fix(agent,windows): raise timeout on first sensor collection to allow LHM to start

agent/disk.go

@@ -239,9 +239,11 @@ func (d *diskDiscovery) addConfiguredExtraFilesystems(extraFilesystems string) {
 
 // addPartitionExtraFs registers partitions mounted under /extra-filesystems so
 // their display names can come from the folder name while their I/O keys still
-// prefer the underlying partition device.
+// prefer the underlying partition device. Only direct children are matched to
+// avoid registering nested virtual mounts (e.g. /proc, /sys) that are returned by
+// disk.Partitions(true) when the host root is bind-mounted in /extra-filesystems.
 func (d *diskDiscovery) addPartitionExtraFs(p disk.PartitionStat) {
-	if !strings.HasPrefix(p.Mountpoint, d.ctx.efPath) {
+	if filepath.Dir(p.Mountpoint) != d.ctx.efPath {
 		return
 	}
 	device, customName := extraFilesystemPartitionInfo(p)
@@ -629,9 +631,17 @@ func (a *Agent) updateDiskIo(cacheTimeMs uint16, systemStats *system.Stats) {
 	}
 }
 
-// getRootMountPoint returns the appropriate root mount point for the system
+// getRootMountPoint returns the appropriate root mount point for the system.
+// On Windows it returns the system drive (e.g. "C:").
 // For immutable systems like Fedora Silverblue, it returns /sysroot instead of /
 func (a *Agent) getRootMountPoint() string {
+	if runtime.GOOS == "windows" {
+		if sd := os.Getenv("SystemDrive"); sd != "" {
+			return sd
+		}
+		return "C:"
+	}
+
 	// 1. Check if /etc/os-release contains indicators of an immutable system
 	if osReleaseContent, err := os.ReadFile("/etc/os-release"); err == nil {
 		content := string(osReleaseContent)

agent/disk_test.go

@@ -530,6 +530,87 @@ func TestAddExtraFilesystemFolders(t *testing.T) {
 	})
 }
 
+func TestAddPartitionExtraFs(t *testing.T) {
+	makeDiscovery := func(agent *Agent) diskDiscovery {
+		return diskDiscovery{
+			agent: agent,
+			ctx: fsRegistrationContext{
+				isWindows: false,
+				efPath:    "/extra-filesystems",
+				diskIoCounters: map[string]disk.IOCountersStat{
+					"nvme0n1p1": {Name: "nvme0n1p1"},
+					"nvme1n1":   {Name: "nvme1n1"},
+				},
+			},
+		}
+	}
+
+	t.Run("registers direct child of extra-filesystems", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		d.addPartitionExtraFs(disk.PartitionStat{
+			Device:     "/dev/nvme0n1p1",
+			Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root",
+		})
+
+		stats, exists := agent.fsStats["nvme0n1p1"]
+		assert.True(t, exists)
+		assert.Equal(t, "/extra-filesystems/nvme0n1p1__caddy1-root", stats.Mountpoint)
+		assert.Equal(t, "caddy1-root", stats.Name)
+	})
+
+	t.Run("skips nested mount under extra-filesystem bind mount", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		// These simulate the virtual mounts that appear when host / is bind-mounted
+		// with disk.Partitions(all=true) — e.g. /proc, /sys, /dev visible under the mount.
+		for _, nested := range []string{
+			"/extra-filesystems/nvme0n1p1__caddy1-root/proc",
+			"/extra-filesystems/nvme0n1p1__caddy1-root/sys",
+			"/extra-filesystems/nvme0n1p1__caddy1-root/dev",
+			"/extra-filesystems/nvme0n1p1__caddy1-root/run",
+		} {
+			d.addPartitionExtraFs(disk.PartitionStat{Device: "tmpfs", Mountpoint: nested})
+		}
+
+		assert.Empty(t, agent.fsStats)
+	})
+
+	t.Run("registers both direct children, skips their nested mounts", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		partitions := []disk.PartitionStat{
+			{Device: "/dev/nvme0n1p1", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root"},
+			{Device: "/dev/nvme1n1", Mountpoint: "/extra-filesystems/nvme1n1__caddy1-docker"},
+			{Device: "proc", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root/proc"},
+			{Device: "sysfs", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root/sys"},
+			{Device: "overlay", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root/var/lib/docker"},
+		}
+		for _, p := range partitions {
+			d.addPartitionExtraFs(p)
+		}
+
+		assert.Len(t, agent.fsStats, 2)
+		assert.Equal(t, "caddy1-root", agent.fsStats["nvme0n1p1"].Name)
+		assert.Equal(t, "caddy1-docker", agent.fsStats["nvme1n1"].Name)
+	})
+
+	t.Run("skips partition not under extra-filesystems", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		d.addPartitionExtraFs(disk.PartitionStat{
+			Device:     "/dev/nvme0n1p1",
+			Mountpoint: "/",
+		})
+
+		assert.Empty(t, agent.fsStats)
+	})
+}
+
 func TestFindIoDevice(t *testing.T) {
 	t.Run("matches by device name", func(t *testing.T) {
 		ioCounters := map[string]disk.IOCountersStat{

agent/lhm/beszel_lhm.csproj

@@ -8,6 +8,6 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="LibreHardwareMonitorLib" Version="0.9.5" />
+    <PackageReference Include="LibreHardwareMonitorLib" Version="0.9.6" />
   </ItemGroup>
 </Project>

agent/sensors.go

@@ -26,6 +26,7 @@ type SensorConfig struct {
 	isBlacklist    bool
 	hasWildcards   bool
 	skipCollection bool
+	firstRun       bool
 }
 
 func (a *Agent) newSensorConfig() *SensorConfig {
@@ -52,6 +53,7 @@ func (a *Agent) newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal
 		context:        context.Background(),
 		primarySensor:  primarySensor,
 		skipCollection: skipCollection,
+		firstRun:       true,
 		sensors:        make(map[string]struct{}),
 	}
 
@@ -167,6 +169,14 @@ func (a *Agent) getTempsWithTimeout(getTemps getTempsFn) ([]sensors.TemperatureS
 		err   error
 	}
 
+	// Use a longer timeout on the first run to allow for initialization
+	// (e.g. Windows LHM subprocess startup)
+	timeout := temperatureFetchTimeout
+	if a.sensorConfig.firstRun {
+		a.sensorConfig.firstRun = false
+		timeout = 10 * time.Second
+	}
+
 	resultCh := make(chan result, 1)
 	go func() {
 		temps, err := a.getTempsWithPanicRecovery(getTemps)
@@ -176,7 +186,7 @@ func (a *Agent) getTempsWithTimeout(getTemps getTempsFn) ([]sensors.TemperatureS
 	select {
 	case res := <-resultCh:
 		return res.temps, res.err
-	case <-time.After(temperatureFetchTimeout):
+	case <-time.After(timeout):
 		return nil, errTemperatureFetchTimeout
 	}
 }

internal/alerts/alerts_status.go

@@ -109,6 +109,18 @@ func (am *AlertManager) cancelPendingAlert(alertID string) bool {
 	return true
 }
 
+// CancelPendingStatusAlerts cancels all pending status alert timers for a given system.
+// This is called when a system is paused to prevent delayed alerts from firing.
+func (am *AlertManager) CancelPendingStatusAlerts(systemID string) {
+	am.pendingAlerts.Range(func(key, value any) bool {
+		info := value.(*alertInfo)
+		if info.alertData.SystemID == systemID {
+			am.cancelPendingAlert(key.(string))
+		}
+		return true
+	})
+}
+
 // processPendingAlert sends a "down" alert if the pending alert has expired and the system is still down.
 func (am *AlertManager) processPendingAlert(alertID string) {
 	value, loaded := am.pendingAlerts.LoadAndDelete(alertID)

internal/alerts/alerts_status_test.go

@@ -941,3 +941,68 @@ func TestStatusAlertClearedBeforeSend(t *testing.T) {
 		assert.EqualValues(t, 0, alertHistoryCount, "Should have no unresolved alert history records since alert never triggered")
 	})
 }
+
+func TestCancelPendingStatusAlertsClearsAllAlertsForSystem(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	userSettings, err := hub.FindFirstRecordByFilter("user_settings", "user={:user}", map[string]any{"user": user.Id})
+	require.NoError(t, err)
+	userSettings.Set("settings", `{"emails":["test@example.com"],"webhooks":[]}`)
+	require.NoError(t, hub.Save(userSettings))
+
+	systemCollection, err := hub.FindCollectionByNameOrId("systems")
+	require.NoError(t, err)
+
+	system1 := core.NewRecord(systemCollection)
+	system1.Set("name", "system-1")
+	system1.Set("status", "up")
+	system1.Set("host", "127.0.0.1")
+	system1.Set("users", []string{user.Id})
+	require.NoError(t, hub.Save(system1))
+
+	system2 := core.NewRecord(systemCollection)
+	system2.Set("name", "system-2")
+	system2.Set("status", "up")
+	system2.Set("host", "127.0.0.2")
+	system2.Set("users", []string{user.Id})
+	require.NoError(t, hub.Save(system2))
+
+	alertCollection, err := hub.FindCollectionByNameOrId("alerts")
+	require.NoError(t, err)
+
+	alert1 := core.NewRecord(alertCollection)
+	alert1.Set("user", user.Id)
+	alert1.Set("system", system1.Id)
+	alert1.Set("name", "Status")
+	alert1.Set("triggered", false)
+	alert1.Set("min", 5)
+	require.NoError(t, hub.Save(alert1))
+
+	alert2 := core.NewRecord(alertCollection)
+	alert2.Set("user", user.Id)
+	alert2.Set("system", system2.Id)
+	alert2.Set("name", "Status")
+	alert2.Set("triggered", false)
+	alert2.Set("min", 5)
+	require.NoError(t, hub.Save(alert2))
+
+	am := alerts.NewTestAlertManagerWithoutWorker(hub)
+	initialEmailCount := hub.TestMailer.TotalSend()
+
+	// Both systems go down
+	require.NoError(t, am.HandleStatusAlerts("down", system1))
+	require.NoError(t, am.HandleStatusAlerts("down", system2))
+	assert.Equal(t, 2, am.GetPendingAlertsCount(), "both systems should have pending alerts")
+
+	// System 1 is paused — cancel its pending alerts
+	am.CancelPendingStatusAlerts(system1.Id)
+	assert.Equal(t, 1, am.GetPendingAlertsCount(), "only system2 alert should remain pending after pausing system1")
+
+	// Expire and process remaining alerts — only system2 should fire
+	am.ForceExpirePendingAlerts()
+	processed, err := am.ProcessPendingAlerts()
+	require.NoError(t, err)
+	assert.Len(t, processed, 1, "only the non-paused system's alert should be processed")
+	assert.Equal(t, initialEmailCount+1, hub.TestMailer.TotalSend(), "only system2 should send a down notification")
+}

internal/hub/api.go

@@ -25,6 +25,30 @@ type UpdateInfo struct {
 	Url       string `json:"url"`
 }
 
+// Middleware to allow only admin role users
+var requireAdminRole = customAuthMiddleware(func(e *core.RequestEvent) bool {
+	return e.Auth.GetString("role") == "admin"
+})
+
+// Middleware to exclude readonly users
+var excludeReadOnlyRole = customAuthMiddleware(func(e *core.RequestEvent) bool {
+	return e.Auth.GetString("role") != "readonly"
+})
+
+// customAuthMiddleware handles boilerplate for custom authentication middlewares. fn should
+// return true if the request is allowed, false otherwise. e.Auth is guaranteed to be non-nil.
+func customAuthMiddleware(fn func(*core.RequestEvent) bool) func(*core.RequestEvent) error {
+	return func(e *core.RequestEvent) error {
+		if e.Auth == nil {
+			return e.UnauthorizedError("The request requires valid record authorization token.", nil)
+		}
+		if !fn(e) {
+			return e.ForbiddenError("The authorized record is not allowed to perform this action.", nil)
+		}
+		return e.Next()
+	}
+}
+
 // registerMiddlewares registers custom middlewares
 func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 	// authorizes request with user matching the provided email
@@ -33,7 +57,7 @@ func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 			return e.Next()
 		}
 		isAuthRefresh := e.Request.URL.Path == "/api/collections/users/auth-refresh" && e.Request.Method == http.MethodPost
-		e.Auth, err = e.App.FindFirstRecordByData("users", "email", email)
+		e.Auth, err = e.App.FindAuthRecordByEmail("users", email)
 		if err != nil || !isAuthRefresh {
 			return e.Next()
 		}
@@ -84,19 +108,19 @@ func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	// send test notification
 	apiAuth.POST("/test-notification", h.SendTestNotification)
 	// heartbeat status and test
-	apiAuth.GET("/heartbeat-status", h.getHeartbeatStatus)
-	apiAuth.POST("/test-heartbeat", h.testHeartbeat)
+	apiAuth.GET("/heartbeat-status", h.getHeartbeatStatus).BindFunc(requireAdminRole)
+	apiAuth.POST("/test-heartbeat", h.testHeartbeat).BindFunc(requireAdminRole)
 	// get config.yml content
-	apiAuth.GET("/config-yaml", config.GetYamlConfig)
+	apiAuth.GET("/config-yaml", config.GetYamlConfig).BindFunc(requireAdminRole)
 	// handle agent websocket connection
 	apiNoAuth.GET("/agent-connect", h.handleAgentConnect)
 	// get or create universal tokens
-	apiAuth.GET("/universal-token", h.getUniversalToken)
+	apiAuth.GET("/universal-token", h.getUniversalToken).BindFunc(excludeReadOnlyRole)
 	// update / delete user alerts
 	apiAuth.POST("/user-alerts", alerts.UpsertUserAlerts)
 	apiAuth.DELETE("/user-alerts", alerts.DeleteUserAlerts)
 	// refresh SMART devices for a system
-	apiAuth.POST("/smart/refresh", h.refreshSmartData)
+	apiAuth.POST("/smart/refresh", h.refreshSmartData).BindFunc(excludeReadOnlyRole)
 	// get systemd service details
 	apiAuth.GET("/systemd/info", h.getSystemdInfo)
 	// /containers routes
@@ -246,9 +270,6 @@ func (h *Hub) getUniversalToken(e *core.RequestEvent) error {
 
 // getHeartbeatStatus returns current heartbeat configuration and whether it's enabled
 func (h *Hub) getHeartbeatStatus(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
 	if h.hb == nil {
 		return e.JSON(http.StatusOK, map[string]any{
 			"enabled": false,
@@ -266,9 +287,6 @@ func (h *Hub) getHeartbeatStatus(e *core.RequestEvent) error {
 
 // testHeartbeat triggers a single heartbeat ping and returns the result
 func (h *Hub) testHeartbeat(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
 	if h.hb == nil {
 		return e.JSON(http.StatusOK, map[string]any{
 			"err": "Heartbeat not configured. Set HEARTBEAT_URL environment variable.",

internal/hub/api_test.go

@@ -34,19 +34,13 @@ func TestApiRoutesAuthentication(t *testing.T) {
 	user, err := beszelTests.CreateUser(hub, "testuser@example.com", "password123")
 	require.NoError(t, err, "Failed to create test user")
 
-	adminUser, err := beszelTests.CreateRecord(hub, "users", map[string]any{
-		"email":    "admin@example.com",
-		"password": "password123",
-		"role":     "admin",
-	})
+	adminUser, err := beszelTests.CreateUserWithRole(hub, "admin@example.com", "password123", "admin")
 	require.NoError(t, err, "Failed to create admin user")
 	adminUserToken, err := adminUser.NewAuthToken()
 
-	// superUser, err := beszelTests.CreateRecord(hub, core.CollectionNameSuperusers, map[string]any{
-	// 	"email":    "superuser@example.com",
-	// 	"password": "password123",
-	// })
-	// require.NoError(t, err, "Failed to create superuser")
+	readOnlyUser, err := beszelTests.CreateUserWithRole(hub, "readonly@example.com", "password123", "readonly")
+	require.NoError(t, err, "Failed to create readonly user")
+	readOnlyUserToken, err := readOnlyUser.NewAuthToken()
 
 	userToken, err := user.NewAuthToken()
 	require.NoError(t, err, "Failed to create auth token")
@@ -106,7 +100,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin"},
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -136,7 +130,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin role"},
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -158,7 +152,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin role"},
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -202,6 +196,39 @@ func TestApiRoutesAuthentication(t *testing.T) {
 			ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"},
 			TestAppFactory:  testAppFactory,
 		},
+		{
+			Name:   "GET /universal-token - with readonly auth should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/universal-token",
+			Headers: map[string]string{
+				"Authorization": readOnlyUserToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /smart/refresh - missing system should fail 400 with user auth",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/smart/refresh",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"system parameter is required"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /smart/refresh - with readonly auth should fail",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/smart/refresh",
+			Headers: map[string]string{
+				"Authorization": readOnlyUserToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
+			TestAppFactory:  testAppFactory,
+		},
 		{
 			Name:            "POST /user-alerts - no auth should fail",
 			Method:          http.MethodPost,

internal/hub/config/config.go

@@ -279,9 +279,6 @@ func createFingerprintRecord(app core.App, systemID, token string) error {
 
 // Returns the current config.yml file as a JSON object
 func GetYamlConfig(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
 	configContent, err := generateYAML(e.App)
 	if err != nil {
 		return err

internal/hub/systems/system_manager.go

@@ -54,6 +54,7 @@ type hubLike interface {
 	GetSSHKey(dataDir string) (ssh.Signer, error)
 	HandleSystemAlerts(systemRecord *core.Record, data *system.CombinedData) error
 	HandleStatusAlerts(status string, systemRecord *core.Record) error
+	CancelPendingStatusAlerts(systemID string)
 }
 
 // NewSystemManager creates a new SystemManager instance with the provided hub.
@@ -189,6 +190,7 @@ func (sm *SystemManager) onRecordAfterUpdateSuccess(e *core.RecordEvent) error {
 			system.closeSSHConnection()
 		}
 		_ = deactivateAlerts(e.App, e.Record.Id)
+		sm.hub.CancelPendingStatusAlerts(e.Record.Id)
 		return e.Next()
 	case pending:
 		// Resume monitoring, preferring existing WebSocket connection

internal/site/src/components/alerts/alert-button.tsx

@@ -20,7 +20,7 @@ export default memo(function AlertsButton({ system }: { system: SystemRecord })
 				<SheetTrigger asChild>
 					<Button variant="ghost" size="icon" aria-label={t`Alerts`} data-nolink onClick={() => setOpened(true)}>
 						<BellIcon
-							className={cn("h-[1.2em] w-[1.2em] pointer-events-none", {
+							className={cn("size-[1.2em] pointer-events-none", {
 								"fill-primary": hasSystemAlert,
 							})}
 						/>

internal/site/src/components/navbar.tsx

@@ -63,7 +63,7 @@ export default function Navbar() {
 				className="p-2 ps-0 me-3 group"
 				onMouseEnter={runOnce(() => import("@/components/routes/home"))}
 			>
-				<Logo className="h-[1.1rem] md:h-5 fill-foreground" />
+				<Logo className="h-[1.2rem] md:h-5 fill-foreground" />
 			</Link>
 			<Button
 				variant="outline"
@@ -125,15 +125,17 @@ export default function Navbar() {
 									<DropdownMenuSubContent>{AdminLinks}</DropdownMenuSubContent>
 								</DropdownMenuSub>
 							)}
-							<DropdownMenuItem
-								className="flex items-center"
-								onSelect={() => {
-									setAddSystemDialogOpen(true)
-								}}
-							>
-								<PlusIcon className="h-4 w-4 me-2.5" />
-								<Trans>Add {{ foo: systemTranslation }}</Trans>
-							</DropdownMenuItem>
+							{!isReadOnlyUser() && (
+								<DropdownMenuItem
+									className="flex items-center"
+									onSelect={() => {
+										setAddSystemDialogOpen(true)
+									}}
+								>
+									<PlusIcon className="h-4 w-4 me-2.5" />
+									<Trans>Add {{ foo: systemTranslation }}</Trans>
+								</DropdownMenuItem>
+							)}
 						</DropdownMenuGroup>
 						<DropdownMenuSeparator />
 						<DropdownMenuGroup>
@@ -217,10 +219,12 @@ export default function Navbar() {
 						</DropdownMenuItem>
 					</DropdownMenuContent>
 				</DropdownMenu>
-				<Button variant="outline" className="flex gap-1 ms-2" onClick={() => setAddSystemDialogOpen(true)}>
-					<PlusIcon className="h-4 w-4 -ms-1" />
-					<Trans>Add {{ foo: systemTranslation }}</Trans>
-				</Button>
+				{!isReadOnlyUser() && (
+					<Button variant="outline" className="flex gap-1 ms-2" onClick={() => setAddSystemDialogOpen(true)}>
+						<PlusIcon className="h-4 w-4 -ms-1" />
+						<Trans>Add {{ foo: systemTranslation }}</Trans>
+					</Button>
+				)}
 			</div>
 		</div>
 	)

internal/site/src/components/routes/system/smart-table.tsx

@@ -36,7 +36,7 @@ import { Input } from "@/components/ui/input"
 import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table"
 import { Badge } from "@/components/ui/badge"
 import { Button } from "@/components/ui/button"
-import { pb } from "@/lib/api"
+import { isReadOnlyUser, pb } from "@/lib/api"
 import type { SmartDeviceRecord, SmartAttribute } from "@/types"
 import {
 	formatBytes,
@@ -492,7 +492,7 @@ export default function DisksTable({ systemId }: { systemId?: string }) {
 	const tableColumns = useMemo(() => {
 		const columns = createColumns(longestName, longestModel, longestDevice)
 		const baseColumns = systemId ? columns.filter((col) => col.id !== "system") : columns
-		return [...baseColumns, actionColumn]
+		return isReadOnlyUser() ? baseColumns : [...baseColumns, actionColumn]
 	}, [systemId, actionColumn, longestName, longestModel, longestDevice])
 
 	const table = useReactTable({

internal/site/src/components/systems-table/systems-table.tsx

@@ -460,14 +460,14 @@ const SystemCard = memo(
 						}
 					)}
 				>
-					<CardHeader className="py-1 ps-5 pe-3 bg-muted/30 border-b border-border/60">
-						<div className="flex items-center gap-2 w-full overflow-hidden">
-							<CardTitle className="text-base tracking-normal text-primary/90 flex items-center min-w-0 flex-1 gap-2.5">
+					<CardHeader className="py-1 ps-4 pe-2 bg-muted/30 border-b border-border/60">
+						<div className="flex items-center gap-1 w-full overflow-hidden">
+							<h3 className="text-primary/90 min-w-0 flex-1 gap-2.5 font-semibold">
 								<div className="flex items-center gap-2.5 min-w-0 flex-1">
 									<IndicatorDot system={system} />
 									<span className="text-[.95em]/normal tracking-normal text-primary/90 truncate">{system.name}</span>
 								</div>
-							</CardTitle>
+							</h3>
 							{table.getColumn("actions")?.getIsVisible() && (
 								<div className="flex gap-1 shrink-0 relative z-10">
 									<AlertButton system={system} />

internal/site/src/components/ui/alert-dialog.tsx

@@ -43,7 +43,7 @@ const AlertDialogContent = React.forwardRef<
 AlertDialogContent.displayName = AlertDialogPrimitive.Content.displayName
 
 const AlertDialogHeader = ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) => (
-	<div className={cn("grid gap-2 text-center sm:text-start", className)} {...props} />
+	<div className={cn("grid gap-2 text-start", className)} {...props} />
 )
 AlertDialogHeader.displayName = "AlertDialogHeader"
 

internal/site/src/components/ui/card.tsx

@@ -18,11 +18,7 @@ CardHeader.displayName = "CardHeader"
 
 const CardTitle = React.forwardRef<HTMLParagraphElement, React.HTMLAttributes<HTMLHeadingElement>>(
 	({ className, ...props }, ref) => (
-		<h3
-			ref={ref}
-			className={cn("text-[1.4em] sm:text-2xl font-semibold leading-none tracking-tight", className)}
-			{...props}
-		/>
+		<h3 ref={ref} className={cn("text-card-title font-semibold leading-none tracking-tight", className)} {...props} />
 	)
 )
 CardTitle.displayName = "CardTitle"

internal/site/src/components/ui/dialog.tsx

@@ -52,7 +52,7 @@ const DialogContent = React.forwardRef<
 DialogContent.displayName = DialogPrimitive.Content.displayName
 
 const DialogHeader = ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) => (
-	<div className={cn("grid gap-1.5 text-center sm:text-start", className)} {...props} />
+	<div className={cn("grid gap-1.5 text-start", className)} {...props} />
 )
 DialogHeader.displayName = "DialogHeader"
 

internal/site/src/index.css

@@ -177,6 +177,10 @@
 	}
 }
 
+@utility text-card-title {
+	@apply text-[1.4rem] sm:text-2xl;
+}
+
 .recharts-tooltip-wrapper {
 	z-index: 51;
 	@apply tabular-nums;