+              return;
+            }
+            const instruction = commentBody.slice(handleMatch.index + handleMatch[0].length).trim();
+            if (!instruction) {
+              await addReaction('-1');
+              await postComment(
+                'ℹ️ **PocketBase AI Bot**: Tell me what to do, e.g.\n' +
+                '`@pocketbase-bot change RAM to 4096 on zigbee2mqtt` or `@pocketbase-bot disable script Nextcloud`.'
+              );
+              return;
+            }
+
+            // ── PocketBase auth + low-level helpers ────────────────────────────
+            const pbRaw = process.env.POCKETBASE_URL.replace(/\/$/, '');
+            const apiBase = /\/api$/i.test(pbRaw) ? pbRaw : pbRaw + '/api';
+            const coll = process.env.POCKETBASE_COLLECTION;
+            const recordsUrl = apiBase + '/collections/' + encodeURIComponent(coll) + '/records';
+
+            async function pbAuth() {
+              const res = await request(apiBase + '/collections/users/auth-with-password', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ identity: process.env.POCKETBASE_ADMIN_EMAIL, password: process.env.POCKETBASE_ADMIN_PASSWORD })
+              });
+              if (!res.ok) throw new Error('PocketBase auth failed: ' + res.body);
+              return JSON.parse(res.body).token;
+            }
+            async function pbFindRecord(token, slug) {
+              const filter = "(slug='" + String(slug).replace(/'/g, "''") + "')";
+              const res = await request(recordsUrl + '?filter=' + encodeURIComponent(filter) + '&perPage=1', { headers: { 'Authorization': token } });
+              const list = JSON.parse(res.body);
+              return list.items && list.items[0];
+            }
+            async function pbPatch(token, id, payload) {
+              return request(recordsUrl + '/' + id, {
+                method: 'PATCH',
+                headers: { 'Authorization': token, 'Content-Type': 'application/json' },
+                body: JSON.stringify(payload)
+              });
+            }
+            function readJsonBlob(val) {
+              if (Array.isArray(val)) return val;
+              try { return JSON.parse(val || '[]'); } catch (e) { return []; }
+            }
+            async function revalidate(s) {
+              const frontendUrl = process.env.FRONTEND_URL;
+              const secret = process.env.REVALIDATE_SECRET;
+              if (!frontendUrl || !secret) return;
+              try {
+                await request(frontendUrl.replace(/\/$/, '') + '/api/revalidate', {
+                  method: 'POST',
+                  headers: { 'Authorization': 'Bearer ' + secret, 'Content-Type': 'application/json' },
+                  body: JSON.stringify({ tags: ['scripts', 'script-' + s] })
+                });
+              } catch (e) { console.warn('Revalidation skipped:', e.message); }
+            }
+
+            // ── CT-defaults sync PR (copied from slash bot) ────────────────────
+            function encodeContentPath(filePath) { return filePath.split('/').map(encodeURIComponent).join('/'); }
+            function decodeGitHubContent(content) { return Buffer.from((content || '').replace(/\n/g, ''), 'base64').toString('utf8'); }
+            function sanitizeBranchPart(value) {
+              return (value || '').toLowerCase().replace(/[^a-z0-9._/-]+/g, '-').replace(/\/+/g, '/').replace(/^-+|-+$/g, '');
+            }
+            function applyCtDefaultChanges(scriptText, varChanges) {
+              let nextText = scriptText;
+              const updatedVars = [], unchangedVars = [];
+              for (const [varName, rawValue] of Object.entries(varChanges)) {
+                const newValue = String(rawValue);
+                const pattern = new RegExp('(^\\s*' + varName + '="\\$\\{' + varName + ':-)([^"}]*)(\\}"\\s*$)', 'm');
+                const match = nextText.match(pattern);
+                if (!match) continue;
+                if (match[2] === newValue) { unchangedVars.push(varName); continue; }
+                nextText = nextText.replace(pattern, '$1' + newValue + '$3');
+                updatedVars.push(varName);
+              }
+              return { nextText, updatedVars, unchangedVars };
+            }
+            async function ensureBranch(defaultBranch, branchName) {
+              const ghRequest = ghDefault; // git ops run as the built-in token
+              const branchRefRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/ref/heads/' + encodeURIComponent(branchName));
+              if (branchRefRes.ok) return;
+              const defaultRefRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/ref/heads/' + encodeURIComponent(defaultBranch));
+              if (!defaultRefRes.ok) throw new Error('Could not read default branch ref: ' + defaultRefRes.body);
+              const defaultRef = JSON.parse(defaultRefRes.body);
+              const createBranchRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/refs', 'POST', { ref: 'refs/heads/' + branchName, sha: defaultRef.object.sha });
+              if (!createBranchRes.ok) throw new Error('Could not create branch: ' + createBranchRes.body);
+            }
+            async function upsertCtDefaultsPr(slugValue, varChanges) {
+              const ghRequest = ghDefault; // contents/PR ops run as the built-in token
+              const wantedEntries = Object.entries(varChanges || {}).filter(function ([, v]) { return v !== undefined && v !== null && String(v) !== ''; });
+              if (wantedEntries.length === 0) return { status: 'skipped', reason: 'No mapped CT defaults changed.' };
+              const repoRes = await ghRequest('/repos/' + owner + '/' + repo);
+              if (!repoRes.ok) throw new Error('Could not read repository metadata: ' + repoRes.body);
+              const defaultBranch = JSON.parse(repoRes.body).default_branch;
+              const ctPath = 'ct/' + slugValue + '.sh';
+              const encodedCtPath = encodeContentPath(ctPath);
+              const defaultFileRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath + '?ref=' + encodeURIComponent(defaultBranch));
+              if (defaultFileRes.statusCode === 404) return { status: 'skipped', reason: 'No matching CT file found at `' + ctPath + '`.' };
+              if (!defaultFileRes.ok) throw new Error('Could not read CT file from default branch: ' + defaultFileRes.body);
+              const branchName = 'pocketbase-sync/' + sanitizeBranchPart(slugValue || 'unknown');
+              await ensureBranch(defaultBranch, branchName);
+              const branchFileRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath + '?ref=' + encodeURIComponent(branchName));
+              if (!branchFileRes.ok) throw new Error('Could not read CT file from sync branch: ' + branchFileRes.body);
+              const branchFile = JSON.parse(branchFileRes.body);
+              const currentBranchText = decodeGitHubContent(branchFile.content);
+              const updateResult = applyCtDefaultChanges(currentBranchText, Object.fromEntries(wantedEntries));
+              if (updateResult.updatedVars.length === 0) return { status: 'skipped', reason: 'CT defaults already up to date.' };
+              const putRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath, 'PUT', {
+                message: 'chore(ct): sync ' + slugValue + ' defaults from PocketBase',
+                content: Buffer.from(updateResult.nextText, 'utf8').toString('base64'),
+                sha: branchFile.sha,
+                branch: branchName
+              });
+              if (!putRes.ok) throw new Error('Could not update CT file: ' + putRes.body);
+              const openPrRes = await ghRequest('/repos/' + owner + '/' + repo + '/pulls?state=open&head=' + encodeURIComponent(owner + ':' + branchName) + '&base=' + encodeURIComponent(defaultBranch));
+              if (!openPrRes.ok) throw new Error('Could not query existing PRs: ' + openPrRes.body);
+              const openPrs = JSON.parse(openPrRes.body);
+              if (openPrs.length > 0) return { status: 'updated', prUrl: openPrs[0].html_url, updatedVars: updateResult.updatedVars };
+              const createPrRes = await ghRequest('/repos/' + owner + '/' + repo + '/pulls', 'POST', {
+                title: 'chore(ct): sync ' + slugValue + ' defaults with PocketBase',
+                body: '## Summary\n- Sync default CT variables for `' + slugValue + '` after an `@pocketbase-bot` update.\n- Updated vars: `' + updateResult.updatedVars.join('`, `') + '`.\n\n## Source\n- Triggered by @' + actor + ' via PocketBase AI bot.\n',
+                head: branchName,
+                base: defaultBranch
+              });
+              if (!createPrRes.ok) throw new Error('Could not create PR: ' + createPrRes.body);
+              return { status: 'created', prUrl: JSON.parse(createPrRes.body).html_url, updatedVars: updateResult.updatedVars };
+            }
+
+            // ── Allow-lists (mirror the slash bot) ─────────────────────────────
+            const ALLOWED_FIELDS = {
+              name: 'string', description: 'string', logo: 'string', documentation: 'string',
+              website: 'string', project_url: 'string', github: 'string', config_path: 'string',
+              tags: 'string', port: 'number', default_user: 'nullable_string', default_passwd: 'nullable_string',
+              unprivileged: 'number', updateable: 'boolean', privileged: 'boolean', has_arm: 'boolean',
+              is_dev: 'boolean', is_disabled: 'boolean', disable_message: 'string',
+              is_deleted: 'boolean', deleted_message: 'string'
+            };
+            const FIELD_TO_CT_VAR = { tags: 'var_tags', unprivileged: 'var_unprivileged' };
+            const RESOURCE_KEYS = { cpu: 'number', ram: 'number', hdd: 'number', os: 'string', version: 'string' };
+            const METHOD_KEYS = { config_path: 'string', script: 'string' };
+            const ALL_METHOD_KEYS = Object.assign({}, RESOURCE_KEYS, METHOD_KEYS);
+            const RESOURCE_TO_CT_VAR = { cpu: 'var_cpu', ram: 'var_ram', hdd: 'var_disk', os: 'var_os', version: 'var_version' };
+
+            function castFieldValue(key, rawVal) {
+              const type = ALLOWED_FIELDS[key];
+              if (!type) return { error: 'Unknown field `' + key + '`' };
+              if (type === 'boolean') {
+                if (rawVal === true || rawVal === 'true') return { value: true };
+                if (rawVal === false || rawVal === 'false') return { value: false };
+                return { error: '`' + key + '` must be true/false' };
+              }
+              if (type === 'number') {
+                const n = parseInt(rawVal, 10);
+                if (isNaN(n)) return { error: '`' + key + '` must be a number' };
+                return { value: n };
+              }
+              if (type === 'nullable_string') return { value: rawVal === '' || rawVal == null ? null : String(rawVal) };
+              return { value: String(rawVal) };
+            }
+
+            // ── Operation validation (used at propose AND confirm time) ────────
+            // Never trust raw operations: enforce the field/op allow-lists and
+            // re-cast values. Returns only well-formed, allowed operations.
+            function sanitizeOperations(ops) {
+              const validOps = [], problems = [];
+              for (const op of (Array.isArray(ops) ? ops : [])) {
+                if (op && op.kind === 'field') {
+                  const cast = castFieldValue(op.field, op.value);
+                  if (cast.error) { problems.push(cast.error); continue; }
+                  validOps.push({ kind: 'field', field: op.field, value: cast.value });
+                } else if (op && op.kind === 'note' && ['add', 'edit', 'remove'].includes(op.action)) {
+                  validOps.push({ kind: 'note', action: op.action, type: String(op.type || ''), text: op.text, newText: op.newText });
+                } else if (op && op.kind === 'method' && ['add', 'edit', 'remove'].includes(op.action)) {
+                  const changes = {};
+                  for (const [k, v] of Object.entries(op.changes || {})) { if (ALL_METHOD_KEYS[k]) changes[k] = v; }
+                  validOps.push({ kind: 'method', action: op.action, type: String(op.type || 'default'), changes });
+                } else {
+                  problems.push('Unsupported operation: `' + JSON.stringify(op) + '`');
+                }
+              }
+              return { validOps, problems };
+            }
+
+            // ── Executor: apply a validated {slug, operations} set ─────────────
+            async function applyOperations(action) {
+              const token = await pbAuth();
+              const record = await pbFindRecord(token, action.slug);
+              if (!record) return { ok: false, summary: '❌ No PocketBase record for slug `' + action.slug + '`.' };
+
+              const fieldPayload = {};
+              let notesArr = readJsonBlob(record.notes);
+              let methodsArr = readJsonBlob(record.install_methods);
+              let notesChanged = false, methodsChanged = false;
+              const ctChanges = {};
+              const lines = [];
+
+              for (const op of action.operations) {
+                if (op.kind === 'field') {
+                  const cast = castFieldValue(op.field, op.value);
+                  if (cast.error) { lines.push('- ⚠️ skipped field: ' + cast.error); continue; }
+                  fieldPayload[op.field] = cast.value;
+                  if (FIELD_TO_CT_VAR[op.field]) ctChanges[FIELD_TO_CT_VAR[op.field]] = cast.value;
+                  lines.push('- `' + op.field + '` → `' + JSON.stringify(cast.value) + '`');
+                } else if (op.kind === 'note') {
+                  const type = String(op.type || '').toLowerCase();
+                  if (op.action === 'add') {
+                    notesArr.push({ type, text: String(op.text || '') });
+                    notesChanged = true; lines.push('- note add `' + type + '`: ' + op.text);
+                  } else if (op.action === 'remove') {
+                    const before = notesArr.length;
+                    notesArr = notesArr.filter(function (n) { return !(String(n.type).toLowerCase() === type && n.text === op.text); });
+                    if (notesArr.length !== before) { notesChanged = true; lines.push('- note remove `' + type + '`: ' + op.text); }
+                    else lines.push('- ⚠️ note remove: no `' + type + '` note matched');
+                  } else if (op.action === 'edit') {
+                    const idx = notesArr.findIndex(function (n) { return String(n.type).toLowerCase() === type && n.text === op.text; });
+                    if (idx !== -1) { notesArr[idx].text = String(op.newText || ''); notesChanged = true; lines.push('- note edit `' + type + '`'); }
+                    else lines.push('- ⚠️ note edit: no `' + type + '` note matched');
+                  }
+                } else if (op.kind === 'method') {
+                  const type = String(op.type || '').toLowerCase();
+                  const changes = op.changes || {};
+                  if (op.action === 'remove') {
+                    const before = methodsArr.length;
+                    methodsArr = methodsArr.filter(function (im) { return String(im.type || '').toLowerCase() !== type; });
+                    if (methodsArr.length !== before) { methodsChanged = true; lines.push('- method remove `' + type + '`'); }
+                    else lines.push('- ⚠️ method remove: `' + type + '` not found');
+                  } else {
+                    let method = methodsArr.find(function (im) { return String(im.type || '').toLowerCase() === type; });
+                    if (!method && op.action === 'add') { method = { type, resources: { cpu: 1, ram: 512, hdd: 4, os: 'debian', version: '13' } }; methodsArr.push(method); }
+                    if (!method) { lines.push('- ⚠️ method edit: `' + type + '` not found'); continue; }
+                    if (!method.resources) method.resources = {};
+                    for (const [k, v] of Object.entries(changes)) {
+                      if (RESOURCE_KEYS[k]) {
+                        method.resources[k] = RESOURCE_KEYS[k] === 'number' ? parseInt(v, 10) : String(v);
+                        if (RESOURCE_TO_CT_VAR[k]) ctChanges[RESOURCE_TO_CT_VAR[k]] = method.resources[k];
+                      } else if (METHOD_KEYS[k]) {
+                        method[k] = v === '' ? null : String(v);
+                      }
+                    }
+                    methodsChanged = true;
+                    lines.push('- method `' + (op.action === 'add' ? 'add' : 'edit') + '` `' + type + '`: ' + JSON.stringify(changes));
+                  }
+                }
+              }
+
+              if (Object.keys(fieldPayload).length) {
+                const r = await pbPatch(token, record.id, fieldPayload);
+                if (!r.ok) return { ok: false, summary: '❌ Field update failed:\n```\n' + r.body + '\n```' };
+              }
+              if (notesChanged) {
+                const r = await pbPatch(token, record.id, { notes: notesArr });
+                if (!r.ok) return { ok: false, summary: '❌ Notes update failed:\n```\n' + r.body + '\n```' };
+              }
+              if (methodsChanged) {
+                const r = await pbPatch(token, record.id, { install_methods: methodsArr });
+                if (!r.ok) return { ok: false, summary: '❌ Install-method update failed:\n```\n' + r.body + '\n```' };
+              }
+              await revalidate(action.slug);
+
+              let ctNote = '';
+              if (Object.keys(ctChanges).length) {
+                try {
+                  const sync = await upsertCtDefaultsPr(action.slug, ctChanges);
+                  if (sync.status === 'created') ctNote = '\n\n**CT sync PR:** ' + sync.prUrl;
+                  else if (sync.status === 'updated') ctNote = '\n\n**CT sync PR updated:** ' + sync.prUrl;
+                  else if (sync.status === 'skipped') ctNote = '\n\n**CT sync skipped:** ' + sync.reason;
+                } catch (e) { ctNote = '\n\n**CT sync failed:** ' + e.message; }
+              }
+              return { ok: true, summary: lines.join('\n') + ctNote };
+            }
+
+            // ── 4. Confirm branch ──────────────────────────────────────────────
+            const PENDING_RE = /<!--\s*pocketbase-pending:\s*([A-Za-z0-9+/=]+)\s*-->/;
+            const isConfirm = /^(confirm|yes|apply|do it|y)\b/i.test(instruction);
+
+            if (isConfirm) {
+              const comments = await listIssueComments();
+              const appId = String(process.env.PB_BOT_APP_ID || '');
+              let pending = null, pendingComment = null;
+              for (let i = comments.length - 1; i >= 0; i--) {
+                const c = comments[i];
+                // Only trust a marker in a comment THIS bot app authored — otherwise a
+                // user could hand-craft a forged pocketbase-pending marker and confirm it.
+                const byBotApp = c.user && c.user.type === 'Bot' &&
+                  c.performed_via_github_app && String(c.performed_via_github_app.id) === appId;
+                if (!byBotApp) continue;
+                const m = c.body && c.body.match(PENDING_RE);
+                if (m) { pending = m[1]; pendingComment = c; break; }
+              }
+              if (!pending) {
+                await addReaction('confused');
+                await postComment('🤔 **PocketBase AI Bot**: I have no pending change to confirm in this thread.');
+                return;
+              }
+              let action;
+              try { action = JSON.parse(Buffer.from(pending, 'base64').toString('utf8')); }
+              catch (e) { await postComment('❌ **PocketBase AI Bot**: Could not decode the pending change.'); return; }
+
+              // Re-validate the decoded operations before applying (defense-in-depth).
+              const recheck = sanitizeOperations(action.operations);
+              if (!action.slug || recheck.validOps.length === 0) {
+                await addReaction('-1');
+                await postComment('❌ **PocketBase AI Bot**: The pending change is no longer valid. Please restate the request.');
+                return;
+              }
+              action.operations = recheck.validOps;
+
+              let result;
+              try { result = await applyOperations(action); }
+              catch (e) { await addReaction('-1'); await postComment('❌ **PocketBase AI Bot**: ' + e.message); return; }
+
+              if (!result.ok) { await addReaction('-1'); await postComment(result.summary); return; }
+              await updateComment(pendingComment.id, pendingComment.body.replace(PENDING_RE, '<!-- pocketbase-applied -->'));
+              await addReaction('+1');
+              await postComment(
+                '✅ **PocketBase AI Bot**: Applied to **`' + action.slug + '`**\n\n' + result.summary +
+                '\n\n*Confirmed by @' + actor + '*'
+              );
+              return;
+            }
+
+            // ── 5. New request: acknowledge, fetch script list, call the model ─
+            await addReaction('eyes');
+
+            const token0 = await pbAuth();
+            const scripts = [];
+            let page = 1;
+            while (page <= 5) {
+              const res = await request(recordsUrl + '?fields=slug,name&perPage=500&page=' + page, { headers: { 'Authorization': token0 } });
+              if (!res.ok) break;
+              const data = JSON.parse(res.body);
+              (data.items || []).forEach(function (it) { if (it.slug) scripts.push({ slug: it.slug, name: it.name || it.slug }); });
+              if (!data.items || data.items.length < 500) break;
+              page++;
+            }
+
+            const SYSTEM_PROMPT =
+              'You translate a maintainer\'s natural-language request into a STRICT JSON change-set for a ' +
+              'script catalog (PocketBase). Respond with a SINGLE JSON object and nothing else.\n\n' +
+              'Schema:\n' +
+              '{\n' +
+              '  "slug": string|null,            // MUST be one of the known slugs below, chosen from the request\n' +
+              '  "operations": [ ... ],          // [] if you cannot determine concrete changes\n' +
+              '  "human_summary": string,        // short plain-English description\n' +
+              '  "clarification": string|null    // a question to ask if ambiguous/unsupported; else null\n' +
+              '}\n\n' +
+              'Operation kinds:\n' +
+              '- {"kind":"field","field":<one of: ' + Object.keys(ALLOWED_FIELDS).join(', ') + '>,"value":<bool|number|string>}\n' +
+              '  (booleans true/false; "is_disabled"/"is_deleted"/"is_dev" are booleans; "port"/"unprivileged" are numbers; rest strings.)\n' +
+              '- {"kind":"note","action":"add"|"edit"|"remove","type":string,"text":string,"newText":string?}\n' +
+              '- {"kind":"method","action":"add"|"edit"|"remove","type":string,"changes":{cpu?:number,ram?:number,hdd?:number,os?:string,version?:string,config_path?:string,script?:string}}\n' +
+              '  (RAM/HDD are in MB/GB; method "type" defaults to "default" if the user does not name one.)\n\n' +
+              'Rules:\n' +
+              '- Only use fields/operations listed above. If the request needs something else, set clarification and operations=[].\n' +
+              '- "disable"/"enable" map to is_disabled true/false. If disabling and the user gave a reason, also set disable_message.\n' +
+              '- Resolve the target script to a slug from the list. If you cannot confidently match exactly one, set slug=null and ask via clarification.\n\n' +
+              'Known scripts (slug — name):\n' +
+              scripts.map(function (s) { return s.slug + ' — ' + s.name; }).join('\n');
+
+            const modelRes = await request('https://models.github.ai/inference/chat/completions', {
+              method: 'POST',
+              headers: { 'Authorization': 'Bearer ' + process.env.MODELS_TOKEN, 'Content-Type': 'application/json', 'Accept': 'application/json' },
+              body: JSON.stringify({
+                model: process.env.AI_MODEL || 'openai/gpt-4o',
+                temperature: 0.1,
+                response_format: { type: 'json_object' },
+                messages: [{ role: 'system', content: SYSTEM_PROMPT }, { role: 'user', content: instruction }]
+              })
+            });
+            if (!modelRes.ok) {
+              await addReaction('-1');
+              await postComment('❌ **PocketBase AI Bot**: Model request failed (' + modelRes.statusCode + ').\n```\n' + modelRes.body.slice(0, 500) + '\n```');
+              return;
+            }
+
+            let parsed;
+            try {
+              const content = JSON.parse(modelRes.body).choices[0].message.content;
+              const cleaned = content.replace(/^```(?:json)?\s*/i, '').replace(/```\s*$/i, '').trim();
+              parsed = JSON.parse(cleaned);
+            } catch (e) {
+              await addReaction('-1');
+              await postComment('❌ **PocketBase AI Bot**: Could not parse the model response. Please rephrase.');
+              return;
+            }
+
+            // ── 6. Validate ────────────────────────────────────────────────────
+            const knownSlugs = new Set(scripts.map(function (s) { return s.slug; }));
+            const problems = [];
+            if (parsed.clarification) problems.push(parsed.clarification);
+            if (!parsed.slug || !knownSlugs.has(parsed.slug)) problems.push('I could not match the request to a known script.');
+            const sanitized = sanitizeOperations(parsed.operations);
+            const validOps = sanitized.validOps;
+            problems.push.apply(problems, sanitized.problems);
+            if (validOps.length === 0) problems.push('No concrete, supported change was found.');
+
+            if (problems.length) {
+              await addReaction('confused');
+              await postComment(
+                '🤔 **PocketBase AI Bot**: I need a bit more to act on that.\n\n- ' + problems.join('\n- ') +
+                '\n\nTry naming the script and the exact change, e.g. `@pocketbase-bot set RAM to 4096 on zigbee2mqtt`.'
+              );
+              return;
+            }
+
+            // ── 7. Propose (do NOT apply yet) ──────────────────────────────────
+            const action = { slug: parsed.slug, operations: validOps };
+            const bullets = validOps.map(function (op) {
+              if (op.kind === 'field') return '- `' + op.field + '` → `' + JSON.stringify(op.value) + '`';
+              if (op.kind === 'note') return '- note ' + op.action + ' `' + op.type + '`' + (op.text ? ': ' + op.text : '');
+              return '- method ' + op.action + ' `' + op.type + '`: ' + JSON.stringify(op.changes);
+            }).join('\n');
+            const marker = '<!-- pocketbase-pending: ' + Buffer.from(JSON.stringify(action), 'utf8').toString('base64') + ' -->';
+            await addReaction('+1');
+            await postComment(
+              '🤖 **PocketBase AI Bot** — please confirm\n\n' +
+              (parsed.human_summary ? '> ' + parsed.human_summary + '\n\n' : '') +
+              '**Target:** `' + action.slug + '`\n**Proposed changes:**\n' + bullets + '\n\n' +
+              'Reply **`@pocketbase-bot confirm`** to apply, or restate the request to adjust.\n' + marker
+            );
+          })().catch(function (e) {
+            console.error('Fatal error:', e && (e.message || e));
+            process.exit(1);
+          });
+          ENDSCRIPT

.github/workflows/pocketbase-bot.yml

@@ -13,8 +13,8 @@ jobs:
   pocketbase-bot:
     runs-on: self-hosted
 
-    # Only act on /pocketbase commands
+    # Act on comments that contain a /pocketbase command line (precise line check happens in-script)
-    if: startsWith(github.event.comment.body, '/pocketbase')
+    if: contains(github.event.comment.body, '/pocketbase')
 
     steps:
       - name: Execute PocketBase bot command
@@ -257,6 +257,22 @@ jobs:
               if (!res.ok) console.warn('Could not post comment:', res.body);
             }
 
+            // ── Locate the command line ────────────────────────────────────────
+            // Accept /pocketbase at the start of ANY line (leading whitespace ok),
+            // so the command works even when preceded by other text. Mid-sentence
+            // mentions and blockquoted ("> ...") examples are ignored.
+            const commentBody = process.env.COMMENT_BODY || '';
+            const cmdLine = commentBody
+              .split('\n')
+              .map(l => l.trim())
+              .find(l => l.startsWith('/pocketbase'));
+
+            if (!cmdLine) {
+              console.log('No /pocketbase command line found — ignoring comment.');
+              process.exit(0);
+            }
+            const withoutCmd = cmdLine.replace(/^\/pocketbase\s*/, '').trim();
+
             // ── Permission check ───────────────────────────────────────────────
             const association = process.env.ACTOR_ASSOCIATION;
             if (association !== 'OWNER' && association !== 'MEMBER') {
@@ -272,10 +288,6 @@ jobs:
             await addReaction('eyes');
 
             // ── Parse command ──────────────────────────────────────────────────
-            const commentBody = process.env.COMMENT_BODY || '';
-            const lines = commentBody.trim().split('\n');
-            const firstLine = lines[0].trim();
-            const withoutCmd = firstLine.replace(/^\/pocketbase\s+/, '').trim();
 
             function extractCodeBlock(body) {
               const m = body.match(/```[^\n]*\n([\s\S]*?)```/);

CHANGELOG.md

@@ -59,6 +59,9 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 
 
+
+
+
 
 
 
@@ -72,7 +75,14 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 
 <details>
-<summary><h4>May (30 entries)</h4></summary>
+<summary><h4>June (6 entries)</h4></summary>
+
+[View June 2026 Changelog](.github/changelogs/2026/06.md)
+
+</details>
+
+<details>
+<summary><h4>May (31 entries)</h4></summary>
 
 [View May 2026 Changelog](.github/changelogs/2026/05.md)
 
@@ -470,6 +480,153 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-06-08
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - homelable: preserve MCP server config across updates [@ferr079](https://github.com/ferr079) ([#14996](https://github.com/community-scripts/ProxmoxVE/pull/14996))
+    - changedetection: migrate Python install to uv venv [@ferr079](https://github.com/ferr079) ([#14995](https://github.com/community-scripts/ProxmoxVE/pull/14995))
+
+  - #### 🔧 Refactor
+
+    - Update Flowwiseai to node 24 [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14999](https://github.com/community-scripts/ProxmoxVE/pull/14999))
+
+## 2026-06-07
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Immich: use actual installed PostgreSQL version for vchord package [@MickLesk](https://github.com/MickLesk) ([#14989](https://github.com/community-scripts/ProxmoxVE/pull/14989))
+
+  - #### 🔧 Refactor
+
+    - Navidrome: remove genereic filebrowser addon setup [@MickLesk](https://github.com/MickLesk) ([#14991](https://github.com/community-scripts/ProxmoxVE/pull/14991))
+
+## 2026-06-06
+
+### 🆕 New Scripts
+
+  - Spliit ([#14966](https://github.com/community-scripts/ProxmoxVE/pull/14966))
+- Tolgee ([#14965](https://github.com/community-scripts/ProxmoxVE/pull/14965))
+- XYOps ([#14967](https://github.com/community-scripts/ProxmoxVE/pull/14967))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Photoprism: Allow env variables with spaces [@Badintral](https://github.com/Badintral) ([#14969](https://github.com/community-scripts/ProxmoxVE/pull/14969))
+
+## 2026-06-05
+
+### 🆕 New Scripts
+
+  - MatterJS-Server ([#14951](https://github.com/community-scripts/ProxmoxVE/pull/14951))
+- CyberChef ([#14952](https://github.com/community-scripts/ProxmoxVE/pull/14952))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Jackett: Create missing .env file [@tremor021](https://github.com/tremor021) ([#14959](https://github.com/community-scripts/ProxmoxVE/pull/14959))
+    - OpenThread-BR: use systemd instead of init.d [@tomfrenzel](https://github.com/tomfrenzel) ([#14942](https://github.com/community-scripts/ProxmoxVE/pull/14942))
+
+  - #### ✨ New Features
+
+    - AMD IGPU support [@Learath](https://github.com/Learath) ([#14944](https://github.com/community-scripts/ProxmoxVE/pull/14944))
+
+  - #### 💥 Breaking Changes
+
+    - update authentik to 2026.5.2 [@thieneret](https://github.com/thieneret) ([#14846](https://github.com/community-scripts/ProxmoxVE/pull/14846))
+
+## 2026-06-04
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Fix status messages for several alpine scripts [@tremor021](https://github.com/tremor021) ([#14911](https://github.com/community-scripts/ProxmoxVE/pull/14911))
+    - ReactiveResume: Fix Service Path [@MickLesk](https://github.com/MickLesk) ([#14926](https://github.com/community-scripts/ProxmoxVE/pull/14926))
+    - Jellyfin: install intel-igc deps before intel-opencl-icd to fix dependency order [@MickLesk](https://github.com/MickLesk) ([#14927](https://github.com/community-scripts/ProxmoxVE/pull/14927))
+
+  - #### 🔧 Refactor
+
+    - OpenThread-BR: use official GitHub releases [@tomfrenzel](https://github.com/tomfrenzel) ([#14916](https://github.com/community-scripts/ProxmoxVE/pull/14916))
+    - Grist: remove extra text at the end of installation [@tremor021](https://github.com/tremor021) ([#14905](https://github.com/community-scripts/ProxmoxVE/pull/14905))
+
+### ❔ Uncategorized
+
+  - chore(ct): sync sparkyfitness defaults with PocketBase [@github-actions[bot]](https://github.com/github-actions[bot]) ([#14925](https://github.com/community-scripts/ProxmoxVE/pull/14925))
+
+## 2026-06-03
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Glance: Use separate directory for configuration files [@tremor021](https://github.com/tremor021) ([#14906](https://github.com/community-scripts/ProxmoxVE/pull/14906))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - [core]: Fix alignment for `msg_` functions [@tremor021](https://github.com/tremor021) ([#14908](https://github.com/community-scripts/ProxmoxVE/pull/14908))
+
+## 2026-06-02
+
+### 🆕 New Scripts
+
+  - DDNS-Updater ([#14883](https://github.com/community-scripts/ProxmoxVE/pull/14883))
+- InvoiceShelf ([#14882](https://github.com/community-scripts/ProxmoxVE/pull/14882))
+- Certimate ([#14881](https://github.com/community-scripts/ProxmoxVE/pull/14881))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - OpenThread-BR: preserve config during update [@tomfrenzel](https://github.com/tomfrenzel) ([#14893](https://github.com/community-scripts/ProxmoxVE/pull/14893))
+    - infisical: fix update abort due to creds field mismatch (#14868) [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14870](https://github.com/community-scripts/ProxmoxVE/pull/14870))
+
+  - #### ✨ New Features
+
+    - feat(degoog): enable default valkey cache integration [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14871](https://github.com/community-scripts/ProxmoxVE/pull/14871))
+
+  - #### 🔧 Refactor
+
+    - chore: bump Node version in selected scripts [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14873](https://github.com/community-scripts/ProxmoxVE/pull/14873))
+
+### 💾 Core
+
+  - #### ✨ New Features
+
+    - tools.func: add support for Rust installation profile in setup_rust [@MickLesk](https://github.com/MickLesk) ([#14872](https://github.com/community-scripts/ProxmoxVE/pull/14872))
+
+### 📂 Github
+
+  - fix(workflow): only flag node drift when local is behind upstream [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14874](https://github.com/community-scripts/ProxmoxVE/pull/14874))
+
+## 2026-06-01
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - fix(dispatcharr): forward nginx port for M3U URLs on new installs [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14862](https://github.com/community-scripts/ProxmoxVE/pull/14862))
+    - Set environment paths in service for apprise-api-install.sh [@SystemIdleProcess](https://github.com/SystemIdleProcess) ([#14805](https://github.com/community-scripts/ProxmoxVE/pull/14805))
+    - fix(fireshare): rebuild client on update to fix nginx 500 [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14848](https://github.com/community-scripts/ProxmoxVE/pull/14848))
+    - Fix Kan build failure (TS7016 nodemailer) [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14856](https://github.com/community-scripts/ProxmoxVE/pull/14856))
+    - fix(firefly): set Data Importer APP_URL for subdirectory install [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14847](https://github.com/community-scripts/ProxmoxVE/pull/14847))
+    - kan: extend fetch_and_deploy_gh_tag to use 'latest' tag [@MickLesk](https://github.com/MickLesk) ([#14853](https://github.com/community-scripts/ProxmoxVE/pull/14853))
+    - Glance: preserve glance.yml across updates [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14845](https://github.com/community-scripts/ProxmoxVE/pull/14845))
+    - NginxProxymanager: set Certbot version in npm.service environment variable (2.15.0) [@MickLesk](https://github.com/MickLesk) ([#14843](https://github.com/community-scripts/ProxmoxVE/pull/14843))
+    - [FileFlows] Fix service handling by using systemctl --all with quoted glob [@adrianmusante](https://github.com/adrianmusante) ([#14838](https://github.com/community-scripts/ProxmoxVE/pull/14838))
+
+  - #### ✨ New Features
+
+    - Kometa: also update Quickstart in update_script [@MickLesk](https://github.com/MickLesk) ([#14529](https://github.com/community-scripts/ProxmoxVE/pull/14529))
+
 ## 2026-05-31
 
 ### 🚀 Updated Scripts
@@ -911,144 +1068,3 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
   - #### 🐞 Bug Fixes
 
     - tools.func: fix meilisearch import-dump background process handling [@MickLesk](https://github.com/MickLesk) ([#14341](https://github.com/community-scripts/ProxmoxVE/pull/14341))
-
-## 2026-05-07
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - termix: create /tmp/nginx before nginx -t [@MickLesk](https://github.com/MickLesk) ([#14312](https://github.com/community-scripts/ProxmoxVE/pull/14312))
-    - The Lounge: Fix service not starting automaticaly [@tremor021](https://github.com/tremor021) ([#14311](https://github.com/community-scripts/ProxmoxVE/pull/14311))
-    - netbird-lxc: fix installation check [@MickLesk](https://github.com/MickLesk) ([#14309](https://github.com/community-scripts/ProxmoxVE/pull/14309))
-    - databasus: Backup and secure configuration file [@MickLesk](https://github.com/MickLesk) ([#14308](https://github.com/community-scripts/ProxmoxVE/pull/14308))
-    - vm: update disk image URL for Ubuntu 25.04 [@MickLesk](https://github.com/MickLesk) ([#14290](https://github.com/community-scripts/ProxmoxVE/pull/14290))
-
-  - #### ✨ New Features
-
-    - pangolin: bump version to 1.18.3 [@MickLesk](https://github.com/MickLesk) ([#14297](https://github.com/community-scripts/ProxmoxVE/pull/14297))
-
-### 🗑️ Deleted Scripts
-
-  - Remove: LiteLLM [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14294](https://github.com/community-scripts/ProxmoxVE/pull/14294))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - update-apps: some  improvements [@MickLesk](https://github.com/MickLesk) ([#14275](https://github.com/community-scripts/ProxmoxVE/pull/14275))
-
-## 2026-05-06
-
-### 🆕 New Scripts
-
-  - Hoodik ([#14279](https://github.com/community-scripts/ProxmoxVE/pull/14279))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Pelican-Panel: create backup subdirectory before copying storage [@MickLesk](https://github.com/MickLesk) ([#14274](https://github.com/community-scripts/ProxmoxVE/pull/14274))
-    - Rustdeskserver: remove redundant else with undefined RELEASE var [@MickLesk](https://github.com/MickLesk) ([#14272](https://github.com/community-scripts/ProxmoxVE/pull/14272))
-
-### 🧰 Tools
-
-  - #### 🔧 Refactor
-
-    - AdguardHome-Sync replace ifconfig with hostname -I for IP detection [@MickLesk](https://github.com/MickLesk) ([#14273](https://github.com/community-scripts/ProxmoxVE/pull/14273))
-
-## 2026-05-05
-
-### 🆕 New Scripts
-
-  - LibreChat ([#14247](https://github.com/community-scripts/ProxmoxVE/pull/14247))
-- Matomo ([#14248](https://github.com/community-scripts/ProxmoxVE/pull/14248))
-- Storyteller ([#14122](https://github.com/community-scripts/ProxmoxVE/pull/14122))
-
-### 🧰 Tools
-
-  - Fix container count message in update-apps.sh [@Quotacious](https://github.com/Quotacious) ([#14265](https://github.com/community-scripts/ProxmoxVE/pull/14265))
-
-## 2026-05-04
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Databasus: move .env to filesystem root so service starts correctly [@Copilot](https://github.com/Copilot) ([#14252](https://github.com/community-scripts/ProxmoxVE/pull/14252))
-    - Databasus: update mongo-tools fallback to 100.16.1 and use now pnpm instead of npm ci [@MickLesk](https://github.com/MickLesk) ([#14240](https://github.com/community-scripts/ProxmoxVE/pull/14240))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - tools.func get_latest_gh_tag - add pagination to find prefixed tags beyond first 50 [@MickLesk](https://github.com/MickLesk) ([#14241](https://github.com/community-scripts/ProxmoxVE/pull/14241))
-    - tools.func: add GitLab release check/fetch/deploy helpers [@MickLesk](https://github.com/MickLesk) ([#14242](https://github.com/community-scripts/ProxmoxVE/pull/14242))
-
-## 2026-05-03
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Hortusfox: fix update issues [@tomfrenzel](https://github.com/tomfrenzel) ([#14214](https://github.com/community-scripts/ProxmoxVE/pull/14214))
-
-  - #### ✨ New Features
-
-    - Refactor: PeaNUT for v6 [@MickLesk](https://github.com/MickLesk) ([#14224](https://github.com/community-scripts/ProxmoxVE/pull/14224))
-    - pangolin: pin version, drop manual SQL, use upstream migrator [@MickLesk](https://github.com/MickLesk) ([#14223](https://github.com/community-scripts/ProxmoxVE/pull/14223))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - core: fix validate_bridge function [@MichaelOultram](https://github.com/MichaelOultram) ([#14206](https://github.com/community-scripts/ProxmoxVE/pull/14206))
-
-### 🧰 Tools
-
-  - #### 🐞 Bug Fixes
-
-    - pve/pbs scripts: guard sed against missing /etc/apt/sources.list [@MickLesk](https://github.com/MickLesk) ([#14222](https://github.com/community-scripts/ProxmoxVE/pull/14222))
-
-## 2026-05-02
-
-### 🆕 New Scripts
-
-  - protonmail-bridge ([#14136](https://github.com/community-scripts/ProxmoxVE/pull/14136))
-- Tube Archivist ([#14123](https://github.com/community-scripts/ProxmoxVE/pull/14123))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Nagios: Ping fix [@tremor021](https://github.com/tremor021) ([#14186](https://github.com/community-scripts/ProxmoxVE/pull/14186))
-    - opnsense-vm: retry pvesm alloc on transient zfs 'got timeout' errors [@MickLesk](https://github.com/MickLesk) ([#14157](https://github.com/community-scripts/ProxmoxVE/pull/14157))
-    - ImmichFrame: fix update by reinstalling dotnet-sdk before publish [@MickLesk](https://github.com/MickLesk) ([#14158](https://github.com/community-scripts/ProxmoxVE/pull/14158))
-    - [FIX]ShelfMark: Use UV sync for shelfmark backend build; update to Python 3.14 [@vhsdream](https://github.com/vhsdream) ([#14170](https://github.com/community-scripts/ProxmoxVE/pull/14170))
-    - alpine: remove deb/ubuntu-only resource & storage checks from update-script [@MickLesk](https://github.com/MickLesk) ([#14166](https://github.com/community-scripts/ProxmoxVE/pull/14166))
-    - Threadfin: use 'threadfin-app' as app name to avoid version-file clash  [@MickLesk](https://github.com/MickLesk) ([#14159](https://github.com/community-scripts/ProxmoxVE/pull/14159))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - core: prompt to also run installed addon update scripts (…/bin/update_*) after update_script [@MickLesk](https://github.com/MickLesk) ([#14162](https://github.com/community-scripts/ProxmoxVE/pull/14162))
-
-## 2026-05-01
-
-### 🆕 New Scripts
-
-  - SoulSync ([#14124](https://github.com/community-scripts/ProxmoxVE/pull/14124))
-- Teable ([#14125](https://github.com/community-scripts/ProxmoxVE/pull/14125))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Step ca update [@heinemannj](https://github.com/heinemannj) ([#14058](https://github.com/community-scripts/ProxmoxVE/pull/14058))
-    - paperless-ngx: refresh NLTK data on update [@kurtislanderson](https://github.com/kurtislanderson) ([#14144](https://github.com/community-scripts/ProxmoxVE/pull/14144))
-    - [Pelican Panel] stop deleting the public storage [@LetterN](https://github.com/LetterN) ([#14145](https://github.com/community-scripts/ProxmoxVE/pull/14145))
-
-  - #### 🔧 Refactor
-
-    - Mail-Archiver: update dependencies [@tremor021](https://github.com/tremor021) ([#14152](https://github.com/community-scripts/ProxmoxVE/pull/14152))

ct/2fauth.sh

@@ -70,5 +70,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:80${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:80${CL}"

ct/actualbudget.sh

@@ -63,5 +63,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:5006${CL}"
+echo -e "${GATEWAY}${BGN}https://${IP}:5006${CL}"

ct/adguard.sh

@@ -38,5 +38,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/adventurelog.sh

@@ -84,5 +84,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/agentdvr.sh

@@ -61,5 +61,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8090${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8090${CL}"

ct/alpine-adguard.sh

@@ -43,5 +43,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-bitmagnet.sh

@@ -85,5 +85,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3333${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3333${CL}"

ct/alpine-borgbackup-server.sh

@@ -104,5 +104,5 @@ description
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW}Connection information:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}ssh backup@${IP}${CL}"
+echo -e "${GATEWAY}${BGN}ssh backup@${IP}${CL}"
 echo -e "${TAB}${VERIFYPW}${YW}To set SSH key, run this script with the 'update' option and select option 2${CL}"

ct/alpine-caddy.sh

@@ -43,5 +43,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:80${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:80${CL}"

ct/alpine-forgejo.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-garage.sh

@@ -60,5 +60,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/alpine-gatus.sh

@@ -58,5 +58,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/alpine-gitea.sh

@@ -43,5 +43,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-grafana.sh

@@ -55,5 +55,6 @@ build_container
 description
 
 msg_ok "Completed successfully!\n"
-echo -e "${APP} should be reachable by going to the following URL.
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-         ${BL}http://${IP}:3000${CL} \n"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-ironclaw.sh

@@ -66,6 +66,6 @@ echo -e "${TAB}${TAB}${BGN}/usr/local/bin/ironclaw onboard${CL}"
 echo -e "${TAB}2. Start the service:${CL}"
 echo -e "${TAB}${TAB}${BGN}rc-service ironclaw start${CL}"
 echo -e "${TAB}3. Access the Web UI at:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"
 echo -e "${INFO}${YW} Use Gateway Authentication Token to login:${CL}"
 echo -e "${TAB}${TAB}${BGN}cat /root/.ironclaw/gateway.creds${CL}"

ct/alpine-it-tools.sh

@@ -51,5 +51,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/alpine-komodo.sh

@@ -72,5 +72,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9120${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9120${CL}"

ct/alpine-loki.sh

@@ -54,8 +54,9 @@ start
 build_container
 description
 
-msg_ok "Completed Successfully!\n"
+msg_ok "Completed successfully!\n"
-echo -e "${APP} should be reachable by going to the following URL.
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-         ${BL}http://${IP}:3100${CL} \n"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "Promtail should be reachable by going to the following URL.
+echo -e "${GATEWAY}${BGN}http://${IP}:3100${CL}"
-         ${BL}http://${IP}:9080${CL} \n"
+echo -e "${INFO}${YW}Access Promtail using the following URL:${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9080${CL}"

ct/alpine-mariadb.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}${IP}:3306${CL}"
+echo -e "${GATEWAY}${BGN}${IP}:3306${CL}"

ct/alpine-nextcloud.sh

@@ -57,5 +57,6 @@ build_container
 description
 
 msg_ok "Completed successfully!\n"
-echo -e "${APP} should be reachable by going to the following URL.
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-         ${BL}https://${IP}${CL} \n"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
+echo -e "${GATEWAY}${BGN}https://${IP}${CL}"

ct/alpine-node-red.sh

@@ -46,5 +46,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:1880${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:1880${CL}"

ct/alpine-ntfy.sh

@@ -45,5 +45,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/alpine-postgresql.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}${IP}:5432${CL}"
+echo -e "${GATEWAY}${BGN}${IP}:5432${CL}"

ct/alpine-prometheus.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9090${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9090${CL}"

ct/alpine-rclone.sh

@@ -48,5 +48,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-redis.sh

@@ -58,5 +58,6 @@ build_container
 description
 
 msg_ok "Completed successfully!\n"
-echo -e "${APP} should be reachable on port 6379.
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-         ${BL}redis-cli -h ${IP} -p 6379${CL} \n"
+echo -e "${INFO}${YW}Connect to Redis CLI using the following command:${CL}"
+echo -e "${GATEWAY}${BGN}redis-cli -h ${IP} -p 6379${CL}"

ct/alpine-redlib.sh

@@ -51,5 +51,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5252${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:5252${CL}"

ct/alpine-rustdeskserver.sh

@@ -72,5 +72,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:21114${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:21114${CL}"

ct/alpine-rustypaste.sh

@@ -46,5 +46,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8000${CL}"

ct/alpine-syncthing.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8384${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8384${CL}"

ct/alpine-teamspeak-server.sh

@@ -54,5 +54,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}${IP}:9987${CL}"
+echo -e "${GATEWAY}${BGN}${IP}:9987${CL}"

ct/alpine-tinyauth.sh

@@ -73,5 +73,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-traefik.sh

@@ -40,4 +40,4 @@ description
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} WebUI Access (if configured) - using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080/dashboard${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8080/dashboard${CL}"

ct/alpine-transmission.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9091${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9091${CL}"

ct/alpine-valkey.sh

@@ -59,5 +59,6 @@ build_container
 description
 
 msg_ok "Completed successfully!\n"
-echo -e "${APP} should be reachable on port 6379.
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-         ${BL}valkey-cli -h ${IP} -p 6379${CL} \n"
+echo -e "${INFO}${YW}Connect to Valkey CLI using the following command:${CL}"
+echo -e "${GATEWAY}${BGN}valkey-cli -h ${IP} -p 6379${CL}"

ct/alpine-vaultwarden.sh

@@ -60,5 +60,6 @@ build_container
 description
 
 msg_ok "Completed successfully!\n"
-echo -e "${APP} should be reachable by going to the following URL.
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-         ${BL}https://${IP}:8000${CL} \n"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
+echo -e "${GATEWAY}${BGN}https://${IP}:8000${CL}"

ct/alpine-wakapi.sh

@@ -68,5 +68,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/alpine-wireguard.sh

@@ -47,5 +47,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} WGDashboard Access it using the following URL:${CL}"
+echo -e "${INFO}${YW} WGDashboardAccess it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:10086${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:10086${CL}"

ct/ampache.sh

@@ -68,5 +68,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}/install.php${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}/install.php${CL}"

ct/anchor.sh

@@ -80,5 +80,5 @@ description
 
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/anytype-server.sh

@@ -62,7 +62,7 @@ description
 
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:33010${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:33010${CL}"
 echo -e "${INFO}${YW} Client config file:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}/opt/anytype/data/client-config.yml${CL}"
+echo -e "${GATEWAY}${BGN}/opt/anytype/data/client-config.yml${CL}"

ct/apache-couchdb.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5984/_utils/${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:5984/_utils/${CL}"

ct/apache-guacamole.sh

@@ -227,5 +227,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080/guacamole${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8080/guacamole${CL}"

ct/apache-tika.sh

@@ -59,5 +59,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9998${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9998${CL}"

ct/apache-tomcat.sh

@@ -102,5 +102,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/apprise-api.sh

@@ -72,5 +72,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8000${CL}"

ct/apt-cacher-ng.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3142/acng-report.html${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3142/acng-report.html${CL}"

ct/archivebox.sh

@@ -62,5 +62,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000/admin/login${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8000/admin/login${CL}"

ct/argus.sh

@@ -49,5 +49,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/aria2.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:6880${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:6880${CL}"

ct/audiobookshelf.sh

@@ -43,5 +43,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:13378${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:13378${CL}"

ct/authelia.sh

@@ -45,5 +45,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9091 or https://auth.YOURDOMAIN ${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9091 or https://auth.YOURDOMAIN ${CL}"

ct/authentik.sh

@@ -8,7 +8,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 APP="authentik"
 var_tags="${var_tags:-auth}"
 var_cpu="${var_cpu:-4}"
-var_ram="${var_ram:-4096}"
+var_ram="${var_ram:-8192}"
 var_disk="${var_disk:-16}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
@@ -30,12 +30,20 @@ function update_script() {
     exit
   fi
 
+  read -r MAJOR MINOR PATCH <<< "$(sed 's/^version\///; s/\./ /g' "$HOME/.authentik")"
+
+  msg_info "Update dependencies"
+  ensure_dependencies crossbuild-essential-amd64 gcc-x86-64-linux-gnu cmake clang libunwind-18-dev
+  msg_ok "Update dependencies"
+
   NODE_VERSION="24" setup_nodejs
   setup_go
   UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
-  setup_rust
+  RUST_PROFILE="minimal" RUST_TOOLCHAIN="stable" setup_rust
+  setup_yq
 
-  AUTHENTIK_VERSION="version/2026.2.3"
+  AUTHENTIK_VERSION="version/2026.5.2"
+  # Source: https://github.com/goauthentik/fips/blob/main/Makefile#L26
   XMLSEC_VERSION="1.3.11"
 
   if check_for_gh_release "geoipupdate" "maxmind/geoipupdate"; then
@@ -71,7 +79,13 @@ function update_script() {
 
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
 
-    msg_info "Updating web"
+	msg_info "Configuring rust"
+	cd /opt/authentik
+	$STD rustup install
+	$STD rustup default "$(sed -n 's/channel = "\(.*\)"/\1/p' rust-toolchain.toml)"
+	msg_ok "Configured rust"
+
+	msg_info "Updating web"
     cd /opt/authentik/web
     export NODE_ENV="production"
     $STD npm install
@@ -89,6 +103,14 @@ function update_script() {
 	$STD go build -o /opt/authentik/radius ./cmd/radius
     msg_ok "Updated go proxy"
 
+	msg_info "Building worker"
+	export AWS_LC_FIPS_SYS_CC="clang"
+	cd /opt/authentik
+	$STD cargo build --package authentik --no-default-features --features core --locked --release --jobs 1
+	cp ./target/release/authentik /opt/authentik/authentik-worker
+	rm -r ./target
+	msg_ok "Built worker"
+
     msg_info "Updating python server"
     export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
     export UV_COMPILE_BYTECODE="1"
@@ -100,6 +122,103 @@ function update_script() {
     $STD uv sync --frozen --no-install-project --no-dev
     chown -R authentik:authentik /opt/authentik
     msg_ok "Updated python server"
+
+    if [[ $MAJOR == 2026 && $MINOR -lt 5 ]]; then
+	  msg_info "Updating Worker and Server config"
+	  cp /etc/authentik/config.yml /etc/authentik/config.bak
+	  yq -i ".postgresql.conn_max_age = 0" /etc/authentik/config.yml
+	  yq -i ".postgresql.conn_health_checks = false" /etc/authentik/config.yml
+	  yq -i ".listen.debug_tokio = \"[::]:6669\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.console_subscriber = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.h2 = \"info\""  /etc/authentik/config.yml
+      yq -i ".log.rust_log.hyper_util = \"warn\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.mio = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.notify = \"info\"" /etc/authentik/config.yml
+	  yq -i ".log.rust_log.reqwest = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.runtime = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.rustls = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.sqlx = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.sqlx_postgres = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.tokio = \"info\"" /etc/authentik/config.yml
+      yq -i ".log.rust_log.tungstenite = \"info\"" /etc/authentik/config.yml
+	  yq -i ".web.workers = 2" /etc/authentik/config.yml
+	  mv /etc/default/authentik /etc/default/authentik.bak
+	  cat <<EOF >/etc/default/authentik-server
+TMPDIR=/dev/shm/
+UV_LINK_MODE=copy
+UV_PYTHON_DOWNLOADS=0
+UV_NATIVE_TLS=1
+VENV_PATH=/opt/authentik/.venv
+PYTHONDONTWRITEBYTECODE=1
+PYTHONUNBUFFERED=1
+PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+DJANGO_SETTINGS_MODULE=authentik.root.settings
+PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
+AUTHENTIK_LISTEN__HTTP="[::]:9000"
+AUTHENTIK_LISTEN__HTTPS="[::]:9443"
+AUTHENTIK_LISTEN__METRICS="[::]:9300"
+EOF
+	  cat <<EOF >/etc/default/authentik-worker
+TMPDIR=/dev/shm/
+UV_LINK_MODE=copy
+UV_PYTHON_DOWNLOADS=0
+UV_NATIVE_TLS=1
+VENV_PATH=/opt/authentik/.venv
+PYTHONDONTWRITEBYTECODE=1
+PYTHONUNBUFFERED=1
+PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+DJANGO_SETTINGS_MODULE=authentik.root.settings
+PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
+AUTHENTIK_LISTEN__HTTP="[::]:8000"
+AUTHENTIK_LISTEN__HTTPS="[::]:8443"
+AUTHENTIK_LISTEN__METRICS="[::]:8300"
+EOF
+	  msg_ok "Updated Worker and Server config!"
+	  msg_warn "Please check /etc/default/authentik-worker and /etc/default/authentik-server config files for port configurations!"
+
+	  msg_info "Updating services"
+	  cat <<EOF >/etc/systemd/system/authentik-server.service
+[Unit]
+Description=authentik Go Server (API Gateway)
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
+ExecStart=/opt/authentik/authentik-server
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik-server
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+	  cat <<EOF >/etc/systemd/system/authentik-worker.service
+[Unit]
+Description=authentik Worker
+After=network.target postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+Type=simple
+EnvironmentFile=/etc/default/authentik-worker
+ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
+ExecStart=/opt/authentik/authentik-worker worker
+WorkingDirectory=/opt/authentik
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+	  systemctl daemon-reload
+	  msg_ok "Updated services"
+	fi
   fi
 
   msg_info "Starting Services"
@@ -150,7 +269,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Initial setup URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000/if/flow/initial-setup/${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:9443${CL}"

ct/autobrr.sh

@@ -50,5 +50,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:7474${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:7474${CL}"

ct/autocaliweb.sh

@@ -81,5 +81,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8083${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8083${CL}"

ct/babybuddy.sh

@@ -73,5 +73,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/backrest.sh

@@ -50,5 +50,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9898${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9898${CL}"

ct/baikal.sh

@@ -66,5 +66,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/bambuddy.sh

@@ -87,5 +87,5 @@ description
 
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8000${CL}"

ct/bar-assistant.sh

@@ -100,5 +100,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/bazarr.sh

@@ -66,5 +66,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:6767${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:6767${CL}"

ct/bentopdf.sh

@@ -156,5 +156,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:8443${CL}"
+echo -e "${GATEWAY}${BGN}https://${IP}:8443${CL}"

ct/beszel.sh

@@ -55,5 +55,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following IP:${CL}"
+echo -e "${INFO}${YW}Access it using the following IP:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8090${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8090${CL}"

ct/bichon.sh

@@ -132,5 +132,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:15630${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:15630${CL}"

ct/birdnet-go.sh

@@ -61,5 +61,5 @@ description
 
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/bitfocus-companion.sh

@@ -67,5 +67,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8000${CL}"

ct/bitmagnet.sh

@@ -86,5 +86,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3333${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3333${CL}"

ct/blocky.sh

@@ -57,5 +57,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/bookstack.sh

@@ -76,5 +76,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/bunkerweb.sh

@@ -52,5 +52,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}/setup${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}/setup${CL}"

ct/byparr.sh

@@ -98,5 +98,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8191${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8191${CL}"

ct/bytestash.sh

@@ -76,5 +76,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/caddy.sh

@@ -54,5 +54,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:80${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:80${CL}"

ct/calibre-web.sh

@@ -70,5 +70,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8083${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8083${CL}"

ct/casaos.sh

@@ -42,5 +42,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/certimate.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://certimate.me/
+
+APP="Certimate"
+var_tags="${var_tags:-ssl;certificates;acme;automation}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-256}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_arm64="${var_arm64:-no}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /opt/certimate/certimate ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "certimate" "certimate-go/certimate"; then
+    msg_info "Stopping Service"
+    systemctl stop certimate
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    cp -r /opt/certimate/pb_data /opt/certimate_pb_data_backup
+    msg_ok "Backed up Data"
+
+    fetch_and_deploy_gh_release "certimate" "certimate-go/certimate" "prebuild" "latest" "/opt/certimate" "certimate_*_linux_amd64.zip"
+
+    msg_info "Restoring Data"
+    cp -r /opt/certimate_pb_data_backup/. /opt/certimate/pb_data
+    rm -rf /opt/certimate_pb_data_backup
+    msg_ok "Restored Data"
+
+    msg_info "Starting Service"
+    systemctl start certimate
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8090${CL}"

ct/changedetection.sh

@@ -34,13 +34,32 @@ function update_script() {
 
   NODE_VERSION="24" setup_nodejs
 
-  msg_info "Updating ${APP}"
+  VENV_PATH="/opt/changedetection/.venv"
-  $STD pip3 install changedetection.io --upgrade --break-system-packages --ignore-installed typing_extensions
+  CHANGEDETECTION_BIN="${VENV_PATH}/bin/changedetection.io"
-  msg_ok "Updated ${APP}"
 
-  msg_info "Updating Playwright"
+  PYTHON_VERSION="3.13" setup_uv
-  $STD pip3 install playwright --upgrade --break-system-packages
+
-  msg_ok "Updated Playwright"
+  if [[ ! -d "$VENV_PATH" || ! -x "$CHANGEDETECTION_BIN" ]]; then
+    msg_info "Migrating to uv/venv"
+    rm -rf "$VENV_PATH"
+    $STD uv venv --clear "$VENV_PATH"
+    $STD "$VENV_PATH/bin/python" -m ensurepip --upgrade
+    $STD "$VENV_PATH/bin/python" -m pip install --upgrade pip
+    $STD "$VENV_PATH/bin/python" -m pip install changedetection.io playwright
+    msg_ok "Migrated to uv/venv"
+  else
+    msg_info "Updating ${APP}"
+    $STD "$VENV_PATH/bin/python" -m pip install --upgrade changedetection.io playwright
+    msg_ok "Updated ${APP}"
+  fi
+
+  SERVICE_FILE="/etc/systemd/system/changedetection.service"
+  if ! grep -q "${VENV_PATH}/bin/changedetection.io" "$SERVICE_FILE"; then
+    msg_info "Updating systemd service"
+    sed -i "s|^ExecStart=.*|ExecStart=${VENV_PATH}/bin/changedetection.io -d /opt/changedetection -p 5000|" "$SERVICE_FILE"
+    $STD systemctl daemon-reload
+    msg_ok "Updated systemd service"
+  fi
 
   if [[ -f /etc/systemd/system/browserless.service ]]; then
     msg_info "Updating Browserless (Patience)"
@@ -74,5 +93,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:5000${CL}"

ct/channels.sh

@@ -39,5 +39,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8089${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8089${CL}"

ct/checkmate.sh

@@ -75,5 +75,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}${CL}"

ct/checkmk.sh

@@ -57,5 +57,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}/monitoring${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}/monitoring${CL}"

ct/cleanuparr.sh

@@ -57,5 +57,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:11011${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:11011${CL}"

ct/cliproxyapi.sh

@@ -52,5 +52,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8317${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8317${CL}"

ct/cloudreve.sh

@@ -50,5 +50,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5212${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:5212${CL}"

ct/cockpit.sh

@@ -43,5 +43,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9090${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:9090${CL}"

ct/comfyui.sh

@@ -40,5 +40,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8188${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8188${CL}"

ct/commafeed.sh

@@ -65,5 +65,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8082${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8082${CL}"

ct/configarr.sh

@@ -53,5 +53,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL (no web-ui):${CL}"
+echo -e "${INFO}${YW}Access it using the following URL (no web-ui):${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8989${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8989${CL}"

ct/convertx.sh

@@ -65,5 +65,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/coolify.sh

@@ -68,5 +68,5 @@ description
 
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${INFO}${YW}Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
+echo -e "${GATEWAY}${BGN}http://${IP}:8000${CL}"

ct/coredns.sh

@@ -54,4 +54,4 @@ description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} CoreDNS is listening on port 53 (DNS)${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}dns://${IP}${CL}"
+echo -e "${GATEWAY}${BGN}dns://${IP}${CL}"