fix(workflow): only flag node drift when local is behind upstream

Update the node version drift check to count drift only when our script version is lower than upstream, so newer local versions no longer create false-positive drift issues.
2026-06-02 21:59:35 +02:00 · 2026-06-02 09:00:53 +02:00
28 changed files with 80 additions and 1159 deletions
--- a/.github/workflows/close-new-script-prs.yml
+++ b/.github/workflows/close-new-script-prs.yml
@@ -3,7 +3,7 @@ name: Close Unauthorized New Script PRs
 on:
  pull_request_target:
    branches: ["main"]
-    types: [opened, labeled, reopened, synchronize]
+    types: [opened, labeled]
 jobs:
  check-new-script:
@@ -24,6 +24,13 @@ jobs:
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            // --- Only act on PRs with the "new script" label ---
            const labels = pr.labels.map(l => l.name);
            if (!labels.includes("new script")) {
              core.info(`PR #${prNumber} does not have "new script" label — skipping.`);
              return;
            }
            // --- Allow our bots ---
            const allowedBots = [
              "push-app-to-main[bot]",
@@ -35,40 +42,38 @@ jobs:
              return;
            }
-            // --- Exempt contributors via author_association ---
+            // --- Check if author is a member of the contributor team ---
-            // OWNER/MEMBER/COLLABORATOR are trusted; CONTRIBUTOR ("has merged before")
+            const teamSlug = "contributor";
-            // and NONE are not — their new-script PRs are still closed.
+            let isMember = false;
            const association = pr.author_association;
            const exempt = ["OWNER", "MEMBER", "COLLABORATOR"];
            if (exempt.includes(association)) {
              core.info(`PR #${prNumber} by ${association} "${author}" — skipping.`);
              return;
            }
            // --- Detect a new-script PR: "new script" label OR a newly-added
            //     script file under ct/ install/ turnkey/ vm/ (mirrors
            //     autolabeler-config.json). Removes the label-timing dependency. ---
            const labels = pr.labels.map(l => l.name);
            const hasNewScriptLabel = labels.includes("new script");
            const scriptPrefixes = ["ct/", "install/", "turnkey/", "vm/"];
            let hasAddedScriptFile = false;
            try {
-              const files = await github.paginate(github.rest.pulls.listFiles, {
+              const { status } = await github.rest.teams.getMembershipForUserInOrg({
-                owner,
+                org: owner,
-                repo,
+                team_slug: teamSlug,
-                pull_number: prNumber,
+                username: author,
                per_page: 100,
              });
-              hasAddedScriptFile = files.some(
+              // status 200 means the user is a member (active or pending)
-                f => f.status === "added" && scriptPrefixes.some(p => f.filename.startsWith(p))
+              isMember = true;
              );
            } catch (error) {
-              core.warning(`Could not list files for PR #${prNumber}: ${error.message}`);
+              if (error.status === 404) {
                isMember = false;
              } else {
                core.warning(`Could not check team membership for ${author}: ${error.message}`);
                // Fallback: check org membership
                try {
                  await github.rest.orgs.checkMembershipForUser({
                    org: owner,
                    username: author,
                  });
                  isMember = true;
                } catch {
                  isMember = false;
                }
              }
            }
-            if (!hasNewScriptLabel && !hasAddedScriptFile) {
+            if (isMember) {
-              core.info(`PR #${prNumber} is not a new-script submission (no label, no added script file) — skipping.`);
+              core.info(`PR #${prNumber} by contributor "${author}" — skipping.`);
              return;
            }
--- a/.github/workflows/close_issue_in_dev.yaml
+++ b/.github/workflows/close_issue_in_dev.yaml
@@ -56,57 +56,46 @@ jobs:
          echo "$slugs" > pocketbase_slugs.txt
          echo "count=$(echo $slugs | wc -w)" >> "$GITHUB_OUTPUT"
-      - name: Find matching issues in ProxmoxVED by slug
+      - name: Search for Issues with Similar Titles
        id: find_issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          if [[ ! -s pocketbase_slugs.txt ]]; then
+          issues=$(gh issue list --repo community-scripts/ProxmoxVED --json number,title --jq '.[] | {number, title}')
            echo "No slugs derived from PR — nothing to match."
            echo "issue_numbers=" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          slugs=$(cat pocketbase_slugs.txt)
-          # Normalize: lowercase, strip spaces and hyphens (same shape as the slug derivation)
+          best_match_score=0
-          norm() { echo "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]//g; s/-//g'; }
+          best_match_number=0
-          issues=$(gh issue list --repo community-scripts/ProxmoxVED --state open --limit 1000 --json number,title,body)
+          for issue in $(echo "$issues" | jq -r '. | @base64'); do
            _jq() {
              echo ${issue} | base64 --decode | jq -r ${1}
            }
-          matched=""
+            issue_title=$(_jq '.title' | tr '[:upper:]' '[:lower:]' | sed 's/ //g' | sed 's/-//g')
-          for slug in $slugs; do
+            issue_number=$(_jq '.number')
-            nslug=$(norm "$slug")
+
-            [[ -z "$nslug" ]] && continue
+            match_score=$(echo "$title" | grep -o "$issue_title" | wc -l)
-            while IFS= read -r row; do
+            
-              num=$(echo "$row" | jq -r '.number')
+            if [ "$match_score" -gt "$best_match_score" ]; then
-              ntitle=$(norm "$(echo "$row" | jq -r '.title')")
+              best_match_score=$match_score
-              body=$(echo "$row" | jq -r '.body // ""' | tr '[:upper:]' '[:lower:]')
+              best_match_number=$issue_number
-              # Match when the issue title contains the slug, or the body mentions it verbatim
+            fi
              if [[ "$ntitle" == *"$nslug"* ]] || [[ "$body" == *"$slug"* ]]; then
                matched="$matched $num"
              fi
            done < <(echo "$issues" | jq -c '.[]')
          done
-          matched=$(echo $matched | xargs -n1 2>/dev/null | sort -un | tr '\n' ' ')
+          if [ "$best_match_number" != "0" ]; then
-          if [[ -z "$matched" ]]; then
+            echo "issue_number=$best_match_number" >> $GITHUB_ENV
-            echo "No matching ProxmoxVED issues found for slugs: $slugs"
+          else
-            echo "issue_numbers=" >> "$GITHUB_OUTPUT"
+            echo "No matching issue found."
            exit 0
          fi
          echo "Matched ProxmoxVED issues: $matched"
          echo "issue_numbers=$matched" >> "$GITHUB_OUTPUT"
-      - name: Comment on and close matching ProxmoxVED issues
+      - name: Comment on the Best-Matching Issue and Close It
-        if: steps.find_issue.outputs.issue_numbers != ''
+        if: env.issue_number != ''
        env:
          GH_TOKEN: ${{ secrets.PAT_MICHEL }}
        run: |
-          for issue_number in ${{ steps.find_issue.outputs.issue_numbers }}; do
+          gh issue comment $issue_number --repo community-scripts/ProxmoxVED --body "Merged with #${{ github.event.pull_request.number }} in ProxmoxVE"
-            echo "Closing ProxmoxVED issue #$issue_number"
+          gh issue close $issue_number --repo community-scripts/ProxmoxVED
            gh issue comment "$issue_number" --repo community-scripts/ProxmoxVED --body "Merged with #${{ github.event.pull_request.number }} in ProxmoxVE"
            gh issue close "$issue_number" --repo community-scripts/ProxmoxVED
          done
      - name: Set is_dev to false in PocketBase
        if: steps.get_slugs.outputs.count != '0'
--- a/.github/workflows/lock-issue.yaml
+++ b/.github/workflows/lock-issue.yaml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/github-script@v7
        with:
          script: |
-            const daysBeforeLock = 7;
+            const daysBeforeLock = 3;
            const lockDate = new Date();
            lockDate.setDate(lockDate.getDate() - daysBeforeLock);
@@ -28,7 +28,7 @@ jobs:
              /dependabot/i
            ];
-            // Search for closed, unlocked issues older than 7 days (paginated, oldest first)
+            // Search for closed, unlocked issues older than 3 days (paginated, oldest first)
            let page = 1;
            let totalLocked = 0;
--- a/.github/workflows/pocketbase-ai-bot.yml
+++ b/.github/workflows/pocketbase-ai-bot.yml
@@ -1,610 +0,0 @@
 name: PocketBase AI Bot
 # Natural-language companion to pocketbase-bot.yml.
 # Mention the bot in plain English, e.g.:
 #   @pocketbase-bot change RAM to 4096 on zigbee2mqtt
 #   @pocketbase-bot disable script Nextcloud because upstream is broken
 # The bot parses the request with GitHub Models, replies with the exact change(s)
 # it understood, and only applies them after you reply "@pocketbase-bot confirm".
 # The slash-command bot (/pocketbase ...) is unaffected; triggers do not overlap.
 on:
  issue_comment:
    types: [created]
 permissions:
  models: read # lets the built-in GITHUB_TOKEN call GitHub Models inference
  contents: write # built-in token opens the CT-defaults sync PR (like the slash bot)
  pull-requests: write
 jobs:
  ai-bot:
    runs-on: self-hosted
    # Broad gate; the script does precise keyword + self-author checks.
    if: contains(github.event.comment.body, '@pocketbase-bot')
    steps:
      - name: Mint GitHub App token (bot identity)
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PB_BOT_APP_ID }}
          private-key: ${{ secrets.PB_BOT_APP_PRIVATE_KEY }}
      - name: Run PocketBase AI bot
        env:
          # GitHub REST as the bot identity
          GH_APP_TOKEN: ${{ steps.app-token.outputs.token }}
          PB_BOT_APP_ID: ${{ secrets.PB_BOT_APP_ID }}
          # GitHub Models inference uses the built-in token (needs models: read)
          MODELS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Built-in token for git/PR ops (CT-defaults sync), mirroring the slash bot
          GH_DEFAULT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AI_MODEL: openai/gpt-4o
          # PocketBase
          POCKETBASE_URL: ${{ secrets.POCKETBASE_URL }}
          POCKETBASE_COLLECTION: ${{ secrets.POCKETBASE_COLLECTION }}
          POCKETBASE_ADMIN_EMAIL: ${{ secrets.POCKETBASE_ADMIN_EMAIL }}
          POCKETBASE_ADMIN_PASSWORD: ${{ secrets.POCKETBASE_ADMIN_PASSWORD }}
          FRONTEND_URL: ${{ secrets.FRONTEND_URL }}
          REVALIDATE_SECRET: ${{ secrets.REVALIDATE_SECRET }}
          # Event context
          COMMENT_BODY: ${{ github.event.comment.body }}
          COMMENT_ID: ${{ github.event.comment.id }}
          COMMENT_AUTHOR_TYPE: ${{ github.event.comment.user.type }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          REPO_OWNER: ${{ github.repository_owner }}
          REPO_NAME: ${{ github.event.repository.name }}
          ACTOR: ${{ github.event.comment.user.login }}
          ACTOR_ASSOCIATION: ${{ github.event.comment.author_association }}
        run: |
          node << 'ENDSCRIPT'
          (async function () {
            const https = require('https');
            const http = require('http');
            const url = require('url');
            // ── HTTP helper with redirect following ────────────────────────────
            function request(fullUrl, opts, redirectCount) {
              redirectCount = redirectCount || 0;
              return new Promise(function (resolve, reject) {
                const u = url.parse(fullUrl);
                const isHttps = u.protocol === 'https:';
                const body = opts.body;
                const options = {
                  hostname: u.hostname,
                  port: u.port || (isHttps ? 443 : 80),
                  path: u.path,
                  method: opts.method || 'GET',
                  headers: opts.headers || {}
                };
                if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
                const lib = isHttps ? https : http;
                const req = lib.request(options, function (res) {
                  if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
                    if (redirectCount >= 5) return reject(new Error('Too many redirects from ' + fullUrl));
                    const redirectUrl = url.resolve(fullUrl, res.headers.location);
                    res.resume();
                    resolve(request(redirectUrl, opts, redirectCount + 1));
                    return;
                  }
                  let data = '';
                  res.on('data', function (chunk) { data += chunk; });
                  res.on('end', function () {
                    resolve({ ok: res.statusCode >= 200 && res.statusCode < 300, statusCode: res.statusCode, body: data });
                  });
                });
                req.on('error', reject);
                if (body) req.write(body);
                req.end();
              });
            }
            // ── GitHub REST (as the bot app) ───────────────────────────────────
            const owner = process.env.REPO_OWNER;
            const repo = process.env.REPO_NAME;
            const issueNumber = parseInt(process.env.ISSUE_NUMBER, 10);
            const commentId = parseInt(process.env.COMMENT_ID, 10);
            const actor = process.env.ACTOR;
            function ghRequest(path, method, body) {
              const headers = {
                'Authorization': 'Bearer ' + process.env.GH_APP_TOKEN,
                'Accept': 'application/vnd.github+json',
                'X-GitHub-Api-Version': '2022-11-28',
                'User-Agent': 'PocketBase-AI-Bot'
              };
              const bodyStr = body ? JSON.stringify(body) : undefined;
              if (bodyStr) headers['Content-Type'] = 'application/json';
              return request('https://api.github.com' + path, { method: method || 'GET', headers, body: bodyStr });
            }
            // Same as ghRequest but authenticated with the built-in GITHUB_TOKEN.
            // Used for the CT-defaults sync branch/PR (the App token lacks contents:write).
            function ghDefault(path, method, body) {
              const headers = {
                'Authorization': 'Bearer ' + process.env.GH_DEFAULT_TOKEN,
                'Accept': 'application/vnd.github+json',
                'X-GitHub-Api-Version': '2022-11-28',
                'User-Agent': 'PocketBase-AI-Bot'
              };
              const bodyStr = body ? JSON.stringify(body) : undefined;
              if (bodyStr) headers['Content-Type'] = 'application/json';
              return request('https://api.github.com' + path, { method: method || 'GET', headers, body: bodyStr });
            }
            async function addReaction(content) {
              try {
                await ghRequest('/repos/' + owner + '/' + repo + '/issues/comments/' + commentId + '/reactions', 'POST', { content });
              } catch (e) { console.warn('Could not add reaction:', e.message); }
            }
            async function postComment(text) {
              const res = await ghRequest('/repos/' + owner + '/' + repo + '/issues/' + issueNumber + '/comments', 'POST', { body: text });
              if (!res.ok) console.warn('Could not post comment:', res.body);
              return res.ok ? JSON.parse(res.body) : null;
            }
            async function updateComment(id, text) {
              const res = await ghRequest('/repos/' + owner + '/' + repo + '/issues/comments/' + id, 'PATCH', { body: text });
              if (!res.ok) console.warn('Could not update comment:', res.body);
            }
            async function listIssueComments() {
              const all = [];
              let page = 1;
              while (page <= 10) {
                const res = await ghRequest('/repos/' + owner + '/' + repo + '/issues/' + issueNumber + '/comments?per_page=100&page=' + page);
                if (!res.ok) break;
                const batch = JSON.parse(res.body);
                all.push.apply(all, batch);
                if (batch.length < 100) break;
                page++;
              }
              return all;
            }
            // ── 1. Self-trigger guard (App-token comments DO re-fire this event) ─
            if (process.env.COMMENT_AUTHOR_TYPE === 'Bot') {
              console.log('Comment authored by a bot — skipping to avoid loops.');
              return;
            }
            // ── 2. Permission gate (mirrors the slash bot) ─────────────────────
            const association = process.env.ACTOR_ASSOCIATION;
            if (association !== 'OWNER' && association !== 'MEMBER') {
              await addReaction('-1');
              await postComment(
                '❌ **PocketBase AI Bot**: @' + actor + ' is not authorized to use this command.\n' +
                'Only org members (Contributors team) can use `@pocketbase-bot`.'
              );
              return;
            }
            // ── 3. Extract the instruction after the @pocketbase-bot handle ────
            const commentBody = process.env.COMMENT_BODY || '';
            const handleMatch = commentBody.match(/@pocketbase-bot(\[bot\])?/i);
            if (!handleMatch) {
              console.log('No @pocketbase-bot handle found — ignoring.');
              return;
            }
            const instruction = commentBody.slice(handleMatch.index + handleMatch[0].length).trim();
            if (!instruction) {
              await addReaction('-1');
              await postComment(
                'ℹ️ **PocketBase AI Bot**: Tell me what to do, e.g.\n' +
                '`@pocketbase-bot change RAM to 4096 on zigbee2mqtt` or `@pocketbase-bot disable script Nextcloud`.'
              );
              return;
            }
            // ── PocketBase auth + low-level helpers ────────────────────────────
            const pbRaw = process.env.POCKETBASE_URL.replace(/\/$/, '');
            const apiBase = /\/api$/i.test(pbRaw) ? pbRaw : pbRaw + '/api';
            const coll = process.env.POCKETBASE_COLLECTION;
            const recordsUrl = apiBase + '/collections/' + encodeURIComponent(coll) + '/records';
            async function pbAuth() {
              const res = await request(apiBase + '/collections/users/auth-with-password', {
                method: 'POST',
                headers: { 'Content-Type': 'application/json' },
                body: JSON.stringify({ identity: process.env.POCKETBASE_ADMIN_EMAIL, password: process.env.POCKETBASE_ADMIN_PASSWORD })
              });
              if (!res.ok) throw new Error('PocketBase auth failed: ' + res.body);
              return JSON.parse(res.body).token;
            }
            async function pbFindRecord(token, slug) {
              const filter = "(slug='" + String(slug).replace(/'/g, "''") + "')";
              const res = await request(recordsUrl + '?filter=' + encodeURIComponent(filter) + '&perPage=1', { headers: { 'Authorization': token } });
              const list = JSON.parse(res.body);
              return list.items && list.items[0];
            }
            async function pbPatch(token, id, payload) {
              return request(recordsUrl + '/' + id, {
                method: 'PATCH',
                headers: { 'Authorization': token, 'Content-Type': 'application/json' },
                body: JSON.stringify(payload)
              });
            }
            function readJsonBlob(val) {
              if (Array.isArray(val)) return val;
              try { return JSON.parse(val || '[]'); } catch (e) { return []; }
            }
            async function revalidate(s) {
              const frontendUrl = process.env.FRONTEND_URL;
              const secret = process.env.REVALIDATE_SECRET;
              if (!frontendUrl || !secret) return;
              try {
                await request(frontendUrl.replace(/\/$/, '') + '/api/revalidate', {
                  method: 'POST',
                  headers: { 'Authorization': 'Bearer ' + secret, 'Content-Type': 'application/json' },
                  body: JSON.stringify({ tags: ['scripts', 'script-' + s] })
                });
              } catch (e) { console.warn('Revalidation skipped:', e.message); }
            }
            // ── CT-defaults sync PR (copied from slash bot) ────────────────────
            function encodeContentPath(filePath) { return filePath.split('/').map(encodeURIComponent).join('/'); }
            function decodeGitHubContent(content) { return Buffer.from((content || '').replace(/\n/g, ''), 'base64').toString('utf8'); }
            function sanitizeBranchPart(value) {
              return (value || '').toLowerCase().replace(/[^a-z0-9._/-]+/g, '-').replace(/\/+/g, '/').replace(/^-+|-+$/g, '');
            }
            function applyCtDefaultChanges(scriptText, varChanges) {
              let nextText = scriptText;
              const updatedVars = [], unchangedVars = [];
              for (const [varName, rawValue] of Object.entries(varChanges)) {
                const newValue = String(rawValue);
                const pattern = new RegExp('(^\\s*' + varName + '="\\$\\{' + varName + ':-)([^"}]*)(\\}"\\s*$)', 'm');
                const match = nextText.match(pattern);
                if (!match) continue;
                if (match[2] === newValue) { unchangedVars.push(varName); continue; }
                nextText = nextText.replace(pattern, '$1' + newValue + '$3');
                updatedVars.push(varName);
              }
              return { nextText, updatedVars, unchangedVars };
            }
            async function ensureBranch(defaultBranch, branchName) {
              const ghRequest = ghDefault; // git ops run as the built-in token
              const branchRefRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/ref/heads/' + encodeURIComponent(branchName));
              if (branchRefRes.ok) return;
              const defaultRefRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/ref/heads/' + encodeURIComponent(defaultBranch));
              if (!defaultRefRes.ok) throw new Error('Could not read default branch ref: ' + defaultRefRes.body);
              const defaultRef = JSON.parse(defaultRefRes.body);
              const createBranchRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/refs', 'POST', { ref: 'refs/heads/' + branchName, sha: defaultRef.object.sha });
              if (!createBranchRes.ok) throw new Error('Could not create branch: ' + createBranchRes.body);
            }
            async function upsertCtDefaultsPr(slugValue, varChanges) {
              const ghRequest = ghDefault; // contents/PR ops run as the built-in token
              const wantedEntries = Object.entries(varChanges || {}).filter(function ([, v]) { return v !== undefined && v !== null && String(v) !== ''; });
              if (wantedEntries.length === 0) return { status: 'skipped', reason: 'No mapped CT defaults changed.' };
              const repoRes = await ghRequest('/repos/' + owner + '/' + repo);
              if (!repoRes.ok) throw new Error('Could not read repository metadata: ' + repoRes.body);
              const defaultBranch = JSON.parse(repoRes.body).default_branch;
              const ctPath = 'ct/' + slugValue + '.sh';
              const encodedCtPath = encodeContentPath(ctPath);
              const defaultFileRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath + '?ref=' + encodeURIComponent(defaultBranch));
              if (defaultFileRes.statusCode === 404) return { status: 'skipped', reason: 'No matching CT file found at `' + ctPath + '`.' };
              if (!defaultFileRes.ok) throw new Error('Could not read CT file from default branch: ' + defaultFileRes.body);
              const branchName = 'pocketbase-sync/' + sanitizeBranchPart(slugValue || 'unknown');
              await ensureBranch(defaultBranch, branchName);
              const branchFileRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath + '?ref=' + encodeURIComponent(branchName));
              if (!branchFileRes.ok) throw new Error('Could not read CT file from sync branch: ' + branchFileRes.body);
              const branchFile = JSON.parse(branchFileRes.body);
              const currentBranchText = decodeGitHubContent(branchFile.content);
              const updateResult = applyCtDefaultChanges(currentBranchText, Object.fromEntries(wantedEntries));
              if (updateResult.updatedVars.length === 0) return { status: 'skipped', reason: 'CT defaults already up to date.' };
              const putRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath, 'PUT', {
                message: 'chore(ct): sync ' + slugValue + ' defaults from PocketBase',
                content: Buffer.from(updateResult.nextText, 'utf8').toString('base64'),
                sha: branchFile.sha,
                branch: branchName
              });
              if (!putRes.ok) throw new Error('Could not update CT file: ' + putRes.body);
              const openPrRes = await ghRequest('/repos/' + owner + '/' + repo + '/pulls?state=open&head=' + encodeURIComponent(owner + ':' + branchName) + '&base=' + encodeURIComponent(defaultBranch));
              if (!openPrRes.ok) throw new Error('Could not query existing PRs: ' + openPrRes.body);
              const openPrs = JSON.parse(openPrRes.body);
              if (openPrs.length > 0) return { status: 'updated', prUrl: openPrs[0].html_url, updatedVars: updateResult.updatedVars };
              const createPrRes = await ghRequest('/repos/' + owner + '/' + repo + '/pulls', 'POST', {
                title: 'chore(ct): sync ' + slugValue + ' defaults with PocketBase',
                body: '## Summary\n- Sync default CT variables for `' + slugValue + '` after an `@pocketbase-bot` update.\n- Updated vars: `' + updateResult.updatedVars.join('`, `') + '`.\n\n## Source\n- Triggered by @' + actor + ' via PocketBase AI bot.\n',
                head: branchName,
                base: defaultBranch
              });
              if (!createPrRes.ok) throw new Error('Could not create PR: ' + createPrRes.body);
              return { status: 'created', prUrl: JSON.parse(createPrRes.body).html_url, updatedVars: updateResult.updatedVars };
            }
            // ── Allow-lists (mirror the slash bot) ─────────────────────────────
            const ALLOWED_FIELDS = {
              name: 'string', description: 'string', logo: 'string', documentation: 'string',
              website: 'string', project_url: 'string', github: 'string', config_path: 'string',
              tags: 'string', port: 'number', default_user: 'nullable_string', default_passwd: 'nullable_string',
              unprivileged: 'number', updateable: 'boolean', privileged: 'boolean', has_arm: 'boolean',
              is_dev: 'boolean', is_disabled: 'boolean', disable_message: 'string',
              is_deleted: 'boolean', deleted_message: 'string'
            };
            const FIELD_TO_CT_VAR = { tags: 'var_tags', unprivileged: 'var_unprivileged' };
            const RESOURCE_KEYS = { cpu: 'number', ram: 'number', hdd: 'number', os: 'string', version: 'string' };
            const METHOD_KEYS = { config_path: 'string', script: 'string' };
            const ALL_METHOD_KEYS = Object.assign({}, RESOURCE_KEYS, METHOD_KEYS);
            const RESOURCE_TO_CT_VAR = { cpu: 'var_cpu', ram: 'var_ram', hdd: 'var_disk', os: 'var_os', version: 'var_version' };
            function castFieldValue(key, rawVal) {
              const type = ALLOWED_FIELDS[key];
              if (!type) return { error: 'Unknown field `' + key + '`' };
              if (type === 'boolean') {
                if (rawVal === true || rawVal === 'true') return { value: true };
                if (rawVal === false || rawVal === 'false') return { value: false };
                return { error: '`' + key + '` must be true/false' };
              }
              if (type === 'number') {
                const n = parseInt(rawVal, 10);
                if (isNaN(n)) return { error: '`' + key + '` must be a number' };
                return { value: n };
              }
              if (type === 'nullable_string') return { value: rawVal === '' || rawVal == null ? null : String(rawVal) };
              return { value: String(rawVal) };
            }
            // ── Operation validation (used at propose AND confirm time) ────────
            // Never trust raw operations: enforce the field/op allow-lists and
            // re-cast values. Returns only well-formed, allowed operations.
            function sanitizeOperations(ops) {
              const validOps = [], problems = [];
              for (const op of (Array.isArray(ops) ? ops : [])) {
                if (op && op.kind === 'field') {
                  const cast = castFieldValue(op.field, op.value);
                  if (cast.error) { problems.push(cast.error); continue; }
                  validOps.push({ kind: 'field', field: op.field, value: cast.value });
                } else if (op && op.kind === 'note' && ['add', 'edit', 'remove'].includes(op.action)) {
                  validOps.push({ kind: 'note', action: op.action, type: String(op.type || ''), text: op.text, newText: op.newText });
                } else if (op && op.kind === 'method' && ['add', 'edit', 'remove'].includes(op.action)) {
                  const changes = {};
                  for (const [k, v] of Object.entries(op.changes || {})) { if (ALL_METHOD_KEYS[k]) changes[k] = v; }
                  validOps.push({ kind: 'method', action: op.action, type: String(op.type || 'default'), changes });
                } else {
                  problems.push('Unsupported operation: `' + JSON.stringify(op) + '`');
                }
              }
              return { validOps, problems };
            }
            // ── Executor: apply a validated {slug, operations} set ─────────────
            async function applyOperations(action) {
              const token = await pbAuth();
              const record = await pbFindRecord(token, action.slug);
              if (!record) return { ok: false, summary: '❌ No PocketBase record for slug `' + action.slug + '`.' };
              const fieldPayload = {};
              let notesArr = readJsonBlob(record.notes);
              let methodsArr = readJsonBlob(record.install_methods);
              let notesChanged = false, methodsChanged = false;
              const ctChanges = {};
              const lines = [];
              for (const op of action.operations) {
                if (op.kind === 'field') {
                  const cast = castFieldValue(op.field, op.value);
                  if (cast.error) { lines.push('- ⚠️ skipped field: ' + cast.error); continue; }
                  fieldPayload[op.field] = cast.value;
                  if (FIELD_TO_CT_VAR[op.field]) ctChanges[FIELD_TO_CT_VAR[op.field]] = cast.value;
                  lines.push('- `' + op.field + '` → `' + JSON.stringify(cast.value) + '`');
                } else if (op.kind === 'note') {
                  const type = String(op.type || '').toLowerCase();
                  if (op.action === 'add') {
                    notesArr.push({ type, text: String(op.text || '') });
                    notesChanged = true; lines.push('- note add `' + type + '`: ' + op.text);
                  } else if (op.action === 'remove') {
                    const before = notesArr.length;
                    notesArr = notesArr.filter(function (n) { return !(String(n.type).toLowerCase() === type && n.text === op.text); });
                    if (notesArr.length !== before) { notesChanged = true; lines.push('- note remove `' + type + '`: ' + op.text); }
                    else lines.push('- ⚠️ note remove: no `' + type + '` note matched');
                  } else if (op.action === 'edit') {
                    const idx = notesArr.findIndex(function (n) { return String(n.type).toLowerCase() === type && n.text === op.text; });
                    if (idx !== -1) { notesArr[idx].text = String(op.newText || ''); notesChanged = true; lines.push('- note edit `' + type + '`'); }
                    else lines.push('- ⚠️ note edit: no `' + type + '` note matched');
                  }
                } else if (op.kind === 'method') {
                  const type = String(op.type || '').toLowerCase();
                  const changes = op.changes || {};
                  if (op.action === 'remove') {
                    const before = methodsArr.length;
                    methodsArr = methodsArr.filter(function (im) { return String(im.type || '').toLowerCase() !== type; });
                    if (methodsArr.length !== before) { methodsChanged = true; lines.push('- method remove `' + type + '`'); }
                    else lines.push('- ⚠️ method remove: `' + type + '` not found');
                  } else {
                    let method = methodsArr.find(function (im) { return String(im.type || '').toLowerCase() === type; });
                    if (!method && op.action === 'add') { method = { type, resources: { cpu: 1, ram: 512, hdd: 4, os: 'debian', version: '13' } }; methodsArr.push(method); }
                    if (!method) { lines.push('- ⚠️ method edit: `' + type + '` not found'); continue; }
                    if (!method.resources) method.resources = {};
                    for (const [k, v] of Object.entries(changes)) {
                      if (RESOURCE_KEYS[k]) {
                        method.resources[k] = RESOURCE_KEYS[k] === 'number' ? parseInt(v, 10) : String(v);
                        if (RESOURCE_TO_CT_VAR[k]) ctChanges[RESOURCE_TO_CT_VAR[k]] = method.resources[k];
                      } else if (METHOD_KEYS[k]) {
                        method[k] = v === '' ? null : String(v);
                      }
                    }
                    methodsChanged = true;
                    lines.push('- method `' + (op.action === 'add' ? 'add' : 'edit') + '` `' + type + '`: ' + JSON.stringify(changes));
                  }
                }
              }
              if (Object.keys(fieldPayload).length) {
                const r = await pbPatch(token, record.id, fieldPayload);
                if (!r.ok) return { ok: false, summary: '❌ Field update failed:\n```\n' + r.body + '\n```' };
              }
              if (notesChanged) {
                const r = await pbPatch(token, record.id, { notes: notesArr });
                if (!r.ok) return { ok: false, summary: '❌ Notes update failed:\n```\n' + r.body + '\n```' };
              }
              if (methodsChanged) {
                const r = await pbPatch(token, record.id, { install_methods: methodsArr });
                if (!r.ok) return { ok: false, summary: '❌ Install-method update failed:\n```\n' + r.body + '\n```' };
              }
              await revalidate(action.slug);
              let ctNote = '';
              if (Object.keys(ctChanges).length) {
                try {
                  const sync = await upsertCtDefaultsPr(action.slug, ctChanges);
                  if (sync.status === 'created') ctNote = '\n\n**CT sync PR:** ' + sync.prUrl;
                  else if (sync.status === 'updated') ctNote = '\n\n**CT sync PR updated:** ' + sync.prUrl;
                  else if (sync.status === 'skipped') ctNote = '\n\n**CT sync skipped:** ' + sync.reason;
                } catch (e) { ctNote = '\n\n**CT sync failed:** ' + e.message; }
              }
              return { ok: true, summary: lines.join('\n') + ctNote };
            }
            // ── 4. Confirm branch ──────────────────────────────────────────────
            const PENDING_RE = /<!--\s*pocketbase-pending:\s*([A-Za-z0-9+/=]+)\s*-->/;
            const isConfirm = /^(confirm|yes|apply|do it|y)\b/i.test(instruction);
            if (isConfirm) {
              const comments = await listIssueComments();
              const appId = String(process.env.PB_BOT_APP_ID || '');
              let pending = null, pendingComment = null;
              for (let i = comments.length - 1; i >= 0; i--) {
                const c = comments[i];
                // Only trust a marker in a comment THIS bot app authored — otherwise a
                // user could hand-craft a forged pocketbase-pending marker and confirm it.
                const byBotApp = c.user && c.user.type === 'Bot' &&
                  c.performed_via_github_app && String(c.performed_via_github_app.id) === appId;
                if (!byBotApp) continue;
                const m = c.body && c.body.match(PENDING_RE);
                if (m) { pending = m[1]; pendingComment = c; break; }
              }
              if (!pending) {
                await addReaction('confused');
                await postComment('🤔 **PocketBase AI Bot**: I have no pending change to confirm in this thread.');
                return;
              }
              let action;
              try { action = JSON.parse(Buffer.from(pending, 'base64').toString('utf8')); }
              catch (e) { await postComment('❌ **PocketBase AI Bot**: Could not decode the pending change.'); return; }
              // Re-validate the decoded operations before applying (defense-in-depth).
              const recheck = sanitizeOperations(action.operations);
              if (!action.slug || recheck.validOps.length === 0) {
                await addReaction('-1');
                await postComment('❌ **PocketBase AI Bot**: The pending change is no longer valid. Please restate the request.');
                return;
              }
              action.operations = recheck.validOps;
              let result;
              try { result = await applyOperations(action); }
              catch (e) { await addReaction('-1'); await postComment('❌ **PocketBase AI Bot**: ' + e.message); return; }
              if (!result.ok) { await addReaction('-1'); await postComment(result.summary); return; }
              await updateComment(pendingComment.id, pendingComment.body.replace(PENDING_RE, '<!-- pocketbase-applied -->'));
              await addReaction('+1');
              await postComment(
                '✅ **PocketBase AI Bot**: Applied to **`' + action.slug + '`**\n\n' + result.summary +
                '\n\n*Confirmed by @' + actor + '*'
              );
              return;
            }
            // ── 5. New request: acknowledge, fetch script list, call the model ─
            await addReaction('eyes');
            const token0 = await pbAuth();
            const scripts = [];
            let page = 1;
            while (page <= 5) {
              const res = await request(recordsUrl + '?fields=slug,name&perPage=500&page=' + page, { headers: { 'Authorization': token0 } });
              if (!res.ok) break;
              const data = JSON.parse(res.body);
              (data.items || []).forEach(function (it) { if (it.slug) scripts.push({ slug: it.slug, name: it.name || it.slug }); });
              if (!data.items || data.items.length < 500) break;
              page++;
            }
            const SYSTEM_PROMPT =
              'You translate a maintainer\'s natural-language request into a STRICT JSON change-set for a ' +
              'script catalog (PocketBase). Respond with a SINGLE JSON object and nothing else.\n\n' +
              'Schema:\n' +
              '{\n' +
              '  "slug": string|null,            // MUST be one of the known slugs below, chosen from the request\n' +
              '  "operations": [ ... ],          // [] if you cannot determine concrete changes\n' +
              '  "human_summary": string,        // short plain-English description\n' +
              '  "clarification": string|null    // a question to ask if ambiguous/unsupported; else null\n' +
              '}\n\n' +
              'Operation kinds:\n' +
              '- {"kind":"field","field":<one of: ' + Object.keys(ALLOWED_FIELDS).join(', ') + '>,"value":<bool|number|string>}\n' +
              '  (booleans true/false; "is_disabled"/"is_deleted"/"is_dev" are booleans; "port"/"unprivileged" are numbers; rest strings.)\n' +
              '- {"kind":"note","action":"add"|"edit"|"remove","type":string,"text":string,"newText":string?}\n' +
              '- {"kind":"method","action":"add"|"edit"|"remove","type":string,"changes":{cpu?:number,ram?:number,hdd?:number,os?:string,version?:string,config_path?:string,script?:string}}\n' +
              '  (RAM/HDD are in MB/GB; method "type" defaults to "default" if the user does not name one.)\n\n' +
              'Rules:\n' +
              '- Only use fields/operations listed above. If the request needs something else, set clarification and operations=[].\n' +
              '- "disable"/"enable" map to is_disabled true/false. If disabling and the user gave a reason, also set disable_message.\n' +
              '- Resolve the target script to a slug from the list. If you cannot confidently match exactly one, set slug=null and ask via clarification.\n\n' +
              'Known scripts (slug — name):\n' +
              scripts.map(function (s) { return s.slug + ' — ' + s.name; }).join('\n');
            const modelRes = await request('https://models.github.ai/inference/chat/completions', {
              method: 'POST',
              headers: { 'Authorization': 'Bearer ' + process.env.MODELS_TOKEN, 'Content-Type': 'application/json', 'Accept': 'application/json' },
              body: JSON.stringify({
                model: process.env.AI_MODEL || 'openai/gpt-4o',
                temperature: 0.1,
                response_format: { type: 'json_object' },
                messages: [{ role: 'system', content: SYSTEM_PROMPT }, { role: 'user', content: instruction }]
              })
            });
            if (!modelRes.ok) {
              await addReaction('-1');
              await postComment('❌ **PocketBase AI Bot**: Model request failed (' + modelRes.statusCode + ').\n```\n' + modelRes.body.slice(0, 500) + '\n```');
              return;
            }
            let parsed;
            try {
              const content = JSON.parse(modelRes.body).choices[0].message.content;
              const cleaned = content.replace(/^```(?:json)?\s*/i, '').replace(/```\s*$/i, '').trim();
              parsed = JSON.parse(cleaned);
            } catch (e) {
              await addReaction('-1');
              await postComment('❌ **PocketBase AI Bot**: Could not parse the model response. Please rephrase.');
              return;
            }
            // ── 6. Validate ────────────────────────────────────────────────────
            const knownSlugs = new Set(scripts.map(function (s) { return s.slug; }));
            const problems = [];
            if (parsed.clarification) problems.push(parsed.clarification);
            if (!parsed.slug || !knownSlugs.has(parsed.slug)) problems.push('I could not match the request to a known script.');
            const sanitized = sanitizeOperations(parsed.operations);
            const validOps = sanitized.validOps;
            problems.push.apply(problems, sanitized.problems);
            if (validOps.length === 0) problems.push('No concrete, supported change was found.');
            if (problems.length) {
              await addReaction('confused');
              await postComment(
                '🤔 **PocketBase AI Bot**: I need a bit more to act on that.\n\n- ' + problems.join('\n- ') +
                '\n\nTry naming the script and the exact change, e.g. `@pocketbase-bot set RAM to 4096 on zigbee2mqtt`.'
              );
              return;
            }
            // ── 7. Propose (do NOT apply yet) ──────────────────────────────────
            const action = { slug: parsed.slug, operations: validOps };
            const bullets = validOps.map(function (op) {
              if (op.kind === 'field') return '- `' + op.field + '` → `' + JSON.stringify(op.value) + '`';
              if (op.kind === 'note') return '- note ' + op.action + ' `' + op.type + '`' + (op.text ? ': ' + op.text : '');
              return '- method ' + op.action + ' `' + op.type + '`: ' + JSON.stringify(op.changes);
            }).join('\n');
            const marker = '<!-- pocketbase-pending: ' + Buffer.from(JSON.stringify(action), 'utf8').toString('base64') + ' -->';
            await addReaction('+1');
            await postComment(
              '🤖 **PocketBase AI Bot** — please confirm\n\n' +
              (parsed.human_summary ? '> ' + parsed.human_summary + '\n\n' : '') +
              '**Target:** `' + action.slug + '`\n**Proposed changes:**\n' + bullets + '\n\n' +
              'Reply **`@pocketbase-bot confirm`** to apply, or restate the request to adjust.\n' + marker
            );
          })().catch(function (e) {
            console.error('Fatal error:', e && (e.message || e));
            process.exit(1);
          });
          ENDSCRIPT
--- a/.github/workflows/pocketbase-bot.yml
+++ b/.github/workflows/pocketbase-bot.yml
@@ -13,8 +13,8 @@ jobs:
  pocketbase-bot:
    runs-on: self-hosted
-    # Act on comments that contain a /pocketbase command line (precise line check happens in-script)
+    # Only act on /pocketbase commands
-    if: contains(github.event.comment.body, '/pocketbase')
+    if: startsWith(github.event.comment.body, '/pocketbase')
    steps:
      - name: Execute PocketBase bot command
@@ -257,22 +257,6 @@ jobs:
              if (!res.ok) console.warn('Could not post comment:', res.body);
            }
            // ── Locate the command line ────────────────────────────────────────
            // Accept /pocketbase at the start of ANY line (leading whitespace ok),
            // so the command works even when preceded by other text. Mid-sentence
            // mentions and blockquoted ("> ...") examples are ignored.
            const commentBody = process.env.COMMENT_BODY || '';
            const cmdLine = commentBody
              .split('\n')
              .map(l => l.trim())
              .find(l => l.startsWith('/pocketbase'));
            if (!cmdLine) {
              console.log('No /pocketbase command line found — ignoring comment.');
              process.exit(0);
            }
            const withoutCmd = cmdLine.replace(/^\/pocketbase\s*/, '').trim();
            // ── Permission check ───────────────────────────────────────────────
            const association = process.env.ACTOR_ASSOCIATION;
            if (association !== 'OWNER' && association !== 'MEMBER') {
@@ -288,6 +272,10 @@ jobs:
            await addReaction('eyes');
            // ── Parse command ──────────────────────────────────────────────────
            const commentBody = process.env.COMMENT_BODY || '';
            const lines = commentBody.trim().split('\n');
            const firstLine = lines[0].trim();
            const withoutCmd = firstLine.replace(/^\/pocketbase\s+/, '').trim();
            function extractCodeBlock(body) {
              const m = body.match(/```[^\n]*\n([\s\S]*?)```/);
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -470,39 +470,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 </details>
 ## 2026-06-02
 ### 🆕 New Scripts
  - DDNS-Updater ([#14883](https://github.com/community-scripts/ProxmoxVE/pull/14883))
 - InvoiceShelf ([#14882](https://github.com/community-scripts/ProxmoxVE/pull/14882))
 - Certimate ([#14881](https://github.com/community-scripts/ProxmoxVE/pull/14881))
 ### 🚀 Updated Scripts
  - #### 🐞 Bug Fixes
    - OpenThread-BR: preserve config during update [@tomfrenzel](https://github.com/tomfrenzel) ([#14893](https://github.com/community-scripts/ProxmoxVE/pull/14893))
    - infisical: fix update abort due to creds field mismatch (#14868) [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14870](https://github.com/community-scripts/ProxmoxVE/pull/14870))
  - #### ✨ New Features
    - feat(degoog): enable default valkey cache integration [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14871](https://github.com/community-scripts/ProxmoxVE/pull/14871))
  - #### 🔧 Refactor
    - chore: bump Node version in selected scripts [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14873](https://github.com/community-scripts/ProxmoxVE/pull/14873))
 ### 💾 Core
  - #### ✨ New Features
    - tools.func: add support for Rust installation profile in setup_rust [@MickLesk](https://github.com/MickLesk) ([#14872](https://github.com/community-scripts/ProxmoxVE/pull/14872))
 ### 📂 Github
  - fix(workflow): only flag node drift when local is behind upstream [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14874](https://github.com/community-scripts/ProxmoxVE/pull/14874))
 ## 2026-06-01
 ### 🚀 Updated Scripts
--- a/ct/certimate.sh
+++ b/ct/certimate.sh
@@ -1,64 +0,0 @@
 #!/usr/bin/env bash
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://certimate.me/
 APP="Certimate"
 var_tags="${var_tags:-ssl;certificates;acme;automation}"
 var_cpu="${var_cpu:-1}"
 var_ram="${var_ram:-256}"
 var_disk="${var_disk:-2}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_arm64="${var_arm64:-no}"
 var_unprivileged="${var_unprivileged:-1}"
 header_info "$APP"
 variables
 color
 catch_errors
 function update_script() {
  header_info
  check_container_storage
  check_container_resources
  if [[ ! -f /opt/certimate/certimate ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
  if check_for_gh_release "certimate" "certimate-go/certimate"; then
    msg_info "Stopping Service"
    systemctl stop certimate
    msg_ok "Stopped Service"
    msg_info "Backing up Data"
    cp -r /opt/certimate/pb_data /opt/certimate_pb_data_backup
    msg_ok "Backed up Data"
    fetch_and_deploy_gh_release "certimate" "certimate-go/certimate" "prebuild" "latest" "/opt/certimate" "certimate_*_linux_amd64.zip"
    msg_info "Restoring Data"
    cp -r /opt/certimate_pb_data_backup/. /opt/certimate/pb_data
    rm -rf /opt/certimate_pb_data_backup
    msg_ok "Restored Data"
    msg_info "Starting Service"
    systemctl start certimate
    msg_ok "Started Service"
    msg_ok "Updated successfully!"
  fi
  exit
 }
 start
 build_container
 description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8090${CL}"
--- a/ct/cross-seed.sh
+++ b/ct/cross-seed.sh
@@ -25,7 +25,7 @@ function update_script() {
  check_container_storage
  check_container_resources
-  NODE_VERSION="26" setup_nodejs
+  NODE_VERSION="24" setup_nodejs
  ensure_dependencies build-essential
  if command -v cross-seed &>/dev/null; then
--- a/ct/ddns-updater.sh
+++ b/ct/ddns-updater.sh
@@ -1,62 +0,0 @@
 #!/usr/bin/env bash
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: reptil1990
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://github.com/qdm12/ddns-updater
 APP="DDNS-Updater"
 var_tags="${var_tags:-network}"
 var_cpu="${var_cpu:-1}"
 var_ram="${var_ram:-512}"
 var_disk="${var_disk:-2}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_arm64="${var_arm64:-no}"
 var_unprivileged="${var_unprivileged:-1}"
 header_info "$APP"
 variables
 color
 catch_errors
 function update_script() {
  header_info
  check_container_storage
  check_container_resources
  if [[ ! -d /opt/ddns-updater ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
  if check_for_gh_release "ddns-updater" "qdm12/ddns-updater"; then
    msg_info "Stopping Service"
    systemctl stop ddns-updater
    msg_ok "Stopped Service"
    msg_info "Backing up Data"
    cp -r /opt/ddns-updater/data /opt/ddns-updater_data_backup
    msg_ok "Backed up Data"
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "ddns-updater" "qdm12/ddns-updater" "singlefile" "latest" "/opt/ddns-updater" "ddns-updater_*_linux_amd64"
    msg_info "Restoring Data"
    cp -r /opt/ddns-updater_data_backup/. /opt/ddns-updater/data/
    rm -rf /opt/ddns-updater_data_backup
    msg_ok "Restored Data"
    msg_info "Starting Service"
    systemctl start ddns-updater
    msg_ok "Started Service"
    msg_ok "Updated successfully!"
  fi
  exit
 }
 start
 build_container
 description
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
--- a/ct/degoog.sh
+++ b/ct/degoog.sh
@@ -49,21 +49,11 @@ function update_script() {
      msg_ok "Installed Bun"
    fi
    msg_info "Updating Valkey"
    ensure_dependencies valkey
    msg_ok "Updated Valkey"
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "degoog" "fccview/degoog" "prebuild" "latest" "/opt/degoog" "degoog_*_prebuild.tar.gz"
    msg_info "Restoring Configuration & Data"
    [[ -f /opt/degoog.env.bak ]] && mv /opt/degoog.env.bak /opt/degoog/.env
    [[ -d /opt/degoog_data_backup ]] && mv /opt/degoog_data_backup /opt/degoog/data
    if [[ -f /opt/degoog/.env ]]; then
      grep -q "^DEGOOG_VALKEY_URL=" /opt/degoog/.env && sed -i "s|^DEGOOG_VALKEY_URL=.*|DEGOOG_VALKEY_URL=redis://valkey:6379|" /opt/degoog/.env || echo "DEGOOG_VALKEY_URL=redis://valkey:6379" >>/opt/degoog/.env
      grep -q "^DEGOOG_CACHE_MAX_ENTRIES=" /opt/degoog/.env && sed -i "s|^DEGOOG_CACHE_MAX_ENTRIES=.*|DEGOOG_CACHE_MAX_ENTRIES=1000|" /opt/degoog/.env || echo "DEGOOG_CACHE_MAX_ENTRIES=1000" >>/opt/degoog/.env
      grep -q "^DEGOOG_CACHE_TTL_MS=" /opt/degoog/.env && sed -i "s|^DEGOOG_CACHE_TTL_MS=.*|DEGOOG_CACHE_TTL_MS=43200000|" /opt/degoog/.env || echo "DEGOOG_CACHE_TTL_MS=43200000" >>/opt/degoog/.env
    fi
    msg_ok "Restored Configuration & Data"
    msg_info "Starting Service"
--- a/ct/headers/certimate
+++ b/ct/headers/certimate
@@ -1,6 +0,0 @@
   ______          __  _                 __     
  / ____/__  _____/ /_(_)___ ___  ____ _/ /____ 
 / /   / _ \/ ___/ __/ / __ `__ \/ __ `/ __/ _ \
 / /___/  __/ /  / /_/ / / / / / / /_/ / /_/  __/
 \____/\___/_/   \__/_/_/ /_/ /_/\__,_/\__/\___/ 
--- a/ct/headers/ddns-updater
+++ b/ct/headers/ddns-updater
@@ -1,6 +0,0 @@
    ____  ____  _   _______       __  __          __      __           
   / __ \/ __ \/ | / / ___/      / / / /___  ____/ /___ _/ /____  _____
  / / / / / / /  |/ /\__ \______/ / / / __ \/ __  / __ `/ __/ _ \/ ___/
 / /_/ / /_/ / /|  /___/ /_____/ /_/ / /_/ / /_/ / /_/ / /_/  __/ /    
 /_____/_____/_/ |_//____/      \____/ .___/\__,_/\__,_/\__/\___/_/     
                                   /_/                                 
--- a/ct/headers/invoiceshelf
+++ b/ct/headers/invoiceshelf
@@ -1,6 +0,0 @@
    ____                 _          _____ __         ______
   /  _/___ _   ______  (_)_______ / ___// /_  ___  / / __/
   / // __ \ | / / __ \/ / ___/ _ \\__ \/ __ \/ _ \/ / /_  
 _/ // / / / |/ / /_/ / / /__/  __/__/ / / / /  __/ / __/  
 /___/_/ /_/|___/\____/_/\___/\___/____/_/ /_/\___/_/_/     
--- a/ct/infisical.sh
+++ b/ct/infisical.sh
@@ -35,7 +35,7 @@ function update_script() {
  msg_info "Creating backup"
  [[ -f /opt/infisical_backup.sql ]] && rm -f /opt/infisical_backup.sql
-  DB_PASS=$(grep -Po '(?<=^Password:\s).*' ~/infisical.creds | head -n1)
+  DB_PASS=$(grep -Po '(?<=^Database Password:\s).*' ~/infisical.creds | head -n1)
  PGPASSWORD=$DB_PASS pg_dump -U infisical -h localhost -d infisical_db > /opt/infisical_backup.sql
  msg_ok "Created backup"
--- a/ct/invoiceshelf.sh
+++ b/ct/invoiceshelf.sh
@@ -1,77 +0,0 @@
 #!/usr/bin/env bash
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://invoiceshelf.com/
 APP="InvoiceShelf"
 var_tags="${var_tags:-invoicing;finance;business}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-1024}"
 var_disk="${var_disk:-4}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_arm64="${var_arm64:-no}"
 var_unprivileged="${var_unprivileged:-1}"
 header_info "$APP"
 variables
 color
 catch_errors
 function update_script() {
  header_info
  check_container_storage
  check_container_resources
  if [[ ! -d /opt/invoiceshelf ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
  if check_for_gh_release "invoiceshelf" "InvoiceShelf/InvoiceShelf"; then
    msg_info "Stopping Services"
    systemctl stop caddy
    msg_ok "Stopped Services"
    msg_info "Backing up Data"
    cp /opt/invoiceshelf/.env /opt/invoiceshelf.env.bak
    cp -r /opt/invoiceshelf/storage /opt/invoiceshelf_storage_backup
    msg_ok "Backed up Data"
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "invoiceshelf" "InvoiceShelf/InvoiceShelf" "tarball"
    msg_info "Restoring Data"
    cp /opt/invoiceshelf.env.bak /opt/invoiceshelf/.env
    rm -f /opt/invoiceshelf.env.bak
    cp -r /opt/invoiceshelf_storage_backup/. /opt/invoiceshelf/storage
    rm -rf /opt/invoiceshelf_storage_backup
    msg_ok "Restored Data"
    msg_info "Updating Application"
    cd /opt/invoiceshelf
    $STD composer install --no-dev --optimize-autoloader
    $STD yarn install
    $STD yarn build
    $STD php artisan migrate --force
    $STD php artisan optimize:clear
    chown -R www-data:www-data /opt/invoiceshelf
    msg_ok "Updated Application"
    msg_info "Starting Services"
    systemctl start caddy
    msg_ok "Started Services"
    msg_ok "Updated successfully!"
  fi
  exit
 }
 start
 build_container
 description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
--- a/ct/koillection.sh
+++ b/ct/koillection.sh
@@ -53,7 +53,7 @@ function update_script() {
      [[ -s /opt/koillection/.env.local && -n "$(tail -c 1 /opt/koillection/.env.local)" ]] && echo "" >>/opt/koillection/.env.local
      echo 'APP_RUNTIME="Symfony\Component\Runtime\SymfonyRuntime"' >>/opt/koillection/.env.local
    fi
-    NODE_VERSION="26" NODE_MODULE="yarn" setup_nodejs
+    
    export COMPOSER_ALLOW_SUPERUSER=1
    export APP_RUNTIME='Symfony\Component\Runtime\SymfonyRuntime'
    $STD composer install --no-dev -o --no-interaction --classmap-authoritative
--- a/ct/musicseerr.sh
+++ b/ct/musicseerr.sh
@@ -42,7 +42,7 @@ function update_script() {
    PYTHON_VERSION="3.13" setup_uv
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "musicseerr" "HabiRabbu/Musicseerr" "tarball"
-    NODE_VERSION="25" NODE_MODULE="pnpm@10.33.0" setup_nodejs
+    NODE_VERSION="22" NODE_MODULE="pnpm@10.33.0" setup_nodejs
    msg_info "Building Frontend"
    cd /opt/musicseerr/frontend
--- a/ct/openthread-br.sh
+++ b/ct/openthread-br.sh
@@ -47,10 +47,6 @@ function update_script() {
  systemctl stop otbr-agent
  msg_ok "Stopped Services"
  msg_info "Backing up Configuration"
  cp /etc/default/otbr-agent /etc/default/otbr-agent.bak
  msg_ok "Backed up Configuration"
  msg_info "Updating Source"
  $STD git reset --hard origin/main
  $STD git submodule update --depth 1 --init --recursive
@@ -95,10 +91,6 @@ EOF
    msg_ok "Configured Network"
  fi
  msg_info "Restoring Configuration"
  mv /etc/default/otbr-agent.bak /etc/default/otbr-agent
  msg_ok "Restored Configuration"
  msg_info "Starting Services"
  systemctl start otbr-agent
  systemctl start otbr-web
--- a/ct/soulsync.sh
+++ b/ct/soulsync.sh
@@ -30,7 +30,7 @@ function update_script() {
    exit
  fi
-  NODE_VERSION="24" setup_nodejs
+  NODE_VERSION="22" setup_nodejs
  if check_for_gh_release "soulsync" "Nezreka/SoulSync"; then
    msg_info "Stopping Service"
--- a/install/certimate-install.sh
+++ b/install/certimate-install.sh
@@ -1,40 +0,0 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://certimate.me/
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 fetch_and_deploy_gh_release "certimate" "certimate-go/certimate" "prebuild" "latest" "/opt/certimate" "certimate_*_linux_amd64.zip"
 msg_info "Creating Service"
 cat <<'EOF' >/etc/systemd/system/certimate.service
 [Unit]
 Description=Certimate SSL Certificate Manager
 After=network.target
 [Service]
 Type=simple
 User=root
 WorkingDirectory=/opt/certimate
 ExecStart=/opt/certimate/certimate serve --http "0.0.0.0:8090"
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl enable -q --now certimate
 msg_ok "Created Service"
 motd_ssh
 customize
 cleanup_lxc
--- a/install/cross-seed-install.sh
+++ b/install/cross-seed-install.sh
@@ -17,7 +17,7 @@ msg_info "Installing Dependencies"
 $STD apt install -y build-essential
 msg_ok "Installed Dependencies"
-NODE_VERSION="26" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 msg_info "Setup Cross-Seed"
 $STD npm install cross-seed@latest -g
--- a/install/ddns-updater-install.sh
+++ b/install/ddns-updater-install.sh
@@ -1,59 +0,0 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: reptil1990
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://github.com/qdm12/ddns-updater
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 fetch_and_deploy_gh_release "ddns-updater" "qdm12/ddns-updater" "singlefile" "latest" "/opt/ddns-updater" "ddns-updater_*_linux_amd64"
 msg_info "Configuring DDNS-Updater"
 mkdir -p /opt/ddns-updater/data
 cat <<EOF >/opt/ddns-updater/data/config.json
 {
  "settings": [
    {
      "provider": "namecheap",
      "domain": "example.com",
      "password": "e5322165c1d74692bfa6d807100c0310"
    }
  ]
 }
 EOF
 msg_ok "Configured DDNS-Updater"
 msg_info "Creating Service"
 cat <<EOF >/etc/systemd/system/ddns-updater.service
 [Unit]
 Description=DDNS-Updater
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 ExecStartPre=/bin/bash -c 'for i in \$(seq 1 30); do curl -sf --max-time 5 https://1.1.1.1 >/dev/null 2>&1 && break || sleep 2; done'
 ExecStart=/opt/ddns-updater/ddns-updater
 Environment=DATADIR=/opt/ddns-updater/data
 Environment=LISTENING_ADDRESS=:8000
 Environment=LOG_LEVEL=info
 Environment=PERIOD=5m
 WorkingDirectory=/opt/ddns-updater
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl enable -q --now ddns-updater
 msg_ok "Created Service"
 motd_ssh
 customize
 cleanup_lxc
--- a/install/degoog-install.sh
+++ b/install/degoog-install.sh
@@ -16,8 +16,7 @@ update_os
 msg_info "Installing Dependencies"
 $STD apt install -y \
  git \
-  unzip \
+  unzip
  valkey
 msg_ok "Installed Dependencies"
 msg_info "Installing Bun"
@@ -39,9 +38,6 @@ DEGOOG_PLUGINS_DIR=/opt/degoog/data/plugins
 DEGOOG_THEMES_DIR=/opt/degoog/data/themes
 DEGOOG_ALIASES_FILE=/opt/degoog/data/aliases.json
 DEGOOG_PLUGIN_SETTINGS_FILE=/opt/degoog/data/plugin-settings.json
 DEGOOG_VALKEY_URL=redis://valkey:6379
 DEGOOG_CACHE_MAX_ENTRIES=1000
 DEGOOG_CACHE_TTL_MS=43200000
 # DEGOOG_SETTINGS_PASSWORDS=changeme
 # DEGOOG_PUBLIC_INSTANCE=false
 # LOGGER=debug
@@ -66,16 +62,11 @@ EOF
 fi
 msg_ok "Set up degoog"
 msg_info "Starting Valkey Service"
 systemctl enable -q --now valkey-server
 msg_ok "Started Valkey Service"
 msg_info "Creating Service"
 cat <<EOF >/etc/systemd/system/degoog.service
 [Unit]
 Description=degoog
-After=network.target valkey-server.service
+After=network.target
 Wants=valkey-server.service
 [Service]
 Type=simple
--- a/install/invoiceshelf-install.sh
+++ b/install/invoiceshelf-install.sh
@@ -1,69 +0,0 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://invoiceshelf.com/
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 msg_info "Installing Dependencies"
 $STD apt install -y caddy
 msg_ok "Installed Dependencies"
 PHP_VERSION="8.4" PHP_FPM="YES" PHP_MODULES="bcmath,gd,intl,xml,zip,pdo_pgsql,mbstring,curl,exif" setup_php
 setup_composer
 NODE_VERSION="24" NODE_MODULE="yarn" setup_nodejs
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="invoiceshelf" PG_DB_USER="invoiceshelf" setup_postgresql_db
 fetch_and_deploy_gh_release "invoiceshelf" "InvoiceShelf/InvoiceShelf" "tarball"
 msg_info "Setting up InvoiceShelf"
 cd /opt/invoiceshelf
 cp .env.example .env
 sed -i "s|^APP_ENV=.*|APP_ENV=production|" .env
 sed -i "s|^APP_DEBUG=.*|APP_DEBUG=false|" .env
 sed -i "s|^APP_URL=.*|APP_URL=http://${LOCAL_IP}|" .env
 sed -i "s|^DB_CONNECTION=.*|DB_CONNECTION=pgsql|" .env
 sed -i "s|^DB_HOST=.*|DB_HOST=127.0.0.1|" .env
 sed -i "s|^DB_PORT=.*|DB_PORT=5432|" .env
 sed -i "s|^DB_DATABASE=.*|DB_DATABASE=${PG_DB_NAME}|" .env
 sed -i "s|^DB_USERNAME=.*|DB_USERNAME=${PG_DB_USER}|" .env
 sed -i "s|^DB_PASSWORD=.*|DB_PASSWORD=${PG_DB_PASS}|" .env
 COMPOSER_ALLOW_SUPERUSER=1 $STD composer install --no-dev --optimize-autoloader --no-interaction
 $STD php artisan key:generate
 $STD yarn install
 $STD yarn build
 mkdir -p storage/framework/{cache,sessions,views} storage/logs bootstrap/cache
 chown -R www-data:www-data /opt/invoiceshelf
 chmod -R 775 storage bootstrap/cache
 $STD php artisan migrate --force
 $STD php artisan storage:link
 msg_ok "Set up InvoiceShelf"
 msg_info "Configuring Caddy"
 PHP_VER=$(php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;')
 cat <<EOF >/etc/caddy/Caddyfile
 :80 {
    root * /opt/invoiceshelf/public
    php_fastcgi unix//run/php/php${PHP_VER}-fpm.sock
    file_server
    encode gzip
 }
 EOF
 usermod -aG www-data caddy
 msg_ok "Configured Caddy"
 systemctl enable -q --now php${PHP_VER}-fpm
 systemctl restart caddy
 motd_ssh
 customize
 cleanup_lxc
--- a/install/koillection-install.sh
+++ b/install/koillection-install.sh
@@ -13,7 +13,7 @@ setting_up_container
 network_check
 update_os
-NODE_VERSION="26" NODE_MODULE="yarn" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="yarn" setup_nodejs
 PG_VERSION="16" setup_postgresql
 PHP_VERSION="8.5" PHP_APACHE="YES" setup_php
 setup_composer
--- a/install/musicseerr-install.sh
+++ b/install/musicseerr-install.sh
@@ -15,7 +15,7 @@ update_os
 PYTHON_VERSION="3.13" setup_uv
 fetch_and_deploy_gh_release "musicseerr" "HabiRabbu/Musicseerr" "tarball"
-NODE_VERSION="25" NODE_MODULE="pnpm@10.33.0" setup_nodejs
+NODE_VERSION="22" NODE_MODULE="pnpm@10.33.0" setup_nodejs
 msg_info "Building Frontend"
 cd /opt/musicseerr/frontend
--- a/install/soulsync-install.sh
+++ b/install/soulsync-install.sh
@@ -23,7 +23,7 @@ $STD apt install -y \
 msg_ok "Installed Dependencies"
 UV_PYTHON="3.11" setup_uv
-NODE_VERSION="24" setup_nodejs
+NODE_VERSION="22" setup_nodejs
 fetch_and_deploy_gh_release "soulsync" "Nezreka/SoulSync" "tarball"
--- a/misc/tools.func
+++ b/misc/tools.func
@@ -8227,13 +8227,11 @@ setup_ruby() {
 #
 # Variables:
 #   RUST_TOOLCHAIN  - Rust toolchain to install (default: stable)
 #   RUST_PROFILE    - Rust installation profile (default: default, e.g. minimal)
 #   RUST_CRATES     - Comma-separated list of crates (e.g. "cargo-edit,wasm-pack@0.12.1")
 # ------------------------------------------------------------------------------
 setup_rust() {
  local RUST_TOOLCHAIN="${RUST_TOOLCHAIN:-stable}"
  local RUST_PROFILE="${RUST_PROFILE:-default}"
  local RUST_CRATES="${RUST_CRATES:-}"
  local CARGO_BIN="${HOME}/.cargo/bin"
@@ -8245,8 +8243,8 @@ setup_rust() {
  # Scenario 1: Rustup not installed - fresh install
  if ! command -v rustup &>/dev/null; then
-    msg_info "Setup Rust ($RUST_TOOLCHAIN, profile: $RUST_PROFILE)"
+    msg_info "Setup Rust ($RUST_TOOLCHAIN)"
-    curl -fsSL https://sh.rustup.rs | $STD sh -s -- -y --profile "$RUST_PROFILE" --default-toolchain "$RUST_TOOLCHAIN" || {
+    curl -fsSL https://sh.rustup.rs | $STD sh -s -- -y --default-toolchain "$RUST_TOOLCHAIN" || {
      msg_error "Failed to install Rust"
      msg_error "Hint: Check connectivity to sh.rustup.rs and static.rust-lang.org"
      return 7