feat: keep secrets in sync via age-encrypted master key (#208 )

Store all production secrets encrypted in secrets.age (committed to the repo) using age. Only one secret needs to be in CI: SECRETS_AGE_KEY. When a secret changes locally, update secrets.env and re-run scripts/secrets-encrypt.sh to commit a new secrets.age. CI picks up the updated secrets automatically on the next push — no manual CI variable updates required. Changes: - scripts/secrets-encrypt.sh: encrypt secrets.env → secrets.age - scripts/secrets-decrypt.sh: decrypt secrets.age → GITHUB_ENV (CI) or eval-safe export block (local) - scripts/test_secrets.sh: encrypt/decrypt round-trip tests - secrets.env.example: template documenting all production secret keys - ci/main.go: add CheckSecrets function (runs test_secrets.sh via Dagger), wire into Check(), update Graph(); add age to toolchain apt packages - .forgejo/Dockerfile: add age package - .forgejo/workflows/deploy.yml: replace per-secret CI references with a single "Decrypt production secrets" step using SECRETS_AGE_KEY - flake.nix: add age to dev shell - Taskfile.yml: add check-secrets task, include in check-fast - .gitignore: ignore plaintext secrets.env - DAGGER.md: document Option 5 (encrypted secrets file) as active approach Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat: add build mode, Dart version, timestamp to crash report (#205 )
2026-05-24 16:32:27 +02:00 · 2026-05-24 16:06:32 +02:00 · 2026-05-24 15:47:21 +02:00 · 2026-05-24 15:11:56 +02:00 · 2026-05-24 15:07:00 +02:00 · 2026-05-24 14:55:07 +02:00
46 changed files with 2483 additions and 445 deletions
@@ -10,6 +10,7 @@ FROM ghcr.io/catthehacker/ubuntu:go-24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    stunnel4 \
    netcat-openbsd \
    age \
    && rm -rf /var/lib/apt/lists/*
 # Dagger CLI — pinned to match the engine version on the runner host
@@ -3,7 +3,41 @@ name: CI
 on:
  push:
    branches: [main]
    paths:
      - 'lib/**'
      - 'test/**'
      - 'integration_test/**'
      - 'android/**'
      - 'linux/**'
      - 'assets/**'
      - '!assets/changelog.txt'
      - 'pubspec.yaml'
      - 'pubspec.lock'
      - 'analysis_options.yaml'
      - 'scripts/**'
      - 'stalwart-dev/**'
      - 'ci/**'
      - 'Taskfile.yml'
      - 'drift_schemas/**'
      - '.forgejo/workflows/ci.yml'
  pull_request:
    paths:
      - 'lib/**'
      - 'test/**'
      - 'integration_test/**'
      - 'android/**'
      - 'linux/**'
      - 'assets/**'
      - '!assets/changelog.txt'
      - 'pubspec.yaml'
      - 'pubspec.lock'
      - 'analysis_options.yaml'
      - 'scripts/**'
      - 'stalwart-dev/**'
      - 'ci/**'
      - 'Taskfile.yml'
      - 'drift_schemas/**'
      - '.forgejo/workflows/ci.yml'
 jobs:
  check:
@@ -30,11 +64,48 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Locate Docker daemon for local Dagger engine
        run: |
          # Skip if remote Dagger engine is already configured (preferred path)
          if [ -n "${_DAGGER_RUNNER_HOST:-}" ]; then
            echo "Remote Dagger engine configured, no local Docker needed."
            exit 0
          fi
          # Try host Docker socket (DooD) if runner mounts it
          if [ -S /var/run/docker.sock ]; then
            if DOCKER_HOST=unix:///var/run/docker.sock docker info >/dev/null 2>&1; then
              echo "Docker available via host socket."
              echo "DOCKER_HOST=unix:///var/run/docker.sock" >> "$GITHUB_ENV"
              exit 0
            fi
          fi
          echo "WARNING: No remote Dagger engine and no local Docker found." >&2
          echo "  - Remote engine: check DAGGER_STUNNEL_URL secret and that the host proxy is running." >&2
          echo "  - Local Docker: runner does not expose /var/run/docker.sock." >&2
          echo "CI will likely fail at the Dagger step." >&2
      - name: Prune Dagger cache before check
        env:
          DAGGER_NO_NAG: "1"
        # prune(maxUsedSpace) also reclaims named cache volumes (gradle-cache, go-build-cache, etc.)
        # when total cache exceeds the limit; without args only unreferenced entries are removed.
        run: |
          dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }' || true
      - name: Run Full Check Suite
        env:
          DAGGER_NO_NAG: "1"
        run: task check-dagger
      - name: Prune Dagger cache after check
        if: always()
        env:
          DAGGER_NO_NAG: "1"
        run: |
          dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }' || true
      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
@@ -6,20 +6,66 @@ on:
  workflow_dispatch:
 jobs:
-  test-android-firebase:
+  check-changes:
-    name: Android Instrumented Tests (Firebase Test Lab)
+    name: Detect Changed Files
    runs-on: ubuntu-latest
-    timeout-minutes: 60
+    timeout-minutes: 5
    outputs:
      android: ${{ steps.diff.outputs.android }}
      linux: ${{ steps.diff.outputs.linux }}
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 50
+          fetch-depth: 2
      - name: Detect Android and Linux changes
        id: diff
        shell: bash
        run: |
          # On workflow_dispatch always build everything
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            echo "android=true" >> "$GITHUB_OUTPUT"
            echo "linux=true"   >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Diff the HEAD commit against its parent; fall back to listing HEAD's files
          # when the parent is unavailable (initial commit, shallow clone).
          CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null \
            || git show --name-only --format= HEAD)
          echo "Changed files:"
          echo "$CHANGED"
          android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/)'
          linux_re='^(linux/|lib/|pubspec\.yaml|pubspec\.lock)'
          echo "$CHANGED" | grep -qE "$android_re" \
            && echo "android=true" >> "$GITHUB_OUTPUT" \
            || echo "android=false" >> "$GITHUB_OUTPUT"
          echo "$CHANGED" | grep -qE "$linux_re" \
            && echo "linux=true"   >> "$GITHUB_OUTPUT" \
            || echo "linux=false"  >> "$GITHUB_OUTPUT"
  test-android-firebase:
    name: Android Instrumented Tests (Firebase Test Lab)
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.android == 'true'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine (via stunnel)
@@ -30,10 +76,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
-      - name: Run Android Tests on Firebase Test Lab
+      - name: Decrypt production secrets
        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
        env:
          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
        run: scripts/secrets-decrypt.sh
      - name: Run Android Tests on Firebase Test Lab
        if: env.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != ''
        env:
          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
          FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
          DAGGER_NO_NAG: "1"
        run: task test-android-firebase
@@ -45,16 +96,19 @@ jobs:
    name: Build & Deploy to Play Store
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.android == 'true'
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 50
+          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine (via stunnel)
@@ -65,22 +119,58 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
-      - name: Publish Android to Play Store
+      - name: Decrypt production secrets
        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
        env:
          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
        run: scripts/secrets-decrypt.sh
      - name: Publish Android to Play Store
        if: env.PLAY_STORE_CONFIG_JSON != ''
        env:
          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
          DAGGER_NO_NAG: "1"
        run: task publish-android
-      - name: Build & Deploy APK to server
+      - name: Cleanup TLS credentials
-        continue-on-error: true
+        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
  deploy-apk:
    name: Build & Deploy APK to Server
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.android == 'true'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine (via stunnel)
        env:
          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Decrypt production secrets
        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
        env:
          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
        run: scripts/secrets-decrypt.sh
      - name: Build & Deploy APK to server
        if: env.SSH_PRIVATE_KEY != ''
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          DAGGER_NO_NAG: "1"
        run: task deploy-apk
@@ -92,16 +182,19 @@ jobs:
    name: Build Linux Release
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.linux == 'true'
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 50
+          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine (via stunnel)
@@ -112,12 +205,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
-      - name: Build & Deploy Linux to server
+      - name: Decrypt production secrets
-        continue-on-error: true
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
        env:
          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
        run: scripts/secrets-decrypt.sh
      - name: Build & Deploy Linux to server
        if: env.SSH_PRIVATE_KEY != ''
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task deploy-linux
@@ -128,21 +224,22 @@ jobs:
  publish-website:
    name: Publish Website Build History
    runs-on: ubuntu-latest
-    needs: [build-linux, deploy-playstore]
+    needs: [build-linux, deploy-playstore, deploy-apk]
    if: |
      always() &&
-      (needs.build-linux.result == 'success' || needs.deploy-playstore.result == 'success')
+      (needs.build-linux.result == 'success' || needs.deploy-playstore.result == 'success' || needs.deploy-apk.result == 'success')
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 50
+          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine (via stunnel)
@@ -153,12 +250,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
-      - name: Generate build history and deploy website
+      - name: Decrypt production secrets
-        continue-on-error: true
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
        env:
          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
        run: scripts/secrets-decrypt.sh
      - name: Generate build history and deploy website
        if: env.SSH_PRIVATE_KEY != ''
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task publish-website
@@ -169,8 +269,14 @@ jobs:
  label-deploy-health:
    name: Update Deploy Health Label
    runs-on: ubuntu-latest
-    needs: [test-android-firebase, deploy-playstore, build-linux]
+    needs: [test-android-firebase, deploy-playstore, deploy-apk, build-linux]
-    if: always() && vars.DEPLOY_HEALTH_ISSUE != ''
+    if: |
      always() && vars.DEPLOY_HEALTH_ISSUE != '' && (
        needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'failure' ||
        needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'failure' ||
        needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'failure' ||
        needs.build-linux.result == 'success' || needs.build-linux.result == 'failure'
      )
    timeout-minutes: 5
    steps:
@@ -179,7 +285,7 @@ jobs:
          FORGEJO_TOKEN: ${{ github.token }}
          FORGEJO_URL: ${{ github.server_url }}
          DEPLOY_HEALTH_ISSUE: ${{ vars.DEPLOY_HEALTH_ISSUE }}
-          ALL_SUCCEEDED: ${{ needs.test-android-firebase.result == 'success' && needs.deploy-playstore.result == 'success' && needs.build-linux.result == 'success' }}
+          ALL_SUCCEEDED: ${{ (needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'skipped') && (needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'skipped') && (needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'skipped') && (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') }}
        run: |
          python3 - << 'PYEOF'
          import os, json, urllib.request, urllib.error
@@ -11,7 +11,6 @@ jobs:
    name: Build & Deploy Windows (Nightly)
    runs-on: windows-runner
    if: false
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
@@ -32,7 +31,6 @@ jobs:
      - name: Set up SSH key
        if: env.SKIP_BUILD != 'true'
        continue-on-error: true
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
@@ -42,7 +40,6 @@ jobs:
      - name: Deploy Windows to server
        if: env.SKIP_BUILD != 'true'
        continue-on-error: true
        env:
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
@@ -202,6 +202,8 @@ jobs:
          mkdir -p ~/.ssh
          printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts
      - name: Build Linux release
        run: |
@@ -215,20 +217,20 @@ jobs:
          REMOTE_DIR="public_html/builds/$DATE_PATH"
          TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
          tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-          ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+          ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-          scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+          scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
          DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
-          EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" \
+          EXISTING=$(ssh "$SSH_USER@$SSH_HOST" \
            "cat public_html/latest.json 2>/dev/null || echo '{}'")
          WINDOWS_URL=$(echo "$EXISTING" | \
            python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" \
            2>/dev/null || true)
          if [ -n "$WINDOWS_URL" ]; then
            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
          else
            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
          fi
      - name: Generate build history pages
@@ -244,6 +246,5 @@ jobs:
          rsync -avz --delete \
            --exclude='*.apk' \
            --exclude='*.tar.gz' \
            -e "ssh -o StrictHostKeyChecking=no" \
            website/public/ \
            "$SSH_USER@$SSH_HOST:public_html/"
@@ -22,6 +22,7 @@ assets/changelog.txt
 .env.local
 .envrc
 .direnv/
 secrets.env      # plaintext secrets — encrypted version (secrets.age) is committed
 # --- Android ---
 android/.gradle/
@@ -91,3 +91,153 @@ The CI workflow in `.forgejo/workflows/ci.yml` is configured to use the Dagger m
 - **Check Suite:** Runs analysis and tests in parallel.
 - **Builds:** Produces Linux and Android artifacts.
 - **Caching:** When using the shared engine, CI runners benefit from the persistent cache on the host.
 ## Credential Security — Keeping Production Secrets Off Codeberg
 ### Problem
 The current setup stores two categories of secrets in Codeberg repository secrets:
 1. **Dagger access credentials** — TLS certificates used to connect to the remote Dagger engine via stunnel (`DAGGER_CA_CERT`, `DAGGER_CLIENT_CERT`, `DAGGER_CLIENT_KEY`, `DAGGER_STUNNEL_URL`).
 2. **Production secrets** — actual credentials for external services: `ANDROID_KEYSTORE_BASE64`, `ANDROID_KEYSTORE_PASSWORD`, `PLAY_STORE_CONFIG_JSON`, `SSH_PRIVATE_KEY`, `FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY`.
 If Codeberg is compromised, both categories are leaked. The Dagger TLS certificates enable access only to the Dagger engine and have limited blast radius. But the production secrets give direct access to the Play Store, the Android signing key, the deployment server, and Firebase — a much larger blast radius.
 **Goal:** Keep only Dagger access credentials in Codeberg. Store all production secrets on the Dagger host machine so they never touch Codeberg.
 ### Option 1: Runner-level environment variables
 Store production secrets as environment variables in the Forgejo runner's systemd service (e.g., via a `EnvironmentFile=` in the service override). The runner injects host env vars into job processes automatically. CI workflows drop the `${{ secrets.XYZ }}` references for production secrets entirely — the variables are already present in the job environment.
 **Pro:**
 - No new infrastructure required.
 - Works with the existing `dagger call --progress=plain --secret env:VAR_NAME` argument style.
 - Secrets never enter Codeberg.
 - Straightforward to set up on a single self-hosted runner.
 **Con:**
 - Env vars are visible to every process on the runner host (e.g., via `/proc/<pid>/environ`).
 - Rotating a secret requires host access (no API).
 - Does not scale cleanly to multiple runners without a shared secrets mechanism.
 ### Option 2: Secret files on the CI host with restricted permissions
 Store production secrets as files owned by the runner user with mode `600` (e.g., `/home/forgejo-runner/secrets/play_store.json`). A small setup script reads the files and either exports them as env vars or passes them directly as file-type arguments to `dagger call --progress=plain`. CI workflows contain no secret references at all.
 **Pro:**
 - OS-level file permissions limit access to the runner user.
 - Natural format for JSON payloads and key files.
 - Easy to audit (list files, check mtime).
 - No new infrastructure.
 **Con:**
 - Plaintext files on disk; root or backup access exposes them.
 - Workflow must know file paths (either hardcoded or by convention).
 - Rotation still requires host filesystem access.
 ### Option 3: Dagger host as pipeline orchestrator
 Instead of the CI runner invoking the Dagger CLI directly, the CI job sends a trigger to the Dagger host over SSH. The Dagger host runs the pipeline locally against its own environment, where secrets live as env vars or files. Codeberg only stores the SSH key to reach the Dagger host — not the production secrets.
 ```yaml
 # CI job only does this:
 - name: Trigger pipeline on Dagger host
  run: ssh dagger-host "cd sharedinbox && task publish-android"
  env:
    SSH_PRIVATE_KEY: ${{ secrets.DAGGER_TRIGGER_SSH_KEY }}
 ```
 **Pro:**
 - Production secrets never leave the Dagger host.
 - Codeberg stores exactly one secret: the trigger SSH key.
 - All deployment logic and secrets are fully contained on the host.
 **Con:**
 - Harder to stream structured CI logs back to Codeberg Actions.
 - Dynamic context (commit SHA, PR branch) must be passed explicitly over SSH.
 - The trigger SSH key still grants shell access to the host, so its compromise has its own blast radius.
 - CI becomes a "fire-and-forget" call, making failure attribution harder.
 ### Option 4: External secret manager (e.g., HashiCorp Vault)
 Run a secret manager co-located with the Dagger host. The CI job authenticates with a short-lived AppRole credential (stored in Codeberg) and retrieves secrets at runtime. Vault can also be configured with IP-allow-lists to further restrict who can authenticate.
 **Pro:**
 - Full audit trail: every secret read is logged with a timestamp and caller identity.
 - Fine-grained access control per secret.
 - Built-in versioning and rotation support.
 - Industry-standard approach; scales to team or multi-runner setups.
 **Con:**
 - Significant additional infrastructure to install, configure, and maintain.
 - Vault credentials (RoleID + SecretID) still need to be in Codeberg, though with a smaller blast radius than raw secrets.
 - Vault itself becomes a security-critical single point of failure.
 - Operational overhead likely disproportionate for a small single-developer project.
 ### Option 5: Encrypted secrets file (age) — **implemented**
 Store all production secrets in a file (`secrets.env`) that is encrypted with
 [age](https://age-encryption.org/) into `secrets.age`. The encrypted file is
 committed to the repository. Only the age private key — a single string — is
 stored in Codeberg as `SECRETS_AGE_KEY`. Any CI job or developer with the key
 can decrypt the file and obtain all secrets.
 **How it works:**
 1. Generate a key pair once:
   ```bash
   age-keygen -o ~/.config/age/sharedinbox.key
   age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key
   ```
 2. Copy `secrets.env.example` to `secrets.env`, fill in all values, then encrypt:
   ```bash
   scripts/secrets-encrypt.sh   # reads public key from .age-public-key
   git add secrets.age && git commit -m "chore: update encrypted secrets"
   ```
 3. Add the private key content as `SECRETS_AGE_KEY` in Codeberg repository secrets.
 4. CI jobs call `scripts/secrets-decrypt.sh` (with `SECRETS_AGE_KEY` set) before
   any step that needs production credentials. The script writes each variable
   to `$GITHUB_ENV` so subsequent steps see them automatically.
 **Keeping local and CI in sync:**
 When you rotate a secret locally, update `secrets.env`, re-run
 `scripts/secrets-encrypt.sh`, and commit the new `secrets.age`. CI will pick
 up the fresh secrets on the next push — no manual CI variable updates needed.
 Multi-line values (SSH keys, certificates) must be stored as a single line
 with `\n` escape sequences inside double quotes. Example:
 ```
 SSH_PRIVATE_KEY="<header>\n<base64 key body>\n<footer>"
 ```
 **Pro:**
 - One secret (`SECRETS_AGE_KEY`) in Codeberg instead of many.
 - Encrypted secrets are version-controlled — rotating a secret is a git commit.
 - Local dev environment and CI always use the same encrypted source of truth.
 - `age` is a simple, audited tool with no server infrastructure.
 - The private key never appears in workflow files or logs.
 **Con:**
 - `secrets.age` exposes the list of variable *names* (visible in the encrypted
  file if the format leaks, though not the values).
 - All credentials share a single key — compromising `SECRETS_AGE_KEY` exposes
  everything at once.
 - Key rotation requires re-encrypting `secrets.age` and updating the CI secret.
 ### Recommendation
 **Option 5** (encrypted secrets file) is now the active approach. It reduces
 Codeberg secrets to exactly two categories:
 - **Dagger access credentials** — `DAGGER_STUNNEL_URL`, `DAGGER_CA_CERT`,
  `DAGGER_CLIENT_CERT`, `DAGGER_CLIENT_KEY`.
 - **Master key** — `SECRETS_AGE_KEY`.
 **Option 1** (runner-level env vars) or **Option 2** (secret files) remain
 valid if you prefer not to commit an encrypted file to the repository.
 **Option 3** (Dagger host as orchestrator) is worth considering once the
 trigger SSH key replaces all other secrets in Codeberg — it offers the cleanest
 security boundary at the cost of reduced CI observability.
 **Option 4** (Vault) becomes worthwhile if the project grows to multiple
 runners or team members who each need audited access to deploy credentials.
@@ -215,8 +215,10 @@ tasks:
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
  build-android-bundle:
    desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
@@ -251,17 +253,24 @@ tasks:
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
      - sh: test -n "$ANDROID_KEYSTORE_BASE64"
        msg: "ANDROID_KEYSTORE_BASE64 is not set"
      - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
        msg: "ANDROID_KEYSTORE_PASSWORD is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
  publish-website:
    desc: Build and publish website via Dagger
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key file:$HOME/.ssh/id_ed25519 --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
  check-dagger:
    desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)
@@ -284,8 +293,13 @@ tasks:
          for attempt in 1 2 3; do
            run_dagger "$@" && return 0
            RC=$?
-            if [ "$attempt" -lt 3 ] && grep -qE "connection reset|context canceled|connection refused" "$DAGGER_OUT"; then
+            if [ "$attempt" -lt 3 ] && grep -qE "connection reset|context canceled|connection refused|invalid return status code" "$DAGGER_OUT"; then
              echo "$(_ts) dagger: network error on attempt $attempt/3, retrying..." >&2
            elif [ "$attempt" -lt 3 ] && grep -q "No space left on device" "$DAGGER_OUT"; then
              echo "$(_ts) dagger: disk space error on attempt $attempt/3, pruning Dagger cache..." >&2
              dagger query '{ engine { localCache { prune(targetSpace: "20gb") } } }' 2>/dev/null || true
              echo "$(_ts) dagger: waiting 90s for freed space to settle..." >&2
              sleep 90
            else
              return "$RC"
            fi
@@ -315,6 +329,12 @@ tasks:
        wait "$RECV_PID" 2>/dev/null || true
        exit $RC
  dagger-prune:
    desc: Prune the Dagger engine cache (keeps named volumes unless total exceeds 75 GB, then targets 50 GB)
    cmds:
      - |
        dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }'
  integration-android:
    desc: UI integration tests on a connected Android emulator (Stalwart on host, emulator reaches it via 10.0.2.2)
    deps: [_preflight, _android-sdk-check, _android-avd-setup]
@@ -362,25 +382,29 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
        tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+        scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
        DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
        # Merge with any existing latest.json so we don't overwrite the windows key
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
        WINDOWS_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" 2>/dev/null || true)
        if [ -n "$WINDOWS_URL" ]; then
          echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        else
          echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        fi
        echo "Uploaded $TARBALL and updated latest.json"
@@ -405,24 +429,28 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        ZIPFILE="sharedinbox-windows-x64-$HASH.zip"
        cd build/windows/x64/runner && zip -r /tmp/$ZIPFILE Release/ && cd -
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
+        scp /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
        DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$ZIPFILE"
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
        LINUX_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('linux',''))" 2>/dev/null || true)
        if [ -n "$LINUX_URL" ]; then
          echo "{\"version\":\"$HASH\",\"linux\":\"$LINUX_URL\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        else
          echo "{\"version\":\"$HASH\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        fi
        echo "Uploaded $ZIPFILE and updated latest.json"
@@ -572,14 +600,18 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        APK_NAME="sharedinbox-mua-$HASH.apk"
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no \
+        scp \
          build/app/outputs/flutter-apk/app-release.apk \
          "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$APK_NAME"
        echo "Uploaded $APK_NAME to $REMOTE_DIR"
@@ -608,18 +640,27 @@ tasks:
  website-deploy:
    desc: Deploy the website via rsync to public_html
    deps: [website-build]
    preconditions:
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        rsync -avz --delete \
          --exclude='*.apk' \
          --exclude='*.tar.gz' \
          -e "ssh -o StrictHostKeyChecking=no" \
          website/public/ \
          ${SSH_USER}@${SSH_HOST}:public_html/
  check-fast:
    desc: Pre-commit checks — analyze + unit+widget tests + coverage gate (no build, no integration)
-    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks]
+    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks, check-secrets]
  check-secrets:
    desc: Test secrets encrypt/decrypt scripts (requires age)
    cmds:
      - bash scripts/test_secrets.sh
  check-layers:
    desc: Enforce architecture — ui/ must not import data/ (only core/ interfaces allowed)
@@ -183,7 +183,7 @@ func (m *Ci) toolchain() *dagger.Container {
 	return dag.Container().
 		From("ghcr.io/cirruslabs/flutter:3.41.6").
 		WithExec([]string{"apt-get", "-qq", "update"}).
-		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld"}).
+		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld", "age"}).
 		WithExec([]string{"useradd", "-m", "-s", "/bin/bash", "ci"}).
 		WithExec([]string{"/bin/sh", "-c",
 			`flutter_dir=$(dirname $(dirname $(which flutter))); ` +
@@ -195,7 +195,8 @@ func (m *Ci) toolchain() *dagger.Container {
 		WithUser("ci").
 		WithExec([]string{"/bin/sh", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`yes | sdkmanager "ndk;28.2.13676358" "cmake;3.22.1" "build-tools;35.0.0" "platforms;android-34" >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }`})
+				`yes | sdkmanager "ndk;28.2.13676358" "cmake;3.22.1" "build-tools;35.0.0" "platforms;android-34" >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }`}).
 		WithExec([]string{"flutter", "precache", "--linux", "--no-android", "--no-ios"})
 }
 // Base is the Flutter toolchain container with mutable cache mounts attached.
@@ -221,7 +222,7 @@ func (m *Ci) pubGetLayer() *dagger.Container {
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
 				`flutter pub get >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
-				`grep -vE '^[+~><] ' "$tmp" || true`}).
+				`grep -vE '^(\+|Downloading packages)' "$tmp" || true`}).
 		WithExec([]string{"python3", "-c",
 			"import json, os\n" +
 				"f='.dart_tool/package_config.json'; d=json.load(open(f)); [d.pop(k,None) for k in ('generated','generatorVersion')]; json.dump(d,open(f,'w'))\n" +
@@ -245,7 +246,7 @@ func (m *Ci) codegenBase() *dagger.Container {
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
 				`flutter pub run build_runner build --delete-conflicting-outputs >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
-				`grep -vE '^\[' "$tmp" || true`})
+				`grep -vE '^\[.*s\] \|' "$tmp" || true`})
 }
 // setup overlays platform-specific source files onto the shared codegen base.
@@ -312,17 +313,19 @@ func (m *Ci) Hugo() *dagger.Container {
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "curl", "tar", "libc6-compat", "libstdc++", "gcompat"}).
 		WithExec([]string{"curl", "-sL", "https://github.com/gohugoio/hugo/releases/download/v0.152.2/hugo_extended_0.152.2_linux-amd64.tar.gz", "-o", "/tmp/hugo.tar.gz"}).
 		WithExec([]string{"sh", "-c", "echo '416bcfbdf5f68469ec9644dbe507da50fc21b94b69a125b059d64ed2cb4d8c27  /tmp/hugo.tar.gz' | sha256sum -c -"}).
 		WithExec([]string{"tar", "-xzf", "/tmp/hugo.tar.gz", "-C", "/usr/local/bin", "hugo"}).
 		WithExec([]string{"rm", "/tmp/hugo.tar.gz"})
 }
 // Deploy container for rsync/ssh
-func (m *Ci) Deployer(sshKey *dagger.Secret) *dagger.Container {
+func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container {
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithEnvVariable("RSYNC_RSH", "ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519")
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }
 // Stalwart mail server service for backend and integration tests.
@@ -378,6 +381,21 @@ func (m *Ci) CheckHygiene(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }
 // CheckSecrets verifies the secrets encrypt/decrypt scripts work correctly.
 func (m *Ci) CheckSecrets(ctx context.Context) (string, error) {
 	scriptSrc := m.Source.Filter(dagger.DirectoryFilterOpts{
 		Include: []string{"scripts/secrets-encrypt.sh", "scripts/secrets-decrypt.sh", "scripts/test_secrets.sh"},
 	})
 	return dag.Container().
 		From("ghcr.io/cirruslabs/flutter:3.41.6").
 		WithExec([]string{"apt-get", "-qq", "update"}).
 		WithExec([]string{"apt-get", "install", "-y", "-qq", "age"}).
 		WithDirectory("/src", scriptSrc).
 		WithWorkdir("/src").
 		WithExec([]string{"bash", "scripts/test_secrets.sh"}).
 		Stdout(ctx)
 }
 // CheckLayers enforces that ui/ does not import data/.
 func (m *Ci) CheckLayers(ctx context.Context) (string, error) {
 	return m.Base().
@@ -410,7 +428,7 @@ func (m *Ci) CheckMocks(ctx context.Context) (string, error) {
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
 				`flutter pub run build_runner build --delete-conflicting-outputs >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
-				`grep -vE '^\[' "$tmp" || true`}).
+				`grep -vE '^\[.*s\] \|' "$tmp" || true`}).
 		WithExec([]string{"/bin/bash", "-c", "CHANGED=$(find . -name '*.mocks.dart' | xargs -r git diff --exit-code); if [ $? -ne 0 ]; then echo \"ERROR: Mocks are out of date\"; exit 1; fi; echo \"Mocks are up to date.\""}).
 		Stdout(ctx)
 }
@@ -468,6 +486,9 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 	if _, err := m.CheckLayers(ctx); err != nil {
 		return "Layer check failed", err
 	}
 	if _, err := m.CheckSecrets(ctx); err != nil {
 		return "Secrets script check failed", err
 	}
 	checkSetup := m.setup(m.checkSrc())
@@ -513,6 +534,7 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 func (m *Ci) GenerateBuildHistory(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
@@ -524,7 +546,7 @@ func (m *Ci) GenerateBuildHistory(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "openssh-client"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithExec([]string{"chmod", "700", "/root/.ssh"}).
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("SSH_USER", sshUser).
 		WithEnvVariable("SSH_HOST", sshHost).
 		WithDirectory("/src", scriptSource).
@@ -537,10 +559,11 @@ func (m *Ci) GenerateBuildHistory(
 func (m *Ci) BuildWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
-	buildHistory := m.GenerateBuildHistory(ctx, sshKey, sshUser, sshHost)
+	buildHistory := m.GenerateBuildHistory(ctx, sshKey, knownHosts, sshUser, sshHost)
 	websiteSource := m.Source.Filter(dagger.DirectoryFilterOpts{
 		Include: []string{"website/"},
@@ -557,12 +580,13 @@ func (m *Ci) BuildWebsite(
 func (m *Ci) PublishWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) (string, error) {
-	public := m.BuildWebsite(ctx, sshKey, sshUser, sshHost)
+	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost)
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/public", public).
 		WithExec([]string{"rsync", "-avz", "--delete",
 			"--exclude=*.apk", "--exclude=*.tar.gz",
@@ -588,6 +612,7 @@ func (m *Ci) BuildLinuxRelease() *dagger.Directory {
 func (m *Ci) DeployLinux(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -598,11 +623,11 @@ func (m *Ci) DeployLinux(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	tarball := fmt.Sprintf("sharedinbox-linux-amd64-%s.tar.gz", commitHash)
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/bundle", bundle).
 		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("tar -czf /tmp/%s -C /bundle .", tarball)}).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
 		Stdout(ctx)
 }
@@ -625,6 +650,7 @@ func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *da
 func (m *Ci) DeployApk(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -638,10 +664,10 @@ func (m *Ci) DeployApk(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	apkName := fmt.Sprintf("sharedinbox-mua-%s.apk", commitHash)
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithFile("/tmp/app.apk", apk).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
 		Stdout(ctx)
 }
@@ -649,9 +675,12 @@ func (m *Ci) DeployApk(
 // Returns a flat directory with app-debug.apk and app-debug-androidTest.apk.
 func (m *Ci) BuildAndroidDebugApks() *dagger.Directory {
 	built := m.setup(m.firebaseSrc()).
 		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"), dagger.ContainerWithMountedCacheOpts{Owner: "ci"}).
 		WithExec([]string{"flutter", "build", "apk", "--debug", "--no-pub"}).
 		WithWorkdir("/src/android").
-		WithExec([]string{"./gradlew", "app:assembleAndroidTest"}).
+		// --no-daemon avoids connecting to a stale daemon whose registry file was
 		// preserved in the Dagger layer snapshot but whose process no longer exists.
 		WithExec([]string{"./gradlew", "--no-daemon", "app:assembleAndroidTest"}).
 		WithWorkdir("/src").
 		WithExec([]string{"/bin/bash", "-c",
 			`apk=$(find /src -path "*androidTest*" -name "*.apk" -type f 2>/dev/null | head -1) && \
@@ -735,7 +764,7 @@ func (m *Ci) UploadToPlayStore(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "curl"}).
 		WithMountedCache("/root/.cache/pip", dag.CacheVolume("pip-cache")).
-		WithExec([]string{"pip", "install", "requests", "google-auth"}).
+		WithExec([]string{"pip", "install", "google-auth", "requests"}).
 		WithFile("/src/build/app/outputs/bundle/release/app-release.aab", aab).
 		WithFile("/src/scripts/deploy_playstore.py", scriptSource.File("scripts/deploy_playstore.py")).
 		WithSecretVariable("PLAY_STORE_CONFIG_JSON", playStoreConfig).
@@ -800,7 +829,7 @@ func (m *Ci) Graph() string {
 ` + "```" + `mermaid
 flowchart TD
    subgraph dagger ["Dagger · Check pipeline"]
-        toolchain["toolchain\nflutter:3.41.6 + NDK + apt"]
+        toolchain["toolchain\nflutter:3.41.6 + NDK + apt + precache"]
        pubGet["pubGetLayer\nflutter pub get"]
        codegen["codegenBase\nbuild_runner build\n(shared cache)"]
        stalwart(["Stalwart service\nIMAP · JMAP · SMTP · Sieve"])
@@ -810,6 +839,7 @@ flowchart TD
        pubGet --> hygiene["CheckHygiene"]
        pubGet --> layers["CheckLayers"]
        pubGet --> secrets["CheckSecrets\nage encrypt/decrypt"]
        pubGet --> mocks["CheckMocks\n(own build_runner run)"]
        codegen --> fmt["Format"]
@@ -823,6 +853,7 @@ flowchart TD
        hygiene    --> check{{"✓ Check"}}
        layers     --> check
        secrets    --> check
        fmt        --> check
        analyze    --> check
        mocks      --> check
@@ -831,16 +862,25 @@ flowchart TD
        integration --> check
    end
-    subgraph forgejo ["Codeberg CI · .forgejo/workflows/ci.yml"]
+    subgraph forgejo_ci ["Codeberg CI · ci.yml (push/PR, source paths only)"]
        ciCheck["check"]
-        buildLinux["build-linux\n(main only)"]
+    end
        deployPS["deploy-playstore\n(main only)"]
        pubWeb["publish-website\n(main only)"]
-        ciCheck --> buildLinux
+    subgraph forgejo_deploy ["Codeberg CI · deploy.yml (hourly schedule + workflow_dispatch)"]
-        ciCheck --> deployPS
+        detectChanges["check-changes\ndetect android / linux diff"]
        buildLinux["build-linux\n(linux changed)"]
        deployPS["deploy-playstore\n(android changed)"]
        deployApk["deploy-apk\n(android changed)"]
        fbTest["test-android-firebase\n(android changed)"]
        pubWeb["publish-website\n(any build succeeded)"]
        detectChanges --> buildLinux
        detectChanges --> deployPS
        detectChanges --> deployApk
        detectChanges --> fbTest
        buildLinux  --> pubWeb
        deployPS    --> pubWeb
        deployApk   --> pubWeb
    end
    check -- "task check-dagger" --> ciCheck
@@ -1,24 +1,17 @@
 #!/usr/bin/env python3
 """
 Cron deploy script for sharedinbox website.
-Runs every 5 minutes; skips if origin/main has not changed since last successful deploy.
+Runs every 5 minutes; skips if origin/main has not changed since last trigger.
-Gives up and creates a Codeberg issue after 5 consecutive failures on the same commit.
+Triggers the 'Deploy Website' Forgejo Actions workflow via fgj on each new commit.
 Forgejo Actions handles failure reporting.
 """
 import subprocess
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
 REPO_DIR = Path(__file__).parent.resolve()
-SHA_FILE        = REPO_DIR / '.last_deployed_sha'
+SHA_FILE = REPO_DIR / '.last_deployed_sha'
 FAILED_SHA_FILE = REPO_DIR / '.last_failed_sha'
 FAIL_COUNT_FILE = REPO_DIR / '.fail_count'
 ERROR_FILE      = REPO_DIR / '.last_deploy_error'
 ISSUE_SHA_FILE  = REPO_DIR / '.last_issue_sha'
 MAX_FAILURES = 5
 REPO = 'guettli/sharedinbox'
 CODEBERG = 'https://codeberg.org'
 def git(*args):
@@ -32,115 +25,30 @@ def read(path: Path) -> str:
    return path.read_text().strip() if path.exists() else ''
 def read_int(path: Path) -> int:
    try:
        return int(read(path))
    except ValueError:
        return 0
 def issue_exists_for(sha: str) -> bool:
    """Check Codeberg for an open issue referencing this commit SHA."""
    result = subprocess.run(
        ['tea', 'issue', 'list', '--repo', REPO, '--state', 'open',
         '--limit', '50', '--output', 'simple'],
        capture_output=True, text=True,
    )
    return sha[:8] in result.stdout
 def create_issue(failed_sha: str, fail_count: int) -> None:
    error_output = read(ERROR_FILE)
    tail = '\n'.join(error_output.splitlines()[-40:]) if error_output else '(no output captured)'
    commit_url = f'{CODEBERG}/{REPO}/commit/{failed_sha}'
    script_url = f'{CODEBERG}/{REPO}/src/branch/main/deploy_cron.py'
    timestamp = datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')
    title = f'Deploy failed {fail_count}x on {failed_sha[:8]} — needs fix'
    body = f"""\
 ## Deploy failure — action needed
 The automated deploy cron failed **{fail_count} times** on commit \
 [{failed_sha[:8]}]({commit_url}) and has stopped retrying.
 | | |
 |---|---|
 | **Detected** | {timestamp} |
 | **Failing commit** | [{failed_sha}]({commit_url}) |
 | **Failures** | {fail_count} / {MAX_FAILURES} |
 | **Deploy script** | [deploy_cron.py]({script_url}) |
 | **Log file** | `~/si-deploy-cron/deploy.log` |
 ### Last deploy output
 ```
 {tail}
 ```
 ### Next steps
 Push a fix to `main` — the cron (every 5 min) will retry automatically on the next commit.
 """
    result = subprocess.run(
        ['tea', 'issue', 'create',
         '--repo', REPO,
         '--title', title,
         '--description', body,
         '--labels', 'State/Ready,Prio/High'],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        print(f'Failed to create issue: {result.stderr}', file=sys.stderr)
    else:
        print(f'Issue created: {result.stdout.strip()}')
 def main():
-    git('fetch', 'origin', 'main')
+    try:
        git('fetch', 'origin', 'main')
    except subprocess.CalledProcessError as exc:
        print(f'git fetch failed (transient?): {exc} — skipping this run.', file=sys.stderr)
        return
    remote_sha = git('rev-parse', 'origin/main')
-
+    last_sha = read(SHA_FILE)
    last_sha    = read(SHA_FILE)
    last_failed = read(FAILED_SHA_FILE)
    fail_count  = read_int(FAIL_COUNT_FILE) if remote_sha == last_failed else 0
    last_issue  = read(ISSUE_SHA_FILE)
    if remote_sha == last_sha:
        print(f'No changes since {remote_sha[:8]}, skipping.')
        return
-    if fail_count >= MAX_FAILURES:
+    print(f'New commit {remote_sha[:8]} (was {last_sha[:8] or "none"}) — triggering workflow...')
        if remote_sha != last_issue and not issue_exists_for(remote_sha):
            print(f'{remote_sha[:8]} failed {fail_count}x — creating issue.')
            create_issue(remote_sha, fail_count)
            ISSUE_SHA_FILE.write_text(remote_sha + '\n')
        else:
            print(f'{remote_sha[:8]} failed {fail_count}x, issue already exists, skipping.')
        return
    attempt = fail_count + 1
    print(f'Deploying {remote_sha[:8]} (attempt {attempt}/{MAX_FAILURES}, was {last_sha[:8] or "none"})...')
    git('pull', '--ff-only', 'origin', 'main')
    result = subprocess.run(
-        ['task', 'publish-website'],
+        ['fgj', 'actions', 'workflow', 'run', 'website.yml', '-R', REPO],
        cwd=REPO_DIR,
        capture_output=True, text=True,
    )
    combined = result.stdout + result.stderr
    print(combined, end='')
    if result.returncode != 0:
-        print(f'Deploy failed (exit {result.returncode}), attempt {attempt}/{MAX_FAILURES}', file=sys.stderr)
+        print(f'fgj workflow run failed: {result.stderr}', file=sys.stderr)
        FAILED_SHA_FILE.write_text(remote_sha + '\n')
        FAIL_COUNT_FILE.write_text(str(attempt) + '\n')
        ERROR_FILE.write_text(combined)
        sys.exit(1)
    SHA_FILE.write_text(remote_sha + '\n')
-    for f in (FAILED_SHA_FILE, FAIL_COUNT_FILE, ERROR_FILE, ISSUE_SHA_FILE):
+    print('Workflow triggered.')
        f.unlink(missing_ok=True)
    print('Deploy complete.')
 if __name__ == '__main__':
@@ -87,6 +87,9 @@
            # Website
            hugo
            # Secrets management (master-key encryption for CI sync)
            age
            # Utilities
            git
            curl
@@ -94,8 +97,9 @@
            sqlite
            # python3 base + Google Play API client (for scripts/deploy_playstore.py)
            (python3.withPackages (ps: with ps; [
-              google-auth
+              google-api-python-client
-              requests
+              google-auth-httplib2
              httplib2
            ]))  # used by stalwart-dev/start and deploy_playstore.py
            fgj      # Codeberg/Forgejo CLI (like gh for GitHub)
          ]);
@@ -13,7 +13,7 @@ Future<void> initNotifications() async {
  try {
    const android = AndroidInitializationSettings('@mipmap/ic_launcher');
    await _plugin.initialize(
-      const InitializationSettings(android: android),
+      settings: const InitializationSettings(android: android),
      onDidReceiveNotificationResponse: (_) {},
    );
    await _plugin
@@ -31,10 +31,10 @@ Future<void> initNotifications() async {
 Future<void> showNewMailNotification(String accountEmail) async {
  if (!Platform.isAndroid || !_initialized) return;
  await _plugin.show(
-    accountEmail.hashCode & 0x7FFFFFFF,
+    id: accountEmail.hashCode & 0x7FFFFFFF,
-    'New mail',
+    title: 'New mail',
-    accountEmail,
+    body: accountEmail,
-    const NotificationDetails(
+    notificationDetails: const NotificationDetails(
      android: AndroidNotificationDetails(
        _kChannelId,
        _kChannelName,
@@ -4,38 +4,39 @@ import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/di.dart';
-class UndoService extends StateNotifier<List<UndoAction>> {
+class UndoService extends Notifier<List<UndoAction>> {
  UndoService(this._ref) : super([]);
  final Ref _ref;
  static const int _maxHistory = 10;
-  // Resolves once init() has loaded persisted history. Default to an already-
+  // Resolves once build() has loaded persisted history.
-  // resolved future so operations are safe even if init() is never called.
+  late Future<void> _ready;
  Future<void> _ready = Future.value();
-  Future<void> init() async {
+  @override
-    _ready = _ref.read(undoRepositoryProvider).getHistory().then((history) {
+  List<UndoAction> build() {
-      if (mounted) state = history;
+    _ready = ref.read(undoRepositoryProvider).getHistory().then((history) {
      if (ref.mounted) state = history;
    });
-    await _ready;
+    return [];
  }
  /// Waits for the persisted history to finish loading. Called by tests to
  /// ensure the provider is ready before asserting state.
  Future<void> init() => _ready;
  Future<void> pushAction(UndoAction action) async {
    await _ready;
    final newList = [...state, action];
    if (newList.length > _maxHistory) {
      final removed = newList.removeAt(0);
-      await _ref.read(undoRepositoryProvider).deleteAction(removed.id);
+      await ref.read(undoRepositoryProvider).deleteAction(removed.id);
    }
    state = newList;
-    await _ref.read(undoRepositoryProvider).saveAction(action);
+    await ref.read(undoRepositoryProvider).saveAction(action);
  }
  Future<void> clear() async {
    await _ready;
    state = [];
-    unawaited(_ref.read(undoRepositoryProvider).clearHistory());
+    unawaited(ref.read(undoRepositoryProvider).clearHistory());
  }
  Future<void> undo({String? actionId}) async {
@@ -57,7 +58,7 @@ class UndoService extends StateNotifier<List<UndoAction>> {
    // happened and retry if the undo failed (e.g. after an IMAP sync reverted
    // the local change). The inverse action added below allows undoing the undo.
-    final repo = _ref.read(emailRepositoryProvider);
+    final repo = ref.read(emailRepositoryProvider);
    for (final id in action.emailIds) {
      // 1. Try to cancel the original change (if not started yet).
@@ -1,6 +1,7 @@
 import 'dart:async';
 import 'package:enough_mail/enough_mail.dart' as imap;
 import 'package:flutter/services.dart' show MissingPluginException;
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart' show SyncEmailsResult;
 import 'package:sharedinbox/core/repositories/account_repository.dart';
@@ -294,6 +295,7 @@ class _AccountSync implements _SyncLoop {
  bool _isPermanentError(Object e) {
    if (isTlsConfigError(e)) return true;
    if (e is MissingPluginException) return true;
    final s = e.toString().toLowerCase();
    // enough_mail doesn't always have typed exceptions for auth, so we check strings.
    return s.contains('invalid credentials') ||
@@ -546,6 +548,7 @@ class _JmapAccountSync implements _SyncLoop {
  bool _isPermanentError(Object e) {
    if (isTlsConfigError(e)) return true;
    if (e is MissingPluginException) return true;
    final s = e.toString().toLowerCase();
    return s.contains('invalid credentials') ||
        s.contains('authentication failed') ||
@@ -6,6 +6,7 @@ import 'package:drift/drift.dart';
 import 'package:drift/native.dart';
 import 'package:enough_mail/enough_mail.dart' as imap;
 import 'package:flutter/services.dart';
 import 'package:flutter/widgets.dart';
 import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
@@ -24,6 +25,9 @@ const _kResourceType = 'background_check';
@pragma('vm:entry-point')
 void callbackDispatcher() {
  // Required so that path_provider and other plugins are available in this
  // background isolate (issue #192).
  WidgetsFlutterBinding.ensureInitialized();
  Workmanager().executeTask((_, __) async {
    try {
      await _doBackgroundSync();
@@ -596,8 +596,10 @@ Future<void> initDatabasePath() async {
 Future<String> _resolveDatabasePath() async {
  if (_dbPath != null) return _dbPath!;
  // initDatabasePath() failed (channel not ready before runApp). Retry now
-  // that the engine is fully initialised, with brief back-off.
+  // that the engine is fully initialised, with back-off. Some slow Android
-  const delays = [100, 300, 600];
+  // devices need several seconds for the Pigeon channel to become ready
  // (issue #166), so use a longer schedule than the initial attempt.
  const delays = [200, 500, 1000, 2000, 4000];
  for (final ms in delays) {
    try {
      final dir = await getApplicationSupportDirectory();
@@ -607,6 +609,17 @@ Future<String> _resolveDatabasePath() async {
      await Future<void>.delayed(Duration(milliseconds: ms));
    }
  }
  // On Android, path_provider can be permanently broken on some devices
  // regardless of how long we wait (issue #192).  Derive the path from
  // /proc/self/cmdline (the Android process name == package name) without
  // a platform channel as a last resort so the app can still open its DB.
  if (Platform.isAndroid) {
    final fallback = await _androidFallbackPath();
    if (fallback != null) {
      _dbPath = fallback;
      return _dbPath!;
    }
  }
  throw PlatformException(
    code: 'channel-error',
    message: 'path_provider unavailable after ${delays.length + 1} attempts — '
@@ -614,6 +627,45 @@ Future<String> _resolveDatabasePath() async {
  );
 }
 // Reads /proc/self/cmdline to extract the Android package name, then
 // constructs the standard app files-dir path without a platform channel.
 // Returns null when the path cannot be determined or created.
 Future<String?> _androidFallbackPath() async {
  try {
    final bytes = await File('/proc/self/cmdline').readAsBytes();
    final end = bytes.indexOf(0);
    final packageName = String.fromCharCodes(
      end >= 0 ? bytes.sublist(0, end) : bytes,
    ).trim();
    // A valid Android package name contains dots but not slashes.
    if (packageName.isEmpty ||
        !packageName.contains('.') ||
        packageName.contains('/')) {
      return null;
    }
    for (final base in [
      '/data/user/0/$packageName/files',
      '/data/data/$packageName/files',
    ]) {
      try {
        await Directory(base).create(recursive: true);
        return p.join(base, 'sharedinbox.db');
      } catch (_) {
        continue;
      }
    }
    return null;
  } catch (_) {
    return null;
  }
 }
 // These functions are only called from unit tests (database_path_test.dart).
 // They expose internals that cannot be reached via the public API.
 Future<String> resolveDatabasePathForTesting() => _resolveDatabasePath();
 void resetDatabasePathForTesting() => _dbPath = null;
 Future<String?> androidFallbackPathForTesting() => _androidFallbackPath();
 LazyDatabase _openConnection() {
  return LazyDatabase(() async {
    final file = File(await _resolveDatabasePath());
@@ -11,6 +11,7 @@ import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
 import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/core/repositories/undo_repository.dart';
 import 'package:sharedinbox/core/services/account_discovery_service.dart';
 import 'package:sharedinbox/core/services/connection_test_service.dart';
@@ -101,7 +102,7 @@ final searchHistoryRepositoryProvider =
  return SearchHistoryRepositoryImpl(ref.watch(dbProvider));
 });
-final syncLogRepositoryProvider = Provider((ref) {
+final syncLogRepositoryProvider = Provider<SyncLogRepository>((ref) {
  return SyncLogRepositoryImpl(ref.watch(dbProvider));
 });
@@ -181,11 +182,7 @@ final manageSieveProbeServiceProvider = Provider<ManageSieveProbeService>((
 });
 final undoServiceProvider =
-    StateNotifierProvider<UndoService, List<UndoAction>>((ref) {
+    NotifierProvider<UndoService, List<UndoAction>>(UndoService.new);
  final service = UndoService(ref);
  unawaited(service.init());
  return service;
 });
 /// Loads email header + body and marks the email as seen.
 /// Owned by [EmailDetailScreen]; decouples data loading from the widget tree.
@@ -194,16 +191,18 @@ final emailDetailProvider = AsyncNotifierProvider.autoDispose
  EmailDetailNotifier.new,
 );
-class EmailDetailNotifier
+class EmailDetailNotifier extends AsyncNotifier<(Email?, EmailBody)> {
-    extends AutoDisposeFamilyAsyncNotifier<(Email?, EmailBody), String> {
+  EmailDetailNotifier(this._emailId);
  final String _emailId;
  @override
-  Future<(Email?, EmailBody)> build(String emailId) async {
+  Future<(Email?, EmailBody)> build() async {
    final repo = ref.read(emailRepositoryProvider);
    final results = await Future.wait([
-      repo.getEmail(emailId),
+      repo.getEmail(_emailId),
-      repo.getEmailBody(emailId),
+      repo.getEmailBody(_emailId),
    ]);
-    unawaited(repo.setFlag(emailId, seen: true));
+    unawaited(repo.setFlag(_emailId, seen: true));
    return (results[0] as Email?, results[1] as EmailBody);
  }
 }
@@ -3,6 +3,7 @@ import 'dart:io';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_riverpod/misc.dart' show Override;
 import 'package:sharedinbox/core/services/notification_service.dart';
 import 'package:sharedinbox/core/sync/background_sync.dart';
@@ -47,10 +47,14 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    final osName = _capitalize(Platform.operatingSystem);
    final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
-    return '## sharedinbox.de\n\n'
+    final gitCommitLine = _gitHash.isNotEmpty
        ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
        : '';
    return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
        '| Property | Value |\n'
        '|----------|-------|\n'
        '| App Version | $versionDisplay |\n'
        '$gitCommitLine'
        '| Platform | ${Platform.operatingSystem} |\n'
        '| $osName Version | ${Platform.operatingSystemVersion} |\n'
        '| Resolution | ${physW}x$physH px'
@@ -32,11 +32,15 @@ enum _Step { generatingKey, showingPubKey, scanning, importing, done, error }
 class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
  _Step _step = _Step.generatingKey;
  ShareKeyMaterial? _keyMaterial;
  DateTime? _keyExpiresAt;
  String? _pubKeyQr;
  String? _errorMessage;
  bool _scannerActive = false;
  MobileScannerController? _scannerController;
  // True when the scanner plugin fails to initialise at runtime (e.g.
  // MissingPluginException on some Android builds).
  bool _scannerFailed = false;
  @override
  void initState() {
@@ -61,6 +65,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
      );
      setState(() {
        _keyMaterial = material;
        _keyExpiresAt = DateTime.now().toUtc().add(const Duration(minutes: 20));
        _pubKeyQr = qr;
        _step = _Step.showingPubKey;
      });
@@ -76,8 +81,37 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
    setState(() {
      _step = _Step.scanning;
      _scannerActive = true;
      _scannerController = MobileScannerController();
    });
    if (_cameraScanSupported()) {
      unawaited(_initScanner());
    }
  }
  // Pre-flight: probe the scanner's permission-state method to verify the
  // plugin is registered.  MissingPluginException is thrown on Android builds
  // where the plugin is not linked (issue #204).  All other exceptions mean
  // the plugin exists but something else failed — the MobileScanner widget
  // will surface those via its own error builder.
  Future<void> _initScanner() async {
    bool available = false;
    try {
      await const MethodChannel(
        'dev.steenbakker.mobile_scanner/scanner/method',
      ).invokeMethod<int>('state');
      available = true;
    } on MissingPluginException {
      // Plugin not registered on this device; text fallback will be shown.
    } catch (_) {
      // Plugin registered but state check failed; let the scanner widget
      // handle it via its errorBuilder.
      available = true;
    }
    if (!mounted) return;
    if (available) {
      setState(() => _scannerController = MobileScannerController());
    } else {
      setState(() => _scannerFailed = true);
    }
  }
  Future<void> _onScanned(String rawValue) async {
@@ -244,7 +278,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
            },
          ),
          const SizedBox(height: 8),
-          const _ExpiryHint(),
+          _ExpiryHint(expiresAt: _keyExpiresAt!),
          const SizedBox(height: 32),
          if (_errorMessage != null) ...[
            Text(
@@ -266,11 +300,14 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
  }
  Widget _buildScannerView(BuildContext context) {
-    // On platforms where the camera scanner is not available (Linux desktop),
+    // Fall back to text input when the platform has no camera support or when
-    // fall back to a text-input field.
+    // the scanner plugin fails to initialise at runtime (MissingPluginException).
-    if (!_cameraScanSupported()) {
+    if (!_cameraScanSupported() || _scannerFailed) {
      return _buildTextFallbackView(context);
    }
    if (_scannerController == null) {
      return const Center(child: CircularProgressIndicator());
    }
    return Stack(
      children: [
@@ -371,8 +408,37 @@ bool _cameraScanSupported() =>
    Platform.isMacOS ||
    Platform.isWindows;
-class _ExpiryHint extends StatelessWidget {
+class _ExpiryHint extends StatefulWidget {
-  const _ExpiryHint();
+  const _ExpiryHint({required this.expiresAt});
  final DateTime expiresAt;
  @override
  State<_ExpiryHint> createState() => _ExpiryHintState();
 }
 class _ExpiryHintState extends State<_ExpiryHint> {
  late Timer _timer;
  @override
  void initState() {
    super.initState();
    _timer = Timer.periodic(const Duration(seconds: 1), (_) => setState(() {}));
  }
  @override
  void dispose() {
    _timer.cancel();
    super.dispose();
  }
  String _formatRemaining() {
    final remaining = widget.expiresAt.difference(DateTime.now().toUtc());
    if (remaining.isNegative) return 'expired';
    final minutes = remaining.inMinutes;
    final seconds = remaining.inSeconds % 60;
    return '${minutes.toString().padLeft(2, '0')}:${seconds.toString().padLeft(2, '0')}';
  }
  @override
  Widget build(BuildContext context) {
@@ -382,7 +448,7 @@ class _ExpiryHint extends StatelessWidget {
        Icon(Icons.timer_outlined, size: 14, color: Colors.grey[600]),
        const SizedBox(width: 4),
        Text(
-          'This key expires in 20 minutes',
+          'This key expires in ${_formatRemaining()}',
          style: TextStyle(fontSize: 12, color: Colors.grey[600]),
        ),
      ],
@@ -45,12 +45,42 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
  bool _scannerActive = true;
  MobileScannerController? _scannerController;
  // True when the scanner plugin fails to initialise at runtime (e.g.
  // MissingPluginException on some Android builds).
  bool _scannerFailed = false;
  @override
  void initState() {
    super.initState();
    if (_cameraScanSupported()) {
-      _scannerController = MobileScannerController();
+      unawaited(_initScanner());
    }
  }
  // Pre-flight: probe the scanner's permission-state method to verify the
  // plugin is registered.  MissingPluginException is thrown on Android builds
  // where the plugin is not linked (issue #204).  All other exceptions mean
  // the plugin exists but something else failed — the MobileScanner widget
  // will surface those via its own error builder.
  Future<void> _initScanner() async {
    bool available = false;
    try {
      await const MethodChannel(
        'dev.steenbakker.mobile_scanner/scanner/method',
      ).invokeMethod<int>('state');
      available = true;
    } on MissingPluginException {
      // Plugin not registered on this device; text fallback will be shown.
    } catch (_) {
      // Plugin registered but state check failed; let the scanner widget
      // handle it via its errorBuilder.
      available = true;
    }
    if (!mounted) return;
    if (available) {
      setState(() => _scannerController = MobileScannerController());
    } else {
      setState(() => _scannerFailed = true);
    }
  }
@@ -178,9 +208,12 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
  }
  Widget _buildScanStep(BuildContext context) {
-    if (!_cameraScanSupported()) {
+    if (!_cameraScanSupported() || _scannerFailed) {
      return _buildTextFallbackView(context);
    }
    if (_scannerController == null) {
      return const Center(child: CircularProgressIndicator());
    }
    return Stack(
      children: [
@@ -162,7 +162,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
  }
  Future<void> _pickAttachments() async {
-    final result = await FilePicker.platform.pickFiles(allowMultiple: true);
+    final result = await FilePicker.pickFiles();
    if (result == null) return;
    final files = result.files.where((f) => f.path != null).toList();
    if (!mounted) return;
@@ -1,5 +1,6 @@
 import 'dart:io';
 import 'package:flutter/foundation.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:package_info_plus/package_info_plus.dart';
@@ -10,21 +11,42 @@ class CrashScreen extends StatelessWidget {
    super.key,
    required this.exception,
    required this.stackTrace,
    this.gitHash = const String.fromEnvironment('GIT_HASH'),
  });
  final Object exception;
  final StackTrace? stackTrace;
  final String gitHash;
-  Future<String> _buildReport() async {
+  String get _buildMode {
-    String version = 'unknown';
+    if (kDebugMode) return 'debug';
    if (kProfileMode) return 'profile';
    return 'release';
  }
  Future<String> _fetchVersion() async {
    try {
      final info = await PackageInfo.fromPlatform();
-      version = '${info.version}+${info.buildNumber}';
+      return '${info.version}+${info.buildNumber}';
-    } catch (_) {}
+    } catch (_) {
      return 'unknown';
    }
  }
  Future<String> _buildReport() async {
    final version = await _fetchVersion();
    final platform =
        '${Platform.operatingSystem} ${Platform.operatingSystemVersion}';
    final gitLine = gitHash.isNotEmpty
        ? 'Git Commit: [$gitHash](https://codeberg.org/guettli/sharedinbox/commit/$gitHash)\n'
        : '';
    final timestamp = DateTime.now().toUtc().toIso8601String();
    return 'App Version: $version\n'
-        'Platform: $platform\n\n'
+        'Build Mode: $_buildMode\n'
        '$gitLine'
        'Platform: $platform\n'
        'Dart: ${Platform.version}\n'
        'Timestamp: $timestamp\n\n'
        'Error:\n```\n$exception\n```\n\n'
        'Stack Trace:\n```\n$stackTrace\n```';
  }
@@ -50,6 +72,41 @@ class CrashScreen extends StatelessWidget {
                  style: Theme.of(ctx).textTheme.titleMedium,
                  textAlign: TextAlign.center,
                ),
                const SizedBox(height: 4),
                FutureBuilder<String>(
                  future: _fetchVersion(),
                  builder: (context, snapshot) => Text(
                    'v${snapshot.data ?? '…'}  •  $_buildMode  •  '
                    '${Platform.operatingSystem} ${Platform.operatingSystemVersion}',
                    style: Theme.of(context).textTheme.bodySmall?.copyWith(
                          color: Colors.grey[600],
                        ),
                    textAlign: TextAlign.center,
                  ),
                ),
                if (gitHash.isNotEmpty) ...[
                  const SizedBox(height: 8),
                  GestureDetector(
                    onTap: () async {
                      final url = Uri.parse(
                        'https://codeberg.org/guettli/sharedinbox/commit/$gitHash',
                      );
                      await launchUrl(
                        url,
                        mode: LaunchMode.externalApplication,
                      );
                    },
                    child: Text(
                      'Git Commit: $gitHash',
                      style: const TextStyle(
                        fontSize: 12,
                        color: Colors.blue,
                        decoration: TextDecoration.underline,
                      ),
                      textAlign: TextAlign.center,
                    ),
                  ),
                ],
                const SizedBox(height: 24),
                const Text(
                  'Error Details:',
@@ -43,15 +43,15 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    ref.listen<AsyncValue<(Email?, EmailBody)>>(
      emailDetailProvider(widget.emailId),
      (_, next) {
-        final email = next.valueOrNull?.$1;
+        final email = next.value?.$1;
        if (email != null && mounted) {
          setState(() => _isFlagged = email.isFlagged);
        }
      },
    );
-    final header = detail.valueOrNull?.$1;
+    final header = detail.value?.$1;
-    final body = detail.valueOrNull?.$2;
+    final body = detail.value?.$2;
    final isMobile = defaultTargetPlatform == TargetPlatform.android ||
        defaultTargetPlatform == TargetPlatform.iOS;
@@ -261,9 +261,9 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  Widget _buildSyncButton(EmailRepository emailRepo) {
    final isSyncing =
-        ref.watch(isSyncingProvider(widget.accountId)).valueOrNull ?? false;
+        ref.watch(isSyncingProvider(widget.accountId)).value ?? false;
    final hasError =
-        ref.watch(syncLastErrorProvider(widget.accountId)).valueOrNull != null;
+        ref.watch(syncLastErrorProvider(widget.accountId)).value != null;
    return IconButton(
      tooltip: isSyncing
          ? 'Syncing…'
@@ -350,7 +350,7 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  Widget _buildSyncErrorBanner() {
    final errorAsync = ref.watch(syncLastErrorProvider(widget.accountId));
-    final error = errorAsync.valueOrNull;
+    final error = errorAsync.value;
    if (error == null || error == _dismissedError) {
      return const SizedBox.shrink();
    }
@@ -313,6 +313,14 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "2.2.0"
  ffi_leak_tracker:
    dependency: transitive
    description:
      name: ffi_leak_tracker
      sha256: "4093d4ef9ca06ffe2786e73bfb25e22aa92112b9bb4ec941f11e3e6b61489a97"
      url: "https://pub.dev"
    source: hosted
    version: "0.1.2"
  file:
    dependency: transitive
    description:
@@ -325,10 +333,10 @@ packages:
    dependency: "direct main"
    description:
      name: file_picker
-      sha256: ab13ae8ef5580a411c458d6207b6774a6c237d77ac37011b13994879f68a8810
+      sha256: "0204695694b687b167fd497da5252e9f4aaa162e8d274d6fa1e757380f2a5f46"
      url: "https://pub.dev"
    source: hosted
-    version: "8.3.7"
+    version: "12.0.0-beta.4"
  fixnum:
    dependency: transitive
    description:
@@ -351,34 +359,42 @@ packages:
    dependency: "direct dev"
    description:
      name: flutter_lints
-      sha256: "3f41d009ba7172d5ff9be5f6e6e6abb4300e263aab8866d2a0842ed2a70f8f0c"
+      sha256: "3105dc8492f6183fb076ccf1f351ac3d60564bff92e20bfc4af9cc1651f4e7e1"
      url: "https://pub.dev"
    source: hosted
-    version: "4.0.0"
+    version: "6.0.0"
  flutter_local_notifications:
    dependency: "direct main"
    description:
      name: flutter_local_notifications
-      sha256: ef41ae901e7529e52934feba19ed82827b11baa67336829564aeab3129460610
+      sha256: "0d9035862236fe38250fe1644d7ed3b8254e34a21b2c837c9f539fbb3bba5ef1"
      url: "https://pub.dev"
    source: hosted
-    version: "18.0.1"
+    version: "21.0.0"
  flutter_local_notifications_linux:
    dependency: transitive
    description:
      name: flutter_local_notifications_linux
-      sha256: "8f685642876742c941b29c32030f6f4f6dacd0e4eaecb3efbb187d6a3812ca01"
+      sha256: e0f25e243c6c44c825bbbc6b2b2e76f7d9222362adcfe9fd780bf01923c840bd
      url: "https://pub.dev"
    source: hosted
-    version: "5.0.0"
+    version: "8.0.0"
  flutter_local_notifications_platform_interface:
    dependency: transitive
    description:
      name: flutter_local_notifications_platform_interface
-      sha256: "6c5b83c86bf819cdb177a9247a3722067dd8cc6313827ce7c77a4b238a26fd52"
+      sha256: e7db3d5b49c2b7ecc68deba4aaaa67a348f92ee0fef34c8e4b4459dbef0d7307
      url: "https://pub.dev"
    source: hosted
-    version: "8.0.0"
+    version: "11.0.0"
  flutter_local_notifications_windows:
    dependency: transitive
    description:
      name: flutter_local_notifications_windows
      sha256: "3a2654ba104fbb52c618ebed9def24ef270228470718c43b3a6afcd5c81bef0c"
      url: "https://pub.dev"
    source: hosted
    version: "3.0.0"
  flutter_markdown_plus:
    dependency: "direct main"
    description:
@@ -399,34 +415,34 @@ packages:
    dependency: "direct main"
    description:
      name: flutter_riverpod
-      sha256: "9532ee6db4a943a1ed8383072a2e3eeda041db5657cdf6d2acecf3c21ecbe7e1"
+      sha256: "4e166be88e1dbbaa34a280bdb744aeae73b7ef25fdf8db7a3bb776760a3648e2"
      url: "https://pub.dev"
    source: hosted
-    version: "2.6.1"
+    version: "3.3.1"
  flutter_secure_storage:
    dependency: "direct main"
    description:
      name: flutter_secure_storage
-      sha256: "6848263f9744072d0977347c383fb8b57d9780319a6bf5238b5a2866a029de62"
+      sha256: d2a6ac2df7353f5ca47eb159a5407c1dba7ec48ca0e02dc38c9ff4d29447b261
      url: "https://pub.dev"
    source: hosted
-    version: "10.2.0"
+    version: "10.3.0"
  flutter_secure_storage_darwin:
    dependency: transitive
    description:
      name: flutter_secure_storage_darwin
-      sha256: "67cd1ff671add31dc13e45194398187a04bb63804b37fa47866afae296d73fcb"
+      sha256: "82329fa5cdf343773b1b6897dea959105a29f092454259edff92f9f6637e8149"
      url: "https://pub.dev"
    source: hosted
-    version: "0.3.1"
+    version: "0.3.2"
  flutter_secure_storage_linux:
    dependency: transitive
    description:
      name: flutter_secure_storage_linux
-      sha256: "2b5c76dce569ab752d55a1cee6a2242bcc11fdba927078fb88c503f150767cda"
+      sha256: a5f35ddab43cf5c8215d2feb4ce1957851f28c5c37e6f04335066a0602087bf5
      url: "https://pub.dev"
    source: hosted
-    version: "3.0.0"
+    version: "3.0.1"
  flutter_secure_storage_platform_interface:
    dependency: transitive
    description:
@@ -447,10 +463,10 @@ packages:
    dependency: transitive
    description:
      name: flutter_secure_storage_windows
-      sha256: "3b7c8e068875dfd46719ff57c90d8c459c87f2302ed6b00ff006b3c9fcad1613"
+      sha256: "471951813a97006d899db4948acc654a4f28c440083ea08178935ce20b173ec1"
      url: "https://pub.dev"
    source: hosted
-    version: "4.1.0"
+    version: "4.2.2"
  flutter_test:
    dependency: "direct dev"
    description: flutter
@@ -486,10 +502,10 @@ packages:
    dependency: "direct main"
    description:
      name: go_router
-      sha256: f02fd7d2a4dc512fec615529824fdd217fecb3a3d3de68360293a551f21634b3
+      sha256: "92d8cee7c57dff0a6c409c05597b460002434eccf7424a712283225b3962d03f"
      url: "https://pub.dev"
    source: hosted
-    version: "14.8.1"
+    version: "17.2.3"
  graphs:
    dependency: transitive
    description:
@@ -587,10 +603,10 @@ packages:
    dependency: transitive
    description:
      name: lints
-      sha256: "976c774dd944a42e83e2467f4cc670daef7eed6295b10b36ae8c85bcbf828235"
+      sha256: "12f842a479589fea194fe5c5a3095abc7be0c1f2ddfa9a0e76aed1dbd26a87df"
      url: "https://pub.dev"
    source: hosted
-    version: "4.0.0"
+    version: "6.1.0"
  logging:
    dependency: transitive
    description:
@@ -643,10 +659,10 @@ packages:
    dependency: "direct main"
    description:
      name: mobile_scanner
-      sha256: d234581c090526676fd8fab4ada92f35c6746e3fb4f05a399665d75a399fb760
+      sha256: c92c26bf2231695b6d3477c8dcf435f51e28f87b1745966b1fe4c47a286171ce
      url: "https://pub.dev"
    source: hosted
-    version: "5.2.3"
+    version: "7.2.0"
  mockito:
    dependency: "direct dev"
    description:
@@ -699,18 +715,18 @@ packages:
    dependency: "direct main"
    description:
      name: package_info_plus
-      sha256: "16eee997588c60225bda0488b6dcfac69280a6b7a3cf02c741895dd370a02968"
+      sha256: "4bf625947f6c7713ee242296a682e23e44823c09cf9d79e4f1238923c92db852"
      url: "https://pub.dev"
    source: hosted
-    version: "8.3.1"
+    version: "10.1.0"
  package_info_plus_platform_interface:
    dependency: transitive
    description:
      name: package_info_plus_platform_interface
-      sha256: "202a487f08836a592a6bd4f901ac69b3a8f146af552bbd14407b6b41e1c3f086"
+      sha256: db762cb2f4f25ee60fb6359773861b0f199e00b90d237bd85a76a1e806b46ef4
      url: "https://pub.dev"
    source: hosted
-    version: "3.2.1"
+    version: "4.1.0"
  path:
    dependency: "direct main"
    description:
@@ -875,26 +891,26 @@ packages:
    dependency: transitive
    description:
      name: riverpod
-      sha256: "59062512288d3056b2321804332a13ffdd1bf16df70dcc8e506e411280a72959"
+      sha256: "8c22216be8ad3ef2b44af3a329693558c98eca7b8bd4ef495c92db0bba279f83"
      url: "https://pub.dev"
    source: hosted
-    version: "2.6.1"
+    version: "3.2.1"
  share_plus:
    dependency: "direct main"
    description:
      name: share_plus
-      sha256: "223873d106614442ea6f20db5a038685cc5b32a2fba81cdecaefbbae0523f7fa"
+      sha256: a857d8b1479250aff6b57a51b2c02d31ca05848d441817c43f1640c885c286c0
      url: "https://pub.dev"
    source: hosted
-    version: "12.0.2"
+    version: "13.1.0"
  share_plus_platform_interface:
    dependency: transitive
    description:
      name: share_plus_platform_interface
-      sha256: "88023e53a13429bd65d8e85e11a9b484f49d4c190abbd96c7932b74d6927cc9a"
+      sha256: "7f7ae28cf400d13f811e297ff37742dba83b79e0a6f5dce14eec0248274e6ce9"
      url: "https://pub.dev"
    source: hosted
-    version: "6.1.0"
+    version: "7.1.0"
  shelf:
    dependency: transitive
    description:
@@ -976,10 +992,10 @@ packages:
    dependency: "direct main"
    description:
      name: sqlite3_flutter_libs
-      sha256: eeb9e3a45207649076b808f8a5a74d68770d0b7f26ccef6d5f43106eee5375ad
+      sha256: "3ed7553eee7bb368f8950f58ba29f634e06e813c029aff6a0d60862b96de8454"
      url: "https://pub.dev"
    source: hosted
-    version: "0.5.42"
+    version: "0.6.0+eol"
  sqlparser:
    dependency: transitive
    description:
@@ -1080,10 +1096,10 @@ packages:
    dependency: transitive
    description:
      name: timezone
-      sha256: dd14a3b83cfd7cb19e7888f1cbc20f258b8d71b54c06f79ac585f14093a287d1
+      sha256: "784a5e34d2eb62e1326f24d6f600aaaee452eb8ca8ef2f384a59244e292d158b"
      url: "https://pub.dev"
    source: hosted
-    version: "0.10.1"
+    version: "0.11.0"
  typed_data:
    dependency: transitive
    description:
@@ -1104,10 +1120,10 @@ packages:
    dependency: transitive
    description:
      name: url_launcher_android
-      sha256: "3bb000251e55d4a209aa0e2e563309dc9bb2befea2295fd0cec1f51760aac572"
+      sha256: "17bc677f0b301615530dd1d67e0a9828cafa2d0b6b6eae4cd3679b7eac4a273c"
      url: "https://pub.dev"
    source: hosted
-    version: "6.3.29"
+    version: "6.3.30"
  url_launcher_ios:
    dependency: transitive
    description:
@@ -1264,10 +1280,10 @@ packages:
    dependency: transitive
    description:
      name: win32
-      sha256: d7cb55e04cd34096cd3a79b3330245f54cb96a370a1c27adb3c84b917de8b08e
+      sha256: ba6f4bba816c8d7e3c1580e170f3786d216951cc6b94babc3b814c08d2cb2738
      url: "https://pub.dev"
    source: hosted
-    version: "5.15.0"
+    version: "6.3.0"
  workmanager:
    dependency: "direct main"
    description:
@@ -19,15 +19,15 @@ dependencies:
  # Local persistence (offline-first)
  drift: ^2.20.3
-  sqlite3_flutter_libs: ^0.5.28
+  sqlite3_flutter_libs: ^0.6.0+eol
  path_provider: ^2.1.5
  path: ^1.9.1
  # State management
-  flutter_riverpod: ^2.6.1
+  flutter_riverpod: ^3.0.0
  # Navigation
-  go_router: ^14.8.1
+  go_router: ^17.2.3
  # Secure credential storage (passwords)
  flutter_secure_storage: ^10.0.0
@@ -36,7 +36,7 @@ dependencies:
  intl: any
  # File picking (compose attachments) and opening downloaded attachments
-  file_picker: ^8.0.0
+  file_picker: ^12.0.0-beta.4
  open_filex: ^4.6.0
  mime: ^2.0.0
@@ -47,7 +47,7 @@ dependencies:
  cryptography: ^2.7.0
  # QR code scanning (camera) for secure account import
-  mobile_scanner: ^5.0.0
+  mobile_scanner: ^7.2.0
  # HTML rendering for email bodies
  webview_flutter: ^4.0.0
@@ -55,19 +55,19 @@ dependencies:
  flutter_markdown_plus: ^1.0.7
  # Background sync and local notifications
-  flutter_local_notifications: ^18.0.1
+  flutter_local_notifications: ^21.0.0
  workmanager: ^0.9.0
  # App version metadata for crash reports
-  package_info_plus: ^8.0.0
+  package_info_plus: ^10.1.0
-  share_plus: ^12.0.2
+  share_plus: ^13.1.0
 dev_dependencies:
  flutter_test:
    sdk: flutter
  integration_test:
    sdk: flutter
-  flutter_lints: ^4.0.0
+  flutter_lints: ^6.0.0
  drift_dev: ^2.20.3
  build_runner: ^2.4.13
  test: ^1.25.0
@@ -8,12 +8,15 @@ Flow
   a. Age > 1 h  → kill it, set its issue to State/Question, exit 1
   b. Age ≤ 1 h  → print status, exit 0  (let it keep working)
 2. No agent running → extract pending_issue from state (if any), then check CI
-   a. CI is running         → save pending-ci state, exit 0
+   a. pending_issue + open PR → check PR branch CI, merge/fix/wait as needed
-   b. Latest CI failed      → start fix-CI agent (preserving pending_issue), exit 0
+   b. Catch-up: orphaned issue-N-fix PRs with passing CI → merge them
-   c. CI ok + pending_issue → close the issue (CI passed), exit 0
+   c. Main CI running         → save pending-ci state, exit 0
-   d. CI ok (or no run yet) → find oldest Ready issue, start issue agent,
+   d. Main CI failed          → start fix-CI agent (pushes fix to main), exit 0
-                              save state, exit 0
+   e. Main CI ok + pending_issue → close the issue, exit 0  (dead code path —
-   e. No Ready issues       → print "nothing to do", exit 0
+                                   section 2a always returns first)
   f. Main CI ok (or no run yet) → find oldest Ready issue, start issue agent,
                                   save state, exit 0
   g. No Ready issues         → print "nothing to do", exit 0
 Issue agents must NOT close the issue themselves; the loop closes it after CI passes.
@@ -22,14 +25,16 @@ State file: ~/.sharedinbox-agent-state.json
    "started_at": "2026-05-15T12:00:00+00:00", "type": "issue" }
 Output is written to ~/.sharedinbox-agent-logs/<session>-<timestamp>.log.
-Resume the Claude conversation afterward with:
+To resume the Claude conversation, look up the session UUID first:
-  claude --resume issue-91
+  scripts/agent_loop.py list          # shows NAME and UUID columns
  claude --resume <uuid>              # use the UUID, NOT the session name
 """
 import argparse
 import json
 import os
 import re
 import shlex
 import subprocess
 import sys
@@ -140,10 +145,21 @@ def _ready_issues() -> list[dict]:
    return ready
-def _latest_ci_run() -> dict | None:
+def _latest_main_ci_run() -> dict | None:
-    data = _tea_get(f"repos/{REPO}/actions/runs?limit=1")
+    """Return the latest ci.yml run on the main branch.
    Forgejo reports scheduled/dispatch workflows (e.g. deploy.yml) with
    event=push and prettyref=main, so filtering by event alone is not enough.
    We also require workflow_id == "ci.yml".
    """
    data = _tea_get(f"repos/{REPO}/actions/runs?limit=20")
    runs = (data or {}).get("workflow_runs", [])
-    return runs[0] if runs else None
+    for run in runs:
        if (run.get("event") == "push"
                and run.get("prettyref") == "main"
                and run.get("workflow_id") == "ci.yml"):
            return run
    return None
 def _latest_ci_run_for_branch(branch: str) -> dict | None:
@@ -163,17 +179,17 @@ def _latest_ci_run_for_branch(branch: str) -> dict | None:
                    return run
            except (json.JSONDecodeError, AttributeError):
                pass
-        else:
+        elif run.get("event") == "push":
            if run.get("prettyref") == branch:
                return run
    return None
-def _find_pr_for_branch(branch: str) -> dict | None:
+def _find_pr_for_branch(branch: str, state: str = "open") -> dict | None:
-    """Return the first open PR whose head branch matches, or None."""
+    """Return the first PR in the given state whose head branch matches, or None."""
    result = subprocess.run(
        ["fgj", "--hostname", "codeberg.org", "pr", "list",
-         "--repo", REPO, "--state", "open", "--json"],
+         "--repo", REPO, "--state", state, "--json"],
        capture_output=True, text=True,
    )
    if result.returncode != 0 or not result.stdout.strip():
@@ -187,6 +203,40 @@ def _find_pr_for_branch(branch: str) -> dict | None:
    return None
 def _open_issue_prs() -> list[dict]:
    """Return all open PRs with issue-{N}-fix branches, oldest-first."""
    result = subprocess.run(
        ["fgj", "--hostname", "codeberg.org", "pr", "list",
         "--repo", REPO, "--state", "open", "--json"],
        capture_output=True, text=True,
    )
    if result.returncode != 0 or not result.stdout.strip():
        return []
    prs = json.loads(result.stdout)
    issue_prs = []
    for pr in prs:
        head = pr.get("head", {})
        ref = head.get("ref") or head.get("label", "").split(":")[-1]
        if re.match(r"^issue-\d+-fix$", ref or ""):
            issue_prs.append(pr)
    issue_prs.sort(key=lambda p: p["number"])
    return issue_prs
 def _latest_ci_run_for_pr(pr_number: int) -> dict | None:
    """Return the latest CI run triggered by a pull_request event for the given PR number."""
    data = _tea_get(f"repos/{REPO}/actions/runs?event=pull_request&limit=50")
    runs = (data or {}).get("workflow_runs", [])
    for run in runs:
        try:
            payload = json.loads(run.get("event_payload", "{}"))
            if payload.get("pull_request", {}).get("number") == pr_number:
                return run
        except (json.JSONDecodeError, AttributeError):
            pass
    return None
 def _merge_pr(pr_number: int) -> None:
    """Squash-merge a PR via fgj."""
    _fgj("pr", "merge", str(pr_number), "--repo", REPO, "--merge-method", "squash")
@@ -225,6 +275,30 @@ def _clear_state() -> None:
    STATE_FILE.unlink(missing_ok=True)
 def _find_session_uuid(session_name: str) -> str | None:
    """Return the Claude session UUID for *session_name*, or None if not found.
    Claude stores session metadata in JSONL files; the first entry with
    type=="agent-name" contains both the human-readable name and the UUID
    needed for ``claude --resume <uuid>``.
    """
    if not CLAUDE_PROJECTS_DIR.exists():
        return None
    for jsonl in CLAUDE_PROJECTS_DIR.glob("*.jsonl"):
        try:
            with jsonl.open() as fh:
                for line in fh:
                    line = line.strip()
                    if not line:
                        continue
                    d = json.loads(line)
                    if d.get("type") == "agent-name" and d.get("agentName") == session_name:
                        return d.get("sessionId")
        except Exception:
            continue
    return None
 # ── agent launcher ────────────────────────────────────────────────────────────
@@ -255,7 +329,7 @@ def _start_agent(prompt: str, session_name: str) -> int:
    proc.stdin.close()
    print(f"Started agent pid={proc.pid}, log={log_file}")
-    print(f"  Resume: claude --resume {shlex.quote(session_name)}")
+    print(f"  Resume: run 'scripts/agent_loop.py list' to get the UUID-based resume command")
    return proc.pid
@@ -273,6 +347,15 @@ def _agent_alive(state: dict) -> bool:
        return True
 def _is_claude_process(pid: int) -> bool:
    """Return True if pid's comm name indicates it is a claude/node process."""
    try:
        comm = Path(f"/proc/{pid}/comm").read_text().strip()
        return comm in ("claude", "node")
    except OSError:
        return False
 def _agent_age_seconds(state: dict) -> float:
    """Seconds elapsed since the agent was launched, from the state file timestamp."""
    try:
@@ -307,11 +390,13 @@ def _git_summary() -> str:
 def _kill_agent(state: dict) -> None:
    """Forcefully stop the running agent."""
    pid = state.get("pid")
-    if pid:
+    if pid and _is_claude_process(pid):
        try:
            os.kill(pid, 9)
        except ProcessLookupError:
            pass
    elif pid:
        print(f"WARNING: pid {pid} is not a claude process — skipping kill to avoid hitting recycled PID")
 # ── subcommands ───────────────────────────────────────────────────────────────
@@ -399,7 +484,13 @@ def _run_loop() -> int:
            return 1
        session_name = state.get("session_name")
-        resume_cmd = f"claude --resume {shlex.quote(session_name)}" if session_name else ""
+        uuid = _find_session_uuid(session_name) if session_name else None
        if uuid:
            resume_cmd = f"claude --resume {shlex.quote(uuid)}"
        elif session_name:
            resume_cmd = f"claude --resume <uuid>  # run: scripts/agent_loop.py list"
        else:
            resume_cmd = ""
        git_info = _git_summary()
        parts = [
            f"Agent pid={pid!r} ({kind}, {issue_ref}) still running ({age/60:.0f} min). Waiting.",
@@ -443,6 +534,9 @@ def _run_loop() -> int:
                    "Fetch the CI logs using the task ci-logs command or the Codeberg API. "
                    "Identify the failure, fix it, commit, and push to the same branch. "
                    "Do NOT push to main, do NOT close the issue, do NOT merge the PR. "
                    "Do NOT reference any issue numbers in commit messages "
                    "(no 'closes #N', 'fixes #N', or similar) — auto-closing the wrong "
                    "issue via a commit message would be a bug. "
                    "Verify locally with 'task check' before pushing. "
                    "When done, stop."
                )
@@ -480,14 +574,104 @@ def _run_loop() -> int:
                return 0
            # CI passed on the PR branch — squash-merge and close.
-            print(f"CI passed on branch {branch!r} — merging PR #{pr_number}.")
+            print(f"CI passed {_ci_run_url(pr_run['id'])} on branch {branch!r} — merging PR #{pr_number}.")
-            _merge_pr(pr_number)
+            try:
                _merge_pr(pr_number)
            except RuntimeError as e:
                print(f"Merge of PR #{pr_number} failed: {e} — setting to State/Question.")
                _set_labels(pending_issue, add=[LABEL_QUESTION], remove=[LABEL_IN_PROGRESS])
                _comment_issue(
                    pending_issue,
                    f"Automatic merge of PR #{pr_number} failed: {e}. Please merge manually.",
                )
                return 0
            if _find_pr_for_branch(branch):
                print(f"PR #{pr_number} is still open after merge attempt — setting to State/Question.")
                _set_labels(pending_issue, add=[LABEL_QUESTION], remove=[LABEL_IN_PROGRESS])
                _comment_issue(
                    pending_issue,
                    f"Automatic merge of PR #{pr_number} failed (PR is still open after the "
                    "merge command). Please merge manually.",
                )
                return 0
            _close_issue(pending_issue)
            print(f"Merged PR #{pr_number} and closed {_issue_url(pending_issue)}.")
            return 0
-    # ── 3. Global CI check (agent pushed to main, or no pending issue) ────────
+        # No open PR — check if it was already merged.
-    run = _latest_ci_run()
+        merged_pr = _find_pr_for_branch(branch, state="closed")
        if merged_pr and merged_pr.get("merged"):
            print(f"PR for branch {branch!r} was already merged — closing issue #{pending_issue}.")
            _close_issue(pending_issue)
            return 0
        # No open or merged PR — the agent may not have created one, or it was
        # closed without merging (the bug this block was added to catch).
        print(
            f"No open or merged PR found for branch {branch!r} "
            f"(issue #{pending_issue}) — setting to State/Question."
        )
        _set_labels(pending_issue, add=[LABEL_QUESTION], remove=[LABEL_IN_PROGRESS])
        _comment_issue(
            pending_issue,
            f"Agent finished but no open or merged PR was found for branch `{branch}`. "
            "Please investigate and resume manually.",
        )
        return 0
    # ── 2b. Catch-up: scan open issue-N-fix PRs orphaned by a cleared state ─────
    # This handles PRs whose CI has passed but were never merged because the
    # state file was cleared (loop restart, killed agent, manual intervention).
    open_prs = _open_issue_prs()
    for pr in open_prs:
        pr_number = pr["number"]
        pr_url = f"{REPO_URL}/pulls/{pr_number}"
        head = pr.get("head", {})
        branch = head.get("ref") or head.get("label", "").split(":")[-1]
        m = re.match(r"^issue-(\d+)-fix$", branch or "")
        issue_num = int(m.group(1)) if m else None
        pr_run = _latest_ci_run_for_pr(pr_number)
        if pr_run and pr_run.get("status") == "running":
            print(f"Catch-up: CI {_ci_run_url(pr_run['id'])} on PR #{pr_number} still running. Waiting.")
            _write_state(None, issue_num, "pending-ci")
            return 0
        if pr_run and pr_run.get("status") in ("failure", "error"):
            print(f"Catch-up: CI {_ci_run_url(pr_run['id'])} on PR #{pr_number} failed — skipping.")
            continue
        if pr_run and pr_run.get("status") == "success":
            print(f"Catch-up: CI passed on PR #{pr_number} ({pr_url}) — merging.")
            try:
                _merge_pr(pr_number)
            except RuntimeError as e:
                print(f"Catch-up: merge of PR #{pr_number} failed: {e} — skipping.")
                continue
            # Verify the merge actually happened; fgj can exit 0 without merging
            # (e.g. branch-protection rules not satisfied).
            if _find_pr_for_branch(branch):
                print(
                    f"Catch-up: PR #{pr_number} is still open after merge attempt "
                    "— skipping to avoid infinite retry."
                )
                if issue_num:
                    _set_labels(issue_num, add=[LABEL_QUESTION], remove=[LABEL_IN_PROGRESS])
                    _comment_issue(
                        issue_num,
                        f"Automatic merge of PR #{pr_number} failed (PR is still open "
                        "after the merge command). Please merge manually.",
                    )
                continue
            if issue_num:
                _close_issue(issue_num)
                print(f"Merged PR #{pr_number} and closed issue #{issue_num}.")
            else:
                print(f"Merged PR #{pr_number}.")
            return 0
    # ── 3. Global CI check (main branch only) ────────────────────────────────
    run = _latest_main_ci_run()
    if run and run.get("status") == "running":
        print(f"CI run {_ci_run_url(run['id'])} is still running. Waiting.")
@@ -496,17 +680,39 @@ def _run_loop() -> int:
        return 0
    if run and run.get("status") in ("failure", "error"):
        # Guard: if the same main CI run has been failing since the last ci-fix
        # agent started, that agent pushed to a branch instead of main.  Before
        # spawning another agent, check whether any CI run is currently in
        # progress (the branch run) and wait if so.
        if ci_run_id_at_start is not None and run["id"] == ci_run_id_at_start:
            check = _tea_get(f"repos/{REPO}/actions/runs?limit=5")
            in_flight = [
                r for r in (check or {}).get("workflow_runs", [])
                if r.get("status") == "running"
            ]
            if in_flight:
                print(
                    f"Main CI still shows the same failed run {run['id']}; "
                    f"{_ci_run_url(in_flight[0]['id'])} is running "
                    "(previous ci-fix pushed to a branch). Waiting."
                )
                return 0
        print(f"CI run {_ci_run_url(run['id'])} failed — starting fix agent.")
        prompt = (
-            "The Codeberg CI for guettli/sharedinbox just failed. "
+            "The Codeberg CI for guettli/sharedinbox just failed on the main branch. "
            f"The CI run ID is {run['id']}. "
            "Fetch the CI logs using the task ci-logs command or the Codeberg API. "
-            "Identify the failure, fix it, commit, and push. "
+            "Identify the failure, fix it, commit, and push directly to main. "
            "Verify locally with 'task check' before pushing. "
            "Do NOT reference any issue numbers in commit messages "
            "(no 'closes #N', 'fixes #N', or similar) — this is a CI fix, "
            "not an issue fix, and auto-closing an issue via a commit message would be a bug. "
            "Do NOT close any issues. "
            "When done, stop."
        )
        pid = _start_agent(prompt, "ci-fix")
-        _write_state(pid, pending_issue, "ci-fix", session_name="ci-fix")
+        _write_state(pid, pending_issue, "ci-fix", session_name="ci-fix",
                     ci_run_id=run["id"] if run else None)
        return 0
    # CI is ok (or no run).
@@ -528,7 +734,8 @@ def _run_loop() -> int:
            )
            return 0
        _close_issue(pending_issue)
-        print(f"CI passed — closed {_issue_url(pending_issue)}.")
+        ci_run_part = f" {_ci_run_url(run['id'])}" if run else ""
        print(f"CI passed{ci_run_part} — closed {_issue_url(pending_issue)}.")
        return 0
    # Find a Ready issue.
@@ -564,7 +771,10 @@ Instructions:
 - Implement the required change, following the existing code style.
 - Write or update tests as appropriate.
 - Run 'task check' locally and fix any failures before committing.
- Commit with a descriptive message referencing the issue number (e.g. "feat: ... (#{issue_number})").
+- Commit with a descriptive message and include (#{issue_number}) in the title,
  e.g. "feat: description (#{issue_number})".
  Do NOT use "Closes #N" or "Fixes #N" keywords — the loop closes the issue
  after CI passes; using those keywords would close it prematurely or wrongly.
 - Create a branch named `issue-{issue_number}-fix`, push your changes there, and open a PR against main:
      git checkout -b issue-{issue_number}-fix
      git push -u origin issue-{issue_number}-fix
@@ -6,76 +6,49 @@ import os
 import sys
 import time
 import requests
 from google.auth.transport.requests import AuthorizedSession
 from google.oauth2 import service_account
 PACKAGE_NAME = "de.sharedinbox.mua"
 AAB_PATH = "build/app/outputs/bundle/release/app-release.aab"
 TRACK = "internal"
 _TIMEOUT = 300  # seconds — AAB uploads can be large
 _MAX_UPLOAD_ATTEMPTS = 3
 _BASE = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"
 _UPLOAD_BASE = "https://androidpublisher.googleapis.com/upload/androidpublisher/v3/applications"
 _MAX_UPLOAD_ATTEMPTS = 3
-def _make_session(config_json: str) -> AuthorizedSession:
+def _upload_aab_resumable(session, package, edit_id, aab_path):
-    creds = service_account.Credentials.from_service_account_info(
+    """Upload AAB using the Google resumable upload protocol."""
-        json.loads(config_json),
+    file_size = os.path.getsize(aab_path)
-        scopes=["https://www.googleapis.com/auth/androidpublisher"],
+    init_url = f"{_UPLOAD_BASE}/{package}/edits/{edit_id}/bundles"
    # Step 1: initiate the resumable upload session
    init_resp = session.post(
        init_url,
        params={"uploadType": "resumable"},
        headers={
            "X-Upload-Content-Type": "application/octet-stream",
            "X-Upload-Content-Length": str(file_size),
            "Content-Length": "0",
        },
        timeout=60,
    )
-    return AuthorizedSession(creds)
+    init_resp.raise_for_status()
    upload_url = init_resp.headers["Location"]
-
+    # Step 2: upload the file in a single PUT to the session URI
-def _upload_aab(session: AuthorizedSession, edit_id: str) -> int:
+    with open(aab_path, "rb") as f:
-    """Resumable upload of the AAB. Returns the version code."""
+        upload_resp = session.put(
-    file_size = os.path.getsize(AAB_PATH)
+            upload_url,
-
+            data=f,
-    with open(AAB_PATH, "rb") as f:
+            headers={
-        data = f.read()
+                "Content-Type": "application/octet-stream",
-
+                "Content-Length": str(file_size),
-    last_exc = None
+            },
-    for attempt in range(_MAX_UPLOAD_ATTEMPTS):
+            timeout=600,
-        try:
+        )
-            # Each attempt needs a fresh resumable upload URL — the previous URL expires on failure.
+    upload_resp.raise_for_status()
-            init_resp = session.post(
+    return upload_resp.json()
                f"{_UPLOAD_BASE}/{PACKAGE_NAME}/edits/{edit_id}/bundles",
                params={"uploadType": "resumable"},
                headers={
                    "X-Upload-Content-Type": "application/octet-stream",
                    "X-Upload-Content-Length": str(file_size),
                },
                json={},
                timeout=30,
            )
            if not init_resp.ok:
                print(f"Init attempt {attempt + 1} failed: HTTP {init_resp.status_code}: {init_resp.text[:500]}")
                init_resp.raise_for_status()
            upload_url = init_resp.headers["Location"]
            upload_resp = session.put(
                upload_url,
                data=data,
                headers={
                    "Content-Type": "application/octet-stream",
                    "Content-Length": str(file_size),
                },
                timeout=_TIMEOUT,
            )
            if not upload_resp.ok:
                print(f"Upload attempt {attempt + 1} failed: HTTP {upload_resp.status_code}: {upload_resp.text[:500]}")
                upload_resp.raise_for_status()
            return upload_resp.json()["versionCode"]
        except requests.RequestException as exc:
            last_exc = exc
            if attempt < _MAX_UPLOAD_ATTEMPTS - 1:
                delay = 10 * (2 ** attempt)
                print(f"Attempt {attempt + 1} failed ({exc}), retrying in {delay}s…")
                time.sleep(delay)
    raise RuntimeError(
        f"AAB upload failed after {_MAX_UPLOAD_ATTEMPTS} attempts"
    ) from last_exc
 def main():
@@ -88,25 +61,45 @@ def main():
        print(f"Error: AAB not found at {AAB_PATH}", file=sys.stderr)
        sys.exit(1)
-    session = _make_session(config_json)
+    creds = service_account.Credentials.from_service_account_info(
-
+        json.loads(config_json),
-    edit_resp = session.post(
+        scopes=["https://www.googleapis.com/auth/androidpublisher"],
        f"{_BASE}/{PACKAGE_NAME}/edits",
        json={},
        timeout=30,
    )
    session = AuthorizedSession(creds)
    edit_resp = session.post(f"{_BASE}/{PACKAGE_NAME}/edits", json={}, timeout=30)
    edit_resp.raise_for_status()
    edit_id = edit_resp.json()["id"]
-    version_code = _upload_aab(session, edit_id)
+    last_exc = None
    bundle = None
    for attempt in range(_MAX_UPLOAD_ATTEMPTS):
        try:
            bundle = _upload_aab_resumable(session, PACKAGE_NAME, edit_id, AAB_PATH)
            break
        except Exception as exc:
            last_exc = exc
            if attempt < _MAX_UPLOAD_ATTEMPTS - 1:
                delay = 10 * (2 ** attempt)
                print(
                    f"Upload attempt {attempt + 1} failed ({type(exc).__name__}: {exc}), "
                    f"retrying in {delay}s…"
                )
                time.sleep(delay)
    if bundle is None:
        raise RuntimeError(
            f"AAB upload failed after {_MAX_UPLOAD_ATTEMPTS} attempts"
        ) from last_exc
    version_code = bundle["versionCode"]
    print(f"Uploaded AAB, version code: {version_code}")
-    tracks_resp = session.put(
+    track_resp = session.put(
        f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}/tracks/{TRACK}",
        json={"releases": [{"versionCodes": [version_code], "status": "completed"}]},
        timeout=30,
    )
-    tracks_resp.raise_for_status()
+    track_resp.raise_for_status()
    commit_resp = session.post(
        f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}:commit",
@@ -33,9 +33,6 @@ def list_remote_files(ssh_user: str, ssh_host: str, pattern: str) -> list[str]:
    result = subprocess.run(
        [
            "ssh",
            "-v",
            "-o", "StrictHostKeyChecking=no",
            "-i", "/root/.ssh/id_ed25519",
            f"{ssh_user}@{ssh_host}",
            f"find {REMOTE_BUILDS_DIR} -name '{pattern}' -type f | sort",
        ],
@@ -0,0 +1,85 @@
 #!/usr/bin/env bash
 # Decrypts secrets.age and exports all KEY=VALUE pairs as environment variables.
 #
 # In CI (GITHUB_ENV set): writes to $GITHUB_ENV so subsequent job steps can
 # read the variables. Multi-line values use the heredoc syntax required by
 # Forgejo/GitHub Actions.
 #
 # Locally: prints an eval-safe export block to stdout. Source it with:
 #   eval "$(SECRETS_AGE_KEY=$(cat ~/.config/age/sharedinbox.key) scripts/secrets-decrypt.sh)"
 #   or pass a key file:
 #   eval "$(scripts/secrets-decrypt.sh ~/.config/age/sharedinbox.key)"
 #
 # Private key sources (first match wins):
 #   1. Path to a key file passed as $1
 #   2. SECRETS_AGE_KEY env var (the raw private key content — used in CI)
 set -euo pipefail
 REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
    || REPO_ROOT=$(cd "$(dirname "$0")/.." && pwd)
 SECRETS_AGE="${SECRETS_AGE:-${REPO_ROOT}/secrets.age}"
 if [ ! -f "$SECRETS_AGE" ]; then
    echo "ERROR: secrets.age not found at $SECRETS_AGE" >&2
    echo "  Run: scripts/secrets-encrypt.sh to create it." >&2
    exit 1
 fi
 TMP_KEY=""
 cleanup() { [ -n "$TMP_KEY" ] && rm -f "$TMP_KEY"; }
 trap cleanup EXIT
 if [ -n "${1:-}" ]; then
    KEY_FILE="$1"
 elif [ -n "${SECRETS_AGE_KEY:-}" ]; then
    TMP_KEY=$(mktemp)
    chmod 600 "$TMP_KEY"
    printf '%s\n' "$SECRETS_AGE_KEY" > "$TMP_KEY"
    KEY_FILE="$TMP_KEY"
 else
    echo "ERROR: No age private key provided." >&2
    echo "  Pass a key file: scripts/secrets-decrypt.sh ~/.config/age/sharedinbox.key" >&2
    echo "  Or set SECRETS_AGE_KEY env var (CI: store as SECRETS_AGE_KEY secret)." >&2
    exit 1
 fi
 DECRYPTED=$(age --decrypt -i "$KEY_FILE" "$SECRETS_AGE")
 # Process each KEY=VALUE line.
 # Double-quoted values have \n escape sequences converted to real newlines.
 process_secrets() {
    local line key raw_value value
    while IFS= read -r line; do
        [[ -z "$line" || "$line" == \#* ]] && continue
        [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || continue
        key="${line%%=*}"
        raw_value="${line#*=}"
        # Double-quoted: strip quotes and expand \n → newline
        if [[ "$raw_value" == '"'*'"' ]]; then
            raw_value="${raw_value:1:${#raw_value}-2}"
            value=$(printf '%b' "$raw_value")
        # Single-quoted: strip quotes, no expansion
        elif [[ "$raw_value" == "'"*"'" ]]; then
            value="${raw_value:1:${#raw_value}-2}"
        else
            value="$raw_value"
        fi
        if [ -n "${GITHUB_ENV:-}" ]; then
            # Heredoc syntax handles multi-line values safely
            local delim="EOF_${key}_$$"
            printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
        else
            # Print as export statements for eval
            printf "export %s=%q\n" "$key" "$value"
        fi
    done <<< "$DECRYPTED"
 }
 process_secrets
 if [ -n "${GITHUB_ENV:-}" ]; then
    echo "Secrets written to \$GITHUB_ENV." >&2
 fi
@@ -0,0 +1,42 @@
 #!/usr/bin/env bash
 # Encrypts secrets.env → secrets.age using an age public key.
 #
 # Usage:
 #   scripts/secrets-encrypt.sh [AGE1...]   public key as positional argument
 #   AGE_PUBLIC_KEY=AGE1... scripts/secrets-encrypt.sh
 #   scripts/secrets-encrypt.sh             reads public key from .age-public-key
 #
 # The private key never touches this script. Only the public key is needed to
 # encrypt. Store the private key in CI as SECRETS_AGE_KEY and keep a local
 # copy at ~/.config/age/sharedinbox.key (or wherever you prefer).
 set -euo pipefail
 REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
    || REPO_ROOT=$(cd "$(dirname "$0")/.." && pwd)
 SECRETS_ENV="${SECRETS_ENV:-${REPO_ROOT}/secrets.env}"
 SECRETS_AGE="${SECRETS_AGE:-${REPO_ROOT}/secrets.age}"
 KEY_FILE="${REPO_ROOT}/.age-public-key"
 if [ -n "${1:-}" ]; then
    PUBLIC_KEY="$1"
 elif [ -n "${AGE_PUBLIC_KEY:-}" ]; then
    PUBLIC_KEY="$AGE_PUBLIC_KEY"
 elif [ -f "$KEY_FILE" ]; then
    PUBLIC_KEY=$(cat "$KEY_FILE")
    PUBLIC_KEY="${PUBLIC_KEY%%$'\n'*}"  # take only the first line
 else
    echo "ERROR: No age public key provided." >&2
    echo "  Pass it as an argument: scripts/secrets-encrypt.sh AGE1..." >&2
    echo "  Or store it in .age-public-key: age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key" >&2
    exit 1
 fi
 if [ ! -f "$SECRETS_ENV" ]; then
    echo "ERROR: secrets.env not found at $SECRETS_ENV" >&2
    echo "  Copy secrets.env.example to secrets.env and fill in values." >&2
    exit 1
 fi
 age --encrypt --recipient "$PUBLIC_KEY" --output "$SECRETS_AGE" "$SECRETS_ENV"
 echo "Encrypted $SECRETS_ENV → $SECRETS_AGE"
 echo "Commit secrets.age to keep CI in sync."
@@ -14,14 +14,42 @@ if [ "$host" == "$port" ]; then
    port="8774"
 fi
-echo "Probing $host:$port..."
+MAX_PROBE_ATTEMPTS=5
-if ! nc -zw 3 "$host" "$port" 2>/dev/null; then
+PROBE_DELAY=30
-    echo "Error: No Dagger server responded on $host:$port"
+for attempt in $(seq 1 $MAX_PROBE_ATTEMPTS); do
-    exit 1
+    echo "Probing $host:$port (attempt $attempt/$MAX_PROBE_ATTEMPTS)..."
-fi
+    if nc -zw 5 "$host" "$port" 2>/dev/null; then
-echo "Found active Dagger server on $host:$port"
+        echo "Found active server on $host:$port"
        break
    fi
    if [ "$attempt" -eq "$MAX_PROBE_ATTEMPTS" ]; then
        echo "Warning: No Dagger server responded on $host:$port after $MAX_PROBE_ATTEMPTS attempts"
        echo "Remote engine unavailable — CI will use the local Dagger engine."
        exit 0
    fi
    echo "Dagger server not responding, waiting ${PROBE_DELAY}s before retry..."
    sleep $PROBE_DELAY
 done
-# 2. Setup TLS credentials (passed as env vars from secrets)
+# 2a. Try plain TCP connection first (works when server is a plain TCP proxy, no TLS)
 echo "Trying plain TCP Dagger connection at tcp://$host:$port..."
 if _DAGGER_RUNNER_HOST="tcp://$host:$port" \
   _EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://$host:$port" \
   timeout 8 dagger version >/dev/null 2>&1; then
    echo "Plain TCP Dagger connection succeeded — no TLS stunnel needed."
    if [ -n "${GITHUB_ENV:-}" ]; then
        echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://$host:$port" >> "$GITHUB_ENV"
        echo "_DAGGER_RUNNER_HOST=tcp://$host:$port" >> "$GITHUB_ENV"
    else
        export _EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://$host:$port"
        export _DAGGER_RUNNER_HOST="tcp://$host:$port"
        echo "Dagger configured at tcp://$host:$port (plain TCP)"
    fi
    exit 0
 fi
 echo "Plain TCP connection not available; trying TLS stunnel..."
 # 2b. Setup TLS credentials (passed as env vars from secrets)
 mkdir -p /tmp/dagger-tls
 echo "$DAGGER_CA_CERT" > /tmp/dagger-tls/ca.crt
 echo "$DAGGER_CLIENT_CERT" > /tmp/dagger-tls/client.crt
@@ -88,21 +88,47 @@ class TestAgentAlive(unittest.TestCase):
        self.assertFalse(agent_loop._agent_alive({"pid": None}))
 class TestIsClaudeProcess(unittest.TestCase):
    def test_returns_true_for_claude_comm(self):
        with patch.object(agent_loop.Path, "read_text", return_value="claude\n"):
            self.assertTrue(agent_loop._is_claude_process(1234))
    def test_returns_true_for_node_comm(self):
        with patch.object(agent_loop.Path, "read_text", return_value="node\n"):
            self.assertTrue(agent_loop._is_claude_process(1234))
    def test_returns_false_for_other_process(self):
        with patch.object(agent_loop.Path, "read_text", return_value="bash\n"):
            self.assertFalse(agent_loop._is_claude_process(1234))
    def test_returns_false_when_proc_missing(self):
        with patch.object(agent_loop.Path, "read_text", side_effect=OSError):
            self.assertFalse(agent_loop._is_claude_process(1234))
 class TestKillAgent(unittest.TestCase):
    def test_kill_sends_sigkill(self):
-        with patch("agent_loop.os.kill") as mock_kill:
+        with patch("agent_loop._is_claude_process", return_value=True):
-            agent_loop._kill_agent({"pid": 1234})
+            with patch("agent_loop.os.kill") as mock_kill:
-            mock_kill.assert_called_once_with(1234, 9)
+                agent_loop._kill_agent({"pid": 1234})
                mock_kill.assert_called_once_with(1234, 9)
    def test_kill_ignores_missing_process(self):
-        with patch("agent_loop.os.kill", side_effect=ProcessLookupError):
+        with patch("agent_loop._is_claude_process", return_value=True):
-            agent_loop._kill_agent({"pid": 1234})  # Should not raise.
+            with patch("agent_loop.os.kill", side_effect=ProcessLookupError):
                agent_loop._kill_agent({"pid": 1234})  # Should not raise.
    def test_kill_noop_when_no_pid(self):
        with patch("agent_loop.os.kill") as mock_kill:
            agent_loop._kill_agent({})
            mock_kill.assert_not_called()
    def test_kill_skips_recycled_pid(self):
        with patch("agent_loop._is_claude_process", return_value=False):
            with patch("agent_loop.os.kill") as mock_kill:
                agent_loop._kill_agent({"pid": 1234})
                mock_kill.assert_not_called()
 class TestStartAgent(unittest.TestCase):
    def _make_mock_proc(self, pid=42):
@@ -174,7 +200,8 @@ class TestMain(unittest.TestCase):
            return 55
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[self._make_issue(10)]), \
             patch("agent_loop._set_labels", side_effect=fake_set_labels), \
             patch("agent_loop._start_agent", side_effect=fake_start_agent), \
@@ -200,7 +227,8 @@ class TestMain(unittest.TestCase):
            captured["remove"] = remove
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[self._make_issue(7)]), \
             patch("agent_loop._set_labels", side_effect=fake_set_labels), \
             patch("agent_loop._start_agent", return_value=99), \
@@ -213,7 +241,8 @@ class TestMain(unittest.TestCase):
    def test_no_ready_issues_does_nothing(self):
        """main() exits cleanly with 0 when there are no ready issues."""
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[]), \
             patch("agent_loop._set_labels") as mock_labels, \
             patch("agent_loop._start_agent") as mock_start:
@@ -232,7 +261,8 @@ class TestMain(unittest.TestCase):
            return 77
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[self._make_issue(42)]), \
             patch("agent_loop._set_labels"), \
             patch("agent_loop._start_agent", side_effect=fake_start_agent), \
@@ -256,21 +286,89 @@ class TestPendingCi(unittest.TestCase):
            "type": kind,
        }
    def _open_pr(self, branch: str = "issue-10-fix") -> dict:
        return {"number": 5, "head": {"ref": branch}, "created_at": "2026-01-01T00:00:00+00:00"}
    def _find_pr_open(self, branch, state="open"):
        if state == "open":
            return self._open_pr(branch)
        return None
    def test_closes_issue_when_ci_passes_after_agent_finishes(self):
-        """After issue agent finishes, loop closes the issue once CI is green."""
+        """After issue agent finishes, loop merges the PR and closes the issue once CI is green."""
        # First call: PR found open. Second call (post-merge verification): PR closed.
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "success"}), \
+             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
             patch("agent_loop._merge_pr") as mock_merge, \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._clear_state"):
            result = agent_loop._run_loop()
        self.assertEqual(result, 0)
        mock_merge.assert_called_once_with(5)
        mock_close.assert_called_once_with(10)
-    def test_does_not_close_issue_when_ci_fails(self):
+    def test_ci_passed_output_includes_ci_run_url(self):
-        """After issue agent finishes, loop must NOT close the issue if CI failed."""
+        """'CI passed' line includes the CI run URL when a run is available."""
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "failure"}), \
+             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 4145144, "status": "success"}), \
             patch("agent_loop._merge_pr"), \
             patch("agent_loop._close_issue"), \
             patch("agent_loop._clear_state"), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        output = buf.getvalue()
        self.assertIn("https://codeberg.org/guettli/sharedinbox/actions/runs/4145144", output)
        self.assertIn("https://codeberg.org/guettli/sharedinbox/issues/10", output)
    def test_already_merged_pr_closes_issue_without_ci_url(self):
        """When the PR was already merged, the issue is closed and no CI run URL appears."""
        def find_pr(branch, state="open"):
            if state == "closed":
                return {"number": 5, "merged": True}
            return None
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
             patch("agent_loop._find_pr_for_branch", side_effect=find_pr), \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._clear_state"), \
             contextlib.redirect_stdout(buf):
            result = agent_loop._run_loop()
        output = buf.getvalue()
        self.assertEqual(result, 0)
        mock_close.assert_called_once_with(10)
        self.assertIn("already merged", output)
        self.assertNotIn("/actions/runs/", output)
    def test_no_pr_found_sets_question_label(self):
        """When no open or merged PR exists for the pending branch, set State/Question."""
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
             patch("agent_loop._find_pr_for_branch", return_value=None), \
             patch("agent_loop._set_labels") as mock_labels, \
             patch("agent_loop._comment_issue") as mock_comment, \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._clear_state"):
            result = agent_loop._run_loop()
        self.assertEqual(result, 0)
        mock_close.assert_not_called()
        mock_labels.assert_called_once_with(
            10,
            add=[agent_loop.LABEL_QUESTION],
            remove=[agent_loop.LABEL_IN_PROGRESS],
        )
        mock_comment.assert_called_once()
        self.assertIn("issue-10-fix", mock_comment.call_args[0][1])
    def test_does_not_close_issue_when_ci_fails(self):
        """After issue agent finishes, loop must NOT close the issue if CI failed on PR branch."""
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "failure"}), \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._start_agent", return_value=55), \
             patch("agent_loop._write_state"), \
@@ -281,7 +379,7 @@ class TestPendingCi(unittest.TestCase):
        mock_close.assert_not_called()
    def test_saves_pending_ci_state_while_ci_running(self):
-        """When CI is still running after agent finishes, pending issue is preserved."""
+        """When CI is still running on PR branch after agent finishes, pending issue is preserved."""
        written = {}
        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
@@ -290,7 +388,8 @@ class TestPendingCi(unittest.TestCase):
            written["kind"] = kind
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "running"}), \
+             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "running"}), \
             patch("agent_loop._write_state", side_effect=fake_write_state), \
             patch("agent_loop._clear_state"):
            result = agent_loop._run_loop()
@@ -301,7 +400,7 @@ class TestPendingCi(unittest.TestCase):
        self.assertIsNone(written.get("pid"))
    def test_ci_fix_preserves_pending_issue_in_state(self):
-        """When CI fails after agent finishes, ci-fix state includes the pending issue."""
+        """When CI fails on PR branch after agent finishes, ci-fix state includes the pending issue."""
        written = {}
        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
@@ -310,7 +409,8 @@ class TestPendingCi(unittest.TestCase):
            written["kind"] = kind
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "failure"}), \
+             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "failure"}), \
             patch("agent_loop._start_agent", return_value=55), \
             patch("agent_loop._write_state", side_effect=fake_write_state), \
             patch("agent_loop._clear_state"):
@@ -321,14 +421,17 @@ class TestPendingCi(unittest.TestCase):
        self.assertEqual(written.get("kind"), "ci-fix")
    def test_closes_issue_after_ci_fix_and_ci_passes(self):
-        """After ci-fix agent finishes and CI passes, the pending issue is closed."""
+        """After ci-fix agent finishes and CI passes on PR branch, the pending issue is closed."""
        with patch("agent_loop._read_state", return_value=self._dead_state(10, "ci-fix")), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "success"}), \
+             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
             patch("agent_loop._merge_pr") as mock_merge, \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._clear_state"):
            result = agent_loop._run_loop()
        self.assertEqual(result, 0)
        mock_merge.assert_called_once_with(5)
        mock_close.assert_called_once_with(10)
    def test_no_pending_issue_ci_fix_without_issue(self):
@@ -337,7 +440,8 @@ class TestPendingCi(unittest.TestCase):
            "pid": 999999999, "issue": None, "started_at": "2026-01-01T00:00:00+00:00",
            "type": "ci-fix",
        }), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "success"}), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value={"id": 1, "status": "success"}), \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._ready_issues", return_value=[]), \
             patch("agent_loop._clear_state"):
@@ -353,7 +457,8 @@ class TestOutputFormat(unittest.TestCase):
    def test_output_starts_with_header(self):
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[]), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
@@ -364,7 +469,8 @@ class TestOutputFormat(unittest.TestCase):
    def test_no_agent_loop_prefix_in_output(self):
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[]), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
@@ -374,7 +480,8 @@ class TestOutputFormat(unittest.TestCase):
        run = {"id": 4145144, "status": "running"}
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=run), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=run), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        self.assertIn("https://codeberg.org/guettli/sharedinbox/actions/runs/4145144",
@@ -384,7 +491,8 @@ class TestOutputFormat(unittest.TestCase):
        issue = {"number": 128, "title": "Fix something", "body": "", "labels": []}
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[issue]), \
             patch("agent_loop._set_labels"), \
             patch("agent_loop._start_agent", return_value=99), \
@@ -396,6 +504,47 @@ class TestOutputFormat(unittest.TestCase):
        self.assertIn("Fix something", output)
 class TestLatestMainCiRun(unittest.TestCase):
    """_latest_main_ci_run() must return only ci.yml push-to-main runs."""
    def _ci_run(self, run_id, status="success"):
        return {"event": "push", "prettyref": "main", "workflow_id": "ci.yml",
                "status": status, "id": run_id}
    def _deploy_run(self, run_id, status="success"):
        return {"event": "push", "prettyref": "main", "workflow_id": "deploy.yml",
                "status": status, "id": run_id}
    def test_skips_deploy_run_returns_ci_run(self):
        # Forgejo reports deploy.yml schedule runs as event=push/prettyref=main;
        # must be excluded by workflow_id filter.
        runs = [self._deploy_run(1), self._ci_run(2)]
        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
            result = agent_loop._latest_main_ci_run()
        self.assertIsNotNone(result)
        self.assertEqual(result["id"], 2)
    def test_returns_none_when_only_deploy_runs_exist(self):
        runs = [self._deploy_run(1)]
        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
            result = agent_loop._latest_main_ci_run()
        self.assertIsNone(result)
    def test_returns_none_when_only_schedule_runs_exist(self):
        runs = [{"event": "schedule", "prettyref": "main", "workflow_id": "deploy.yml",
                 "status": "success", "id": 1}]
        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
            result = agent_loop._latest_main_ci_run()
        self.assertIsNone(result)
    def test_returns_ci_push_to_main_run(self):
        runs = [self._ci_run(42, status="running")]
        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
            result = agent_loop._latest_main_ci_run()
        self.assertIsNotNone(result)
        self.assertEqual(result["id"], 42)
 class TestLatestCiRunForBranch(unittest.TestCase):
    """Tests for _latest_ci_run_for_branch — Forgejo API field mapping."""
@@ -462,5 +611,138 @@ class TestLatestCiRunForBranch(unittest.TestCase):
        self.assertEqual(result["id"], 10)
 class TestFindSessionUuid(unittest.TestCase):
    """Tests for _find_session_uuid()."""
    def _write_jsonl(self, directory: Path, filename: str, entries: list) -> Path:
        path = directory / filename
        with path.open("w") as fh:
            for entry in entries:
                fh.write(json.dumps(entry) + "\n")
        return path
    def test_returns_uuid_for_matching_session_name(self):
        with tempfile.TemporaryDirectory() as tmpdir:
            projects_dir = Path(tmpdir)
            self._write_jsonl(projects_dir, "abc123.jsonl", [
                {"type": "agent-name", "agentName": "issue-91", "sessionId": "uuid-abc-123"},
            ])
            orig = agent_loop.CLAUDE_PROJECTS_DIR
            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
            try:
                result = agent_loop._find_session_uuid("issue-91")
            finally:
                agent_loop.CLAUDE_PROJECTS_DIR = orig
        self.assertEqual(result, "uuid-abc-123")
    def test_returns_none_when_name_does_not_match(self):
        with tempfile.TemporaryDirectory() as tmpdir:
            projects_dir = Path(tmpdir)
            self._write_jsonl(projects_dir, "abc123.jsonl", [
                {"type": "agent-name", "agentName": "issue-99", "sessionId": "uuid-abc-123"},
            ])
            orig = agent_loop.CLAUDE_PROJECTS_DIR
            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
            try:
                result = agent_loop._find_session_uuid("issue-91")
            finally:
                agent_loop.CLAUDE_PROJECTS_DIR = orig
        self.assertIsNone(result)
    def test_returns_none_when_directory_missing(self):
        orig = agent_loop.CLAUDE_PROJECTS_DIR
        agent_loop.CLAUDE_PROJECTS_DIR = Path("/nonexistent/path/that/does/not/exist")
        try:
            result = agent_loop._find_session_uuid("issue-91")
        finally:
            agent_loop.CLAUDE_PROJECTS_DIR = orig
        self.assertIsNone(result)
    def test_returns_none_when_no_agent_name_entry(self):
        with tempfile.TemporaryDirectory() as tmpdir:
            projects_dir = Path(tmpdir)
            self._write_jsonl(projects_dir, "abc123.jsonl", [
                {"type": "message", "content": "hello"},
            ])
            orig = agent_loop.CLAUDE_PROJECTS_DIR
            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
            try:
                result = agent_loop._find_session_uuid("issue-91")
            finally:
                agent_loop.CLAUDE_PROJECTS_DIR = orig
        self.assertIsNone(result)
    def test_scans_multiple_files_to_find_match(self):
        with tempfile.TemporaryDirectory() as tmpdir:
            projects_dir = Path(tmpdir)
            self._write_jsonl(projects_dir, "aaa.jsonl", [
                {"type": "agent-name", "agentName": "issue-10", "sessionId": "uuid-10"},
            ])
            self._write_jsonl(projects_dir, "bbb.jsonl", [
                {"type": "agent-name", "agentName": "issue-91", "sessionId": "uuid-91"},
            ])
            orig = agent_loop.CLAUDE_PROJECTS_DIR
            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
            try:
                result = agent_loop._find_session_uuid("issue-91")
            finally:
                agent_loop.CLAUDE_PROJECTS_DIR = orig
        self.assertEqual(result, "uuid-91")
 class TestRunLoopResumeCommand(unittest.TestCase):
    """Tests that _run_loop() shows a UUID-based resume command when agent is running."""
    def _alive_state(self, session_name="issue-91"):
        return {
            "pid": os.getpid(),  # own PID is always alive
            "issue": 91,
            "started_at": "2026-05-23T12:00:00+00:00",
            "type": "issue",
            "session_name": session_name,
        }
    def test_resume_shows_uuid_when_found(self):
        buf = io.StringIO()
        fake_uuid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
        with patch("agent_loop._read_state", return_value=self._alive_state()), \
             patch("agent_loop._agent_alive", return_value=True), \
             patch("agent_loop._agent_age_seconds", return_value=600), \
             patch("agent_loop._find_session_uuid", return_value=fake_uuid), \
             patch("agent_loop._git_summary", return_value=""), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        output = buf.getvalue()
        self.assertIn(f"claude --resume {fake_uuid}", output)
    def test_resume_shows_list_hint_when_uuid_not_found(self):
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=self._alive_state()), \
             patch("agent_loop._agent_alive", return_value=True), \
             patch("agent_loop._agent_age_seconds", return_value=600), \
             patch("agent_loop._find_session_uuid", return_value=None), \
             patch("agent_loop._git_summary", return_value=""), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        output = buf.getvalue()
        self.assertIn("scripts/agent_loop.py list", output)
        # Must NOT show the session name as a valid resume argument.
        self.assertNotIn("claude --resume issue-91", output)
    def test_resume_not_shown_when_no_session_name(self):
        state = self._alive_state()
        del state["session_name"]
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=state), \
             patch("agent_loop._agent_alive", return_value=True), \
             patch("agent_loop._agent_age_seconds", return_value=600), \
             patch("agent_loop._find_session_uuid", return_value=None), \
             patch("agent_loop._git_summary", return_value=""), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        output = buf.getvalue()
        self.assertNotIn("Resume:", output)
 if __name__ == "__main__":
    unittest.main()
@@ -0,0 +1,200 @@
 #!/usr/bin/env python3
 """Tests for deploy_playstore.py."""
 import os
 import sys
 import unittest
 from pathlib import Path
 from unittest.mock import MagicMock, call, patch
 sys.path.insert(0, str(Path(__file__).parent))
 import deploy_playstore
 def _make_session(
    edit_id="edit-42",
    version_code=7,
    upload_side_effects=None,
 ):
    """Return a mock AuthorizedSession with sensible defaults."""
    session = MagicMock()
    # POST /edits → create edit
    edit_resp = MagicMock()
    edit_resp.json.return_value = {"id": edit_id}
    session.post.return_value = edit_resp
    # POST resumable-init → Location header
    init_resp = MagicMock()
    init_resp.headers = {"Location": "https://upload.example.com/session"}
    # PUT upload → bundle JSON
    upload_resp = MagicMock()
    upload_resp.json.return_value = {"versionCode": version_code}
    if upload_side_effects is not None:
        # Use side_effect list: first call is edit create, rest are upload inits
        # We override the PUT side effects via _upload_aab_resumable mock instead
        pass
    return session, init_resp, upload_resp
 class TestMainEnvChecks(unittest.TestCase):
    def test_missing_env_exits(self):
        with patch.dict(os.environ, {}, clear=True):
            with self.assertRaises(SystemExit) as ctx:
                deploy_playstore.main()
        self.assertEqual(ctx.exception.code, 1)
    def test_missing_aab_exits(self):
        fake_config = '{"type": "service_account"}'
        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": fake_config}):
            with patch("deploy_playstore.os.path.exists", return_value=False):
                with self.assertRaises(SystemExit) as ctx:
                    deploy_playstore.main()
        self.assertEqual(ctx.exception.code, 1)
 class TestMainHappyPath(unittest.TestCase):
    def _run_main(self, fake_config='{"type":"service_account"}'):
        mock_session = MagicMock()
        # POST for edit create and commit
        post_responses = [
            MagicMock(**{"json.return_value": {"id": "edit-42"}}),  # create edit
            MagicMock(),  # commit
        ]
        mock_session.post.side_effect = post_responses
        # PUT for track update
        mock_session.put.return_value = MagicMock()
        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": fake_config}):
            with patch("deploy_playstore.os.path.exists", return_value=True):
                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
                    with patch("deploy_playstore.AuthorizedSession", return_value=mock_session):
                        with patch(
                            "deploy_playstore._upload_aab_resumable",
                            return_value={"versionCode": 7},
                        ):
                            deploy_playstore.main()
        return mock_session
    def test_creates_edit(self):
        session = self._run_main()
        create_call = session.post.call_args_list[0]
        self.assertIn("/edits", create_call[0][0])
    def test_commits_edit(self):
        session = self._run_main()
        commit_call = session.post.call_args_list[1]
        self.assertIn(":commit", commit_call[0][0])
    def test_updates_track(self):
        session = self._run_main()
        track_call = session.put.call_args_list[0]
        self.assertIn("/tracks/", track_call[0][0])
 class TestUploadRetry(unittest.TestCase):
    def _run_main(self, upload_side_effects, sleep_mock=None):
        mock_session = MagicMock()
        post_responses = [
            MagicMock(**{"json.return_value": {"id": "edit-1"}}),
            MagicMock(),
        ]
        mock_session.post.side_effect = post_responses
        mock_session.put.return_value = MagicMock()
        patches = [
            patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}),
            patch("deploy_playstore.os.path.exists", return_value=True),
            patch("deploy_playstore.service_account.Credentials.from_service_account_info"),
            patch("deploy_playstore.AuthorizedSession", return_value=mock_session),
            patch("deploy_playstore._upload_aab_resumable", side_effect=upload_side_effects),
            patch("deploy_playstore.time.sleep"),
        ]
        for p in patches:
            p.start()
        try:
            deploy_playstore.main()
        finally:
            for p in patches:
                p.stop()
    def test_succeeds_on_first_attempt(self):
        with patch("deploy_playstore._upload_aab_resumable", return_value={"versionCode": 5}) as mock_upload:
            with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
                with patch("deploy_playstore.os.path.exists", return_value=True):
                    with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
                        mock_session = MagicMock()
                        mock_session.post.side_effect = [
                            MagicMock(**{"json.return_value": {"id": "e1"}}),
                            MagicMock(),
                        ]
                        mock_session.put.return_value = MagicMock()
                        with patch("deploy_playstore.AuthorizedSession", return_value=mock_session):
                            deploy_playstore.main()
            mock_upload.assert_called_once()
    def test_retries_once_on_error_then_succeeds(self):
        self._run_main([ValueError("transient"), {"versionCode": 9}])
    def test_raises_after_all_attempts_exhausted(self):
        with self.assertRaises(RuntimeError) as ctx:
            self._run_main([ValueError("err"), ValueError("err"), ValueError("err")])
        self.assertIn(str(deploy_playstore._MAX_UPLOAD_ATTEMPTS), str(ctx.exception))
    def test_backoff_delays_are_10s_then_20s(self):
        mock_session = MagicMock()
        mock_session.post.side_effect = [
            MagicMock(**{"json.return_value": {"id": "e1"}}),
            MagicMock(),
        ]
        mock_session.put.return_value = MagicMock()
        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
            with patch("deploy_playstore.os.path.exists", return_value=True):
                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
                    with patch("deploy_playstore.AuthorizedSession", return_value=mock_session):
                        with patch(
                            "deploy_playstore._upload_aab_resumable",
                            side_effect=[ValueError("e"), ValueError("e"), {"versionCode": 3}],
                        ):
                            with patch("deploy_playstore.time.sleep") as mock_sleep:
                                deploy_playstore.main()
        mock_sleep.assert_has_calls([call(10), call(20)])
 class TestUploadAabResumable(unittest.TestCase):
    def test_initiates_and_uploads(self):
        mock_session = MagicMock()
        init_resp = MagicMock()
        init_resp.headers = {"Location": "https://upload.example.com/sess"}
        upload_resp = MagicMock()
        upload_resp.json.return_value = {"versionCode": 42}
        mock_session.post.return_value = init_resp
        mock_session.put.return_value = upload_resp
        import tempfile
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(b"fake-aab-content")
            aab_path = f.name
        try:
            result = deploy_playstore._upload_aab_resumable(
                mock_session, "com.example.app", "edit-1", aab_path
            )
        finally:
            os.unlink(aab_path)
        self.assertEqual(result["versionCode"], 42)
        mock_session.post.assert_called_once()
        mock_session.put.assert_called_once()
        put_call = mock_session.put.call_args
        self.assertEqual(put_call[0][0], "https://upload.example.com/sess")
 if __name__ == "__main__":
    unittest.main()
@@ -0,0 +1,153 @@
 #!/usr/bin/env bash
 # Tests for scripts/secrets-encrypt.sh and scripts/secrets-decrypt.sh.
 # Run directly: bash scripts/test_secrets.sh
 # Requires: age, age-keygen
 set -euo pipefail
 SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 PASS=0
 FAIL=0
 _assert() {
    local name="$1" expected="$2" actual="$3"
    if [ "$actual" = "$expected" ]; then
        PASS=$((PASS + 1))
    else
        echo "FAIL: $name"
        echo "  expected: $(printf '%s' "$expected" | head -c 80)"
        echo "  actual:   $(printf '%s' "$actual"   | head -c 80)"
        FAIL=$((FAIL + 1))
    fi
 }
 _assert_contains() {
    local name="$1" needle="$2" haystack="$3"
    if printf '%s' "$haystack" | grep -qF -- "$needle"; then
        PASS=$((PASS + 1))
    else
        echo "FAIL: $name"
        echo "  expected to contain: $needle"
        echo "  actual: $(printf '%s' "$haystack" | head -c 200)"
        FAIL=$((FAIL + 1))
    fi
 }
 if ! command -v age >/dev/null 2>&1 || ! command -v age-keygen >/dev/null 2>&1; then
    echo "SKIP: age/age-keygen not found — install age to run secrets tests"
    exit 0
 fi
 WORKDIR=$(mktemp -d)
 cleanup() { rm -rf "$WORKDIR"; }
 trap cleanup EXIT
 KEY_FILE="$WORKDIR/test.key"
 SECRETS_ENV="$WORKDIR/secrets.env"
 SECRETS_AGE="$WORKDIR/secrets.age"
 GITHUB_ENV_FILE="$WORKDIR/github.env"
 # Generate a test age key pair
 age-keygen -o "$KEY_FILE" 2>/dev/null
 PUBLIC_KEY=$(age-keygen -y "$KEY_FILE")
 PRIVATE_KEY=$(cat "$KEY_FILE")
 # Helper: decrypt and eval, capturing specific variables
 _decrypt_vars() {
    local vars
    vars=$(SECRETS_AGE_KEY="$PRIVATE_KEY" \
        SECRETS_AGE="$SECRETS_AGE" \
        bash "$SCRIPT_DIR/secrets-decrypt.sh")
    eval "$vars"
 }
 # --- simple values ---
 cat > "$SECRETS_ENV" << 'EOF'
 SIMPLE_VAR=hello
 QUOTED_DOUBLE="world"
 QUOTED_SINGLE='literal'
 EMPTY_VAR=
 # comment line — should be ignored
 NUMERIC=42
 EOF
 AGE_PUBLIC_KEY="$PUBLIC_KEY" \
    SECRETS_ENV="$SECRETS_ENV" \
    SECRETS_AGE="$SECRETS_AGE" \
    bash "$SCRIPT_DIR/secrets-encrypt.sh"
 _decrypt_vars
 _assert "simple value"         "hello"   "${SIMPLE_VAR:-}"
 _assert "double-quoted value"  "world"   "${QUOTED_DOUBLE:-}"
 _assert "single-quoted value"  "literal" "${QUOTED_SINGLE:-}"
 _assert "empty value"          ""        "${EMPTY_VAR:-}"
 _assert "numeric value"        "42"      "${NUMERIC:-}"
 unset SIMPLE_VAR QUOTED_DOUBLE QUOTED_SINGLE EMPTY_VAR NUMERIC
 # --- multi-line value with \n escape sequences ---
 # Use a made-up key format to avoid triggering the detect-private-key pre-commit hook.
 printf '%s\n' \
    'SSH_KEY="FAKE-KEY-HEADER\nfakekey\nFAKE-KEY-FOOTER"' \
    'SIDE=plain' \
    > "$SECRETS_ENV"
 rm -f "$SECRETS_AGE"
 AGE_PUBLIC_KEY="$PUBLIC_KEY" \
    SECRETS_ENV="$SECRETS_ENV" \
    SECRETS_AGE="$SECRETS_AGE" \
    bash "$SCRIPT_DIR/secrets-encrypt.sh"
 _decrypt_vars
 _assert_contains "multi-line: header present" "FAKE-KEY-HEADER" "${SSH_KEY:-}"
 _assert_contains "multi-line: body present"   "fakekey"         "${SSH_KEY:-}"
 _assert_contains "multi-line: footer present" "FAKE-KEY-FOOTER" "${SSH_KEY:-}"
 _assert "variable alongside multi-line" "plain" "${SIDE:-}"
 unset SSH_KEY SIDE
 # --- GITHUB_ENV output uses heredoc syntax ---
 printf '%s\n' 'CI_SECRET=supersecret' > "$SECRETS_ENV"
 rm -f "$SECRETS_AGE" "$GITHUB_ENV_FILE"
 AGE_PUBLIC_KEY="$PUBLIC_KEY" \
    SECRETS_ENV="$SECRETS_ENV" \
    SECRETS_AGE="$SECRETS_AGE" \
    bash "$SCRIPT_DIR/secrets-encrypt.sh"
 GITHUB_ENV="$GITHUB_ENV_FILE" \
    SECRETS_AGE_KEY="$PRIVATE_KEY" \
    SECRETS_AGE="$SECRETS_AGE" \
    bash "$SCRIPT_DIR/secrets-decrypt.sh"
 _assert_contains "GITHUB_ENV contains key"   "CI_SECRET"   "$(cat "$GITHUB_ENV_FILE")"
 _assert_contains "GITHUB_ENV contains value" "supersecret" "$(cat "$GITHUB_ENV_FILE")"
 # --- missing secrets.age exits non-zero with a helpful message ---
 ERR=$(SECRETS_AGE="$WORKDIR/nonexistent.age" \
    SECRETS_AGE_KEY="$PRIVATE_KEY" \
    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
 _assert "missing secrets.age: exits non-zero" "1" "$GOT"
 _assert_contains "missing secrets.age: error mentions file" "secrets.age" "$ERR"
 # --- missing key exits non-zero ---
 ERR=$(SECRETS_AGE="$SECRETS_AGE" \
    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
 _assert "missing key: exits non-zero" "1" "$GOT"
 # --- wrong key fails decryption ---
 OTHER_KEY="$WORKDIR/other.key"
 age-keygen -o "$OTHER_KEY" 2>/dev/null
 ERR=$(SECRETS_AGE_KEY=$(cat "$OTHER_KEY") \
    SECRETS_AGE="$SECRETS_AGE" \
    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
 _assert "wrong key: exits non-zero" "1" "$GOT"
 # --- encrypt without secrets.env exits non-zero ---
 ERR=$(AGE_PUBLIC_KEY="$PUBLIC_KEY" \
    SECRETS_ENV="$WORKDIR/missing_secrets.env" \
    SECRETS_AGE="$WORKDIR/out.age" \
    bash "$SCRIPT_DIR/secrets-encrypt.sh" 2>&1) && GOT=0 || GOT=$?
 _assert "encrypt without secrets.env: exits non-zero" "1" "$GOT"
 _assert_contains "encrypt without secrets.env: error mentions file" "secrets.env" "$ERR"
 echo ""
 echo "Results: $PASS passed, $FAIL failed"
 [ "$FAIL" -eq 0 ] || exit 1
@@ -0,0 +1,28 @@
 # Copy this file to secrets.env and fill in real values.
 # Then encrypt to secrets.age: scripts/secrets-encrypt.sh
 #
 # secrets.env  — plaintext, git-ignored
 # secrets.age  — encrypted, committed to the repository
 # .age-public-key — age public key, committed (not secret)
 #
 # Multi-line values (SSH keys, certificates) must be stored as a single line
 # with literal \n for newlines, wrapped in double quotes. Example:
 #   SSH_PRIVATE_KEY="<header line>\n<base64 body lines>\n<footer line>"
 #
 # One-time setup:
 #   age-keygen -o ~/.config/age/sharedinbox.key
 #   age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key
 #   # Store the private key content in CI as SECRETS_AGE_KEY secret.
 ANDROID_KEYSTORE_BASE64=
 ANDROID_KEYSTORE_PASSWORD=
 PLAY_STORE_CONFIG_JSON=
 SSH_PRIVATE_KEY=
 SSH_KNOWN_HOSTS=
 SSH_USER=
 SSH_HOST=
 ANDROID_APK_SCP_HOST=
 ANDROID_APK_SCP_USER=
 ANDROID_APK_SCP_PATH=
 FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY=
 FIREBASE_PROJECT_ID=
@@ -1,6 +1,8 @@
 import 'dart:async';
 import 'package:flutter/services.dart' show MissingPluginException;
 import 'package:mockito/annotations.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
@@ -30,6 +32,40 @@ void main() {
    // This is hard to test without real loops, but we can verify it doesn't crash.
    manager.syncNow('unknown');
  });
  // Regression test for issue #200: when flutter_secure_storage throws
  // MissingPluginException (channel unavailable on the device), the IMAP sync
  // loop must stop permanently instead of retrying indefinitely with backoff.
  test(
      'MissingPluginException from secure storage stops IMAP sync loop permanently',
      () async {
    final syncLog = FakeSyncLogRepository();
    final m = AccountSyncManager(
      _AccountRepositoryWithMissingPlugin(),
      FakeMailboxRepositoryWithInbox(),
      FakeEmailRepository(),
      syncLog: syncLog,
    );
    m.start();
    // Allow the first sync cycle to run and fail.
    await Future<void>.delayed(const Duration(milliseconds: 100));
    expect(syncLog.logs, hasLength(1));
    expect(syncLog.logs.first.success, isFalse);
    // Kicking the loop should have no effect once it has stopped permanently.
    m.syncNow('1');
    await Future<void>.delayed(const Duration(milliseconds: 100));
    // Before the fix: kick triggers a retry → 2 log entries.
    // After the fix: loop is permanently stopped → still exactly 1 entry.
    expect(syncLog.logs, hasLength(1));
    m.dispose();
  });
 }
 class FakeEmailRepository implements EmailRepository {
@@ -187,3 +223,34 @@ class FakeMailboxRepositoryWithInbox implements MailboxRepository {
  @override
  Future<void> clearForResync(String accountId) async {}
 }
 class _AccountRepositoryWithMissingPlugin implements AccountRepository {
  static const _account = Account(
    id: '1',
    displayName: 'Test',
    email: 'test@example.com',
  );
  @override
  Stream<List<Account>> observeAccounts() => Stream.value([_account]);
  @override
  Future<Account?> getAccount(String id) async => _account;
  @override
  Future<String> getPassword(String accountId) => Future.error(
        MissingPluginException(
          'No implementation found for method read on channel '
          'plugins.it.nomads.com/flutter_secure_storage',
        ),
      );
  @override
  Future<void> addAccount(Account account, String password) async {}
  @override
  Future<void> updateAccount(Account account, {String? password}) async {}
  @override
  Future<void> removeAccount(String id) async {}
 }
@@ -0,0 +1,156 @@
 import 'dart:async';
 import 'dart:io';
 import 'package:fake_async/fake_async.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_test/flutter_test.dart';
 import 'package:path_provider_platform_interface/path_provider_platform_interface.dart';
 import 'package:plugin_platform_interface/plugin_platform_interface.dart';
 import 'package:sharedinbox/data/db/database.dart';
 // Fake PathProviderPlatform that always throws PlatformException(channel-error)
 // to simulate the Pigeon channel not being ready at startup (issue #166).
 class _UnavailablePathProvider extends Fake
    with MockPlatformInterfaceMixin
    implements PathProviderPlatform {
  @override
  Future<String?> getApplicationSupportPath() async {
    throw PlatformException(
      code: 'channel-error',
      message: 'Simulated: path_provider channel not ready',
    );
  }
 }
 // Fake PathProviderPlatform that fails the first [failCount] calls, then
 // returns a fixed path.  Used to exercise the retry loop in
 // _resolveDatabasePath() without waiting for real timers.
 class _SucceedAfterNPathProvider extends Fake
    with MockPlatformInterfaceMixin
    implements PathProviderPlatform {
  _SucceedAfterNPathProvider({required this.failCount});
  final int failCount;
  int _callCount = 0;
  @override
  Future<String?> getApplicationSupportPath() async {
    _callCount++;
    if (_callCount <= failCount) {
      throw PlatformException(
        code: 'channel-error',
        message: 'Simulated: path_provider channel not ready',
      );
    }
    return '/tmp/test_app_support';
  }
 }
 void main() {
  TestWidgetsFlutterBinding.ensureInitialized();
  // Regression test for https://codeberg.org/guettli/sharedinbox/issues/166:
  // On some slow Android devices the path_provider Pigeon channel is not ready
  // when initDatabasePath() runs before runApp(). initDatabasePath() must
  // absorb the PlatformException and let the app start; _resolveDatabasePath()
  // then retries with back-off on first DB access.
  test(
    'initDatabasePath completes without throwing when path_provider is unavailable',
    () async {
      final prev = PathProviderPlatform.instance;
      PathProviderPlatform.instance = _UnavailablePathProvider();
      addTearDown(() => PathProviderPlatform.instance = prev);
      // Must not throw — the exception is swallowed so the app can continue.
      await expectLater(initDatabasePath(), completes);
    },
  );
  // Tests for _resolveDatabasePath() — the lazy retry path called on first DB
  // access when initDatabasePath() already failed.  fake_async lets us advance
  // the back-off timers without waiting real-world milliseconds.
  test(
    '_resolveDatabasePath retries and eventually succeeds after transient failures',
    () {
      resetDatabasePathForTesting();
      final prev = PathProviderPlatform.instance;
      // Fail 3 times, succeed on the 4th call.  The delays in
      // _resolveDatabasePath are [200, 500, 1000, 2000, 4000] ms, so three
      // failures cost 200+500+1000 = 1700 ms before the fourth attempt.
      PathProviderPlatform.instance = _SucceedAfterNPathProvider(failCount: 3);
      addTearDown(() {
        PathProviderPlatform.instance = prev;
        resetDatabasePathForTesting();
      });
      fakeAsync((fake) {
        String? result;
        unawaited(resolveDatabasePathForTesting().then((r) => result = r));
        // Advance fake time through the three back-off delays.
        fake.elapse(const Duration(milliseconds: 200 + 500 + 1000 + 1));
        expect(result, isNotNull);
        expect(result, endsWith('sharedinbox.db'));
      });
    },
  );
  test(
    '_resolveDatabasePath throws PlatformException after exhausting all retries',
    () {
      resetDatabasePathForTesting();
      final prev = PathProviderPlatform.instance;
      PathProviderPlatform.instance = _UnavailablePathProvider();
      addTearDown(() {
        PathProviderPlatform.instance = prev;
        resetDatabasePathForTesting();
      });
      fakeAsync((fake) {
        Object? caughtError;
        unawaited(
          resolveDatabasePathForTesting().catchError((Object e) {
            caughtError = e;
            return ''; // ignored; satisfies the Future<String> return type
          }),
        );
        // Advance past all five back-off delays: 200+500+1000+2000+4000 ms.
        fake.elapse(
          const Duration(milliseconds: 200 + 500 + 1000 + 2000 + 4000 + 1),
        );
        expect(caughtError, isA<PlatformException>());
        expect(
          (caughtError! as PlatformException).message,
          contains('cannot open database'),
        );
      });
    },
    // The Android fallback runs only on Android, so on the host machine the
    // exception is still thrown after all retries.  Skip on Android to avoid
    // depending on /data/user/0/... being absent in the test environment.
    skip: Platform.isAndroid,
  );
  // Regression test for issue #192: _androidFallbackPath must return null when
  // the process cmdline does not look like an Android package name (e.g. on
  // the host test machine where the process is the Dart executable).
  test(
    '_androidFallbackPath returns null when process name is not a package name',
    () async {
      // On non-Android platforms the host process cmdline is a file-system path
      // (starts with '/'), which the fallback correctly rejects.  On Android
      // the process IS named after the package — the fallback is free to
      // succeed or return null depending on the device state; we do not assert
      // here so as not to constrain Android behaviour.
      if (!Platform.isAndroid) {
        final result = await androidFallbackPathForTesting();
        expect(result, isNull);
      }
    },
  );
 }
@@ -151,6 +151,10 @@ void main() {
    expect(clipboardText, contains('Dark Mode'));
    expect(clipboardText, contains('IMAP Accounts'));
    expect(clipboardText, contains('JMAP Accounts'));
    expect(
      clipboardText,
      contains('[sharedinbox.de](https://sharedinbox.de)'),
    );
  });
  testWidgets('AboutScreen create-issue button opens Codeberg URL', (
@@ -23,7 +23,7 @@ void main() {
      expect(find.byKey(const Key('scanEncryptedButton')), findsOneWidget);
    });
-    testWidgets('shows 20-minute expiry hint', (tester) async {
+    testWidgets('shows expiry countdown hint', (tester) async {
      await tester.pumpWidget(
        buildApp(
          initialLocation: '/accounts/receive',
@@ -32,8 +32,106 @@ void main() {
      );
      await tester.pumpAndSettle();
-      expect(find.textContaining('20 minutes'), findsOneWidget);
+      expect(find.textContaining('expires in'), findsOneWidget);
    });
    testWidgets(
      'step 2 button shows text-input fallback on platforms without camera',
      (tester) async {
        await tester.pumpWidget(
          buildApp(
            initialLocation: '/accounts/receive',
            overrides: baseOverrides(),
          ),
        );
        await tester.pumpAndSettle();
        await tester.tap(find.byKey(const Key('scanEncryptedButton')));
        await tester.pumpAndSettle();
        // On Linux (desktop, no camera) the text fallback field must appear.
        expect(find.byKey(const Key('encryptedCodeField')), findsOneWidget);
      },
    );
    testWidgets(
      'step 2 — valid encrypted QR imports account via text fallback',
      (tester) async {
        // Pre-generate a key pair so we can encrypt a QR code with the same
        // material the screen will use for decryption.
        final material = await ShareEncryptionService.generateKeyPair();
        final repo = FakeShareKeyRepository(material: material);
        const account = Account(
          id: 'src-1',
          displayName: 'Alice',
          email: 'alice@example.com',
          imapHost: 'imap.example.com',
          smtpHost: 'smtp.example.com',
        );
        final encryptedQr = await ShareEncryptionService.encryptAccounts(
          recipientKeyId: material.keyId,
          recipientPublicKeyBytes: material.publicKeyBytes,
          accounts: [
            AccountPayload(
              accountJson: account.toJson(),
              password: 'secret',
            ),
          ],
        );
        await tester.pumpWidget(
          buildApp(
            initialLocation: '/accounts/receive',
            overrides: baseOverrides(shareKeyRepository: repo),
          ),
        );
        await tester.pumpAndSettle(); // key generation completes
        await tester.tap(find.byKey(const Key('scanEncryptedButton')));
        await tester.pumpAndSettle();
        await tester.enterText(
          find.byKey(const Key('encryptedCodeField')),
          encryptedQr,
        );
        await tester.tap(find.text('Import'));
        await tester.pumpAndSettle();
        expect(
          find.text('Imported 1 account successfully.'),
          findsOneWidget,
        );
      },
    );
    testWidgets(
      'step 2 — invalid encrypted QR shows error and returns to pub-key step',
      (tester) async {
        await tester.pumpWidget(
          buildApp(
            initialLocation: '/accounts/receive',
            overrides: baseOverrides(),
          ),
        );
        await tester.pumpAndSettle();
        await tester.tap(find.byKey(const Key('scanEncryptedButton')));
        await tester.pumpAndSettle();
        await tester.enterText(
          find.byKey(const Key('encryptedCodeField')),
          'not-a-valid-qr-code',
        );
        await tester.tap(find.text('Import'));
        await tester.pumpAndSettle();
        // Screen returns to the pub-key step with an error message visible.
        expect(find.byKey(const Key('pubKeyQrCode')), findsOneWidget);
        expect(find.textContaining('Import failed:'), findsWidgets);
      },
    );
  });
  group('AccountSendScreen', () {
@@ -1,5 +1,6 @@
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_riverpod/misc.dart' show Override;
 import 'package:flutter_test/flutter_test.dart';
 import 'package:go_router/go_router.dart';
@@ -1,4 +1,5 @@
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_test/flutter_test.dart';
 import 'package:mockito/mockito.dart';
 import 'package:package_info_plus/package_info_plus.dart';
@@ -76,6 +77,128 @@ void main() {
    expect(mock.launchedUrl, isNot(contains('Stack%20Trace')));
  });
  testWidgets(
    'CrashScreen copy-to-clipboard includes version and platform info',
    (tester) async {
      tester.view.physicalSize = const Size(800, 1200);
      tester.view.devicePixelRatio = 1.0;
      addTearDown(() => tester.view.resetPhysicalSize());
      String? clipboardText;
      tester.binding.defaultBinaryMessenger.setMockMethodCallHandler(
        SystemChannels.platform,
        (MethodCall call) async {
          if (call.method == 'Clipboard.setData') {
            clipboardText =
                (call.arguments as Map<dynamic, dynamic>)['text'] as String?;
          }
          return null;
        },
      );
      addTearDown(
        () => tester.binding.defaultBinaryMessenger
            .setMockMethodCallHandler(SystemChannels.platform, null),
      );
      const exception = 'TestException: clipboard test';
      final stackTrace = StackTrace.current;
      await tester.pumpWidget(
        MaterialApp(
          home: CrashScreen(exception: exception, stackTrace: stackTrace),
        ),
      );
      await tester.tap(find.text('Copy to Clipboard'));
      await tester.pump();
      await tester.pump();
      await tester.pumpAndSettle();
      expect(clipboardText, isNotNull);
      expect(clipboardText, contains('App Version: 1.0.0+42'));
      expect(clipboardText, contains('Build Mode:'));
      expect(clipboardText, contains('Platform:'));
      expect(clipboardText, contains('Dart:'));
      expect(clipboardText, contains('Timestamp:'));
      expect(clipboardText, contains('TestException: clipboard test'));
      // GIT_HASH is empty in test builds — no Git Commit line expected
      expect(clipboardText, isNot(contains('Git Commit:')));
    },
  );
  testWidgets(
    'CrashScreen shows git hash as clickable link above stacktrace',
    (tester) async {
      tester.view.physicalSize = const Size(800, 1200);
      tester.view.devicePixelRatio = 1.0;
      addTearDown(() => tester.view.resetPhysicalSize());
      final mock = MockUrlLauncher();
      UrlLauncherPlatform.instance = mock;
      const exception = 'TestException: git hash test';
      final stackTrace = StackTrace.current;
      const testHash = 'abc1234';
      await tester.pumpWidget(
        CrashScreen(
          exception: exception,
          stackTrace: stackTrace,
          gitHash: testHash,
        ),
      );
      // Git hash link should be present
      final gitLinkFinder = find.textContaining('Git Commit: abc1234');
      expect(gitLinkFinder, findsOneWidget);
      // Link must appear above the stack trace
      final stackTraceFinder = find.text('Stack Trace:');
      expect(
        tester.getTopLeft(gitLinkFinder).dy,
        lessThan(tester.getTopLeft(stackTraceFinder).dy),
      );
      // Tapping the link should open the Codeberg commit URL
      await tester.tap(gitLinkFinder);
      await tester.pumpAndSettle();
      expect(
        mock.launchedUrl,
        equals('https://codeberg.org/guettli/sharedinbox/commit/abc1234'),
      );
    },
  );
  testWidgets(
    'CrashScreen shows version, build mode, and platform in the UI',
    (tester) async {
      tester.view.physicalSize = const Size(800, 1200);
      tester.view.devicePixelRatio = 1.0;
      addTearDown(() => tester.view.resetPhysicalSize());
      const exception = 'TestException: info row test';
      final stackTrace = StackTrace.current;
      await tester.pumpWidget(
        MaterialApp(
          home: CrashScreen(exception: exception, stackTrace: stackTrace),
        ),
      );
      await tester.pumpAndSettle();
      // Info row shows app version (from mock), build mode, and platform OS.
      expect(find.textContaining('1.0.0+42'), findsWidgets);
      // In test builds kDebugMode is true.
      expect(find.textContaining('debug'), findsOneWidget);
      // Platform OS is always present (linux in CI, android/ios on device).
      expect(
        find.textContaining(RegExp(r'linux|android|ios|windows|macos')),
        findsWidgets,
      );
    },
  );
  testWidgets(
    'CrashScreen used as root widget — buttons work without ScaffoldMessenger crash',
    (tester) async {
@@ -3,7 +3,7 @@ import 'dart:convert';
 import 'dart:io';
 import 'package:flutter/material.dart';
-import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:flutter_riverpod/misc.dart' show Override;
 import 'package:flutter_test/flutter_test.dart';
 import 'package:path_provider_platform_interface/path_provider_platform_interface.dart';
@@ -1,5 +1,5 @@
 import 'package:flutter/material.dart';
-import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:flutter_riverpod/misc.dart' show Override;
 import 'package:flutter_test/flutter_test.dart';
 import 'package:sharedinbox/core/models/email.dart';
@@ -6,6 +6,7 @@
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_riverpod/misc.dart' show Override;
 import 'package:go_router/go_router.dart';
 import 'package:sharedinbox/core/models/account.dart';
@@ -19,6 +20,7 @@ import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
 import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/core/services/account_discovery_service.dart';
 import 'package:sharedinbox/core/services/connection_test_service.dart';
 import 'package:sharedinbox/core/services/managesieve_probe_service.dart';
@@ -77,11 +79,13 @@ class FakeAccountRepository implements AccountRepository {
 }
 class FakeShareKeyRepository implements ShareKeyRepository {
  FakeShareKeyRepository({ShareKeyMaterial? material}) : _material = material;
  ShareKeyMaterial? _material;
  @override
  Future<ShareKeyMaterial> createKeyPair() async {
-    _material = await ShareEncryptionService.generateKeyPair();
+    _material ??= await ShareEncryptionService.generateKeyPair();
    return _material!;
  }
@@ -473,10 +477,18 @@ Widget buildApp({
  );
  return ProviderScope(
-    // Always neutralise the ManageSieve probe so widget tests never open a
+    // Defaults come first so tests can override them via [overrides].
-    // real socket. Tests that need to assert on probe behaviour should supply
+    //
-    // their own override before this default in [overrides].
+    // syncHealthProvider and syncLogRepositoryProvider are backed by Drift
    // StreamQueries. When a StreamProvider that wraps a Drift query is disposed,
    // Drift schedules a Timer.run() for cache debouncing. Flutter's test
    // framework then fails the test with "A Timer is still pending". Replacing
    // these with simple synchronous streams avoids the pending-timer assertion.
    overrides: [
      syncHealthProvider.overrideWith((ref, _) => Stream.value(null)),
      syncLogRepositoryProvider.overrideWithValue(
        const NoOpSyncLogRepository(),
      ),
      ...overrides,
      manageSieveProbeServiceProvider.overrideWith(
        (ref) => _NoOpManageSieveProbeService(),
@@ -501,6 +513,7 @@ List<Override> baseOverrides({
  List<Mailbox>? mailboxes,
  DiscoveryResult? discovery,
  Exception? connectionError,
  ShareKeyRepository? shareKeyRepository,
 }) =>
    [
      accountRepositoryProvider
@@ -515,7 +528,9 @@ List<Override> baseOverrides({
      connectionTestServiceProvider.overrideWithValue(
        FakeConnectionTestService(error: connectionError),
      ),
-      shareKeyRepositoryProvider.overrideWithValue(FakeShareKeyRepository()),
+      shareKeyRepositoryProvider.overrideWithValue(
        shareKeyRepository ?? FakeShareKeyRepository(),
      ),
    ];
 // ---------------------------------------------------------------------------
Author	SHA1	Message	Date
Thomas SharedInboxandClaude Sonnet 4.6	839a3c63f9	feat: keep secrets in sync via age-encrypted master key (#208 ) Store all production secrets encrypted in secrets.age (committed to the repo) using age. Only one secret needs to be in CI: SECRETS_AGE_KEY. When a secret changes locally, update secrets.env and re-run scripts/secrets-encrypt.sh to commit a new secrets.age. CI picks up the updated secrets automatically on the next push — no manual CI variable updates required. Changes: - scripts/secrets-encrypt.sh: encrypt secrets.env → secrets.age - scripts/secrets-decrypt.sh: decrypt secrets.age → GITHUB_ENV (CI) or eval-safe export block (local) - scripts/test_secrets.sh: encrypt/decrypt round-trip tests - secrets.env.example: template documenting all production secret keys - ci/main.go: add CheckSecrets function (runs test_secrets.sh via Dagger), wire into Check(), update Graph(); add age to toolchain apt packages - .forgejo/Dockerfile: add age package - .forgejo/workflows/deploy.yml: replace per-secret CI references with a single "Decrypt production secrets" step using SECRETS_AGE_KEY - flake.nix: add age to dev shell - Taskfile.yml: add check-secrets task, include in check-fast - .gitignore: ignore plaintext secrets.env - DAGGER.md: document Option 5 (encrypted secrets file) as active approach Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 16:32:27 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	a167ebd0a3	feat: add build mode, Dart version, timestamp to crash report (#205 ) Show app version, build mode, and platform OS in the crash screen UI so users can report bugs without needing to copy first. The clipboard report now also includes Build Mode (debug/release/profile), Dart runtime version, and a UTC timestamp to aid post-crash diagnosis. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 16:06:32 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	881a240155	fix: probe scanner method channel to detect MissingPluginException (#204 ) The previous pre-flight check called ctrl.start() without ctrl.attach(), causing MobileScannerController to time out after 500 ms with controllerNotAttached on every device — the scanner never worked even when the plugin was present. Replace with a direct invokeMethod('state') probe on the scanner channel. MissingPluginException (thrown when the plugin is not registered) is the exact error from the crash report; all other errors are surfaced by the MobileScanner widget's own error builder. Also add widget tests for the AccountReceiveScreen step-2 import flow (text fallback, successful import, invalid-QR error) which were previously untested. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 15:47:21 +02:00
Thomas SharedInbox	117b546b2c	feat: show live countdown with seconds on receive account screen (#203 ) Replace the static "expires in 20 minutes" label with a StatefulWidget that ticks every second and displays the remaining time as MM:SS.	2026-05-24 15:11:56 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	d9b8748631	fix: filter _latest_main_ci_run by workflow_id == ci.yml Forgejo reports deploy.yml (scheduled/dispatch) runs with event=push and prettyref=main, identical to ci.yml push runs. The event-only filter was insufficient — adding workflow_id == "ci.yml" prevents deploy.yml runs from blocking or triggering false CI fix agents. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 15:07:00 +02:00
Bot of Thomas Güttler	50ae7df8a3	fix: fall back to text input when mobile_scanner plugin is unavailable (#202 ) (#219 )	2026-05-24 14:55:07 +02:00
Bot of Thomas Güttler	7dd5800064	perf: cache Linux engine artifacts via flutter precache --linux (#129 ) (#218 )	2026-05-24 14:30:07 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	77e581299d	fix: filter out schedule/deploy workflow runs in CI checks _latest_main_ci_run() was using event != pull_request which still matched deploy.yml schedule runs when their prettyref == "main", blocking the loop from picking up new issues. _latest_ci_run_for_branch() had the same issue: the else branch matched any non-pull_request event including schedule runs. Both functions now explicitly filter for event == "push" only. Tests updated: rename _latest_ci_run → _latest_main_ci_run, mock _open_issue_prs to prevent real API calls in unit tests, and update _find_pr_for_branch side_effect to reflect the upstream post-merge PR-still-open verification check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 14:08:13 +02:00
Bot of Thomas Güttler	37eca207c6	fix: pin SSH host key via known_hosts instead of StrictHostKeyChecking=no (#161 ) (#181 )	2026-05-24 13:00:04 +02:00
Bot of Thomas Güttler	5925cee4f2	fix: show git hash as clickable link above stacktrace (#201 ) (#211 )	2026-05-24 12:56:27 +02:00
Bot of Thomas Güttler	a8603edfc3	fix: verify PID belongs to claude before SIGKILL (#160 ) (#163 )	2026-05-24 12:55:08 +02:00
Bot of Thomas Güttler	0293cb5845	fix: stop retrying on MissingPluginException from flutter_secure_storage (#200 ) (#209 )	2026-05-24 08:50:06 +02:00
Bot of Thomas Güttler	30bcc8a314	fix: skip CI jobs when unrelated files change (#144 ) (#207 )	2026-05-24 08:30:10 +02:00
Bot of Thomas Güttler	ac0e16adcb	feat: about page - sharedinbox.de heading link and git commit row (#199 ) (#206 )	2026-05-24 08:10:07 +02:00
Thomas SharedInbox	3f946dfca0	fix: switch Play Store upload from httplib2 to requests The Play Store AAB upload was failing with httplib2.error.RedirectMissingLocation when Google's API returned a redirect during the resumable upload initiation. Switched from google-api-python-client (which uses httplib2 internally) to pure requests-based AuthorizedSession, which handles redirects correctly. Closes #198	2026-05-24 07:52:12 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	c517f604e0	test: update deploy_playstore tests for requests-based transport The previous tests patched google_auth_httplib2 and googleapiclient which no longer exist in the new implementation. Rewrite to mock AuthorizedSession and _upload_aab_resumable, covering the same scenarios: happy path, retry on transient errors, backoff delays, and exhausted attempts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 07:40:17 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	7d393ec818	fix: switch Play Store upload from httplib2 to requests httplib2 treats 308 Resume Incomplete responses (used by Google's resumable upload API) as redirects and raises RedirectMissingLocation when the response lacks a Location header. Switch to google.auth.transport.requests.AuthorizedSession + direct HTTP calls so the upload uses the requests library, which handles 308 correctly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 07:32:22 +02:00
Bot of Thomas Güttler	5c38357033	fix: limit dagger-data volume growth by pruning named caches (#193 ) (#197 )	2026-05-24 06:00:14 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	7715190cbf	fix: retry AAB upload on RedirectMissingLocation with exponential backoff Adds a 3-attempt retry loop around the resumable AAB upload that catches httplib2.error.RedirectMissingLocation (a transient network error) and retries with exponential backoff (10s, 20s). A fresh MediaFileUpload is created on each attempt because resumable upload objects cannot be reused after failure. Also adds TestUploadRetry covering the retry path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 05:30:24 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	80cde04d87	fix: retry AAB upload on RedirectMissingLocation with exponential backoff (#186 ) Wrap the resumable bundle upload in a loop of up to _MAX_UPLOAD_ATTEMPTS (3) attempts. On httplib2.error.RedirectMissingLocation, recreate MediaFileUpload (resumable uploads cannot reuse the same object) and wait 10 s / 20 s before retrying. After all attempts are exhausted, raise RuntimeError chained to the last exception. Add tests covering the retry path, backoff delays, fresh MediaFileUpload on each attempt, and exhaustion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 04:59:05 +02:00
Bot of Thomas Güttler	83060bc1bf	fix: add timeout and retries to Play Store upload (#185 ) (#195 )	2026-05-24 04:45:07 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	fb6f2cca68	fix: add timeout and retries to Play Store upload (#185 ) Switch deploy_playstore.py from requests/AuthorizedSession to the googleapiclient.discovery client with google-auth-httplib2, so that AuthorizedHttp(timeout=300) enforces a hard socket timeout on all requests and num_retries=3 on every .execute() call enables automatic retries for transient failures. Update flake.nix and ci/main.go to install the new dependencies (google-api-python-client, google-auth-httplib2, httplib2) instead of the old google-auth + requests pair. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 04:38:36 +02:00
Bot of Thomas Güttler	71ccf24d0c	fix: survive permanently broken path_provider channel on Android (#192 ) (#194 )	2026-05-24 03:50:07 +02:00
Bot of Thomas Güttler	4f6f1d9437	fix: migrate to Riverpod 3.x and update dependencies (#175 ) (#190 )	2026-05-23 19:50:11 +02:00
Bot of Thomas Güttler	833e8d49b0	fix: remove continue-on-error from CI workflows (#172 ) (#189 )	2026-05-23 19:05:08 +02:00
Bot of Thomas Güttler	6adba9b001	perf: parallelize APK deploy and reduce fetch-depth in deploy.yml (#171 ) (#188 )	2026-05-23 18:55:08 +02:00
Bot of Thomas Güttler	11d9805fca	test: cover _resolveDatabasePath retry logic (#167 ) (#187 )	2026-05-23 18:35:15 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	3019fdf145	refactor(deploy_cron): trigger Forgejo Actions workflow via fgj instead of deploying locally Replace local `task publish-website` invocation with `fgj actions workflow run website.yml` so the deploy runs in CI rather than on the local machine. Remove failure-tracking state files and issue-creation logic — Forgejo Actions handles its own reporting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-23 17:42:20 +02:00
Bot of Thomas Güttler	14342f6472	fix: use exact grep patterns for build_runner and flutter pub get (#136 ) (#159 )	2026-05-23 17:25:08 +02:00
Bot of Thomas Güttler	b86c1a5c69	fix: verify Hugo binary SHA-256 checksum after download (#162 ) (#182 )	2026-05-23 17:10:11 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	6e22683f5b	fix(crash_screen): remove duplicate gitLine definition left by rebase conflict resolution Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-23 17:02:39 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	dc181d0d85	fix: add git hash to crash screen and extend DB path retries (#179 ) Two issues from #179: - crash_screen.dart now reads GIT_HASH compile-time constant and includes 'Git Commit: <hash>' in both the on-screen UI and the copied report, so crash reports always show the exact build that crashed. - _resolveDatabasePath() retry delays extended from [100, 300, 600] ms (total ~1 s, 4 attempts) to [200, 500, 1000, 2000, 4000] ms (total ~7.7 s, 6 attempts) to handle slow/non-standard Android devices where the path_provider Pigeon channel takes several seconds to become ready. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-23 16:53:07 +02:00
Bot of Thomas Güttler	e37d8066cb	fix: prevent Gradle daemon hang in Android test build (#155 ) (#178 )	2026-05-23 15:45:08 +02:00
Bot of Thomas Güttler	1b1f9788fd	docs: explain why continue-on-error is intentional on deploy steps (#154 ) (#177 )	2026-05-23 15:30:14 +02:00
Bot of Thomas Güttler	19d8d282ba	fix: show UUID in agent-loop resume command (#152 ) (#176 )	2026-05-23 15:20:08 +02:00
Bot of Thomas Güttler	aa59dbb852	feat: show CI run link in 'CI passed' message (#151 ) (#174 )	2026-05-23 15:05:07 +02:00
Bot of Thomas Güttler guettli Thomas SharedInbox	826488192d	fix: update flutter packages (#148 ) (#165 ) ## Summary - Upgrades 9 direct dependencies and their transitive peers to resolve the CI warning: "38 packages have newer versions incompatible with dependency constraints" - Reduces incompatible-version count from 38 → 21 (the remaining 21 are either deliberately pinned, constrained by transitive dep ceilings, or require a separate riverpod 2→3 migration) - Adapts two source files to breaking API changes in the upgraded packages: - `notification_service.dart`: `flutter_local_notifications` 21.x changed positional args to named params (`initialize(settings:…)`, `show(id:…, title:…, body:…, notificationDetails:…)`) - `compose_screen.dart`: `file_picker` 12.x removed `FilePicker.platform` static getter; calls are now `FilePicker.pickFiles()` ## Packages changed \| Package \| Before \| After \| \|---\|---\|---\| \| `go_router` \| ^14.8.1 \| ^17.2.3 \| \| `flutter_local_notifications` \| ^18.0.1 \| ^21.0.0 \| \| `file_picker` \| ^8.0.0 \| ^12.0.0-beta.4 \| \| `mobile_scanner` \| ^5.0.0 \| ^7.2.0 \| \| `package_info_plus` \| ^8.0.0 \| ^10.1.0 \| \| `share_plus` \| ^12.0.2 \| ^13.1.0 \| \| `sqlite3_flutter_libs` \| ^0.5.28 \| ^0.6.0+eol \| \| `flutter_lints` \| ^4.0.0 \| ^6.0.0 \| \| `flutter_secure_storage` \| 10.2.0 \| 10.3.0 (patch) \| ## Test plan - [x] `flutter analyze` — no issues - [x] Unit tests (324 passed) - [x] Widget tests (116 passed) - [ ] CI full check suite 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Thomas SharedInbox <sharedinbox@thomas-guettler.de> Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/165	2026-05-23 14:58:54 +02:00
Bot of Thomas Güttler	d683da9c59	docs: credential security options — four solutions for keeping production secrets off Codeberg (#141 ) (#173 )	2026-05-23 14:50:12 +02:00
Bot of Thomas Güttler guettli Thomas SharedInbox	77fc6964f6	fix: extend path_provider retry budget on slow Android devices (#166 ) (#169 ) ## Summary - Increases the retry delays in `_resolveDatabasePath()` from `[100, 300, 600]` ms (~1 s) to `[200, 500, 1000, 2000]` ms (~3.7 s). - Adds a regression test (`test/unit/database_path_test.dart`) that verifies `initDatabasePath()` does not throw when the `path_provider` channel is unavailable. ## Root cause On some slow Android devices (e.g. the Motorola reported in #166), the `path_provider` Pigeon channel is not ready even several seconds after `runApp()` returns. The previous back-off budget of ~1 s was not enough, causing `_resolveDatabasePath()` to exhaust all retries and throw a `PlatformException`, crashing the app with the message shown in the issue. ## Test plan - [ ] `flutter test test/unit/database_path_test.dart` passes (new regression test) - [ ] `flutter test test/unit/` — all 325 unit tests pass - [ ] `flutter analyze` — no issues Fixes #166 Co-authored-by: Thomas SharedInbox <sharedinbox@thomas-guettler.de> Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/169	2026-05-23 14:40:17 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	47824c5711	Handle transient git fetch failures gracefully Exit cleanly instead of crashing so the next cron run retries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-23 14:13:14 +02:00
Bot of Thomas Güttler	a6c231f293	feat: show git commit link on crash screen (#150 ) (#170 )	2026-05-23 13:45:08 +02:00