Rename AuthMode to Backend, fix LiteLLM variant typo, add image update alerts, clean up Settings

- Fix serde deserialization error: TypeScript sent "lit_llm" but Rust expected "lite_llm"
- Rename AuthMode enum to Backend across Rust and TypeScript (with serde alias for backward compat)
- Add container image update checking via registry digest comparison
- Improve Settings page: fix image address display spacing, remove per-project auth section
- Update UI labels from "Auth" to "Backend" throughout

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/src-tauri/src/commands/project_commands.rs

@@ -1,7 +1,7 @@
 use tauri::{Emitter, State};
 
 use crate::docker;
-use crate::models::{container_config, AuthMode, McpServer, Project, ProjectPath, ProjectStatus};
+use crate::models::{container_config, Backend, McpServer, Project, ProjectPath, ProjectStatus};
 use crate::storage::secure;
 use crate::AppState;
 
@@ -179,27 +179,27 @@ pub async fn start_project_container(
     // Resolve enabled MCP servers for this project
     let (enabled_mcp, docker_mcp) = resolve_mcp_servers(&project, &state);
 
-    // Validate auth mode requirements
-    if project.auth_mode == AuthMode::Bedrock {
+    // Validate backend requirements
+    if project.backend == Backend::Bedrock {
         let bedrock = project.bedrock_config.as_ref()
-            .ok_or_else(|| "Bedrock auth mode selected but no Bedrock configuration found.".to_string())?;
+            .ok_or_else(|| "Bedrock backend selected but no Bedrock configuration found.".to_string())?;
         // Region can come from per-project or global
         if bedrock.aws_region.is_empty() && settings.global_aws.aws_region.is_none() {
-            return Err("AWS region is required for Bedrock auth mode. Set it per-project or in global AWS settings.".to_string());
+            return Err("AWS region is required for Bedrock backend. Set it per-project or in global AWS settings.".to_string());
         }
     }
 
-    if project.auth_mode == AuthMode::Ollama {
+    if project.backend == Backend::Ollama {
         let ollama = project.ollama_config.as_ref()
-            .ok_or_else(|| "Ollama auth mode selected but no Ollama configuration found.".to_string())?;
+            .ok_or_else(|| "Ollama backend selected but no Ollama configuration found.".to_string())?;
         if ollama.base_url.is_empty() {
             return Err("Ollama base URL is required.".to_string());
         }
     }
 
-    if project.auth_mode == AuthMode::LiteLlm {
+    if project.backend == Backend::LiteLlm {
         let litellm = project.litellm_config.as_ref()
-            .ok_or_else(|| "LiteLLM auth mode selected but no LiteLLM configuration found.".to_string())?;
+            .ok_or_else(|| "LiteLLM backend selected but no LiteLLM configuration found.".to_string())?;
         if litellm.base_url.is_empty() {
             return Err("LiteLLM base URL is required.".to_string());
         }

app/src-tauri/src/commands/terminal_commands.rs

@@ -1,6 +1,6 @@
 use tauri::{AppHandle, Emitter, State};
 
-use crate::models::{AuthMode, BedrockAuthMethod, Project};
+use crate::models::{Backend, BedrockAuthMethod, Project};
 use crate::AppState;
 
 /// Build the command to run in the container terminal.
@@ -9,7 +9,7 @@ use crate::AppState;
 /// the AWS session first. If the SSO session is expired, runs `aws sso login`
 /// so the user can re-authenticate (the URL is clickable via xterm.js WebLinksAddon).
 fn build_terminal_cmd(project: &Project, state: &AppState) -> Vec<String> {
-    let is_bedrock_profile = project.auth_mode == AuthMode::Bedrock
+    let is_bedrock_profile = project.backend == Backend::Bedrock
         && project
             .bedrock_config
             .as_ref()

app/src-tauri/src/commands/update_commands.rs

@@ -1,8 +1,16 @@
-use crate::models::{GiteaRelease, ReleaseAsset, UpdateInfo};
+use tauri::State;
+
+use crate::docker;
+use crate::models::{container_config, GiteaRelease, ImageUpdateInfo, ReleaseAsset, UpdateInfo};
+use crate::AppState;
 
 const RELEASES_URL: &str =
     "https://repo.anhonesthost.net/api/v1/repos/cybercovellc/triple-c/releases";
 
+/// Gitea container-registry tag object (v2 manifest).
+const REGISTRY_API_BASE: &str =
+    "https://repo.anhonesthost.net/v2/cybercovellc/triple-c/triple-c-sandbox";
+
 #[tauri::command]
 pub fn get_app_version() -> String {
     env!("CARGO_PKG_VERSION").to_string()
@@ -115,3 +123,96 @@ fn extract_version_from_tag(tag: &str) -> Option<String> {
         None
     }
 }
+
+/// Check whether a newer container image is available in the registry.
+///
+/// Compares the local image digest with the remote registry digest using the
+/// Docker Registry HTTP API v2.  Only applies when the image source is
+/// "registry" (the default); for local builds or custom images we cannot
+/// meaningfully check for remote updates.
+#[tauri::command]
+pub async fn check_image_update(
+    state: State<'_, AppState>,
+) -> Result<Option<ImageUpdateInfo>, String> {
+    let settings = state.settings_store.get();
+
+    // Only check for registry images
+    if settings.image_source != crate::models::app_settings::ImageSource::Registry {
+        return Ok(None);
+    }
+
+    let image_name =
+        container_config::resolve_image_name(&settings.image_source, &settings.custom_image_name);
+
+    // 1. Get local image digest via Docker
+    let local_digest = docker::get_local_image_digest(&image_name).await.ok().flatten();
+
+    // 2. Get remote digest from the Gitea container registry (OCI distribution spec)
+    let remote_digest = fetch_remote_digest("latest").await?;
+
+    // No remote digest available — nothing to compare
+    let remote_digest = match remote_digest {
+        Some(d) => d,
+        None => return Ok(None),
+    };
+
+    // If local digest matches remote, no update
+    if let Some(ref local) = local_digest {
+        if *local == remote_digest {
+            return Ok(None);
+        }
+    }
+
+    // There's a difference (or no local image at all)
+    Ok(Some(ImageUpdateInfo {
+        remote_digest,
+        local_digest,
+        remote_updated_at: None,
+    }))
+}
+
+/// Fetch the digest of a tag from the Gitea container registry using the
+/// OCI / Docker Registry HTTP API v2.
+///
+/// We issue a HEAD request to /v2/<repo>/manifests/<tag> and read the
+/// `Docker-Content-Digest` header that the registry returns.
+async fn fetch_remote_digest(tag: &str) -> Result<Option<String>, String> {
+    let url = format!("{}/manifests/{}", REGISTRY_API_BASE, tag);
+
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(15))
+        .build()
+        .map_err(|e| format!("Failed to create HTTP client: {}", e))?;
+
+    let response = client
+        .head(&url)
+        .header(
+            "Accept",
+            "application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.index.v1+json",
+        )
+        .send()
+        .await;
+
+    match response {
+        Ok(resp) => {
+            if !resp.status().is_success() {
+                log::warn!(
+                    "Registry returned status {} when checking image digest",
+                    resp.status()
+                );
+                return Ok(None);
+            }
+            // The digest is returned in the Docker-Content-Digest header
+            if let Some(digest) = resp.headers().get("docker-content-digest") {
+                if let Ok(val) = digest.to_str() {
+                    return Ok(Some(val.to_string()));
+                }
+            }
+            Ok(None)
+        }
+        Err(e) => {
+            log::warn!("Failed to check registry for image update: {}", e);
+            Ok(None)
+        }
+    }
+}