Merge pull request 'v20260113-08-vspc-object-linking-normalize' (#114) from v20260113-08-vspc-object-linking-normalize into main

Reviewed-on: #114

.last-branch

@@ -1 +1 @@
-v20260108-39-changelog-0.1.19
+v20260113-08-vspc-object-linking-normalize

containers/backupchecks/requirements.txt

@@ -7,3 +7,4 @@ python-dateutil==2.9.0.post0
 gunicorn==23.0.0
 requests==2.32.3
 reportlab==4.2.5
+Markdown==3.6

containers/backupchecks/src/backend/app/auth/routes.py

@@ -18,8 +18,9 @@ from ..models import User
 auth_bp = Blueprint("auth", __name__, url_prefix="/auth")
 
 
-def admin_exists() -> bool:
-    return db.session.query(User.id).filter_by(role="admin").first() is not None
+def users_exist() -> bool:
+    # Initial setup should only run on a fresh install where NO users exist yet.
+    return db.session.query(User.id).first() is not None
 
 
 def generate_captcha():
@@ -55,7 +56,7 @@ def captcha_required(func):
 @captcha_required
 def login():
     if request.method == "GET":
-        if not admin_exists():
+        if not users_exist():
             return redirect(url_for("auth.initial_setup"))
 
         question, answer = generate_captcha()
@@ -98,8 +99,8 @@ def logout():
 
 @auth_bp.route("/initial-setup", methods=["GET", "POST"])
 def initial_setup():
-    if admin_exists():
-        flash("An admin user already exists. Please log in.", "info")
+    if users_exist():
+        flash("Users already exist. Please log in.", "info")
         return redirect(url_for("auth.login"))
 
     if request.method == "POST":

containers/backupchecks/src/backend/app/auto_importer_service.py

@@ -7,7 +7,7 @@ from datetime import datetime
 from .admin_logging import log_admin_event
 from .mail_importer import MailImportError, run_auto_import
 from .models import SystemSettings
-from .object_persistence import persist_objects_for_approved_run
+from .object_persistence import persist_objects_for_auto_run
 
 
 _AUTO_IMPORTER_THREAD_NAME = "auto_importer"
@@ -80,7 +80,7 @@ def start_auto_importer(app) -> None:
                         persisted_errors = 0
                         for (customer_id, job_id, run_id, mail_message_id) in auto_approved_runs:
                             try:
-                                persisted_objects += persist_objects_for_approved_run(
+                                persisted_objects += persist_objects_for_auto_run(
                                     int(customer_id), int(job_id), int(run_id), int(mail_message_id)
                                 )
                             except Exception as exc:

containers/backupchecks/src/backend/app/job_matching.py

@@ -68,4 +68,53 @@ def find_matching_job(msg: MailMessage) -> Optional[Job]:
     if len(matches) == 1:
         return matches[0]
 
+    # Backwards-compatible matching for Veeam VSPC Active Alarms summary per-company jobs.
+    # Earlier versions could store company names with slightly different whitespace / HTML entities,
+    # while parsers store objects using a normalized company prefix. When the exact match fails,
+    # try a normalized company comparison so existing jobs continue to match.
+    try:
+        bsw = (backup or "").strip().lower()
+        bt = (btype or "").strip().lower()
+        jn = (job_name or "").strip()
+        if bsw == "veeam" and bt == "service provider console" and "|" in jn:
+            left, right = [p.strip() for p in jn.split("|", 1)]
+            if left.lower() == "active alarms summary" and right:
+                from .parsers.veeam import normalize_vspc_company_name  # lazy import
+
+                target_company = normalize_vspc_company_name(right)
+                if not target_company:
+                    return None
+
+                q2 = Job.query
+                if norm_from is None:
+                    q2 = q2.filter(Job.from_address.is_(None))
+                else:
+                    q2 = q2.filter(Job.from_address == norm_from)
+                q2 = q2.filter(Job.backup_software == backup)
+                q2 = q2.filter(Job.backup_type == btype)
+                q2 = q2.filter(Job.job_name.ilike("Active alarms summary | %"))
+
+                # Load a small set of candidates and compare the company portion.
+                candidates = q2.order_by(Job.updated_at.desc(), Job.id.desc()).limit(25).all()
+                normalized_matches: list[Job] = []
+                for cand in candidates:
+                    cand_name = (cand.job_name or "").strip()
+                    if "|" not in cand_name:
+                        continue
+                    c_left, c_right = [p.strip() for p in cand_name.split("|", 1)]
+                    if c_left.lower() != "active alarms summary" or not c_right:
+                        continue
+                    if normalize_vspc_company_name(c_right) == target_company:
+                        normalized_matches.append(cand)
+
+                if len(normalized_matches) > 1:
+                    customer_ids = {m.customer_id for m in normalized_matches}
+                    if len(customer_ids) == 1:
+                        return normalized_matches[0]
+                    return None
+                if len(normalized_matches) == 1:
+                    return normalized_matches[0]
+    except Exception:
+        pass
+
     return None

containers/backupchecks/src/backend/app/mail_importer.py

@@ -11,8 +11,9 @@ import requests
 from sqlalchemy import func
 
 from . import db
-from .models import MailMessage, SystemSettings, Job, JobRun
+from .models import MailMessage, SystemSettings, Job, JobRun, MailObject
 from .parsers import parse_mail_message
+from .parsers.veeam import extract_vspc_active_alarms_companies
 from .email_utils import normalize_from_address, extract_best_html_from_eml, is_effectively_blank_html
 from .job_matching import find_matching_job
 
@@ -265,6 +266,94 @@ def _store_messages(settings: SystemSettings, messages):
                 and getattr(mail, "parse_result", None) == "ok"
                 and not bool(getattr(mail, "approved", False))
             ):
+                # Special case: Veeam VSPC "Active alarms summary" contains multiple companies.
+                bsw = (getattr(mail, "backup_software", "") or "").strip().lower()
+                btype = (getattr(mail, "backup_type", "") or "").strip().lower()
+                jname = (getattr(mail, "job_name", "") or "").strip().lower()
+
+                if bsw == "veeam" and btype == "service provider console" and jname == "active alarms summary":
+                    raw = (mail.text_body or "").strip() or (mail.html_body or "")
+                    companies = extract_vspc_active_alarms_companies(raw)
+
+                    if companies:
+                        def _is_error_status(value: str | None) -> bool:
+                            v = (value or "").strip().lower()
+                            return v in {"error", "failed", "critical"} or v.startswith("fail")
+
+                        created_any = False
+                        first_job = None
+                        mapped_count = 0
+
+                        for company in companies:
+                            # Build a temp message using the per-company job name
+                            tmp = MailMessage(
+                                from_address=mail.from_address,
+                                backup_software=mail.backup_software,
+                                backup_type=mail.backup_type,
+                                job_name=f"{(mail.job_name or 'Active alarms summary').strip()} | {company}".strip(),
+                            )
+                            job = find_matching_job(tmp)
+                            if not job:
+                                continue
+
+                            # Respect per-job flags.
+                            if hasattr(job, "active") and not bool(job.active):
+                                continue
+                            if hasattr(job, "auto_approve") and not bool(job.auto_approve):
+                                continue
+
+                            mapped_count += 1
+
+                            objs = (
+                                MailObject.query.filter(MailObject.mail_message_id == mail.id)
+                                .filter(MailObject.object_name.ilike(f"{company} | %"))
+                                .all()
+                            )
+                            saw_error = any(_is_error_status(o.status) for o in objs)
+                            saw_warning = any((o.status or "").strip().lower() == "warning" for o in objs)
+                            status = "Error" if saw_error else ("Warning" if saw_warning else (mail.overall_status or "Success"))
+
+                            run = JobRun(
+                                job_id=job.id,
+                                mail_message_id=mail.id,
+                                run_at=mail.received_at,
+                                status=status or None,
+                                missed=False,
+                            )
+
+                            # Optional storage metrics
+                            if hasattr(run, "storage_used_bytes") and hasattr(mail, "storage_used_bytes"):
+                                run.storage_used_bytes = mail.storage_used_bytes
+                            if hasattr(run, "storage_capacity_bytes") and hasattr(mail, "storage_capacity_bytes"):
+                                run.storage_capacity_bytes = mail.storage_capacity_bytes
+                            if hasattr(run, "storage_free_bytes") and hasattr(mail, "storage_free_bytes"):
+                                run.storage_free_bytes = mail.storage_free_bytes
+                            if hasattr(run, "storage_free_percent") and hasattr(mail, "storage_free_percent"):
+                                run.storage_free_percent = mail.storage_free_percent
+
+                            db.session.add(run)
+                            db.session.flush()
+
+                            auto_approved_runs.append((job.customer_id, job.id, run.id, mail.id))
+                            created_any = True
+
+                            if not first_job:
+                                first_job = job
+
+                        # If all companies are mapped, mark the mail as fully approved and move to history.
+                        if created_any and mapped_count == len(companies):
+                            mail.job_id = first_job.id if first_job else None
+                            if hasattr(mail, "approved"):
+                                mail.approved = True
+                            if hasattr(mail, "approved_at"):
+                                mail.approved_at = datetime.utcnow()
+                            if hasattr(mail, "location"):
+                                mail.location = "history"
+                            auto_approved += 1
+
+                        # Do not fall back to single-job matching for VSPC summary.
+                        continue
+
                 job = find_matching_job(mail)
                 if job:
                     # Respect per-job flags.

containers/backupchecks/src/backend/app/main/routes_feedback.py

@@ -4,15 +4,14 @@ from .routes_shared import _format_datetime
 
 @main_bp.route("/feedback")
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_page():
     item_type = (request.args.get("type") or "").strip().lower()
     if item_type not in ("", "bug", "feature"):
         item_type = ""
 
-    # Default to showing both open and resolved items. Resolved items should remain
-    # visible for all users until an admin deletes them.
-    status = (request.args.get("status") or "all").strip().lower()
+    # Default to showing only open items. Users can still switch to Resolved or All via the filter.
+    status = (request.args.get("status") or "open").strip().lower()
     if status not in ("open", "resolved", "all"):
         status = "all"
 
@@ -46,6 +45,9 @@ def feedback_page():
     else:
         order_sql = "vote_count DESC, fi.created_at DESC"
 
+    # Always keep resolved items at the bottom when mixing statuses.
+    order_sql = "CASE WHEN fi.status = 'resolved' THEN 1 ELSE 0 END, " + order_sql
+
     sql = text(
         f"""
         SELECT
@@ -108,7 +110,7 @@ def feedback_page():
 
 @main_bp.route("/feedback/new", methods=["GET", "POST"])
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_new():
     if request.method == "POST":
         item_type = (request.form.get("item_type") or "").strip().lower()
@@ -143,7 +145,7 @@ def feedback_new():
 
 @main_bp.route("/feedback/<int:item_id>")
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_detail(item_id: int):
     item = FeedbackItem.query.get_or_404(item_id)
     if item.deleted_at is not None:
@@ -198,7 +200,7 @@ def feedback_detail(item_id: int):
 
 @main_bp.route("/feedback/<int:item_id>/reply", methods=["POST"])
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_reply(item_id: int):
     item = FeedbackItem.query.get_or_404(item_id)
     if item.deleted_at is not None:
@@ -231,7 +233,7 @@ def feedback_reply(item_id: int):
 
 @main_bp.route("/feedback/<int:item_id>/vote", methods=["POST"])
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_vote(item_id: int):
     item = FeedbackItem.query.get_or_404(item_id)
     if item.deleted_at is not None:

containers/backupchecks/src/backend/app/main/routes_inbox.py

@@ -2,8 +2,13 @@ from .routes_shared import *  # noqa: F401,F403
 from .routes_shared import _format_datetime, _log_admin_event, _send_mail_message_eml_download
 
 from ..email_utils import extract_best_html_from_eml, is_effectively_blank_html
+from ..parsers.veeam import extract_vspc_active_alarms_companies
+from ..models import MailObject
 
 import time
+import re
+import html as _html
+
 
 @main_bp.route("/inbox")
 @login_required
@@ -149,7 +154,52 @@ def inbox_message_detail(message_id: int):
         for obj in MailObject.query.filter_by(mail_message_id=msg.id).order_by(MailObject.object_name.asc()).all()
     ]
 
-    return jsonify({"status": "ok", "meta": meta, "body_html": body_html, "objects": objects})
+    # VSPC multi-company emails (e.g. "Active alarms summary") may not store parsed objects yet.
+    # Extract company names from the stored body so the UI can offer a dedicated mapping workflow.
+    vspc_companies: list[str] = []
+    vspc_company_defaults: dict[str, dict] = {}
+    try:
+        bsw = (getattr(msg, "backup_software", "") or "").strip().lower()
+        btype = (getattr(msg, "backup_type", "") or "").strip().lower()
+        jname = (getattr(msg, "job_name", "") or "").strip().lower()
+
+        if bsw == "veeam" and btype == "service provider console" and jname == "active alarms summary":
+            raw = text_body if not _is_blank_text(text_body) else (html_body or "")
+            vspc_companies = extract_vspc_active_alarms_companies(raw)
+
+            # For each company, prefill the UI with the existing customer mapping if we already have a job for it.
+            # This avoids re-mapping known companies and keeps the message actionable in the Inbox.
+            if vspc_companies:
+                for company in vspc_companies:
+                    norm_from, store_backup, store_type, _store_job = build_job_match_key(msg)
+                    company_job_name = f"{(msg.job_name or 'Active alarms summary').strip()} | {company}".strip()
+                    tmp_msg = MailMessage(
+                        from_address=norm_from,
+                        backup_software=store_backup,
+                        backup_type=store_type,
+                        job_name=company_job_name,
+                    )
+                    job = find_matching_job(tmp_msg)
+                    if job and getattr(job, "customer_id", None):
+                        c = Customer.query.get(int(job.customer_id))
+                        if c:
+                            vspc_company_defaults[company] = {
+                                "customer_id": int(c.id),
+                                "customer_name": c.name,
+                            }
+    except Exception:
+        vspc_companies = []
+        vspc_company_defaults = {}
+
+
+    return jsonify({
+        "status": "ok",
+        "meta": meta,
+        "body_html": body_html,
+        "objects": objects,
+        "vspc_companies": vspc_companies,
+        "vspc_company_defaults": vspc_company_defaults,
+    })
 
 
 @main_bp.route("/inbox/message/<int:message_id>/eml")
@@ -282,6 +332,409 @@ def inbox_message_approve(message_id: int):
     return redirect(url_for("main.inbox"))
 
 
+@main_bp.route("/inbox/<int:message_id>/approve_vspc_companies", methods=["POST"])
+@login_required
+@roles_required("admin", "operator")
+def inbox_message_approve_vspc_companies(message_id: int):
+    msg = MailMessage.query.get_or_404(message_id)
+
+    # Only allow approval from inbox
+    if getattr(msg, "location", "inbox") != "inbox":
+        flash("This message is no longer in the Inbox and cannot be approved here.", "warning")
+        return redirect(url_for("main.inbox"))
+
+    mappings_json = (request.form.get("company_mappings_json") or "").strip()
+    try:
+        mappings = json.loads(mappings_json) if mappings_json else []
+    except Exception:
+        flash("Invalid company mappings payload.", "danger")
+        return redirect(url_for("main.inbox"))
+
+    if mappings is None:
+        mappings = []
+
+    if not isinstance(mappings, list):
+        flash("Invalid company mappings payload.", "danger")
+        return redirect(url_for("main.inbox"))
+
+    # Validate message type (best-effort guard)
+    if (getattr(msg, "backup_software", None) or "").strip() != "Veeam" or (getattr(msg, "backup_type", None) or "").strip() != "Service Provider Console":
+        flash("This approval method is only valid for Veeam Service Provider Console summary emails.", "danger")
+        return redirect(url_for("main.inbox"))
+
+    # Determine companies present in this message (only alarms > 0).
+    html_body = getattr(msg, "html_body", None)
+    text_body = getattr(msg, "text_body", None)
+    raw_for_companies = text_body if (text_body and str(text_body).strip()) else (html_body or "")
+    companies_present = extract_vspc_active_alarms_companies(raw_for_companies)
+
+    if not companies_present:
+        flash("No companies could be detected in this VSPC summary email.", "danger")
+        return redirect(url_for("main.inbox"))
+
+    # Resolve existing mappings from already-created per-company jobs.
+    existing_map: dict[str, int] = {}
+    for company in companies_present:
+        norm_from, store_backup, store_type, _store_job = build_job_match_key(msg)
+        company_job_name = f"{(msg.job_name or 'Active alarms summary').strip()} | {company}".strip()
+        tmp_msg = MailMessage(
+            from_address=norm_from,
+            backup_software=store_backup,
+            backup_type=store_type,
+            job_name=company_job_name,
+        )
+        job = find_matching_job(tmp_msg)
+        if job and getattr(job, "customer_id", None):
+            try:
+                existing_map[company] = int(job.customer_id)
+            except Exception:
+                pass
+
+    # Resolve mappings provided by the user from the popup.
+    provided_map: dict[str, int] = {}
+    for item in mappings:
+        if not isinstance(item, dict):
+            continue
+        company = (item.get("company") or "").strip()
+        customer_id_raw = str(item.get("customer_id") or "").strip()
+        if not company or not customer_id_raw:
+            continue
+
+        try:
+            customer_id = int(customer_id_raw)
+        except ValueError:
+            continue
+
+        customer = Customer.query.get(customer_id)
+        if not customer:
+            continue
+
+        provided_map[company] = int(customer.id)
+
+        # Persist mapping immediately by creating/updating the per-company job.
+        # This ensures already mapped companies are shown next time, even if approval is blocked.
+        norm_from, store_backup, store_type, _store_job = build_job_match_key(msg)
+        company_job_name = f"{(msg.job_name or 'Active alarms summary').strip()} | {company}".strip()
+
+        tmp_msg = MailMessage(
+            from_address=norm_from,
+            backup_software=store_backup,
+            backup_type=store_type,
+            job_name=company_job_name,
+        )
+        job = find_matching_job(tmp_msg)
+        if job:
+            if job.customer_id != customer.id:
+                job.customer_id = customer.id
+        else:
+            job = Job(
+                customer_id=customer.id,
+                from_address=norm_from,
+                backup_software=store_backup,
+                backup_type=store_type,
+                job_name=company_job_name,
+                active=True,
+                auto_approve=True,
+            )
+            db.session.add(job)
+            db.session.flush()
+
+    # Commit any mapping updates so they are visible immediately in the UI.
+    try:
+        db.session.commit()
+    except Exception:
+        db.session.rollback()
+        flash("Could not save company mappings due to a database error.", "danger")
+        return redirect(url_for("main.inbox"))
+
+    # Final mapping resolution: existing job mappings + any newly provided ones.
+    final_map: dict[str, int] = dict(existing_map)
+    final_map.update(provided_map)
+
+    missing_companies = [c for c in companies_present if c not in final_map]
+    mapped_companies = [c for c in companies_present if c in final_map]
+
+    if not mapped_companies:
+        # Nothing to approve yet; user must map at least one company.
+        missing_str = ", ".join(missing_companies[:10])
+        if len(missing_companies) > 10:
+            missing_str += f" (+{len(missing_companies) - 10} more)"
+        flash(
+            (
+                "Please map at least one company before approving."
+                + (f" Missing: {missing_str}" if missing_str else "")
+            ),
+            "danger",
+        )
+        return redirect(url_for("main.inbox"))
+
+    def _is_error_status(value: str | None) -> bool:
+        v = (value or "").strip().lower()
+        return v in {"error", "failed", "critical"} or v.startswith("fail")
+
+    created_runs: list[JobRun] = []
+    skipped_existing = 0
+    first_job: Job | None = None
+
+    # Create runs for mapped companies only. If some companies remain unmapped,
+    # the message stays in the Inbox so the user can map the remainder later.
+    for company in mapped_companies:
+        customer_id = int(final_map[company])
+        customer = Customer.query.get(customer_id)
+        if not customer:
+            continue
+
+        norm_from, store_backup, store_type, _store_job = build_job_match_key(msg)
+        company_job_name = f"{(msg.job_name or 'Active alarms summary').strip()} | {company}".strip()
+        tmp_msg = MailMessage(
+            from_address=norm_from,
+            backup_software=store_backup,
+            backup_type=store_type,
+            job_name=company_job_name,
+        )
+        job = find_matching_job(tmp_msg)
+        if job:
+            if job.customer_id != customer.id:
+                job.customer_id = customer.id
+        else:
+            job = Job(
+                customer_id=customer.id,
+                from_address=norm_from,
+                backup_software=store_backup,
+                backup_type=store_type,
+                job_name=company_job_name,
+                active=True,
+                auto_approve=True,
+            )
+            db.session.add(job)
+            db.session.flush()
+
+        if not first_job:
+            first_job = job
+
+        objs = (
+            MailObject.query.filter(MailObject.mail_message_id == msg.id)
+            .filter(MailObject.object_name.ilike(f"{company} | %"))
+            .all()
+        )
+        saw_error = any(_is_error_status(o.status) for o in objs)
+        saw_warning = any((o.status or "").strip().lower() == "warning" for o in objs)
+        status = "Error" if saw_error else ("Warning" if saw_warning else (msg.overall_status or "Success"))
+
+        # De-duplicate: do not create multiple runs for the same (mail_message_id, job_id).
+        run = JobRun.query.filter(JobRun.job_id == job.id, JobRun.mail_message_id == msg.id).first()
+        if run:
+            skipped_existing += 1
+        else:
+            run = JobRun(
+                job_id=job.id,
+                mail_message_id=msg.id,
+                run_at=(msg.received_at or getattr(msg, "parsed_at", None) or datetime.utcnow()),
+                status=status or None,
+                missed=False,
+            )
+            if hasattr(run, "remark"):
+                run.remark = getattr(msg, "overall_message", None)
+
+            db.session.add(run)
+            db.session.flush()
+            created_runs.append(run)
+
+        # Persist objects for reporting (idempotent upsert; safe to repeat).
+        try:
+            persist_objects_for_approved_run_filtered(
+                customer.id,
+                job.id,
+                run.id,
+                msg.id,
+                object_name_prefix=company,
+                strip_prefix=True,
+            )
+        except Exception as exc:
+            _log_admin_event(
+                "object_persist_error",
+                f"Filtered object persistence failed for message {msg.id} (company '{company}', job {job.id}, run {run.id}): {exc}",
+            )
+
+    processed_total = len(created_runs) + skipped_existing
+    if processed_total <= 0:
+        flash("No runs could be created for this VSPC summary.", "danger")
+        return redirect(url_for("main.inbox"))
+
+    # Commit created runs and any job mapping updates first.
+    try:
+        db.session.commit()
+    except Exception as exc:
+        db.session.rollback()
+        flash("Could not approve this job due to a database error.", "danger")
+        _log_admin_event("inbox_approve_error", f"Failed to approve VSPC message {msg.id}: {exc}")
+        return redirect(url_for("main.inbox"))
+
+    if missing_companies:
+        # Keep message in Inbox until all companies are mapped, but keep the already
+        # created runs for mapped companies.
+        missing_str = ", ".join(missing_companies[:10])
+        if len(missing_companies) > 10:
+            missing_str += f" (+{len(missing_companies) - 10} more)"
+        _log_admin_event(
+            "inbox_approve_vspc_partial",
+            f"Partially approved VSPC message {msg.id}: {processed_total} run(s) processed, missing={missing_str}",
+        )
+        flash(
+            f"Approved {processed_total} mapped compan{'y' if processed_total == 1 else 'ies'}. Message stays in the Inbox until all companies are mapped. Missing: {missing_str}",
+            "warning",
+        )
+        return redirect(url_for("main.inbox"))
+
+    # All companies mapped: mark the message as approved and move it to History.
+    msg.job_id = first_job.id if first_job else None
+    if hasattr(msg, "approved"):
+        msg.approved = True
+    if hasattr(msg, "approved_at"):
+        msg.approved_at = datetime.utcnow()
+    if hasattr(msg, "approved_by_id"):
+        msg.approved_by_id = current_user.id
+    if hasattr(msg, "location"):
+        msg.location = "history"
+
+    try:
+        db.session.commit()
+    except Exception as exc:
+        db.session.rollback()
+        flash("Could not finalize approval due to a database error.", "danger")
+        _log_admin_event("inbox_approve_error", f"Failed to finalize VSPC approval for message {msg.id}: {exc}")
+        return redirect(url_for("main.inbox"))
+
+    # Best-effort: now that company jobs are mapped, auto-approve other inbox
+    # messages of the same VSPC summary type whose companies are now all mapped.
+    retro_approved_msgs = 0
+    try:
+        q = MailMessage.query
+        if hasattr(MailMessage, "location"):
+            q = q.filter(MailMessage.location == "inbox")
+        q = q.filter(MailMessage.parse_result == "ok")
+        q = q.filter(MailMessage.job_id.is_(None))
+        q = q.filter(MailMessage.backup_software == "Veeam")
+        q = q.filter(MailMessage.backup_type == "Service Provider Console")
+        q = q.filter(MailMessage.job_name == (msg.job_name or "Active alarms summary"))
+        q = q.filter(MailMessage.id != msg.id)
+        candidates = q.order_by(MailMessage.received_at.desc().nullslast(), MailMessage.id.desc()).limit(25).all()
+
+        for other in candidates:
+            nested = db.session.begin_nested()
+            try:
+                raw_other = (other.text_body or "").strip() or (other.html_body or "")
+                companies = extract_vspc_active_alarms_companies(raw_other)
+                if not companies:
+                    nested.commit()
+                    continue
+
+                jobs_by_company: dict[str, Job] = {}
+                all_mapped = True
+                for company in companies:
+                    norm_from, store_backup, store_type, _store_job = build_job_match_key(other)
+                    company_job_name = f"{(other.job_name or 'Active alarms summary').strip()} | {company}".strip()
+                    tmp = MailMessage(
+                        from_address=norm_from,
+                        backup_software=store_backup,
+                        backup_type=store_type,
+                        job_name=company_job_name,
+                    )
+                    with db.session.no_autoflush:
+                        j = find_matching_job(tmp)
+                    if not j or not getattr(j, "customer_id", None):
+                        all_mapped = False
+                        break
+                    if hasattr(j, "active") and not bool(j.active):
+                        all_mapped = False
+                        break
+                    if hasattr(j, "auto_approve") and not bool(j.auto_approve):
+                        all_mapped = False
+                        break
+                    jobs_by_company[company] = j
+
+                if not all_mapped:
+                    nested.commit()
+                    continue
+
+                first_job2: Job | None = None
+                for company, job2 in jobs_by_company.items():
+                    if not first_job2:
+                        first_job2 = job2
+
+                    objs2 = (
+                        MailObject.query.filter(MailObject.mail_message_id == other.id)
+                        .filter(MailObject.object_name.ilike(f"{company} | %"))
+                        .all()
+                    )
+                    saw_error2 = any(_is_error_status(o.status) for o in objs2)
+                    saw_warning2 = any((o.status or "").strip().lower() == "warning" for o in objs2)
+                    status2 = "Error" if saw_error2 else ("Warning" if saw_warning2 else (other.overall_status or "Success"))
+
+                    run2 = JobRun.query.filter(JobRun.job_id == job2.id, JobRun.mail_message_id == other.id).first()
+                    if not run2:
+                        run2 = JobRun(
+                            job_id=job2.id,
+                            mail_message_id=other.id,
+                            run_at=(other.received_at or getattr(other, "parsed_at", None) or datetime.utcnow()),
+                            status=status2 or None,
+                            missed=False,
+                        )
+                        if hasattr(run2, "remark"):
+                            run2.remark = getattr(other, "overall_message", None)
+                        db.session.add(run2)
+                        db.session.flush()
+
+                    # Persist objects per company
+                    try:
+                        persist_objects_for_approved_run_filtered(
+                            int(job2.customer_id),
+                            int(job2.id),
+                            int(run2.id),
+                            int(other.id),
+                            object_name_prefix=company,
+                            strip_prefix=True,
+                        )
+                    except Exception as exc:
+                        _log_admin_event(
+                            "object_persist_error",
+                            f"Filtered object persistence failed for message {other.id} (company '{company}', job {job2.id}, run {run2.id}): {exc}",
+                        )
+
+                other.job_id = first_job2.id if first_job2 else None
+                if hasattr(other, "approved"):
+                    other.approved = True
+                if hasattr(other, "approved_at"):
+                    other.approved_at = datetime.utcnow()
+                if hasattr(other, "approved_by_id"):
+                    other.approved_by_id = current_user.id
+                if hasattr(other, "location"):
+                    other.location = "history"
+
+                nested.commit()
+                retro_approved_msgs += 1
+            except Exception:
+                try:
+                    nested.rollback()
+                except Exception:
+                    db.session.rollback()
+
+        db.session.commit()
+    except Exception:
+        try:
+            db.session.rollback()
+        except Exception:
+            pass
+
+    _log_admin_event(
+        "inbox_approve_vspc",
+        f"Approved VSPC message {msg.id} into {processed_total} run(s) (job_id={msg.job_id}), retro_approved={retro_approved_msgs}",
+    )
+    flash(f"Approved VSPC summary into {processed_total} run(s).", "success")
+    return redirect(url_for("main.inbox"))
+
+
+
 @main_bp.route("/inbox/message/<int:message_id>/delete", methods=["POST"])
 @login_required
 @roles_required("admin", "operator")
@@ -529,6 +982,95 @@ def inbox_reparse_all():
                         and getattr(msg, "parse_result", None) == "ok"
                         and getattr(msg, "job_id", None) is None
                     ):
+                        # Special case: VSPC Active Alarms summary can contain multiple companies.
+                        bsw = (getattr(msg, "backup_software", "") or "").strip().lower()
+                        btype = (getattr(msg, "backup_type", "") or "").strip().lower()
+                        jname = (getattr(msg, "job_name", "") or "").strip().lower()
+
+                        if bsw == "veeam" and btype == "service provider console" and jname == "active alarms summary":
+                            raw = (getattr(msg, "text_body", None) or "").strip() or (getattr(msg, "html_body", None) or "")
+                            companies = extract_vspc_active_alarms_companies(raw)
+
+                            if companies:
+                                def _is_error_status(value: str | None) -> bool:
+                                    v = (value or "").strip().lower()
+                                    return v in {"error", "failed", "critical"} or v.startswith("fail")
+
+                                first_job = None
+                                mapped_count = 0
+                                created_any = False
+
+                                for company in companies:
+                                    tmp_msg = MailMessage(
+                                        from_address=msg.from_address,
+                                        backup_software=msg.backup_software,
+                                        backup_type=msg.backup_type,
+                                        job_name=f"{(msg.job_name or 'Active alarms summary').strip()} | {company}".strip(),
+                                    )
+                                    with db.session.no_autoflush:
+                                        job = find_matching_job(tmp_msg)
+
+                                    if not job:
+                                        continue
+                                    if hasattr(job, "active") and not bool(job.active):
+                                        continue
+                                    if hasattr(job, "auto_approve") and not bool(job.auto_approve):
+                                        continue
+
+                                    mapped_count += 1
+
+                                    objs = (
+                                        MailObject.query.filter(MailObject.mail_message_id == msg.id)
+                                        .filter(MailObject.object_name.ilike(f"{company} | %"))
+                                        .all()
+                                    )
+                                    saw_error = any(_is_error_status(o.status) for o in objs)
+                                    saw_warning = any((o.status or "").strip().lower() == "warning" for o in objs)
+                                    status = "Error" if saw_error else ("Warning" if saw_warning else (msg.overall_status or "Success"))
+
+                                    run = JobRun(
+                                        job_id=job.id,
+                                        mail_message_id=msg.id,
+                                        run_at=(msg.received_at or getattr(msg, "parsed_at", None) or datetime.utcnow()),
+                                        status=status or None,
+                                        missed=False,
+                                    )
+
+                                    if hasattr(run, "remark"):
+                                        run.remark = getattr(msg, "overall_message", None)
+
+                                    if hasattr(run, "storage_used_bytes") and hasattr(msg, "storage_used_bytes"):
+                                        run.storage_used_bytes = msg.storage_used_bytes
+                                    if hasattr(run, "storage_capacity_bytes") and hasattr(msg, "storage_capacity_bytes"):
+                                        run.storage_capacity_bytes = msg.storage_capacity_bytes
+                                    if hasattr(run, "storage_free_bytes") and hasattr(msg, "storage_free_bytes"):
+                                        run.storage_free_bytes = msg.storage_free_bytes
+                                    if hasattr(run, "storage_free_percent") and hasattr(msg, "storage_free_percent"):
+                                        run.storage_free_percent = msg.storage_free_percent
+
+                                    db.session.add(run)
+                                    db.session.flush()
+                                    auto_approved_runs.append((job.customer_id, job.id, run.id, msg.id))
+                                    created_any = True
+
+                                    if not first_job:
+                                        first_job = job
+
+                                if created_any and mapped_count == len(companies):
+                                    msg.job_id = first_job.id if first_job else None
+                                    if hasattr(msg, "approved"):
+                                        msg.approved = True
+                                    if hasattr(msg, "approved_at"):
+                                        msg.approved_at = datetime.utcnow()
+                                    if hasattr(msg, "approved_by_id"):
+                                        msg.approved_by_id = None
+                                    if hasattr(msg, "location"):
+                                        msg.location = "history"
+                                    auto_approved += 1
+
+                                # Do not fall back to single-job matching for VSPC summary.
+                                continue
+
                         # Match approved job on: From + Backup + Type + Job name
                         # Prevent session autoflush for every match lookup while we
                         # are still updating many messages in a loop.
@@ -709,7 +1251,7 @@ def inbox_reparse_all():
         persisted_errors = 0
         for (customer_id, job_id, run_id, mail_message_id) in auto_approved_runs:
             try:
-                persisted_objects += persist_objects_for_approved_run(
+                persisted_objects += persist_objects_for_auto_run(
                     customer_id, job_id, run_id, mail_message_id
                 )
             except Exception as exc:

containers/backupchecks/src/backend/app/main/routes_jobs.py

@@ -423,25 +423,17 @@ def job_delete(job_id: int):
     job = Job.query.get_or_404(job_id)
 
     try:
-        # Collect run ids for FK cleanup in auxiliary tables that may not have ON DELETE CASCADE
-        run_ids = []
-        mail_message_ids = []
+        # Collect run IDs up-front for cleanup across dependent tables
+        run_ids = [r.id for r in JobRun.query.filter_by(job_id=job.id).all()]
 
-        for run in job.runs:
-            if run.id is not None:
-                run_ids.append(run.id)
-            if run.mail_message_id:
-                mail_message_ids.append(run.mail_message_id)
+        # Put any related mails back into the inbox and unlink from job
+        msgs = MailMessage.query.filter(MailMessage.job_id == job.id).all()
+        for msg in msgs:
+            if hasattr(msg, "location"):
+                msg.location = "inbox"
+            msg.job_id = None
 
-        # Put related mails back into the inbox and unlink from job
-        if mail_message_ids:
-            msgs = MailMessage.query.filter(MailMessage.id.in_(mail_message_ids)).all()
-            for msg in msgs:
-                if hasattr(msg, "location"):
-                    msg.location = "inbox"
-                msg.job_id = None
-
-        # Ensure run_object_links doesn't block job_runs deletion (older schemas may miss ON DELETE CASCADE)
+        # Clean up tables that may not have ON DELETE CASCADE in older schemas.
         if run_ids:
             db.session.execute(
                 text("DELETE FROM run_object_links WHERE run_id IN :run_ids").bindparams(
@@ -449,13 +441,47 @@ def job_delete(job_id: int):
                 ),
                 {"run_ids": run_ids},
             )
+            db.session.execute(
+                text("DELETE FROM job_run_review_events WHERE run_id IN :run_ids").bindparams(
+                    bindparam("run_ids", expanding=True)
+                ),
+                {"run_ids": run_ids},
+            )
+            db.session.execute(
+                text("DELETE FROM ticket_job_runs WHERE job_run_id IN :run_ids").bindparams(
+                    bindparam("run_ids", expanding=True)
+                ),
+                {"run_ids": run_ids},
+            )
+            db.session.execute(
+                text("DELETE FROM remark_job_runs WHERE job_run_id IN :run_ids").bindparams(
+                    bindparam("run_ids", expanding=True)
+                ),
+                {"run_ids": run_ids},
+            )
+            db.session.execute(
+                text("DELETE FROM job_objects WHERE job_run_id IN :run_ids").bindparams(
+                    bindparam("run_ids", expanding=True)
+                ),
+                {"run_ids": run_ids},
+            )
+
+        # Overrides scoped to this job (object overrides)
+        db.session.execute(text("UPDATE overrides SET job_id = NULL WHERE job_id = :job_id"), {"job_id": job.id})
+
+        # Ticket/Remark scopes may reference a specific job
+        db.session.execute(text("UPDATE ticket_scopes SET job_id = NULL WHERE job_id = :job_id"), {"job_id": job.id})
+        db.session.execute(text("UPDATE remark_scopes SET job_id = NULL WHERE job_id = :job_id"), {"job_id": job.id})
 
         # Ensure job_object_links doesn't block jobs deletion (older schemas may miss ON DELETE CASCADE)
-        if job.id is not None:
-            db.session.execute(
-                text("DELETE FROM job_object_links WHERE job_id = :job_id"),
-                {"job_id": job.id},
-            )
+        db.session.execute(
+            text("DELETE FROM job_object_links WHERE job_id = :job_id"),
+            {"job_id": job.id},
+        )
+
+        # Finally remove runs and the job itself
+        if run_ids:
+            db.session.execute(text("DELETE FROM job_runs WHERE job_id = :job_id"), {"job_id": job.id})
 
         db.session.delete(job)
         db.session.commit()
@@ -465,4 +491,4 @@ def job_delete(job_id: int):
         print(f"[jobs] Failed to delete job: {exc}")
         flash("Failed to delete job.", "danger")
 
-    return redirect(url_for("main.jobs"))
+    return redirect(url_for("main.jobs"))

containers/backupchecks/src/backend/app/main/routes_overrides.py

@@ -75,7 +75,16 @@ def overrides():
         if ov.match_status:
             crit.append(f"status == {ov.match_status}")
         if ov.match_error_contains:
-            crit.append(f"error contains '{ov.match_error_contains}'")
+            mode = (getattr(ov, "match_error_mode", None) or "contains").strip().lower()
+            if mode == "exact":
+                label = "error exact"
+            elif mode == "starts_with":
+                label = "error starts with"
+            elif mode == "ends_with":
+                label = "error ends with"
+            else:
+                label = "error contains"
+            crit.append(f"{label} '{ov.match_error_contains}'")
         if crit:
             scope = scope + " [" + ", ".join(crit) + "]"
 
@@ -95,6 +104,13 @@ def overrides():
                 "comment": ov.comment or "",
                 "match_status": ov.match_status or "",
                 "match_error_contains": ov.match_error_contains or "",
+                "match_error_mode": getattr(ov, "match_error_mode", None) or "",
+                "backup_software": ov.backup_software or "",
+                "backup_type": ov.backup_type or "",
+                "job_id": ov.job_id or "",
+                "object_name": ov.object_name or "",
+                "start_at_raw": (ov.start_at.strftime("%Y-%m-%dT%H:%M") if ov.start_at else ""),
+                "end_at_raw": (ov.end_at.strftime("%Y-%m-%dT%H:%M") if ov.end_at else ""),
             }
         )
 
@@ -126,6 +142,12 @@ def overrides_create():
 
     match_status = (request.form.get("match_status") or "").strip() or None
     match_error_contains = (request.form.get("match_error_contains") or "").strip() or None
+    match_error_mode = (request.form.get("match_error_mode") or "").strip().lower() or None
+    if match_error_contains:
+        if match_error_mode not in ("contains", "exact", "starts_with", "ends_with"):
+            match_error_mode = "contains"
+    else:
+        match_error_mode = None
 
     start_at_str = request.form.get("start_at") or ""
     end_at_str = request.form.get("end_at") or ""
@@ -159,6 +181,7 @@ def overrides_create():
         object_name=object_name if level == "object" else None,
         match_status=match_status,
         match_error_contains=match_error_contains,
+        match_error_mode=match_error_mode,
         treat_as_success=treat_as_success,
         active=True,
         comment=comment,
@@ -218,6 +241,12 @@ def overrides_update(override_id: int):
 
     match_status = (request.form.get("match_status") or "").strip() or None
     match_error_contains = (request.form.get("match_error_contains") or "").strip() or None
+    match_error_mode = (request.form.get("match_error_mode") or "").strip().lower() or None
+    if match_error_contains:
+        if match_error_mode not in ("contains", "exact", "starts_with", "ends_with"):
+            match_error_mode = "contains"
+    else:
+        match_error_mode = None
 
     start_at_str = request.form.get("start_at") or ""
     end_at_str = request.form.get("end_at") or ""
@@ -252,6 +281,7 @@ def overrides_update(override_id: int):
     ov.object_name = object_name if level == "object" else None
     ov.match_status = match_status
     ov.match_error_contains = match_error_contains
+    ov.match_error_mode = match_error_mode
     ov.treat_as_success = treat_as_success
     ov.comment = comment
     ov.start_at = start_at

containers/backupchecks/src/backend/app/main/routes_parsers.py

@@ -1,106 +1,16 @@
 from .routes_shared import *  # noqa: F401,F403
 
+# Keep the parser overview page in sync with the actual parser registry.
+from ..parsers.registry import PARSER_DEFINITIONS
+
 @main_bp.route("/parsers")
 @login_required
 @roles_required("admin")
 def parsers_overview():
-    # Only show what is currently implemented in code.
-    # Currently implemented parsers:
-    # - 3CX (Backup Complete notifications)
-    # - Veeam (status mails in multiple variants)
-    parsers = [
-        {
-            "name": "3CX backup complete",
-            "backup_software": "3CX",
-            "backup_types": [],
-            "order": 10,
-            "enabled": True,
-            "match": {
-                "subject_regex": r"^3CX Notification:\\s*Backup Complete\\s*-\\s*(.+)$",
-            },
-            "description": "Parses 3CX backup notifications (Backup Complete).",
-            "examples": [
-                {
-                    "subject": "3CX Notification: Backup Complete - PBX01",
-                    "from_address": "noreply@3cx.local",
-                    "body_snippet": "Backup name: PBX01_2025-12-17.zip",
-                    "parsed_result": {
-                        "backup_software": "3CX",
-                        "backup_type": "",
-                        "job_name": "PBX01",
-                        "objects": [
-                            {
-                                "name": "PBX01_2025-12-17.zip",
-                                "status": "Success",
-                                "error_message": "",
-                            }
-                        ],
-                    },
-                }
-            ],
-        },
-        {
-            "name": "3CX SSL certificate renewal",
-            "backup_software": "3CX",
-            "backup_types": ["SSL Certificate"],
-            "order": 11,
-            "enabled": True,
-            "match": {
-                "subject_regex": r"^3CX Notification:\\s*SSL Certificate Renewal\\s*-\\s*(.+)$",
-            },
-            "description": "Parses 3CX SSL certificate renewal notifications (informational) so they are tracked and included in reporting.",
-            "examples": [],
-        },
-        {
-            "name": "Veeam status mails",
-            "backup_software": "Veeam",
-            "backup_types": [
-                "Backup Job",
-                "Backup Copy Job",
-                "Replica Job",
-                "Replication job",
-                "Configuration Backup",
-                "Agent Backup job",
-                "Veeam Backup for Microsoft 365",
-                "Scale Out Back-up Repository",
-            ],
-            "order": 20,
-            "enabled": True,
-            "match": {
-                "subject_regex": r"\\[(Success|Warning|Failed)\\]\\s*(.+)$",
-            },
-            "description": "Parses Veeam status mails. Job name/type are preferably extracted from the HTML header to avoid subject suffix noise.",
-            "examples": [
-                {
-                    "subject": "[Warning] Daily-VM-Backup (3 objects) 1 warning",
-                    "from_address": "veeam@customer.local",
-                    "body_snippet": "Backup job: Daily-VM-Backup\\n...",
-                    "parsed_result": {
-                        "backup_software": "Veeam",
-                        "backup_type": "Backup job",
-                        "job_name": "Daily-VM-Backup",
-                        "objects": [
-                            {"name": "VM-APP01", "status": "Success", "error_message": ""},
-                            {"name": "VM-DB01", "status": "Warning", "error_message": "Low disk space"},
-                        ],
-                    },
-                },
-                {
-                    "subject": "[Success] Offsite-Repository",
-                    "from_address": "veeam@customer.local",
-                    "body_snippet": "Backup Copy job: Offsite-Repository\\n...",
-                    "parsed_result": {
-                        "backup_software": "Veeam",
-                        "backup_type": "Backup Copy job",
-                        "job_name": "Offsite-Repository",
-                        "objects": [
-                            {"name": "Backup Copy Chain", "status": "Success", "error_message": ""}
-                        ],
-                    },
-                },
-            ],
-        },
-    ]
+    parsers = sorted(
+        PARSER_DEFINITIONS,
+        key=lambda p: (p.get("order", 9999), p.get("backup_software", ""), p.get("name", "")),
+    )
 
     return render_template(
         "main/parsers.html",

containers/backupchecks/src/backend/app/main/routes_reporting_api.py

@@ -360,6 +360,10 @@ def build_report_job_filters_meta():
         if (bs_val or "").strip().lower() == "synology" and bt_val.lower() == "updates":
             continue
 
+        # QNAP firmware update notifications are informational and should never appear in reports.
+        if (bs_val or "").strip().lower() == "qnap" and bt_val.lower() == "firmware update":
+            continue
+
         if bs_val:
             backup_softwares_set.add(bs_val)
         if bt_val:
@@ -381,7 +385,7 @@ def build_report_job_filters_meta():
         "backup_softwares": backup_softwares,
         "backup_types": backup_types,
         "by_backup_software": by_backup_software_out,
-        "excluded_backup_types": ["License Key", "Updates (Synology)"],
+        "excluded_backup_types": ["License Key", "Updates (Synology)", "Firmware Update (QNAP)"],
     }
 
 
@@ -507,6 +511,7 @@ def api_reports_generate(report_id: int):
     where_filters = (
         " AND COALESCE(j.backup_type,'') NOT ILIKE 'license key' "
         " AND NOT (LOWER(COALESCE(j.backup_software,'')) = 'synology' AND LOWER(COALESCE(j.backup_type,'')) = 'updates') "
+        " AND NOT (LOWER(COALESCE(j.backup_software,'')) = 'qnap' AND LOWER(COALESCE(j.backup_type,'')) = 'firmware update') "
     )
     rc = _safe_json_dict(getattr(report, "report_config", None))
     filters = rc.get("filters") if isinstance(rc, dict) else None

containers/backupchecks/src/backend/app/main/routes_run_checks.py

@@ -744,6 +744,7 @@ def run_checks_details():
                 "run_at": _format_datetime(run.run_at) if run.run_at else "-",
                 "status": status_display,
                 "remark": run.remark or "",
+                "overall_message": (getattr(msg, "overall_message", None) or "") if msg else "",
                 "missed": bool(run.missed),
                 "is_reviewed": bool(run.reviewed_at),
                 "reviewed_at": _format_datetime(run.reviewed_at) if (get_active_role() == "admin" and run.reviewed_at) else "",
@@ -967,6 +968,7 @@ def api_run_checks_mark_success_override():
             object_name=obj_name,
             match_status=(obj_status or None),
             match_error_contains=(err[:255] if err else None),
+            match_error_mode=("contains" if err else None),
             treat_as_success=True,
             active=True,
             comment=comment,
@@ -998,6 +1000,7 @@ def api_run_checks_mark_success_override():
             backup_type=job.backup_type or None,
             match_status=(getattr(run, "status", None) or None),
             match_error_contains=(match_error_contains[:255] if match_error_contains else None),
+            match_error_mode=("contains" if match_error_contains else None),
             treat_as_success=True,
             active=True,
             comment=comment,

containers/backupchecks/src/backend/app/main/routes_settings.py

@@ -169,7 +169,7 @@ def settings_objects_backfill():
 
     for r in rows:
         try:
-            repaired_objects += persist_objects_for_approved_run(
+            repaired_objects += persist_objects_for_auto_run(
                 int(r[2]), int(r[1]), int(r[0]), int(r[3])
             )
             repaired_runs += 1
@@ -586,6 +586,15 @@ def settings():
             news_admin_stats = {}
 
 
+    users = User.query.order_by(User.username.asc()).all()
+
+    # Count users that have 'admin' among their assigned roles (comma-separated storage)
+    admin_users_count = 0
+    try:
+        admin_users_count = sum(1 for u in users if "admin" in (getattr(u, "roles", None) or []))
+    except Exception:
+        admin_users_count = 0
+
     return render_template(
         "main/settings.html",
         settings=settings,
@@ -594,7 +603,8 @@ def settings():
         free_disk_warning=free_disk_warning,
         has_client_secret=has_client_secret,
         tz_options=tz_options,
-        users=User.query.order_by(User.username.asc()).all(),
+        users=users,
+        admin_users_count=admin_users_count,
         section=section,
         news_admin_items=news_admin_items,
         news_admin_stats=news_admin_stats,
@@ -915,6 +925,53 @@ def settings_users_reset_password(user_id: int):
     return redirect(url_for("main.settings", section="users"))
 
 
+@main_bp.route("/settings/users/<int:user_id>/roles", methods=["POST"])
+@login_required
+@roles_required("admin")
+def settings_users_update_roles(user_id: int):
+    user = User.query.get_or_404(user_id)
+
+    roles = [r.strip() for r in request.form.getlist("roles") if (r or "").strip()]
+    roles = list(dict.fromkeys(roles))
+    if not roles:
+        roles = ["viewer"]
+
+    # Prevent removing the last remaining admin role
+    removing_admin = ("admin" in user.roles) and ("admin" not in roles)
+    if removing_admin:
+        try:
+            all_users = User.query.all()
+            admin_count = sum(1 for u in all_users if "admin" in (getattr(u, "roles", None) or []))
+        except Exception:
+            admin_count = 0
+
+        if admin_count <= 1:
+            flash("Cannot remove admin role from the last admin account.", "danger")
+            return redirect(url_for("main.settings", section="users"))
+
+    old_roles = ",".join(user.roles)
+    new_roles = ",".join(roles)
+    user.role = new_roles
+
+    try:
+        db.session.commit()
+        flash(f"Roles for '{user.username}' have been updated.", "success")
+        _log_admin_event("user_update_roles", f"User '{user.username}' roles changed from '{old_roles}' to '{new_roles}'.")
+
+        # If the updated user is currently logged in, make sure the active role stays valid.
+        try:
+            if getattr(current_user, "id", None) == user.id:
+                current_user.set_active_role(user.roles[0])
+        except Exception:
+            pass
+    except Exception as exc:
+        db.session.rollback()
+        print(f"[settings-users] Failed to update roles: {exc}")
+        flash("Failed to update roles.", "danger")
+
+    return redirect(url_for("main.settings", section="users"))
+
+
 @main_bp.route("/settings/users/<int:user_id>/delete", methods=["POST"])
 @login_required
 @roles_required("admin")
@@ -922,8 +979,13 @@ def settings_users_delete(user_id: int):
     user = User.query.get_or_404(user_id)
 
     # Prevent deleting the last admin user
-    if user.role == "admin":
-        admin_count = User.query.filter_by(role="admin").count()
+    if "admin" in user.roles:
+        try:
+            all_users = User.query.all()
+            admin_count = sum(1 for u in all_users if "admin" in (getattr(u, "roles", None) or []))
+        except Exception:
+            admin_count = 0
+
         if admin_count <= 1:
             flash("Cannot delete the last admin account.", "danger")
             return redirect(url_for("main.settings", section="general"))
@@ -995,7 +1057,7 @@ def settings_mail_import():
         persisted_errors = 0
         for (customer_id, job_id, run_id, mail_message_id) in auto_approved_runs:
             try:
-                persisted_objects += persist_objects_for_approved_run(
+                persisted_objects += persist_objects_for_auto_run(
                     int(customer_id), int(job_id), int(run_id), int(mail_message_id)
                 )
             except Exception as exc:

containers/backupchecks/src/backend/app/main/routes_shared.py

@@ -60,7 +60,7 @@ from ..models import (
 )
 from ..mail_importer import run_manual_import, MailImportError
 from ..parsers import parse_mail_message
-from ..object_persistence import persist_objects_for_approved_run
+from ..object_persistence import persist_objects_for_approved_run, persist_objects_for_auto_run
 
 
 main_bp = Blueprint("main", __name__)
@@ -293,7 +293,8 @@ def _apply_overrides_to_run(job: Job, run: JobRun):
         try:
             mec = (getattr(ov, "match_error_contains", None) or "").strip()
             if mec:
-                parts.append(f"contains={mec}")
+                mem = (getattr(ov, "match_error_mode", None) or "contains").strip()
+                parts.append(f"error_{mem}={mec}")
         except Exception:
             pass
         try:
@@ -342,6 +343,40 @@ def _apply_overrides_to_run(job: Job, run: JobRun):
             return False
         return needle.lower() in haystack.lower()
 
+    def _matches_error_text(haystack: str | None, needle: str | None, mode: str | None) -> bool:
+        """Match error text using a configured mode.
+
+        Modes:
+          - contains (default)
+          - exact
+          - starts_with
+          - ends_with
+
+        Matching is case-insensitive and trims surrounding whitespace.
+        """
+        if not needle:
+            return True
+        if not haystack:
+            return False
+
+        hs = (haystack or "").strip()
+        nd = (needle or "").strip()
+        if not hs:
+            return False
+
+        hs_l = hs.lower()
+        nd_l = nd.lower()
+        m = (mode or "contains").strip().lower()
+
+        if m == "exact":
+            return hs_l == nd_l
+        if m in ("starts_with", "startswith", "start"):
+            return hs_l.startswith(nd_l)
+        if m in ("ends_with", "endswith", "end"):
+            return hs_l.endswith(nd_l)
+        # Default/fallback
+        return nd_l in hs_l
+
     def _matches_status(candidate: str | None, expected: str | None) -> bool:
         if not expected:
             return True
@@ -410,12 +445,12 @@ def _apply_overrides_to_run(job: Job, run: JobRun):
 
         # Global overrides should match both the run-level remark and any object-level error messages.
         if ov.match_error_contains:
-            if _contains(run.remark, ov.match_error_contains):
+            if _matches_error_text(run.remark, ov.match_error_contains, getattr(ov, "match_error_mode", None)):
                 return True
 
             # Check persisted run-object error messages.
             for row in run_object_rows or []:
-                if _contains(row.get("error_message"), ov.match_error_contains):
+                if _matches_error_text(row.get("error_message"), ov.match_error_contains, getattr(ov, "match_error_mode", None)):
                     return True
 
             objs = []
@@ -424,7 +459,7 @@ def _apply_overrides_to_run(job: Job, run: JobRun):
             except Exception:
                 objs = []
             for obj in objs or []:
-                if _contains(getattr(obj, "error_message", None), ov.match_error_contains):
+                if _matches_error_text(getattr(obj, "error_message", None), ov.match_error_contains, getattr(ov, "match_error_mode", None)):
                     return True
             return False
 
@@ -438,7 +473,7 @@ def _apply_overrides_to_run(job: Job, run: JobRun):
                 continue
             if not _matches_status(row.get("status"), ov.match_status):
                 continue
-            if not _contains(row.get("error_message"), ov.match_error_contains):
+            if not _matches_error_text(row.get("error_message"), ov.match_error_contains, getattr(ov, "match_error_mode", None)):
                 continue
             return True
 
@@ -453,7 +488,7 @@ def _apply_overrides_to_run(job: Job, run: JobRun):
                 continue
             if not _matches_status(getattr(obj, "status", None), ov.match_status):
                 continue
-            if not _contains(getattr(obj, "error_message", None), ov.match_error_contains):
+            if not _matches_error_text(getattr(obj, "error_message", None), ov.match_error_contains, getattr(ov, "match_error_mode", None)):
                 continue
             return True
 
@@ -637,6 +672,8 @@ def _infer_schedule_map_from_runs(job_id: int):
                 return schedule
             if bs == 'synology' and bt == 'updates':
                 return schedule
+            if bs == 'qnap' and bt == 'firmware update':
+                return schedule
             if bs == 'syncovery' and bt == 'syncovery':
                 return schedule
     except Exception:

containers/backupchecks/src/backend/app/migrations.py

@@ -378,7 +378,7 @@ def migrate_remarks_active_from_date() -> None:
 
 
 def migrate_overrides_match_columns() -> None:
-    """Add match_status and match_error_contains columns to overrides table if missing."""
+    """Add match_status / match_error columns to overrides table if missing."""
     engine = db.get_engine()
     inspector = inspect(engine)
     try:
@@ -397,6 +397,25 @@ def migrate_overrides_match_columns() -> None:
             print("[migrations] Adding overrides.match_error_contains column...")
             conn.execute(text('ALTER TABLE "overrides" ADD COLUMN match_error_contains VARCHAR(255)'))
 
+        if "match_error_mode" not in existing_columns:
+            print("[migrations] Adding overrides.match_error_mode column...")
+            conn.execute(text('ALTER TABLE "overrides" ADD COLUMN match_error_mode VARCHAR(20)'))
+
+        # Backfill mode for existing overrides that already have a match string.
+        try:
+            conn.execute(
+                text(
+                    """
+                    UPDATE "overrides"
+                    SET match_error_mode = 'contains'
+                    WHERE (match_error_mode IS NULL OR match_error_mode = '')
+                      AND (match_error_contains IS NOT NULL AND match_error_contains <> '');
+                    """
+                )
+            )
+        except Exception:
+            pass
+
     print("[migrations] migrate_overrides_match_columns completed.")
 
 

containers/backupchecks/src/backend/app/models.py

@@ -156,6 +156,8 @@ class Override(db.Model):
     # Matching criteria on object status / error message
     match_status = db.Column(db.String(32), nullable=True)
     match_error_contains = db.Column(db.String(255), nullable=True)
+    # Matching mode for error text: contains (default), exact, starts_with, ends_with
+    match_error_mode = db.Column(db.String(20), nullable=True)
 
     # Behaviour flags
     treat_as_success = db.Column(db.Boolean, nullable=False, default=True)

containers/backupchecks/src/backend/app/object_persistence.py

@@ -130,3 +130,172 @@ def persist_objects_for_approved_run(customer_id: int, job_id: int, run_id: int,
 
     return processed
 
+
+def persist_objects_for_approved_run_filtered(
+    customer_id: int,
+    job_id: int,
+    run_id: int,
+    mail_message_id: int,
+    *,
+    object_name_prefix: str,
+    strip_prefix: bool = True,
+) -> int:
+    """Persist a subset of mail_objects for a specific approved run.
+
+    This is used for multi-tenant / multi-customer summary emails where a single mail_message
+    contains objects for multiple companies (e.g. Veeam VSPC Active Alarms summary).
+
+    Args:
+        customer_id: Customer id for the target job.
+        job_id: Job id for the target job.
+        run_id: JobRun id.
+        mail_message_id: MailMessage id that contains the parsed mail_objects.
+        object_name_prefix: Company prefix (exact) used in mail_objects.object_name ("<company> | <object>").
+        strip_prefix: If True, store object names without the "<company> | " prefix.
+
+    Returns:
+        Number of processed objects.
+    """
+    engine = db.get_engine()
+    processed = 0
+
+    prefix = (object_name_prefix or "").strip()
+    if not prefix:
+        return 0
+
+    like_value = f"{prefix} | %"
+
+    with engine.begin() as conn:
+        rows = conn.execute(
+            text(
+                """
+                SELECT object_name, object_type, status, error_message
+                FROM mail_objects
+                WHERE mail_message_id = :mail_message_id
+                  AND object_name LIKE :like_value
+                ORDER BY id
+                """
+            ),
+            {"mail_message_id": mail_message_id, "like_value": like_value},
+        ).fetchall()
+
+        for r in rows:
+            raw_name = (r[0] or "").strip()
+            if not raw_name:
+                continue
+
+            object_name = raw_name
+            if strip_prefix and object_name.startswith(f"{prefix} | "):
+                object_name = object_name[len(prefix) + 3 :].strip()
+
+            if not object_name:
+                continue
+
+            object_type = r[1]
+            status = r[2]
+            error_message = r[3]
+
+            # 1) Upsert customer_objects and get id (schema uses UNIQUE(customer_id, object_name))
+            customer_object_id = conn.execute(
+                text(
+                    """
+                    INSERT INTO customer_objects (customer_id, object_name, object_type, first_seen_at, last_seen_at)
+                    VALUES (:customer_id, :object_name, :object_type, NOW(), NOW())
+                    ON CONFLICT (customer_id, object_name)
+                    DO UPDATE SET
+                        last_seen_at = NOW(),
+                        object_type = COALESCE(EXCLUDED.object_type, customer_objects.object_type)
+                    RETURNING id
+                    """
+                ),
+                {
+                    "customer_id": customer_id,
+                    "object_name": object_name,
+                    "object_type": object_type,
+                },
+            ).scalar()
+
+            # 2) Upsert job_object_links (keep timestamps fresh)
+            conn.execute(
+                text(
+                    """
+                    INSERT INTO job_object_links (job_id, customer_object_id, first_seen_at, last_seen_at)
+                    VALUES (:job_id, :customer_object_id, NOW(), NOW())
+                    ON CONFLICT (job_id, customer_object_id)
+                    DO UPDATE SET last_seen_at = NOW()
+                    """
+                ),
+                {
+                    "job_id": job_id,
+                    "customer_object_id": customer_object_id,
+                },
+            )
+
+            # 3) Upsert run_object_links
+            conn.execute(
+                text(
+                    """
+                    INSERT INTO run_object_links (run_id, customer_object_id, status, error_message, observed_at)
+                    VALUES (:run_id, :customer_object_id, :status, :error_message, NOW())
+                    ON CONFLICT (run_id, customer_object_id)
+                    DO UPDATE SET
+                        status = EXCLUDED.status,
+                        error_message = EXCLUDED.error_message,
+                        observed_at = NOW()
+                    """
+                ),
+                {
+                    "run_id": run_id,
+                    "customer_object_id": customer_object_id,
+                    "status": status,
+                    "error_message": error_message,
+                },
+            )
+
+            processed += 1
+
+    _update_override_applied_for_run(job_id, run_id)
+    return processed
+
+
+def persist_objects_for_auto_run(customer_id: int, job_id: int, run_id: int, mail_message_id: int) -> int:
+    """Persist objects for a run created by auto-approve logic.
+
+    For VSPC Active Alarms summary, objects are stored on the mail_message with
+    a "<company> | <object>" prefix. Auto-approved runs are created per-company
+    job ("Active alarms summary | <company>"). In that case we persist only the
+    matching subset and strip the prefix so objects are correctly linked.
+    """
+
+    try:
+        # Lazy import to avoid circular dependencies.
+        from .models import Job  # noqa
+
+        job = Job.query.get(int(job_id))
+        if not job:
+            return persist_objects_for_approved_run(customer_id, job_id, run_id, mail_message_id)
+
+        bsw = (getattr(job, "backup_software", "") or "").strip().lower()
+        btype = (getattr(job, "backup_type", "") or "").strip().lower()
+        jname = (getattr(job, "job_name", "") or "").strip()
+
+        if bsw == "veeam" and btype == "service provider console":
+            # Expected format: "Active alarms summary | <company>"
+            parts = [p.strip() for p in jname.split("|", 1)]
+            if len(parts) == 2 and parts[0].strip().lower() == "active alarms summary" and parts[1]:
+                company = parts[1]
+                return persist_objects_for_approved_run_filtered(
+                    customer_id,
+                    job_id,
+                    run_id,
+                    mail_message_id,
+                    object_name_prefix=company,
+                    strip_prefix=True,
+                )
+
+    except Exception:
+        # Fall back to the generic behavior.
+        pass
+
+    return persist_objects_for_approved_run(customer_id, job_id, run_id, mail_message_id)
+

containers/backupchecks/src/backend/app/parsers/__init__.py

@@ -13,6 +13,8 @@ from .nakivo import try_parse_nakivo
 from .veeam import try_parse_veeam
 from .rdrive import try_parse_rdrive
 from .syncovery import try_parse_syncovery
+from .ntfs_auditing import try_parse_ntfs_auditing
+from .qnap import try_parse_qnap
 
 
 def _sanitize_text(value: object) -> object:
@@ -43,14 +45,25 @@ def _store_mail_objects(msg: MailMessage, objects: List[Dict]) -> None:
     - error_message (optional)
     """
     for item in objects or []:
-        name = (item.get("name") or "").strip()
+        name = _sanitize_text(item.get("name") or "")
+        if isinstance(name, str):
+            name = name.strip()
         if not name:
             continue
         object_type = (item.get("type") or item.get("object_type") or None)
+        object_type = _sanitize_text(object_type)
         if isinstance(object_type, str):
             object_type = object_type.strip() or None
+
         status = (item.get("status") or None) or None
+        status = _sanitize_text(status)
+        if isinstance(status, str):
+            status = status.strip() or None
+
         error_message = item.get("error_message") or None
+        error_message = _sanitize_text(error_message)
+        if isinstance(error_message, str):
+            error_message = error_message.strip() or None
         db.session.add(
             MailObject(
                 mail_message_id=msg.id,
@@ -94,6 +107,8 @@ def parse_mail_message(msg: MailMessage) -> None:
 
     try:
         handled, result, objects = try_parse_3cx(msg)
+        if not handled:
+            handled, result, objects = try_parse_qnap(msg)
         if not handled:
             handled, result, objects = try_parse_synology(msg)
         if not handled:
@@ -106,6 +121,8 @@ def parse_mail_message(msg: MailMessage) -> None:
             handled, result, objects = try_parse_veeam(msg)
         if not handled:
             handled, result, objects = try_parse_syncovery(msg)
+        if not handled:
+            handled, result, objects = try_parse_ntfs_auditing(msg)
     except Exception as exc:
         msg.parse_result = "error"
         msg.parse_error = str(exc)[:500]

containers/backupchecks/src/backend/app/parsers/ntfs_auditing.py

@@ -0,0 +1,89 @@
+from __future__ import annotations
+
+import re
+from typing import Dict, Tuple, List
+
+from ..models import MailMessage
+
+
+_HOSTNAME_RE = re.compile(r"""(?ix)
+    \b
+    (?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+
+    (?:[a-z]{2,}|local)
+    \b
+""")
+
+_COUNTS_RE = re.compile(r"""(?x)
+    [\u2193\u2191]   # ↓ or ↑
+    \s*
+    (\d+)
+""")
+
+
+def _normalize_subject(subject: str) -> str:
+    # Some senders use underscores as spaces in the subject.
+    s = (subject or "").strip()
+    s = s.replace("_", " ")
+    s = re.sub(r"\s+", " ", s)
+    return s.strip()
+
+
+def _extract_host(subject: str) -> str | None:
+    subj = _normalize_subject(subject)
+    lower = subj.lower()
+
+    idx = lower.find("file audits")
+    if idx == -1:
+        return None
+
+    prefix = subj[:idx].strip()
+    # Some senders add a company prefix in front of the hostname, e.g. "Bouter btr-dc001.bouter.nl ...".
+    # Extract the last hostname-looking token before "file audits".
+    hosts = _HOSTNAME_RE.findall(prefix)
+    if not hosts:
+        return None
+
+    return hosts[-1].lower()
+
+
+def _extract_counts(subject: str) -> Tuple[int, int]:
+    # Subject format: "<host> file audits ↓ 0 ↑ 29"
+    # Not all senders include both arrows, so we parse what we can.
+    subj = _normalize_subject(subject)
+    nums = [int(x) for x in _COUNTS_RE.findall(subj)]
+    down = nums[0] if len(nums) >= 1 else 0
+    up = nums[1] if len(nums) >= 2 else 0
+    return down, up
+
+
+def try_parse_ntfs_auditing(msg: MailMessage) -> Tuple[bool, Dict, List[Dict]]:
+    subject = getattr(msg, "subject", None) or ""
+
+    # Fast checks: this parser is subject-based.
+    if "file audits" not in _normalize_subject(subject).lower():
+        return False, {}, []
+
+    host = _extract_host(subject)
+    if not host:
+        return False, {}, []
+
+    down, up = _extract_counts(subject)
+
+    # If changes were detected, mark as Warning (auditing reports only changes).
+    overall_status = "Warning" if (down > 0 or up > 0) else "Success"
+    overall_message = None
+    if overall_status == "Warning":
+        overall_message = f"NTFS auditing detected file changes (deleted: {down}, changed: {up})."
+
+    job_name = f"{host} file audits"
+
+    result = {
+        "backup_software": "NTFS Auditing",
+        "backup_type": "Audit",
+        "job_name": job_name,
+        "overall_status": overall_status,
+        "overall_message": overall_message,
+    }
+
+    # This mail contains an attachment report; objects are not tracked.
+    return True, result, []

containers/backupchecks/src/backend/app/parsers/qnap.py

@@ -0,0 +1,100 @@
+from __future__ import annotations
+
+import html
+import re
+from typing import Dict, Tuple, List
+
+from ..models import MailMessage
+
+
+_SUBJECT_RE = re.compile(
+    r"^\[(?P<severity>info|warning|error)\]\s*\[\s*firmware\s+update\s*\]\s*notification\s+from\s+your\s+device\s*:\s*(?P<host>.+)$",
+    re.I,
+)
+
+_NAS_NAME_RE = re.compile(r"\bNAS\s*Name\s*:\s*(?P<host>[^\n<]+)", re.I)
+_APP_NAME_RE = re.compile(r"\bApp\s*Name\s*:\s*(?P<app>[^\n<]+)", re.I)
+_CATEGORY_RE = re.compile(r"\bCategory\s*:\s*(?P<cat>[^\n<]+)", re.I)
+_MESSAGE_RE = re.compile(r"\bMessage\s*:\s*(?P<msg>.+)$", re.I | re.M)
+
+_BR_RE = re.compile(r"<\s*br\s*/?\s*>", re.I)
+_TAG_RE = re.compile(r"<[^>]+>")
+_WS_RE = re.compile(r"[\t\r\f\v ]+")
+
+
+def _html_to_text(value: str) -> str:
+    if not value:
+        return ""
+    s = value
+    s = _BR_RE.sub("\n", s)
+    s = _TAG_RE.sub("", s)
+    s = html.unescape(s)
+    s = s.replace("\u00a0", " ")
+    # keep newlines, but normalize whitespace on each line
+    lines = [(_WS_RE.sub(" ", ln)).strip() for ln in s.split("\n")]
+    return "\n".join([ln for ln in lines if ln]).strip()
+
+
+def try_parse_qnap(msg: MailMessage) -> Tuple[bool, Dict, List[Dict]]:
+    """Parse QNAP Notification Center e-mails.
+
+    Supported (informational):
+      - Firmware Update notifications
+        Subject: [Info][Firmware Update] Notification from your device: <HOST>
+
+    These notifications are informational: they should be visible in Run Checks,
+    but they must not participate in schedule inference, missed/expected logic,
+    or reporting.
+    """
+
+    subject = (getattr(msg, "subject", None) or "").strip()
+    if not subject:
+        return False, {}, []
+
+    m = _SUBJECT_RE.match(subject)
+    if not m:
+        return False, {}, []
+
+    host = (m.group("host") or "").strip()
+
+    html_body = getattr(msg, "html_body", None) or ""
+    text_body = getattr(msg, "text_body", None) or getattr(msg, "body", None) or ""
+    text = _html_to_text(html_body) if html_body else (text_body or "")
+
+    if text:
+        m_host = _NAS_NAME_RE.search(text)
+        if m_host:
+            host = (m_host.group("host") or "").strip() or host
+
+    # Prefer the detailed 'Message:' line from the body.
+    overall_message = None
+    if text:
+        m_msg = _MESSAGE_RE.search(text)
+        if m_msg:
+            overall_message = (m_msg.group("msg") or "").strip() or None
+
+    # If the body doesn't contain a dedicated message line, derive one.
+    if not overall_message and text:
+        parts: List[str] = []
+        m_app = _APP_NAME_RE.search(text)
+        if m_app:
+            parts.append((m_app.group("app") or "").strip())
+        m_cat = _CATEGORY_RE.search(text)
+        if m_cat:
+            parts.append((m_cat.group("cat") or "").strip())
+        if parts:
+            overall_message = " / ".join([p for p in parts if p]) or None
+
+    result: Dict = {
+        "backup_software": "QNAP",
+        "backup_type": "Firmware Update",
+        "job_name": "Firmware Update",
+        "overall_status": "Warning",
+        "overall_message": overall_message,
+    }
+
+    objects: List[Dict] = []
+    if host:
+        objects.append({"name": host, "status": "Warning"})
+
+    return True, result, objects

containers/backupchecks/src/backend/app/parsers/registry.py

@@ -38,6 +38,55 @@ PARSER_DEFINITIONS = [
             },
         },
     },
+    {
+        "name": "ntfs_auditing_audit",
+        "backup_software": "NTFS Auditing",
+        "backup_types": ["Audit"],
+        "order": 220,
+        "enabled": True,
+        "match": {
+            "from_contains": "auditing@",
+            "subject_contains": "file audits",
+        },
+        "description": "Parses NTFS Auditing file audit report mails (attachment-based HTML reports).",
+        "example": {
+            "subject": "Bouter btr-dc001.bouter.nl file audits → 6 ↑ 12",
+            "from_address": "auditing@bouter.nl",
+            "body_snippet": "(empty body, HTML report in attachment)",
+            "parsed_result": {
+                "backup_software": "NTFS Auditing",
+                "backup_type": "Audit",
+                "job_name": "btr-dc001.bouter.nl file audits",
+                "objects": [],
+            },
+        },
+    },
+    {
+        "name": "qnap_firmware_update",
+        "backup_software": "QNAP",
+        "backup_types": ["Firmware Update"],
+        "order": 235,
+        "enabled": True,
+        "match": {
+            "from_contains": "notifications@",
+            "subject_contains": "Firmware Update",
+        },
+        "description": "Parses QNAP Notification Center firmware update notifications (informational; excluded from reporting and missing logic).",
+        "example": {
+            "subject": "[Info][Firmware Update] Notification from your device: BETSIES-NAS01",
+            "from_address": "notifications@customer.tld",
+            "body_snippet": "NAS Name: BETSIES-NAS01\n...\nMessage: ...",
+            "parsed_result": {
+                "backup_software": "QNAP",
+                "backup_type": "Firmware Update",
+                "job_name": "Firmware Update",
+                "overall_status": "Warning",
+                "objects": [
+                    {"name": "BETSIES-NAS01", "status": "Warning", "error_message": None}
+                ],
+            },
+        },
+    },
     {
         "name": "veeam_replication_job",
         "backup_software": "Veeam",

containers/backupchecks/src/backend/app/parsers/synology.py

@@ -173,23 +173,35 @@ def _extract_totals(text: str) -> Tuple[int, int, int]:
 
 _ABB_SUBJECT_RE = re.compile(r"\bactive\s+backup\s+for\s+business\b", re.I)
 
-# Example (NL):
+# Examples (NL):
 #   "De back-uptaak vSphere-Task-1 op KANTOOR-NEW is voltooid."
-# Example (EN):
+#   "Virtuele machine back-uptaak vSphere-Task-1 op KANTOOR-NEW is gedeeltelijk voltooid."
+# Examples (EN):
 #   "The backup task vSphere-Task-1 on KANTOOR-NEW has completed."
+#   "Virtual machine backup task vSphere-Task-1 on KANTOOR-NEW partially completed."
 _ABB_COMPLETED_RE = re.compile(
-    r"\b(?:de\s+)?back-?up\s*taak\s+(?P<job>.+?)\s+op\s+(?P<host>.+?)\s+is\s+voltooid\b"
-    r"|\b(?:the\s+)?back-?up\s+task\s+(?P<job_en>.+?)\s+on\s+(?P<host_en>.+?)\s+(?:is\s+)?(?:completed|finished|has\s+completed)\b",
+    r"\b(?:virtuele\s+machine\s+)?(?:de\s+)?back-?up\s*taak\s+(?P<job>.+?)\s+op\s+(?P<host>[A-Za-z0-9._-]+)\s+is\s+(?P<status>voltooid|gedeeltelijk\s+voltooid)\b"
+    r"|\b(?:virtual\s+machine\s+)?(?:the\s+)?back-?up\s+task\s+(?P<job_en>.+?)\s+on\s+(?P<host_en>[A-Za-z0-9._-]+)\s+(?:is\s+)?(?P<status_en>completed|finished|has\s+completed|partially\s+completed)\b",
     re.I,
 )
 
 _ABB_FAILED_RE = re.compile(
-    r"\b(?:de\s+)?back-?up\s*taak\s+.+?\s+op\s+.+?\s+is\s+mislukt\b"
-    r"|\b(?:the\s+)?back-?up\s+task\s+.+?\s+on\s+.+?\s+(?:has\s+)?failed\b",
+    r"\b(?:virtuele\s+machine\s+)?(?:de\s+)?back-?up\s*taak\s+.+?\s+op\s+.+?\s+is\s+mislukt\b"
+    r"|\b(?:virtual\s+machine\s+)?(?:the\s+)?back-?up\s+task\s+.+?\s+on\s+.+?\s+(?:has\s+)?failed\b",
     re.I,
 )
 
-_ABB_DEVICE_LIST_RE = re.compile(r"^\s*(?:Apparaatlijst|Device\s+list)\s*:\s*(?P<list>.+?)\s*$", re.I)
+# Device list lines in body, e.g.
+#   "Apparaatlijst (back-up gelukt): DC01, SQL01"
+#   "Lijst met apparaten (back-up gelukt): DC01, SQL01"
+#   "Apparaatlijst (back-up mislukt): FS01"
+#   "Device list (backup succeeded): DC01, SQL01"
+#   "List of devices (backup succeeded): DC01, SQL01"
+#   "Device list (backup failed): FS01"
+_ABB_DEVICE_LIST_RE = re.compile(
+    r"^\s*(?:Apparaatlijst|Lijst\s+met\s+apparaten|Device\s+list|List\s+of\s+devices)\s*(?:\((?P<kind>[^)]+)\))?\s*:\s*(?P<list>.*?)\s*$",
+    re.I,
+)
 
 
 def _is_synology_active_backup_for_business(subject: str, text: str) -> bool:
@@ -210,22 +222,60 @@ def _parse_active_backup_for_business(subject: str, text: str) -> Tuple[bool, Di
     job_name = (m.group("job") or m.group("job_en") or "").strip()
     host = (m.group("host") or m.group("host_en") or "").strip()
 
+    # Determine overall status based on completion type and failure markers
+    status_raw = (m.group("status") or m.group("status_en") or "").lower()
+
     overall_status = "Success"
     overall_message = "Success"
+
+    # "gedeeltelijk voltooid" / "partially completed" should be treated as Warning
+    if "gedeeltelijk" in status_raw or "partially" in status_raw:
+        overall_status = "Warning"
+        overall_message = "Partially completed"
+
+    # Explicit failure wording overrides everything
     if _ABB_FAILED_RE.search(haystack):
         overall_status = "Error"
         overall_message = "Failed"
 
-    objects: List[Dict] = []
+    # Collect device/object statuses while avoiding duplicates.
+    # Prefer the most severe status when a device appears multiple times.
+    severity = {"Error": 3, "Failed": 3, "Warning": 2, "Success": 1}
+    device_status: Dict[str, str] = {}
+
     for line in (text or "").splitlines():
         mm = _ABB_DEVICE_LIST_RE.match(line.strip())
         if not mm:
             continue
         raw_list = (mm.group("list") or "").strip()
+
+        kind = (mm.group("kind") or "").lower()
+        line_status = overall_status
+        kind_is_specific = False
+        if "gelukt" in kind or "succeeded" in kind or "success" in kind:
+            line_status = "Success"
+            kind_is_specific = True
+        elif "mislukt" in kind or "failed" in kind or "error" in kind:
+            line_status = "Error"
+            kind_is_specific = True
+
         # "DC01, SQL01"
         for name in [p.strip() for p in raw_list.split(",")]:
-            if name:
-                objects.append({"name": name, "status": overall_status})
+            if not name:
+                continue
+            prev = device_status.get(name)
+            if prev is None:
+                device_status[name] = line_status
+                continue
+
+            # Do not override specific succeeded/failed lists with a generic "device list".
+            if not kind_is_specific:
+                continue
+
+            if severity.get(line_status, 0) > severity.get(prev, 0):
+                device_status[name] = line_status
+
+    objects: List[Dict] = [{"name": n, "status": s} for n, s in device_status.items()]
 
     result = {
         "backup_software": "Synology",

containers/backupchecks/src/backend/app/parsers/veeam.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import re
+import html as _html
 from typing import Dict, Tuple, List, Optional
 
 from ..models import MailMessage
@@ -17,9 +18,311 @@ VEEAM_BACKUP_TYPES = [
     "Veeam Backup for Microsoft 365",
     "Scale-out Backup Repository",
     "Health Check",
+    "Cloud Connect Report",
+    "Service Provider Console",
 ]
 
 
+def normalize_vspc_company_name(name: str) -> str:
+    """Normalize a VSPC company name so it matches across HTML/text extraction and parsing."""
+    n = _strip_html_tags(name or "")
+    n = _html.unescape(n)
+    n = n.replace("\xa0", " ")
+    n = re.sub(r"\s+", " ", n).strip()
+    return n
+
+
+def extract_vspc_active_alarms_companies(raw: str) -> List[str]:
+    """Best-effort extraction of company names from VSPC "Active alarms summary" bodies.
+
+    Only returns companies with alarms > 0.
+    """
+    if not raw:
+        return []
+
+    txt = raw
+    if "<" in txt and ">" in txt:
+        txt = re.sub(r"<[^>]+>", " ", txt)
+    txt = _html.unescape(txt)
+    txt = txt.replace("\xa0", " ")
+    txt = re.sub(r"\s+", " ", txt).strip()
+
+    seen: set[str] = set()
+    out: List[str] = []
+
+    for m in re.finditer(
+        r"\bCompany:\s*([^\(\r\n]+?)\s*\(\s*alarms?\s*:\s*(\d+)\s*\)",
+        txt,
+        flags=re.IGNORECASE,
+    ):
+        cname = normalize_vspc_company_name((m.group(1) or "").strip())
+        try:
+            alarms = int(m.group(2))
+        except Exception:
+            alarms = 0
+
+        if not cname or alarms <= 0:
+            continue
+        if cname in seen:
+            continue
+        seen.add(cname)
+        out.append(cname)
+
+    return out
+
+
+def _parse_vspc_active_alarms_from_html(html: str) -> Tuple[List[Dict], str, Optional[str]]:
+    """Parse Veeam Service Provider Console (VSPC) Active Alarms summary emails.
+
+    The VSPC summary email can contain multiple companies. We keep this as a
+    single Backupchecks run, but we prefix object names with the company name
+    so alarms remain attributable per customer.
+
+    Returns: (objects, overall_status, overall_message)
+    """
+    html = _normalize_html(html)
+    if not html:
+        return [], "Success", None
+
+    html_lower = html.lower()
+    if "veeam service provider console" not in html_lower or "company" not in html_lower:
+        return [], "Success", None
+
+    # Extract each company block and its first alarm table.
+    # Company header example: "Company: AKR Performance (alarms: 2)"
+    # Be defensive about line breaks (CR/LF) and HTML formatting.
+    company_header_re = re.compile(
+        r"(?is)company:\s*([^<\r\n]+?)\s*\(\s*alarms\s*:\s*(\d+)\s*\)"
+    )
+
+
+    # Build spans using HTML positions.
+    headers = [(m.start(), m.end(), (m.group(1) or "").strip(), m.group(2)) for m in company_header_re.finditer(html)]
+    if not headers:
+        return [], "Success", None
+
+    objects: List[Dict] = []
+    saw_failed = False
+    saw_warning = False
+
+    for idx, (h_start, h_end, company_name, alarms_raw) in enumerate(headers):
+        company_name = normalize_vspc_company_name(company_name)
+        seg_start = h_end
+        seg_end = headers[idx + 1][0] if idx + 1 < len(headers) else len(html)
+        segment_html = html[seg_start:seg_end]
+
+        # Find the first table that looks like the Active Alarms table.
+        m_table = re.search(r"(?is)<table[^>]*>.*?(Current\s*State).*?</table>", segment_html)
+        if not m_table:
+            continue
+        table_html = m_table.group(0)
+
+        # Parse rows and cells.
+        row_re = re.compile(r"(?is)<tr[^>]*>(.*?)</tr>")
+        cell_re = re.compile(r"(?is)<t[dh][^>]*>(.*?)</t[dh]>")
+
+        rows = row_re.findall(table_html)
+        if not rows:
+            continue
+
+        # Determine column indexes from header row.
+        colmap = {}
+        header_cells = [_strip_html_tags(c).strip().lower() for c in cell_re.findall(rows[0])]
+        for i, c in enumerate(header_cells):
+            if c in {"current state", "currentstate"}:
+                colmap["current_state"] = i
+            elif c in {"object"}:
+                colmap["object"] = i
+            elif c in {"object type", "objecttype"}:
+                colmap["object_type"] = i
+            elif c in {"hostname"}:
+                colmap["hostname"] = i
+            elif c in {"time"}:
+                colmap["time"] = i
+            elif c in {"alarm name", "alarmname"}:
+                colmap["alarm_name"] = i
+            elif c in {"n. of repeats", "n.of repeats", "repeats"}:
+                colmap["repeats"] = i
+            elif c in {"alarm details", "alarmdetails", "details"}:
+                colmap["alarm_details"] = i
+
+        # Basic validation: needs at least object + current state
+        if "object" not in colmap or "current_state" not in colmap:
+            continue
+
+        # Convert the entire company segment to text once for details matching.
+        seg_text = _html_to_text_preserve_lines(segment_html)
+        seg_lines = [ln.strip() for ln in (seg_text or "").splitlines() if ln.strip()]
+
+        for r in rows[1:]:
+            cells = cell_re.findall(r)
+            if not cells:
+                continue
+            plain = [_strip_html_tags(c).strip() for c in cells]
+
+            obj_name = plain[colmap["object"]].strip() if colmap["object"] < len(plain) else ""
+            if not obj_name:
+                continue
+
+            current_state = plain[colmap["current_state"]].strip() if colmap["current_state"] < len(plain) else ""
+            obj_type = plain[colmap.get("object_type", -1)].strip() if colmap.get("object_type", -1) >= 0 and colmap.get("object_type", -1) < len(plain) else ""
+            hostname = plain[colmap.get("hostname", -1)].strip() if colmap.get("hostname", -1) >= 0 and colmap.get("hostname", -1) < len(plain) else ""
+            at_time = plain[colmap.get("time", -1)].strip() if colmap.get("time", -1) >= 0 and colmap.get("time", -1) < len(plain) else ""
+            alarm_name = plain[colmap.get("alarm_name", -1)].strip() if colmap.get("alarm_name", -1) >= 0 and colmap.get("alarm_name", -1) < len(plain) else ""
+            repeats = plain[colmap.get("repeats", -1)].strip() if colmap.get("repeats", -1) >= 0 and colmap.get("repeats", -1) < len(plain) else ""
+            alarm_details = plain[colmap.get("alarm_details", -1)].strip() if colmap.get("alarm_details", -1) >= 0 and colmap.get("alarm_details", -1) < len(plain) else ""
+
+            state_lower = (current_state or "").lower()
+            status = "Success"
+            if state_lower in {"failed", "error", "critical"}:
+                status = "Failed"
+                saw_failed = True
+            elif state_lower in {"warning", "warn"}:
+                status = "Warning"
+                saw_warning = True
+
+            # Prefer the explicit "Alarm Details" column if present.
+            detail_line = alarm_details or None
+
+            # Otherwise try to find a more descriptive detail line in the company text.
+            # Prefer lines that mention the object or alarm name and are long enough to be a real description.
+            needles = [n for n in [obj_name, alarm_name] if n]
+            if not detail_line:
+                for ln in seg_lines:
+                    if len(ln) < 25:
+                        continue
+                    if any(n.lower() in ln.lower() for n in needles):
+                        detail_line = ln
+                        break
+
+            if not detail_line and alarm_name:
+                # fallback: use alarm name with context
+                parts = [alarm_name]
+                ctx = []
+                if hostname:
+                    ctx.append(f"Host: {hostname}")
+                if at_time:
+                    ctx.append(f"Time: {at_time}")
+                if repeats:
+                    ctx.append(f"Repeats: {repeats}")
+                if ctx:
+                    parts.append("(" + ", ".join(ctx) + ")")
+                detail_line = " ".join(parts).strip() or None
+
+            objects.append(
+                {
+                    "name": f"{company_name} | {obj_name}" if company_name else obj_name,
+                    "type": obj_type or "Alarm",
+                    "status": status,
+                    "error_message": detail_line,
+                }
+            )
+
+    overall_status = "Success"
+    if saw_failed:
+        overall_status = "Failed"
+    elif saw_warning:
+        overall_status = "Warning"
+
+    overall_message = None
+    return objects, overall_status, overall_message
+
+
+def _parse_cloud_connect_report_from_html(html: str) -> Tuple[List[Dict], str]:
+    """Parse Veeam Cloud Connect daily report (provider) HTML.
+
+    The report contains a "Backup" table with columns including:
+      User | Repository Name | ...
+
+    Objects in our system are a combination of the "User" and "Repository Name"
+    columns, separated by " | ".
+
+    Row background colour indicates status:
+      - Red/pink rows: Failed/Error
+      - Yellow/orange rows: Warning
+      - White rows: Success
+
+    The row where the first cell is "TOTAL" is a summary row and is not an object.
+
+    Returns: (objects, overall_status)
+    """
+    html = _normalize_html(html)
+    if not html:
+        return [], "Success"
+
+    # Find the Backup table block.
+    m_table = re.search(r"(?is)<p[^>]*>\s*Backup\s*</p>\s*<table.*?</table>", html)
+    if not m_table:
+        return [], "Success"
+
+    table_html = m_table.group(0)
+
+    # Extract rows.
+    row_pattern = re.compile(r"(?is)<tr([^>]*)>(.*?)</tr>")
+    cell_pattern = re.compile(r"(?is)<t[dh][^>]*>(.*?)</t[dh]>")
+
+    objects: List[Dict] = []
+    saw_failed = False
+    saw_warning = False
+
+    for row_attr, row_inner in row_pattern.findall(table_html):
+        cells = cell_pattern.findall(row_inner)
+        if len(cells) < 3:
+            continue
+
+        # Convert cells to plain text.
+        plain = [_strip_html_tags(c).strip() for c in cells]
+        if not plain:
+            continue
+
+        # Skip header row.
+        if plain[0].strip().lower() == "user":
+            continue
+
+        user = (plain[0] or "").strip()
+        repo_name = (plain[2] or "").strip()
+
+        # Skip summary row.
+        if user.upper() == "TOTAL":
+            continue
+
+        if not user and not repo_name:
+            continue
+
+        # Determine status based on background colour.
+        # Veeam uses inline styles like: background-color: #fb9895 (error)
+        # and background-color: #ffd96c (warning).
+        row_style = (row_attr or "")
+        m_bg = re.search(r"(?i)background-color\s*:\s*([^;\"\s]+)", row_style)
+        bg = (m_bg.group(1).strip().lower() if m_bg else "")
+
+        status = "Success"
+        if bg in {"#fb9895", "#ff9999", "#f4cccc", "#ffb3b3"}:
+            status = "Failed"
+            saw_failed = True
+        elif bg in {"#ffd96c", "#fff2cc", "#ffe599", "#f9cb9c"}:
+            status = "Warning"
+            saw_warning = True
+
+        name = f"{user} | {repo_name}".strip(" |")
+        objects.append(
+            {
+                "name": name,
+                "type": "Repository",
+                "status": status,
+                "error_message": None,
+            }
+        )
+
+    overall_status = "Success"
+    if saw_failed:
+        overall_status = "Failed"
+    elif saw_warning:
+        overall_status = "Warning"
+
+    return objects, overall_status
+
+
 def _strip_html_tags(value: str) -> str:
     """Very small helper to strip HTML tags from a string."""
     if not value:
@@ -347,12 +650,34 @@ def _extract_m365_overall_details_message(html: str) -> Optional[str]:
     if not html:
         return None
 
-    # Look for the summary "Details" cell (typically a header_td with rowspan).
-    candidates = re.findall(
-        r'<td[^>]*rowspan\s*=\s*["\']?\s*2\s*["\']?[^>]*>(.*?)</td>',
-        html,
-        flags=re.IGNORECASE | re.DOTALL,
-    )
+    html = _normalize_html(html)
+
+    # Strategy 1 (preferred): locate the "Details" header cell and then scan a small
+    # window after it for a rowspan cell that contains the overall message.
+    #
+    # We intentionally avoid a single giant regex over the entire HTML body to keep
+    # parsing fast and prevent worst-case backtracking on large messages.
+    candidates: List[str] = []
+
+    hdr = re.search(r'(?is)<td[^>]*>\s*<b>\s*Details\s*</b>\s*</td>', html)
+    if hdr:
+        window = html[hdr.end() : hdr.end() + 6000]
+        m = re.search(
+            r'(?is)<td[^>]*rowspan\s*=\s*["\']?\s*(?:2|3|4|5|6|7|8|9|10)\s*["\']?[^>]*>(.*?)</td>',
+            window,
+        )
+        if m:
+            candidates = [m.group(1)]
+
+    # Strategy 2 (fallback): look for rowspan cells with rowspan >= 2.
+    if not candidates:
+        all_rowspans = re.findall(
+            r'(?is)<td[^>]*rowspan\s*=\s*["\']?\s*([2-9]|10)\s*["\']?[^>]*>(.*?)</td>',
+            html,
+        )
+        # re.findall above returns tuples (rowspan, content)
+        candidates = [c[1] for c in all_rowspans] if all_rowspans else []
+
     if not candidates:
         return None
 
@@ -747,17 +1072,68 @@ def try_parse_veeam(msg: MailMessage) -> Tuple[bool, Dict, List[Dict]]:
     html_body = _normalize_html(getattr(msg, "html_body", None) or "")
     html_lower = html_body.lower()
 
+    # Veeam Cloud Connect provider daily report (no [Success]/[Warning] marker).
+    is_cloud_connect_report = (
+        "veeam cloud connect" in subject.lower()
+        and "daily report" in subject.lower()
+        and "repository name" in html_lower
+        and "infrastructure status" in html_lower
+    )
+
     # Special-case: Veeam Backup for Microsoft 365 mails can come without a
     # subject marker. Detect via HTML and extract status from the banner.
     is_m365 = "veeam backup for microsoft 365" in html_lower
 
+    # VSPC Active Alarms summary (no [Success]/[Warning] marker).
+    is_vspc_active_alarms = (
+        ("veeam service provider console" in html_lower)
+        and ("active alarms" in html_lower or "active alarms summary" in subject.lower())
+        and ("company:" in html_lower and "alarms" in html_lower)
+    )
+
     # If we cannot detect a status marker and this is not an M365 report,
     # we still try to parse when the subject strongly indicates a Veeam report.
-    if not m_status and not m_finished and not is_m365:
+    if not m_status and not m_finished and not is_m365 and not is_cloud_connect_report and not is_vspc_active_alarms:
         lowered = subject.lower()
-        if not any(k in lowered for k in ["veeam", "backup job", "backup copy job", "replica job", "configuration backup", "health check"]):
+        if not any(k in lowered for k in ["veeam", "cloud connect", "backup job", "backup copy job", "replica job", "configuration backup", "health check"]):
             return False, {}, []
 
+    # Handle Cloud Connect daily report early: overall status is derived from row colours.
+    if is_cloud_connect_report:
+        objects, overall_status = _parse_cloud_connect_report_from_html(html_body)
+
+        overall_message = None
+        # Use the short subject summary when present, e.g. ": 2 Errors, 1 Warnings, 49 Successes".
+        m_sum = re.search(r"(?i)daily\s+report\s*:\s*(.+)$", subject)
+        if m_sum:
+            overall_message = (m_sum.group(1) or "").strip() or None
+
+        result = {
+            "backup_software": "Veeam",
+            "backup_type": "Cloud Connect Report",
+            "job_name": "Daily report",
+            "overall_status": overall_status,
+        }
+        if overall_message:
+            result["overall_message"] = overall_message
+
+        return True, result, objects
+
+    # Handle VSPC Active Alarms summary early.
+    if is_vspc_active_alarms:
+        objects, overall_status, overall_message = _parse_vspc_active_alarms_from_html(html_body)
+
+        result = {
+            "backup_software": "Veeam",
+            "backup_type": "Service Provider Console",
+            "job_name": "Active alarms summary",
+            "overall_status": overall_status,
+        }
+        if overall_message:
+            result["overall_message"] = overall_message
+
+        return True, result, objects
+
     if m_status:
         status_word = m_status.group(1)
         rest = m_status.group(2)

containers/backupchecks/src/static/css/layout.css

@@ -14,3 +14,76 @@ main.dashboard-container {
   width: min(90vw, 1728px);
   max-width: 1728px;
 }
+
+/* Prevent long detail values (e.g., email addresses) from overlapping other fields */
+.dl-compact dt {
+  white-space: nowrap;
+}
+
+.dl-compact .ellipsis-field {
+  min-width: 0;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  cursor: pointer;
+}
+
+.dl-compact .ellipsis-field.is-expanded {
+  overflow: visible;
+  text-overflow: clip;
+  white-space: normal;
+  cursor: text;
+}
+
+/* Markdown rendering (e.g., changelog page) */
+.markdown-content {
+  overflow-wrap: anywhere;
+}
+
+.markdown-content h1,
+.markdown-content h2,
+.markdown-content h3,
+.markdown-content h4,
+.markdown-content h5,
+.markdown-content h6 {
+  margin-top: 1.25rem;
+  margin-bottom: 0.75rem;
+}
+
+.markdown-content p {
+  margin-bottom: 0.75rem;
+}
+
+.markdown-content ul,
+.markdown-content ol {
+  margin-bottom: 0.75rem;
+}
+
+.markdown-content pre {
+  padding: 0.75rem;
+  border-radius: 0.5rem;
+  background: rgba(0, 0, 0, 0.05);
+  overflow: auto;
+}
+
+.markdown-content code {
+  font-size: 0.95em;
+}
+
+.markdown-content table {
+  width: 100%;
+  margin-bottom: 1rem;
+}
+
+.markdown-content table th,
+.markdown-content table td {
+  padding: 0.5rem;
+  border-top: 1px solid rgba(0, 0, 0, 0.15);
+}
+
+.markdown-content blockquote {
+  border-left: 0.25rem solid rgba(0, 0, 0, 0.15);
+  padding-left: 0.75rem;
+  margin-left: 0;
+  color: rgba(0, 0, 0, 0.7);
+}

containers/backupchecks/src/templates/layout/base.html

@@ -68,6 +68,17 @@
         <div class="collapse navbar-collapse" id="navbarNav">
           {% if current_user.is_authenticated %}
           <ul class="navbar-nav me-auto mb-2 mb-lg-0">
+            {% if active_role == 'reporter' %}
+            <li class="nav-item">
+              <a class="nav-link" href="{{ url_for('main.reports') }}">Reports</a>
+            </li>
+            <li class="nav-item">
+              <a class="nav-link" href='{{ url_for("main.changelog_page") }}'>Changelog</a>
+            </li>
+            <li class="nav-item">
+              <a class="nav-link" href="{{ url_for('main.feedback_page') }}">Feedback</a>
+            </li>
+            {% else %}
             <li class="nav-item">
               <a class="nav-link" href="{{ url_for('main.inbox') }}">Inbox</a>
             </li>
@@ -126,6 +137,7 @@
             <li class="nav-item">
               <a class="nav-link" href="{{ url_for('main.feedback_page') }}">Feedback</a>
             </li>
+            {% endif %}
           </ul>
           <span class="navbar-text me-3">
             <a class="text-decoration-none" href="{{ url_for('main.user_settings') }}">
@@ -185,5 +197,98 @@
     </main>
 
     <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
+
+    <script>
+      (function () {
+        function isOverflowing(el) {
+          try {
+            return el && el.scrollWidth > el.clientWidth;
+          } catch (e) {
+            return false;
+          }
+        }
+
+        function collapseExpandedEllipsis(root) {
+          try {
+            if (!root || !root.querySelectorAll) return;
+            var expanded = root.querySelectorAll('.ellipsis-field.is-expanded');
+            if (!expanded || !expanded.length) return;
+            expanded.forEach(function (el) {
+              el.classList.remove('is-expanded');
+              setEllipsisTitle(el);
+            });
+          } catch (e) {
+            // no-op
+          }
+        }
+
+        function setEllipsisTitle(el) {
+          if (!el || el.classList.contains('is-expanded')) {
+            return;
+          }
+          var txt = (el.textContent || '').trim();
+          if (!txt) {
+            el.removeAttribute('title');
+            return;
+          }
+          if (isOverflowing(el)) {
+            el.setAttribute('title', txt);
+          } else {
+            el.removeAttribute('title');
+          }
+        }
+
+        document.addEventListener('click', function (e) {
+          var el = e.target;
+          if (!el) return;
+          if (!el.classList || !el.classList.contains('ellipsis-field')) return;
+          // Ignore clicks on interactive children
+          if (e.target.closest && e.target.closest('a, button, input, select, textarea, label')) return;
+          el.classList.toggle('is-expanded');
+          if (el.classList.contains('is-expanded')) {
+            el.removeAttribute('title');
+          } else {
+            setEllipsisTitle(el);
+          }
+        });
+
+        document.addEventListener('dblclick', function (e) {
+          var el = e.target;
+          if (!el || !el.classList || !el.classList.contains('ellipsis-field')) return;
+          // Expand on double click and select all text
+          el.classList.add('is-expanded');
+          el.removeAttribute('title');
+          try {
+            var range = document.createRange();
+            range.selectNodeContents(el);
+            var sel = window.getSelection();
+            sel.removeAllRanges();
+            sel.addRange(range);
+          } catch (err) {
+            // no-op
+          }
+        });
+
+        document.addEventListener('mouseover', function (e) {
+          var el = e.target;
+          if (!el || !el.classList || !el.classList.contains('ellipsis-field')) return;
+          setEllipsisTitle(el);
+        });
+
+        // Ensure expanded fields do not persist between popup/modal openings.
+        document.addEventListener('show.bs.modal', function (e) {
+          collapseExpandedEllipsis(e.target);
+        });
+        document.addEventListener('hidden.bs.modal', function (e) {
+          collapseExpandedEllipsis(e.target);
+        });
+        document.addEventListener('show.bs.offcanvas', function (e) {
+          collapseExpandedEllipsis(e.target);
+        });
+        document.addEventListener('hidden.bs.offcanvas', function (e) {
+          collapseExpandedEllipsis(e.target);
+        });
+      })();
+    </script>
   </body>
 </html>

containers/backupchecks/src/templates/main/admin_all_mail.html

@@ -168,30 +168,30 @@
       <div class="modal-body">
         <div class="row">
           <div class="col-md-3">
-            <dl class="row mb-0">
+            <dl class="row mb-0 dl-compact">
               <dt class="col-4">From</dt>
-              <dd class="col-8" id="msg_from"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_from"></dd>
 
               <dt class="col-4">Backup</dt>
-              <dd class="col-8" id="msg_backup"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_backup"></dd>
 
               <dt class="col-4">Type</dt>
-              <dd class="col-8" id="msg_type"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_type"></dd>
 
               <dt class="col-4">Job</dt>
-              <dd class="col-8" id="msg_job"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_job"></dd>
 
               <dt class="col-4">Overall</dt>
-              <dd class="col-8" id="msg_overall"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_overall"></dd>
 
               <dt class="col-4">Customer</dt>
-              <dd class="col-8" id="msg_customer"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_customer"></dd>
 
               <dt class="col-4">Received</dt>
-              <dd class="col-8" id="msg_received"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_received"></dd>
 
               <dt class="col-4">Parsed</dt>
-              <dd class="col-8" id="msg_parsed"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_parsed"></dd>
 
               <dt class="col-4">Details</dt>
               <dd class="col-8" id="msg_overall_message" style="white-space: pre-wrap;"></dd>
@@ -204,7 +204,6 @@
             </div>
 
             <div class="mt-3">
-              <h6>Objects</h6>
               <div id="msg_objects_container"></div>
             </div>
           </div>
@@ -235,6 +234,33 @@
         if (el) el.textContent = value || '';
       }
 
+      function objectSeverityRank(o) {
+        var st = String((o && o.status) || '').trim().toLowerCase();
+        var err = String((o && o.error_message) || '').trim();
+        if (st === 'error' || st === 'failed' || st === 'failure' || err) return 0;
+        if (st === 'warning') return 1;
+        return 2;
+      }
+
+      function sortObjects(objects) {
+        return (objects || []).slice().sort(function (a, b) {
+          var ra = objectSeverityRank(a);
+          var rb = objectSeverityRank(b);
+          if (ra !== rb) return ra - rb;
+
+          var na = String((a && a.name) || '').toLowerCase();
+          var nb = String((b && b.name) || '').toLowerCase();
+          if (na < nb) return -1;
+          if (na > nb) return 1;
+
+          var ta = String((a && a.type) || '').toLowerCase();
+          var tb = String((b && b.type) || '').toLowerCase();
+          if (ta < tb) return -1;
+          if (ta > tb) return 1;
+          return 0;
+        });
+      }
+
       function renderObjects(objects) {
         var container = document.getElementById('msg_objects_container');
         if (!container) return;
@@ -248,8 +274,10 @@
         var tableHtml = '<div class="table-responsive"><table class="table table-sm table-hover align-middle">' +
           '<thead class="table-light"><tr><th>Name</th><th>Type</th><th>Status</th><th>Error</th></tr></thead><tbody>';
 
-        for (var i = 0; i < objects.length; i++) {
-          var o = objects[i] || {};
+        var sorted = sortObjects(objects);
+
+        for (var i = 0; i < sorted.length; i++) {
+          var o = sorted[i] || {};
           tableHtml += '<tr>' +
             '<td>' + (o.name || '') + '</td>' +
             '<td>' + (o.type || '') + '</td>' +
@@ -262,10 +290,33 @@
         container.innerHTML = tableHtml;
       }
 
-      function setIframeHtml(html) {
+        function wrapMailHtml(html) {
+      html = html || "";
+      var trimmed = (typeof html === "string") ? html.trim() : "";
+      var injection = '<meta charset="utf-8"><meta name="color-scheme" content="light"><meta name="supported-color-schemes" content="light"><meta name="viewport" content="width=device-width, initial-scale=1"><base target="_blank"><style>:root{color-scheme:light;}html{color-scheme:light;}body{margin:0;padding:8px;background:#fff;forced-color-adjust:none;-ms-high-contrast-adjust:none;}</style>';
+
+      function injectIntoFullDoc(doc) {
+        var d = doc || "";
+        if (/<head[^>]*>/i.test(d)) {
+          return d.replace(/<head[^>]*>/i, function (m) { return m + injection; });
+        }
+        if (/<html[^>]*>/i.test(d)) {
+          return d.replace(/<html[^>]*>/i, function (m) { return m + "<head>" + injection + "</head>"; });
+        }
+        return "<!doctype html><html><head>" + injection + "</head><body>" + d + "</body></html>";
+      }
+
+      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
+        return injectIntoFullDoc(trimmed);
+      }
+
+      return "<!doctype html><html><head>" + injection + "</head><body>" + html + "</body></html>";
+    }
+
+function setIframeHtml(html) {
         var iframe = document.getElementById('msg_body_container_iframe');
         if (!iframe) return;
-        iframe.srcdoc = html || '<p>No message content stored.</p>';
+        iframe.srcdoc = wrapMailHtml(html || '<p>No message content stored.</p>');
       }
 
       async function openMessage(messageId) {
@@ -286,7 +337,7 @@
           setText('msg_parsed', meta.parsed_at);
           setText('msg_overall_message', meta.overall_message);
 
-          setIframeHtml(data.body_html);
+          setIframeHtml(data.body_html || "");
           renderObjects(data.objects);
 
           modal.show();

containers/backupchecks/src/templates/main/changelog.html

@@ -4,74 +4,29 @@
 <div class="d-flex align-items-center justify-content-between mb-3">
   <div>
     <h1 class="h3 mb-1">Changelog</h1>
-    <div class="text-body-secondary">Product versions and changes.</div>
+    <div class="text-body-secondary">Loaded live from the repository.</div>
   </div>
+  {% if changelog_source_url %}
+  <div class="text-end">
+    <a class="btn btn-sm btn-outline-secondary" href="{{ changelog_source_url }}" target="_blank" rel="noopener">
+      View source
+    </a>
+  </div>
+  {% endif %}
 </div>
 
-{# Completed (summary) #}
-<div class="card mb-4">
-  <div class="card-header d-flex align-items-center justify-content-between">
-    <div class="fw-semibold">Completed</div>
-    <span class="badge text-bg-primary">History</span>
-  </div>
+{% if changelog_error %}
+<div class="alert alert-warning" role="alert">
+  {{ changelog_error }}
+</div>
+{% endif %}
+
+<div class="card">
   <div class="card-body">
-    {% if changelog.completed_summary and changelog.completed_summary|length > 0 %}
-      <div class="accordion" id="changelogCompletedAccordion">
-        {% for item in changelog.completed_summary %}
-        <div class="accordion-item">
-          <h2 class="accordion-header" id="completedHeading{{ loop.index }}">
-            <button class="accordion-button {% if not loop.first %}collapsed{% endif %}" type="button" data-bs-toggle="collapse" data-bs-target="#completedCollapse{{ loop.index }}" aria-expanded="{% if loop.first %}true{% else %}false{% endif %}" aria-controls="completedCollapse{{ loop.index }}">
-              <span class="fw-semibold">v{{ item.version }}</span>
-            </button>
-          </h2>
-          <div id="completedCollapse{{ loop.index }}" class="accordion-collapse collapse {% if loop.first %}show{% endif %}" aria-labelledby="completedHeading{{ loop.index }}" data-bs-parent="#changelogCompletedAccordion">
-            <div class="accordion-body">
-              {% if item.overview and item.overview|length > 0 %}
-                {% for p in item.overview %}
-                  <p class="mb-2">{{ p }}</p>
-                {% endfor %}
-              {% endif %}
-
-              {% if item.categories and item.categories|length > 0 %}
-                {% for cat in item.categories %}
-                  <div class="fw-semibold mb-2">{{ cat.category }}</div>
-
-                  {# NOTE: 'items' is a dict key; use bracket notation to avoid calling dict.items() #}
-                  {% if cat['items'] and cat['items']|length > 0 %}
-                    {% for it in cat['items'] %}
-                      <div class="mb-3">
-                        {% if it.title %}
-                          <div class="fw-semibold">{{ it.title }}</div>
-                        {% endif %}
-                        {% if it.details and it.details|length > 0 %}
-                          <ul class="mb-0">
-                            {% for d in it.details %}
-                              <li>{{ d }}</li>
-                            {% endfor %}
-                          </ul>
-                        {% endif %}
-                      </div>
-                    {% endfor %}
-                  {% else %}
-                    <div class="text-body-secondary mb-3">No items in this section.</div>
-                  {% endif %}
-                {% endfor %}
-              {% elif item.highlights and item.highlights|length > 0 %}
-                <ul class="mb-0">
-                  {% for h in item.highlights %}
-                    <li>{{ h }}</li>
-                  {% endfor %}
-                </ul>
-              {% else %}
-                <div class="text-body-secondary">No details.</div>
-              {% endif %}
-            </div>
-          </div>
-        </div>
-        {% endfor %}
-      </div>
+    {% if changelog_html %}
+      <div class="markdown-content">{{ changelog_html | safe }}</div>
     {% else %}
-      <div class="text-body-secondary">No completed items.</div>
+      <div class="text-body-secondary">No changelog content available.</div>
     {% endif %}
   </div>
 </div>

containers/backupchecks/src/templates/main/daily_jobs.html

@@ -172,18 +172,18 @@
               <div id="dj_runs_list" class="list-group"></div>
             </div>
             <div class="col-md-9 dj-detail-col">
-              <dl class="row mb-3">
+              <dl class="row mb-3 dl-compact">
                 <dt class="col-3">From</dt>
-                <dd class="col-9" id="dj_from"></dd>
+                <dd class="col-9 ellipsis-field" id="dj_from"></dd>
 
                 <dt class="col-3">Subject</dt>
-                <dd class="col-9" id="dj_subject"></dd>
+                <dd class="col-9 ellipsis-field" id="dj_subject"></dd>
 
                 <dt class="col-3">Received</dt>
-                <dd class="col-9" id="dj_received"></dd>
+                <dd class="col-9 ellipsis-field" id="dj_received"></dd>
 
                 <dt class="col-3">Status</dt>
-                <dd class="col-9" id="dj_status"></dd>
+                <dd class="col-9 ellipsis-field" id="dj_status"></dd>
 
                 <dt class="col-3">Remark</dt>
                 <dd class="col-9" id="dj_remark" style="white-space: pre-wrap;"></dd>
@@ -234,7 +234,6 @@
               </div>
 
               <div class="dj-objects-panel">
-                <h6>Objects</h6>
                 <div class="table-responsive dj-objects-scroll">
                   <table class="table table-sm table-bordered" id="dj_objects_table">
                     <thead class="table-light" style="position: sticky; top: 0; z-index: 1;">
@@ -293,24 +292,59 @@
       return "";
     }
 
-    
-
-    function wrapMailHtml(html) {
-      html = html || "";
-      // Ensure we render the mail HTML with its own CSS, isolated from the site styling.
-      return (
-        "<!doctype html><html><head><meta charset=\"utf-8\">" +
-        "<base target=\"_blank\">" +
-        "</head><body style=\"margin:0; padding:8px;\">" +
-        html +
-        "</body></html>"
-      );
+    function objectSeverityRank(o) {
+      var st = String((o && o.status) || '').trim().toLowerCase();
+      var err = String((o && o.error_message) || '').trim();
+      if (st === 'error' || st === 'failed' || st === 'failure' || err) return 0;
+      if (st === 'warning') return 1;
+      return 2;
     }
 
-    var currentJobId = null;
-    var currentRunId = null;
+    function sortObjects(objects) {
+      return (objects || []).slice().sort(function (a, b) {
+        var ra = objectSeverityRank(a);
+        var rb = objectSeverityRank(b);
+        if (ra !== rb) return ra - rb;
 
-    function escapeHtml(s) {
+        var na = String((a && a.name) || '').toLowerCase();
+        var nb = String((b && b.name) || '').toLowerCase();
+        if (na < nb) return -1;
+        if (na > nb) return 1;
+
+        var ta = String((a && a.type) || '').toLowerCase();
+        var tb = String((b && b.type) || '').toLowerCase();
+        if (ta < tb) return -1;
+        if (ta > tb) return 1;
+        return 0;
+      });
+    }
+
+    
+
+        function wrapMailHtml(html) {
+      html = html || "";
+      var trimmed = (typeof html === "string") ? html.trim() : "";
+      var injection = '<meta charset="utf-8"><meta name="color-scheme" content="light"><meta name="supported-color-schemes" content="light"><meta name="viewport" content="width=device-width, initial-scale=1"><base target="_blank"><style>:root{color-scheme:light;}html{color-scheme:light;}body{margin:0;padding:8px;background:#fff;forced-color-adjust:none;-ms-high-contrast-adjust:none;}</style>';
+
+      function injectIntoFullDoc(doc) {
+        var d = doc || "";
+        if (/<head[^>]*>/i.test(d)) {
+          return d.replace(/<head[^>]*>/i, function (m) { return m + injection; });
+        }
+        if (/<html[^>]*>/i.test(d)) {
+          return d.replace(/<html[^>]*>/i, function (m) { return m + "<head>" + injection + "</head>"; });
+        }
+        return "<!doctype html><html><head>" + injection + "</head><body>" + d + "</body></html>";
+      }
+
+      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
+        return injectIntoFullDoc(trimmed);
+      }
+
+      return "<!doctype html><html><head>" + injection + "</head><body>" + html + "</body></html>";
+    }
+
+function escapeHtml(s) {
       return (s || "").toString()
         .replace(/&/g, "&amp;")
         .replace(/</g, "&lt;")
@@ -606,7 +640,7 @@ if (tStatus) tStatus.textContent = '';
 
       var tbody = document.querySelector("#dj_objects_table tbody");
       tbody.innerHTML = "";
-      (run.objects || []).forEach(function (obj) {
+      sortObjects(run.objects || []).forEach(function (obj) {
         var tr = document.createElement("tr");
 
         var tdName = document.createElement("td");

containers/backupchecks/src/templates/main/inbox.html

@@ -135,21 +135,21 @@
       <div class="modal-body">
         <div class="row">
           <div class="col-md-3">
-            <dl class="row mb-0">
+            <dl class="row mb-0 dl-compact">
               <dt class="col-4">From</dt>
-              <dd class="col-8" id="msg_from"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_from"></dd>
 
               <dt class="col-4">Backup</dt>
-              <dd class="col-8" id="msg_backup"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_backup"></dd>
 
               <dt class="col-4">Type</dt>
-              <dd class="col-8" id="msg_type"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_type"></dd>
 
               <dt class="col-4">Job</dt>
-              <dd class="col-8" id="msg_job"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_job"></dd>
 
               <dt class="col-4">Overall</dt>
-              <dd class="col-8" id="msg_overall"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_overall"></dd>
 
               <dt class="col-4">Customer</dt>
               <dd class="col-8">
@@ -161,15 +161,15 @@
                     {% endfor %}
                   </datalist>
                 {% else %}
-                  <span id="msg_customer_display"></span>
+                  <span id="msg_customer_display" class="ellipsis-field"></span>
                 {% endif %}
               </dd>
 
               <dt class="col-4">Received</dt>
-              <dd class="col-8" id="msg_received"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_received"></dd>
 
               <dt class="col-4">Parsed</dt>
-              <dd class="col-8" id="msg_parsed"></dd>
+              <dd class="col-8 ellipsis-field" id="msg_parsed"></dd>
             </dl>
           </div>
 
@@ -183,7 +183,6 @@
             </div>
 
             <div class="mt-3">
-              <h6>Objects</h6>
               <div id="msg_objects_container">
                 <!-- Parsed objects will be rendered here -->
               </div>
@@ -196,7 +195,8 @@
         {% if current_user.is_authenticated and active_role in ["admin", "operator"] %}
           <form id="inboxApproveForm" method="POST" action="" class="me-auto mb-0">
             <input type="hidden" id="msg_customer_id" name="customer_id" value="" />
-            <button type="submit" class="btn btn-primary">Approve job</button>
+            <button type="submit" class="btn btn-primary" id="inboxApproveBtn">Approve job</button>
+            <button type="button" class="btn btn-outline-primary ms-2 d-none" id="vspcMapCompaniesBtn">Map companies</button>
           </form>
           <form id="inboxDeleteForm" method="POST" action="" class="mb-0">
             <button type="submit" class="btn btn-outline-danger" onclick="return confirm('Delete this message from the Inbox?');">Delete</button>
@@ -208,6 +208,50 @@
   </div>
 </div>
 
+
+<!-- VSPC company mapping modal (for multi-company summary emails) -->
+<div class="modal fade" id="vspcCompanyMapModal" tabindex="-1" aria-labelledby="vspcCompanyMapModalLabel" aria-hidden="true">
+  <div class="modal-dialog modal-lg modal-dialog-scrollable">
+    <div class="modal-content">
+      <div class="modal-header">
+        <h5 class="modal-title" id="vspcCompanyMapModalLabel">Map companies to customers</h5>
+        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+      </div>
+      <form id="vspcCompanyMapForm" method="POST" action="">
+        <div class="modal-body">
+          <p class="mb-2">This message contains multiple companies. Map each company to a customer to approve.</p>
+
+          <datalist id="vspcCustomerList">
+            {% for c in customers %}
+              <option value="{{ c.name }}"></option>
+            {% endfor %}
+          </datalist>
+
+          <div class="table-responsive" style="max-height:55vh; overflow-y:auto;">
+            <table class="table table-sm align-middle">
+              <thead>
+                <tr>
+                  <th style="width: 40%;">Company</th>
+                  <th style="width: 60%;">Customer</th>
+                </tr>
+              </thead>
+              <tbody id="vspcCompanyMapTbody">
+                <!-- rows injected by JS -->
+              </tbody>
+            </table>
+          </div>
+
+          <input type="hidden" id="vspc_company_mappings_json" name="company_mappings_json" value="" />
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+          <button type="submit" class="btn btn-primary">Approve mapped companies</button>
+        </div>
+      </form>
+    </div>
+  </div>
+</div>
+
 <script>
   (function () {
     var customers = {{ customers|tojson|safe }};
@@ -333,25 +377,29 @@
 
     
 
-    function wrapMailHtml(html) {
+            function wrapMailHtml(html) {
       html = html || "";
       var trimmed = (typeof html === "string") ? html.trim() : "";
+      var injection = '<meta charset="utf-8"><meta name="color-scheme" content="light"><meta name="supported-color-schemes" content="light"><meta name="viewport" content="width=device-width, initial-scale=1"><base target="_blank"><style>:root{color-scheme:light;}html{color-scheme:light;}body{margin:0;padding:8px;background:#fff;forced-color-adjust:none;-ms-high-contrast-adjust:none;}</style>';
 
-      // If the content already looks like a full HTML document (common for report attachments),
-      // do not wrap it again.
-      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
-        return trimmed;
+      function injectIntoFullDoc(doc) {
+        var d = doc || "";
+        if (/<head[^>]*>/i.test(d)) {
+          return d.replace(/<head[^>]*>/i, function (m) { return m + injection; });
+        }
+        if (/<html[^>]*>/i.test(d)) {
+          return d.replace(/<html[^>]*>/i, function (m) { return m + "<head>" + injection + "</head>"; });
+        }
+        return "<!doctype html><html><head>" + injection + "</head><body>" + d + "</body></html>";
       }
 
-      // Ensure we render the mail HTML with its own CSS, isolated from the site styling.
-      return (
-        "<!doctype html><html><head><meta charset=\"utf-8\">" +
-        "<base target=\"_blank\">" +
-        "</head><body style=\"margin:0; padding:8px;\">" +
-        html +
-        "</body></html>"
-      );
+      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
+        return injectIntoFullDoc(trimmed);
+      }
+
+      return "<!doctype html><html><head>" + injection + "</head><body>" + html + "</body></html>";
     }
+
 function findCustomerIdByName(name) {
       if (!name) return null;
       for (var i = 0; i < customers.length; i++) {
@@ -369,10 +417,39 @@ function findCustomerIdByName(name) {
         return;
       }
 
+      function objectSeverityRank(o) {
+        var st = String((o && o.status) || "").trim().toLowerCase();
+        var err = String((o && o.error_message) || "").trim();
+        if (st === "error" || st === "failed" || st === "failure" || err) return 0;
+        if (st === "warning") return 1;
+        return 2;
+      }
+
+      function sortObjects(list) {
+        return (list || []).slice().sort(function (a, b) {
+          var ra = objectSeverityRank(a);
+          var rb = objectSeverityRank(b);
+          if (ra !== rb) return ra - rb;
+
+          var na = String((a && a.name) || "").toLowerCase();
+          var nb = String((b && b.name) || "").toLowerCase();
+          if (na < nb) return -1;
+          if (na > nb) return 1;
+
+          var ta = String((a && a.type) || "").toLowerCase();
+          var tb = String((b && b.type) || "").toLowerCase();
+          if (ta < tb) return -1;
+          if (ta > tb) return 1;
+          return 0;
+        });
+      }
+
+      var sorted = sortObjects(objects);
+
       var html = "<div class=\"table-responsive\"><table class=\"table table-sm table-bordered mb-0\">";
       html += "<thead><tr><th>Object</th><th>Type</th><th>Status</th><th>Error</th></tr></thead><tbody>";
-      for (var i = 0; i < objects.length; i++) {
-        var o = objects[i] || {};
+      for (var i = 0; i < sorted.length; i++) {
+        var o = sorted[i] || {};
         html += "<tr>";
         html += "<td>" + (o.name || "") + "</td>";
         html += "<td>" + (o.type || "") + "</td>";
@@ -427,6 +504,132 @@ function findCustomerIdByName(name) {
 
               renderObjects(data.objects || []);
 
+              // VSPC multi-company mapping support (Active alarms summary)
+              (function () {
+                var mapBtn = document.getElementById("vspcMapCompaniesBtn");
+                var approveBtn = document.getElementById("inboxApproveBtn");
+                if (!mapBtn) return;
+
+                // reset
+                mapBtn.classList.add("d-none");
+                if (approveBtn) approveBtn.classList.remove("d-none");
+                var ciReset = document.getElementById("msg_customer_input");
+                if (ciReset) {
+                  ciReset.removeAttribute("disabled");
+                  ciReset.placeholder = "Select customer";
+                }
+
+                var bsw = String(meta.backup_software || "").trim();
+                var btype = String(meta.backup_type || "").trim();
+                var jname = String(meta.job_name || "").trim();
+
+                if (bsw !== "Veeam" || btype !== "Service Provider Console" || jname !== "Active alarms summary") {
+                  return;
+                }
+
+                var companies = (data.vspc_companies || meta.vspc_companies || []);
+                var defaults = (data.vspc_company_defaults || {});
+                if (!Array.isArray(companies)) companies = [];
+
+                // Fallback for older stored messages where companies were embedded in object names.
+                if (!companies.length) {
+                  var objs = data.objects || [];
+                  var seen = {};
+                  objs.forEach(function (o) {
+                    var name = String((o && o.name) || "");
+                    var ix = name.indexOf(" | ");
+                    if (ix > 0) {
+                      var c = name.substring(0, ix).trim();
+                      if (c && !seen[c]) { seen[c] = true; companies.push(c); }
+                    }
+                  });
+                }
+
+                if (!companies.length) return;
+
+                // Show mapping button; hide regular approve
+                mapBtn.classList.remove("d-none");
+                if (approveBtn) approveBtn.classList.add("d-none");
+                var ci = document.getElementById("msg_customer_input");
+                if (ci) {
+                  ci.value = "";
+                  ci.setAttribute("disabled", "disabled");
+                  ci.placeholder = "Use \"Map companies\"";
+                }
+
+                mapBtn.onclick = function () {
+                  var tbody = document.getElementById("vspcCompanyMapTbody");
+                  var form = document.getElementById("vspcCompanyMapForm");
+                  if (!tbody || !form) return;
+
+                  // set form action
+                  form.action = "{{ url_for('main.inbox_message_approve_vspc_companies', message_id=0) }}".replace("0", String(meta.id || id));
+
+                  // build rows
+                  tbody.innerHTML = "";
+                  companies.forEach(function (company) {
+                    var tr = document.createElement("tr");
+
+                    var tdC = document.createElement("td");
+                    tdC.textContent = company;
+                    tr.appendChild(tdC);
+
+                    var tdS = document.createElement("td");
+                    var inp = document.createElement("input");
+                    inp.type = "text";
+                    inp.className = "form-control form-control-sm";
+                    inp.setAttribute("list", "vspcCustomerList");
+                    inp.setAttribute("data-company", company);
+                    inp.placeholder = "Select customer";
+
+                    // Prefill with existing mapping when available.
+                    try {
+                      var d = defaults && defaults[company];
+                      if (d && d.customer_name) {
+                        inp.value = String(d.customer_name);
+                      }
+                    } catch (e) {}
+                    tdS.appendChild(inp);
+                    tr.appendChild(tdS);
+
+                    tbody.appendChild(tr);
+                  });
+
+                  // clear hidden field
+                  var hidden = document.getElementById("vspc_company_mappings_json");
+                  if (hidden) hidden.value = "";
+
+                  var mapModalEl = document.getElementById("vspcCompanyMapModal");
+                  if (mapModalEl && window.bootstrap) {
+                    var mm = bootstrap.Modal.getOrCreateInstance(mapModalEl);
+                    mm.show();
+                  }
+                };
+
+                // Attach submit handler once
+                var mapForm = document.getElementById("vspcCompanyMapForm");
+                if (mapForm && !mapForm.getAttribute("data-bound")) {
+                  mapForm.setAttribute("data-bound", "1");
+                  mapForm.addEventListener("submit", function (ev) {
+                    var rows = document.querySelectorAll("#vspcCompanyMapTbody input[data-company]");
+                    var mappings = [];
+                    rows.forEach(function (inp) {
+                      var company = inp.getAttribute("data-company") || "";
+                      var cname = String(inp.value || "").trim();
+                      if (!company || !cname) return;
+
+                      var cid = findCustomerIdByName(cname);
+                      if (!cid) return;
+                      mappings.push({ company: company, customer_id: cid });
+                    });
+
+                    var hidden = document.getElementById("vspc_company_mappings_json");
+                    if (hidden) hidden.value = JSON.stringify(mappings);
+                  });
+                }
+              })();
+
+
               var customerName = meta.customer_name || "";
               var approveForm = document.getElementById("inboxApproveForm");
 

containers/backupchecks/src/templates/main/inbox_deleted.html

@@ -99,18 +99,18 @@
       <div class="modal-body">
         <div class="row">
           <div class="col-md-3">
-            <dl class="row mb-0">
+            <dl class="row mb-0 dl-compact">
               <dt class="col-4">From</dt>
-              <dd class="col-8" id="dmsg_from"></dd>
+              <dd class="col-8 ellipsis-field" id="dmsg_from"></dd>
 
               <dt class="col-4">Received</dt>
-              <dd class="col-8" id="dmsg_received"></dd>
+              <dd class="col-8 ellipsis-field" id="dmsg_received"></dd>
 
               <dt class="col-4">Deleted by</dt>
-              <dd class="col-8" id="dmsg_deleted_by"></dd>
+              <dd class="col-8 ellipsis-field" id="dmsg_deleted_by"></dd>
 
               <dt class="col-4">Deleted at</dt>
-              <dd class="col-8" id="dmsg_deleted_at"></dd>
+              <dd class="col-8 ellipsis-field" id="dmsg_deleted_at"></dd>
             </dl>
           </div>
 
@@ -130,18 +130,30 @@
 
 <script>
   (function () {
-    function wrapMailHtml(html) {
+        function wrapMailHtml(html) {
       html = html || "";
-      return (
-        "<!doctype html><html><head><meta charset=\"utf-8\">" +
-        "<base target=\"_blank\">" +
-        "</head><body style=\"margin:0; padding:8px;\">" +
-        html +
-        "</body></html>"
-      );
+      var trimmed = (typeof html === "string") ? html.trim() : "";
+      var injection = '<meta charset="utf-8"><meta name="color-scheme" content="light"><meta name="supported-color-schemes" content="light"><meta name="viewport" content="width=device-width, initial-scale=1"><base target="_blank"><style>:root{color-scheme:light;}html{color-scheme:light;}body{margin:0;padding:8px;background:#fff;forced-color-adjust:none;-ms-high-contrast-adjust:none;}</style>';
+
+      function injectIntoFullDoc(doc) {
+        var d = doc || "";
+        if (/<head[^>]*>/i.test(d)) {
+          return d.replace(/<head[^>]*>/i, function (m) { return m + injection; });
+        }
+        if (/<html[^>]*>/i.test(d)) {
+          return d.replace(/<html[^>]*>/i, function (m) { return m + "<head>" + injection + "</head>"; });
+        }
+        return "<!doctype html><html><head>" + injection + "</head><body>" + d + "</body></html>";
+      }
+
+      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
+        return injectIntoFullDoc(trimmed);
+      }
+
+      return "<!doctype html><html><head>" + injection + "</head><body>" + html + "</body></html>";
     }
 
-    function attachHandlers() {
+function attachHandlers() {
       var emlLinks = document.querySelectorAll("a.eml-download");
       emlLinks.forEach(function (a) {
         a.addEventListener("click", function (ev) {

containers/backupchecks/src/templates/main/job_detail.html

@@ -4,18 +4,18 @@
 
 <div class="card mb-3">
   <div class="card-body">
-    <dl class="row mb-0">
+    <dl class="row mb-0 dl-compact">
       <dt class="col-sm-3">Customer</dt>
-      <dd class="col-sm-9">{{ job.customer.name if job.customer else "" }}</dd>
+      <dd class="col-sm-9 ellipsis-field">{{ job.customer.name if job.customer else "" }}</dd>
 
       <dt class="col-sm-3">Backup</dt>
-      <dd class="col-sm-9">{{ job.backup_software }}</dd>
+      <dd class="col-sm-9 ellipsis-field">{{ job.backup_software }}</dd>
 
       <dt class="col-sm-3">Type</dt>
-      <dd class="col-sm-9">{{ job.backup_type }}</dd>
+      <dd class="col-sm-9 ellipsis-field">{{ job.backup_type }}</dd>
 
       <dt class="col-sm-3">Job name</dt>
-      <dd class="col-sm-9">{{ job.job_name }}</dd>
+      <dd class="col-sm-9 ellipsis-field">{{ job.job_name }}</dd>
 
       <dt class="col-sm-3">Tickets</dt>
       <dd class="col-sm-9">{{ ticket_open_count }} open / {{ ticket_total_count }} total</dd>
@@ -168,21 +168,21 @@
       <div class="modal-body">
         <div class="row">
           <div class="col-md-3">
-            <dl class="row mb-0">
+            <dl class="row mb-0 dl-compact">
               <dt class="col-4">From</dt>
-              <dd class="col-8" id="run_msg_from"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_from"></dd>
 
               <dt class="col-4">Backup</dt>
-              <dd class="col-8" id="run_msg_backup"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_backup"></dd>
 
               <dt class="col-4">Type</dt>
-              <dd class="col-8" id="run_msg_type"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_type"></dd>
 
                <dt class="col-4">Ticket</dt>
-               <dd class="col-8" id="run_msg_ticket"></dd>
+               <dd class="col-8 ellipsis-field" id="run_msg_ticket"></dd>
 
                <dt class="col-4">Remark</dt>
-               <dd class="col-8" id="run_msg_remark"></dd>
+               <dd class="col-8 ellipsis-field" id="run_msg_remark"></dd>
 
               <dt class="col-12 mt-2">Tickets &amp; remarks</dt>
               <dd class="col-12">
@@ -208,19 +208,19 @@
               </dd>
 
               <dt class="col-4">Job</dt>
-              <dd class="col-8" id="run_msg_job"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_job"></dd>
 
               <dt class="col-4">Overall</dt>
-              <dd class="col-8" id="run_msg_overall"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_overall"></dd>
 
               <dt class="col-4">Customer</dt>
-              <dd class="col-8" id="run_msg_customer"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_customer"></dd>
 
               <dt class="col-4">Received</dt>
-              <dd class="col-8" id="run_msg_received"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_received"></dd>
 
               <dt class="col-4">Parsed</dt>
-              <dd class="col-8" id="run_msg_parsed"></dd>
+              <dd class="col-8 ellipsis-field" id="run_msg_parsed"></dd>
             </dl>
 
           </div>
@@ -235,7 +235,6 @@
             </div>
 
             <div class="mt-3">
-              <h6>Objects</h6>
               <div id="run_msg_objects_container">
                 <!-- Parsed objects will be rendered here -->
               </div>
@@ -477,18 +476,30 @@
       }
     }
 
-    function wrapMailHtml(html) {
+        function wrapMailHtml(html) {
       html = html || "";
-      // Ensure we render the mail HTML with its own CSS, isolated from the site styling.
-      return (
-        "<!doctype html><html><head><meta charset=\"utf-8\">" +
-        "<base target=\"_blank\">" +
-        "</head><body style=\"margin:0; padding:8px;\">" +
-        html +
-        "</body></html>"
-      );
+      var trimmed = (typeof html === "string") ? html.trim() : "";
+      var injection = '<meta charset="utf-8"><meta name="color-scheme" content="light"><meta name="supported-color-schemes" content="light"><meta name="viewport" content="width=device-width, initial-scale=1"><base target="_blank"><style>:root{color-scheme:light;}html{color-scheme:light;}body{margin:0;padding:8px;background:#fff;forced-color-adjust:none;-ms-high-contrast-adjust:none;}</style>';
+
+      function injectIntoFullDoc(doc) {
+        var d = doc || "";
+        if (/<head[^>]*>/i.test(d)) {
+          return d.replace(/<head[^>]*>/i, function (m) { return m + injection; });
+        }
+        if (/<html[^>]*>/i.test(d)) {
+          return d.replace(/<html[^>]*>/i, function (m) { return m + "<head>" + injection + "</head>"; });
+        }
+        return "<!doctype html><html><head>" + injection + "</head><body>" + d + "</body></html>";
+      }
+
+      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
+        return injectIntoFullDoc(trimmed);
+      }
+
+      return "<!doctype html><html><head>" + injection + "</head><body>" + html + "</body></html>";
     }
-    function renderObjects(objects) {
+
+function renderObjects(objects) {
       var container = document.getElementById("run_msg_objects_container");
       if (!container) return;
 
@@ -497,18 +508,29 @@
         return;
       }
 
-      // Sort: objects with an error_message first (alphabetically by name), then the rest (also by name).
-      var sorted = (objects || []).slice().sort(function (a, b) {
-        a = a || {};
-        b = b || {};
-        var aHasErr = !!(a.error_message && a.error_message.toString().trim());
-        var bHasErr = !!(b.error_message && b.error_message.toString().trim());
-        if (aHasErr !== bHasErr) return aHasErr ? -1 : 1;
+      function objectSeverityRank(o) {
+        var st = String((o && o.status) || "").trim().toLowerCase();
+        var err = String((o && o.error_message) || "").trim();
+        if (st === "error" || st === "failed" || st === "failure" || err) return 0;
+        if (st === "warning") return 1;
+        return 2;
+      }
 
-        var an = (a.name || "").toString().toLowerCase();
-        var bn = (b.name || "").toString().toLowerCase();
+      // Sort: errors first, then warnings, then the rest; within each group sort alphabetically.
+      var sorted = (objects || []).slice().sort(function (a, b) {
+        var ra = objectSeverityRank(a);
+        var rb = objectSeverityRank(b);
+        if (ra !== rb) return ra - rb;
+
+        var an = String((a && a.name) || "").toLowerCase();
+        var bn = String((b && b.name) || "").toLowerCase();
         if (an < bn) return -1;
         if (an > bn) return 1;
+
+        var at = String((a && a.type) || "").toLowerCase();
+        var bt = String((b && b.type) || "").toLowerCase();
+        if (at < bt) return -1;
+        if (at > bt) return 1;
         return 0;
       });
 

containers/backupchecks/src/templates/main/overrides.html

@@ -62,7 +62,16 @@
         </select>
       </div>
       <div class="col-md-3">
-        <label for="ov_match_error_contains" class="form-label">Error contains</label>
+        <label for="ov_match_error_mode" class="form-label">Error match type</label>
+        <select class="form-select" id="ov_match_error_mode" name="match_error_mode">
+          <option value="contains">Contains</option>
+          <option value="exact">Exact</option>
+          <option value="starts_with">Starts with</option>
+          <option value="ends_with">Ends with</option>
+        </select>
+      </div>
+      <div class="col-md-3">
+        <label for="ov_match_error_contains" class="form-label">Error text</label>
         <input type="text" class="form-control" id="ov_match_error_contains" name="match_error_contains" placeholder="Text to match in error message">
       </div>
       <div class="col-md-3">
@@ -142,6 +151,7 @@
                         data-ov-object-name="{{ ov.object_name or '' }}"
                         data-ov-match-status="{{ ov.match_status or '' }}"
                         data-ov-match-error-contains="{{ ov.match_error_contains or '' }}"
+                        data-ov-match-error-mode="{{ ov.match_error_mode or 'contains' }}"
                         data-ov-treat-as-success="{{ 1 if ov.treat_as_success else 0 }}"
                         data-ov-comment="{{ ov.comment or '' }}"
                         data-ov-start-at="{{ ov.start_at_raw or '' }}"
@@ -190,6 +200,7 @@
   const jobField = document.getElementById('ov_job_id');
   const objectNameField = document.getElementById('ov_object_name');
   const matchStatusField = document.getElementById('ov_match_status');
+  const matchErrorModeField = document.getElementById('ov_match_error_mode');
   const matchErrorContainsField = document.getElementById('ov_match_error_contains');
   const treatAsSuccessField = document.getElementById('ov_treat_success');
   const commentField = document.getElementById('ov_comment');
@@ -228,6 +239,7 @@
       setValue(jobField, btn.dataset.ovJobId || '');
       setValue(objectNameField, btn.dataset.ovObjectName || '');
       setValue(matchStatusField, btn.dataset.ovMatchStatus || '');
+      setValue(matchErrorModeField, btn.dataset.ovMatchErrorMode || 'contains');
       setValue(matchErrorContainsField, btn.dataset.ovMatchErrorContains || '');
       if (treatAsSuccessField) treatAsSuccessField.checked = (btn.dataset.ovTreatAsSuccess === '1');
       setValue(commentField, btn.dataset.ovComment || '');

containers/backupchecks/src/templates/main/run_checks.html

@@ -144,9 +144,22 @@
     overflow: auto;
   }
 
-  #runChecksModal #rcm_body_iframe { height: 100%; }
-  #runChecksModal .rcm-mail-panel { flex: 1 1 auto; min-height: 0; }
-  #runChecksModal .rcm-objects-scroll { max-height: 25vh; overflow: auto; }
+  #runChecksModal #rcm_body_iframe {
+    flex: 1 1 auto;
+    min-height: 0;
+    height: auto;
+  }
+  #runChecksModal .rcm-mail-panel {
+    display: flex;
+    flex-direction: column;
+    flex: 1 1 auto;
+    min-height: 0;
+  }
+  #runChecksModal .rcm-objects-scroll {
+    max-height: 25vh;
+    overflow: auto;
+    margin-top: 0.5rem;
+  }
 </style>
 
 <div class="modal fade" id="runChecksModal" tabindex="-1" aria-labelledby="runChecksModalLabel" aria-hidden="true">
@@ -177,18 +190,21 @@
               <div id="rcm_runs_list" class="list-group"></div>
             </div>
             <div class="col-md-9 rcm-detail-col">
-              <dl class="row mb-3">
+              <dl class="row mb-3 dl-compact">
                 <dt class="col-3">From</dt>
-                <dd class="col-9" id="rcm_from"></dd>
+                <dd class="col-9 ellipsis-field" id="rcm_from"></dd>
 
                 <dt class="col-3">Subject</dt>
-                <dd class="col-9" id="rcm_subject"></dd>
+                <dd class="col-9 ellipsis-field" id="rcm_subject"></dd>
 
                 <dt class="col-3">Received</dt>
-                <dd class="col-9" id="rcm_received"></dd>
+                <dd class="col-9 ellipsis-field" id="rcm_received"></dd>
 
                 <dt class="col-3">Indicator</dt>
-                <dd class="col-9" id="rcm_status"></dd>
+                <dd class="col-9 ellipsis-field" id="rcm_status"></dd>
+
+                <dt class="col-3">Overall remark</dt>
+                <dd class="col-9" id="rcm_overall_message" style="white-space: pre-wrap;"></dd>
 
                 <dt class="col-3">Remark</dt>
                 <dd class="col-9" id="rcm_remark" style="white-space: pre-wrap;"></dd>
@@ -239,7 +255,6 @@
               </div>
 
               <div>
-                <h6>Objects</h6>
                 <div class="table-responsive rcm-objects-scroll">
                   <table class="table table-sm table-bordered" id="rcm_objects_table">
                     <thead class="table-light" style="position: sticky; top: 0; z-index: 1;">
@@ -263,7 +278,6 @@
       <div class="modal-footer">
         <a id="rcm_eml_btn" class="btn btn-outline-primary" href="#" style="display:none;" rel="nofollow">Download EML</a>
         <a id="rcm_job_btn" class="btn btn-outline-secondary" href="#">Open job page</a>
-        <button type="button" class="btn btn-outline-primary" id="rcm_mark_success_override" disabled>Mark success (override)</button>
         <button type="button" class="btn btn-primary" id="rcm_mark_all_reviewed" disabled>Mark as Reviewed</button>
         <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
       </div>
@@ -324,18 +338,57 @@ function statusClass(status) {
       return "";
     }
 
-    function wrapMailHtml(html) {
-      html = html || "";
-      return (
-        "<!doctype html><html><head><meta charset=\"utf-8\">" +
-        "<base target=\"_blank\">" +
-        "</head><body style=\"margin:0; padding:8px;\">" +
-        html +
-        "</body></html>"
-      );
+    function objectSeverityRank(o) {
+      var st = String((o && o.status) || '').trim().toLowerCase();
+      var err = String((o && o.error_message) || '').trim();
+      if (st === 'error' || st === 'failed' || st === 'failure' || err) return 0;
+      if (st === 'warning') return 1;
+      return 2;
     }
 
-    function escapeHtml(s) {
+    function sortObjects(objects) {
+      return (objects || []).slice().sort(function (a, b) {
+        var ra = objectSeverityRank(a);
+        var rb = objectSeverityRank(b);
+        if (ra !== rb) return ra - rb;
+
+        var na = String((a && a.name) || '').toLowerCase();
+        var nb = String((b && b.name) || '').toLowerCase();
+        if (na < nb) return -1;
+        if (na > nb) return 1;
+
+        var ta = String((a && a.type) || '').toLowerCase();
+        var tb = String((b && b.type) || '').toLowerCase();
+        if (ta < tb) return -1;
+        if (ta > tb) return 1;
+        return 0;
+      });
+    }
+
+        function wrapMailHtml(html) {
+      html = html || "";
+      var trimmed = (typeof html === "string") ? html.trim() : "";
+      var injection = '<meta charset="utf-8"><meta name="color-scheme" content="light"><meta name="supported-color-schemes" content="light"><meta name="viewport" content="width=device-width, initial-scale=1"><base target="_blank"><style>:root{color-scheme:light;}html{color-scheme:light;}body{margin:0;padding:8px;background:#fff;forced-color-adjust:none;-ms-high-contrast-adjust:none;}</style>';
+
+      function injectIntoFullDoc(doc) {
+        var d = doc || "";
+        if (/<head[^>]*>/i.test(d)) {
+          return d.replace(/<head[^>]*>/i, function (m) { return m + injection; });
+        }
+        if (/<html[^>]*>/i.test(d)) {
+          return d.replace(/<html[^>]*>/i, function (m) { return m + "<head>" + injection + "</head>"; });
+        }
+        return "<!doctype html><html><head>" + injection + "</head><body>" + d + "</body></html>";
+      }
+
+      if (trimmed.toLowerCase().indexOf("<!doctype") === 0 || trimmed.toLowerCase().indexOf("<html") === 0) {
+        return injectIntoFullDoc(trimmed);
+      }
+
+      return "<!doctype html><html><head>" + injection + "</head><body>" + html + "</body></html>";
+    }
+
+function escapeHtml(s) {
       return (s || "").toString()
         .replace(/&/g, "&amp;")
         .replace(/</g, "&lt;")
@@ -899,6 +952,7 @@ if (tStatus) tStatus.textContent = '';
         stEl.innerHTML = (d ? ('<span class="status-dot ' + d + '" aria-hidden="true"></span>') : '');
       }
       document.getElementById('rcm_remark').textContent = run.remark || '';
+      document.getElementById('rcm_overall_message').textContent = run.overall_message || '';
 
       currentRunId = run.id || null;
       if (window.__rcmClearCreateStatus) window.__rcmClearCreateStatus();
@@ -940,7 +994,7 @@ if (tStatus) tStatus.textContent = '';
       var tbody = document.querySelector('#rcm_objects_table tbody');
       if (tbody) {
         tbody.innerHTML = '';
-        (run.objects || []).forEach(function (obj) {
+        sortObjects(run.objects || []).forEach(function (obj) {
           var tr = document.createElement('tr');
 
           var tdName = document.createElement('td');
@@ -1142,4 +1196,4 @@ if (tStatus) tStatus.textContent = '';
     updateButtons();
   })();
 </script>
-{% endblock %}
+{% endblock %}

containers/backupchecks/src/templates/main/settings.html

@@ -160,8 +160,30 @@
           {% if users %}
             {% for user in users %}
             <tr>
+              {% set is_last_admin = ('admin' in user.roles and (admin_users_count or 0) <= 1) %}
               <td>{{ user.username }}</td>
-              <td>{{ (user.role or '')|replace(',', ', ') }}</td>
+              <td>
+                <form method="post" action="{{ url_for('main.settings_users_update_roles', user_id=user.id) }}" class="d-flex flex-wrap gap-2 align-items-center">
+                  <div class="form-check form-check-inline m-0">
+                    <input class="form-check-input" type="checkbox" id="role_admin_{{ user.id }}" name="roles" value="admin" {% if 'admin' in user.roles %}checked{% endif %} {% if is_last_admin %}disabled title="Cannot remove admin from the last admin account"{% endif %} />
+                    <label class="form-check-label" for="role_admin_{{ user.id }}">Admin</label>
+                  </div>
+                  <div class="form-check form-check-inline m-0">
+                    <input class="form-check-input" type="checkbox" id="role_operator_{{ user.id }}" name="roles" value="operator" {% if 'operator' in user.roles %}checked{% endif %} />
+                    <label class="form-check-label" for="role_operator_{{ user.id }}">Operator</label>
+                  </div>
+                  <div class="form-check form-check-inline m-0">
+                    <input class="form-check-input" type="checkbox" id="role_reporter_{{ user.id }}" name="roles" value="reporter" {% if 'reporter' in user.roles %}checked{% endif %} />
+                    <label class="form-check-label" for="role_reporter_{{ user.id }}">Reporter</label>
+                  </div>
+                  <div class="form-check form-check-inline m-0">
+                    <input class="form-check-input" type="checkbox" id="role_viewer_{{ user.id }}" name="roles" value="viewer" {% if 'viewer' in user.roles %}checked{% endif %} />
+                    <label class="form-check-label" for="role_viewer_{{ user.id }}">Viewer</label>
+                  </div>
+                  <button type="submit" class="btn btn-sm btn-outline-primary">Save</button>
+                </form>
+                <div class="text-muted small mt-1">Current: {{ (user.role or '')|replace(',', ', ') }}</div>
+              </td>
               <td>
                 <div class="d-flex flex-wrap gap-2">
                   <form method="post" action="{{ url_for('main.settings_users_reset_password', user_id=user.id) }}" class="d-inline">
@@ -170,7 +192,6 @@
                       <button type="submit" class="btn btn-outline-secondary">Reset</button>
                     </div>
                   </form>
-                  {% set is_last_admin = (user.role == 'admin' and (users | selectattr('role', 'equalto', 'admin') | list | length) <= 1) %}
                   <form method="post" action="{{ url_for('main.settings_users_delete', user_id=user.id) }}" class="d-inline">
                     <button type="submit" class="btn btn-sm btn-outline-danger" {% if is_last_admin %}disabled title="Cannot delete the last admin account"{% endif %}>Delete</button>
                   </form>

docs/changelog.md

@@ -1,16 +1,174 @@
 
+***
+
+## v0.1.21
+
+This release focuses on improving correctness, consistency, and access control across core application workflows, with particular attention to changelog rendering, browser-specific mail readability, Run Checks visibility, role-based access restrictions, override flexibility, and VSPC object linking reliability. The goal is to ensure predictable behavior, clearer diagnostics, and safer administration across both day-to-day operations and complex multi-entity reports.
+
+### Changelog Rendering and Documentation Accuracy
+
+- Updated the Changelog route to render remote Markdown content instead of plain text.
+- Enabled full Markdown parsing so headings, lists, links, and code blocks are displayed correctly.
+- Ensured the changelog always fetches the latest version directly from the source repository at request time.
+- Removed legacy plain-text rendering to prevent loss of structure and formatting.
+
+### Mail Rendering and Browser Compatibility
+
+- Forced a light color scheme for embedded mail content to prevent Microsoft Edge from applying automatic dark mode styling.
+- Added explicit `color-scheme` and `forced-color-adjust` rules so original mail CSS is respected.
+- Ensured consistent mail readability across Edge and Firefox.
+- Applied these fixes consistently across Inbox, Deleted Inbox, Job Details, Run Checks, Daily Jobs, and Admin All Mail views.
+
+### Run Checks Visibility and Consistency
+
+- Added support for displaying the overall remark (overall_message) directly on the Run Checks page.
+- Ensured consistency between Run Checks and Job Details, where the overall remark was already available.
+- Improved operator visibility of high-level run context without requiring navigation to job details.
+
+### Initial Setup and User Existence Safeguards
+
+- Fixed an incorrect redirect to the “Initial admin setup” page when users already exist.
+- Changed setup detection logic from “admin user exists” to “any user exists”.
+- Ensured existing environments always show the login page instead of allowing a new initial admin to be created.
+- Prevented direct access to the initial setup route when at least one user is present.
+
+### Role-Based Access Control and Menu Restrictions
+
+- Restricted the Reporter role to only access Dashboard, Reports, Changelog, and Feedback.
+- Updated menu rendering to fully hide unauthorized menu items for Reporter users.
+- Adjusted route access to ensure Feedback pages remain accessible for the Reporter role.
+- Improved overall consistency between visible navigation and backend access rules.
+
+### Override Matching Flexibility and Maintainability
+
+- Added configurable error text matching modes for overrides: contains, exact, starts with, and ends with.
+- Updated override evaluation logic to apply the selected match mode across run remarks and object error messages.
+- Extended the overrides UI with a match type selector and improved edit support for existing overrides.
+- Added a database migration to create and backfill the `overrides.match_error_mode` field for existing records.
+
+### Job Deletion Stability
+
+- Fixed an error that occurred during job deletion.
+- Corrected backend deletion logic to prevent runtime exceptions.
+- Ensured related records are handled safely to avoid constraint or reference errors during removal.
+
+### VSPC Object Linking and Normalization
+
+- Fixed VSPC company name normalization so detection and object prefixing behave consistently.
+- Ensured filtered object persistence respects the UNIQUE(customer_id, object_name) constraint.
+- Correctly update `last_seen` timestamps for existing objects.
+- Added automatic object persistence routing for VSPC per-company runs, ensuring objects are linked to the correct customer and job.
+- Improved auto-approval for VSPC Active Alarms summaries with per-company run creation and case-insensitive object matching.
+- Added best-effort retroactive processing to automatically link older inbox messages once company mappings are approved.
+
+### VSPC Normalization Bug Fixes and Backward Compatibility
+
+- Removed duplicate definitions of VSPC Active Alarms company extraction logic that caused inconsistent normalization.
+- Ensured a single, consistent normalization path is used when creating jobs and linking objects.
+- Improved object linking so real objects (e.g. HV01, USB Disk) are reliably associated with their jobs.
+- Restored automatic re-linking for both new and historical VSPC mails.
+- Added backward-compatible matching to prevent existing VSPC jobs from breaking due to earlier inconsistent company naming.
+
+---
+
+## v0.1.20
+
+This release delivers a comprehensive set of improvements focused on parser correctness, data consistency, and clearer operator workflows across Inbox handling, Run Checks, and administrative tooling. The main goal of these changes is to ensure that backup notifications are parsed reliably, presented consistently, and handled through predictable and auditable workflows, even for complex or multi-entity reports.
+
+### Mail Parsing and Data Integrity
+
+- Fixed Veeam Backup for Microsoft 365 parsing where the overall summary message was not consistently stored.
+- Improved extraction of overall detail messages so permission and role warnings are reliably captured.
+- Ensured the extracted overall message is always available across Job Details, Run Checks, and reporting views.
+- Added decoding of HTML entities in parsed object fields (name, type, status, error message) before storage, ensuring characters such as ampersands are displayed correctly.
+- Improved robustness of parsing logic to prevent partial or misleading data from being stored when mails contain mixed or malformed content.
+
+### Object Classification and Sorting
+
+- Updated object list sorting to improve readability and prioritization.
+- Objects are now grouped by severity in a fixed order: Errors first, then Warnings, followed by all other statuses.
+- Within each severity group, objects are sorted alphabetically (A–Z).
+- Applied the same sorting logic consistently across Inbox, Job Details, Run Checks, Daily Jobs, and the Admin All Mail view.
+- Improved overall run status determination by reliably deriving the worst detected object state.
+
+### Parsers Overview and Maintainability
+
+- Refactored the Parsers overview page to use the central parser registry instead of a static, hardcoded list.
+- All available parsers are now displayed automatically, ensuring the page stays in sync as parsers are added or removed.
+- Removed hardcoded parser definitions from templates to improve long-term maintainability.
+- Fixed a startup crash in the parsers route caused by an invalid absolute import by switching to a package-relative import.
+- Prevented Gunicorn worker boot failures and Bad Gateway errors during application initialization.
+
+### User Management and Feedback Handling
+
+- Added support for editing user roles directly from the User Management interface.
+- Implemented backend logic to update existing role assignments without requiring user deletion.
+- Ensured role changes are applied immediately and reflected correctly in permissions and access control.
+- Updated feedback listings to show only Open items by default.
+- Ensured Resolved items are always sorted to the bottom when viewing all feedback.
+- Preserved existing filtering, searching, and user-controlled sorting behavior.
+
+### UI Improvements and Usability Enhancements
+
+- Introduced reusable ellipsis handling for long detail fields to prevent layout overlap.
+- Added click-to-expand behavior for truncated fields, with double-click support to expand and select all text.
+- Added automatic tooltips showing the full value when a field is truncated.
+- Removed the redundant “Objects” heading above objects tables to reduce visual clutter.
+- Applied truncation and expansion behavior consistently across Inbox, Deleted Mail, Run Checks, Daily Jobs, Job Detail views, and Admin All Mail.
+- Reset expanded ellipsis fields when Bootstrap modals or offcanvas components are opened or closed to prevent state leakage.
+- Fixed layout issues where the Objects table could overlap mail content in the Run Checks popup.
+
+### Veeam Cloud Connect and VSPC Parsing
+
+- Improved the Veeam Cloud Connect Report parser by combining User and Repository Name into a single object identifier.
+- Excluded “TOTAL” rows from object processing.
+- Correctly classified red rows as Errors and yellow/orange rows as Warnings.
+- Ensured overall status is set to Error when one or more objects are in error state.
+- Added support for Veeam Service Provider Console daily alarm summary emails.
+- Implemented per-company object aggregation and derived overall status from the worst detected state.
+- Improved detection of VSPC Active Alarms emails to prevent incorrect fallback to other Veeam parsers.
+- Fixed a SyntaxError in the VSPC parser that caused application startup failures.
+
+### VSPC Company Mapping Workflow
+
+- Introduced a dedicated company-mapping popup for VSPC Active Alarms summary reports.
+- Enabled manual mapping of companies found in mails to existing customers.
+- Implemented per-company job and run creation using the format “Active alarms summary | <Company>”.
+- Disabled the standard approval flow for this report type and replaced it with a dedicated mapping workflow.
+- Required all detected companies to be mapped before full approval, while still allowing partial approvals.
+- Prevented duplicate run creation on repeated approvals.
+- Improved visibility and usability of the mapping popup with scroll support for large company lists.
+- Ensured only alarms belonging to the selected company are attached to the corresponding run.
+
+### NTFS Auditing and Synology ABB Enhancements
+
+- Added full parser support for NTFS Auditing reports.
+- Improved hostname and FQDN extraction from subject lines, supporting multiple subject formats and prefixes.
+- Ensured consistent job name generation as “<hostname> file audits”.
+- Set overall status to Warning when detected change counts are greater than zero.
+- Improved Synology Active Backup for Business parsing to detect partially completed jobs as Warning.
+- Added support for localized completion messages and subject variants.
+- Improved per-device object extraction and ensured specific device statuses take precedence over generic listings.
+
+### Workflow Simplification and Cleanup
+
+- Removed the “Mark success (override)” button from the Run Checks popup.
+- Prevented creation of unintended overrides when marking individual runs as successful.
+- Simplified override handling so Run Checks actions no longer affect override administration.
+- Ensured firmware update notifications (QNAP) are treated as informational warnings and excluded from missing-run detection and reporting.
+
+---
 
-================================================================================================================================================
 ## v0.1.19
 This release delivers a broad set of improvements focused on reliability, transparency, and operational control across mail processing, administrative auditing, and Run Checks workflows. The changes aim to make message handling more robust, provide better insight for administrators, and give operators clearer and more flexible control when reviewing backup runs.
 
-Mail Import Reliability and Data Integrity
+### Mail Import Reliability and Data Integrity
 - Updated the mail import flow so messages are only moved to the processed folder after a successful database store and commit.
 - Prevented Graph emails from being moved when parsing, storing, or committing data fails, ensuring no messages are lost due to partial failures.
 - Added explicit commit and rollback handling to guarantee database consistency before any mail state changes occur.
 - Improved logging around import, commit, and rollback failures to make skipped or retried mails easier to trace and troubleshoot.
 
-Administrative Mail Auditing and Visibility
+### Administrative Mail Auditing and Visibility
 - Introduced an admin-only “All Mail” audit page that provides a complete overview of all received mail messages.
 - Implemented pagination with a fixed page size of 50 items to ensure consistent performance and predictable navigation.
 - Added always-visible search filters that can be combined using AND logic, including From, Subject, Backup, Type, Job name, and a received date/time range.
@@ -19,14 +177,14 @@ Administrative Mail Auditing and Visibility
 - Added a dedicated navigation entry so administrators can easily access the All Mail audit view.
 - Fixed modal opening behavior in the All Mail page to fully align click handling and popups with the Inbox implementation.
 
-Inbox and Mail Body Rendering Improvements
+### Inbox and Mail Body Rendering Improvements
 - Treated whitespace-only email bodies as empty during import so HTML report attachments can be extracted and displayed correctly.
 - Added legacy fallback logic in the Inbox message detail API to extract the first HTML attachment from stored EML files when bodies are empty or invalid.
 - Improved iframe rendering in the Inbox so full HTML documents (commonly used for report attachments) are rendered directly instead of being wrapped.
 - Added detection for “effectively empty” HTML bodies, such as empty Graph-generated HTML skeletons.
 - Ensured that both newly imported and already-stored messages can dynamically fall back to EML attachment extraction without requiring a reset.
 
-Run Checks Usability and Control
+### Run Checks Usability and Control
 - Added a copy-to-clipboard icon next to ticket numbers in the Run Checks popup to quickly copy only the ticket code.
 - Prevented accidental selection of appended status text when copying ticket numbers.
 - Introduced a manual “Success (override)” action that allows Operators and Admins to mark a run as successful even if it originally failed or produced warnings.
@@ -37,13 +195,13 @@ Run Checks Usability and Control
 - Added support for extracting HTML content from stored EML files when both HTML and text bodies are unavailable.
 - Ensured plain-text emails are safely rendered using preformatted HTML to preserve readability.
 
-Customer, Ticket, and Scope Cleanup
+### Customer, Ticket, and Scope Cleanup
 - Updated customer deletion logic to allow removal of customers even when tickets or remarks are linked.
 - Added explicit cleanup of related TicketScope and RemarkScope records prior to customer deletion.
 - Ensured jobs linked to a deleted customer are safely unassigned to prevent foreign key constraint errors.
 - Eliminated deletion failures caused by lingering ticket or remark relationships.
 
-Parser Enhancements and Informational Messages
+### Parser Enhancements and Informational Messages
 - Added parser support for 3CX SSL Certificate notification emails.
 - Classified these messages as Backup: 3CX with Type: SSL Certificate.
 - Parsed and displayed certificate information in the Run Checks popup.
@@ -52,7 +210,7 @@ Parser Enhancements and Informational Messages
 - Classified Synology Updates messages as informational and set their overall status to Warning.
 - Excluded Synology Updates informational messages from scheduling logic and reporting output.
 
-UI Layout and Status Accuracy Improvements
+### UI Layout and Status Accuracy Improvements
 - Moved the Details section above the email body in both Inbox and Job Details popups to improve readability.
 - Avoided long detail texts being constrained to narrow side columns.
 - Adjusted missed run detection to include a ±1 hour grace window around scheduled run times.
@@ -92,42 +250,42 @@ This release focuses on improving ticket reuse, scoping, and visibility across j
 
 This release focuses on improving job normalization, ticket and remark handling, UI usability, and the robustness of run and object detection across the platform.
 
-**Job normalization and aggregation**
+### Job normalization and aggregation
 - Veeam job names are now normalized to prevent duplicates:
   - Jobs with “(Combined)” and “(Full)” suffixes are merged with their base job names.
 - Ensures accurate aggregation, reporting, and statistics for Veeam Backup and Microsoft 365 jobs.
 - Added support for archiving inactive jobs while keeping all historical runs fully included in reports.
 
-**Inbox and bulk operations**
+### Inbox and bulk operations
 - Introduced multi-select inbox functionality for Operator and Admin roles.
 - Added a bulk “Delete selected” action with validation, counters, and admin audit logging.
 
-**Jobs UI and navigation**
+### Jobs UI and navigation
 - Restored row-click navigation on the Jobs page.
 - Moved the Archive action from the Jobs table to the Job Details page for consistency.
 - Improved layout and behavior of job run popups, ensuring objects are visible, correctly rendered, and consistently sorted.
 
-**Tickets and remarks**
+### Tickets and remarks
 - Ticket creation now always uses a user-provided ticket code with strict format and uniqueness validation.
 - Editing of tickets and remarks has been fully disabled; items must be resolved and recreated instead.
 - Removed ticket description fields from creation and detail views to prevent inconsistent data.
 - Fixed backend indentation errors that previously caused startup and Bad Gateway failures.
 
-**Customer deletion stability**
+### Customer deletion stability
 - Fixed foreign key constraint issues when deleting customers.
 - Customer deletion now safely unlinks jobs while preserving historical job and run data.
 - Enforced cascading deletes where appropriate to prevent integrity errors.
 
-**Feedback handling**
+### Feedback handling
 - Users can now reply directly to Feedback items while they are in the “Open” state.
 - Replies are stored for audit and history tracking.
 
-**Veeam parser improvements**
+### Veeam parser improvements
 - Configuration Backup parser now correctly captures multi-line overall warning messages.
 - Improved date parsing to support formats without leading zeros.
 - Microsoft 365 parser now always persists overall warning/info messages, even on successful runs.
 
-**Run checks and missed run detection**
+### Run checks and missed run detection
 - Improved weekly and monthly schedule inference to reduce false positives.
 - Monthly jobs are now detected and marked as missed on the correct expected date.
 - Added fallback mechanisms for loading run objects in Run Checks to support legacy and transitional data.

version.txt

@@ -1 +1 @@
-v0.1.19
+v0.1.20