feat: keyword highlighting, server monitor, network discovery, import sources (v0.1.34)

CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.34] — 2026-06-08
+
+### Added
+- **Keyword highlighting** — user-defined regex rules tint matching terminal output at paint time in the xterm fork; defaults ship with Error/Warning/Fail rules (red/yellow/cyan); toggle + rule list + add/edit dialog + color picker in Settings → Terminal and the terminal config side panel; rules persisted in `SettingsProvider`
+- **Server monitor panel** — per-host live dashboard (CPU / memory / disk / uptime / listening ports / firewall status) in a draggable bottom sheet; access from the host card hover button or right-click context menu; `SystemStatsService` polls every 5 s via a single compound SSH exec with sentinel markers; `FirewallStatusService` polls every 30 s and auto-detects ufw / iptables / nftables; requires an active SSH session
+- **Network discovery** — scan the local network for SSH/RDP hosts without typing an IP; `NetworkDiscoveryService` combines mDNS (`_ssh._tcp`, `_rdp._tcp`) and a configurable TCP port scan on the local subnet; results appear in a bottom sheet with one-tap **Add Host**; also reachable from a **Scan network** link in the Add Host panel
+- **Import sources expansion** — nine import sources with a source-picker grid UI; five new formats alongside the existing SSH config / JSON / CSV:
+  - **PuTTY** `.reg` registry export (hex port decoding, URL-decoded session names)
+  - **MobaXterm** `.mxtsessions` (SSH sessions only, type `0`; handles multi-section `[Bookmarks_N]` files)
+  - **SecureCRT** XML session files (recursive folder traversal → group path)
+  - **Ansible** INI inventory (`ansible_host`, `ansible_user` / `ansible_ssh_user`, `ansible_port` with validation; `:vars` and `:children` sections skipped)
+  - **WinSCP** `.ini` session export (URL-decoded names, nested path → label + group)
+  - **Termius** JSON export (`address` → host, `group.label` → group; falls back to YourSSH JSON format)
+  - **SSH URI** — one `ssh://user@host:port` per line
+- **Known hosts import** — import `~/.ssh/known_hosts` into the app's known-hosts store via an IMPORT button on the Known Hosts screen; skips duplicates (host:port:keyType) and hashed entries; fingerprints computed as MD5(key\_blob) to match what dartssh2 passes to the host-key verifier
+
+### Fixed
+- Server monitor panel: disk mount-point labels showed raw inode-count numbers on macOS servers — fixed by using `df -Pk` (POSIX output format) instead of `df -k`
+- Server monitor panel: polling services now guard against overlapping exec calls (in-flight guard); errors surface in the sheet instead of showing an infinite spinner
+- Network discovery: silent error catches replaced with `debugPrint` logging; `_loadSubnets` now handles `NetworkInterface.list` failures gracefully; scan errors shown in the UI
+- `DiscoveredHost.merge()` now preserves source when merging two hosts from the same discovery method
+
+---
+
 ## [0.1.33] — 2026-06-07
 
 ### Added

app/lib/models/discovered_host.dart

@@ -0,0 +1,120 @@
+enum DiscoverySource { mdns, tcpScan, both }
+
+class DiscoveredHost {
+  final String ip;
+  final String? hostname;
+  final List<int> openPorts;
+  final DiscoverySource source;
+  final String? mdnsServiceType;
+
+  const DiscoveredHost({
+    required this.ip,
+    this.hostname,
+    required this.openPorts,
+    required this.source,
+    this.mdnsServiceType,
+  });
+
+  DiscoveredHost merge(DiscoveredHost other) {
+    final ports = {...openPorts, ...other.openPorts}.toList()..sort();
+    return DiscoveredHost(
+      ip: ip,
+      hostname: hostname ?? other.hostname,
+      openPorts: ports,
+      source: source == other.source ? source : DiscoverySource.both,
+      mdnsServiceType: mdnsServiceType ?? other.mdnsServiceType,
+    );
+  }
+
+  String get portLabel {
+    if (openPorts.isEmpty) return '?';
+    if (openPorts.contains(3389)) return 'RDP';
+    if (openPorts.contains(22)) return 'SSH';
+    if (openPorts.contains(2222)) return 'SSH:2222';
+    return openPorts.first.toString();
+  }
+
+  bool get isRdp => openPorts.contains(3389) && !openPorts.contains(22);
+
+  // fix #9: single source of truth for port selection
+  int get preferredPort {
+    if (isRdp) return 3389;
+    if (openPorts.contains(22)) return 22;
+    if (openPorts.contains(2222)) return 2222;
+    return openPorts.isEmpty ? 22 : openPorts.first;
+  }
+}
+
+class SubnetInfo {
+  final String interfaceName;
+  final String displayName;
+  final String address;
+  final String subnet;
+
+  const SubnetInfo({
+    required this.interfaceName,
+    required this.displayName,
+    required this.address,
+    required this.subnet,
+  });
+
+  // fix #10: single source of truth for interface display names (shared with P2PSyncService)
+  static String interfaceDisplayName(String name) {
+    final n = name.toLowerCase();
+    if (n == 'en0') return 'Wi-Fi';
+    if (n.startsWith('wlan') || n.startsWith('wlp')) return 'Wi-Fi';
+    if (n.startsWith('en')) return 'Ethernet';
+    if (n.startsWith('eth')) return 'Ethernet';
+    if (n.startsWith('utun') || n.startsWith('tun') || n.startsWith('tap')) {
+      return 'VPN / Tailscale';
+    }
+    if (n.startsWith('bridge')) return 'Bridge';
+    return name;
+  }
+
+  // fix #7: guard against non-IPv4 / malformed addresses
+  static String subnetFromAddress(String address) {
+    final parts = address.split('.');
+    if (parts.length < 4) return '192.168.1.0/24';
+    return '${parts[0]}.${parts[1]}.${parts[2]}.0/24';
+  }
+
+  // fix #2: respect prefix length instead of always generating 254 hosts
+  static List<String> hostsInSubnet(String subnet) {
+    final slash = subnet.indexOf('/');
+    if (slash < 0) return [];
+    final base = subnet.substring(0, slash);
+    final prefix = int.tryParse(subnet.substring(slash + 1));
+    if (prefix == null || prefix < 0 || prefix > 32) return [];
+    final parts = base.split('.').map(int.tryParse).toList();
+    if (parts.length != 4 || parts.any((o) => o == null)) return [];
+    final network = (parts[0]! << 24) | (parts[1]! << 16) | (parts[2]! << 8) | parts[3]!;
+    final hostBits = 32 - prefix;
+    final count = (1 << hostBits) - 2;
+    if (count <= 0) return [];
+    return List.generate(count, (i) {
+      final addr = network + i + 1;
+      return '${(addr >> 24) & 0xff}.${(addr >> 16) & 0xff}.${(addr >> 8) & 0xff}.${addr & 0xff}';
+    });
+  }
+
+  /// Returns null when [subnet] is a valid x.x.x.x/y string (prefix /16–/32).
+  static String? validateSubnet(String subnet) {
+    final parts = subnet.split('/');
+    if (parts.length != 2) return 'Expected format: 192.168.1.0/24';
+    final octets = parts[0].split('.');
+    if (octets.length != 4) return 'Expected 4 octets';
+    for (final o in octets) {
+      final n = int.tryParse(o);
+      if (n == null || n < 0 || n > 255) return 'Invalid octet: $o';
+    }
+    final prefix = int.tryParse(parts[1]);
+    if (prefix == null || prefix < 16 || prefix > 32) {
+      return 'Prefix must be /16–/32';
+    }
+    return null;
+  }
+
+  @override
+  String toString() => '$displayName ($address) — $subnet';
+}

app/lib/models/firewall_status.dart

@@ -0,0 +1,136 @@
+enum FirewallType { ufw, iptables, nftables, none }
+
+class FirewallStatus {
+  final FirewallType type;
+  final bool enabled;
+  final String? defaultInboundPolicy;
+  final List<FirewallRule> rules;
+
+  const FirewallStatus({
+    required this.type,
+    required this.enabled,
+    this.defaultInboundPolicy,
+    required this.rules,
+  });
+
+  static const _kNone = FirewallStatus(
+    type: FirewallType.none,
+    enabled: false,
+    rules: [],
+  );
+
+  factory FirewallStatus.fromShellOutput(String output) {
+    if (output.contains('__NO_FIREWALL__')) return _kNone;
+    if (output.contains('Status: active') || output.contains('Status: inactive')) {
+      return _parseUfw(output);
+    }
+    if (output.contains('*filter') ||
+        RegExp(r'-A (INPUT|OUTPUT|FORWARD)').hasMatch(output)) {
+      return _parseIptables(output);
+    }
+    if (output.contains('hook input') && output.contains('chain')) {
+      return _parseNft(output);
+    }
+    return _kNone;
+  }
+
+  static FirewallStatus _parseUfw(String output) {
+    final enabled = output.contains('Status: active');
+    String? defaultPolicy;
+    final rules = <FirewallRule>[];
+    for (final line in output.split('\n')) {
+      final t = line.trim();
+      if (t.startsWith('Default:')) {
+        final m = RegExp(r'Default: (\w+) \(incoming\)').firstMatch(t);
+        defaultPolicy = m?.group(1)?.toUpperCase();
+      }
+      final m = RegExp(r'^\[\s*\d+\]\s+(.+?)\s{2,}(ALLOW|DENY|LIMIT|REJECT)\s').firstMatch(t);
+      if (m != null) {
+        rules.add(FirewallRule(description: t, action: m.group(2), chain: null));
+      }
+    }
+    return FirewallStatus(
+      type: FirewallType.ufw,
+      enabled: enabled,
+      defaultInboundPolicy: defaultPolicy,
+      rules: rules,
+    );
+  }
+
+  static FirewallStatus _parseIptables(String output) {
+    String? defaultPolicy;
+    final rules = <FirewallRule>[];
+    bool inFilter = false;
+    for (final line in output.split('\n')) {
+      final t = line.trim();
+      if (t == '*filter') {
+        inFilter = true;
+        continue;
+      }
+      if (t == 'COMMIT') {
+        inFilter = false;
+        continue;
+      }
+      if (!inFilter) continue;
+      final chain = RegExp(r'^:INPUT (\w+)').firstMatch(t);
+      if (chain != null) defaultPolicy = chain.group(1);
+      final rule = RegExp(r'^-A (\w+) .+ -j (\w+)').firstMatch(t);
+      if (rule != null) {
+        rules.add(FirewallRule(
+          description: t,
+          action: rule.group(2),
+          chain: rule.group(1),
+        ));
+      }
+    }
+    return FirewallStatus(
+      type: FirewallType.iptables,
+      enabled: true,
+      defaultInboundPolicy: defaultPolicy,
+      rules: rules,
+    );
+  }
+
+  static FirewallStatus _parseNft(String output) {
+    final policyMatch = RegExp(r'hook input[^;]*;\s*policy (\w+);').firstMatch(output);
+    final defaultPolicy = policyMatch?.group(1)?.toUpperCase();
+    final rules = <FirewallRule>[];
+    for (final line in output.split('\n')) {
+      final t = line.trim();
+      if (t.isEmpty ||
+          t.startsWith('table') ||
+          t.startsWith('chain') ||
+          t.startsWith('type') ||
+          t == '{' ||
+          t == '}') {
+        continue;
+      }
+      if (t.contains('accept') || t.contains('drop') || t.contains('reject')) {
+        final action = t.contains('accept')
+            ? 'ACCEPT'
+            : t.contains('drop')
+                ? 'DROP'
+                : 'REJECT';
+        rules.add(FirewallRule(description: t, action: action, chain: 'input'));
+      }
+    }
+    return FirewallStatus(
+      type: FirewallType.nftables,
+      enabled: true,
+      defaultInboundPolicy: defaultPolicy,
+      rules: rules,
+    );
+  }
+}
+
+class FirewallRule {
+  final String description;
+  final String? action;
+  final String? chain;
+
+  const FirewallRule({
+    required this.description,
+    this.action,
+    this.chain,
+  });
+}