UI/UX Improvements for AI-skeptical users:
- Only show 'Ideas' button if AI is enabled AND configured
- Renamed 'Suggest Profile' to 'Ideas' with lightbulb icon
- Moved 'New Profile' button to primary position
- Changed AI button styling from prominent purple to subtle gray
- Updated modal title to 'Profile Ideas' with neutral language
Multi-tenant bug fix:
- ProfileSuggestionHandler now uses MultiTenantPersistence
- Properly resolves tenant-specific persistence from request context
- Fixes potential nil pointer panic in multi-tenant deployments
- Existing profiles are now correctly loaded per-tenant for AI context
Tests updated to use MultiTenantPersistence with org context injection.
Replace manual resource ID entry with a searchable, filterable resource
picker that uses live WebSocket state. Support selecting multiple
resources (up to 50) for combined fleet reports.
Multi-resource PDFs include a cover page, fleet summary table with
aggregate health status, and condensed per-resource detail pages with
overlaid CPU/memory charts. Multi-resource CSVs include a summary
section followed by interleaved time-series data with resource columns.
New POST /api/admin/reports/generate-multi endpoint handles multi-resource
requests while the existing single-resource GET endpoint remains unchanged.
Also fixes resource ID validation regex to allow colons used in
VM/container IDs (e.g., "instance:node:vmid").
API tokens passed via ?token= query parameter were accepted on all HTTP
requests. This is a security concern because tokens in URLs can leak via
server logs, browser history, referrer headers, and proxy logs.
The query-string token path exists solely for WebSocket connections which
cannot set custom headers during the upgrade handshake. This change adds
an isWebSocketUpgrade check to all three query-string extraction sites
in CheckAuth and extractAndStoreAuthContext, rejecting ?token= on regular
HTTP requests while preserving WebSocket functionality.
No frontend impact — the kiosk flow stores the token in sessionStorage
then uses X-API-Token headers for all API calls.
