Improved Qdrant server startup & client initialization (#770)

.github/workflows/build-and-release.yml

@@ -12,6 +12,10 @@ on:
       - synchronize
       - reopened
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && (github.event.action != 'labeled' || github.event.label.name == 'run-pipeline') && github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' && (github.event.action != 'labeled' || github.event.label.name == 'run-pipeline') }}
+
 env:
   RETENTION_INTERMEDIATE_ASSETS: 1
   RETENTION_RELEASE_ASSETS: 30
@@ -37,6 +41,8 @@ jobs:
         id: determine
         env:
           EVENT_NAME: ${{ github.event_name }}
+          PR_ACTION: ${{ github.event.action }}
+          ACTION_LABEL_NAME: ${{ github.event.label.name }}
           REF: ${{ github.ref }}
           PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ' ') }}
           PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
@@ -55,6 +61,11 @@ jobs:
             is_internal_pr=true
           fi
 
+          has_run_pipeline_label=false
+          if [[ " $PR_LABELS " == *" run-pipeline "* ]]; then
+            has_run_pipeline_label=true
+          fi
+
           if [[ "$REF" == refs/tags/v* ]]; then
             is_release=true
             build_enabled=true
@@ -65,13 +76,21 @@ jobs:
             build_enabled=true
             artifact_retention_days=7
             skip_reason=""
-          elif [[ "$EVENT_NAME" == "pull_request" && " $PR_LABELS " == *" run-pipeline "* ]]; then
+          elif [[ "$EVENT_NAME" == "pull_request" && "$PR_ACTION" == "labeled" && "$ACTION_LABEL_NAME" == "run-pipeline" ]]; then
             is_labeled_pr=true
             is_pr_build=true
             build_enabled=true
             artifact_retention_days=3
             skip_reason=""
-          elif [[ "$EVENT_NAME" == "pull_request" && " $PR_LABELS " != *" run-pipeline "* ]]; then
+          elif [[ "$EVENT_NAME" == "pull_request" && "$PR_ACTION" != "labeled" && "$has_run_pipeline_label" == "true" ]]; then
+            is_labeled_pr=true
+            is_pr_build=true
+            build_enabled=true
+            artifact_retention_days=3
+            skip_reason=""
+          elif [[ "$EVENT_NAME" == "pull_request" && "$PR_ACTION" == "labeled" ]]; then
+            skip_reason="Build disabled: label '${ACTION_LABEL_NAME}' is not 'run-pipeline'."
+          elif [[ "$EVENT_NAME" == "pull_request" && "$has_run_pipeline_label" != "true" ]]; then
             skip_reason="Build disabled: PR does not have the required 'run-pipeline' label."
           fi
 
@@ -685,11 +704,9 @@ jobs:
         uses: actions/cache@v4
         with:
           path: |
-            ~/.cargo/bin
             ~/.cargo/git/db/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
-            ~/.rustup/toolchains
             runtime/target
             
           key: target-${{ matrix.dotnet_runtime }}-rust-${{ env.RUST_VERSION }}
@@ -700,6 +717,12 @@ jobs:
           toolchain: ${{ env.RUST_VERSION }}
           targets: ${{ matrix.rust_target }}
 
+      - name: Cache Tauri CLI
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo-tauri-cli
+          key: tauri-cli-v2-${{ runner.os }}-${{ runner.arch }}
+      
       - name: Setup dependencies (Ubuntu-specific, x86)
         if: matrix.platform == 'ubuntu-22.04' && contains(matrix.rust_target, 'x86_64')
         run: |
@@ -715,8 +738,11 @@ jobs:
       - name: Setup Tauri (Unix)
         if: matrix.platform != 'windows-latest'
         run: |
+          echo "$HOME/.cargo-tauri-cli/bin" >> "$GITHUB_PATH"
+          export PATH="$HOME/.cargo-tauri-cli/bin:$PATH"
+
           if ! cargo tauri --version 2>/dev/null | grep -Eq '^tauri-cli 2\.'; then
-            cargo install tauri-cli --version "^2.11.0" --locked --force
+            cargo install tauri-cli --version "^2.11.0" --locked --force --root "$HOME/.cargo-tauri-cli"
           else
             echo "Tauri CLI v2 is already installed"
           fi
@@ -724,9 +750,12 @@ jobs:
       - name: Setup Tauri (Windows)
         if: matrix.platform == 'windows-latest'
         run: |
+          "$env:USERPROFILE\.cargo-tauri-cli\bin" >> $env:GITHUB_PATH
+          $env:PATH = "$env:USERPROFILE\.cargo-tauri-cli\bin;$env:PATH"
+
           $tauriVersion = cargo tauri --version 2>$null
           if (-not $tauriVersion -or $tauriVersion -notmatch '^tauri-cli 2\.') {
-            cargo install tauri-cli --version "^2.11.0" --locked --force
+            cargo install tauri-cli --version "^2.11.0" --locked --force --root "$env:USERPROFILE\.cargo-tauri-cli"
           } else {
             Write-Output "Tauri CLI v2 is already installed"
           }
@@ -771,17 +800,29 @@ jobs:
           PRIVATE_PUBLISH_KEY_PASSWORD: ${{ secrets.PRIVATE_PUBLISH_KEY_PASSWORD }}
         run: |
           bundles="${{ matrix.tauri_bundle }}"
+          tauri_config_args=()
 
           if [ "${{ needs.determine_run_mode.outputs.is_pr_build }}" = "true" ]; then
             echo "Running PR test build without updater bundle signing"
             bundles="${{ matrix.tauri_bundle_pr }}"
+            tauri_config_args=(--config '{"bundle":{"createUpdaterArtifacts":false}}')
           else
             export TAURI_SIGNING_PRIVATE_KEY="$PRIVATE_PUBLISH_KEY"
             export TAURI_SIGNING_PRIVATE_KEY_PASSWORD="$PRIVATE_PUBLISH_KEY_PASSWORD"
           fi
 
           cd runtime
-          cargo tauri build --target ${{ matrix.rust_target }} --bundles "$bundles"
+          cargo tauri build --target ${{ matrix.rust_target }} --bundles "$bundles" "${tauri_config_args[@]}"
+
+          if [ "${{ needs.determine_run_mode.outputs.is_pr_build }}" = "true" ]; then
+            updater_artifact_count=$(find target/${{ matrix.rust_target }}/release/bundle -type f \( -name '*.app.tar.gz*' -o -name '*.AppImage.tar.gz*' -o -name '*nsis.zip*' \) | wc -l)
+
+            if [ "$updater_artifact_count" -ne 0 ]; then
+              echo "PR builds must not generate updater artifacts."
+              find target/${{ matrix.rust_target }}/release/bundle -type f \( -name '*.app.tar.gz*' -o -name '*.AppImage.tar.gz*' -o -name '*nsis.zip*' \)
+              exit 1
+            fi
+          fi
 
           if [ "${{ needs.determine_run_mode.outputs.is_pr_build }}" != "true" ] && [[ "${{ matrix.platform }}" == macos* ]]; then
             app_update_archive_count=$(find target/${{ matrix.rust_target }}/release/bundle/macos -maxdepth 1 -name '*.app.tar.gz' | wc -l)
@@ -800,17 +841,29 @@ jobs:
           PRIVATE_PUBLISH_KEY_PASSWORD: ${{ secrets.PRIVATE_PUBLISH_KEY_PASSWORD }}
         run: |
           $bundles = "${{ matrix.tauri_bundle }}"
+          $tauriConfigArgs = @()
 
           if ("${{ needs.determine_run_mode.outputs.is_pr_build }}" -eq "true") {
             Write-Output "Running PR test build without updater bundle signing"
             $bundles = "${{ matrix.tauri_bundle_pr }}"
+            $tauriConfigArgs = @("--config", '{"bundle":{"createUpdaterArtifacts":false}}')
           } else {
             $env:TAURI_SIGNING_PRIVATE_KEY="$env:PRIVATE_PUBLISH_KEY"
             $env:TAURI_SIGNING_PRIVATE_KEY_PASSWORD="$env:PRIVATE_PUBLISH_KEY_PASSWORD"
           }
 
           cd runtime
-          cargo tauri build --target ${{ matrix.rust_target }} --bundles $bundles
+          cargo tauri build --target ${{ matrix.rust_target }} --bundles $bundles @tauriConfigArgs
+
+          if ("${{ needs.determine_run_mode.outputs.is_pr_build }}" -eq "true") {
+            $updaterArtifacts = Get-ChildItem -Path "target/${{ matrix.rust_target }}/release/bundle" -Recurse -File -Include "*.app.tar.gz*", "*.AppImage.tar.gz*", "*nsis.zip*" -ErrorAction SilentlyContinue
+
+            if ($updaterArtifacts.Count -ne 0) {
+              Write-Error "PR builds must not generate updater artifacts."
+              $updaterArtifacts | ForEach-Object { Write-Error $_.FullName }
+              exit 1
+            }
+          }
 
       - name: Upload artifact (macOS)
         if: startsWith(matrix.platform, 'macos')

AGENTS.md

@@ -49,7 +49,7 @@ Currently, no automated test suite exists in the repository.
 Key modules:
 - `app_window.rs` - Tauri window management, updater integration
 - `dotnet.rs` - Launches and manages the .NET sidecar process
-- `runtime_api.rs` - Rocket-based HTTPS API for .NET ↔ Rust communication
+- `runtime_api.rs` - Axum-based HTTPS API for .NET ↔ Rust communication
 - `certificate.rs` - Generates self-signed TLS certificates for secure IPC
 - `secret.rs` - Secure secret storage using OS keyring (Keychain/Credential Manager)
 - `clipboard.rs` - Cross-platform clipboard operations
@@ -152,7 +152,7 @@ Multi-level confidence scheme allows users to control which providers see which
 
 **Rust:**
 - Tauri 1.8 - Desktop application framework
-- Rocket - HTTPS API server
+- Axum - HTTPS API server
 - tokio - Async runtime
 - keyring - OS keyring integration
 - pdfium-render - PDF text extraction
@@ -187,6 +187,7 @@ Multi-level confidence scheme allows users to control which providers see which
 - **File changes require Write/Edit tools** - Never use bash commands like `cat <<EOF` or `echo >`
 - **End of file formatting** - Do not append an extra empty line at the end of files.
 - **No automated formatting for Rust or .NET files** - Never run automated formatters on Rust files (`.rs`) or .NET files (`.cs`, `.razor`, `.csproj`, etc.). Only make the minimal manual formatting changes required for the specific edit.
+- **I18N resources are generated** - Do not manually edit `app/MindWork AI Studio/Assistants/I18N/allTexts.lua`, `app/MindWork AI Studio/Plugins/languages/en-us-97dfb1ba-50c4-4440-8dfa-6575daf543c8/plugin.lua`, or `app/MindWork AI Studio/Plugins/languages/de-de-43065dbc-78d0-45b7-92be-f14c2926e2dc/plugin.lua`. These files are updated automatically by the I18N process.
 - **Spaces in paths** - Always quote paths with spaces in bash commands
 - **Agent-run .NET builds** - Do not run `.NET` builds from an agent. Ask the user to run the build locally in their IDE, preferably via `cd app/Build && dotnet run build` in an IDE terminal, then wait for their feedback before continuing.
 - **Debug environment** - Reads `startup.env` file with IPC credentials

README.md

@@ -28,12 +28,11 @@ Since November 2024: Work on RAG (integration of your data and files) has begun.
 - [x] ~~App: Implement an [ERI](https://github.com/MindWorkAI/ERI) server coding assistant (PR [#231](https://github.com/MindWorkAI/AI-Studio/pull/231))~~
 - [x] ~~App: Management of data sources (local & external data via [ERI](https://github.com/MindWorkAI/ERI)) (PR [#259](https://github.com/MindWorkAI/AI-Studio/pull/259), [#273](https://github.com/MindWorkAI/AI-Studio/pull/273))~~
 - [x] ~~Runtime: Extract data from txt / md / pdf / docx / xlsx files (PR [#374](https://github.com/MindWorkAI/AI-Studio/pull/374))~~
-- [ ] (*Optional*) Runtime: Implement internal embedding provider through [fastembed-rs](https://github.com/Anush008/fastembed-rs)
 - [x] ~~App: Implement dialog for checking & handling [pandoc](https://pandoc.org/) installation ([PR #393](https://github.com/MindWorkAI/AI-Studio/pull/393), [PR #487](https://github.com/MindWorkAI/AI-Studio/pull/487))~~
 - [x] ~~App: Implement external embedding providers ([PR #654](https://github.com/MindWorkAI/AI-Studio/pull/654))~~
-- [ ] App: Implement the process to vectorize one local file using embeddings
+- [ ] App: Implement the process to vectorize one local file using embeddings (PR [#756](https://github.com/MindWorkAI/AI-Studio/pull/756))
 - [x] ~~Runtime: Integration of the vector database [Qdrant](https://github.com/qdrant/qdrant) ([PR #580](https://github.com/MindWorkAI/AI-Studio/pull/580))~~
-- [ ] App: Implement the continuous process of vectorizing data
+- [ ] App: Implement the continuous process of vectorizing data (PR [#756](https://github.com/MindWorkAI/AI-Studio/pull/756))
 - [x] ~~App: Define a common retrieval context interface for the integration of RAG processes in chats (PR [#281](https://github.com/MindWorkAI/AI-Studio/pull/281), [#284](https://github.com/MindWorkAI/AI-Studio/pull/284), [#286](https://github.com/MindWorkAI/AI-Studio/pull/286), [#287](https://github.com/MindWorkAI/AI-Studio/pull/287))~~
 - [x] ~~App: Define a common augmentation interface for the integration of RAG processes in chats (PR [#288](https://github.com/MindWorkAI/AI-Studio/pull/288), [#289](https://github.com/MindWorkAI/AI-Studio/pull/289))~~
 - [x] ~~App: Integrate data sources in chats (PR [#282](https://github.com/MindWorkAI/AI-Studio/pull/282))~~

app/MindWork AI Studio.sln.DotSettings

@@ -2,6 +2,7 @@
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=AI/@EntryIndexedValue">AI</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=EDI/@EntryIndexedValue">EDI</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=ERI/@EntryIndexedValue">ERI</s:String>
+	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=ERIV/@EntryIndexedValue">ERIV</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=FNV/@EntryIndexedValue">FNV</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=GWDG/@EntryIndexedValue">GWDG</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=HF/@EntryIndexedValue">HF</s:String>

app/MindWork AI Studio/Assistants/I18N/allTexts.lua

@@ -3631,6 +3631,9 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2879113658"] =
 -- Maximum matches per query
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2889706179"] = "Maximum matches per query"
 
+-- Failed to read the user's username from the operating system.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2909734556"] = "Failed to read the user's username from the operating system."
+
 -- Open web link, show more information
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2968752071"] = "Open web link, show more information"
 
@@ -3682,6 +3685,27 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T742006305"] = "
 -- Embeddings
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T951463987"] = "Embeddings"
 
+-- Use the same username and password for all users
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T1769874785"] = "Use the same username and password for all users"
+
+-- Username and password mode
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T1787063064"] = "Username and password mode"
+
+-- How should AI Studio export the username and password configuration for the ERI v1 data source '{0}'?
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T3081234668"] = "How should AI Studio export the username and password configuration for the ERI v1 data source '{0}'?"
+
+-- User-managed username and password
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T365340972"] = "User-managed username and password"
+
+-- Export
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T3898821075"] = "Export"
+
+-- Read each user's username from the operating system and share one password
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T76405695"] = "Read each user's username from the operating system and share one password"
+
+-- Cancel
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T900713019"] = "Cancel"
+
 -- Describe what data this directory contains to help the AI select it.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCELOCALDIRECTORYDIALOG::T1136409150"] = "Describe what data this directory contains to help the AI select it."
 
@@ -4810,6 +4834,12 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T145419
 -- Delete
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1469573738"] = "Delete"
 
+-- Kerberos/SSO ERI data sources cannot be exported yet. Please configure them manually in the configuration plugin.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1577531115"] = "Kerberos/SSO ERI data sources cannot be exported yet. Please configure them manually in the configuration plugin."
+
+-- Cannot export this ERI data source because the authentication secret could not be encrypted.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1592527757"] = "Cannot export this ERI data source because the authentication secret could not be encrypted."
+
 -- External (ERI)
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1652430727"] = "External (ERI)"
 
@@ -4840,6 +4870,9 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T269820
 -- Embedding
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T2838542994"] = "Embedding"
 
+-- This data source is managed by your organization.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3031462878"] = "This data source is managed by your organization."
+
 -- Edit
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3267849393"] = "Edit"
 
@@ -4864,21 +4897,39 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T352566
 -- No data sources configured yet.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3549650120"] = "No data sources configured yet."
 
+-- Export Access Token?
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3595669127"] = "Export Access Token?"
+
+-- Export ERI Data Source
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3831281036"] = "Export ERI Data Source"
+
 -- Actions
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3865031940"] = "Actions"
 
+-- This ERI data source has an access token configured. Do you want to include the encrypted access token in the export? Note: The recipient will need the same encryption secret to use the access token.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T4027572258"] = "This ERI data source has an access token configured. Do you want to include the encrypted access token in the export? Note: The recipient will need the same encryption secret to use the access token."
+
 -- Configured Data Sources
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T543942217"] = "Configured Data Sources"
 
 -- Add ERI v1 Data Source
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T590005498"] = "Add ERI v1 Data Source"
 
+-- Cannot export this ERI data source because no enterprise encryption secret is configured.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T750361472"] = "Cannot export this ERI data source because no enterprise encryption secret is configured."
+
 -- External Data (ERI-Server v1)
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T774473996"] = "External Data (ERI-Server v1)"
 
+-- Cannot export this ERI data source because no authentication secret is configured. The issue was: {0}
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T782820095"] = "Cannot export this ERI data source because no authentication secret is configured. The issue was: {0}"
+
 -- Local Directory
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T926703547"] = "Local Directory"
 
+-- Export configuration
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T975426229"] = "Export configuration"
+
 -- When enabled, you can preselect some ERI server options.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGERISERVER::T1280666275"] = "When enabled, you can preselect some ERI server options."
 
@@ -6019,18 +6070,12 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1890416390"] = "Check for update
 -- Vision
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1892426825"] = "Vision"
 
--- In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1915240766"] = "In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library."
-
 -- This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1924365263"] = "This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant."
 
 -- Encryption secret: is configured
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1931141322"] = "Encryption secret: is configured"
 
--- We use Rocket to implement the runtime API. This is necessary because the runtime must be able to communicate with the user interface (IPC). Rocket is a great framework for implementing web APIs in Rust.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1943216839"] = "We use Rocket to implement the runtime API. This is necessary because the runtime must be able to communicate with the user interface (IPC). Rocket is a great framework for implementing web APIs in Rust."
-
 -- Copies the following to the clipboard
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2029659664"] = "Copies the following to the clipboard"
 
@@ -6112,6 +6157,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2840227993"] = "Used .NET runtim
 -- Explanation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2840582448"] = "Explanation"
 
+-- checking availability
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2855535668"] = "checking availability"
+
 -- The .NET backend cannot be started as a desktop app. Therefore, I use a second backend in Rust, which I call runtime. With Rust as the runtime, Tauri can be used to realize a typical desktop app. Thanks to Rust, this app can be offered for Windows, macOS, and Linux desktops. Rust is a great language for developing safe and high-performance software.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2868174483"] = "The .NET backend cannot be started as a desktop app. Therefore, I use a second backend in Rust, which I call runtime. With Rust as the runtime, Tauri can be used to realize a typical desktop app. Thanks to Rust, this app can be offered for Windows, macOS, and Linux desktops. Rust is a great language for developing safe and high-performance software."
 
@@ -6133,6 +6181,12 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3178730036"] = "Have feature ide
 -- Hide Details
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3183837919"] = "Hide Details"
 
+-- Axum server runs the internal axum service over a secure local connection. This helps AI Studio protect the communication between the Rust runtime and the user interface.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3208719461"] = "Axum server runs the internal axum service over a secure local connection. This helps AI Studio protect the communication between the Rust runtime and the user interface."
+
+-- Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3239817808"] = "Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running."
+
 -- Update Pandoc
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3249965383"] = "Update Pandoc"
 
@@ -6157,6 +6211,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3449345633"] = "AI Studio runs w
 -- Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3494984593"] = "Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!"
 
+-- AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3527399572"] = "AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service."
+
 -- Motivation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3563271893"] = "Motivation"
 
@@ -6166,6 +6223,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3574465749"] = "not available"
 -- This library is used to read Excel and OpenDocument spreadsheet files. This is necessary, e.g., for using spreadsheets as a data source for a chat.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3722989559"] = "This library is used to read Excel and OpenDocument spreadsheet files. This is necessary, e.g., for using spreadsheets as a data source for a chat."
 
+-- Username provided by the OS
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3764549776"] = "Username provided by the OS"
+
 -- this version does not met the requirements
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3813932670"] = "this version does not met the requirements"
 
@@ -6187,6 +6247,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4010195468"] = "Versions"
 -- Database
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4036243672"] = "Database"
 
+-- This library is used by the Rust runtime to read the current user's username, e.g. when an organization-managed ERI server uses the OS username for authentication.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4060906280"] = "This library is used by the Rust runtime to read the current user's username, e.g. when an organization-managed ERI server uses the OS username for authentication."
+
 -- This library is used to create asynchronous streams in Rust. It allows us to work with streams of data that can be produced asynchronously, making it easier to handle events or data that arrive over time. We use this, e.g., to stream arbitrary data from the file system to the embedding system.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4079152443"] = "This library is used to create asynchronous streams in Rust. It allows us to work with streams of data that can be produced asynchronously, making it easier to handle events or data that arrive over time. We use this, e.g., to stream arbitrary data from the file system to the embedding system."
 
@@ -6205,6 +6268,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T566998575"] = "This is a library
 -- Used .NET SDK
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T585329785"] = "Used .NET SDK"
 
+-- starting
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T594602073"] = "starting"
+
 -- This library is used to manage sidecar processes and to ensure that stale or zombie sidecars are detected and terminated.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T633932150"] = "This library is used to manage sidecar processes and to ensure that stale or zombie sidecars are detected and terminated."
 
@@ -6226,6 +6292,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T836298648"] = "Provided by confi
 -- We use this library to be able to read PowerPoint files. This allows us to insert content from slides into prompts and take PowerPoint files into account in RAG processes. We thank Nils Kruthoff for his work on this Rust crate.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T855925638"] = "We use this library to be able to read PowerPoint files. This allows us to insert content from slides into prompts and take PowerPoint files into account in RAG processes. We thank Nils Kruthoff for his work on this Rust crate."
 
+-- Axum is used to provide the small internal service that connects the Rust runtime with the app's user interface. This lets both parts of AI Studio exchange information while the app is running.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T864851737"] = "Axum is used to provide the small internal service that connects the Rust runtime with the app's user interface. This lets both parts of AI Studio exchange information while the app is running."
+
 -- For some data transfers, we need to encode the data in base64. This Rust library is great for this purpose.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T870640199"] = "For some data transfers, we need to encode the data in base64. This Rust library is great for this purpose."
 
@@ -6670,8 +6739,8 @@ UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T2708
 -- Unknown preview feature
 UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T2722827307"] = "Unknown preview feature"
 
--- Transcription: Preview of our speech to text system where you can transcribe recordings and audio files into text
-UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T714355911"] = "Transcription: Preview of our speech to text system where you can transcribe recordings and audio files into text"
+-- Transcription: Convert recordings and audio files into text
+UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T4247148645"] = "Transcription: Convert recordings and audio files into text"
 
 -- Use no data sources, when sending an assistant result to a chat
 UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::SENDTOCHATDATASOURCEBEHAVIOREXTENSIONS::T1223925477"] = "Use no data sources, when sending an assistant result to a chat"
@@ -6838,6 +6907,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::CONFIDENCESCHEMESEXTENSIONS::T4107860491"] = "
 -- Reason
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T1093747001"] = "Reason"
 
+-- Starting
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T1233211769"] = "Starting"
+
 -- Unavailable
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T3662391977"] = "Unavailable"
 
@@ -6922,6 +6994,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T2858189239"] = "Faile
 -- Failed to retrieve the security requirements: the request was canceled either by the user or due to a timeout.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T286437836"] = "Failed to retrieve the security requirements: the request was canceled either by the user or due to a timeout."
 
+-- Failed to read the user's username from the operating system.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T2909734556"] = "Failed to read the user's username from the operating system."
+
 -- Failed to retrieve the security requirements due to an exception: {0}
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T3221004295"] = "Failed to retrieve the security requirements due to an exception: {0}"
 
@@ -6967,6 +7042,12 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T816853779"] = "Failed
 -- Failed to retrieve the authentication methods: the ERI server did not return a valid response.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T984407320"] = "Failed to retrieve the authentication methods: the ERI server did not return a valid response."
 
+-- AI Studio couldn't install Pandoc because the archive was not found.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1059477764"] = "AI Studio couldn't install Pandoc because the archive was not found."
+
+-- Pandoc doesn't seem to be installed.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1090474732"] = "Pandoc doesn't seem to be installed."
+
 -- Was not able to validate the Pandoc installation.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1364844008"] = "Was not able to validate the Pandoc installation."
 
@@ -6988,20 +7069,20 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T2550598062"] = "Pandoc v{0} is instal
 -- Pandoc v{0} is installed, but it does not match the required version (v{1}).
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T2555465873"] = "Pandoc v{0} is installed, but it does not match the required version (v{1})."
 
--- Pandoc was not installed successfully, because the archive was not found.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T34210248"] = "Pandoc was not installed successfully, because the archive was not found."
+-- AI Studio couldn't install Pandoc because the archive type is unknown.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3492710362"] = "AI Studio couldn't install Pandoc because the archive type is unknown."
 
 -- Pandoc is not available on the system or the process had issues.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3746116957"] = "Pandoc is not available on the system or the process had issues."
 
--- Pandoc was not installed successfully, because the archive type is unknown.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3962211670"] = "Pandoc was not installed successfully, because the archive type is unknown."
+-- AI Studio couldn't install Pandoc because the executable was not found in the archive.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T403983772"] = "AI Studio couldn't install Pandoc because the executable was not found in the archive."
 
--- It seems that Pandoc is not installed.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T567205144"] = "It seems that Pandoc is not installed."
+-- AI Studio couldn't find the latest Pandoc version and will install version {0} instead.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T695293525"] = "AI Studio couldn't find the latest Pandoc version and will install version {0} instead."
 
--- The latest Pandoc version was not found, installing version {0} instead.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T726914939"] = "The latest Pandoc version was not found, installing version {0} instead."
+-- AI Studio couldn't install Pandoc.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T932858631"] = "AI Studio couldn't install Pandoc."
 
 -- Pandoc is required for Microsoft Word export.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOCEXPORT::T1473115556"] = "Pandoc is required for Microsoft Word export."
@@ -7492,6 +7573,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::PANDOCAVAILABILITYSERVICE::T18544701
 -- Pandoc may be required for importing files.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::PANDOCAVAILABILITYSERVICE::T2596465560"] = "Pandoc may be required for importing files."
 
+-- Failed to store the secret data due to an API issue.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::RUSTSERVICE::T1110203516"] = "Failed to store the secret data due to an API issue."
+
 -- Failed to delete the secret data due to an API issue.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::RUSTSERVICE::T2303057928"] = "Failed to delete the secret data due to an API issue."
 

app/MindWork AI Studio/Assistants/SlideBuilder/SlideAssistant.razor

@@ -22,7 +22,7 @@
 <MudJustifiedText Typo="Typo.body1" Class="mb-2">
     @T("You might want to specify important aspects that the LLM should consider when creating the slides. For example, the use of emojis or specific topics that should be highlighted.")
 </MudJustifiedText>
-<MudTextField T="string" AutoGrow="true" Lines="3" @bind-Text="@this.importantAspects" class="mb-1" Label="@T("(Optional) Important Aspects")" HelperText="@T("(Optional) Specify aspects that the LLM should consider when creating the slides. For example, the use of emojis or specific topics that should be highlighted.")"  ShrinkLabel="true" Variant="Variant.Outlined" AdornmentIcon="@Icons.Material.Filled.List" Adornment="Adornment.Start"/>
+<MudTextField T="string" AutoGrow="true" Lines="3" @bind-Text="@this.importantAspects" class="mb-1" Label="@T("(Optional) Important Aspects")" HelperText="@T("(Optional) Specify aspects that the LLM should consider when creating the slides. For example, the use of emojis or specific topics that should be highlighted.")"  ShrinkLabel="true" Variant="Variant.Outlined" AdornmentIcon="@Icons.Material.Filled.List" Adornment="Adornment.Start" UserAttributes="@USER_INPUT_ATTRIBUTES"/>
 
 <MudText Typo="Typo.h6"  Class="mb-1 mt-3"> @T("Extent of the planned presentation")</MudText>
 <MudJustifiedText Typo="Typo.body1" Class="mb-2">

app/MindWork AI Studio/Components/Changelog.Logs.cs

@@ -13,6 +13,8 @@ public partial class Changelog
     
     public static readonly Log[] LOGS = 
     [
+        new (239, "v26.5.4, build 239 (2026-05-13 11:58 UTC)", "v26.5.4.md"),
+        new (238, "v26.5.3, build 238 (2026-05-13 09:50 UTC)", "v26.5.3.md"),
         new (237, "v26.5.2, build 237 (2026-05-06 16:38 UTC)", "v26.5.2.md"),
         new (236, "v26.5.1, build 236 (2026-05-06 13:06 UTC)", "v26.5.1.md"),
         new (235, "v26.4.1, build 235 (2026-04-17 17:25 UTC)", "v26.4.1.md"),

app/MindWork AI Studio/Components/Settings/SettingsPanelTranscription.razor

@@ -5,7 +5,6 @@
 @if (PreviewFeatures.PRE_SPEECH_TO_TEXT_2026.IsEnabled(this.SettingsManager))
 {
     <ExpansionPanel HeaderIcon="@Icons.Material.Filled.VoiceChat" HeaderText="@T("Configure Transcription Providers")">
-        <PreviewBeta ApplyInnerScrollingFix="true"/>
         <MudText Typo="Typo.h4" Class="mb-3">
             @T("Configured Transcription Providers")
         </MudText>

app/MindWork AI Studio/Dialogs/DataSourceERIV1UsernamePasswordExportDialog.razor

@@ -0,0 +1,26 @@
+@inherits MSGComponentBase
+
+<MudDialog>
+    <DialogContent>
+        <MudText Typo="Typo.body1" Class="mb-3">
+            @string.Format(T("How should AI Studio export the username and password configuration for the ERI v1 data source '{0}'?"), this.DataSource.Name)
+        </MudText>
+
+        <MudSelect @bind-Value="@this.usernamePasswordMode" Text="@this.GetUsernamePasswordModeText()" Label="@T("Username and password mode")" Class="mt-3 mb-3" OpenIcon="@Icons.Material.Filled.ExpandMore" AdornmentColor="Color.Info" Adornment="Adornment.Start">
+            @foreach (var mode in this.availableUsernamePasswordModes)
+            {
+                <MudSelectItem Value="@mode">
+                    @this.GetUsernamePasswordModeText(mode)
+                </MudSelectItem>
+            }
+        </MudSelect>
+    </DialogContent>
+    <DialogActions>
+        <MudButton OnClick="@this.Cancel" Variant="Variant.Filled">
+            @T("Cancel")
+        </MudButton>
+        <MudButton OnClick="@this.Export" Variant="Variant.Filled" Color="Color.Primary">
+            @T("Export")
+        </MudButton>
+    </DialogActions>
+</MudDialog>

app/MindWork AI Studio/Dialogs/DataSourceERIV1UsernamePasswordExportDialog.razor.cs

@@ -0,0 +1,37 @@
+using AIStudio.Components;
+using AIStudio.Settings.DataModel;
+
+using Microsoft.AspNetCore.Components;
+
+namespace AIStudio.Dialogs;
+
+public partial class DataSourceERIV1UsernamePasswordExportDialog : MSGComponentBase
+{
+    [CascadingParameter]
+    private IMudDialogInstance MudDialog { get; set; } = null!;
+
+    [Parameter]
+    public DataSourceERI_V1 DataSource { get; set; }
+
+    private readonly DataSourceERIUsernamePasswordMode[] availableUsernamePasswordModes =
+    [
+        DataSourceERIUsernamePasswordMode.OS_USERNAME_SHARED_PASSWORD,
+        DataSourceERIUsernamePasswordMode.SHARED_USERNAME_AND_PASSWORD
+    ];
+
+    private DataSourceERIUsernamePasswordMode usernamePasswordMode = DataSourceERIUsernamePasswordMode.OS_USERNAME_SHARED_PASSWORD;
+
+    private string GetUsernamePasswordModeText() => this.GetUsernamePasswordModeText(this.usernamePasswordMode);
+
+    private string GetUsernamePasswordModeText(DataSourceERIUsernamePasswordMode mode) => mode switch
+    {
+        DataSourceERIUsernamePasswordMode.OS_USERNAME_SHARED_PASSWORD => T("Read each user's username from the operating system and share one password"),
+        DataSourceERIUsernamePasswordMode.SHARED_USERNAME_AND_PASSWORD => T("Use the same username and password for all users"),
+        
+        _ => T("User-managed username and password"),
+    };
+
+    private void Cancel() => this.MudDialog.Cancel();
+
+    private void Export() => this.MudDialog.Close(DialogResult.Ok(new DataSourceERIV1UsernamePasswordExportDialogResult(this.usernamePasswordMode)));
+}

app/MindWork AI Studio/Dialogs/DataSourceERIV1UsernamePasswordExportDialogResult.cs

@@ -0,0 +1,5 @@
+using AIStudio.Settings.DataModel;
+
+namespace AIStudio.Dialogs;
+
+public readonly record struct DataSourceERIV1UsernamePasswordExportDialogResult(DataSourceERIUsernamePasswordMode UsernamePasswordMode);

app/MindWork AI Studio/Dialogs/DataSourceERI_V1Dialog.razor.cs

@@ -116,7 +116,7 @@ public partial class DataSourceERI_V1Dialog : MSGComponentBase, ISecretId
             if (this.dataAuthMethod is AuthMethod.TOKEN or AuthMethod.USERNAME_PASSWORD)
             {
                 // Load the secret:
-                var requestedSecret = await this.RustService.GetSecret(this);
+                var requestedSecret = await this.RustService.GetSecret(this, SecretStoreType.DATA_SOURCE);
                 if (requestedSecret.Success)
                     this.dataSecret = await requestedSecret.Secret.Decrypt(this.encryption);
                 else
@@ -169,6 +169,7 @@ public partial class DataSourceERI_V1Dialog : MSGComponentBase, ISecretId
             Hostname = cleanedHostname.EndsWith('/') ? cleanedHostname[..^1] : cleanedHostname,
             AuthMethod = this.dataAuthMethod,
             Username = this.dataUsername,
+            UsernamePasswordMode = DataSourceERIUsernamePasswordMode.USER_MANAGED,
             Type = DataSourceType.ERI_V1,
             SecurityPolicy = this.dataSecurityPolicy,
             SelectedRetrievalId = this.dataSelectedRetrievalProcess.Id,
@@ -323,7 +324,7 @@ public partial class DataSourceERI_V1Dialog : MSGComponentBase, ISecretId
         if (!string.IsNullOrWhiteSpace(this.dataSecret))
         {
             // Store the secret in the OS secure storage:
-            var storeResponse = await this.RustService.SetSecret(this, this.dataSecret);
+            var storeResponse = await this.RustService.SetSecret(this, this.dataSecret, SecretStoreType.DATA_SOURCE);
             if (!storeResponse.Success)
             {
                 this.dataSecretStorageIssue = string.Format(T("Failed to store the auth. secret in the operating system. The message was: {0}. Please try again."), storeResponse.Issue);

app/MindWork AI Studio/Dialogs/DataSourceERI_V1InfoDialog.razor

@@ -21,7 +21,7 @@
 
         @if (this.DataSource.AuthMethod is AuthMethod.USERNAME_PASSWORD)
         {
-            <TextInfoLine Icon="@Icons.Material.Filled.Person2" Label="@T("Username")" Value="@this.DataSource.Username" ClipboardTooltipSubject="@T("the username")"/>
+            <TextInfoLine Icon="@Icons.Material.Filled.Person2" Label="@T("Username")" Value="@this.effectiveUsername" ClipboardTooltipSubject="@T("the username")"/>
         }
 
         <TextInfoLines Label="@T("Server description")" MaxLines="14" Value="@this.serverDescription" ClipboardTooltipSubject="@T("the server description")"/>

app/MindWork AI Studio/Dialogs/DataSourceERI_V1InfoDialog.razor.cs

@@ -41,6 +41,7 @@ public partial class DataSourceERI_V1InfoDialog : MSGComponentBase, IAsyncDispos
     private readonly List<string> dataIssues = [];
     
     private string serverDescription = string.Empty;
+    private string effectiveUsername = string.Empty;
     private ProviderType securityRequirements = ProviderType.NONE;
     private IReadOnlyList<RetrievalInfo> retrievalInfoformation = [];
     private RetrievalInfo selectedRetrievalInfo;
@@ -51,6 +52,27 @@ public partial class DataSourceERI_V1InfoDialog : MSGComponentBase, IAsyncDispos
     
     private string Port => this.DataSource.Port == 0 ? string.Empty : $"{this.DataSource.Port}";
 
+    private async Task<(bool Success, DataSourceERI_V1 EffectiveDataSource)> CreateEffectiveDataSource()
+    {
+        this.effectiveUsername = this.DataSource.Username;
+        if (this.DataSource is not { AuthMethod: AuthMethod.USERNAME_PASSWORD, UsernamePasswordMode: DataSourceERIUsernamePasswordMode.OS_USERNAME_SHARED_PASSWORD })
+            return (true, this.DataSource);
+
+        var osUsername = await this.RustService.ReadUserName();
+        if (string.IsNullOrWhiteSpace(osUsername))
+        {
+            this.dataIssues.Add(T("Failed to read the user's username from the operating system."));
+            return (false, this.DataSource);
+        }
+
+        this.effectiveUsername = osUsername;
+        return (true, this.DataSource with
+        {
+            Username = osUsername,
+            UsernamePasswordMode = DataSourceERIUsernamePasswordMode.SHARED_USERNAME_AND_PASSWORD,
+        });
+    }
+
     private string RetrievalName(RetrievalInfo retrievalInfo)
     {
         var hasId = !string.IsNullOrWhiteSpace(retrievalInfo.Id);
@@ -92,14 +114,18 @@ public partial class DataSourceERI_V1InfoDialog : MSGComponentBase, IAsyncDispos
             this.IsOperationInProgress = true;
             this.StateHasChanged();
 
-            using var client = ERIClientFactory.Get(ERIVersion.V1, this.DataSource);
+            var effectiveDataSourceResult = await this.CreateEffectiveDataSource();
+            if (!effectiveDataSourceResult.Success)
+                return;
+            
+            using var client = ERIClientFactory.Get(ERIVersion.V1, effectiveDataSourceResult.EffectiveDataSource);
             if(client is null)
             {
                 this.dataIssues.Add(T("Failed to connect to the ERI v1 server. The server is not supported."));
                 return;
             }
             
-            var loginResult = await client.AuthenticateAsync(this.RustService);
+            var loginResult = await client.AuthenticateAsync(this.RustService, cancellationToken: this.cts.Token);
             if (!loginResult.Successful)
             {
                 this.dataIssues.Add(loginResult.Message);

app/MindWork AI Studio/Dialogs/Settings/SettingsDialogDataSources.razor

@@ -38,12 +38,27 @@
                 <MudTd>
                     <MudStack Row="true" Class="mb-2 mt-2" Wrap="Wrap.Wrap">
                         <MudIconButton Variant="Variant.Filled" Color="Color.Info" Icon="@Icons.Material.Filled.Info" OnClick="() => this.ShowInformation(context)"/>
+                        @if (context.IsEnterpriseConfiguration)
+                        {
+                            <MudTooltip Text="@T("This data source is managed by your organization.")">
+                                <MudIconButton Color="Color.Info" Icon="@Icons.Material.Filled.Business" Disabled="true"/>
+                            </MudTooltip>
+                        }
+                        else
+                        {
                             <MudButton Variant="Variant.Filled" Color="Color.Info" StartIcon="@Icons.Material.Filled.Edit" OnClick="() => this.EditDataSource(context)">
                                 @T("Edit")
                             </MudButton>
+                            @if (this.SettingsManager.ConfigurationData.App.ShowAdminSettings && context is DataSourceERI_V1)
+                            {
+                                <MudTooltip Text="@T("Export configuration")">
+                                    <MudIconButton Variant="Variant.Filled" Color="Color.Info" Icon="@Icons.Material.Filled.Dataset" OnClick="() => this.ExportDataSource(context)"/>
+                                </MudTooltip>
+                            }
                             <MudButton Variant="Variant.Filled" Color="Color.Error" StartIcon="@Icons.Material.Filled.Delete" OnClick="() => this.DeleteDataSource(context)">
                                 @T("Delete")
                             </MudButton>
+                        }
                     </MudStack>
                 </MudTd>
             </RowTemplate>

app/MindWork AI Studio/Dialogs/Settings/SettingsDialogDataSources.razor.cs

@@ -1,11 +1,17 @@
 using AIStudio.Settings;
 using AIStudio.Settings.DataModel;
 using AIStudio.Tools.ERIClient.DataModel;
+using AIStudio.Tools.PluginSystem;
+
+using Microsoft.AspNetCore.Components;
 
 namespace AIStudio.Dialogs.Settings;
 
 public partial class SettingsDialogDataSources : SettingsDialogBase
 {
+    [Inject]
+    private ISnackbar Snackbar { get; init; } = null!;
+
     private string GetEmbeddingName(IDataSource dataSource)
     {
         if(dataSource is IInternalDataSource internalDataSource)
@@ -87,8 +93,105 @@ public partial class SettingsDialogDataSources : SettingsDialogBase
         await this.MessageBus.SendMessage<bool>(this, Event.CONFIGURATION_CHANGED);
     }
 
+    private async Task ExportDataSource(IDataSource dataSource)
+    {
+        if (!this.SettingsManager.ConfigurationData.App.ShowAdminSettings)
+            return;
+
+        if (dataSource is not DataSourceERI_V1 eriDataSource)
+            return;
+
+        if (eriDataSource.AuthMethod is AuthMethod.KERBEROS)
+        {
+            await this.DialogService.ShowMessageBox(
+                T("Export ERI Data Source"),
+                T("Kerberos/SSO ERI data sources cannot be exported yet. Please configure them manually in the configuration plugin."),
+                T("Close"));
+            return;
+        }
+
+        var needsSecret = eriDataSource.AuthMethod is AuthMethod.TOKEN or AuthMethod.USERNAME_PASSWORD;
+        if (!needsSecret)
+        {
+            var publicLuaCode = eriDataSource.ExportAsConfigurationSection();
+            if (!string.IsNullOrWhiteSpace(publicLuaCode))
+                await this.RustService.CopyText2Clipboard(this.Snackbar, publicLuaCode);
+
+            return;
+        }
+
+        var secretResponse = await this.RustService.GetSecret(eriDataSource, SecretStoreType.DATA_SOURCE, isTrying: true);
+        if (!secretResponse.Success)
+        {
+            await this.DialogService.ShowMessageBox(
+                T("Export ERI Data Source"),
+                string.Format(T("Cannot export this ERI data source because no authentication secret is configured. The issue was: {0}"), secretResponse.Issue),
+                T("Close"));
+            return;
+        }
+
+        var encryption = PluginFactory.EnterpriseEncryption;
+        if (encryption?.IsAvailable != true)
+        {
+            await this.DialogService.ShowMessageBox(
+                T("Export ERI Data Source"),
+                T("Cannot export this ERI data source because no enterprise encryption secret is configured."),
+                T("Close"));
+            return;
+        }
+
+        var usernamePasswordMode = DataSourceERIUsernamePasswordMode.USER_MANAGED;
+        if (eriDataSource.AuthMethod is AuthMethod.TOKEN)
+        {
+            var dialogParameters = new DialogParameters<ConfirmDialog>
+            {
+                { x => x.Message, T("This ERI data source has an access token configured. Do you want to include the encrypted access token in the export? Note: The recipient will need the same encryption secret to use the access token.") },
+            };
+
+            var dialogReference = await this.DialogService.ShowAsync<ConfirmDialog>(T("Export Access Token?"), dialogParameters, DialogOptions.FULLSCREEN);
+            var dialogResult = await dialogReference.Result;
+            if (dialogResult is null || dialogResult.Canceled)
+                return;
+        }
+        else if (eriDataSource.AuthMethod is AuthMethod.USERNAME_PASSWORD)
+        {
+            var dialogParameters = new DialogParameters<DataSourceERIV1UsernamePasswordExportDialog>
+            {
+                { x => x.DataSource, eriDataSource },
+            };
+
+            var dialogReference = await this.DialogService.ShowAsync<DataSourceERIV1UsernamePasswordExportDialog>(T("Export ERI Data Source"), dialogParameters, DialogOptions.FULLSCREEN);
+            var dialogResult = await dialogReference.Result;
+            if (dialogResult is null || dialogResult.Canceled || dialogResult.Data is not DataSourceERIV1UsernamePasswordExportDialogResult exportResult)
+                return;
+
+            usernamePasswordMode = exportResult.UsernamePasswordMode;
+        }
+
+        var decryptedSecret = await secretResponse.Secret.Decrypt(Program.ENCRYPTION);
+        if (!encryption.TryEncrypt(decryptedSecret, out var encryptedSecret))
+        {
+            await this.DialogService.ShowMessageBox(
+                T("Export ERI Data Source"),
+                T("Cannot export this ERI data source because the authentication secret could not be encrypted."),
+                T("Close"));
+            return;
+        }
+
+        var luaCode = eriDataSource.ExportAsConfigurationSection(
+            encryptedSecret,
+            usernamePasswordMode);
+        if (string.IsNullOrWhiteSpace(luaCode))
+            return;
+
+        await this.RustService.CopyText2Clipboard(this.Snackbar, luaCode);
+    }
+    
     private async Task EditDataSource(IDataSource dataSource)
     {
+        if (dataSource.IsEnterpriseConfiguration)
+            return;
+
         IDataSource? editedDataSource = null;
         switch (dataSource)
         {
@@ -151,6 +254,9 @@ public partial class SettingsDialogDataSources : SettingsDialogBase
     
     private async Task DeleteDataSource(IDataSource dataSource)
     {
+        if (dataSource.IsEnterpriseConfiguration)
+            return;
+
         var dialogParameters = new DialogParameters<ConfirmDialog>
         {
             { x => x.Message, string.Format(T("Are you sure you want to delete the data source '{0}' of type {1}?"), dataSource.Name, dataSource.Type.GetDisplayName()) },
@@ -174,7 +280,7 @@ public partial class SettingsDialogDataSources : SettingsDialogBase
             // All other auth methods require a secret, which we need to delete now:
             else
             {
-                var deleteSecretResponse = await this.RustService.DeleteSecret(externalDataSource);
+                var deleteSecretResponse = await this.RustService.DeleteSecret(externalDataSource, SecretStoreType.DATA_SOURCE);
                 if (deleteSecretResponse.Success)
                     applyChanges = true;
             }

app/MindWork AI Studio/Layout/MainLayout.razor.cs

@@ -83,7 +83,9 @@ public partial class MainLayout : LayoutComponentBase, IMessageBusReceiver, ILan
         // Read the user language from Rust:
         //
         var userLanguage = await this.RustService.ReadUserLanguage();
+        var userName = await this.RustService.ReadUserName();
         this.Logger.LogInformation($"The OS says '{userLanguage}' is the user language.");
+        this.Logger.LogInformation($"The OS says '{userName}' is the username.");
         
         // Ensure that all settings are loaded:
         await this.SettingsManager.LoadSettings();

app/MindWork AI Studio/MindWork AI Studio.csproj

@@ -50,12 +50,12 @@
     <ItemGroup>
       <PackageReference Include="CodeBeam.MudBlazor.Extensions" Version="8.3.0" />
       <PackageReference Include="HtmlAgilityPack" Version="1.12.4" />
-      <PackageReference Include="Microsoft.Extensions.FileProviders.Embedded" Version="9.0.15" />
+      <PackageReference Include="Microsoft.Extensions.FileProviders.Embedded" Version="9.0.16" />
       <PackageReference Include="MudBlazor" Version="8.15.0" />
       <PackageReference Include="MudBlazor.Markdown" Version="8.11.0" />
-      <PackageReference Include="Qdrant.Client" Version="1.17.0" />
+      <PackageReference Include="Qdrant.Client" Version="1.18.1" />
       <PackageReference Include="ReverseMarkdown" Version="5.0.0" />
-      <PackageReference Include="LuaCSharp" Version="0.5.3" />
+      <PackageReference Include="LuaCSharp" Version="0.5.5" />
     </ItemGroup>
 
     <ItemGroup>

app/MindWork AI Studio/Pages/Information.razor

@@ -47,6 +47,7 @@
                     <MudListItem T="string" Icon="@Icons.Material.Outlined.Widgets" Text="@MudBlazorVersion"/>
                     <MudListItem T="string" Icon="@Icons.Material.Outlined.Memory" Text="@TauriVersion"/>
                     <MudListItem T="string" Icon="@Icons.Material.Outlined.Translate" Text="@this.OSLanguage"/>
+                    <MudListItem T="string" Icon="@Icons.Material.Outlined.AccountCircle" Text="@this.OSUserName"/>
                     <MudListItem T="string" Icon="@Icons.Material.Outlined.Business">
                         @switch (HasAnyActiveEnvironment)
                         {
@@ -279,10 +280,12 @@
                     <ThirdPartyComponent Name="Rust" Developer="Graydon Hoare, Rust Foundation, Rust developers & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/rust-lang/rust/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/rust-lang/rust" UseCase="@T("The .NET backend cannot be started as a desktop app. Therefore, I use a second backend in Rust, which I call runtime. With Rust as the runtime, Tauri can be used to realize a typical desktop app. Thanks to Rust, this app can be offered for Windows, macOS, and Linux desktops. Rust is a great language for developing safe and high-performance software.")"/>
                     <ThirdPartyComponent Name="Tauri" Developer="Daniel Thompson-Yvetot, Lucas Nogueira, Tensor, Boscop, Serge Zaitsev, George Burton & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/tauri-apps/tauri/blob/dev/LICENSE_MIT" RepositoryUrl="https://github.com/tauri-apps/tauri" UseCase="@T("Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!")"/>
                     <ThirdPartyComponent Name="Qdrant" Developer="Andrey Vasnetsov, Tim Visée, Arnaud Gourlay, Luis Cossío, Ivan Pleshkov, Roman Titov, xzfc, JojiiOfficial & Open Source Community" LicenseName="Apache-2.0" LicenseUrl="https://github.com/qdrant/qdrant/blob/master/LICENSE" RepositoryUrl="https://github.com/qdrant/qdrant" UseCase="@T("Qdrant is a vector database and vector similarity search engine. We use it to realize local RAG—retrieval-augmented generation—within AI Studio. Thanks for the effort and great work that has been and is being put into Qdrant.")"/>
-                    <ThirdPartyComponent Name="Rocket" Developer="Sergio Benitez & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/rwf2/Rocket/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/rwf2/Rocket" UseCase="@T("We use Rocket to implement the runtime API. This is necessary because the runtime must be able to communicate with the user interface (IPC). Rocket is a great framework for implementing web APIs in Rust.")"/>
+                    <ThirdPartyComponent Name="axum" Developer="David Pedersen, Jonas Platte, tottoto, David Mládek, Yann Simon, Tobias Bieniek, Open Source Community & Tokio Project" LicenseName="MIT" LicenseUrl="https://github.com/tokio-rs/axum/blob/main/LICENSE" RepositoryUrl="https://github.com/tokio-rs/axum" UseCase="@T("Axum is used to provide the small internal service that connects the Rust runtime with the app's user interface. This lets both parts of AI Studio exchange information while the app is running.")"/>
+                    <ThirdPartyComponent Name="axum-server" Developer="Eray Karatay, Adi Salimgereyev, daxpedda & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/programatik29/axum-server/blob/master/LICENSE" RepositoryUrl="https://github.com/programatik29/axum-server" UseCase="@T("Axum server runs the internal axum service over a secure local connection. This helps AI Studio protect the communication between the Rust runtime and the user interface.")"/>
+                    <ThirdPartyComponent Name="Rustls" Developer="Joe Birr-Pixton, Dirkjan Ochtman, Daniel McCarney, Brian Smith, Jacob Hoffman-Andrews, Jorge Aparicio & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/rustls/rustls/blob/main/LICENSE-MIT" RepositoryUrl="https://github.com/rustls/rustls" UseCase="@T("Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running.")"/>
                     <ThirdPartyComponent Name="serde" Developer="Erick Tryzelaar, David Tolnay & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/serde-rs/serde/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/serde-rs/serde" UseCase="@T("Now we have multiple systems, some developed in .NET and others in Rust. The data format JSON is responsible for translating data between both worlds (called data serialization and deserialization). Serde takes on this task in the Rust world. The counterpart in the .NET world is an integral part of .NET and is located in System.Text.Json.")"/>
                     <ThirdPartyComponent Name="strum_macros" Developer="Peter Glotfelty & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/Peternator7/strum/blob/master/LICENSE" RepositoryUrl="https://github.com/Peternator7/strum" UseCase="@T("This crate provides derive macros for Rust enums, which we use to reduce boilerplate when implementing string conversions and metadata for runtime types. This is helpful for the communication between our Rust and .NET systems.")"/>
-                    <ThirdPartyComponent Name="keyring" Developer="Walther Chen, Daniel Brotsky & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/hwchen/keyring-rs/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/hwchen/keyring-rs" UseCase="@T("In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.")"/>
+                    <ThirdPartyComponent Name="keyring-core" Developer="Daniel Brotsky & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/open-source-cooperative/keyring-core/blob/main/LICENSE-MIT" RepositoryUrl="https://github.com/open-source-cooperative/keyring-core" UseCase="@T("AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.")"/>
                     <ThirdPartyComponent Name="arboard" Developer="Artur Kovacs, Avi Weinstock, 1Password & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/1Password/arboard/blob/master/LICENSE-MIT.txt" RepositoryUrl="https://github.com/1Password/arboard" UseCase="@T("To be able to use the responses of the LLM in other apps, we often use the clipboard of the respective operating system. Unfortunately, in .NET there is no solution that works with all operating systems. Therefore, I have opted for this library in Rust. This way, data transfer to other apps works on every system.")"/>
                     <ThirdPartyComponent Name="tokio" Developer="Alex Crichton, Carl Lerche, Alice Ryhl, Taiki Endo, Ivan Petkov, Eliza Weisman, Lucio Franco & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/tokio-rs/tokio/blob/master/LICENSE" RepositoryUrl="https://github.com/tokio-rs/tokio" UseCase="@T("Code in the Rust language can be specified as synchronous or asynchronous. Unlike .NET and the C# language, Rust cannot execute asynchronous code by itself. Rust requires support in the form of an executor for this. Tokio is one such executor.")"/>
                     <ThirdPartyComponent Name="futures" Developer="Alex Crichton, Taiki Endo, Taylor Cramer, Nemo157, Josef Brandl, Aaron Turon & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/rust-lang/futures-rs/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/rust-lang/futures-rs" UseCase="@T("This is a library providing the foundations for asynchronous programming in Rust. It includes key trait definitions like Stream, as well as utilities like join!, select!, and various futures combinator methods which enable expressive asynchronous control flow.")"/>
@@ -299,6 +302,7 @@
                     <ThirdPartyComponent Name="PDFium" Developer="Lei Zhang, Tom Sepez, Dan Sinclair, and Foxit, Google, Chromium, Collabora, Ada, DocsCorp, Dropbox, Microsoft, and PSPDFKit Teams & Open Source Community" LicenseName="Apache-2.0" LicenseUrl="https://pdfium.googlesource.com/pdfium/+/refs/heads/main/LICENSE" RepositoryUrl="https://pdfium.googlesource.com/pdfium" UseCase="@T("This library is used to read PDF files. This is necessary, e.g., for using PDFs as a data source for a chat.")"/>
                     <ThirdPartyComponent Name="pdfium-render" Developer="Alastair Carey, Dorian Rudolph & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/ajrcarey/pdfium-render/blob/master/LICENSE.md" RepositoryUrl="https://github.com/ajrcarey/pdfium-render" UseCase="@T("This library is used to read PDF files. This is necessary, e.g., for using PDFs as a data source for a chat.")"/>
                     <ThirdPartyComponent Name="sys-locale" Developer="1Password Team, ComplexSpaces & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/1Password/sys-locale/blob/main/LICENSE-MIT" RepositoryUrl="https://github.com/1Password/sys-locale" UseCase="@T("This library is used to determine the language of the operating system. This is necessary to set the language of the user interface.")"/>
+                    <ThirdPartyComponent Name="whoami" Developer="Ardaku Systems, Jeryn Aldaron Lau, Chase Johnson & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/ardaku/whoami/blob/stable/LICENSE_MIT" RepositoryUrl="https://github.com/ardaku/whoami" UseCase="@T("This library is used by the Rust runtime to read the current user's username, e.g. when an organization-managed ERI server uses the OS username for authentication.")"/>
                     <ThirdPartyComponent Name="sysinfo" Developer="Guillaume Gomez & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/GuillaumeGomez/sysinfo/blob/main/LICENSE" RepositoryUrl="https://github.com/GuillaumeGomez/sysinfo" UseCase="@T("This library is used to manage sidecar processes and to ensure that stale or zombie sidecars are detected and terminated.")"/>
                     <ThirdPartyComponent Name="tempfile" Developer="Steven Allen, Ashley Mannix & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/Stebalien/tempfile/blob/master/LICENSE-MIT" RepositoryUrl="https://github.com/Stebalien/tempfile" UseCase="@T("This library is used to create temporary folders for saving the certificate and private key for communication with Qdrant.")"/>
                     <ThirdPartyComponent Name="Lua-CSharp" Developer="Yusuke Nakada & Open Source Community" LicenseName="MIT" LicenseUrl="https://github.com/nuskey8/Lua-CSharp/blob/main/LICENSE" RepositoryUrl="https://github.com/nuskey8/Lua-CSharp" UseCase="@T("We use Lua as the language for plugins. Lua-CSharp lets Lua scripts communicate with AI Studio and vice versa. Thank you, Yusuke Nakada, for this great library.")" />

app/MindWork AI Studio/Pages/Information.razor.cs

@@ -29,7 +29,7 @@ public partial class Information : MSGComponentBase
     private ISnackbar Snackbar { get; init; } = null!;
     
     [Inject]
-    private DatabaseClient DatabaseClient { get; init; } = null!;
+    private DatabaseClientProvider DatabaseClientProvider { get; init; } = null!;
     
     private static readonly Assembly ASSEMBLY = Assembly.GetExecutingAssembly();
     private static readonly MetaDataAttribute META_DATA = ASSEMBLY.GetCustomAttribute<MetaDataAttribute>()!;
@@ -40,6 +40,7 @@ public partial class Information : MSGComponentBase
     private static string TB(string fallbackEN) => I18N.I.T(fallbackEN, typeof(Information).Namespace, nameof(Information));
 
     private string osLanguage = string.Empty;
+    private string osUserName = string.Empty;
     
     private static string VersionApp => $"MindWork AI Studio: v{META_DATA.Version} (commit {META_DATA.AppCommitHash}, build {META_DATA.BuildNum}, {META_DATA_ARCH.Architecture.ToRID().ToUserFriendlyName()})";
     
@@ -49,6 +50,8 @@ public partial class Information : MSGComponentBase
     
     private string OSLanguage => $"{T("User-language provided by the OS")}: '{this.osLanguage}'";
     
+    private string OSUserName => $"{T("Username provided by the OS")}: '{this.osUserName}'";
+
     private string VersionRust => $"{T("Used Rust compiler")}: v{META_DATA.RustVersion}";
     
     private string VersionDotnetRuntime => $"{T("Used .NET runtime")}: v{META_DATA.DotnetVersion}";
@@ -59,9 +62,21 @@ public partial class Information : MSGComponentBase
     
     private string VersionPdfium => $"{T("Used PDFium version")}: v{META_DATA_LIBRARIES.PdfiumVersion}";
     
-    private string VersionDatabase => this.DatabaseClient.IsAvailable
-        ? $"{T("Database version")}: {this.DatabaseClient.Name} v{META_DATA_DATABASES.DatabaseVersion}"
-        : $"{T("Database")}: {this.DatabaseClient.Name} - {T("not available")}";
+    private string VersionDatabase
+    {
+        get
+        {
+            if (this.databaseClient is null)
+                return $"{T("Database")}: {T("checking availability")}";
+
+            return this.databaseClient.Status switch
+            {
+                DatabaseClientStatus.AVAILABLE => $"{T("Database version")}: {this.databaseClient.Name} v{META_DATA_DATABASES.DatabaseVersion}",
+                DatabaseClientStatus.STARTING => $"{T("Database")}: {this.databaseClient.Name} - {T("starting")}",
+                _ => $"{T("Database")}: {this.databaseClient.Name} - {T("not available")}"
+            };
+        }
+    }
     
     private string versionPandoc = TB("Determine Pandoc version, please wait...");
     private PandocInstallation pandocInstallation;
@@ -86,6 +101,8 @@ public partial class Information : MSGComponentBase
     private sealed record MandatoryInfoPanelData(string HeaderText, string PluginName, DataMandatoryInfo Info, DataMandatoryInfoAcceptance? Acceptance);
 
     private readonly List<DatabaseDisplayInfo> databaseDisplayInfo = new();
+    private DatabaseClient? databaseClient;
+    private CancellationTokenSource? databaseRefreshCancellationTokenSource;
 
     private bool HasAnyActiveEnvironment => this.enterpriseEnvironments.Any(e => e.IsActive);
     
@@ -128,12 +145,12 @@ public partial class Information : MSGComponentBase
         this.RefreshEnterpriseConfigurationState();
         
         this.osLanguage = await this.RustService.ReadUserLanguage();
+        this.osUserName = await this.RustService.ReadUserName();
         this.logPaths = await this.RustService.GetLogPaths();
         
-        await foreach (var (label, value) in this.DatabaseClient.GetDisplayInfo())
-        {
-            this.databaseDisplayInfo.Add(new DatabaseDisplayInfo(label, value));
-        }
+        await this.RefreshDatabaseInfo(CancellationToken.None);
+        if (this.databaseClient?.Status is DatabaseClientStatus.STARTING)
+            this.StartShortDatabaseRefreshLoop();
         
         // Determine the Pandoc version may take some time, so we start it here
         // without waiting for the result:
@@ -237,6 +254,69 @@ public partial class Information : MSGComponentBase
         this.showDatabaseDetails = !this.showDatabaseDetails;
     }
 
+    private async Task RefreshDatabaseInfo(CancellationToken cancellationToken)
+    {
+        var refreshedClient = await this.DatabaseClientProvider.RefreshClientAsync(DatabaseRole.VECTOR_STORE, cancellationToken);
+        this.databaseClient = refreshedClient;
+        this.databaseDisplayInfo.Clear();
+
+        try
+        {
+            await foreach (var (label, value) in refreshedClient.GetDisplayInfo().WithCancellation(cancellationToken))
+            {
+                this.databaseDisplayInfo.Add(new DatabaseDisplayInfo(label, value));
+            }
+        }
+        catch (OperationCanceledException)
+        {
+            throw;
+        }
+        catch (Exception e)
+        {
+            this.databaseClient = new NoDatabaseClient(refreshedClient.Name, e.Message, DatabaseClientStatus.STARTING);
+            await foreach (var (label, value) in this.databaseClient.GetDisplayInfo().WithCancellation(cancellationToken))
+            {
+                this.databaseDisplayInfo.Add(new DatabaseDisplayInfo(label, value));
+            }
+        }
+    }
+
+    private void StartShortDatabaseRefreshLoop()
+    {
+        this.databaseRefreshCancellationTokenSource?.Cancel();
+        this.databaseRefreshCancellationTokenSource?.Dispose();
+        this.databaseRefreshCancellationTokenSource = new CancellationTokenSource();
+        var cancellationToken = this.databaseRefreshCancellationTokenSource.Token;
+
+        _ = Task.Run(async () =>
+        {
+            const int MAX_TRIES = 12;
+            for (var attempt = 0; attempt < MAX_TRIES; attempt++)
+            {
+                try
+                {
+                    await Task.Delay(TimeSpan.FromSeconds(1), cancellationToken);
+                    await this.InvokeAsync(async () =>
+                    {
+                        await this.RefreshDatabaseInfo(cancellationToken);
+                        this.StateHasChanged();
+                    });
+
+                    if (this.databaseClient?.Status is not DatabaseClientStatus.STARTING)
+                        return;
+                }
+                catch (OperationCanceledException)
+                {
+                    return;
+                }
+                catch
+                {
+                    return;
+                }
+            }
+        }, cancellationToken);
+    }
+
     private IAvailablePlugin? FindManagedConfigurationPlugin(Guid configurationId)
     {
         return this.configPlugins.FirstOrDefault(plugin => plugin.ManagedConfigurationId == configurationId)
@@ -249,6 +329,13 @@ public partial class Information : MSGComponentBase
         return plugin.ManagedConfigurationId == configurationId && plugin.Id != configurationId;
     }
 
+    protected override void DisposeResources()
+    {
+        this.databaseRefreshCancellationTokenSource?.Cancel();
+        this.databaseRefreshCancellationTokenSource?.Dispose();
+        base.DisposeResources();
+    }
+
     private async Task CopyStartupLogPath()
     {
         await this.RustService.CopyText2Clipboard(this.Snackbar, this.logPaths.LogStartupPath);

app/MindWork AI Studio/Plugins/configuration/plugin.lua

@@ -136,6 +136,54 @@ CONFIG["EMBEDDING_PROVIDERS"] = {}
 --     }
 -- }
 
+-- ERI v1 data sources for retrieval-augmented generation:
+CONFIG["DATA_SOURCES"] = {}
+
+-- Example: ERI v1 data source with a shared access token.
+-- CONFIG["DATA_SOURCES"][#CONFIG["DATA_SOURCES"]+1] = {
+--     ["Id"] = "00000000-0000-0000-0000-000000000000",
+--     ["Name"] = "<user-friendly data source name>",
+--     ["Type"] = "ERI_V1",
+--     ["Hostname"] = "<https address of the ERI server>",
+--     ["Port"] = 443,
+--     ["AuthMethod"] = "TOKEN",
+--     ["Token"] = "ENC:v1:<base64-encoded encrypted token>",
+--     ["SecurityPolicy"] = "SELF_HOSTED",
+--     ["SelectedRetrievalId"] = "<retrieval process ID from the ERI server>",
+--     ["MaxMatches"] = 10,
+-- }
+
+-- Example: ERI v1 data source with a shared username and password.
+-- CONFIG["DATA_SOURCES"][#CONFIG["DATA_SOURCES"]+1] = {
+--     ["Id"] = "00000000-0000-0000-0000-000000000000",
+--     ["Name"] = "<user-friendly data source name>",
+--     ["Type"] = "ERI_V1",
+--     ["Hostname"] = "<https address of the ERI server>",
+--     ["Port"] = 443,
+--     ["AuthMethod"] = "USERNAME_PASSWORD",
+--     ["UsernamePasswordMode"] = "SHARED_USERNAME_AND_PASSWORD",
+--     ["Username"] = "<shared username>",
+--     ["Password"] = "ENC:v1:<base64-encoded encrypted password>",
+--     ["SecurityPolicy"] = "SELF_HOSTED",
+--     ["SelectedRetrievalId"] = "<retrieval process ID from the ERI server>",
+--     ["MaxMatches"] = 10,
+-- }
+
+-- Example: ERI v1 data source using the user's username and a shared password.
+-- CONFIG["DATA_SOURCES"][#CONFIG["DATA_SOURCES"]+1] = {
+--     ["Id"] = "00000000-0000-0000-0000-000000000000",
+--     ["Name"] = "<user-friendly data source name>",
+--     ["Type"] = "ERI_V1",
+--     ["Hostname"] = "<https address of the ERI server>",
+--     ["Port"] = 443,
+--     ["AuthMethod"] = "USERNAME_PASSWORD",
+--     ["UsernamePasswordMode"] = "OS_USERNAME_SHARED_PASSWORD",
+--     ["Password"] = "ENC:v1:<base64-encoded encrypted password>",
+--     ["SecurityPolicy"] = "SELF_HOSTED",
+--     ["SelectedRetrievalId"] = "<retrieval process ID from the ERI server>",
+--     ["MaxMatches"] = 10,
+-- }
+
 CONFIG["SETTINGS"] = {}
 
 -- Configure the update check interval:
@@ -173,8 +221,8 @@ CONFIG["SETTINGS"] = {}
 
 -- Configure the enabled preview features:
 -- Allowed values are can be found in https://github.com/MindWorkAI/AI-Studio/app/MindWork%20AI%20Studio/Settings/DataModel/PreviewFeatures.cs
--- Examples are PRE_WRITER_MODE_2024, PRE_RAG_2024, PRE_SPEECH_TO_TEXT_2026.
--- CONFIG["SETTINGS"]["DataApp.EnabledPreviewFeatures"] = { "PRE_RAG_2024", "PRE_SPEECH_TO_TEXT_2026" }
+-- Examples are PRE_WRITER_MODE_2024 and PRE_RAG_2024.
+-- CONFIG["SETTINGS"]["DataApp.EnabledPreviewFeatures"] = { "PRE_RAG_2024" }
 
 -- Configure the preselected provider.
 -- It must be one of the provider IDs defined in CONFIG["LLM_PROVIDERS"].

app/MindWork AI Studio/Plugins/languages/de-de-43065dbc-78d0-45b7-92be-f14c2926e2dc/plugin.lua

@@ -3633,6 +3633,9 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2879113658"] =
 -- Maximum matches per query
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2889706179"] = "Maximale Treffer pro Abfrage"
 
+-- Failed to read the user's username from the operating system.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2909734556"] = "Der Benutzername des Nutzers konnte nicht aus dem Betriebssystem gelesen werden."
+
 -- Open web link, show more information
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2968752071"] = "Weblink öffnen & mehr Informationen anzeigen"
 
@@ -3684,6 +3687,27 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T742006305"] = "
 -- Embeddings
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T951463987"] = "Einbettungen"
 
+-- Use the same username and password for all users
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T1769874785"] = "Für alle Benutzer denselben Benutzernamen und dasselbe Passwort verwenden"
+
+-- Username and password mode
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T1787063064"] = "Modus für den Benutzernamen und das Passwort"
+
+-- How should AI Studio export the username and password configuration for the ERI v1 data source '{0}'?
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T3081234668"] = "Wie soll AI Studio die Konfiguration von Benutzername und Passwort für die ERI-v1-Datenquelle „{0}“ exportieren?"
+
+-- User-managed username and password
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T365340972"] = "Vom Benutzer verwaltete Anmeldedaten (Benutzername und Passwort)"
+
+-- Export
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T3898821075"] = "Exportieren"
+
+-- Read each user's username from the operating system and share one password
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T76405695"] = "Den Benutzernamen jedes Benutzers aus dem Betriebssystem auslesen und ein Passwort teilen."
+
+-- Cancel
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T900713019"] = "Abbrechen"
+
 -- Describe what data this directory contains to help the AI select it.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCELOCALDIRECTORYDIALOG::T1136409150"] = "Beschreiben Sie, welche Daten dieses Verzeichnis enthält, um der KI bei der Auswahl zu helfen."
 
@@ -4812,6 +4836,12 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T145419
 -- Delete
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1469573738"] = "Löschen"
 
+-- Kerberos/SSO ERI data sources cannot be exported yet. Please configure them manually in the configuration plugin.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1577531115"] = "Kerberos-/SSO-ERI-Datenquellen können noch nicht exportiert werden. Bitte konfigurieren Sie diese manuell im Konfigurations-Plugin."
+
+-- Cannot export this ERI data source because the authentication secret could not be encrypted.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1592527757"] = "Diese ERI-Datenquelle kann nicht exportiert werden, da das Authentifizierungsgeheimnis nicht verschlüsselt werden konnte."
+
 -- External (ERI)
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1652430727"] = "Extern (ERI)"
 
@@ -4842,6 +4872,9 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T269820
 -- Embedding
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T2838542994"] = "Einbettung"
 
+-- This data source is managed by your organization.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3031462878"] = "Diese Datenquelle wird von Ihrer Organisation verwaltet."
+
 -- Edit
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3267849393"] = "Bearbeiten"
 
@@ -4866,21 +4899,39 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T352566
 -- No data sources configured yet.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3549650120"] = "Noch keine Datenquellen konfiguriert."
 
+-- Export Access Token?
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3595669127"] = "Zugriffstoken exportieren?"
+
+-- Export ERI Data Source
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3831281036"] = "ERI-Datenquelle exportieren"
+
 -- Actions
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3865031940"] = "Aktionen"
 
+-- This ERI data source has an access token configured. Do you want to include the encrypted access token in the export? Note: The recipient will need the same encryption secret to use the access token.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T4027572258"] = "Für diese ERI-Datenquelle ist ein Zugriffstoken konfiguriert. Möchten Sie das verschlüsselte Zugriffstoken in den Export aufnehmen? Hinweis: Der Empfänger benötigt dasselbe Geheimnis für die Verschlüsselung, um das Zugriffstoken verwenden zu können."
+
 -- Configured Data Sources
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T543942217"] = "Konfigurierte Datenquellen"
 
 -- Add ERI v1 Data Source
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T590005498"] = "ERI v1 Datenquelle hinzufügen"
 
+-- Cannot export this ERI data source because no enterprise encryption secret is configured.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T750361472"] = "Diese ERI-Datenquelle kann nicht exportiert werden, da kein Geheimnis für die Verschlüsselung konfiguriert ist."
+
 -- External Data (ERI-Server v1)
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T774473996"] = "Externe Daten (ERI-Server v1)"
 
+-- Cannot export this ERI data source because no authentication secret is configured. The issue was: {0}
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T782820095"] = "Diese ERI-Datenquelle kann nicht exportiert werden, da kein Authentifizierungsgeheimnis konfiguriert ist. Das Problem war: {0}"
+
 -- Local Directory
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T926703547"] = "Lokaler Ordner"
 
+-- Export configuration
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T975426229"] = "Konfiguration exportieren"
+
 -- When enabled, you can preselect some ERI server options.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGERISERVER::T1280666275"] = "Wenn aktiviert, können Sie einige ERI-Serveroptionen vorauswählen."
 
@@ -6021,18 +6072,12 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1890416390"] = "Nach Updates suc
 -- Vision
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1892426825"] = "Vision"
 
--- In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1915240766"] = "Um ein beliebiges LLM nutzen zu können, muss jeder User seinen sogenannten API-Schlüssel für jeden LLM-Anbieter speichern. Dieser Schlüssel muss sicher aufbewahrt werden – ähnlich wie ein Passwort. Die sicherste Methode hierfür bieten Betriebssysteme wie macOS, Windows und Linux: Sie verfügen über Mechanismen, solche Daten – sofern vorhanden – auf spezieller Sicherheits-Hardware zu speichern. Da dies derzeit in .NET nicht möglich ist, verwenden wir diese Rust-Bibliothek."
-
 -- This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1924365263"] = "Diese Bibliothek wird verwendet, um HTML in Markdown umzuwandeln. Das ist zum Beispiel notwendig, wenn Sie eine URL als Eingabe für einen Assistenten angeben."
 
 -- Encryption secret: is configured
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1931141322"] = "Geheimnis für die Verschlüsselung: ist konfiguriert"
 
--- We use Rocket to implement the runtime API. This is necessary because the runtime must be able to communicate with the user interface (IPC). Rocket is a great framework for implementing web APIs in Rust.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1943216839"] = "Wir verwenden Rocket zur Implementierung der Runtime-API. Dies ist notwendig, da die Runtime mit der Benutzeroberfläche (IPC) kommunizieren muss. Rocket ist ein ausgezeichnetes Framework zur Umsetzung von Web-APIs in Rust."
-
 -- Copies the following to the clipboard
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2029659664"] = "Kopiert Folgendes in die Zwischenablage"
 
@@ -6114,6 +6159,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2840227993"] = "Verwendete .NET-
 -- Explanation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2840582448"] = "Erklärung"
 
+-- checking availability
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2855535668"] = "Verfügbarkeit wird geprüft"
+
 -- The .NET backend cannot be started as a desktop app. Therefore, I use a second backend in Rust, which I call runtime. With Rust as the runtime, Tauri can be used to realize a typical desktop app. Thanks to Rust, this app can be offered for Windows, macOS, and Linux desktops. Rust is a great language for developing safe and high-performance software.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2868174483"] = "Das .NET-Backend kann nicht als Desktop-App gestartet werden. Deshalb verwende ich ein zweites Backend in Rust, das ich „Runtime“ nenne. Mit Rust als Runtime kann Tauri genutzt werden, um eine typische Desktop-App zu realisieren. Dank Rust kann diese App für Windows-, macOS- und Linux-Desktops angeboten werden. Rust ist eine großartige Sprache für die Entwicklung sicherer und leistungsstarker Software."
 
@@ -6135,6 +6183,12 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3178730036"] = "Haben Sie Ideen
 -- Hide Details
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3183837919"] = "Details ausblenden"
 
+-- Axum server runs the internal axum service over a secure local connection. This helps AI Studio protect the communication between the Rust runtime and the user interface.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3208719461"] = "Der Axum-Server führt den internen Axum-Dienst über eine sichere lokale Verbindung aus. Dadurch kann AI Studio die Kommunikation zwischen der Rust-Laufzeitumgebung und der Benutzeroberfläche schützen."
+
+-- Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3239817808"] = "Rustls hilft dabei, die interne Verbindung zwischen der Benutzeroberfläche der App und der Rust-Laufzeitumgebung abzusichern. Dadurch wird die lokale Kommunikation geschützt, die AI Studio während der Ausführung benötigt."
+
 -- Update Pandoc
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3249965383"] = "Pandoc aktualisieren"
 
@@ -6159,6 +6213,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3449345633"] = "AI Studio wird m
 -- Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3494984593"] = "Tauri wird verwendet, um die Blazor-Benutzeroberfläche bereitzustellen. Es ist ein großartiges Projekt, das die Erstellung von Desktop-Anwendungen mit Webtechnologien ermöglicht. Ich liebe Tauri!"
 
+-- AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3527399572"] = "AI Studio speichert vertrauliche Daten wie API-Schlüssel im sicheren Speicher Ihres Betriebssystems. Die Bibliothek keyring-core übernimmt dies, indem sie eine Verbindung zum macOS-Schlüsselbund, zur Windows-Anmeldeinformationsverwaltung und zum Linux Secret Service herstellt."
+
 -- Motivation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3563271893"] = "Motivation"
 
@@ -6168,6 +6225,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3574465749"] = "nicht verfügbar
 -- This library is used to read Excel and OpenDocument spreadsheet files. This is necessary, e.g., for using spreadsheets as a data source for a chat.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3722989559"] = "Diese Bibliothek wird verwendet, um Excel- und OpenDocument-Tabellendateien zu lesen. Dies ist zum Beispiel notwendig, wenn Tabellen als Datenquelle für einen Chat verwendet werden sollen."
 
+-- Username provided by the OS
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3764549776"] = "Vom Betriebssystem bereitgestellter Benutzername"
+
 -- this version does not met the requirements
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3813932670"] = "diese Version erfüllt die Anforderungen nicht"
 
@@ -6189,6 +6249,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4010195468"] = "Versionen"
 -- Database
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4036243672"] = "Datenbank"
 
+-- This library is used by the Rust runtime to read the current user's username, e.g. when an organization-managed ERI server uses the OS username for authentication.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4060906280"] = "Diese Bibliothek wird von der Rust-Laufzeitumgebung verwendet, um den Benutzernamen des aktuellen Benutzers auszulesen, z. B. wenn ein von einer Organisation verwalteter ERI-Server den OS-Benutzernamen für die Authentifizierung verwendet."
+
 -- This library is used to create asynchronous streams in Rust. It allows us to work with streams of data that can be produced asynchronously, making it easier to handle events or data that arrive over time. We use this, e.g., to stream arbitrary data from the file system to the embedding system.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4079152443"] = "Diese Bibliothek wird verwendet, um asynchrone Datenströme in Rust zu erstellen. Sie ermöglicht es uns, mit Datenströmen zu arbeiten, die asynchron bereitgestellt werden, wodurch sich Ereignisse oder Daten, die nach und nach eintreffen, leichter verarbeiten lassen. Wir nutzen dies zum Beispiel, um beliebige Daten aus dem Dateisystem an das Einbettungssystem zu übertragen."
 
@@ -6207,6 +6270,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T566998575"] = "Dies ist eine Bib
 -- Used .NET SDK
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T585329785"] = "Verwendetes .NET SDK"
 
+-- starting
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T594602073"] = "wird gestartet"
+
 -- This library is used to manage sidecar processes and to ensure that stale or zombie sidecars are detected and terminated.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T633932150"] = "Diese Bibliothek wird verwendet, um Sidecar-Prozesse zu verwalten und sicherzustellen, dass veraltete oder Zombie-Sidecars erkannt und beendet werden."
 
@@ -6228,6 +6294,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T836298648"] = "Bereitgestellt vo
 -- We use this library to be able to read PowerPoint files. This allows us to insert content from slides into prompts and take PowerPoint files into account in RAG processes. We thank Nils Kruthoff for his work on this Rust crate.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T855925638"] = "Wir verwenden diese Bibliothek, um PowerPoint-Dateien lesen zu können. So ist es möglich, Inhalte aus Folien in Prompts einzufügen und PowerPoint-Dateien in RAG-Prozessen zu berücksichtigen. Wir danken Nils Kruthoff für seine Arbeit an diesem Rust-Crate."
 
+-- Axum is used to provide the small internal service that connects the Rust runtime with the app's user interface. This lets both parts of AI Studio exchange information while the app is running.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T864851737"] = "Axum wird verwendet, um den kleinen internen Dienst bereitzustellen, der die Rust-Laufzeitumgebung mit der Benutzeroberfläche der App verbindet. So können beide Teile von AI Studio Informationen austauschen, während die App läuft."
+
 -- For some data transfers, we need to encode the data in base64. This Rust library is great for this purpose.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T870640199"] = "Für einige Datenübertragungen müssen wir die Daten in Base64 kodieren. Diese Rust-Bibliothek eignet sich dafür hervorragend."
 
@@ -6672,8 +6741,8 @@ UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T2708
 -- Unknown preview feature
 UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T2722827307"] = "Unbekannte Vorschau-Funktion"
 
--- Transcription: Preview of our speech to text system where you can transcribe recordings and audio files into text
-UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T714355911"] = "Transkription: Vorschau unseres Sprache-zu-Text-Systems, mit dem Sie Aufnahmen und Audiodateien in Text transkribieren können"
+-- Transcription: Convert recordings and audio files into text
+UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T4247148645"] = "Transkription: Aufnahmen und Audiodateien in Text umwandeln"
 
 -- Use no data sources, when sending an assistant result to a chat
 UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::SENDTOCHATDATASOURCEBEHAVIOREXTENSIONS::T1223925477"] = "Keine Datenquellen vorauswählen, wenn ein Ergebnis von einem Assistenten an einen neuen Chat gesendet wird"
@@ -6840,6 +6909,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::CONFIDENCESCHEMESEXTENSIONS::T4107860491"] = "
 -- Reason
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T1093747001"] = "Grund"
 
+-- Starting
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T1233211769"] = "Wird gestartet"
+
 -- Unavailable
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T3662391977"] = "Nicht verfügbar"
 
@@ -6924,6 +6996,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T2858189239"] = "Authe
 -- Failed to retrieve the security requirements: the request was canceled either by the user or due to a timeout.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T286437836"] = "Die Sicherheitsanforderungen konnten nicht abgerufen werden: Die Anfrage wurde entweder vom Benutzer abgebrochen oder ist aufgrund eines Zeitüberschreitungsfehlers fehlgeschlagen."
 
+-- Failed to read the user's username from the operating system.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T2909734556"] = "Der Benutzername konnte nicht aus dem Betriebssystem ausgelesen werden."
+
 -- Failed to retrieve the security requirements due to an exception: {0}
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T3221004295"] = "Die Sicherheitsanforderungen konnten wegen eines Problems nicht abgerufen werden: {0}"
 
@@ -6969,6 +7044,12 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T816853779"] = "Fehler
 -- Failed to retrieve the authentication methods: the ERI server did not return a valid response.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T984407320"] = "Fehler beim Abrufen der Authentifizierungsmethoden: Der ERI-Server hat keine gültige Antwort zurückgegeben."
 
+-- AI Studio couldn't install Pandoc because the archive was not found.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1059477764"] = "AI Studio konnte Pandoc nicht installieren, da das Archiv nicht gefunden wurde."
+
+-- Pandoc doesn't seem to be installed.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1090474732"] = "Pandoc scheint nicht installiert zu sein."
+
 -- Was not able to validate the Pandoc installation.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1364844008"] = "Die Pandoc-Installation konnte nicht überprüft werden."
 
@@ -6990,20 +7071,20 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T2550598062"] = "Pandoc v{0} ist insta
 -- Pandoc v{0} is installed, but it does not match the required version (v{1}).
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T2555465873"] = "Pandoc v{0} ist installiert, entspricht aber nicht der benötigten Version (v{1})."
 
--- Pandoc was not installed successfully, because the archive was not found.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T34210248"] = "Pandoc wurde nicht erfolgreich installiert, da das Archiv nicht gefunden wurde."
+-- AI Studio couldn't install Pandoc because the archive type is unknown.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3492710362"] = "AI Studio konnte Pandoc nicht installieren, da der Archivtyp unbekannt ist."
 
 -- Pandoc is not available on the system or the process had issues.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3746116957"] = "Pandoc ist auf dem System nicht verfügbar oder der Vorgang ist auf Probleme gestoßen."
 
--- Pandoc was not installed successfully, because the archive type is unknown.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3962211670"] = "Pandoc wurde nicht erfolgreich installiert, da der Archivtyp unbekannt ist."
+-- AI Studio couldn't install Pandoc because the executable was not found in the archive.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T403983772"] = "AI Studio konnte Pandoc nicht installieren, da die ausführbare Datei im Archiv nicht gefunden wurde."
 
--- It seems that Pandoc is not installed.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T567205144"] = "Es scheint, dass Pandoc nicht installiert ist."
+-- AI Studio couldn't find the latest Pandoc version and will install version {0} instead.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T695293525"] = "AI Studio konnte die neueste Pandoc-Version nicht finden und installiert stattdessen Version {0}."
 
--- The latest Pandoc version was not found, installing version {0} instead.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T726914939"] = "Die neueste Pandoc-Version wurde nicht gefunden, stattdessen wird Version {0} installiert."
+-- AI Studio couldn't install Pandoc.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T932858631"] = "AI Studio konnte Pandoc nicht installieren."
 
 -- Pandoc is required for Microsoft Word export.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOCEXPORT::T1473115556"] = "Pandoc wird für den Export nach Microsoft Word benötigt."
@@ -7494,6 +7575,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::PANDOCAVAILABILITYSERVICE::T18544701
 -- Pandoc may be required for importing files.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::PANDOCAVAILABILITYSERVICE::T2596465560"] = "Zum Importieren von Dateien kann Pandoc erforderlich sein."
 
+-- Failed to store the secret data due to an API issue.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::RUSTSERVICE::T1110203516"] = "Fehler beim Speichern der geheimen Daten aufgrund eines API-Problems."
+
 -- Failed to delete the secret data due to an API issue.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::RUSTSERVICE::T2303057928"] = "Das Löschen der geheimen Daten ist aufgrund eines API-Problems fehlgeschlagen."
 

app/MindWork AI Studio/Plugins/languages/en-us-97dfb1ba-50c4-4440-8dfa-6575daf543c8/plugin.lua

@@ -3633,6 +3633,9 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2879113658"] =
 -- Maximum matches per query
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2889706179"] = "Maximum matches per query"
 
+-- Failed to read the user's username from the operating system.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2909734556"] = "Failed to read the user's username from the operating system."
+
 -- Open web link, show more information
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T2968752071"] = "Open web link, show more information"
 
@@ -3684,6 +3687,27 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T742006305"] = "
 -- Embeddings
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERI_V1INFODIALOG::T951463987"] = "Embeddings"
 
+-- Use the same username and password for all users
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T1769874785"] = "Use the same username and password for all users"
+
+-- Username and password mode
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T1787063064"] = "Username and password mode"
+
+-- How should AI Studio export the username and password configuration for the ERI v1 data source '{0}'?
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T3081234668"] = "How should AI Studio export the username and password configuration for the ERI v1 data source '{0}'?"
+
+-- User-managed username and password
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T365340972"] = "User-managed username and password"
+
+-- Export
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T3898821075"] = "Export"
+
+-- Read each user's username from the operating system and share one password
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T76405695"] = "Read each user's username from the operating system and share one password"
+
+-- Cancel
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCEERIV1USERNAMEPASSWORDEXPORTDIALOG::T900713019"] = "Cancel"
+
 -- Describe what data this directory contains to help the AI select it.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::DATASOURCELOCALDIRECTORYDIALOG::T1136409150"] = "Describe what data this directory contains to help the AI select it."
 
@@ -4812,6 +4836,12 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T145419
 -- Delete
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1469573738"] = "Delete"
 
+-- Kerberos/SSO ERI data sources cannot be exported yet. Please configure them manually in the configuration plugin.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1577531115"] = "Kerberos/SSO ERI data sources cannot be exported yet. Please configure them manually in the configuration plugin."
+
+-- Cannot export this ERI data source because the authentication secret could not be encrypted.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1592527757"] = "Cannot export this ERI data source because the authentication secret could not be encrypted."
+
 -- External (ERI)
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T1652430727"] = "External (ERI)"
 
@@ -4842,6 +4872,9 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T269820
 -- Embedding
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T2838542994"] = "Embedding"
 
+-- This data source is managed by your organization.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3031462878"] = "This data source is managed by your organization."
+
 -- Edit
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3267849393"] = "Edit"
 
@@ -4866,21 +4899,39 @@ UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T352566
 -- No data sources configured yet.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3549650120"] = "No data sources configured yet."
 
+-- Export Access Token?
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3595669127"] = "Export Access Token?"
+
+-- Export ERI Data Source
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3831281036"] = "Export ERI Data Source"
+
 -- Actions
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T3865031940"] = "Actions"
 
+-- This ERI data source has an access token configured. Do you want to include the encrypted access token in the export? Note: The recipient will need the same encryption secret to use the access token.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T4027572258"] = "This ERI data source has an access token configured. Do you want to include the encrypted access token in the export? Note: The recipient will need the same encryption secret to use the access token."
+
 -- Configured Data Sources
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T543942217"] = "Configured Data Sources"
 
 -- Add ERI v1 Data Source
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T590005498"] = "Add ERI v1 Data Source"
 
+-- Cannot export this ERI data source because no enterprise encryption secret is configured.
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T750361472"] = "Cannot export this ERI data source because no enterprise encryption secret is configured."
+
 -- External Data (ERI-Server v1)
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T774473996"] = "External Data (ERI-Server v1)"
 
+-- Cannot export this ERI data source because no authentication secret is configured. The issue was: {0}
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T782820095"] = "Cannot export this ERI data source because no authentication secret is configured. The issue was: {0}"
+
 -- Local Directory
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T926703547"] = "Local Directory"
 
+-- Export configuration
+UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGDATASOURCES::T975426229"] = "Export configuration"
+
 -- When enabled, you can preselect some ERI server options.
 UI_TEXT_CONTENT["AISTUDIO::DIALOGS::SETTINGS::SETTINGSDIALOGERISERVER::T1280666275"] = "When enabled, you can preselect some ERI server options."
 
@@ -6021,18 +6072,12 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1890416390"] = "Check for update
 -- Vision
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1892426825"] = "Vision"
 
--- In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1915240766"] = "In order to use any LLM, each user must store their so-called API key for each LLM provider. This key must be kept secure, similar to a password. The safest way to do this is offered by operating systems like macOS, Windows, and Linux: They have mechanisms to store such data, if available, on special security hardware. Since this is currently not possible in .NET, we use this Rust library."
-
 -- This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1924365263"] = "This library is used to convert HTML to Markdown. This is necessary, e.g., when you provide a URL as input for an assistant."
 
 -- Encryption secret: is configured
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1931141322"] = "Encryption secret: is configured"
 
--- We use Rocket to implement the runtime API. This is necessary because the runtime must be able to communicate with the user interface (IPC). Rocket is a great framework for implementing web APIs in Rust.
-UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T1943216839"] = "We use Rocket to implement the runtime API. This is necessary because the runtime must be able to communicate with the user interface (IPC). Rocket is a great framework for implementing web APIs in Rust."
-
 -- Copies the following to the clipboard
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2029659664"] = "Copies the following to the clipboard"
 
@@ -6114,6 +6159,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2840227993"] = "Used .NET runtim
 -- Explanation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2840582448"] = "Explanation"
 
+-- checking availability
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2855535668"] = "checking availability"
+
 -- The .NET backend cannot be started as a desktop app. Therefore, I use a second backend in Rust, which I call runtime. With Rust as the runtime, Tauri can be used to realize a typical desktop app. Thanks to Rust, this app can be offered for Windows, macOS, and Linux desktops. Rust is a great language for developing safe and high-performance software.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T2868174483"] = "The .NET backend cannot be started as a desktop app. Therefore, I use a second backend in Rust, which I call runtime. With Rust as the runtime, Tauri can be used to realize a typical desktop app. Thanks to Rust, this app can be offered for Windows, macOS, and Linux desktops. Rust is a great language for developing safe and high-performance software."
 
@@ -6135,6 +6183,12 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3178730036"] = "Have feature ide
 -- Hide Details
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3183837919"] = "Hide Details"
 
+-- Axum server runs the internal axum service over a secure local connection. This helps AI Studio protect the communication between the Rust runtime and the user interface.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3208719461"] = "Axum server runs the internal axum service over a secure local connection. This helps AI Studio protect the communication between the Rust runtime and the user interface."
+
+-- Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3239817808"] = "Rustls helps secure the internal connection between the app's user interface and the Rust runtime. This protects the local communication that AI Studio needs while it is running."
+
 -- Update Pandoc
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3249965383"] = "Update Pandoc"
 
@@ -6159,6 +6213,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3449345633"] = "AI Studio runs w
 -- Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3494984593"] = "Tauri is used to host the Blazor user interface. It is a great project that allows the creation of desktop applications using web technologies. I love Tauri!"
 
+-- AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3527399572"] = "AI Studio stores secrets like API keys in your operating system’s secure credential store. The keyring-core library handles this by connecting to macOS Keychain, Windows Credential Manager, and Linux Secret Service."
+
 -- Motivation
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3563271893"] = "Motivation"
 
@@ -6168,6 +6225,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3574465749"] = "not available"
 -- This library is used to read Excel and OpenDocument spreadsheet files. This is necessary, e.g., for using spreadsheets as a data source for a chat.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3722989559"] = "This library is used to read Excel and OpenDocument spreadsheet files. This is necessary, e.g., for using spreadsheets as a data source for a chat."
 
+-- Username provided by the OS
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3764549776"] = "Username provided by the OS"
+
 -- this version does not met the requirements
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T3813932670"] = "this version does not met the requirements"
 
@@ -6189,6 +6249,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4010195468"] = "Versions"
 -- Database
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4036243672"] = "Database"
 
+-- This library is used by the Rust runtime to read the current user's username, e.g. when an organization-managed ERI server uses the OS username for authentication.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4060906280"] = "This library is used by the Rust runtime to read the current user's username, e.g. when an organization-managed ERI server uses the OS username for authentication."
+
 -- This library is used to create asynchronous streams in Rust. It allows us to work with streams of data that can be produced asynchronously, making it easier to handle events or data that arrive over time. We use this, e.g., to stream arbitrary data from the file system to the embedding system.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T4079152443"] = "This library is used to create asynchronous streams in Rust. It allows us to work with streams of data that can be produced asynchronously, making it easier to handle events or data that arrive over time. We use this, e.g., to stream arbitrary data from the file system to the embedding system."
 
@@ -6207,6 +6270,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T566998575"] = "This is a library
 -- Used .NET SDK
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T585329785"] = "Used .NET SDK"
 
+-- starting
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T594602073"] = "starting"
+
 -- This library is used to manage sidecar processes and to ensure that stale or zombie sidecars are detected and terminated.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T633932150"] = "This library is used to manage sidecar processes and to ensure that stale or zombie sidecars are detected and terminated."
 
@@ -6228,6 +6294,9 @@ UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T836298648"] = "Provided by confi
 -- We use this library to be able to read PowerPoint files. This allows us to insert content from slides into prompts and take PowerPoint files into account in RAG processes. We thank Nils Kruthoff for his work on this Rust crate.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T855925638"] = "We use this library to be able to read PowerPoint files. This allows us to insert content from slides into prompts and take PowerPoint files into account in RAG processes. We thank Nils Kruthoff for his work on this Rust crate."
 
+-- Axum is used to provide the small internal service that connects the Rust runtime with the app's user interface. This lets both parts of AI Studio exchange information while the app is running.
+UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T864851737"] = "Axum is used to provide the small internal service that connects the Rust runtime with the app's user interface. This lets both parts of AI Studio exchange information while the app is running."
+
 -- For some data transfers, we need to encode the data in base64. This Rust library is great for this purpose.
 UI_TEXT_CONTENT["AISTUDIO::PAGES::INFORMATION::T870640199"] = "For some data transfers, we need to encode the data in base64. This Rust library is great for this purpose."
 
@@ -6672,8 +6741,8 @@ UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T2708
 -- Unknown preview feature
 UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T2722827307"] = "Unknown preview feature"
 
--- Transcription: Preview of our speech to text system where you can transcribe recordings and audio files into text
-UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T714355911"] = "Transcription: Preview of our speech to text system where you can transcribe recordings and audio files into text"
+-- Transcription: Convert recordings and audio files into text
+UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::PREVIEWFEATURESEXTENSIONS::T4247148645"] = "Transcription: Convert recordings and audio files into text"
 
 -- Use no data sources, when sending an assistant result to a chat
 UI_TEXT_CONTENT["AISTUDIO::SETTINGS::DATAMODEL::SENDTOCHATDATASOURCEBEHAVIOREXTENSIONS::T1223925477"] = "Use no data sources, when sending an assistant result to a chat"
@@ -6840,6 +6909,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::CONFIDENCESCHEMESEXTENSIONS::T4107860491"] = "
 -- Reason
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T1093747001"] = "Reason"
 
+-- Starting
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T1233211769"] = "Starting"
+
 -- Unavailable
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::DATABASES::NODATABASECLIENT::T3662391977"] = "Unavailable"
 
@@ -6924,6 +6996,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T2858189239"] = "Faile
 -- Failed to retrieve the security requirements: the request was canceled either by the user or due to a timeout.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T286437836"] = "Failed to retrieve the security requirements: the request was canceled either by the user or due to a timeout."
 
+-- Failed to read the user's username from the operating system.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T2909734556"] = "Failed to read the user's username from the operating system."
+
 -- Failed to retrieve the security requirements due to an exception: {0}
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T3221004295"] = "Failed to retrieve the security requirements due to an exception: {0}"
 
@@ -6969,6 +7044,12 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T816853779"] = "Failed
 -- Failed to retrieve the authentication methods: the ERI server did not return a valid response.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::ERICLIENT::ERICLIENTV1::T984407320"] = "Failed to retrieve the authentication methods: the ERI server did not return a valid response."
 
+-- AI Studio couldn't install Pandoc because the archive was not found.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1059477764"] = "AI Studio couldn't install Pandoc because the archive was not found."
+
+-- Pandoc doesn't seem to be installed.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1090474732"] = "Pandoc doesn't seem to be installed."
+
 -- Was not able to validate the Pandoc installation.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T1364844008"] = "Was not able to validate the Pandoc installation."
 
@@ -6990,20 +7071,20 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T2550598062"] = "Pandoc v{0} is instal
 -- Pandoc v{0} is installed, but it does not match the required version (v{1}).
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T2555465873"] = "Pandoc v{0} is installed, but it does not match the required version (v{1})."
 
--- Pandoc was not installed successfully, because the archive was not found.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T34210248"] = "Pandoc was not installed successfully, because the archive was not found."
+-- AI Studio couldn't install Pandoc because the archive type is unknown.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3492710362"] = "AI Studio couldn't install Pandoc because the archive type is unknown."
 
 -- Pandoc is not available on the system or the process had issues.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3746116957"] = "Pandoc is not available on the system or the process had issues."
 
--- Pandoc was not installed successfully, because the archive type is unknown.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T3962211670"] = "Pandoc was not installed successfully, because the archive type is unknown."
+-- AI Studio couldn't install Pandoc because the executable was not found in the archive.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T403983772"] = "AI Studio couldn't install Pandoc because the executable was not found in the archive."
 
--- It seems that Pandoc is not installed.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T567205144"] = "It seems that Pandoc is not installed."
+-- AI Studio couldn't find the latest Pandoc version and will install version {0} instead.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T695293525"] = "AI Studio couldn't find the latest Pandoc version and will install version {0} instead."
 
--- The latest Pandoc version was not found, installing version {0} instead.
-UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T726914939"] = "The latest Pandoc version was not found, installing version {0} instead."
+-- AI Studio couldn't install Pandoc.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOC::T932858631"] = "AI Studio couldn't install Pandoc."
 
 -- Pandoc is required for Microsoft Word export.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::PANDOCEXPORT::T1473115556"] = "Pandoc is required for Microsoft Word export."
@@ -7494,6 +7575,9 @@ UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::PANDOCAVAILABILITYSERVICE::T18544701
 -- Pandoc may be required for importing files.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::PANDOCAVAILABILITYSERVICE::T2596465560"] = "Pandoc may be required for importing files."
 
+-- Failed to store the secret data due to an API issue.
+UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::RUSTSERVICE::T1110203516"] = "Failed to store the secret data due to an API issue."
+
 -- Failed to delete the secret data due to an API issue.
 UI_TEXT_CONTENT["AISTUDIO::TOOLS::SERVICES::RUSTSERVICE::T2303057928"] = "Failed to delete the secret data due to an API issue."
 

app/MindWork AI Studio/Program.cs

@@ -2,7 +2,6 @@ using AIStudio.Agents;
 using AIStudio.Agents.AssistantAudit;
 using AIStudio.Settings;
 using AIStudio.Tools.Databases;
-using AIStudio.Tools.Databases.Qdrant;
 using AIStudio.Tools.PluginSystem;
 using AIStudio.Tools.PluginSystem.Assistants;
 using AIStudio.Tools.Services;
@@ -28,7 +27,7 @@ internal sealed class Program
     public static string API_TOKEN = null!;
     public static IServiceProvider SERVICE_PROVIDER = null!;
     public static ILoggerFactory LOGGER_FACTORY = null!;
-    public static DatabaseClient DATABASE_CLIENT = null!;
+    public static DatabaseClientProvider DATABASE_CLIENT_PROVIDER = null!;
     
     public static async Task Main()
     {
@@ -87,48 +86,6 @@ internal sealed class Program
             return;
         }
         
-        var qdrantInfo = await rust.GetQdrantInfo();
-        DatabaseClient databaseClient;
-        if (!qdrantInfo.IsAvailable)
-        {
-            Console.WriteLine($"Warning: Qdrant is not available. Starting without vector database. Reason: '{qdrantInfo.UnavailableReason ?? "unknown"}'.");
-            databaseClient = new NoDatabaseClient("Qdrant", qdrantInfo.UnavailableReason);
-        }
-        else
-        {
-            if (qdrantInfo.Path == string.Empty)
-            {
-                Console.WriteLine("Error: Failed to get the Qdrant path from Rust.");
-                return;
-            }
-            
-            if (qdrantInfo.PortHttp == 0)
-            {
-                Console.WriteLine("Error: Failed to get the Qdrant HTTP port from Rust.");
-                return;
-            }
-
-            if (qdrantInfo.PortGrpc == 0)
-            {
-                Console.WriteLine("Error: Failed to get the Qdrant gRPC port from Rust.");
-                return;
-            }
-
-            if (qdrantInfo.Fingerprint == string.Empty)
-            {
-                Console.WriteLine("Error: Failed to get the Qdrant fingerprint from Rust.");
-                return;
-            }
-            
-            if (qdrantInfo.ApiToken == string.Empty)
-            {
-                Console.WriteLine("Error: Failed to get the Qdrant API token from Rust.");
-                return;
-            }
-
-            databaseClient = new QdrantClientImplementation("Qdrant", qdrantInfo.Path, qdrantInfo.PortHttp, qdrantInfo.PortGrpc, qdrantInfo.Fingerprint, qdrantInfo.ApiToken);
-        }
-        
         var builder = WebApplication.CreateBuilder();
         builder.WebHost.ConfigureKestrel(kestrelServerOptions =>
         {
@@ -183,7 +140,7 @@ internal sealed class Program
         builder.Services.AddHostedService<UpdateService>();
         builder.Services.AddHostedService<TemporaryChatService>();
         builder.Services.AddHostedService<EnterpriseEnvironmentService>();
-        builder.Services.AddSingleton(databaseClient);
+        builder.Services.AddSingleton<DatabaseClientProvider>();
         builder.Services.AddHostedService<GlobalShortcutService>();
         builder.Services.AddHostedService<RustAvailabilityMonitorService>();
         
@@ -242,10 +199,7 @@ internal sealed class Program
 
         RUST_SERVICE = rust;
         ENCRYPTION = encryption;
-        
-        var databaseLogger = app.Services.GetRequiredService<ILogger<DatabaseClient>>();
-        databaseClient.SetLogger(databaseLogger);
-        DATABASE_CLIENT = databaseClient;
+        DATABASE_CLIENT_PROVIDER = app.Services.GetRequiredService<DatabaseClientProvider>();
 
         programLogger.LogInformation("Initialize internal file system.");
         app.Use(Redirect.HandlerContentAsync);
@@ -283,7 +237,7 @@ internal sealed class Program
         await serverTask;
         
         RUST_SERVICE.Dispose();
-        DATABASE_CLIENT.Dispose();
+        DATABASE_CLIENT_PROVIDER.Dispose();
         PluginFactory.Dispose();
         programLogger.LogInformation("The AI Studio server was stopped.");
     }

app/MindWork AI Studio/Settings/DataModel/DataSourceERIUsernamePasswordMode.cs

@@ -0,0 +1,19 @@
+namespace AIStudio.Settings.DataModel;
+
+public enum DataSourceERIUsernamePasswordMode
+{
+    /// <summary>
+    /// The user manages the username and password locally.
+    /// </summary>
+    USER_MANAGED,
+
+    /// <summary>
+    /// The username and password are shared by all users and provided by configuration.
+    /// </summary>
+    SHARED_USERNAME_AND_PASSWORD,
+
+    /// <summary>
+    /// The username is read from the operating system, and the password is shared by all users.
+    /// </summary>
+    OS_USERNAME_SHARED_PASSWORD,
+}

app/MindWork AI Studio/Settings/DataModel/DataSourceERI_V1.cs

@@ -4,9 +4,12 @@ using AIStudio.Assistants.ERI;
 using AIStudio.Chat;
 using AIStudio.Tools.ERIClient;
 using AIStudio.Tools.ERIClient.DataModel;
+using AIStudio.Tools.PluginSystem;
 using AIStudio.Tools.RAG;
 using AIStudio.Tools.Services;
 
+using Lua;
+
 using ChatThread = AIStudio.Chat.ChatThread;
 using ContentType = AIStudio.Tools.ERIClient.DataModel.ContentType;
 
@@ -17,6 +20,8 @@ namespace AIStudio.Settings.DataModel;
 /// </summary>
 public readonly record struct DataSourceERI_V1 : IERIDataSource
 {
+    private static readonly ILogger<DataSourceERI_V1> LOGGER = Program.LOGGER_FACTORY.CreateLogger<DataSourceERI_V1>();
+
     public DataSourceERI_V1()
     {
     }
@@ -45,9 +50,18 @@ public readonly record struct DataSourceERI_V1 : IERIDataSource
     /// <inheritdoc />
     public string Username { get; init; } = string.Empty;
 
+    /// <inheritdoc />
+    public DataSourceERIUsernamePasswordMode UsernamePasswordMode { get; init; } = DataSourceERIUsernamePasswordMode.USER_MANAGED;
+
     /// <inheritdoc />
     public DataSourceSecurity SecurityPolicy { get; init; } = DataSourceSecurity.NOT_SPECIFIED;
 
+    /// <inheritdoc />
+    public bool IsEnterpriseConfiguration { get; init; }
+
+    /// <inheritdoc />
+    public Guid EnterpriseConfigurationPluginId { get; init; } = Guid.Empty;
+    
     /// <inheritdoc />
     public ERIVersion Version { get; init; } = ERIVersion.V1;
     
@@ -82,7 +96,7 @@ public readonly record struct DataSourceERI_V1 : IERIDataSource
                 
                 Thread = await thread.ToERIChatThread(token),
                 MaxMatches = this.MaxMatches,
-                RetrievalProcessId = string.IsNullOrWhiteSpace(this.SelectedRetrievalId) ? null : this.SelectedRetrievalId,
+                RetrievalProcessId = this.SelectedRetrievalId,
                 Parameters = null, // The ERI server selects useful default parameters
             };
             
@@ -139,4 +153,240 @@ public readonly record struct DataSourceERI_V1 : IERIDataSource
         logger.LogWarning($"Was not able to authenticate with the ERI data source '{this.Name}'. Message: {authResponse.Message}");
         return [];
     }
+
+    public static bool TryParseConfiguration(int idx, LuaTable table, Guid configPluginId, out DataSourceERI_V1 dataSource)
+    {
+        dataSource = default;
+        if (!table.TryGetValue("Id", out var idValue) || !idValue.TryRead<string>(out var idText) || !Guid.TryParse(idText, out var id))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid ID. The ID must be a valid GUID. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("Name", out var nameValue) || !nameValue.TryRead<string>(out var name) || string.IsNullOrWhiteSpace(name))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid name. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("Type", out var typeValue) || !typeValue.TryRead<string>(out var typeText) || !Enum.TryParse<DataSourceType>(typeText, true, out var type) || type is not DataSourceType.ERI_V1)
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a supported data source type. Only ERI_V1 is supported. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("Hostname", out var hostnameValue) || !hostnameValue.TryRead<string>(out var hostname) || string.IsNullOrWhiteSpace(hostname))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid hostname. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("Port", out var portValue) || !portValue.TryRead<int>(out var port) || port is < 1 or > 65535)
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid port. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("AuthMethod", out var authMethodValue) || !authMethodValue.TryRead<string>(out var authMethodText) || !Enum.TryParse<AuthMethod>(authMethodText, true, out var authMethod))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid auth method. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("SecurityPolicy", out var securityPolicyValue) || !securityPolicyValue.TryRead<string>(out var securityPolicyText) || !Enum.TryParse<DataSourceSecurity>(securityPolicyText, true, out var securityPolicy))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid security policy. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (securityPolicy is DataSourceSecurity.NOT_SPECIFIED)
+        {
+            LOGGER.LogWarning($"The configured data source {idx} must specify a security policy. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("SelectedRetrievalId", out var selectedRetrievalIdValue) || !selectedRetrievalIdValue.TryRead<string>(out var selectedRetrievalId) || string.IsNullOrWhiteSpace(selectedRetrievalId))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} must specify a selected retrieval ID. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!table.TryGetValue("MaxMatches", out var maxMatchesValue) || !maxMatchesValue.TryRead<int>(out var maxMatches) || maxMatches is < 1 or > ushort.MaxValue)
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid maximum number of matches. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        var username = string.Empty;
+        var usernamePasswordMode = DataSourceERIUsernamePasswordMode.USER_MANAGED;
+        if (table.TryGetValue("UsernamePasswordMode", out var usernamePasswordModeValue) && usernamePasswordModeValue.TryRead<string>(out var usernamePasswordModeText))
+        {
+            if (!Enum.TryParse(usernamePasswordModeText, true, out usernamePasswordMode))
+            {
+                LOGGER.LogWarning($"The configured data source {idx} does not contain a valid username/password mode. (Plugin ID: {configPluginId})");
+                return false;
+            }
+
+            if (usernamePasswordMode is DataSourceERIUsernamePasswordMode.USER_MANAGED)
+            {
+                LOGGER.LogWarning($"The configured data source {idx} uses the user-managed username/password mode. This mode is not allowed in configuration plugins. (Plugin ID: {configPluginId})");
+                return false;
+            }
+        }
+
+        if (authMethod is AuthMethod.USERNAME_PASSWORD)
+        {
+            if (!table.TryGetValue("UsernamePasswordMode", out _) || usernamePasswordMode is DataSourceERIUsernamePasswordMode.USER_MANAGED)
+            {
+                LOGGER.LogWarning($"The configured data source {idx} must specify an organization-managed username/password mode. (Plugin ID: {configPluginId})");
+                return false;
+            }
+
+            if (usernamePasswordMode is DataSourceERIUsernamePasswordMode.SHARED_USERNAME_AND_PASSWORD &&
+                (!table.TryGetValue("Username", out var usernameValue) || !usernameValue.TryRead<string>(out username) || string.IsNullOrWhiteSpace(username)))
+            {
+                LOGGER.LogWarning($"The configured data source {idx} must specify a username. (Plugin ID: {configPluginId})");
+                return false;
+            }
+        }
+
+        dataSource = new DataSourceERI_V1
+        {
+            Num = 0,
+            Id = id.ToString(),
+            Name = name,
+            Type = DataSourceType.ERI_V1,
+            Hostname = CleanHostname(hostname),
+            Port = port,
+            AuthMethod = authMethod,
+            Username = username,
+            UsernamePasswordMode = usernamePasswordMode,
+            SecurityPolicy = securityPolicy,
+            Version = ERIVersion.V1,
+            SelectedRetrievalId = selectedRetrievalId,
+            MaxMatches = (ushort)maxMatches,
+            IsEnterpriseConfiguration = true,
+            EnterpriseConfigurationPluginId = configPluginId,
+        };
+
+        return TryQueueEnterpriseSecret(idx, table, configPluginId, dataSource);
+    }
+
+    /// <summary>
+    /// Exports the ERI v1 data source configuration as a Lua configuration section.
+    /// </summary>
+    /// <param name="encryptedSecret">Optional encrypted token or password to include in the export.</param>
+    /// <param name="usernamePasswordMode">The organization-managed username/password mode to export.</param>
+    /// <returns>A Lua configuration section string.</returns>
+    public string ExportAsConfigurationSection(string? encryptedSecret = null, DataSourceERIUsernamePasswordMode usernamePasswordMode = DataSourceERIUsernamePasswordMode.USER_MANAGED)
+    {
+        var secretLine = string.Empty;
+        var usernamePasswordModeLine = string.Empty;
+        var usernameLine = string.Empty;
+
+        switch (this.AuthMethod)
+        {
+            case AuthMethod.TOKEN:
+                secretLine = CreateSecretLine("Token", encryptedSecret);
+                break;
+
+            case AuthMethod.USERNAME_PASSWORD:
+                if (usernamePasswordMode is DataSourceERIUsernamePasswordMode.USER_MANAGED)
+                    usernamePasswordMode = DataSourceERIUsernamePasswordMode.OS_USERNAME_SHARED_PASSWORD;
+
+                usernamePasswordModeLine = $"""
+                                           ["UsernamePasswordMode"] = "{usernamePasswordMode}",
+                                           """;
+
+                if (usernamePasswordMode is DataSourceERIUsernamePasswordMode.SHARED_USERNAME_AND_PASSWORD)
+                {
+                    var username = string.IsNullOrWhiteSpace(this.Username) ? "<shared username>" : this.Username;
+                    usernameLine = $"""
+                                   ["Username"] = "{LuaTools.EscapeLuaString(username)}",
+                                   """;
+                }
+
+                secretLine = CreateSecretLine("Password", encryptedSecret);
+                break;
+        }
+
+        return $$"""
+                CONFIG["DATA_SOURCES"][#CONFIG["DATA_SOURCES"]+1] = {
+                    ["Id"] = "{{Guid.NewGuid().ToString()}}",
+                    ["Name"] = "{{LuaTools.EscapeLuaString(this.Name)}}",
+                    ["Type"] = "ERI_V1",
+                    ["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}",
+                    ["Port"] = {{this.Port}},
+                    ["AuthMethod"] = "{{this.AuthMethod}}",
+                    {{usernamePasswordModeLine}}
+                    {{usernameLine}}
+                    {{secretLine}}
+                    ["SecurityPolicy"] = "{{this.SecurityPolicy}}",
+                    ["SelectedRetrievalId"] = "{{LuaTools.EscapeLuaString(this.SelectedRetrievalId)}}",
+                    ["MaxMatches"] = {{this.MaxMatches}},
+                }
+                """;
+    }
+
+    private static bool TryQueueEnterpriseSecret(int idx, LuaTable table, Guid configPluginId, DataSourceERI_V1 dataSource)
+    {
+        var secretFieldName = dataSource.AuthMethod switch
+        {
+            AuthMethod.TOKEN => "Token",
+            AuthMethod.USERNAME_PASSWORD => "Password",
+            _ => string.Empty,
+        };
+
+        if (string.IsNullOrWhiteSpace(secretFieldName))
+            return true;
+
+        if (!table.TryGetValue(secretFieldName, out var secretValue) || !secretValue.TryRead<string>(out var encryptedSecret) || string.IsNullOrWhiteSpace(encryptedSecret))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} does not contain a valid encrypted {secretFieldName}. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!EnterpriseEncryption.IsEncrypted(encryptedSecret))
+        {
+            LOGGER.LogWarning($"The configured data source {idx} contains a plaintext {secretFieldName}. Only encrypted secrets (starting with 'ENC:v1:') are supported. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        var encryption = PluginFactory.EnterpriseEncryption;
+        if (encryption?.IsAvailable != true)
+        {
+            LOGGER.LogWarning($"The configured data source {idx} contains an encrypted {secretFieldName}, but no encryption secret is configured. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        if (!encryption.TryDecrypt(encryptedSecret, out var decryptedSecret))
+        {
+            LOGGER.LogWarning($"Failed to decrypt the {secretFieldName} for data source {idx}. The encryption secret may be incorrect. (Plugin ID: {configPluginId})");
+            return false;
+        }
+
+        PendingEnterpriseSecrets.Add(new(
+            $"{ISecretId.ENTERPRISE_KEY_PREFIX}::{dataSource.Id}",
+            dataSource.Name,
+            decryptedSecret,
+            SecretStoreType.DATA_SOURCE));
+        LOGGER.LogDebug($"Successfully decrypted the {secretFieldName} for data source {idx}. It will be stored in the OS keyring. (Plugin ID: {configPluginId})");
+        return true;
+    }
+
+    private static string CreateSecretLine(string fieldName, string? encryptedSecret)
+    {
+        if (string.IsNullOrWhiteSpace(encryptedSecret))
+            return string.Empty;
+
+        return $"""
+               ["{fieldName}"] = "{LuaTools.EscapeLuaString(encryptedSecret)}",
+               """;
+    }
+
+    private static string CleanHostname(string hostname)
+    {
+        var cleanedHostname = hostname.Trim();
+        return cleanedHostname.EndsWith('/') ? cleanedHostname[..^1] : cleanedHostname;
+    }
 }

app/MindWork AI Studio/Settings/DataModel/DataSourceLocalDirectory.cs

@@ -36,6 +36,12 @@ public readonly record struct DataSourceLocalDirectory : IInternalDataSource
     /// <inheritdoc />
     public DataSourceSecurity SecurityPolicy { get; init; } = DataSourceSecurity.NOT_SPECIFIED;
 
+    /// <inheritdoc />
+    public bool IsEnterpriseConfiguration { get; init; }
+
+    /// <inheritdoc />
+    public Guid EnterpriseConfigurationPluginId { get; init; } = Guid.Empty;
+    
     /// <inheritdoc />
     public ushort MaxMatches { get; init; } = 10;
     

app/MindWork AI Studio/Settings/DataModel/DataSourceLocalFile.cs

@@ -36,6 +36,12 @@ public readonly record struct DataSourceLocalFile : IInternalDataSource
     /// <inheritdoc />
     public DataSourceSecurity SecurityPolicy { get; init; } = DataSourceSecurity.NOT_SPECIFIED;
 
+    /// <inheritdoc />
+    public bool IsEnterpriseConfiguration { get; init; }
+
+    /// <inheritdoc />
+    public Guid EnterpriseConfigurationPluginId { get; init; } = Guid.Empty;
+    
     /// <inheritdoc />
     public ushort MaxMatches { get; init; } = 10;
     

app/MindWork AI Studio/Settings/DataModel/PreviewFeaturesExtensions.cs

@@ -14,7 +14,7 @@ public static class PreviewFeaturesExtensions
         PreviewFeatures.PRE_PLUGINS_2025 => TB("Plugins: Preview of our plugin system where you can extend the functionality of the app"),
         PreviewFeatures.PRE_READ_PDF_2025 => TB("Read PDF: Preview of our PDF reading system where you can read and extract text from PDF files"),
         PreviewFeatures.PRE_DOCUMENT_ANALYSIS_2025 => TB("Document Analysis: Preview of our document analysis system where you can analyze and extract information from documents"),
-        PreviewFeatures.PRE_SPEECH_TO_TEXT_2026 => TB("Transcription: Preview of our speech to text system where you can transcribe recordings and audio files into text"),
+        PreviewFeatures.PRE_SPEECH_TO_TEXT_2026 => TB("Transcription: Convert recordings and audio files into text"),
         
         _ => TB("Unknown preview feature")
     };
@@ -33,6 +33,7 @@ public static class PreviewFeaturesExtensions
         PreviewFeatures.PRE_READ_PDF_2025 => true,
         PreviewFeatures.PRE_PLUGINS_2025 => true,
         PreviewFeatures.PRE_DOCUMENT_ANALYSIS_2025 => true,
+        PreviewFeatures.PRE_SPEECH_TO_TEXT_2026 => true,
         
         _ => false
     };

app/MindWork AI Studio/Settings/DataModel/PreviewVisibilityExtensions.cs

@@ -12,7 +12,6 @@ public static class PreviewVisibilityExtensions
         if (visibility >= PreviewVisibility.BETA)
         {
             features.Add(PreviewFeatures.PRE_DOCUMENT_ANALYSIS_2025);
-            features.Add(PreviewFeatures.PRE_SPEECH_TO_TEXT_2026);
         }
         
         if (visibility >= PreviewVisibility.ALPHA)

app/MindWork AI Studio/Settings/IDataSource.cs

@@ -2,6 +2,7 @@ using System.Text.Json.Serialization;
 
 using AIStudio.Chat;
 using AIStudio.Settings.DataModel;
+using AIStudio.Tools.PluginSystem;
 using AIStudio.Tools.RAG;
 
 namespace AIStudio.Settings;
@@ -13,23 +14,8 @@ namespace AIStudio.Settings;
 [JsonDerivedType(typeof(DataSourceLocalDirectory), nameof(DataSourceType.LOCAL_DIRECTORY))]
 [JsonDerivedType(typeof(DataSourceLocalFile), nameof(DataSourceType.LOCAL_FILE))]
 [JsonDerivedType(typeof(DataSourceERI_V1), nameof(DataSourceType.ERI_V1))]
-public interface IDataSource
+public interface IDataSource : IConfigurationObject
 {
-    /// <summary>
-    /// The number of the data source.
-    /// </summary>
-    public uint Num { get; init; }
-
-    /// <summary>
-    /// The unique identifier of the data source.
-    /// </summary>
-    public string Id { get; init; }
-
-    /// <summary>
-    /// The name of the data source.
-    /// </summary>
-    public string Name { get; init; }
-
     /// <summary>
     /// Which type of data source is this?
     /// </summary>

app/MindWork AI Studio/Settings/IERIDataSource.cs

@@ -1,4 +1,5 @@
 using AIStudio.Assistants.ERI;
+using AIStudio.Settings.DataModel;
 using AIStudio.Tools.ERIClient.DataModel;
 
 namespace AIStudio.Settings;
@@ -25,6 +26,11 @@ public interface IERIDataSource : IExternalDataSource
     /// </summary>
     public string Username { get; init; }
 
+    /// <summary>
+    /// How username/password authentication should obtain the username.
+    /// </summary>
+    public DataSourceERIUsernamePasswordMode UsernamePasswordMode { get; init; }
+    
     /// <summary>
     /// The ERI specification to use.
     /// </summary>

app/MindWork AI Studio/Settings/IExternalDataSource.cs

@@ -7,7 +7,7 @@ public interface IExternalDataSource : IDataSource, ISecretId
     #region Implementation of ISecretId
 
     [JsonIgnore]
-    string ISecretId.SecretId => this.Id;
+    string ISecretId.SecretId => this.IsEnterpriseConfiguration ? $"{ENTERPRISE_KEY_PREFIX}::{this.Id}" : this.Id;
 
     [JsonIgnore]
     string ISecretId.SecretName => this.Name;

app/MindWork AI Studio/Tools/Databases/DatabaseClient.cs

@@ -4,7 +4,11 @@ public abstract class DatabaseClient(string name, string path)
 {
     public string Name => name;
 
-    public virtual bool IsAvailable => true;
+    public virtual string CacheKey => name;
+
+    public virtual DatabaseClientStatus Status => DatabaseClientStatus.AVAILABLE;
+
+    public bool IsAvailable => this.Status is DatabaseClientStatus.AVAILABLE;
     
     private string Path => path;
 

app/MindWork AI Studio/Tools/Databases/DatabaseClientProvider.cs

@@ -0,0 +1,180 @@
+using AIStudio.Tools.Databases.Qdrant;
+using AIStudio.Tools.Rust;
+using AIStudio.Tools.Services;
+
+namespace AIStudio.Tools.Databases;
+
+public sealed class DatabaseClientProvider(RustService rustService, ILoggerFactory loggerFactory) : IDisposable
+{
+    private readonly Dictionary<DatabaseRole, DatabaseClient> clients = new();
+    private readonly Dictionary<DatabaseRole, SemaphoreSlim> locks = new();
+    private readonly Lock locksLock = new();
+    private readonly ILogger<DatabaseClientProvider> logger = loggerFactory.CreateLogger<DatabaseClientProvider>();
+    private readonly ILogger<DatabaseClient> databaseClientLogger = loggerFactory.CreateLogger<DatabaseClient>();
+
+    public async Task<DatabaseClient> GetClientAsync(DatabaseRole databaseRole, CancellationToken cancellationToken = default)
+    {
+        var databaseLock = this.GetLock(databaseRole);
+        await databaseLock.WaitAsync(cancellationToken);
+        try
+        {
+            if (this.clients.TryGetValue(databaseRole, out var cachedClient) && cachedClient.IsAvailable)
+                return cachedClient;
+
+            var client = await this.CreateClientAsync(databaseRole, cancellationToken);
+            return this.CacheIfAvailable(databaseRole, client);
+        }
+        finally
+        {
+            databaseLock.Release();
+        }
+    }
+
+    public async Task<DatabaseClient> RefreshClientAsync(DatabaseRole databaseRole, CancellationToken cancellationToken = default)
+    {
+        var databaseLock = this.GetLock(databaseRole);
+        await databaseLock.WaitAsync(cancellationToken);
+        try
+        {
+            var client = await this.CreateClientAsync(databaseRole, cancellationToken);
+            return this.CacheIfAvailable(databaseRole, client);
+        }
+        finally
+        {
+            databaseLock.Release();
+        }
+    }
+
+    private DatabaseClient CacheIfAvailable(DatabaseRole databaseRole, DatabaseClient client)
+    {
+        if (!client.IsAvailable)
+            return client;
+
+        if (this.clients.TryGetValue(databaseRole, out var cachedClient))
+        {
+            if (IsSameClient(cachedClient, client))
+            {
+                client.Dispose();
+                return cachedClient;
+            }
+
+            cachedClient.Dispose();
+        }
+
+        this.clients[databaseRole] = client;
+        return client;
+    }
+
+    private SemaphoreSlim GetLock(DatabaseRole databaseRole)
+    {
+        lock (this.locksLock)
+        {
+            if (this.locks.TryGetValue(databaseRole, out var databaseLock))
+                return databaseLock;
+
+            databaseLock = new SemaphoreSlim(1, 1);
+            this.locks[databaseRole] = databaseLock;
+            return databaseLock;
+        }
+    }
+
+    private async Task<DatabaseClient> CreateClientAsync(DatabaseRole databaseRole, CancellationToken cancellationToken) => databaseRole switch
+    {
+        DatabaseRole.VECTOR_STORE => await this.CreateQdrantClientAsync(cancellationToken),
+        _ => new NoDatabaseClient(databaseRole.ToString(), "The requested database role is not supported.")
+    };
+
+    private async Task<DatabaseClient> CreateQdrantClientAsync(CancellationToken cancellationToken)
+    {
+        var qdrantInfo = await rustService.GetQdrantInfo(cancellationToken);
+        if (qdrantInfo.Status is QdrantStatus.STARTING)
+        {
+            return this.CreateNoDatabaseClient(
+                "Qdrant",
+                "Qdrant is starting. Details will appear shortly.",
+                DatabaseClientStatus.STARTING);
+        }
+
+        if (!qdrantInfo.IsAvailable || qdrantInfo.Status is QdrantStatus.UNAVAILABLE)
+        {
+            var reason = qdrantInfo.UnavailableReason ?? "unknown";
+            this.logger.LogWarning("Qdrant is not available. Starting without vector database. Reason: '{Reason}'.", reason);
+            return this.CreateNoDatabaseClient("Qdrant", qdrantInfo.UnavailableReason, DatabaseClientStatus.UNAVAILABLE);
+        }
+
+        if (!HasValidQdrantConnectionInfo(qdrantInfo, out var invalidReason))
+            return this.CreateNoDatabaseClient("Qdrant", invalidReason, DatabaseClientStatus.UNAVAILABLE);
+
+        var client = new QdrantClientImplementation("Qdrant", qdrantInfo.Path, qdrantInfo.PortHttp, qdrantInfo.PortGrpc, qdrantInfo.Fingerprint, qdrantInfo.ApiToken);
+        client.SetLogger(this.databaseClientLogger);
+
+        try
+        {
+            await client.CheckAvailabilityAsync();
+            return client;
+        }
+        catch (Exception e)
+        {
+            client.Dispose();
+            this.logger.LogWarning(e, "Qdrant reported as available by Rust, but the health check failed.");
+            return this.CreateNoDatabaseClient("Qdrant", e.Message, DatabaseClientStatus.STARTING);
+        }
+    }
+
+    private static bool HasValidQdrantConnectionInfo(QdrantInfo qdrantInfo, out string invalidReason)
+    {
+        if (qdrantInfo.Path == string.Empty)
+        {
+            invalidReason = "Failed to get the Qdrant path from Rust.";
+            return false;
+        }
+
+        if (qdrantInfo.PortHttp == 0)
+        {
+            invalidReason = "Failed to get the Qdrant HTTP port from Rust.";
+            return false;
+        }
+
+        if (qdrantInfo.PortGrpc == 0)
+        {
+            invalidReason = "Failed to get the Qdrant gRPC port from Rust.";
+            return false;
+        }
+
+        if (qdrantInfo.Fingerprint == string.Empty)
+        {
+            invalidReason = "Failed to get the Qdrant fingerprint from Rust.";
+            return false;
+        }
+
+        if (qdrantInfo.ApiToken == string.Empty)
+        {
+            invalidReason = "Failed to get the Qdrant API token from Rust.";
+            return false;
+        }
+
+        invalidReason = string.Empty;
+        return true;
+    }
+
+    private NoDatabaseClient CreateNoDatabaseClient(string name, string? unavailableReason, DatabaseClientStatus status)
+    {
+        var client = new NoDatabaseClient(name, unavailableReason, status);
+        client.SetLogger(this.databaseClientLogger);
+        return client;
+    }
+
+    private static bool IsSameClient(DatabaseClient left, DatabaseClient right) =>
+        left.IsAvailable
+        && right.IsAvailable
+        && left.CacheKey == right.CacheKey;
+
+    public void Dispose()
+    {
+        foreach (var client in this.clients.Values)
+            client.Dispose();
+
+        foreach (var databaseLock in this.locks.Values)
+            databaseLock.Dispose();
+    }
+}

app/MindWork AI Studio/Tools/Databases/DatabaseClientStatus.cs

@@ -0,0 +1,8 @@
+namespace AIStudio.Tools.Databases;
+
+public enum DatabaseClientStatus
+{
+    STARTING,
+    AVAILABLE,
+    UNAVAILABLE,
+}

app/MindWork AI Studio/Tools/Databases/DatabaseRole.cs

@@ -0,0 +1,6 @@
+namespace AIStudio.Tools.Databases;
+
+public enum DatabaseRole
+{
+    VECTOR_STORE,
+}

app/MindWork AI Studio/Tools/Databases/NoDatabaseClient.cs

@@ -2,15 +2,19 @@ using AIStudio.Tools.PluginSystem;
 
 namespace AIStudio.Tools.Databases;
 
-public sealed class NoDatabaseClient(string name, string? unavailableReason) : DatabaseClient(name, string.Empty)
+public sealed class NoDatabaseClient(string name, string? unavailableReason, DatabaseClientStatus status = DatabaseClientStatus.UNAVAILABLE) : DatabaseClient(name, string.Empty)
 {
     private static string TB(string fallbackEN) => I18N.I.T(fallbackEN, typeof(NoDatabaseClient).Namespace, nameof(NoDatabaseClient));
     
-    public override bool IsAvailable => false;
+    public override DatabaseClientStatus Status => status;
 
     public override async IAsyncEnumerable<(string Label, string Value)> GetDisplayInfo()
     {
-        yield return (TB("Status"), TB("Unavailable"));
+        yield return (TB("Status"), status switch
+        {
+            DatabaseClientStatus.STARTING => TB("Starting"),
+            _ => TB("Unavailable")
+        });
 
         if (!string.IsNullOrWhiteSpace(unavailableReason))
             yield return (TB("Reason"), unavailableReason);

app/MindWork AI Studio/Tools/Databases/Qdrant/QdrantClientImplementation.cs

@@ -27,6 +27,8 @@ public class QdrantClientImplementation : DatabaseClient
         this.GrpcClient = this.CreateQdrantClient();
     }
 
+    public override string CacheKey => $"{this.Name}:{this.HttpPort}:{this.GrpcPort}:{this.Fingerprint}";
+    
     private const string IP_ADDRESS = "localhost";
 
     private QdrantClient CreateQdrantClient()
@@ -47,6 +49,11 @@ public class QdrantClientImplementation : DatabaseClient
         return $"v{operation.Version}";
     }
 
+    public async Task CheckAvailabilityAsync()
+    {
+        await this.GrpcClient.HealthAsync();
+    }
+
     private async Task<string> GetCollectionsAmount()
     {
         var operation = await this.GrpcClient.ListCollectionsAsync();

app/MindWork AI Studio/Tools/ERIClient/ERIClientV1.cs

@@ -2,6 +2,7 @@ using System.Text;
 using System.Text.Json;
 
 using AIStudio.Settings;
+using AIStudio.Settings.DataModel;
 using AIStudio.Tools.ERIClient.DataModel;
 using AIStudio.Tools.PluginSystem;
 using AIStudio.Tools.Services;
@@ -102,10 +103,23 @@ public class ERIClientV1(IERIDataSource dataSource) : ERIClientBase(dataSource),
                     }
             
                 case AuthMethod.USERNAME_PASSWORD:
+                    if (this.DataSource.UsernamePasswordMode is DataSourceERIUsernamePasswordMode.OS_USERNAME_SHARED_PASSWORD)
+                    {
+                        username = await rustService.ReadUserName();
+                        if (string.IsNullOrWhiteSpace(username))
+                        {
+                            return new()
+                            {
+                                Successful = false,
+                                Message = TB("Failed to read the user's username from the operating system.")
+                            };
+                        }
+                    }
+
                     string password;
                     if (string.IsNullOrWhiteSpace(temporarySecret))
                     {
-                        var passwordResponse = await rustService.GetSecret(this.DataSource);
+                        var passwordResponse = await rustService.GetSecret(this.DataSource, SecretStoreType.DATA_SOURCE);
                         if (!passwordResponse.Success)
                         {
                             return new()
@@ -159,7 +173,7 @@ public class ERIClientV1(IERIDataSource dataSource) : ERIClientBase(dataSource),
                     string token;
                     if (string.IsNullOrWhiteSpace(temporarySecret))
                     {
-                        var tokenResponse = await rustService.GetSecret(this.DataSource);
+                        var tokenResponse = await rustService.GetSecret(this.DataSource, SecretStoreType.DATA_SOURCE);
                         if (!tokenResponse.Success)
                         {
                             return new()

app/MindWork AI Studio/Tools/Pandoc.cs

@@ -35,12 +35,13 @@ public static partial class Pandoc
     private static bool HAS_LOGGED_AVAILABILITY_CHECK_ONCE;
 
     private static readonly HttpClient WEB_CLIENT = new();
+    private static readonly SemaphoreSlim INSTALLATION_LOCK = new(1, 1);
 
     /// <summary>
     /// Prepares a Pandoc process by using the Pandoc process builder.
     /// </summary>
     /// <returns>The Pandoc process builder with default settings.</returns>
-    public static PandocProcessBuilder PreparePandocProcess() => PandocProcessBuilder.Create();
+    private static PandocProcessBuilder PreparePandocProcess() => PandocProcessBuilder.Create();
 
     /// <summary>
     /// Checks if pandoc is available on the system and can be started as a process or is present in AI Studio's data dir.
@@ -145,12 +146,12 @@ public static partial class Pandoc
         catch (Exception e)
         {
             if (showMessages)
-                await MessageBus.INSTANCE.SendError(new(@Icons.Material.Filled.AppsOutage, TB("It seems that Pandoc is not installed.")));
+                await MessageBus.INSTANCE.SendError(new(@Icons.Material.Filled.AppsOutage, TB("Pandoc doesn't seem to be installed.")));
 
             if(shouldLog)
                 LOG.LogError(e, "Pandoc availability check failed. This usually means Pandoc is not installed or not in the system PATH.");
             
-            return new(false, TB("It seems that Pandoc is not installed."), false, string.Empty, false);
+            return new(false, TB("Pandoc doesn't seem to be installed."), false, string.Empty, false);
         }
         finally
         {
@@ -165,76 +166,230 @@ public static partial class Pandoc
     /// <returns>None</returns>
     public static async Task InstallAsync(RustService rustService)
     {
+        await INSTALLATION_LOCK.WaitAsync();
+
         var latestVersion = await FetchLatestVersionAsync();
         var installDir = await GetPandocDataFolder(rustService);
-        ClearFolder(installDir);
+        var installParentDir = Path.GetDirectoryName(installDir) ?? Path.GetTempPath();
+        var stagingDir = Path.Combine(installParentDir, $"pandoc-install-{Guid.NewGuid():N}");
+        var pandocTempDownloadFile = Path.GetTempFileName();
         
         LOG.LogInformation("Trying to install Pandoc v{0} to '{1}'...", latestVersion, installDir);
         
         try
         {
-            if (!Directory.Exists(installDir))
-                Directory.CreateDirectory(installDir);
-            
-            // Create a temporary file to download the archive to:
-            var pandocTempDownloadFile = Path.GetTempFileName();
+            if (!Directory.Exists(installParentDir))
+                Directory.CreateDirectory(installParentDir);
             
             //
             // Download the latest Pandoc archive from GitHub:
             //
-            var uri = await GenerateArchiveUriAsync();
-            var response = await WEB_CLIENT.GetAsync(uri);
+            var uri = GenerateArchiveUri(latestVersion);
+            if (string.IsNullOrWhiteSpace(uri))
+            {
+                await MessageBus.INSTANCE.SendError(new (Icons.Material.Filled.Error, TB("AI Studio couldn't install Pandoc because the archive type is unknown.")));
+                LOG.LogError("Pandoc was not installed, no archive is available for architecture '{Architecture}'.", CPU_ARCHITECTURE.ToUserFriendlyName());
+                return;
+            }
+
+            using var response = await WEB_CLIENT.GetAsync(uri);
             if (!response.IsSuccessStatusCode)
             {
-                await MessageBus.INSTANCE.SendError(new(Icons.Material.Filled.Error, TB("Pandoc was not installed successfully, because the archive was not found.")));
+                await MessageBus.INSTANCE.SendError(new(Icons.Material.Filled.Error, TB("AI Studio couldn't install Pandoc because the archive was not found.")));
                 LOG.LogError("Pandoc was not installed successfully, because the archive was not found (status code {0}): url='{1}', message='{2}'", response.StatusCode, uri, response.RequestMessage);
                 return;
             }
 
             // Download the archive to the temporary file:
-            await using var tempFileStream = File.Create(pandocTempDownloadFile);
+            await using (var tempFileStream = File.Create(pandocTempDownloadFile))
+            {
                 await response.Content.CopyToAsync(tempFileStream);
+                await tempFileStream.FlushAsync();
+            }
 
+            Directory.CreateDirectory(stagingDir);
             if (uri.EndsWith(".zip", StringComparison.OrdinalIgnoreCase))
             {
-                ZipFile.ExtractToDirectory(pandocTempDownloadFile, installDir);
+                await RunWithRetriesAsync(
+                    () =>
+                    {
+                        ZipFile.ExtractToDirectory(pandocTempDownloadFile, stagingDir, true);
+                        return Task.CompletedTask;
+                    },
+                    "extracting the Pandoc ZIP archive");
             }
             else if (uri.EndsWith(".tar.gz", StringComparison.OrdinalIgnoreCase))
+            {
+                await RunWithRetriesAsync(
+                    async () =>
                     {
                         await using var tgzStream = File.Open(pandocTempDownloadFile, FileMode.Open, FileAccess.Read, FileShare.Read);
                         await using var uncompressedStream = new GZipStream(tgzStream, CompressionMode.Decompress);
-                await TarFile.ExtractToDirectoryAsync(uncompressedStream, installDir, true);
+                        await TarFile.ExtractToDirectoryAsync(uncompressedStream, stagingDir, true);
+                    },
+                    "extracting the Pandoc TAR archive");
             }
             else
             {
-                await MessageBus.INSTANCE.SendError(new (Icons.Material.Filled.Error, TB("Pandoc was not installed successfully, because the archive type is unknown.")));
+                await MessageBus.INSTANCE.SendError(new (Icons.Material.Filled.Error, TB("AI Studio couldn't install Pandoc because the archive type is unknown.")));
                 LOG.LogError("Pandoc was not installed, the archive is unknown: url='{0}'", uri);
                 return;
             }
 
-            File.Delete(pandocTempDownloadFile);
+            var stagedPandocExecutable = FindExecutableInDirectory(stagingDir, PandocProcessBuilder.PandocExecutableName);
+            if (string.IsNullOrWhiteSpace(stagedPandocExecutable))
+            {
+                await MessageBus.INSTANCE.SendError(new (Icons.Material.Filled.Error, TB("AI Studio couldn't install Pandoc because the executable was not found in the archive.")));
+                LOG.LogError("Pandoc was not installed, the executable was not found in the extracted archive: '{StagingDir}'.", stagingDir);
+                return;
+            }
 
+            LOG.LogInformation("Found Pandoc executable in downloaded archive: '{Executable}'.", stagedPandocExecutable);
+
+            await ReplaceInstallationDirectoryAsync(stagingDir, installDir);
             await MessageBus.INSTANCE.SendSuccess(new(Icons.Material.Filled.CheckCircle, string.Format(TB("Pandoc v{0} was installed successfully."), latestVersion)));
             LOG.LogInformation("Pandoc v{0} was installed successfully.", latestVersion);
         }
         catch (Exception ex)
         {
+            await MessageBus.INSTANCE.SendError(new(Icons.Material.Filled.Error, TB("AI Studio couldn't install Pandoc.")));
             LOG.LogError(ex, "An error occurred while installing Pandoc.");
         }
+        finally
+        {
+            TryDeleteFile(pandocTempDownloadFile);
+
+            if (Directory.Exists(stagingDir))
+                await TryDeleteFolderAsync(stagingDir);
+
+            INSTALLATION_LOCK.Release();
+        }
     }
     
-    private static void ClearFolder(string path)
+    private static async Task ReplaceInstallationDirectoryAsync(string stagingDir, string installDir)
     {
-        if (!Directory.Exists(path))
+        var backupDir = $"{installDir}.backup-{Guid.NewGuid():N}";
+        var hasBackup = false;
+        var stagingWasMoved = false;
+
+        try
+        {
+            if (Directory.Exists(installDir))
+            {
+                await MoveDirectoryWithRetriesAsync(installDir, backupDir, "moving the previous Pandoc installation to backup");
+                hasBackup = true;
+            }
+
+            await MoveDirectoryWithRetriesAsync(stagingDir, installDir, "moving the new Pandoc installation into place");
+            stagingWasMoved = true;
+        }
+        catch (Exception ex)
+        {
+            if (hasBackup && !stagingWasMoved && !Directory.Exists(installDir) && Directory.Exists(backupDir))
+            {
+                try
+                {
+                    await MoveDirectoryWithRetriesAsync(backupDir, installDir, "restoring the previous Pandoc installation");
+                    hasBackup = false;
+                }
+                catch (Exception rollbackEx)
+                {
+                    LOG.LogError(rollbackEx, "Error restoring previous Pandoc installation directory. Keeping backup directory at: '{BackupDir}'.", backupDir);
+                }
+            }
+
+            LOG.LogError(ex, "Error replacing pandoc installation directory.");
+            throw;
+        }
+        finally
+        {
+            if (hasBackup && stagingWasMoved && Directory.Exists(backupDir))
+                await TryDeleteFolderAsync(backupDir);
+        }
+    }
+
+    private static string FindExecutableInDirectory(string rootDirectory, string executableName)
+    {
+        if (!Directory.Exists(rootDirectory))
+            return string.Empty;
+
+        var rootExecutablePath = Path.Combine(rootDirectory, executableName);
+        if (File.Exists(rootExecutablePath))
+            return rootExecutablePath;
+
+        foreach (var subdirectory in Directory.GetDirectories(rootDirectory, "*", SearchOption.AllDirectories))
+        {
+            var pandocPath = Path.Combine(subdirectory, executableName);
+            if (File.Exists(pandocPath))
+                return pandocPath;
+        }
+
+        return string.Empty;
+    }
+
+    private static async Task MoveDirectoryWithRetriesAsync(string sourceDir, string destinationDir, string operationName)
+    {
+        await RunWithRetriesAsync(
+            () =>
+            {
+                Directory.Move(sourceDir, destinationDir);
+                return Task.CompletedTask;
+            },
+            operationName,
+            maxAttempts: 8);
+    }
+
+    private static async Task RunWithRetriesAsync(Func<Task> operation, string operationName, int maxAttempts = 4)
+    {
+        for (var attempt = 1; attempt <= maxAttempts; attempt++)
+        {
+            try
+            {
+                await operation();
+                return;
+            }
+            catch (Exception ex) when (attempt < maxAttempts && ex is IOException or UnauthorizedAccessException)
+            {
+                LOG.LogWarning(ex, "Error while {OperationName}; retrying attempt {Attempt}/{MaxAttempts}.", operationName, attempt + 1, maxAttempts);
+                await Task.Delay(TimeSpan.FromMilliseconds(250 * attempt));
+            }
+        }
+    }
+
+    private static void TryDeleteFile(string path)
+    {
+        if (string.IsNullOrWhiteSpace(path) || !File.Exists(path))
             return;
 
         try
         {
-            Directory.Delete(path, true);
+            File.Delete(path);
         }
         catch (Exception ex)
         {
-            LOG.LogError(ex, "Error clearing pandoc installation directory.");
+            LOG.LogWarning(ex, "Was not able to delete temporary Pandoc archive: '{Path}'.", path);
+        }
+    }
+
+    private static async Task TryDeleteFolderAsync(string path)
+    {
+        if (string.IsNullOrWhiteSpace(path) || !Directory.Exists(path))
+            return;
+
+        try
+        {
+            await RunWithRetriesAsync(
+                () =>
+                {
+                    Directory.Delete(path, true);
+                    return Task.CompletedTask;
+                },
+                $"deleting temporary Pandoc directory '{path}'",
+                maxAttempts: 3);
+        }
+        catch (Exception ex)
+        {
+            LOG.LogWarning(ex, "Was not able to delete temporary Pandoc directory: '{Path}'.", path);
         }
     }
     
@@ -248,7 +403,7 @@ public static partial class Pandoc
         if (!response.IsSuccessStatusCode)
         {
             LOG.LogError("Code {StatusCode}: Could not fetch Pandoc's latest page: {Response}", response.StatusCode, response.RequestMessage);
-            await MessageBus.INSTANCE.SendWarning(new (Icons.Material.Filled.Warning, string.Format(TB("The latest Pandoc version was not found, installing version {0} instead."), FALLBACK_VERSION.ToString())));
+            await MessageBus.INSTANCE.SendWarning(new (Icons.Material.Filled.Warning, string.Format(TB("AI Studio couldn't find the latest Pandoc version and will install version {0} instead."), FALLBACK_VERSION.ToString())));
             return FALLBACK_VERSION.ToString();
         }
 
@@ -257,7 +412,7 @@ public static partial class Pandoc
         if (!versionMatch.Success)
         {
             LOG.LogError("The latest version regex returned nothing: {0}", versionMatch.Groups.ToString());
-            await MessageBus.INSTANCE.SendWarning(new (Icons.Material.Filled.Warning, string.Format(TB("The latest Pandoc version was not found, installing version {0} instead."), FALLBACK_VERSION.ToString())));
+            await MessageBus.INSTANCE.SendWarning(new (Icons.Material.Filled.Warning, string.Format(TB("AI Studio couldn't find the latest Pandoc version and will install version {0} instead."), FALLBACK_VERSION.ToString())));
             return FALLBACK_VERSION.ToString();
         }
         
@@ -272,6 +427,11 @@ public static partial class Pandoc
     public static async Task<string> GenerateArchiveUriAsync()
     {
         var version = await FetchLatestVersionAsync();
+        return GenerateArchiveUri(version);
+    }
+
+    private static string GenerateArchiveUri(string version)
+    {
         var baseUri = $"{DOWNLOAD_URL}/{version}/pandoc-{version}-";
         return CPU_ARCHITECTURE switch
         {

app/MindWork AI Studio/Tools/PandocProcessBuilder.cs

@@ -220,6 +220,17 @@ public sealed class PandocProcessBuilder
                 }
             }
 
+            foreach (var candidate in SystemPandocExecutableCandidates(PandocExecutableName))
+            {
+                if (!File.Exists(candidate))
+                    continue;
+
+                if (shouldLog)
+                    LOGGER.LogInformation("Found system Pandoc installation at: '{Path}'.", candidate);
+
+                return new(candidate, false);
+            }
+
             //
             // When no local installation was found, we assume that the pandoc executable is in the system PATH:
             //
@@ -238,4 +249,59 @@ public sealed class PandocProcessBuilder
     /// Reads the os platform to determine the used executable name.
     /// </summary>
     public static string PandocExecutableName => CPU_ARCHITECTURE is RID.WIN_ARM64 or RID.WIN_X64 ? "pandoc.exe" : "pandoc";
+
+    private static IEnumerable<string> SystemPandocExecutableCandidates(string executableName)
+    {
+        var candidates = new List<string>();
+
+        switch (CPU_ARCHITECTURE)
+        {
+            case RID.WIN_X64 or RID.WIN_ARM64:
+                AddCandidate(candidates, Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Pandoc", executableName);
+                AddCandidate(candidates, Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles), "Pandoc", executableName);
+                AddCandidate(candidates, Environment.GetFolderPath(Environment.SpecialFolder.ProgramFilesX86), "Pandoc", executableName);
+                break;
+
+            case RID.OSX_X64 or RID.OSX_ARM64:
+                AddCandidate(candidates, "/opt/homebrew/bin", executableName);
+                AddCandidate(candidates, "/usr/local/bin", executableName);
+                AddCandidate(candidates, "/usr/bin", executableName);
+                break;
+
+            case RID.LINUX_X64 or RID.LINUX_ARM64:
+                AddCandidate(candidates, "/usr/local/bin", executableName);
+                AddCandidate(candidates, "/usr/bin", executableName);
+                AddCandidate(candidates, "/snap/bin", executableName);
+
+                var homeDirectory = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+                AddCandidate(candidates, homeDirectory, ".local", "bin", executableName);
+                break;
+        }
+
+        foreach (var pathDirectory in GetPathDirectories())
+            AddCandidate(candidates, pathDirectory, executableName);
+
+        var comparer = CPU_ARCHITECTURE is RID.WIN_X64 or RID.WIN_ARM64
+            ? StringComparer.OrdinalIgnoreCase
+            : StringComparer.Ordinal;
+        return candidates.Distinct(comparer);
+    }
+
+    private static IEnumerable<string> GetPathDirectories()
+    {
+        var pathValue = Environment.GetEnvironmentVariable("PATH");
+        if (string.IsNullOrWhiteSpace(pathValue))
+            yield break;
+
+        foreach (var pathDirectory in pathValue.Split(Path.PathSeparator, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
+            yield return pathDirectory;
+    }
+
+    private static void AddCandidate(List<string> candidates, params string[] pathParts)
+    {
+        if (pathParts.Any(string.IsNullOrWhiteSpace))
+            return;
+
+        candidates.Add(Path.Combine(pathParts));
+    }
 }

app/MindWork AI Studio/Tools/PluginSystem/PendingEnterpriseApiKey.cs

@@ -14,36 +14,3 @@ public sealed record PendingEnterpriseApiKey(
     string SecretName,
     string ApiKey,
     SecretStoreType StoreType);
-
-/// <summary>
-/// Static container for pending API keys during plugin loading.
-/// </summary>
-public static class PendingEnterpriseApiKeys
-{
-    private static readonly List<PendingEnterpriseApiKey> PENDING_KEYS = [];
-    private static readonly Lock LOCK = new();
-
-    /// <summary>
-    /// Adds a pending API key to the list.
-    /// </summary>
-    /// <param name="key">The pending API key to add.</param>
-    public static void Add(PendingEnterpriseApiKey key)
-    {
-        lock (LOCK)
-            PENDING_KEYS.Add(key);
-    }
-
-    /// <summary>
-    /// Gets and clears all pending API keys.
-    /// </summary>
-    /// <returns>A list of all pending API keys.</returns>
-    public static IReadOnlyList<PendingEnterpriseApiKey> GetAndClear()
-    {
-        lock (LOCK)
-        {
-            var keys = PENDING_KEYS.ToList();
-            PENDING_KEYS.Clear();
-            return keys;
-        }
-    }
-}

app/MindWork AI Studio/Tools/PluginSystem/PendingEnterpriseApiKeys.cs

@@ -0,0 +1,34 @@
+namespace AIStudio.Tools.PluginSystem;
+
+/// <summary>
+/// Static container for pending API keys during plugin loading.
+/// </summary>
+public static class PendingEnterpriseApiKeys
+{
+    private static readonly List<PendingEnterpriseApiKey> PENDING_KEYS = [];
+    private static readonly Lock LOCK = new();
+
+    /// <summary>
+    /// Adds a pending API key to the list.
+    /// </summary>
+    /// <param name="key">The pending API key to add.</param>
+    public static void Add(PendingEnterpriseApiKey key)
+    {
+        lock (LOCK)
+            PENDING_KEYS.Add(key);
+    }
+
+    /// <summary>
+    /// Gets and clears all pending API keys.
+    /// </summary>
+    /// <returns>A list of all pending API keys.</returns>
+    public static IReadOnlyList<PendingEnterpriseApiKey> GetAndClear()
+    {
+        lock (LOCK)
+        {
+            var keys = PENDING_KEYS.ToList();
+            PENDING_KEYS.Clear();
+            return keys;
+        }
+    }
+}

app/MindWork AI Studio/Tools/PluginSystem/PendingEnterpriseSecret.cs

@@ -0,0 +1,14 @@
+namespace AIStudio.Tools.PluginSystem;
+
+/// <summary>
+/// Represents a pending enterprise secret that needs to be stored in the OS keyring.
+/// </summary>
+/// <param name="SecretId">The secret ID.</param>
+/// <param name="SecretName">The secret name.</param>
+/// <param name="SecretData">The decrypted secret data.</param>
+/// <param name="StoreType">The type of secret store to use.</param>
+public sealed record PendingEnterpriseSecret(
+    string SecretId,
+    string SecretName,
+    string SecretData,
+    SecretStoreType StoreType);

app/MindWork AI Studio/Tools/PluginSystem/PendingEnterpriseSecrets.cs

@@ -0,0 +1,34 @@
+namespace AIStudio.Tools.PluginSystem;
+
+/// <summary>
+/// Static container for pending enterprise secrets during plugin loading.
+/// </summary>
+public static class PendingEnterpriseSecrets
+{
+    private static readonly List<PendingEnterpriseSecret> PENDING_SECRETS = [];
+    private static readonly Lock LOCK = new();
+
+    /// <summary>
+    /// Adds a pending enterprise secret to the list.
+    /// </summary>
+    /// <param name="secret">The pending enterprise secret to add.</param>
+    public static void Add(PendingEnterpriseSecret secret)
+    {
+        lock (LOCK)
+            PENDING_SECRETS.Add(secret);
+    }
+
+    /// <summary>
+    /// Gets and clears all pending enterprise secrets.
+    /// </summary>
+    /// <returns>A list of all pending enterprise secrets.</returns>
+    public static IReadOnlyList<PendingEnterpriseSecret> GetAndClear()
+    {
+        lock (LOCK)
+        {
+            var secrets = PENDING_SECRETS.ToList();
+            PENDING_SECRETS.Clear();
+            return secrets;
+        }
+    }
+}

app/MindWork AI Studio/Tools/PluginSystem/PluginConfiguration.cs

@@ -39,12 +39,43 @@ public sealed class PluginConfiguration(bool isInternal, LuaState state, PluginT
         {
             // Store any decrypted API keys from enterprise configuration in the OS keyring:
             await StoreEnterpriseApiKeysAsync();
+            await StoreEnterpriseSecretsAsync();
 
             await SETTINGS_MANAGER.StoreSettings();
             await MessageBus.INSTANCE.SendMessage<bool>(null, Event.CONFIGURATION_CHANGED);
         }
     }
 
+    /// <summary>
+    /// Stores any pending enterprise secrets in the OS keyring.
+    /// </summary>
+    private static async Task StoreEnterpriseSecretsAsync()
+    {
+        var pendingSecrets = PendingEnterpriseSecrets.GetAndClear();
+        if (pendingSecrets.Count == 0)
+            return;
+
+        LOG.LogInformation($"Storing {pendingSecrets.Count} enterprise secret(s) in the OS keyring.");
+        var rustService = Program.SERVICE_PROVIDER.GetRequiredService<RustService>();
+        foreach (var pendingSecret in pendingSecrets)
+        {
+            try
+            {
+                var secretId = new TemporarySecretId(pendingSecret.SecretId, pendingSecret.SecretName);
+                var result = await rustService.SetSecret(secretId, pendingSecret.SecretData, pendingSecret.StoreType);
+
+                if (result.Success)
+                    LOG.LogDebug($"Successfully stored enterprise secret for '{pendingSecret.SecretName}' in the OS keyring.");
+                else
+                    LOG.LogWarning($"Failed to store enterprise secret for '{pendingSecret.SecretName}': {result.Issue}");
+            }
+            catch (Exception ex)
+            {
+                LOG.LogError(ex, $"Exception while storing enterprise secret for '{pendingSecret.SecretName}'.");
+            }
+        }
+    }
+
     /// <summary>
     /// Stores any pending enterprise API keys in the OS keyring.
     /// </summary>
@@ -153,6 +184,9 @@ public sealed class PluginConfiguration(bool isInternal, LuaState state, PluginT
         // Handle configured chat templates:
         PluginConfigurationObject.TryParse(PluginConfigurationObjectType.CHAT_TEMPLATE, x => x.ChatTemplates, x => x.NextChatTemplateNum, mainTable, this.Id, ref this.configObjects, dryRun);
 
+        // Handle configured data sources:
+        PluginConfigurationObject.TryParseDataSources(mainTable, this.Id, ref this.configObjects, dryRun);
+        
         // Handle configured profiles:
         PluginConfigurationObject.TryParse(PluginConfigurationObjectType.PROFILE, x => x.Profiles, x => x.NextProfileNum, mainTable, this.Id, ref this.configObjects, dryRun);
         

app/MindWork AI Studio/Tools/PluginSystem/PluginConfigurationObject.cs

@@ -162,6 +162,87 @@ public sealed record PluginConfigurationObject
         return true;
     }
 
+    /// <summary>
+    /// Parses configured data sources from a configuration plugin.
+    /// </summary>
+    /// <param name="mainTable">The Lua table containing entries to parse into data sources.</param>
+    /// <param name="configPluginId">The unique identifier of the plugin associated with the data sources.</param>
+    /// <param name="configObjects">The list to populate with the parsed configuration objects.</param>
+    /// <param name="dryRun">Specifies whether to perform the operation as a dry run.</param>
+    /// <returns>True if the table was present and processed; otherwise false.</returns>
+    public static bool TryParseDataSources(
+        LuaTable mainTable,
+        Guid configPluginId,
+        ref List<PluginConfigurationObject> configObjects,
+        bool dryRun)
+    {
+        const string LUA_TABLE_NAME = "DATA_SOURCES";
+        if (!mainTable.TryGetValue(LUA_TABLE_NAME, out var luaValue) || !luaValue.TryRead<LuaTable>(out var luaTable))
+        {
+            LOG.LogWarning("The table '{LuaTableName}' does not exist or is not a valid table (config plugin id: {ConfigPluginId}).", LUA_TABLE_NAME, configPluginId);
+            return false;
+        }
+
+        var storedObjects = SETTINGS_MANAGER.ConfigurationData.DataSources;
+        var numberObjects = luaTable.ArrayLength;
+        ThreadSafeRandom? random = null;
+        for (var i = 1; i <= numberObjects; i++)
+        {
+            var luaObjectTableValue = luaTable[i];
+            if (!luaObjectTableValue.TryRead<LuaTable>(out var luaObjectTable))
+            {
+                LOG.LogWarning("The table '{LuaTableName}' entry at index {Index} is not a valid table (config plugin id: {ConfigPluginId}).", LUA_TABLE_NAME, i, configPluginId);
+                continue;
+            }
+
+            if (!DataSourceERI_V1.TryParseConfiguration(i, luaObjectTable, configPluginId, out var configObject))
+            {
+                LOG.LogWarning("The table '{LuaTableName}' entry at index {Index} does not contain a valid data source (config plugin id: {ConfigPluginId}).", LUA_TABLE_NAME, i, configPluginId);
+                continue;
+            }
+
+            configObjects.Add(new()
+            {
+                ConfigPluginId = configPluginId,
+                Id = Guid.Parse(configObject.Id),
+                Type = PluginConfigurationObjectType.DATA_SOURCE,
+            });
+
+            if (dryRun)
+                continue;
+
+            var objectIndex = storedObjects.FindIndex(t => t.Id == configObject.Id);
+            if (objectIndex > -1)
+            {
+                var existingObject = storedObjects[objectIndex];
+                configObject = configObject with { Num = existingObject.Num };
+                storedObjects[objectIndex] = configObject;
+            }
+            else
+            {
+                if (IncrementDataSourceNum() is { Success: true, UpdatedValue: var nextNum })
+                {
+                    configObject = configObject with { Num = nextNum };
+                    storedObjects.Add(configObject);
+                }
+                else
+                {
+                    random ??= new ThreadSafeRandom();
+                    configObject = configObject with { Num = (uint)random.Next(500_000, 1_000_000) };
+                    storedObjects.Add(configObject);
+                    LOG.LogWarning("The next number for the data source '{ConfigObjectName}' (id={ConfigObjectId}) could not be incremented. Using a random number instead (config plugin id: {ConfigPluginId}).", configObject.Name, configObject.Id, configPluginId);
+                }
+            }
+        }
+
+        return true;
+
+        static IncrementResult<uint> IncrementDataSourceNum()
+        {
+            return ((Expression<Func<Data, uint>>)(x => x.NextDataSourceNum)).TryIncrement(SETTINGS_MANAGER.ConfigurationData, IncrementType.POST);
+        }
+    }
+
     /// <summary>
     /// Cleans up configuration objects of a specified type that are no longer associated with any available plugin.
     /// </summary>
@@ -171,13 +252,15 @@ public sealed record PluginConfigurationObject
     /// <param name="availablePlugins">A list of currently available plugins.</param>
     /// <param name="configObjectList">A list of all existing configuration objects.</param>
     /// <param name="secretStoreType">An optional parameter specifying the type of secret store to use for deleting associated API keys from the OS keyring, if applicable.</param>
+    /// <param name="deleteSecret">When true, delete the associated non-API-key secret from the OS keyring.</param>
     /// <returns>Returns true if the configuration was altered during cleanup; otherwise, false.</returns>
     public static async Task<bool> CleanLeftOverConfigurationObjects<TClass>(
         PluginConfigurationObjectType configObjectType,
         Expression<Func<Data, List<TClass>>> configObjectSelection,
         IList<IAvailablePlugin> availablePlugins,
         IList<PluginConfigurationObject> configObjectList,
-        SecretStoreType? secretStoreType = null) where TClass : IConfigurationObject
+        SecretStoreType? secretStoreType = null,
+        bool deleteSecret = false) where TClass : IConfigurationObject
     {
         var configuredObjects = configObjectSelection.Compile()(SETTINGS_MANAGER.ConfigurationData);
         var leftOverObjects = new List<TClass>();
@@ -220,7 +303,15 @@ public sealed record PluginConfigurationObject
             configuredObjects.Remove(item);
         
             // Delete the API key from the OS keyring if the removed object has one:
-            if(secretStoreType is not null && item is ISecretId secretId)
+            if(deleteSecret && item is ISecretId regularSecretId)
+            {
+                var deleteResult = await RUST_SERVICE.DeleteSecret(regularSecretId, secretStoreType ?? SecretStoreType.DATA_SOURCE);
+                if (deleteResult.Success)
+                    LOG.LogInformation($"Successfully deleted secret for removed enterprise object '{item.Name}' from the OS keyring.");
+                else
+                    LOG.LogWarning($"Failed to delete secret for removed enterprise object '{item.Name}' from the OS keyring: {deleteResult.Issue}");
+            }
+            else if(secretStoreType is not null && item is ISecretId secretId)
             {
                 var deleteResult = await RUST_SERVICE.DeleteAPIKey(secretId, secretStoreType.Value);
                 if (deleteResult.Success)

app/MindWork AI Studio/Tools/PluginSystem/PluginFactory.Loading.cs

@@ -174,6 +174,10 @@ public static partial class PluginFactory
         if(await PluginConfigurationObject.CleanLeftOverConfigurationObjects(PluginConfigurationObjectType.EMBEDDING_PROVIDER, x => x.EmbeddingProviders, AVAILABLE_PLUGINS, configObjectList, SecretStoreType.EMBEDDING_PROVIDER))
             wasConfigurationChanged = true;
 
+        // Check data sources:
+        if(await PluginConfigurationObject.CleanLeftOverConfigurationObjects(PluginConfigurationObjectType.DATA_SOURCE, x => x.DataSources, AVAILABLE_PLUGINS, configObjectList, SecretStoreType.DATA_SOURCE, deleteSecret: true))
+            wasConfigurationChanged = true;
+
         // Check chat templates:
         if(await PluginConfigurationObject.CleanLeftOverConfigurationObjects(PluginConfigurationObjectType.CHAT_TEMPLATE, x => x.ChatTemplates, AVAILABLE_PLUGINS, configObjectList))
             wasConfigurationChanged = true;

app/MindWork AI Studio/Tools/Rust/FileTypes.cs

@@ -9,7 +9,7 @@ namespace AIStudio.Tools.Rust;
 /// </summary>
 public static class FileTypes
 {
-    private static string TB(string fallbackEn) => I18N.I.T(fallbackEn, typeof(FileTypeFilter).Namespace, nameof(FileTypeFilter));
+    private static string TB(string fallbackEn) => I18N.I.T(fallbackEn, typeof(FileTypes).Namespace, nameof(FileTypes));
     
     public static readonly FileTypeFilter SOURCE_LIKE_FILE_NAMES = FileTypeFilter.Leaf(TB("Source like"),
         "Dockerfile", "Containerfile", "Jenkinsfile", "Makefile", "GNUmakefile", "Procfile", "Vagrantfile",

app/MindWork AI Studio/Tools/Rust/QdrantInfo.cs

@@ -5,6 +5,8 @@
 /// </summary>
 public readonly record struct QdrantInfo
 {
+    public QdrantStatus Status { get; init; }
+
     public bool IsAvailable { get; init; }
 
     public string? UnavailableReason { get; init; }

app/MindWork AI Studio/Tools/Rust/QdrantStatus.cs

@@ -0,0 +1,8 @@
+namespace AIStudio.Tools.Rust;
+
+public enum QdrantStatus
+{
+    STARTING,
+    AVAILABLE,
+    UNAVAILABLE,
+}

app/MindWork AI Studio/Tools/SecretStoreType.cs

@@ -1,10 +1,10 @@
 namespace AIStudio.Tools;
 
 /// <summary>
-/// Represents the type of secret store used for API keys.
+/// Represents the type of secret store used for API keys and other secrets.
 /// </summary>
 /// <remarks>
-/// Different provider types use different prefixes for storing API keys.
+/// Different provider and secret types use different prefixes for storing secrets.
 /// This prevents collisions when the same instance name is used across
 /// different provider types (e.g., LLM, Embedding, Transcription).
 /// </remarks>
@@ -29,4 +29,9 @@ public enum SecretStoreType
     /// Image provider secrets. Uses the "image::" prefix.
     /// </summary>
     IMAGE_PROVIDER,
+
+    /// <summary>
+    /// Data source secrets. Uses the "data-source::" prefix.
+    /// </summary>
+    DATA_SOURCE,
 }

app/MindWork AI Studio/Tools/SecretStoreTypeExtensions.cs

@@ -9,12 +9,14 @@ public static class SecretStoreTypeExtensions
     /// LLM_PROVIDER uses the legacy "provider" prefix for backward compatibility.
     /// </remarks>
     /// <param name="type">The SecretStoreType enum value.</param>
-    /// <returns>>The corresponding prefix string.</returns>
+    /// <returns>The corresponding prefix string.</returns>
     public static string Prefix(this SecretStoreType type) => type switch
     {
         SecretStoreType.LLM_PROVIDER => "provider",
         SecretStoreType.EMBEDDING_PROVIDER => "embedding",
         SecretStoreType.TRANSCRIPTION_PROVIDER => "transcription",
+        SecretStoreType.IMAGE_PROVIDER => "image",
+        SecretStoreType.DATA_SOURCE => "data-source",
         
         _ => "provider",
     };

app/MindWork AI Studio/Tools/Services/EnterpriseEnvironmentService.cs

@@ -200,7 +200,7 @@ public sealed class EnterpriseEnvironmentService(ILogger<EnterpriseEnvironmentSe
             {
                 logger.LogInformation("The enterprise encryption secret changed. Refreshing the enterprise encryption service and reloading plugins.");
                 PluginFactory.InitializeEnterpriseEncryption(enterpriseEncryptionSecret);
-                await this.RemoveEnterpriseManagedApiKeysAsync();
+                await this.RemoveEnterpriseManagedSecretsAsync();
                 await PluginFactory.LoadAll();
             }
 
@@ -249,34 +249,36 @@ public sealed class EnterpriseEnvironmentService(ILogger<EnterpriseEnvironmentSe
         return serverUrl.Trim().TrimEnd('/');
     }
 
-    private async Task RemoveEnterpriseManagedApiKeysAsync()
+    private async Task RemoveEnterpriseManagedSecretsAsync()
     {
         var secretTargets = GetEnterpriseManagedSecretTargets();
         if (secretTargets.Count == 0)
         {
-            logger.LogInformation("No enterprise-managed API keys are currently known in the settings. No keyring cleanup is required.");
+            logger.LogInformation("No enterprise-managed secrets are currently known in the settings. No keyring cleanup is required.");
             return;
         }
 
-        logger.LogInformation("Removing {SecretCount} enterprise-managed API key(s) from the OS keyring after an enterprise encryption secret change.", secretTargets.Count);
+        logger.LogInformation("Removing {SecretCount} enterprise-managed secret(s) from the OS keyring after an enterprise encryption secret change.", secretTargets.Count);
         foreach (var target in secretTargets)
         {
             try
             {
-                var deleteResult = await rustService.DeleteAPIKey(target, target.StoreType);
+                var deleteResult = target.StoreType is SecretStoreType.DATA_SOURCE
+                    ? await rustService.DeleteSecret(target, target.StoreType)
+                    : await rustService.DeleteAPIKey(target, target.StoreType);
                 if (deleteResult.Success)
                 {
                     if (deleteResult.WasEntryFound)
-                        logger.LogInformation("Successfully deleted enterprise-managed API key '{SecretName}' from the OS keyring.", target.SecretName);
+                        logger.LogInformation("Successfully deleted enterprise-managed secret '{SecretName}' from the OS keyring.", target.SecretName);
                     else
-                        logger.LogInformation("Enterprise-managed API key '{SecretName}' was already absent from the OS keyring.", target.SecretName);
+                        logger.LogInformation("Enterprise-managed secret '{SecretName}' was already absent from the OS keyring.", target.SecretName);
                 }
                 else
-                    logger.LogWarning("Failed to delete enterprise-managed API key '{SecretName}' from the OS keyring: {Issue}", target.SecretName, deleteResult.Issue);
+                    logger.LogWarning("Failed to delete enterprise-managed secret '{SecretName}' from the OS keyring: {Issue}", target.SecretName, deleteResult.Issue);
             }
             catch (Exception e)
             {
-                logger.LogWarning(e, "Failed to delete enterprise-managed API key '{SecretName}' from the OS keyring.", target.SecretName);
+                logger.LogWarning(e, "Failed to delete enterprise-managed secret '{SecretName}' from the OS keyring.", target.SecretName);
             }
         }
     }
@@ -289,6 +291,7 @@ public sealed class EnterpriseEnvironmentService(ILogger<EnterpriseEnvironmentSe
         AddEnterpriseManagedSecretTargets(configurationData.Providers, SecretStoreType.LLM_PROVIDER, secretTargets);
         AddEnterpriseManagedSecretTargets(configurationData.EmbeddingProviders, SecretStoreType.EMBEDDING_PROVIDER, secretTargets);
         AddEnterpriseManagedSecretTargets(configurationData.TranscriptionProviders, SecretStoreType.TRANSCRIPTION_PROVIDER, secretTargets);
+        AddEnterpriseManagedSecretTargets(configurationData.DataSources.OfType<IExternalDataSource>(), SecretStoreType.DATA_SOURCE, secretTargets);
 
         return secretTargets.ToList();
     }

app/MindWork AI Studio/Tools/Services/GlobalShortcutService.cs

@@ -185,9 +185,7 @@ public sealed class GlobalShortcutService : BackgroundService, IMessageBusReceiv
             return new(shortcut, isEnabled, false);
 
         var fallbackShortcut = settingsSnapshot.App.ShortcutVoiceRecording;
-        var fallbackEnabled =
-            settingsSnapshot.App.EnabledPreviewFeatures.Contains(PreviewFeatures.PRE_SPEECH_TO_TEXT_2026) &&
-            !string.IsNullOrWhiteSpace(settingsSnapshot.App.UseTranscriptionProvider);
+        var fallbackEnabled = !string.IsNullOrWhiteSpace(settingsSnapshot.App.UseTranscriptionProvider);
 
         if (!fallbackEnabled || string.IsNullOrWhiteSpace(fallbackShortcut))
             return new(shortcut, isEnabled, false);

app/MindWork AI Studio/Tools/Services/RustService.Databases.cs

@@ -4,13 +4,27 @@ namespace AIStudio.Tools.Services;
 
 public sealed partial class RustService
 {
-    public async Task<QdrantInfo> GetQdrantInfo()
+    public async Task<QdrantInfo> GetQdrantInfo(CancellationToken cancellationToken = default)
     {
         try
         {
-            var cts = new CancellationTokenSource(TimeSpan.FromSeconds(45));
-            var response = await this.http.GetFromJsonAsync<QdrantInfo>("/system/qdrant/info", this.jsonRustSerializerOptions, cts.Token);
-            return response;
+            using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
+            cts.CancelAfter(TimeSpan.FromSeconds(45));
+            
+            return await this.http.GetFromJsonAsync<QdrantInfo>("/system/qdrant/info", this.jsonRustSerializerOptions, cts.Token);
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            if(this.logger is not null)
+                this.logger.LogWarning("Fetching Qdrant info from Rust service was cancelled by caller.");
+            else
+                Console.WriteLine("Fetching Qdrant info from Rust service was cancelled by caller.");
+            
+            return new QdrantInfo
+            {
+                Status = QdrantStatus.UNAVAILABLE,
+                UnavailableReason = "Operation cancelled by caller."
+            };
         }
         catch (Exception e)
         {
@@ -19,7 +33,11 @@ public sealed partial class RustService
             else
                 Console.WriteLine($"Error while fetching Qdrant info from Rust service: '{e}'.");
             
-            return default;
+            return new QdrantInfo
+            {
+                Status = QdrantStatus.UNAVAILABLE,
+                UnavailableReason = e.Message
+            };
         }
     }
 }

app/MindWork AI Studio/Tools/Services/RustService.FileSystem.cs

@@ -7,7 +7,8 @@ public sealed partial class RustService
     public async Task<DirectorySelectionResponse> SelectDirectory(string title, string? initialDirectory = null)
     {
         PreviousDirectory? previousDirectory = initialDirectory is null ? null : new (initialDirectory);
-        var result = await this.http.PostAsJsonAsync($"/select/directory?title={title}", previousDirectory, this.jsonRustSerializerOptions);
+        var encodedTitle = Uri.EscapeDataString(title);
+        var result = await this.http.PostAsJsonAsync($"/select/directory?title={encodedTitle}", previousDirectory, this.jsonRustSerializerOptions);
         if (!result.IsSuccessStatusCode)
         {
             this.logger!.LogError($"Failed to select a directory: '{result.StatusCode}'");

app/MindWork AI Studio/Tools/Services/RustService.OS.cs

@@ -32,4 +32,35 @@ public sealed partial class RustService
             this.userLanguageLock.Release();
         }
     }
+
+    public async Task<string> ReadUserName(bool forceRequest = false)
+    {
+        if (!forceRequest && !string.IsNullOrWhiteSpace(this.cachedUserName))
+            return this.cachedUserName;
+
+        await this.userNameLock.WaitAsync();
+        try
+        {
+            if (!forceRequest && !string.IsNullOrWhiteSpace(this.cachedUserName))
+                return this.cachedUserName;
+
+            var response = await this.http.GetAsync("/system/username");
+            if (!response.IsSuccessStatusCode)
+            {
+                this.logger!.LogError($"Failed to read the user name from Rust: '{response.StatusCode}'");
+                return string.Empty;
+            }
+
+            var userName = (await response.Content.ReadAsStringAsync()).Trim();
+            if (string.IsNullOrWhiteSpace(userName))
+                return string.Empty;
+
+            this.cachedUserName = userName;
+            return userName;
+        }
+        finally
+        {
+            this.userNameLock.Release();
+        }
+    }
 }

app/MindWork AI Studio/Tools/Services/RustService.Retrieval.cs

@@ -13,7 +13,16 @@ public sealed partial class RustService
         var response = await this.http.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
 
         if (!response.IsSuccessStatusCode)
+        {
+            var responseBody = await response.Content.ReadAsStringAsync();
+            this.logger?.LogError(
+                "Failed to read arbitrary file data from Rust runtime. Status: {StatusCode}, reason: '{ReasonPhrase}', path: '{Path}', body: '{Body}'",
+                response.StatusCode,
+                response.ReasonPhrase,
+                path,
+                responseBody);
             return string.Empty;
+        }
 
         var resultBuilder = new StringBuilder();
 

app/MindWork AI Studio/Tools/Services/RustService.Secrets.cs

@@ -4,26 +4,34 @@ namespace AIStudio.Tools.Services;
 
 public sealed partial class RustService
 {
+    private static string SecretKey(ISecretId secretId, SecretStoreType storeType) => $"{storeType.Prefix()}::{secretId.SecretId}::{secretId.SecretName}";
+
+    private static string LegacySecretKey(ISecretId secretId) => $"secret::{secretId.SecretId}::{secretId.SecretName}";
+
     /// <summary>
     /// Try to get the secret data for the given secret ID.
     /// </summary>
     /// <param name="secretId">The secret ID to get the data for.</param>
+    /// <param name="storeType">The secret store type.</param>
     /// <param name="isTrying">Indicates if we are trying to get the data. In that case, we don't log errors.</param>
     /// <returns>The requested secret.</returns>
-    public async Task<RequestedSecret> GetSecret(ISecretId secretId, bool isTrying = false)
+    public async Task<RequestedSecret> GetSecret(ISecretId secretId, SecretStoreType storeType, bool isTrying = false)
     {
-        var secretRequest = new SelectSecretRequest($"secret::{secretId.SecretId}::{secretId.SecretName}", Environment.UserName, isTrying);
-        var result = await this.http.PostAsJsonAsync("/secrets/get", secretRequest, this.jsonRustSerializerOptions);
-        if (!result.IsSuccessStatusCode)
+        var secretKey = SecretKey(secretId, storeType);
+        var secret = await this.GetSecretByKey(secretKey, isTrying || storeType is SecretStoreType.DATA_SOURCE);
+        if (secret.Success || storeType is not SecretStoreType.DATA_SOURCE)
+            return secret;
+
+        var legacySecretKey = LegacySecretKey(secretId);
+        var legacySecret = await this.GetSecretByKey(legacySecretKey, isTrying: true);
+        if (legacySecret.Success)
         {
-            if(!isTrying)
-                this.logger!.LogError($"Failed to get the secret data for secret ID '{secretId.SecretId}' due to an API issue: '{result.StatusCode}'");
-            return new RequestedSecret(false, new EncryptedText(string.Empty), TB("Failed to get the secret data due to an API issue."));
+            this.logger!.LogDebug($"Successfully retrieved the legacy data source secret for '{legacySecretKey}'.");
+            return legacySecret;
         }
 
-        var secret = await result.Content.ReadFromJsonAsync<RequestedSecret>(this.jsonRustSerializerOptions);
         if (!secret.Success && !isTrying)
-            this.logger!.LogError($"Failed to get the secret data for secret ID '{secretId.SecretId}': '{secret.Issue}'");
+            this.logger!.LogError($"Failed to get the secret data for '{secretKey}': '{secret.Issue}'");
         
         return secret;
     }
@@ -33,21 +41,26 @@ public sealed partial class RustService
     /// </summary>
     /// <param name="secretId">The secret ID to store the data for.</param>
     /// <param name="secretData">The data to store.</param>
+    /// <param name="storeType">The secret store type.</param>
     /// <returns>The store secret response.</returns>
-    public async Task<StoreSecretResponse> SetSecret(ISecretId secretId, string secretData)
+    public async Task<StoreSecretResponse> SetSecret(ISecretId secretId, string secretData, SecretStoreType storeType)
     {
+        var secretKey = SecretKey(secretId, storeType);
         var encryptedSecret = await this.encryptor!.Encrypt(secretData);
-        var request = new StoreSecretRequest($"secret::{secretId.SecretId}::{secretId.SecretName}", Environment.UserName, encryptedSecret);
+        var request = new StoreSecretRequest(secretKey, Environment.UserName, encryptedSecret);
         var result = await this.http.PostAsJsonAsync("/secrets/store", request, this.jsonRustSerializerOptions);
         if (!result.IsSuccessStatusCode)
         {
-            this.logger!.LogError($"Failed to store the secret data for secret ID '{secretId.SecretId}' due to an API issue: '{result.StatusCode}'");
-            return new StoreSecretResponse(false, TB("Failed to get the secret data due to an API issue."));
+            this.logger!.LogError($"Failed to store the secret data for '{secretKey}' due to an API issue: '{result.StatusCode}'");
+            return new StoreSecretResponse(false, TB("Failed to store the secret data due to an API issue."));
         }
         
         var state = await result.Content.ReadFromJsonAsync<StoreSecretResponse>(this.jsonRustSerializerOptions);
         if (!state.Success)
-            this.logger!.LogError($"Failed to store the secret data for secret ID '{secretId.SecretId}': '{state.Issue}'");
+            this.logger!.LogError($"Failed to store the secret data for '{secretKey}': '{state.Issue}'");
+
+        if (state.Success && storeType is SecretStoreType.DATA_SOURCE)
+            await this.DeleteSecretByKey(LegacySecretKey(secretId));
         
         return state;
     }
@@ -56,20 +69,48 @@ public sealed partial class RustService
     /// Tries to delete the secret data for the given secret ID.
     /// </summary>
     /// <param name="secretId">The secret ID to delete the data for.</param>
+    /// <param name="storeType">The secret store type.</param>
     /// <returns>The delete secret response.</returns>
-    public async Task<DeleteSecretResponse> DeleteSecret(ISecretId secretId)
+    public async Task<DeleteSecretResponse> DeleteSecret(ISecretId secretId, SecretStoreType storeType)
     {
-        var request = new SelectSecretRequest($"secret::{secretId.SecretId}::{secretId.SecretName}", Environment.UserName, false);
+        var deleteResult = await this.DeleteSecretByKey(SecretKey(secretId, storeType));
+        if (storeType is not SecretStoreType.DATA_SOURCE || !deleteResult.Success)
+            return deleteResult;
+
+        var legacyDeleteResult = await this.DeleteSecretByKey(LegacySecretKey(secretId));
+        if (!legacyDeleteResult.Success)
+            return legacyDeleteResult;
+
+        return deleteResult with { WasEntryFound = deleteResult.WasEntryFound || legacyDeleteResult.WasEntryFound };
+    }
+
+    private async Task<RequestedSecret> GetSecretByKey(string secretKey, bool isTrying)
+    {
+        var secretRequest = new SelectSecretRequest(secretKey, Environment.UserName, isTrying);
+        var result = await this.http.PostAsJsonAsync("/secrets/get", secretRequest, this.jsonRustSerializerOptions);
+        if (!result.IsSuccessStatusCode)
+        {
+            if(!isTrying)
+                this.logger!.LogError($"Failed to get the secret data for '{secretKey}' due to an API issue: '{result.StatusCode}'");
+            return new RequestedSecret(false, new EncryptedText(string.Empty), TB("Failed to get the secret data due to an API issue."));
+        }
+
+        return await result.Content.ReadFromJsonAsync<RequestedSecret>(this.jsonRustSerializerOptions);
+    }
+
+    private async Task<DeleteSecretResponse> DeleteSecretByKey(string secretKey)
+    {
+        var request = new SelectSecretRequest(secretKey, Environment.UserName, false);
         var result = await this.http.PostAsJsonAsync("/secrets/delete", request, this.jsonRustSerializerOptions);
         if (!result.IsSuccessStatusCode)
         {
-            this.logger!.LogError($"Failed to delete the secret data for secret ID '{secretId.SecretId}' due to an API issue: '{result.StatusCode}'");
+            this.logger!.LogError($"Failed to delete the secret data for '{secretKey}' due to an API issue: '{result.StatusCode}'");
             return new DeleteSecretResponse{Success = false, WasEntryFound = false, Issue = TB("Failed to delete the secret data due to an API issue.")};
         }
         
         var state = await result.Content.ReadFromJsonAsync<DeleteSecretResponse>(this.jsonRustSerializerOptions);
         if (!state.Success)
-            this.logger!.LogError($"Failed to delete the secret data for secret ID '{secretId.SecretId}': '{state.Issue}'");
+            this.logger!.LogError($"Failed to delete the secret data for '{secretKey}': '{state.Issue}'");
         
         return state;
     }

app/MindWork AI Studio/Tools/Services/RustService.cs

@@ -18,6 +18,7 @@ public sealed partial class RustService : BackgroundService
     
     private readonly HttpClient http;
     private readonly SemaphoreSlim userLanguageLock = new(1, 1);
+    private readonly SemaphoreSlim userNameLock = new(1, 1);
 
     private readonly JsonSerializerOptions jsonRustSerializerOptions = new()
     {
@@ -31,6 +32,7 @@ public sealed partial class RustService : BackgroundService
     private ILogger<RustService>? logger;
     private Encryption? encryptor;
     private string? cachedUserLanguage;
+    private string? cachedUserName;
     
     private readonly string apiPort;
     private readonly string certificateFingerprint;
@@ -91,6 +93,7 @@ public sealed partial class RustService : BackgroundService
     {
         this.http.Dispose();
         this.userLanguageLock.Dispose();
+        this.userNameLock.Dispose();
         base.Dispose();
     }
 

app/MindWork AI Studio/packages.lock.json

@@ -22,24 +22,28 @@
       },
       "LuaCSharp": {
         "type": "Direct",
-        "requested": "[0.5.3, )",
-        "resolved": "0.5.3",
-        "contentHash": "qpgmCaNx08+eiWOmz7U/mXOH8DXUyLW8fsCukKjN8hVled2y4HrapsZlmrnIf9iaNfEQusUR/8d1M2XX6NIzbQ=="
+        "requested": "[0.5.5, )",
+        "resolved": "0.5.5",
+        "contentHash": "IL44DCbMtEafyiy8DzHFd/f+1pXuDUVFJMCJPAu8vQHNfO3ADSoWSOKMg9Py1za/ZE1K0gs0jll1viInoN+19Q==",
+        "dependencies": {
+          "LuaCSharp.Annotations": "0.5.5",
+          "LuaCSharp.SourceGenerator": "0.5.5"
+        }
       },
       "Microsoft.Extensions.FileProviders.Embedded": {
         "type": "Direct",
-        "requested": "[9.0.15, )",
-        "resolved": "9.0.15",
-        "contentHash": "XFlI3ZISL344QdPLtaXG0yPyjkHQR82DYXrJa9aF00Qeu7dDnFxwFgP/ItkkyiLjAe/NSj6vksxOdnelXGT1vQ==",
+        "requested": "[9.0.16, )",
+        "resolved": "9.0.16",
+        "contentHash": "QRlSWz7zEplBxETrySKK3qpPm/7NPaRGnUpEXQNP3k6Ht2KdVy59JcoUPXlNGnNE3tJd3ycXfMeWqxBG6SyV0w==",
         "dependencies": {
-          "Microsoft.Extensions.FileProviders.Abstractions": "9.0.15"
+          "Microsoft.Extensions.FileProviders.Abstractions": "9.0.16"
         }
       },
       "Microsoft.NET.ILLink.Tasks": {
         "type": "Direct",
-        "requested": "[9.0.15, )",
-        "resolved": "9.0.15",
-        "contentHash": "EejcbfCMR77Dthy77qxRbEShmzLApHZUPqXMBVQK+A0pNrRThkaHoGGMGvbq/gTkC/waKcDEgjBkbaejB58Wtw=="
+        "requested": "[9.0.16, )",
+        "resolved": "9.0.16",
+        "contentHash": "ccPBYGLPJt8DeJTUzQ0JzOh/iuUAgnjayU63PokVywAhUOx+dzDKSPTL7AG94U/VpvNXflTT2AjsFAIF1+bXBw=="
       },
       "MudBlazor": {
         "type": "Direct",
@@ -64,9 +68,9 @@
       },
       "Qdrant.Client": {
         "type": "Direct",
-        "requested": "[1.17.0, )",
-        "resolved": "1.17.0",
-        "contentHash": "QFNtVu4Kiz6NHAAi2UQk+Ia64/qyX1NMecQGIBGnKqFOlpnxI3OCCBRBKXWGPk/c+4vAmR3Dj+cQ9apqX0zU8A==",
+        "requested": "[1.18.1, )",
+        "resolved": "1.18.1",
+        "contentHash": "eBwFLihGMvN02/jr/BNdcop2XmtA10y8VMOclVZ7K2H8yheAhl7jbkf7I8e4X3RYpT+cAxgcalP4xmOhgs4KJg==",
         "dependencies": {
           "Google.Protobuf": "3.31.0",
           "Grpc.Net.Client": "2.71.0"
@@ -113,6 +117,16 @@
           "Grpc.Core.Api": "2.71.0"
         }
       },
+      "LuaCSharp.Annotations": {
+        "type": "Transitive",
+        "resolved": "0.5.5",
+        "contentHash": "5VcwcTNGCY5YXLz2BRko5/Z0YGd6MZqNsnnfPOsGHHpAtqWPFbD0vtOZR4jUqaQLtQUvl2+WRfmIOhp6L2S0rw=="
+      },
+      "LuaCSharp.SourceGenerator": {
+        "type": "Transitive",
+        "resolved": "0.5.5",
+        "contentHash": "2xHKGc1bYXTsmSzZCNmKkuAU6A+1azulNiPY/ICKBSHIgEPMNRQ7JS6PvAClrHe6bk8SKcC/fbba6igtDzDaAw=="
+      },
       "Markdig": {
         "type": "Transitive",
         "resolved": "0.41.3",
@@ -182,10 +196,10 @@
       },
       "Microsoft.Extensions.FileProviders.Abstractions": {
         "type": "Transitive",
-        "resolved": "9.0.15",
-        "contentHash": "yzWilnNU/MvHINapPhY6iFAeApZnhToXbEBplORucn01hFc1F6ZaKt0V9dHYpUMun8WR9cSnq1ky35FWREVZbA==",
+        "resolved": "9.0.16",
+        "contentHash": "/YLSWDs+p0Y4+UGPoWI3uUNq7R5/f/8zw8XeViuhfSTGnPowoqbllBE9aR4TteFgNfIH4IHkhUwSlhMLB0aL8g==",
         "dependencies": {
-          "Microsoft.Extensions.Primitives": "9.0.15"
+          "Microsoft.Extensions.Primitives": "9.0.16"
         }
       },
       "Microsoft.Extensions.Localization": {
@@ -223,8 +237,8 @@
       },
       "Microsoft.Extensions.Primitives": {
         "type": "Transitive",
-        "resolved": "9.0.15",
-        "contentHash": "WRPJ9kpIwsOcghRT0tduIqiz7CDv7WsnL4kTJavtHS4j5AW++4LlR63oOSTL2o/zLR4T1z0/FQMgrnsPJ5bpQQ=="
+        "resolved": "9.0.16",
+        "contentHash": "w5RE1MR0lnAElsRJaFd2POIXl/H62aBKmfX8ibYmRmbk0JB9V/9jR0VD5NxiP1ETWpnDAnPguTSe7fF/FdsHEQ=="
       },
       "Microsoft.JSInterop": {
         "type": "Transitive",

app/MindWork AI Studio/wwwroot/changelog/v26.5.3.md

@@ -1 +1,2 @@
-# v26.5.3, build 238 (2026-05-xx xx:xx UTC)
+# v26.5.3, build 238 (2026-05-13 09:50 UTC)
+- Migrated away from Rocket to Axum for our internal IPC API. Please do not install this prerelease manually. Production versions, such as v26.4.1, will ignore this update. We are using this prerelease to test the clean update path. After a successful test, this prerelease will be removed.

app/MindWork AI Studio/wwwroot/changelog/v26.5.4.md

@@ -0,0 +1,2 @@
+# v26.5.4, build 239 (2026-05-13 11:58 UTC)
+- Migrated away from Rocket to Axum for our internal IPC API. Please do not install this prerelease manually. Production versions, such as v26.4.1, will ignore this update. We are using this prerelease to test the clean update path. After a successful test, this prerelease will be removed.

app/MindWork AI Studio/wwwroot/changelog/v26.5.5.md

@@ -0,0 +1,18 @@
+# v26.5.5, build 240 (2026-05-xx xx:xx UTC)
+- Released the voice recording and transcription for all users. You no longer need to enable a preview feature to configure transcription providers, select a transcription provider, or use dictation.
+- Added support for organization-managed ERI servers in configuration plugins, so admins can preconfigure external data sources for users.
+- Added an export option for ERI server data sources, so admins can create configuration plugin snippets without writing the Lua code manually.
+- Added the username to the information page to make organization support easier when users share their screen.
+- Improved the app's security foundation with major modernization of the native runtime and its internal communication layer. This work is mostly invisible during everyday use, but it replaces older components that no longer received the security updates we require. We also continued updating security-sensitive dependencies so AI Studio stays on a healthier, better maintained base.
+- Improved the Pandoc management and detection process to make it more reliable.
+- Improved the Qdrant startup and vector database initialization, so AI Studio can start more reliably while the local vector database is still starting.
+- Fixed the Pandoc installation, which could fail and prevent AI Studio from installing its local Pandoc dependency.
+- Fixed an issue where the spellchecking setting was not applied to all text fields in the slide builder assistant.
+- Fixed missing translations for file type names in file selection dialogs.
+- Upgraded the native secret storage integration to `keyring-core`, keeping API keys in the secure credential store provided by the operating system.
+- Upgraded Rust to v1.95.0.
+- Upgraded .NET to v9.0.16.
+- Upgraded Tauri to v2.11.1.
+- Upgraded PDFium to v148.0.7763.0.
+- Upgraded Qdrant to v1.18.0.
+- Upgraded other dependencies as well.

documentation/Build.md

@@ -9,7 +9,7 @@ Therefore, we cannot provide a static list here that is valid for all Linux syst
 ## Prerequisites
 1. Install the [.NET 9 SDK](https://dotnet.microsoft.com/en-us/download/dotnet/9.0).
 2. [Install the Rust compiler](https://www.rust-lang.org/tools/install) in the latest stable version.
-3. Met the prerequisites for building [Tauri](https://tauri.app/v1/guides/getting-started/prerequisites/). Node.js is **not** required, though.
+3. Meet the prerequisites for building [Tauri](https://v2.tauri.app/start/prerequisites/). Node.js is **not** required, though.
 4. The core team uses [JetBrains](https://www.jetbrains.com/) [Rider](https://www.jetbrains.com/rider/) and [RustRover](https://www.jetbrains.com/rust/) for development. Both IDEs are free to use for open-source projects for non-commercial use. They are available for macOS, Linux, and Windows systems. Profiles are provided for these IDEs, so you can get started right away. However, you can also use a different IDE.
 4. Clone the repository.
 
@@ -17,7 +17,7 @@ Therefore, we cannot provide a static list here that is valid for all Linux syst
 Regardless of whether you want to build the app locally for yourself (not trusting the pre-built binaries) or test your changes before creating a PR, you have to run the following commands at least once:
 
 1. Open a terminal.
-2. Install the Tauri CLI by running `cargo install --version 1.6.2 tauri-cli`.
+2. Install the Tauri CLI by running `cargo install tauri-cli --version 2.11.0 --locked`.
 3. Navigate to the `/app/Build` directory within the repository.
 4. Run `dotnet run build` to build the entire app.
 

documentation/Setup.md

@@ -84,4 +84,4 @@ We have to figure out if you have an Intel/AMD or a modern ARM system on your Li
 2. Open a terminal and navigate to the Downloads folder: `cd Downloads`.
 3. Make the AppImage executable: `chmod +x mind-work-ai-studio_amd64.AppImage`.
 4. You might want to move the AppImage to a more convenient location, e.g., your home directory: `mv mind-work-ai-studio_amd64.AppImage ~/`.
-4. Now you can run the AppImage from your file manager (double-click) or the terminal: `./mind-work-ai-studio_amd64.AppImage`.
+5. Now you can run the AppImage from your file manager (double-click) or the terminal: `./mind-work-ai-studio_amd64.AppImage`.

metadata.txt

@@ -1,12 +1,12 @@
-26.5.2
-2026-05-06 16:38:01 UTC
-237
-9.0.116 (commit fb4af7e1b3)
-9.0.15 (commit 4250c8399a)
+26.5.4
+2026-05-13 11:58:02 UTC
+239
+9.0.117 (commit 6e241a69c1)
+9.0.16 (commit a1e6809fb8)
 1.95.0 (commit 59807616e)
 8.15.0
 2.11.1
-bcf15e91881, release
+0089849e0c3, release
 osx-arm64
-144.0.7543.0
-1.17.1
+148.0.7763.0
+1.18.0

runtime/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mindwork-ai-studio"
-version = "26.5.2"
+version = "26.5.4"
 edition = "2024"
 description = "MindWork AI Studio"
 authors = ["Thorsten Sommer"]
@@ -16,45 +16,48 @@ tauri-plugin-dialog = "2.7.1"
 tauri-plugin-opener = "2.5.4"
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.149"
-keyring = { version = "3.6.2", features = ["apple-native", "windows-native", "sync-secret-service"] }
+keyring-core = "1.0.0"
 arboard = "3.6.1"
-tokio = { version = "1.50.0", features = ["rt", "rt-multi-thread", "macros", "process"] }
+tokio = { version = "1.52.3", features = ["rt", "rt-multi-thread", "macros", "process"] }
 tokio-stream = "0.1.18"
 futures = "0.3.32"
 async-stream = "0.3.6"
 flexi_logger = "0.31.8"
 log = { version = "0.4.29", features = ["kv"] }
 once_cell = "1.21.4"
-rocket = { version = "0.5.1", features = ["json", "tls"] }
+axum = { version = "0.8.9", features = ["http2", "json", "query", "tokio"] }
+axum-server = { version = "0.8.0", features = ["tls-rustls"] }
+rustls = { version = "0.23.28", default-features = false, features = ["aws_lc_rs"] }
 rand = "0.10.1"
 rand_chacha = "0.10.0"
 base64 = "0.22.1"
-aes = "0.8.4"
-cbc = "0.1.2"
-pbkdf2 = "0.12.2"
-hmac = "0.12.1"
-sha2 = "0.10.8"
-rcgen = { version = "0.14.7", features = ["pem"] }
+aes = "0.9.0"
+cbc = "0.2.0"
+pbkdf2 = "0.13.0"
+hmac = "0.13.0"
+sha2 = "0.11.0"
+rcgen = { version = "0.14.8", features = ["pem"] }
 file-format = "0.29.0"
-calamine = "0.34.0"
-pdfium-render = "0.8.37"
+calamine = "0.35.0"
+pdfium-render = "0.9.1"
 sys-locale = "0.3.2"
+whoami = "2.1.2"
 cfg-if = "1.0.4"
 pptx-to-md = "0.4.0"
 tempfile = "3.27.0"
 strum_macros = "0.28.0"
-sysinfo = "0.38.4"
-
-# Fixes security vulnerability downstream, where the upstream is not fixed yet:
-time = "0.3.47" # -> Rocket
-bytes = "1.11.1" # -> almost every dependency
-
-[target.'cfg(target_os = "linux")'.dependencies]
-# See issue https://github.com/tauri-apps/tauri/issues/4470
-reqwest = { version = "0.13.2", features = ["native-tls-vendored"] }
+sysinfo = "0.39.1"
+bytes = "1.11.1"
 
 [target.'cfg(target_os = "windows")'.dependencies]
 windows-registry = "0.6.1"
+windows-native-keyring-store = "1.0.0"
+
+[target.'cfg(target_os = "macos")'.dependencies]
+apple-native-keyring-store = { version = "1.0.0", features = ["keychain"] }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+dbus-secret-service-keyring-store = { version = "1.0.0", features = ["crypto-rust"] }
 
 [target.'cfg(not(any(target_os = "android", target_os = "ios")))'.dependencies]
 tauri-plugin-global-shortcut = "2"

runtime/src/app_window.rs

@@ -1,13 +1,16 @@
 use std::collections::HashMap;
+use std::convert::Infallible;
 use std::sync::Mutex;
 use std::time::Duration;
+use async_stream::stream;
+use axum::body::Body;
+use axum::http::header::CONTENT_TYPE;
+use axum::response::{IntoResponse, Response};
+use axum::Json;
+use bytes::Bytes;
 use log::{debug, error, info, trace, warn};
 use once_cell::sync::Lazy;
-use rocket::{get, post};
-use rocket::response::stream::TextStream;
-use rocket::serde::json::Json;
-use rocket::serde::Serialize;
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 use strum_macros::Display;
 use tauri::{DragDropEvent,RunEvent, Manager, WindowEvent, generate_context};
 use tauri::path::PathResolver;
@@ -22,7 +25,7 @@ use crate::dotnet::{cleanup_dotnet_server, start_dotnet_server, stop_dotnet_serv
 use crate::environment::{is_prod, is_dev, CONFIG_DIRECTORY, DATA_DIRECTORY};
 use crate::log::switch_to_file_logging;
 use crate::pdfium::PDFIUM_LIB_PATH;
-use crate::qdrant::{cleanup_qdrant, start_qdrant_server, stop_qdrant_server};
+use crate::qdrant::{start_qdrant_server, stop_qdrant_server};
 #[cfg(debug_assertions)]
 use crate::dotnet::create_startup_env_file;
 
@@ -145,7 +148,6 @@ pub fn start_tauri() {
                 start_dotnet_server(app.handle().clone());
             }
 
-            cleanup_qdrant();
             start_qdrant_server(app.handle().clone());
 
             info!(Source = "Bootloader Tauri"; "Reconfigure the file logger to use the app data directory {data_path:?}");
@@ -242,11 +244,9 @@ fn should_open_in_system_browser<R: tauri::Runtime>(webview: &tauri::Webview<R>,
         }
     }
 
-    if let Ok(current_url) = webview.url() {
-        if same_origin(&current_url, url) {
+    if let Ok(current_url) = webview.url() && same_origin(&current_url, url) {
         return false;
     }
-    }
 
     !is_local_host(url.host_str())
 }
@@ -256,8 +256,7 @@ fn should_open_in_system_browser<R: tauri::Runtime>(webview: &tauri::Webview<R>,
 /// When the client disconnects, the stream is closed. But we try to not lose events in between.
 /// The client is expected to reconnect automatically when the connection is closed and continue
 /// listening for events.
-#[get("/events")]
-pub async fn get_event_stream(_token: APIToken) -> TextStream![String] {
+pub async fn get_event_stream(_token: APIToken) -> Response {
     // Get the lock to the event broadcast sender:
     let event_broadcast_lock = EVENT_BROADCAST.lock().unwrap();
 
@@ -269,8 +268,7 @@ pub async fn get_event_stream(_token: APIToken) -> TextStream![String] {
     // Drop the lock to allow other access to the sender:
     drop(event_broadcast_lock);
 
-    // Create the event stream:
-    TextStream! {
+    let stream = stream! {
         loop {
             // Wait at most 3 seconds for an event:
             match time::timeout(Duration::from_secs(3), event_receiver.recv()).await {
@@ -281,11 +279,11 @@ pub async fn get_event_stream(_token: APIToken) -> TextStream![String] {
                     // is serialized as a single line so that the client can parse it
                     // correctly:
                     let event_json = serde_json::to_string(&event).unwrap();
-                    yield event_json;
+                    yield Ok::<Bytes, Infallible>(Bytes::from(event_json));
 
                     // The client expects a newline after each event because we are using
                     // a method to read the stream line-by-line:
-                    yield "\n".to_string();
+                    yield Ok::<Bytes, Infallible>(Bytes::from("\n"));
                 },
 
                 // Case: we lagged behind and missed some events
@@ -305,15 +303,17 @@ pub async fn get_event_stream(_token: APIToken) -> TextStream![String] {
 
                     // Again, we have to serialize the event as a single line:
                     let event_json = serde_json::to_string(&ping_event).unwrap();
-                    yield event_json;
+                    yield Ok::<Bytes, Infallible>(Bytes::from(event_json));
 
                     // The client expects a newline after each event because we are using
                     // a method to read the stream line-by-line:
-                    yield "\n".to_string();
+                    yield Ok::<Bytes, Infallible>(Bytes::from("\n"));
                 },
             }
         }
-    }
+    };
+
+    ([(CONTENT_TYPE, "application/jsonl")], Body::from_stream(stream)).into_response()
 }
 
 /// Data structure representing a Tauri event for our event API.
@@ -412,11 +412,9 @@ pub async fn change_location_to(url: &str) {
         }
     }
 
-    if let Ok(parsed_url) = tauri::Url::parse(url) {
-        if is_local_http_url(&parsed_url) {
+    if let Ok(parsed_url) = tauri::Url::parse(url) && is_local_http_url(&parsed_url) {
         *APPROVED_APP_URL.lock().unwrap() = Some(parsed_url);
     }
-    }
 
     let js_location_change = format!("window.location = '{url}';");
     let main_window = main_window_spawn_clone.lock().unwrap();
@@ -428,7 +426,6 @@ pub async fn change_location_to(url: &str) {
 }
 
 /// Checks for updates.
-#[get("/updates/check")]
 pub async fn check_for_update(_token: APIToken) -> Json<CheckUpdateResponse> {
     if is_dev() {
         warn!(Source = "Updater"; "The app is running in development mode; skipping update check.");
@@ -514,7 +511,6 @@ pub struct CheckUpdateResponse {
 }
 
 /// Installs the update.
-#[get("/updates/install")]
 pub async fn install_update(_token: APIToken) {
     if is_dev() {
         warn!(Source = "Updater"; "The app is running in development mode; skipping update installation.");
@@ -623,8 +619,7 @@ fn register_shortcut_with_callback<R: tauri::Runtime>(
 }
 
 /// Requests a controlled shutdown of the entire desktop application.
-#[post("/app/exit")]
-pub fn exit_app(_token: APIToken) -> Json<AppExitResponse> {
+pub async fn exit_app(_token: APIToken) -> Json<AppExitResponse> {
     let app_handle = {
         let main_window_lock = MAIN_WINDOW.lock().unwrap();
         match main_window_lock.as_ref() {
@@ -653,8 +648,7 @@ pub fn exit_app(_token: APIToken) -> Json<AppExitResponse> {
 
 /// Registers or updates a global shortcut. If the shortcut string is empty,
 /// the existing shortcut for that name will be unregistered.
-#[post("/shortcuts/register", data = "<payload>")]
-pub fn register_shortcut(_token: APIToken, payload: Json<RegisterShortcutRequest>) -> Json<ShortcutResponse> {
+pub async fn register_shortcut(_token: APIToken, payload: Json<RegisterShortcutRequest>) -> Json<ShortcutResponse> {
     let id = payload.id;
     let new_shortcut = payload.shortcut.clone();
 
@@ -686,14 +680,12 @@ pub fn register_shortcut(_token: APIToken, payload: Json<RegisterShortcutRequest
     let mut registered_shortcuts = REGISTERED_SHORTCUTS.lock().unwrap();
 
     // Unregister the old shortcut if one exists for this name:
-    if let Some(old_shortcut) = registered_shortcuts.get(&id) {
-        if !old_shortcut.is_empty() {
+    if let Some(old_shortcut) = registered_shortcuts.get(&id) && !old_shortcut.is_empty() {
         match shortcut_manager.unregister(old_shortcut.as_str()) {
             Ok(_) => info!(Source = "Tauri"; "Unregistered old shortcut '{old_shortcut}' for '{}'.", id),
             Err(error) => warn!(Source = "Tauri"; "Failed to unregister old shortcut '{old_shortcut}': {error}"),
         }
     }
-    }
 
     // When the new shortcut is empty, we're done (just unregistering):
     if new_shortcut.is_empty() {
@@ -761,8 +753,7 @@ pub struct ShortcutValidationResponse {
 /// Validates a shortcut string without registering it.
 /// Checks if the shortcut syntax is valid and if it
 /// conflicts with existing shortcuts.
-#[post("/shortcuts/validate", data = "<payload>")]
-pub fn validate_shortcut(_token: APIToken, payload: Json<ValidateShortcutRequest>) -> Json<ShortcutValidationResponse> {
+pub async fn validate_shortcut(_token: APIToken, payload: Json<ValidateShortcutRequest>) -> Json<ShortcutValidationResponse> {
     let shortcut = payload.shortcut.clone();
 
     // Empty shortcuts are always valid (means "disabled"):
@@ -816,8 +807,7 @@ pub fn validate_shortcut(_token: APIToken, payload: Json<ValidateShortcutRequest
 /// The shortcuts remain in our internal map, so they can be re-registered on resume.
 /// This is useful when opening a dialog to configure shortcuts, so the user can
 /// press the current shortcut to re-enter it without triggering the action.
-#[post("/shortcuts/suspend")]
-pub fn suspend_shortcuts(_token: APIToken) -> Json<ShortcutResponse> {
+pub async fn suspend_shortcuts(_token: APIToken) -> Json<ShortcutResponse> {
     // Get the main window to access the global shortcut manager:
     let main_window_lock = MAIN_WINDOW.lock().unwrap();
     let main_window = match main_window_lock.as_ref() {
@@ -853,8 +843,7 @@ pub fn suspend_shortcuts(_token: APIToken) -> Json<ShortcutResponse> {
 }
 
 /// Resumes shortcut processing by re-registering all shortcuts with the OS.
-#[post("/shortcuts/resume")]
-pub fn resume_shortcuts(_token: APIToken) -> Json<ShortcutResponse> {
+pub async fn resume_shortcuts(_token: APIToken) -> Json<ShortcutResponse> {
     // Get the main window to access the global shortcut manager:
     let main_window_lock = MAIN_WINDOW.lock().unwrap();
     let main_window = match main_window_lock.as_ref() {
@@ -893,7 +882,7 @@ pub fn resume_shortcuts(_token: APIToken) -> Json<ShortcutResponse> {
             continue;
         }
 
-        match register_shortcut_with_callback(&app_handle, shortcut, *shortcut_id, event_sender.clone()) {
+        match register_shortcut_with_callback(app_handle, shortcut, *shortcut_id, event_sender.clone()) {
             Ok(_) => {
                 info!(Source = "Tauri"; "Re-registered shortcut '{shortcut}' for '{}'.", shortcut_id);
                 success_count += 1;
@@ -954,6 +943,35 @@ fn validate_shortcut_syntax(shortcut: &str) -> bool {
     has_key
 }
 
+fn set_pdfium_path<R: tauri::Runtime>(path_resolver: &PathResolver<R>) {
+    let resource_dir = match path_resolver.resource_dir() {
+        Ok(path) => path,
+        Err(error) => {
+            error!(Source = "Bootloader Tauri"; "Failed to resolve resource dir: {error}");
+            return;
+        }
+    };
+
+    let candidate_paths = [
+        resource_dir.join("resources").join("libraries"),
+        resource_dir.join("libraries"),
+    ];
+
+    let pdfium_source_path = candidate_paths
+        .iter()
+        .find(|path| path.exists())
+        .map(|path| path.to_string_lossy().to_string());
+
+    match pdfium_source_path {
+        Some(path) => {
+            *PDFIUM_LIB_PATH.lock().unwrap() = Some(path);
+        }
+        None => {
+            error!(Source = "Bootloader Tauri"; "Failed to set the PDFium library path.");
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -983,32 +1001,3 @@ mod tests {
         assert!(!is_local_http_url(&url));
     }
 }
-
-fn set_pdfium_path<R: tauri::Runtime>(path_resolver: &PathResolver<R>) {
-    let resource_dir = match path_resolver.resource_dir() {
-        Ok(path) => path,
-        Err(error) => {
-            error!(Source = "Bootloader Tauri"; "Failed to resolve resource dir: {error}");
-            return;
-        }
-    };
-
-    let candidate_paths = [
-        resource_dir.join("resources").join("libraries"),
-        resource_dir.join("libraries"),
-    ];
-
-    let pdfium_source_path = candidate_paths
-        .iter()
-        .find(|path| path.exists())
-        .map(|path| path.to_string_lossy().to_string());
-
-    match pdfium_source_path {
-        Some(path) => {
-            *PDFIUM_LIB_PATH.lock().unwrap() = Some(path);
-        }
-        None => {
-            error!(Source = "Bootloader Tauri"; "Failed to set the PDFium library path.");
-        }
-    }
-}

runtime/src/clipboard.rs

@@ -1,14 +1,13 @@
 use arboard::Clipboard;
 use log::{debug, error};
-use rocket::post;
-use rocket::serde::json::Json;
+use axum::Json;
 use serde::Serialize;
 use crate::api_token::APIToken;
 use crate::encryption::{EncryptedText, ENCRYPTION};
 
 /// Sets the clipboard text to the provided encrypted text.
-#[post("/clipboard/set", data = "<encrypted_text>")]
-pub fn set_clipboard(_token: APIToken, encrypted_text: EncryptedText) -> Json<SetClipboardResponse> {
+pub async fn set_clipboard(_token: APIToken, encrypted_text: String) -> Json<SetClipboardResponse> {
+    let encrypted_text = EncryptedText::new(encrypted_text);
 
     // Decrypt this text first:
     let decrypted_text = match ENCRYPTION.decrypt(&encrypted_text) {

runtime/src/dotnet.rs

@@ -5,7 +5,6 @@ use base64::Engine;
 use base64::prelude::BASE64_STANDARD;
 use log::{error, info, warn};
 use once_cell::sync::Lazy;
-use rocket::get;
 use tauri::Url;
 use tauri_plugin_shell::process::{CommandChild, CommandEvent};
 use tauri_plugin_shell::ShellExt;
@@ -89,8 +88,7 @@ fn sanitize_stdout_line(line: &str) -> String {
 
 /// Returns the desired port of the .NET server. Our .NET app calls this endpoint to get
 /// the port where the .NET server should listen to.
-#[get("/system/dotnet/port")]
-pub fn dotnet_port(_token: APIToken) -> String {
+pub async fn dotnet_port(_token: APIToken) -> String {
     let dotnet_server_port = *DOTNET_SERVER_PORT;
     format!("{dotnet_server_port}")
 }
@@ -179,7 +177,6 @@ pub fn start_dotnet_server<R: tauri::Runtime>(app_handle: tauri::AppHandle<R>) {
 }
 
 /// This endpoint is called by the .NET server to signal that the server is ready.
-#[get("/system/dotnet/ready")]
 pub async fn dotnet_ready(_token: APIToken) {
 
     // We create a manual scope for the lock to be released as soon as possible.

runtime/src/encryption.rs

@@ -2,26 +2,20 @@ use std::fmt;
 use std::time::Instant;
 use base64::Engine;
 use base64::prelude::BASE64_STANDARD;
-use aes::cipher::{block_padding::Pkcs7, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+use aes::cipher::{block_padding::Pkcs7, BlockModeDecrypt, BlockModeEncrypt, KeyIvInit};
 use hmac::Hmac;
 use log::{error, info};
 use once_cell::sync::Lazy;
 use pbkdf2::pbkdf2;
 use rand::rngs::SysRng;
 use rand::{Rng, SeedableRng};
-use rocket::{data, Data, Request};
-use rocket::data::ToByteUnit;
-use rocket::http::Status;
-use rocket::serde::{Deserialize, Serialize};
+use serde::{Deserialize, Serialize};
 use sha2::Sha512;
-use tokio::io::AsyncReadExt;
 
 type Aes256CbcEnc = cbc::Encryptor<aes::Aes256>;
 
 type Aes256CbcDec = cbc::Decryptor<aes::Aes256>;
 
-type DataOutcome<'r, T> = data::Outcome<'r, T>;
-
 /// The encryption instance used for the IPC channel.
 pub static ENCRYPTION: Lazy<Encryption> = Lazy::new(|| {
     //
@@ -113,7 +107,7 @@ impl Encryption {
         let mut buffer = vec![0u8; data.len() + 16];
         buffer[..data.len()].copy_from_slice(data);
         let encrypted = cipher
-            .encrypt_padded_mut::<Pkcs7>(&mut buffer, data.len())
+            .encrypt_padded::<Pkcs7>(&mut buffer, data.len())
             .map_err(|e| format!("Error encrypting data: {e}"))?;
         let mut result = BASE64_STANDARD.encode(self.secret_key_salt);
         result.push_str(&BASE64_STANDARD.encode(encrypted));
@@ -136,7 +130,7 @@ impl Encryption {
         let cipher = Aes256CbcDec::new(&self.key.into(), &self.iv.into());
         let mut buffer = encrypted.to_vec();
         let decrypted = cipher
-            .decrypt_padded_mut::<Pkcs7>(&mut buffer)
+            .decrypt_padded::<Pkcs7>(&mut buffer)
             .map_err(|e| format!("Error decrypting data: {e}"))?;
 
         String::from_utf8(decrypted.to_vec()).map_err(|e| format!("Error converting decrypted data to string: {}", e))
@@ -171,26 +165,3 @@ impl fmt::Display for EncryptedText {
         write!(f, "**********")
     }
 }
-
-/// Use Case: When we receive encrypted text from the client as body (e.g., in a POST request).
-/// We must interpret the body as EncryptedText.
-#[rocket::async_trait]
-impl<'r> data::FromData<'r> for EncryptedText {
-    type Error = String;
-    
-    /// Parses the data as EncryptedText.
-    async fn from_data(req: &'r Request<'_>, data: Data<'r>) -> DataOutcome<'r, Self> {
-        let content_type = req.content_type();
-        if content_type.map_or(true, |ct| !ct.is_text()) {
-            return DataOutcome::Forward((data, Status::Ok));
-        }
-
-        let mut stream = data.open(2.mebibytes());
-        let mut body = String::new();
-        if let Err(e) = stream.read_to_string(&mut body).await {
-            return DataOutcome::Error((Status::InternalServerError, format!("Failed to read data: {}", e)));
-        }
-
-        DataOutcome::Success(EncryptedText(body))
-    }
-}

runtime/src/environment.rs

@@ -1,7 +1,6 @@
 use crate::api_token::APIToken;
-use log::{debug, info, warn};
-use rocket::get;
-use rocket::serde::json::Json;
+use axum::Json;
+use log::{debug, error, info, warn};
 use serde::Serialize;
 use std::collections::{HashMap, HashSet};
 use std::env;
@@ -29,8 +28,7 @@ pub static CONFIG_DIRECTORY: OnceLock<String> = OnceLock::new();
 static USER_LANGUAGE: OnceLock<String> = OnceLock::new();
 
 /// Returns the config directory.
-#[get("/system/directories/config")]
-pub fn get_config_directory(_token: APIToken) -> String {
+pub async fn get_config_directory(_token: APIToken) -> String {
     match CONFIG_DIRECTORY.get() {
         Some(config_directory) => config_directory.clone(),
         None => String::from(""),
@@ -38,14 +36,21 @@ pub fn get_config_directory(_token: APIToken) -> String {
 }
 
 /// Returns the data directory.
-#[get("/system/directories/data")]
-pub fn get_data_directory(_token: APIToken) -> String {
+pub async fn get_data_directory(_token: APIToken) -> String {
     match DATA_DIRECTORY.get() {
         Some(data_directory) => data_directory.clone(),
         None => String::from(""),
     }
 }
 
+/// Returns the current user's username.
+pub async fn read_user_name(_token: APIToken) -> String {
+    whoami::username().unwrap_or_else(|e| {
+        error!("Failed to read the current OS username: {e}.");
+        String::new()
+    })
+}
+
 /// Returns true if the application is running in development mode.
 pub fn is_dev() -> bool {
     cfg!(debug_assertions)
@@ -90,11 +95,9 @@ fn normalize_locale_tag(locale: &str) -> Option<String> {
         return None;
     }
 
-    if let Some(region) = segments.next() {
-        if region.len() == 2 && region.chars().all(|c| c.is_ascii_alphabetic()) {
+    if let Some(region) = segments.next() && region.len() == 2 && region.chars().all(|c| c.is_ascii_alphabetic()) {
         return Some(format!("{}-{}", language, region.to_ascii_uppercase()));
     }
-    }
 
     Some(language)
 }
@@ -150,8 +153,7 @@ fn detect_user_language() -> (String, LanguageDetectionSource) {
     )
 }
 
-#[get("/system/language")]
-pub fn read_user_language(_token: APIToken) -> String {
+pub async fn read_user_language(_token: APIToken) -> String {
     USER_LANGUAGE
         .get_or_init(|| {
             let (user_language, source) = detect_user_language();
@@ -194,8 +196,7 @@ struct EnterpriseSourceData {
     encryption_secret: String,
 }
 
-#[get("/system/enterprise/config/id")]
-pub fn read_enterprise_env_config_id(_token: APIToken) -> String {
+pub async fn read_enterprise_env_config_id(_token: APIToken) -> String {
     debug!("Trying to read the effective enterprise configuration ID.");
     resolve_effective_enterprise_config_source()
         .configs
@@ -205,8 +206,7 @@ pub fn read_enterprise_env_config_id(_token: APIToken) -> String {
         .unwrap_or_default()
 }
 
-#[get("/system/enterprise/config/server")]
-pub fn read_enterprise_env_config_server_url(_token: APIToken) -> String {
+pub async fn read_enterprise_env_config_server_url(_token: APIToken) -> String {
     debug!("Trying to read the effective enterprise configuration server URL.");
     resolve_effective_enterprise_config_source()
         .configs
@@ -216,15 +216,13 @@ pub fn read_enterprise_env_config_server_url(_token: APIToken) -> String {
         .unwrap_or_default()
 }
 
-#[get("/system/enterprise/config/encryption_secret")]
-pub fn read_enterprise_env_config_encryption_secret(_token: APIToken) -> String {
+pub async fn read_enterprise_env_config_encryption_secret(_token: APIToken) -> String {
     debug!("Trying to read the effective enterprise configuration encryption secret.");
     resolve_effective_enterprise_secret_source().encryption_secret
 }
 
 /// Returns all enterprise configurations from the effective source.
-#[get("/system/enterprise/configs")]
-pub fn read_enterprise_configs(_token: APIToken) -> Json<Vec<EnterpriseConfig>> {
+pub async fn read_enterprise_configs(_token: APIToken) -> Json<Vec<EnterpriseConfig>> {
     info!("Trying to read the effective enterprise configurations.");
     Json(resolve_effective_enterprise_config_source().configs)
 }
@@ -426,12 +424,11 @@ fn load_policy_values_from_directories(directories: &[PathBuf]) -> HashMap<Strin
         }
 
         let secret_path = directory.join(ENTERPRISE_POLICY_SECRET_FILE_NAME);
-        if let Some(secret_values) = read_policy_yaml_mapping(&secret_path) {
-            if let Some(secret) = secret_values.get("config_encryption_secret") {
+        if let Some(secret_values) = read_policy_yaml_mapping(&secret_path)
+            && let Some(secret) = secret_values.get("config_encryption_secret") {
             insert_first_non_empty_value(&mut values, "config_encryption_secret", secret);
         }
     }
-    }
 
     values
 }

runtime/src/file_actions.rs

@@ -1,7 +1,7 @@
 use log::{error, info};
-use rocket::post;
-use rocket::serde::{Deserialize, Serialize};
-use rocket::serde::json::Json;
+use axum::extract::Query;
+use axum::Json;
+use serde::{Deserialize, Serialize};
 use tauri_plugin_dialog::{DialogExt, FileDialogBuilder};
 use crate::api_token::APIToken;
 use crate::app_window::MAIN_WINDOW;
@@ -11,6 +11,11 @@ pub struct PreviousDirectory {
     path: String,
 }
 
+#[derive(Deserialize)]
+pub struct SelectDirectoryQuery {
+    title: String,
+}
+
 #[derive(Clone, Deserialize)]
 pub struct FileTypeFilter {
     filter_name: String,
@@ -61,10 +66,9 @@ pub struct PreviousFile {
 }
 
 /// Let the user select a directory.
-#[post("/select/directory?<title>", data = "<previous_directory>")]
-pub fn select_directory(
+pub async fn select_directory(
     _token: APIToken,
-    title: &str,
+    Query(query): Query<SelectDirectoryQuery>,
     previous_directory: Option<Json<PreviousDirectory>>,
 ) -> Json<DirectorySelectionResponse> {
     let main_window_lock = MAIN_WINDOW.lock().unwrap();
@@ -79,7 +83,7 @@ pub fn select_directory(
         }
     };
 
-    let mut dialog = main_window.dialog().file().set_parent(main_window).set_title(title);
+    let mut dialog = main_window.dialog().file().set_parent(main_window).set_title(&query.title);
     if let Some(previous) = previous_directory {
         dialog = dialog.set_directory(previous.path.clone());
     }
@@ -118,8 +122,7 @@ pub fn select_directory(
 }
 
 /// Let the user select a file.
-#[post("/select/file", data = "<payload>")]
-pub fn select_file(
+pub async fn select_file(
     _token: APIToken,
     payload: Json<SelectFileOptions>,
 ) -> Json<FileSelectionResponse> {
@@ -178,8 +181,7 @@ pub fn select_file(
 }
 
 /// Let the user select some files.
-#[post("/select/files", data = "<payload>")]
-pub fn select_files(
+pub async fn select_files(
     _token: APIToken,
     payload: Json<SelectFileOptions>,
 ) -> Json<FilesSelectionResponse> {
@@ -229,8 +231,7 @@ pub fn select_files(
     }
 }
 
-#[post("/save/file", data = "<payload>")]
-pub fn save_file(_token: APIToken, payload: Json<SaveFileOptions>) -> Json<FileSaveResponse> {
+pub async fn save_file(_token: APIToken, payload: Json<SaveFileOptions>) -> Json<FileSaveResponse> {
     // Create a new file dialog builder:
     let file_dialog = MAIN_WINDOW
         .lock()

runtime/src/file_data.rs

@@ -1,22 +1,24 @@
 use std::cmp::min;
+use std::convert::Infallible;
 use crate::api_token::APIToken;
 use crate::pandoc::PandocProcessBuilder;
 use crate::pdfium::PdfiumInit;
 use async_stream::stream;
+use axum::extract::Query;
+use axum::extract::rejection::QueryRejection;
+use axum::response::sse::{Event, Sse};
 use base64::{engine::general_purpose, Engine as _};
 use calamine::{open_workbook_auto, Reader};
 use file_format::{FileFormat, Kind};
 use futures::{Stream, StreamExt};
 use pdfium_render::prelude::Pdfium;
 use pptx_to_md::{ImageHandlingMode, ParserConfig, PptxContainer};
-use rocket::get;
-use rocket::response::stream::{Event, EventStream};
-use rocket::serde::Serialize;
-use rocket::tokio::select;
-use rocket::Shutdown;
+use serde::{Deserialize, Deserializer, Serialize};
+use serde::de::{Error as SerdeError, Visitor};
 use std::path::Path;
 use std::pin::Pin;
-use log::{debug, error};
+use std::fmt;
+use log::{debug, error, warn};
 use tokio::io::AsyncBufReadExt;
 use tokio::sync::mpsc;
 use tokio_stream::wrappers::ReceiverStream;
@@ -82,39 +84,95 @@ const IMAGE_SEGMENT_SIZE_IN_CHARS: usize = 8_192; // equivalent to ~ 5500 token
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
 type ChunkStream = Pin<Box<dyn Stream<Item = Result<Chunk>> + Send>>;
 
-#[get("/retrieval/fs/extract?<path>&<stream_id>&<extract_images>")]
-pub async fn extract_data(_token: APIToken, path: String, stream_id: String, extract_images: bool, mut end: Shutdown) -> EventStream![] {
-    EventStream! {
-        let stream_result = stream_data(&path, extract_images).await;
-        let id_ref = &stream_id;
+#[derive(Deserialize)]
+pub struct ExtractDataQuery {
+    path: String,
+    stream_id: String,
+    #[serde(deserialize_with = "deserialize_bool_case_insensitive")]
+    extract_images: bool,
+}
+
+fn deserialize_bool_case_insensitive<'de, D>(deserializer: D) -> std::result::Result<bool, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    struct BoolVisitor;
+
+    impl<'de> Visitor<'de> for BoolVisitor {
+        type Value = bool;
+
+        fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
+            formatter.write_str("a boolean value")
+        }
+
+        fn visit_bool<E>(self, value: bool) -> std::result::Result<Self::Value, E> {
+            Ok(value)
+        }
+
+        fn visit_str<E>(self, value: &str) -> std::result::Result<Self::Value, E>
+        where
+            E: SerdeError,
+        {
+            match value.to_ascii_lowercase().as_str() {
+                "true" | "1" => Ok(true),
+                "false" | "0" => Ok(false),
+                _ => Err(E::invalid_value(serde::de::Unexpected::Str(value), &self)),
+            }
+        }
+    }
+
+    deserializer.deserialize_any(BoolVisitor)
+}
+
+pub async fn extract_data(
+    _token: APIToken,
+    query: std::result::Result<Query<ExtractDataQuery>, QueryRejection>,
+) -> Sse<impl Stream<Item = std::result::Result<Event, Infallible>>> {
+    let query = match query {
+        Ok(Query(query)) => Ok(query),
+        Err(e) => {
+            let message = format!("Invalid query for '/retrieval/fs/extract': {e}");
+            warn!("{message}");
+            Err(message)
+        },
+    };
+
+    let stream = stream! {
+        match query {
+            Ok(query) => {
+                let stream_result = stream_data(&query.path, query.extract_images).await;
+                let id_ref = &query.stream_id;
 
                 match stream_result {
                     Ok(mut stream) => {
-                loop {
-                    let chunk = select! {
-                        chunk = stream.next() => match chunk {
-                            Some(Ok(mut chunk)) => {
+                        while let Some(chunk) = stream.next().await {
+                            match chunk {
+                                Ok(mut chunk) => {
                                     chunk.set_stream_id(id_ref);
-                                chunk
+                                    yield Ok(Event::default().json_data(&chunk).unwrap_or_else(|e| Event::default().data(format!("Error: {e}"))));
                                 },
-                            Some(Err(e)) => {
-                                yield Event::json(&format!("Error: {e}"));
+
+                                Err(e) => {
+                                    yield Ok(Event::default().json_data(format!("Error: {e}")).unwrap_or_else(|_| Event::default().data(format!("Error: {e}"))));
                                     break;
                                 },
-                            None => break,
-                        },
-                        _ = &mut end => break,
-                    };
-                    
-                    yield Event::json(&chunk);
+                            }
                         }
                     },
 
                     Err(e) => {
-                yield Event::json(&format!("Error starting stream: {e}"));
-            }
+                        yield Ok(Event::default().json_data(format!("Error starting stream: {e}")).unwrap_or_else(|_| Event::default().data(format!("Error starting stream: {e}"))));
                     }
+                };
+            },
+
+            Err(e) => {
+                yield Ok(Event::default().json_data(format!("Error starting stream: {e}")).unwrap_or_else(|_| Event::default().data(format!("Error starting stream: {e}"))));
+            },
         }
+    };
+
+    Sse::new(stream)
 }
 
 async fn stream_data(file_path: &str, extract_images: bool) -> Result<ChunkStream> {

runtime/src/log.rs

@@ -8,9 +8,8 @@ use flexi_logger::{DeferredNow, Duplicate, FileSpec, Logger, LoggerHandle};
 use flexi_logger::writers::FileLogWriter;
 use log::{kv, Level};
 use log::kv::{Key, Value, VisitSource};
-use rocket::{get, post};
-use rocket::serde::json::Json;
-use rocket::serde::{Deserialize, Serialize};
+use axum::Json;
+use serde::{Deserialize, Serialize};
 use crate::api_token::APIToken;
 use crate::environment::is_dev;
 
@@ -34,14 +33,17 @@ pub fn init_logging() {
         false => log_config.push_str("info, "),
     };
 
-    // Set the log level for the Rocket library:
-    log_config.push_str("rocket=info, ");
-
-    // Set the log level for the Rocket server:
-    log_config.push_str("rocket::server=warn, ");
-
-    // Set the log level for the Reqwest library:
-    log_config.push_str("reqwest::async_impl::client=info");
+    // Keep noisy HTTP/TLS internals at info level even in development builds:
+    log_config.push_str("h2=info, ");
+    log_config.push_str("hyper=info, ");
+    log_config.push_str("hyper_util=info, ");
+    log_config.push_str("axum=info, ");
+    log_config.push_str("axum_server=info, ");
+    log_config.push_str("tower=info, ");
+    log_config.push_str("tower_http=info, ");
+    log_config.push_str("rustls=info, ");
+    log_config.push_str("tokio_rustls=info, ");
+    log_config.push_str("reqwest=info");
 
     // Configure the initial filename. On Unix systems, the file should start
     // with a dot to be hidden.
@@ -224,7 +226,6 @@ fn file_logger_format(
     write!(w, "{}", &record.args())
 }
 
-#[get("/log/paths")]
 pub async fn get_log_paths(_token: APIToken) -> Json<LogPathsResponse> {
     Json(LogPathsResponse {
         log_startup_path: LOG_STARTUP_PATH.get().expect("No startup log path was set").clone(),
@@ -269,9 +270,7 @@ fn log_with_level(
 }
 
 /// Logs an event from the .NET server.
-#[post("/log/event", data = "<event>")]
-pub fn log_event(_token: APIToken, event: Json<LogEvent>) -> Json<LogEventResponse> {
-    let event = event.into_inner();
+pub async fn log_event(_token: APIToken, Json(event): Json<LogEvent>) -> Json<LogEventResponse> {
     let level = parse_dotnet_log_level(&event.level);
     let message = event.message.as_str();
     let category = event.category.as_str();

runtime/src/main.rs

@@ -1,7 +1,6 @@
 // Prevents an additional console window on Windows in release, DO NOT REMOVE!!
 #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
 
-extern crate rocket;
 extern crate core;
 
 use log::{info, warn};
@@ -11,7 +10,7 @@ use mindwork_ai_studio::environment::is_dev;
 use mindwork_ai_studio::log::init_logging;
 use mindwork_ai_studio::metadata::MetaData;
 use mindwork_ai_studio::runtime_api::start_runtime_api;
-
+use mindwork_ai_studio::secret::init_secret_store;
 
 #[tokio::main]
 async fn main() {
@@ -43,6 +42,7 @@ async fn main() {
         info!("Running in production mode.");
     }
 
+    init_secret_store();
     generate_runtime_certificate();
     start_runtime_api();
     

runtime/src/pandoc.rs

@@ -1,13 +1,16 @@
-use std::path::{Path, PathBuf};
+use std::collections::HashSet;
+use std::env;
 use std::fs;
+use std::path::{Path, PathBuf};
 use std::sync::OnceLock;
-use log::warn;
+use log::{info, warn};
 use tokio::process::Command;
 use crate::environment::DATA_DIRECTORY;
 use crate::metadata::META_DATA;
 
 /// Tracks whether the RID mismatch warning has been logged.
 static HAS_LOGGED_RID_MISMATCH: OnceLock<()> = OnceLock::new();
+static HAS_LOGGED_PANDOC_PATH: OnceLock<()> = OnceLock::new();
 
 pub struct PandocExecutable {
     pub executable: String,
@@ -114,28 +117,42 @@ impl PandocProcessBuilder {
         // Any local installation should be preferred over the system-wide installation.
         let data_folder = PathBuf::from(DATA_DIRECTORY.get().unwrap());
         let local_installation_root_directory = data_folder.join("pandoc");
-
-        if local_installation_root_directory.exists() {
         let executable_name = Self::pandoc_executable_name();
 
-            if let Ok(entries) = fs::read_dir(&local_installation_root_directory) {
-                for entry in entries.flatten() {
-                    let path = entry.path();
-                    if path.is_dir() {
-                        if let Ok(pandoc_path) = Self::find_executable_in_dir(&path, &executable_name) {
+        if local_installation_root_directory.exists()
+            && let Ok(pandoc_path) = Self::find_executable_in_dir(&local_installation_root_directory, &executable_name) {
+            HAS_LOGGED_PANDOC_PATH.get_or_init(|| {
+                info!(Source = "PandocProcessBuilder"; "Found local Pandoc installation at: '{}'.", pandoc_path.to_string_lossy()
+                );
+            });
+
             return PandocExecutable {
                 executable: pandoc_path.to_string_lossy().to_string(),
                 is_local_installation: true,
             };
         }
-                    }
-                }
+
+        for candidate in Self::system_pandoc_executable_candidates(&executable_name) {
+            if candidate.exists() && candidate.is_file() {
+                HAS_LOGGED_PANDOC_PATH.get_or_init(|| {
+                    info!(Source = "PandocProcessBuilder"; "Found system Pandoc installation at: '{}'.", candidate.to_string_lossy()
+                    );
+                });
+
+                return PandocExecutable {
+                    executable: candidate.to_string_lossy().to_string(),
+                    is_local_installation: false,
+                };
             }
         }
 
         // When no local installation was found, we assume that the pandoc executable is in the system PATH:
+        HAS_LOGGED_PANDOC_PATH.get_or_init(|| {
+            warn!(Source = "PandocProcessBuilder"; "Falling back to system PATH for the Pandoc executable: '{}'.", executable_name);
+        });
+
         PandocExecutable {
-            executable: Self::pandoc_executable_name(),
+            executable: executable_name,
             is_local_installation: false,
         }
     }
@@ -150,17 +167,65 @@ impl PandocProcessBuilder {
         if let Ok(entries) = fs::read_dir(dir) {
             for entry in entries.flatten() {
                 let path = entry.path();
-                if path.is_dir() {
-                    if let Ok(found_path) = Self::find_executable_in_dir(&path, executable_name) {
+                if path.is_dir() && let Ok(found_path) = Self::find_executable_in_dir(&path, executable_name) {
                     return Ok(found_path);
                 }
             }
         }
-        }
 
         Err("Executable not found".into())
     }
 
+    fn system_pandoc_executable_candidates(executable_name: &str) -> Vec<PathBuf> {
+        let mut candidates: Vec<PathBuf> = Vec::new();
+        match env::consts::OS {
+            "windows" => {
+                Self::push_env_candidate(&mut candidates, "LOCALAPPDATA", &["Pandoc", executable_name]);
+                Self::push_env_candidate(&mut candidates, "ProgramFiles", &["Pandoc", executable_name]);
+                Self::push_env_candidate(&mut candidates, "ProgramFiles(x86)", &["Pandoc", executable_name]);
+            },
+            "macos" => {
+                candidates.push(PathBuf::from("/opt/homebrew/bin").join(executable_name));
+                candidates.push(PathBuf::from("/usr/local/bin").join(executable_name));
+                candidates.push(PathBuf::from("/usr/bin").join(executable_name));
+            },
+            "linux" => {
+                candidates.push(PathBuf::from("/usr/local/bin").join(executable_name));
+                candidates.push(PathBuf::from("/usr/bin").join(executable_name));
+                candidates.push(PathBuf::from("/snap/bin").join(executable_name));
+
+                if let Some(home_dir) = env::var_os("HOME") {
+                    candidates.push(PathBuf::from(home_dir).join(".local").join("bin").join(executable_name));
+                }
+            },
+            _ => {},
+        }
+
+        if let Some(path_value) = env::var_os("PATH") {
+            for path_dir in env::split_paths(&path_value) {
+                candidates.push(path_dir.join(executable_name));
+            }
+        }
+
+        let mut seen = HashSet::new();
+        candidates
+            .into_iter()
+            .filter(|path| seen.insert(path.clone()))
+            .collect()
+    }
+
+    fn push_env_candidate(candidates: &mut Vec<PathBuf>, env_name: &str, parts: &[&str]) {
+        if let Some(root) = env::var_os(env_name) {
+            let mut path = PathBuf::from(root);
+
+            for part in parts {
+                path.push(part);
+            }
+
+            candidates.push(path);
+        }
+    }
+
     /// Determines the executable name based on the current OS at runtime.
     ///
     /// This uses runtime detection instead of metadata to ensure correct behavior
@@ -172,8 +237,7 @@ impl PandocProcessBuilder {
             let runtime_os = std::env::consts::OS;
             let runtime_arch = std::env::consts::ARCH;
 
-            if let Ok(metadata) = META_DATA.lock() {
-                if let Some(metadata) = metadata.as_ref() {
+            if let Ok(metadata) = META_DATA.lock() && let Some(metadata) = metadata.as_ref() {
                 let metadata_arch = &metadata.architecture;
 
                 // Determine expected OS from metadata:
@@ -200,7 +264,6 @@ impl PandocProcessBuilder {
                     );
                 }
             }
-            }
         });
 
         // Use std::env::consts::OS for runtime detection instead of metadata

runtime/src/qdrant.rs

@@ -5,11 +5,11 @@ use std::fs::File;
 use std::io::Write;
 use std::path::Path;
 use std::sync::{Arc, Mutex, OnceLock};
+use std::time::Duration;
 use log::{debug, error, info, warn};
 use once_cell::sync::Lazy;
-use rocket::get;
-use rocket::serde::json::Json;
-use rocket::serde::Serialize;
+use axum::Json;
+use serde::Serialize;
 use crate::api_token::{APIToken};
 use crate::environment::{is_dev, DATA_DIRECTORY};
 use crate::certificate_factory::generate_certificate;
@@ -19,6 +19,7 @@ use tauri::path::BaseDirectory;
 use tempfile::{TempDir, Builder};
 use crate::stale_process_cleanup::{kill_stale_process, log_potential_stale_process};
 use crate::sidecar_types::SidecarType;
+use tokio::time;
 use tauri_plugin_shell::process::{CommandChild, CommandEvent};
 use tauri_plugin_shell::ShellExt;
 
@@ -41,14 +42,24 @@ static API_TOKEN: Lazy<APIToken> = Lazy::new(|| {
 });
 
 static TMPDIR: Lazy<Mutex<Option<TempDir>>> = Lazy::new(|| Mutex::new(None));
-static QDRANT_STATUS: Lazy<Mutex<QdrantStatus>> = Lazy::new(|| Mutex::new(QdrantStatus::default()));
+static QDRANT_STATUS: Lazy<Mutex<QdrantStatusInfo>> = Lazy::new(|| Mutex::new(QdrantStatusInfo::default()));
 
 const PID_FILE_NAME: &str = "qdrant.pid";
 const SIDECAR_TYPE:SidecarType = SidecarType::Qdrant;
+const STARTUP_TIMEOUT: Duration = Duration::from_secs(60);
+const STARTUP_CHECK_INTERVAL: Duration = Duration::from_millis(250);
+
+#[derive(Clone, Copy, Default, Serialize, PartialEq, Eq)]
+enum QdrantStatus {
+    #[default]
+    Starting,
+    Available,
+    Unavailable,
+}
 
 #[derive(Default)]
-struct QdrantStatus {
-    is_available: bool,
+struct QdrantStatusInfo {
+    status: QdrantStatus,
     unavailable_reason: Option<String>,
 }
 
@@ -61,6 +72,7 @@ fn qdrant_base_path() -> PathBuf {
 
 #[derive(Serialize)]
 pub struct ProvideQdrantInfo {
+    status: QdrantStatus,
     path: String,
     port_http: u16,
     port_grpc: u16,
@@ -70,13 +82,14 @@ pub struct ProvideQdrantInfo {
     unavailable_reason: Option<String>,
 }
 
-#[get("/system/qdrant/info")]
-pub fn qdrant_port(_token: APIToken) -> Json<ProvideQdrantInfo> {
+pub async fn qdrant_port(_token: APIToken) -> Json<ProvideQdrantInfo> {
     let status = QDRANT_STATUS.lock().unwrap();
-    let is_available = status.is_available;
+    let current_status = status.status;
+    let is_available = current_status == QdrantStatus::Available;
     let unavailable_reason = status.unavailable_reason.clone();
 
     Json(ProvideQdrantInfo {
+        status: current_status,
         path: if is_available {
             qdrant_base_path().to_string_lossy().to_string()
         } else {
@@ -101,13 +114,19 @@ pub fn qdrant_port(_token: APIToken) -> Json<ProvideQdrantInfo> {
 
 /// Starts the Qdrant server in a separate process.
 pub fn start_qdrant_server<R: tauri::Runtime>(app_handle: tauri::AppHandle<R>){
+    set_qdrant_starting();
+    tauri::async_runtime::spawn(async move {
+        cleanup_qdrant();
+        start_qdrant_server_internal(app_handle);
+    });
+}
+
+fn start_qdrant_server_internal<R: tauri::Runtime>(app_handle: tauri::AppHandle<R>){
     let path = qdrant_base_path();
-    if !path.exists() {
-        if let Err(e) = fs::create_dir_all(&path){
+    if !path.exists() && let Err(e) = fs::create_dir_all(&path){
         error!(Source="Qdrant"; "The required directory to host the Qdrant database could not be created: {}", e);
         set_qdrant_unavailable(format!("The Qdrant data directory could not be created: {e}"));
         return;
-        };
     }
 
     let (cert_path, key_path) = match create_temp_tls_files(&path) {
@@ -121,12 +140,13 @@ pub fn start_qdrant_server<R: tauri::Runtime>(app_handle: tauri::AppHandle<R>){
 
     let storage_path = path.join("storage").to_string_lossy().to_string();
     let snapshot_path = path.join("snapshots").to_string_lossy().to_string();
-    let init_path = path.join(".qdrant-initialized").to_string_lossy().to_string();
+    let init_path = path.join(".qdrant-initialized");
+    let init_path_environment = init_path.to_string_lossy().to_string();
     
     let qdrant_server_environment: HashMap<String, String> = HashMap::from_iter([
         (String::from("QDRANT__SERVICE__HTTP_PORT"), QDRANT_SERVER_PORT_HTTP.to_string()),
         (String::from("QDRANT__SERVICE__GRPC_PORT"), QDRANT_SERVER_PORT_GRPC.to_string()),
-        (String::from("QDRANT_INIT_FILE_PATH"), init_path),
+        (String::from("QDRANT_INIT_FILE_PATH"), init_path_environment),
         (String::from("QDRANT__STORAGE__STORAGE_PATH"), storage_path),
         (String::from("QDRANT__STORAGE__SNAPSHOTS_PATH"), snapshot_path),
         (String::from("QDRANT__TLS__CERT"), cert_path.to_string_lossy().to_string()),
@@ -176,13 +196,24 @@ pub fn start_qdrant_server<R: tauri::Runtime>(app_handle: tauri::AppHandle<R>){
         };
 
         let server_pid = child.pid();
-        set_qdrant_available();
         info!(Source = "Bootloader Qdrant"; "Qdrant server process started with PID={server_pid}.");
         log_potential_stale_process(path.join(PID_FILE_NAME), server_pid, SIDECAR_TYPE);
 
         // Save the server process to stop it later:
         *server_spawn_clone.lock().unwrap() = Some(child);
 
+        let init_path_clone = init_path.clone();
+        tauri::async_runtime::spawn(async move {
+            if wait_for_qdrant_startup(init_path_clone).await {
+                set_qdrant_available();
+                info!(Source = "Qdrant"; "Qdrant is available.");
+            } else {
+                let reason = "Qdrant did not become available within the startup timeout.".to_string();
+                error!(Source = "Qdrant"; "{reason}");
+                set_qdrant_unavailable(reason);
+            }
+        });
+
         // Log the output of the Qdrant server:
         while let Some(event) = rx.recv().await {
             match event {
@@ -208,6 +239,14 @@ pub fn start_qdrant_server<R: tauri::Runtime>(app_handle: tauri::AppHandle<R>){
                 _ => {}
             }
         }
+
+        let is_available = QDRANT_STATUS.lock().unwrap().status == QdrantStatus::Available;
+        let unavailable_reason = if is_available {
+            "Qdrant server process stopped.".to_string()
+        } else {
+            "Qdrant server process stopped before it became available.".to_string()
+        };
+        set_qdrant_unavailable(unavailable_reason);
     });
 }
 
@@ -230,6 +269,20 @@ pub fn stop_qdrant_server() {
     cleanup_qdrant();
 }
 
+async fn wait_for_qdrant_startup(init_path: PathBuf) -> bool {
+    let mut elapsed = Duration::ZERO;
+    while elapsed < STARTUP_TIMEOUT {
+        if init_path.exists() {
+            return true;
+        }
+
+        time::sleep(STARTUP_CHECK_INTERVAL).await;
+        elapsed += STARTUP_CHECK_INTERVAL;
+    }
+
+    false
+}
+
 /// Create a temporary directory with TLS relevant files
 pub fn create_temp_tls_files(path: &PathBuf) -> Result<(PathBuf, PathBuf), Box<dyn Error>> {
     let cert = generate_certificate();
@@ -282,13 +335,19 @@ pub fn cleanup_qdrant() {
 
 fn set_qdrant_available() {
     let mut status = QDRANT_STATUS.lock().unwrap();
-    status.is_available = true;
+    status.status = QdrantStatus::Available;
+    status.unavailable_reason = None;
+}
+
+fn set_qdrant_starting() {
+    let mut status = QDRANT_STATUS.lock().unwrap();
+    status.status = QdrantStatus::Starting;
     status.unavailable_reason = None;
 }
 
 fn set_qdrant_unavailable(reason: String) {
     let mut status = QDRANT_STATUS.lock().unwrap();
-    status.is_available = false;
+    status.status = QdrantStatus::Unavailable;
     status.unavailable_reason = Some(reason);
 }
 

runtime/src/runtime_api.rs

@@ -1,12 +1,16 @@
 use log::info;
 use once_cell::sync::Lazy;
-use rocket::config::Shutdown;
-use rocket::figment::Figment;
-use rocket::routes;
+use axum::routing::{get, post};
+use axum::Router;
+use axum_server::tls_rustls::RustlsConfig;
+use std::net::SocketAddr;
+use std::sync::Once;
 use crate::runtime_certificate::{CERTIFICATE, CERTIFICATE_PRIVATE_KEY};
 use crate::environment::is_dev;
 use crate::network::get_available_port;
 
+static RUSTLS_CRYPTO_PROVIDER_INIT: Once = Once::new();
+
 /// The port used for the runtime API server. In the development environment, we use a fixed
 /// port, in the production environment we use the next available port. This differentiation
 /// is necessary because we cannot communicate the port to the .NET server in the development
@@ -25,108 +29,55 @@ pub fn start_runtime_api() {
     let api_port = *API_SERVER_PORT;
     info!("Try to start the API server on 'http://localhost:{api_port}'...");
 
-    // Get the shutdown configuration:
-    let shutdown = create_shutdown();
+    let app = Router::new()
+        .route("/system/dotnet/port", get(crate::dotnet::dotnet_port))
+        .route("/system/dotnet/ready", get(crate::dotnet::dotnet_ready))
+        .route("/system/qdrant/info", get(crate::qdrant::qdrant_port))
+        .route("/clipboard/set", post(crate::clipboard::set_clipboard))
+        .route("/events", get(crate::app_window::get_event_stream))
+        .route("/updates/check", get(crate::app_window::check_for_update))
+        .route("/updates/install", get(crate::app_window::install_update))
+        .route("/app/exit", post(crate::app_window::exit_app))
+        .route("/select/directory", post(crate::file_actions::select_directory))
+        .route("/select/file", post(crate::file_actions::select_file))
+        .route("/select/files", post(crate::file_actions::select_files))
+        .route("/save/file", post(crate::file_actions::save_file))
+        .route("/secrets/get", post(crate::secret::get_secret))
+        .route("/secrets/store", post(crate::secret::store_secret))
+        .route("/secrets/delete", post(crate::secret::delete_secret))
+        .route("/system/directories/config", get(crate::environment::get_config_directory))
+        .route("/system/directories/data", get(crate::environment::get_data_directory))
+        .route("/system/language", get(crate::environment::read_user_language))
+        .route("/system/username", get(crate::environment::read_user_name))
+        .route("/system/enterprise/config/id", get(crate::environment::read_enterprise_env_config_id))
+        .route("/system/enterprise/config/server", get(crate::environment::read_enterprise_env_config_server_url))
+        .route("/system/enterprise/config/encryption_secret", get(crate::environment::read_enterprise_env_config_encryption_secret))
+        .route("/system/enterprise/configs", get(crate::environment::read_enterprise_configs))
+        .route("/retrieval/fs/extract", get(crate::file_data::extract_data))
+        .route("/log/paths", get(crate::log::get_log_paths))
+        .route("/log/event", post(crate::log::log_event))
+        .route("/shortcuts/register", post(crate::app_window::register_shortcut))
+        .route("/shortcuts/validate", post(crate::app_window::validate_shortcut))
+        .route("/shortcuts/suspend", post(crate::app_window::suspend_shortcuts))
+        .route("/shortcuts/resume", post(crate::app_window::resume_shortcuts));
 
-    // Configure the runtime API server:
-    let figment = Figment::from(rocket::Config::release_default())
-
-        // We use the next available port which was determined before:
-        .merge(("port", api_port))
-
-        // The runtime API server should be accessible only from the local machine:
-        .merge(("address", "127.0.0.1"))
-
-        // We do not want to use the Ctrl+C signal to stop the server:
-        .merge(("ctrlc", false))
-
-        // Set a name for the server:
-        .merge(("ident", "AI Studio Runtime API"))
-
-        // Set the maximum number of workers and blocking threads:
-        .merge(("workers", 3))
-        .merge(("max_blocking", 12))
-
-        // No colors and emojis in the log output:
-        .merge(("cli_colors", false))
-
-        // Read the TLS certificate and key from the generated certificate data in-memory:
-        .merge(("tls.certs", CERTIFICATE.get().unwrap()))
-        .merge(("tls.key", CERTIFICATE_PRIVATE_KEY.get().unwrap()))
-
-        // Set the shutdown configuration:
-        .merge(("shutdown", shutdown));
-
-    //
-    // Start the runtime API server in a separate thread. This is necessary
-    // because the server is blocking, and we need to run the Tauri app in
-    // parallel:
-    //
     tauri::async_runtime::spawn(async move {
-        rocket::custom(figment)
-            .mount("/", routes![
-                crate::dotnet::dotnet_port,
-                crate::dotnet::dotnet_ready,
-                crate::qdrant::qdrant_port,
-                crate::clipboard::set_clipboard,
-                crate::app_window::get_event_stream,
-                crate::app_window::check_for_update,
-                crate::app_window::install_update,
-                crate::app_window::exit_app,
-                crate::file_actions::select_directory,
-                crate::file_actions::select_file,
-                crate::file_actions::select_files,
-                crate::file_actions::save_file,
-                crate::secret::get_secret,
-                crate::secret::store_secret,
-                crate::secret::delete_secret,
-                crate::environment::get_data_directory,
-                crate::environment::get_config_directory,
-                crate::environment::read_user_language,
-                crate::environment::read_enterprise_env_config_id,
-                crate::environment::read_enterprise_env_config_server_url,
-                crate::environment::read_enterprise_env_config_encryption_secret,
-                crate::environment::read_enterprise_configs,
-                crate::file_data::extract_data,
-                crate::log::get_log_paths,
-                crate::log::log_event,
-                crate::app_window::register_shortcut,
-                crate::app_window::validate_shortcut,
-                crate::app_window::suspend_shortcuts,
-                crate::app_window::resume_shortcuts,
-            ])
-            .ignite().await.unwrap()
-            .launch().await.unwrap();
+        install_rustls_crypto_provider();
+
+        let cert = CERTIFICATE.get().unwrap().clone();
+        let key = CERTIFICATE_PRIVATE_KEY.get().unwrap().clone();
+        let tls_config = RustlsConfig::from_pem(cert, key).await.unwrap();
+        let addr = SocketAddr::from(([127, 0, 0, 1], api_port));
+
+        axum_server::bind_rustls(addr, tls_config)
+            .serve(app.into_make_service())
+            .await
+            .unwrap();
     });
 }
 
-fn create_shutdown() -> Shutdown {
-    //
-    // Create a shutdown configuration, depending on the operating system:
-    //
-    #[cfg(unix)]
-    {
-        use std::collections::HashSet;
-        let mut shutdown = Shutdown {
-            // We do not want to use the Ctrl+C signal to stop the server:
-            ctrlc: false,
-
-            // Everything else is set to default for now:
-            ..Shutdown::default()
-        };
-
-        shutdown.signals = HashSet::new();
-        shutdown
-    }
-
-    #[cfg(windows)]
-    {
-        Shutdown {
-            // We do not want to use the Ctrl+C signal to stop the server:
-            ctrlc: false,
-
-            // Everything else is set to default for now:
-            ..Shutdown::default()
-        }
-    }
+fn install_rustls_crypto_provider() {
+    RUSTLS_CRYPTO_PROVIDER_INIT.call_once(|| {
+        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+    });
 }

runtime/src/runtime_api_token.rs

@@ -1,33 +1,29 @@
 use once_cell::sync::Lazy;
-use rocket::http::Status;
-use rocket::Request;
-use rocket::request::FromRequest;
+use axum::extract::FromRequestParts;
+use axum::http::request::Parts;
+use axum::http::StatusCode;
 use crate::api_token::{generate_api_token, APIToken};
 
-pub static API_TOKEN: Lazy<APIToken> = Lazy::new(|| generate_api_token());
+pub static API_TOKEN: Lazy<APIToken> = Lazy::new(generate_api_token);
 
-/// The request outcome type used to handle API token requests.
-type RequestOutcome<R, T> = rocket::request::Outcome<R, T>;
+impl<S> FromRequestParts<S> for APIToken
+where
+    S: Send + Sync,
+{
+    type Rejection = StatusCode;
 
-/// The request outcome implementation for the API token.
-#[rocket::async_trait]
-impl<'r> FromRequest<'r> for APIToken {
-    type Error = APITokenError;
-
-    /// Handles the API token requests.
-    async fn from_request(request: &'r Request<'_>) -> RequestOutcome<Self, Self::Error> {
-        let token = request.headers().get_one("token");
-        match token {
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        match parts.headers.get("token").and_then(|value| value.to_str().ok()) {
             Some(token) => {
                 let received_token = APIToken::from_hex_text(token);
                 if API_TOKEN.validate(&received_token) {
-                    RequestOutcome::Success(received_token)
+                    Ok(received_token)
                 } else {
-                    RequestOutcome::Error((Status::Unauthorized, APITokenError::Invalid))
+                    Err(StatusCode::UNAUTHORIZED)
                 }
             }
 
-            None => RequestOutcome::Error((Status::Unauthorized, APITokenError::Missing)),
+            None => Err(StatusCode::UNAUTHORIZED),
         }
     }
 }

runtime/src/secret.rs

@@ -1,15 +1,45 @@
-use keyring::Entry;
+use axum::Json;
+use keyring_core::{Entry, Error as KeyringError};
 use log::{error, info, warn};
-use rocket::post;
-use rocket::serde::json::Json;
 use serde::{Deserialize, Serialize};
-use keyring::error::Error::NoEntry;
 use crate::api_token::APIToken;
 use crate::encryption::{EncryptedText, ENCRYPTION};
 
+/// Initializes the native credential store used by keyring-core.
+pub fn init_secret_store() {
+    cfg_if::cfg_if! {
+        if #[cfg(target_os = "macos")] {
+            match apple_native_keyring_store::keychain::Store::new() {
+                Ok(store) => {
+                    keyring_core::set_default_store(store);
+                    info!(Source = "Secret Store"; "Initialized the macOS Keychain credential store.");
+                },
+                Err(e) => error!(Source = "Secret Store"; "Failed to initialize the macOS Keychain credential store: {e}."),
+            }
+        } else if #[cfg(target_os = "windows")] {
+            match windows_native_keyring_store::Store::new() {
+                Ok(store) => {
+                    keyring_core::set_default_store(store);
+                    info!(Source = "Secret Store"; "Initialized the Windows Credential Manager store.");
+                },
+                Err(e) => error!(Source = "Secret Store"; "Failed to initialize the Windows Credential Manager store: {e}."),
+            }
+        } else if #[cfg(target_os = "linux")] {
+            match dbus_secret_service_keyring_store::Store::new() {
+                Ok(store) => {
+                    keyring_core::set_default_store(store);
+                    info!(Source = "Secret Store"; "Initialized the DBus Secret Service credential store.");
+                },
+                Err(e) => error!(Source = "Secret Store"; "Failed to initialize the DBus Secret Service credential store: {e}."),
+            }
+        } else {
+            warn!(Source = "Secret Store"; "No native credential store is configured for this platform.");
+        }
+    }
+}
+
 /// Stores a secret in the secret store using the operating system's keyring.
-#[post("/secrets/store", data = "<request>")]
-pub fn store_secret(_token: APIToken, request: Json<StoreSecret>) -> Json<StoreSecretResponse> {
+pub async fn store_secret(_token: APIToken, request: Json<StoreSecret>) -> Json<StoreSecretResponse> {
     let user_name = request.user_name.as_str();
     let decrypted_text = match ENCRYPTION.decrypt(&request.secret) {
         Ok(text) => text,
@@ -23,7 +53,16 @@ pub fn store_secret(_token: APIToken, request: Json<StoreSecret>) -> Json<StoreS
     };
 
     let service = format!("mindwork-ai-studio::{}", request.destination);
-    let entry = Entry::new(service.as_str(), user_name).unwrap();
+    let entry = match Entry::new(service.as_str(), user_name) {
+        Ok(entry) => entry,
+        Err(e) => {
+            error!(Source = "Secret Store"; "Failed to create secret entry for {service} and user {user_name}: {e}.");
+            return Json(StoreSecretResponse {
+                success: false,
+                issue: e.to_string(),
+            });
+        },
+    };
     let result = entry.set_password(decrypted_text.as_str());
     match result {
         Ok(_) => {
@@ -60,11 +99,23 @@ pub struct StoreSecretResponse {
 }
 
 /// Retrieves a secret from the secret store using the operating system's keyring.
-#[post("/secrets/get", data = "<request>")]
-pub fn get_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<RequestedSecret> {
+pub async fn get_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<RequestedSecret> {
     let user_name = request.user_name.as_str();
     let service = format!("mindwork-ai-studio::{}", request.destination);
-    let entry = Entry::new(service.as_str(), user_name).unwrap();
+    let entry = match Entry::new(service.as_str(), user_name) {
+        Ok(entry) => entry,
+        Err(e) => {
+            if !request.is_trying {
+                error!(Source = "Secret Store"; "Failed to create secret entry for '{service}' and user '{user_name}': {e}.");
+            }
+
+            return Json(RequestedSecret {
+                success: false,
+                secret: EncryptedText::new(String::from("")),
+                issue: format!("Failed to create secret entry for '{service}' and user '{user_name}': {e}"),
+            });
+        },
+    };
     let secret = entry.get_password();
     match secret {
         Ok(s) => {
@@ -121,11 +172,20 @@ pub struct RequestedSecret {
 }
 
 /// Deletes a secret from the secret store using the operating system's keyring.
-#[post("/secrets/delete", data = "<request>")]
-pub fn delete_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<DeleteSecretResponse> {
+pub async fn delete_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<DeleteSecretResponse> {
     let user_name = request.user_name.as_str();
     let service = format!("mindwork-ai-studio::{}", request.destination);
-    let entry = Entry::new(service.as_str(), user_name).unwrap();
+    let entry = match Entry::new(service.as_str(), user_name) {
+        Ok(entry) => entry,
+        Err(e) => {
+            error!(Source = "Secret Store"; "Failed to create secret entry for {service} and user {user_name}: {e}.");
+            return Json(DeleteSecretResponse {
+                success: false,
+                was_entry_found: false,
+                issue: e.to_string(),
+            });
+        },
+    };
     let result = entry.delete_credential();
 
     match result {
@@ -138,7 +198,7 @@ pub fn delete_secret(_token: APIToken, request: Json<RequestSecret>) -> Json<Del
             })
         },
 
-        Err(NoEntry) => {
+        Err(KeyringError::NoEntry) => {
             warn!(Source = "Secret Store"; "No secret for {service} and user {user_name} was found.");
             Json(DeleteSecretResponse {
                 success: true,

runtime/src/stale_process_cleanup.rs

@@ -50,7 +50,7 @@ pub fn kill_stale_process(pid_file_path: PathBuf, sidecar_type: SidecarType) ->
 
         let killed = process.kill_with(Signal::Kill).unwrap_or_else(|| process.kill());
         if !killed {
-            return Err(Error::new(ErrorKind::Other, "Failed to kill process"));
+            return Err(Error::other("Failed to kill process"));
         }
         info!(Source="Stale Process Cleanup";"{}: Killed process: \"{}\"", sidecar_type,pid_file_path.display());
     } else {

runtime/tauri.conf.json

@@ -1,7 +1,7 @@
 {
   "productName": "MindWork AI Studio",
   "mainBinaryName": "MindWork AI Studio",
-  "version": "26.5.2",
+  "version": "26.5.4",
   "identifier": "com.github.mindwork-ai.ai-studio",
   
   "build": {
@@ -43,7 +43,7 @@
         "installMode": "passive"
       },
       "endpoints": [
-        "https://github.com/MindWorkAI/AI-Studio/releases/download/v26.5.3/latest.json"
+        "https://github.com/MindWorkAI/AI-Studio/releases/download/v26.5.4/latest.json"
       ],
       "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDM3MzE4MTM4RTNDMkM0NEQKUldSTnhNTGpPSUV4TjFkczFxRFJOZWgydzFQN1dmaFlKbXhJS1YyR1RKS1RnR09jYUpMaGsrWXYK"
     }