plan: refresh plan for issue #539

test(search): cover sort order of searchEmailsStructured and getEmailsByAddress (#534 )
feat(detail): drop AppBar subject, surface Mark as spam icon (#531 )
2026-06-08 06:19:17 +00:00 · 2026-06-07 20:24:25 +02:00 · 2026-06-07 20:05:57 +02:00 · 2026-06-07 19:45:22 +02:00 · 2026-06-07 14:02:01 +02:00 · 2026-06-07 06:59:00 +02:00
179 changed files with 14310 additions and 4181 deletions
@@ -4,14 +4,18 @@
 # In systemd service:
 #    ExecStartPre=docker build -t forgejo-act-runner:latest /etc/forgejo/runner
 #    ExecStart=/usr/local/bin/forgejo-runner daemon --config /etc/forgejo/config.yml
 FROM ghcr.io/catthehacker/ubuntu:go-24.04
 # Infrastructure tools required by CI workflows
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    stunnel4 \
+    jq \
    netcat-openbsd \
    && rm -rf /var/lib/apt/lists/*
 # SOPS
 RUN curl -fsSL -o /usr/local/bin/sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
    && chmod +x /usr/local/bin/sops
 # Dagger CLI — pinned to match the engine version on the runner host
 RUN curl -fsSL https://dl.dagger.io/dagger/install.sh \
    | DAGGER_VERSION=0.20.8 BIN_DIR=/usr/local/bin sh
@@ -0,0 +1,20 @@
 name: Chaos Monkey
 on:
  schedule:
    - cron: '0 3 * * *'
  workflow_dispatch:
 jobs:
  chaos-monkey-backend:
    name: Chaos Monkey (backend)
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
      - name: Setup Dagger Remote Engine
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Run backend chaos monkey
        run: task chaos-monkey-backend
@@ -1,40 +1,39 @@
 name: CI
 on:
  push:
-    branches: [main]
+    branches:
      - main
  pull_request:
-
+concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  check:
    name: Full Project Check
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
-      - uses: actions/checkout@v4
+      - name: Print runner wait time
-        with:
+        env:
-          fetch-depth: 50
+          FORGEJO_TOKEN: ${{ github.token }}
-
+          RUN_NUMBER: ${{ github.run_number }}
      - name: Check runner tools
        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          runner_start=$(date +%s)
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          created=$(curl -sf --max-time 30 \
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
+            -H "Authorization: token $FORGEJO_TOKEN" \
-
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
-      - name: Setup Dagger Remote Engine (via stunnel)
+            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
      - name: Setup Dagger Remote Engine
        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Run Full Check Suite
        env:
          DAGGER_NO_NAG: "1"
        run: task check-dagger
      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
@@ -6,208 +6,311 @@ on:
  workflow_dispatch:
 jobs:
-  test-android-firebase:
+  check-changes:
-    name: Android Instrumented Tests (Firebase Test Lab)
+    name: Detect Changed Files
    runs-on: ubuntu-latest
-    timeout-minutes: 60
+    timeout-minutes: 5
    outputs:
      android: ${{ steps.diff.outputs.android }}
      linux: ${{ steps.diff.outputs.linux }}
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 1
+          fetch-depth: 0
-      - name: Check runner tools
+      - name: Detect Android and Linux changes
        id: diff
        shell: bash
        env:
          FORGEJO_TOKEN: ${{ github.token }}
        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          # On workflow_dispatch always build everything
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
+            echo "android=true" >> "$GITHUB_OUTPUT"
            echo "linux=true"   >> "$GITHUB_OUTPUT"
            exit 0
          fi
-      - name: Setup Dagger Remote Engine (via stunnel)
+          HEAD_SHA=$(git rev-parse HEAD)
        env:
          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
-      - name: Run Android Tests on Firebase Test Lab
+          # Find the most recent successful "Build & Deploy to Play Store" task. Forgejo's API
-        env:
+          # does not expose per-run jobs (/runs/{id}/jobs returns 404), so query /actions/tasks
-          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
+          # (per-job records) directly and filter for the task we care about. Filtering at the
-          FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
+          # task level also distinguishes runs where the Play Store job actually ran from runs
-          DAGGER_NO_NAG: "1"
+          # where it was skipped — at the run level both show status=success.
-        run: task test-android-firebase
+          LAST_DEPLOYED_SHA=$(python3 - << 'PYEOF'
          import json, os, sys, urllib.request
          token = os.environ.get("FORGEJO_TOKEN", "")
          server = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
          repo = os.environ.get("GITHUB_REPOSITORY", "")
          url = f"{server}/api/v1/repos/{repo}/actions/tasks?status=success&limit=100"
          req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
          try:
              with urllib.request.urlopen(req, timeout=60) as r:
                  data = json.loads(r.read())
              for t in data.get("workflow_runs", []):
                  if (t.get("workflow_id") == "deploy.yml"
                      and t.get("name") == "Build & Deploy to Play Store"
                      and t.get("status") == "success"):
                      print(t.get("head_sha") or "")
                      sys.exit(0)
              print("")
          except Exception as e:
              print(f"::error::LAST_DEPLOYED_SHA lookup failed ({type(e).__name__}: {e})")
              print("")
          PYEOF
          )
-      - name: Cleanup TLS credentials
+          if [ -z "$LAST_DEPLOYED_SHA" ]; then
-        if: always()
+            echo "::warning::Could not determine last successfully deployed SHA — deploying all targets as a precaution"
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
+            echo "android=true" >> "$GITHUB_OUTPUT"
            echo "linux=true"   >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if [ "$HEAD_SHA" = "$LAST_DEPLOYED_SHA" ]; then
            echo "::notice::All deploys SKIPPED — HEAD $HEAD_SHA was already successfully deployed"
            echo "android=false" >> "$GITHUB_OUTPUT"
            echo "linux=false"   >> "$GITHUB_OUTPUT"
            echo "skip_reason=commit $HEAD_SHA was already successfully deployed" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Diff from the last successfully deployed commit to catch all changes since
          # that deploy, not just the most recent commit. Deploy all targets when the
          # SHA is not in local history (shallow clone or very old deploy).
          if git cat-file -e "$LAST_DEPLOYED_SHA" 2>/dev/null; then
            echo "Diffing from last deployed SHA $LAST_DEPLOYED_SHA"
            CHANGED=$(git diff --name-only "$LAST_DEPLOYED_SHA" HEAD 2>/dev/null \
              || git show --name-only --format= HEAD)
          else
            echo "::warning::Last deployed SHA $LAST_DEPLOYED_SHA not in local history — deploying all targets as a precaution"
            echo "android=true" >> "$GITHUB_OUTPUT"
            echo "linux=true"   >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "Changed files:"
          echo "$CHANGED"
          android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/|scripts/deploy_playstore\.py)'
          linux_re='^(linux/|lib/|pubspec\.yaml|pubspec\.lock)'
          if echo "$CHANGED" | grep -qE "$android_re"; then
            echo "android=true" >> "$GITHUB_OUTPUT"
            echo "Android deploy: TRIGGERED (android-relevant files changed)"
            echo "::notice::Android deploy TRIGGERED — android-relevant files changed since $LAST_DEPLOYED_SHA"
          else
            echo "android=false" >> "$GITHUB_OUTPUT"
            echo "Android deploy: SKIPPED (no android-relevant files changed)"
            echo "::notice::Android deploy SKIPPED — diff $LAST_DEPLOYED_SHA..HEAD has no android-relevant changes"
          fi
          if echo "$CHANGED" | grep -qE "$linux_re"; then
            echo "linux=true" >> "$GITHUB_OUTPUT"
            echo "Linux deploy: TRIGGERED (linux-relevant files changed)"
            echo "::notice::Linux deploy TRIGGERED — linux-relevant files changed since $LAST_DEPLOYED_SHA"
          else
            echo "linux=false" >> "$GITHUB_OUTPUT"
            echo "Linux deploy: SKIPPED (no linux-relevant files changed)"
            echo "::notice::Linux deploy SKIPPED — diff $LAST_DEPLOYED_SHA..HEAD has no linux-relevant changes"
          fi
  deploy-playstore:
    name: Build & Deploy to Play Store
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.android == 'true'
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 1
+          fetch-depth: 100
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Publish Android to Play Store
        env:
          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
          DAGGER_NO_NAG: "1"
        run: task publish-android
-      - name: Cleanup TLS credentials
+      - name: Verify Play Store deployment
-        if: always()
+        run: |
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
+          python3 -m venv /tmp/playstore-venv
          /tmp/playstore-venv/bin/pip install google-auth requests --quiet
          /tmp/playstore-venv/bin/python3 scripts/verify_playstore_deploy.py
  deploy-apk:
    name: Build & Deploy APK to Server
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.android == 'true'
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 1
+          fetch-depth: 100
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Build & Deploy APK to server
        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          DAGGER_NO_NAG: "1"
        run: task deploy-apk
      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
  build-linux:
    name: Build Linux Release
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.linux == 'true'
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 1
+          fetch-depth: 100
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Build & Deploy Linux to server
        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task deploy-linux
      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
  publish-website:
    name: Publish Website Build History
    runs-on: ubuntu-latest
    needs: [build-linux, deploy-playstore, deploy-apk]
    if: |
      always() &&
      (needs.build-linux.result == 'success' || needs.deploy-playstore.result == 'success' || needs.deploy-apk.result == 'success')
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine (via stunnel)
        env:
          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Generate build history and deploy website
        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task publish-website
      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
  label-deploy-health:
    name: Update Deploy Health Label
    runs-on: ubuntu-latest
-    needs: [test-android-firebase, deploy-playstore, deploy-apk, build-linux]
+    needs: [deploy-playstore, deploy-apk, build-linux]
-    if: always() && vars.DEPLOY_HEALTH_ISSUE != ''
+    if: |
      always() && vars.DEPLOY_HEALTH_ISSUE != '' && (
        needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'failure' ||
        needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'failure' ||
        needs.build-linux.result == 'success' || needs.build-linux.result == 'failure'
      )
    timeout-minutes: 5
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - name: Set CI/Full-Pass or CI/Full-Fail label on tracking issue
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          FORGEJO_URL: ${{ github.server_url }}
          DEPLOY_HEALTH_ISSUE: ${{ vars.DEPLOY_HEALTH_ISSUE }}
-          ALL_SUCCEEDED: ${{ needs.test-android-firebase.result == 'success' && needs.deploy-playstore.result == 'success' && needs.deploy-apk.result == 'success' && needs.build-linux.result == 'success' }}
+          ALL_SUCCEEDED: ${{ (needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'skipped') && (needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'skipped') && (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') }}
        run: |
          python3 - << 'PYEOF'
          import os, json, urllib.request, urllib.error
@@ -0,0 +1,156 @@
 name: Firebase Tests
 on:
  schedule:
    - cron: '0 3 * * *'   # once per day at 3 AM
  workflow_dispatch:
 jobs:
  check-changes:
    name: Detect Firebase-Relevant Changes
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      has_changes: ${{ steps.diff.outputs.has_changes }}
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Detect Firebase-relevant changes in last 24 hours
        id: diff
        shell: bash
        run: |
          # On workflow_dispatch always run
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          SINCE=$(date -u -d '24 hours ago' '+%Y-%m-%dT%H:%M:%S')
          CHANGED=$(git log --since="$SINCE" --name-only --format= -- \
            'android/' 'integration_test/' 'lib/' 'pubspec.yaml' 'pubspec.lock' 'drift_schemas/' \
            | sort -u | grep -v '^$')
          if [ -n "$CHANGED" ]; then
            echo "Firebase-relevant files changed since $SINCE:"
            echo "$CHANGED"
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          else
            echo "No Firebase-relevant changes in the last 24 hours — skipping tests"
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          fi
  test-android-firebase:
    name: Android Instrumented Tests (Firebase Test Lab)
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.has_changes == 'true'
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Run Android Tests on Firebase Test Lab
        env:
          FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
          DAGGER_NO_NAG: "1"
        run: task test-android-firebase
      - name: Create issue on test failure
        if: failure()
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          FORGEJO_URL: ${{ github.server_url }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          python3 - << 'PYEOF'
          import os, json, urllib.request, urllib.error
          token = os.environ["FORGEJO_TOKEN"]
          url_base = os.environ["FORGEJO_URL"].rstrip("/")
          run_url = os.environ["RUN_URL"]
          headers = {"Authorization": f"token {token}", "Content-Type": "application/json"}
          api = f"{url_base}/api/v1/repos/guettli/sharedinbox"
          def api_get(path):
              req = urllib.request.Request(f"{api}{path}", headers=headers)
              with urllib.request.urlopen(req) as r:
                  return json.loads(r.read())
          def api_post(path, body):
              data = json.dumps(body).encode()
              req = urllib.request.Request(f"{api}{path}", data=data, headers=headers, method="POST")
              with urllib.request.urlopen(req) as r:
                  return json.loads(r.read())
          repo_labels = api_get("/labels")
          label_map = {l["name"]: l["id"] for l in repo_labels}
          label_ids = [label_map["Ready"]] if "Ready" in label_map else []
          title = "Firebase Tests failed — find root cause and fix"
          body = (
              "Firebase instrumented tests failed in the daily run.\n\n"
              f"**Failed run:** {run_url}\n\n"
              "## Steps to resolve\n\n"
              "1. **Find the root cause**: Check the test run logs linked above and identify which test(s) failed and why.\n"
              "2. **Fix if possible**: If the failure is caused by a code bug, create a fix. If it is a flaky or infrastructure issue, document the findings.\n"
              "3. Close this issue once the root cause is resolved and the tests pass.\n"
          )
          issue = api_post("/issues", {
              "title": title,
              "body": body,
              "labels": label_ids,
          })
          print(f"Created issue #{issue['number']}: {issue['html_url']}")
          PYEOF
@@ -0,0 +1,30 @@
 name: Renovate
 on:
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:
 jobs:
  renovate:
    name: Renovate
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        run: scripts/setup_dagger_remote.sh
      - name: Run Renovate
        env:
          DAGGER_NO_NAG: "1"
        run: task renovate
@@ -1,6 +1,8 @@
-name: Deploy Website
+name: Update Website
 on:
  schedule:
    - cron: '0 * * * *'   # every hour on the hour
  push:
    branches: [main]
    paths:
@@ -10,23 +12,142 @@ on:
  workflow_dispatch:
 jobs:
-  deploy:
+  check-changes:
-    name: Build & Deploy Website
+    name: Detect Website Changes
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      has_changes: ${{ steps.diff.outputs.has_changes }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Detect website changes since last deploy
        id: diff
        shell: bash
        env:
          FORGEJO_TOKEN: ${{ github.token }}
        run: |
          # On push or workflow_dispatch always deploy
          if [ "$GITHUB_EVENT_NAME" != "schedule" ]; then
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          HEAD_SHA=$(git rev-parse HEAD)
          # Find the most recent successful "Build & Update Website" task. Forgejo's API
          # does not expose per-run jobs (/runs/{id}/jobs returns 404), so query /actions/tasks
          # (per-job records) directly and filter for the task we care about. Filtering at the
          # task level also distinguishes runs where the deploy job actually ran from runs
          # where it was skipped — at the run level both show status=success.
          LAST_DEPLOYED_SHA=$(python3 - << 'PYEOF'
          import json, os, sys, urllib.request
          token = os.environ.get("FORGEJO_TOKEN", "")
          server = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
          repo = os.environ.get("GITHUB_REPOSITORY", "")
          url = f"{server}/api/v1/repos/{repo}/actions/tasks?status=success&limit=100"
          req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
          try:
              with urllib.request.urlopen(req, timeout=60) as r:
                  data = json.loads(r.read())
              for t in data.get("workflow_runs", []):
                  if (t.get("workflow_id") == "website.yml"
                      and t.get("name") == "Build & Update Website"
                      and t.get("status") == "success"):
                      print(t.get("head_sha") or "")
                      sys.exit(0)
              print("")
          except Exception as e:
              print(f"::error::LAST_DEPLOYED_SHA lookup failed ({type(e).__name__}: {e})")
              print("")
          PYEOF
          )
          if [ -z "$LAST_DEPLOYED_SHA" ]; then
            echo "::warning::Could not determine last successfully deployed SHA — deploying as a precaution"
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if [ "$HEAD_SHA" = "$LAST_DEPLOYED_SHA" ]; then
            echo "::notice::Website deploy SKIPPED — HEAD $HEAD_SHA was already successfully deployed"
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Diff from last successfully deployed commit to catch all changes since
          # that deploy, not just the most recent commit.
          if git cat-file -e "$LAST_DEPLOYED_SHA" 2>/dev/null; then
            echo "Diffing from last deployed SHA $LAST_DEPLOYED_SHA"
            CHANGED=$(git diff --name-only "$LAST_DEPLOYED_SHA" HEAD 2>/dev/null \
              || git show --name-only --format= HEAD)
          else
            echo "::warning::Last deployed SHA $LAST_DEPLOYED_SHA not in local history — deploying as a precaution"
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "Changed files:"
          echo "$CHANGED"
          website_re='^(website/|scripts/website-verify\.sh|\.forgejo/workflows/website\.yml)'
          if echo "$CHANGED" | grep -qE "$website_re"; then
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            echo "::notice::Website deploy TRIGGERED — website-relevant files changed since $LAST_DEPLOYED_SHA"
          else
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            echo "::notice::Website deploy SKIPPED — diff $LAST_DEPLOYED_SHA..HEAD has no website-relevant changes"
          fi
  deploy:
    name: Build & Update Website
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [check-changes]
    if: needs.check-changes.outputs.has_changes == 'true'
    steps:
      - name: Print runner wait time
        env:
          FORGEJO_TOKEN: ${{ github.token }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          runner_start=$(date +%s)
          created=$(curl -sf --max-time 30 \
            -H "Authorization: token $FORGEJO_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runs?run_number=$RUN_NUMBER" \
            | python3 -c "import sys,json;rs=json.load(sys.stdin).get('workflow_runs',[]);print(rs[0]['created'] if rs else '')" 2>/dev/null) || true
          if [ -n "$created" ]; then
            queued_epoch=$(date -d "$created" +%s)
            wait_seconds=$((runner_start - queued_epoch))
            echo "Runner wait time: ${wait_seconds}s (queued at $created)"
          else
            echo "Runner wait time: unknown (API lookup failed)"
          fi
      - uses: actions/checkout@v4
        with:
          submodules: recursive
-      - name: Build & Deploy Website
+      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
      - name: Setup Dagger Remote Engine
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
-          SSH_USER: ${{ secrets.SSH_USER }}
+        run: scripts/setup_dagger_remote.sh
-          SSH_HOST: ${{ secrets.SSH_HOST }}
+
-        run: task website-deploy
+      - name: Build & Update Website
        env:
          DAGGER_NO_NAG: "1"
        run: task publish-website
      - name: Verify Website
        env:
-          SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
+          SSH_HOST: ${{ env.WEBSITE_SSH_HOST }}
        run: scripts/website-verify.sh
@@ -10,6 +10,7 @@ jobs:
    # Disabled until a self-hosted runner with label "windows-runner" is registered.
    name: Build & Deploy Windows (Nightly)
    runs-on: windows-runner
    timeout-minutes: 90
    if: false
    steps:
@@ -1,3 +1,3 @@
 {
-  "flutter": "3.41.6"
+  "flutter": "3.44.0"
 }
@@ -1,249 +0,0 @@
 name: CI
 on:
  push:
    branches: [main]
  pull_request:
 jobs:
  analyze-and-test:
    name: Analyze & unit test
    runs-on: sharedinbox-runner
    steps:
      - uses: actions/checkout@v4
      - uses: subosito/flutter-action@v2
        with:
          flutter-version: "3.41.6"
          channel: stable
          cache: true
      - name: Install dependencies
        run: flutter pub get
      - name: Generate Drift code
        run: flutter pub run build_runner build --delete-conflicting-outputs
      - name: Check formatting
        run: dart format --set-exit-if-changed .
      - name: Analyze
        run: flutter analyze --fatal-infos
      - name: Unit + widget tests with coverage
        run: flutter test test/unit/ test/widget/ --coverage
      - name: Coverage gate
        run: dart run scripts/check_coverage.dart
  integration:
    name: Integration tests (Stalwart)
    runs-on: sharedinbox-runner
    # Run integration tests only on push to main, not on every PR.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v14
      - uses: DeterminateSystems/magic-nix-cache-action@v8
      - name: Cache FVM Flutter SDK
        uses: actions/cache@v4
        with:
          path: ~/.fvm
          key: fvm-${{ hashFiles('.fvm/fvm_config.json') }}
      - name: Cache pub packages
        uses: actions/cache@v4
        with:
          path: ~/.pub-cache
          key: pub-${{ hashFiles('pubspec.lock') }}
          restore-keys: pub-
      - name: Run integration tests
        run: |
          nix develop --command bash -c "
            fvm install --skip-pub-get &&
            fvm flutter pub get &&
            fvm flutter pub run build_runner build --delete-conflicting-outputs &&
            stalwart-dev/test.sh
          "
  integration-ui:
    name: UI Integration tests (Stalwart + Xvfb)
    runs-on: sharedinbox-runner
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@v14
      - uses: DeterminateSystems/magic-nix-cache-action@v8
      - name: Install Flutter Linux build dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y --no-install-recommends \
            libgtk-3-dev pkg-config cmake ninja-build clang \
            libsecret-1-dev
      - name: Cache FVM Flutter SDK
        uses: actions/cache@v4
        with:
          path: ~/.fvm
          key: fvm-${{ hashFiles('.fvm/fvm_config.json') }}
      - name: Cache pub packages
        uses: actions/cache@v4
        with:
          path: ~/.pub-cache
          key: pub-${{ hashFiles('pubspec.lock') }}
          restore-keys: pub-
      - name: Cache Linux debug build
        uses: actions/cache@v4
        with:
          path: |
            build/linux
            .dart_tool/flutter_build
          key: linux-debug-${{ hashFiles('pubspec.lock', 'lib/**/*.dart', 'integration_test/**/*.dart') }}
          restore-keys: linux-debug-
      - name: Run UI integration tests
        run: |
          nix develop --command bash -c "
            fvm install --skip-pub-get &&
            fvm flutter pub get &&
            fvm flutter pub run build_runner build --delete-conflicting-outputs &&
            stalwart-dev/integration_ui_test.sh
          "
  build-linux:
    name: Build Linux desktop
    runs-on: sharedinbox-runner
    needs: analyze-and-test
    steps:
      - uses: actions/checkout@v4
      - name: Install GTK3, build tools and libsecret
        run: |
          sudo apt-get update -q
          sudo apt-get install -y --no-install-recommends \
            libgtk-3-dev pkg-config cmake ninja-build clang \
            libsecret-1-dev
      - uses: subosito/flutter-action@v2
        with:
          flutter-version: "3.41.6"
          channel: stable
          cache: true
      - name: Install dependencies
        run: flutter pub get
      - name: Generate Drift code
        run: flutter pub run build_runner build --delete-conflicting-outputs
      - name: Build Linux release
        run: flutter build linux --release
  deploy:
    name: Deploy Linux build & publish website
    runs-on: sharedinbox-runner
    needs: build-linux
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    env:
      SSH_HOST: ${{ secrets.SSH_HOST }}
      SSH_USER: ${{ secrets.SSH_USER }}
    steps:
      - uses: actions/checkout@v4
      - name: Install build & deploy dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y --no-install-recommends \
            libgtk-3-dev pkg-config cmake ninja-build clang \
            libsecret-1-dev hugo rsync
      - uses: subosito/flutter-action@v2
        with:
          flutter-version: "3.41.6"
          channel: stable
          cache: true
      - name: Cache pub packages
        uses: actions/cache@v4
        with:
          path: ~/.pub-cache
          key: pub-${{ hashFiles('pubspec.lock') }}
          restore-keys: pub-
      - name: Install dependencies
        run: flutter pub get
      - name: Generate Drift code
        run: flutter pub run build_runner build --delete-conflicting-outputs
      - name: Generate changelog
        run: |
          mkdir -p assets
          git log -n 50 \
            --pretty=format:'* %ad [%h](https://codeberg.org/guettli/sharedinbox/commit/%H): %s' \
            --date=short > assets/changelog.txt
      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
      - name: Build Linux release
        run: |
          HASH=$(git rev-parse --short HEAD)
          flutter build linux --release --no-pub --dart-define=GIT_HASH=$HASH
      - name: Deploy Linux build to server
        run: |
          HASH=$(git rev-parse --short HEAD)
          DATE_PATH=$(date -u +%Y/%m/%d)
          REMOTE_DIR="public_html/builds/$DATE_PATH"
          TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
          tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
          ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
          scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
          DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
          EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" \
            "cat public_html/latest.json 2>/dev/null || echo '{}'")
          WINDOWS_URL=$(echo "$EXISTING" | \
            python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" \
            2>/dev/null || true)
          if [ -n "$WINDOWS_URL" ]; then
            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
          else
            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
          fi
      - name: Generate build history pages
        run: python3 scripts/generate_build_history.py
      - name: Build website
        env:
          HUGO_PARAMS_GITVERSION: ${{ github.sha }}
        run: hugo --source website --minify
      - name: Deploy website
        run: |
          rsync -avz --delete \
            --exclude='*.apk' \
            --exclude='*.tar.gz' \
            -e "ssh -o StrictHostKeyChecking=no" \
            website/public/ \
            "$SSH_USER@$SSH_HOST:public_html/"
@@ -1,5 +1,6 @@
 # --- Flutter/Dart ---
 coverage/
 screenshots/
 .dart_tool/
 .dart-tool/
 .packages
@@ -28,7 +29,8 @@ android/.gradle/
 android/local.properties
 android/app/google-services.json
 android/key.properties
-android/app/src/main/java/io/flutter/plugins/
+# android/app/src/main/java/io/flutter/plugins/ intentionally tracked so that
 # GeneratedPluginRegistrant.java (catch Throwable) is committed and used by CI.
 .android/
 Android/
 .gradle/
@@ -10,6 +10,11 @@ repos:
      - id: end-of-file-fixer
      - id: trailing-whitespace
  - repo: https://github.com/guettli/sync-branch
    rev: v0.0.11
    hooks:
      - id: sync-branch
  - repo: local
    hooks:
      - id: check-no-binary
@@ -27,18 +32,24 @@ repos:
      - id: dart-check
        name: dart format (autofix) + check-fast (parallel)
        language: system
-        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command scripts/pre_commit_check.sh'
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command dagger call --progress=plain -q -m ci --source=. check-fast'
        pass_filenames: false
        always_run: true
      - id: ci-no-direct-dagger
        name: check for direct dagger calls in workflows (use Task instead)
        language: system
-        entry: "bash -c 'git grep \"dagger call\" .forgejo/workflows/ && echo \"ERROR: Direct dagger calls found in workflows. Use Taskfile instead.\" && exit 1 || exit 0'"
+        entry: "bash -c 'git --no-pager grep \"dagger call\" .forgejo/workflows/ && echo \"ERROR: Direct dagger calls found in workflows. Use Taskfile instead.\" && exit 1 || exit 0'"
        pass_filenames: false
        always_run: true
      - id: dagger-progress-plain
        name: ensure all dagger calls use --progress=plain
        language: system
-        entry: "bash -c 'git grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
+        entry: "bash -c 'git --no-pager grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
        pass_filenames: false
        always_run: true
      - id: ci-image-exists
        name: verify container images in ci/main.go are reachable
        language: system
        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command task check-ci-images'
        pass_filenames: false
        files: ^(ci/main\.go|\.fvmrc)$
@@ -8,32 +8,45 @@ CLI tool `fgj` is available to query issues/PRs/actions.
 ## Issue Label Workflow
-We use issues, follow this label state machine:
+Automation is handled by [agentloop](https://github.com/guettli/agentloop) running every 5 minutes via cron. Add a label to trigger an agent:
- **State/Ready** — Issue is available to pick up
+| Label | Trigger | Outcome |
- **State/InProgress** — Set this when you start working on an issue
+|---|---|---|
- **State/Question** — Set this when you hit a blocker or need clarification
+| `loop/plan` | Planning agent reads the issue and writes an implementation plan as a comment | Issue moves to `loop/plan-done` |
 | `loop/code` | Coding agent implements the change, creates a branch + PR | Issue routes to `loop/merge` |
 | `loop/merge` | Merge agent rebases, waits for CI, and merges the PR | Issue moves to `loop/merge-done` |
-List open issues ready to pick up:
+**State machine:**
-```bash
+```
-fgj issue list --json --state open | jq '[.[] | select(.labels[].name == "State/Ready")] | .[] | {number, title, html_url}'
+loop/plan  →  loop/plan-in-process  →  loop/plan-done
                                     ↘  NeedSupervisor  (on failure)
 loop/code  →  loop/code-in-process  →  loop/merge (via route)
                                     ↘  NeedSupervisor  (on failure)
 loop/merge →  loop/merge-in-process →  loop/merge-done
                                     ↘  NeedSupervisor  (on failure)
 ```
-Rules:
+**Rules:**
- Never start work on an issue without `State/Ready`
+- Only issues authored by allowed users are picked up (guettli, guettlibot, guettlibot2, forgejo-actions).
- When working via the agent loop: `State/Ready` → `State/InProgress` is set automatically
+- An issue with `NeedSupervisor` needs human attention — investigate, fix, then re-label.
-  by `agent_loop.py` before the agent starts — do **not** set it yourself.
+- The merge agent merges the PR automatically once CI is green. A human still reviews the PR before it merges if branch protection requires a review.
- When working manually: switch to `State/InProgress` as your **first action**:
+- Planning agents only post a comment — they do NOT write code or open PRs.
-  ```bash
+- `loop/*` labels are managed by agentloop — do not set them manually while an agent is active.
-  fgj issue edit <NUMBER> --remove-label "State/Ready" --add-label "State/InProgress"
+
-  ```
+**Typical lifecycle for a new feature:**
- If blocked, replace current state label with `State/Question` and leave a comment explaining the blocker
+
- When done and CI is green, close the issue:
+```
-  ```bash
+1. Create issue
-  fgj issue close <NUMBER>
+2. Add label loop/plan   → agent writes plan as comment
-  ```
+3. Review plan, request changes or approve
 4. Add label loop/code   → agent implements + opens PR + hands off to merge
 5. (Optional) Review PR before it merges
 6. Merge agent waits for CI and merges the PR automatically
 ```
 ## Code conventions
@@ -39,7 +39,7 @@ WorkingDirectory=/home/dagger-svc
 # Replace 1003 with the actual UID of dagger-svc
 Environment=DOCKER_HOST=unix:///run/user/1003/podman/podman.sock
 Environment=XDG_RUNTIME_DIR=/run/user/1003
-ExecStart=/usr/bin/nix run github:dagger/nix/v0.11.4#dagger -- engine --addr tcp://0.0.0.0:8080
+ExecStart=/usr/bin/nix run github:dagger/nix/v0.20.8#dagger -- engine --addr tcp://0.0.0.0:8080
 Restart=always
 [Install]
@@ -188,3 +188,5 @@ Using SSH to `localhost` is preferred over complex X11/Wayland permission hacks.
 ## Daily Workflow
 Refer to the [README.md](./README.md#daily-workflow) for common development tasks and commands.
 <!-- agentloop code test passed -->
@@ -0,0 +1,72 @@
 ## Background
 The issue is real but the proposed mechanism (predicted-mail table + Message-ID match at next sync) is more complex than needed. Two IMAP facilities cover this directly:
 - **RFC 4315 / 6851 — `UIDPLUS` + `MOVE` response code `COPYUID`**: the server returns the destination UID(s) inline with the `MOVE` (or `COPY`+`EXPUNGE`) response. `enough_mail`'s `GenericImapResult.responseCodeCopyUid` already parses this (`/data/home/.pub-cache/hosted/pub.dev/enough_mail-2.1.7/lib/src/imap/response.dart:53`). Stalwart and every modern IMAP server advertise UIDPLUS. We currently throw this away — `client.uidMove(...)` is called for its side effect and the result is ignored (`lib/data/repositories/email_repository_impl.dart:2320,2335,2354`).
 - **Fallback — `UID SEARCH HEADER Message-ID …`**: bounded, deterministic, works on every IMAP server. Needed only when `responseCodeCopyUid` is missing.
 The undo path already attempts a Message-ID recovery (`lib/core/services/undo_service.dart:78-84`), and `findEmailByMessageId` exists (`lib/data/repositories/email_repository_impl.dart:1899`), so the building blocks are in place; we just need to remap on the write path instead of guessing on the read path.
 There is also a latent race: the row is optimistically moved (`mailbox_path = dest`) before the server flush, but the row still carries the source UID. If `_reconcileDeletedImap` runs against the **destination** mailbox between the optimistic write and the flush, it will not find that UID on the server and will hard-delete the row (`lib/data/repositories/email_repository_impl.dart:758-761`).
 ## Goal
 After an IMAP move, the local email row keeps tracking the same physical message under its new UID, without orphaning, without re-fetching, and without breaking UndoLog references.
 ## Concrete changes
 ### 1. Capture the new UID inside the flush
 `lib/data/repositories/email_repository_impl.dart` — `_applyPendingChangeImap`, cases `move`, `snooze`, `unsnooze`:
 - Capture the `GenericImapResult` returned by `client.uidMove(...)`.
 - Read `result.responseCodeCopyUid`. If non-null, zip `sourceSequence` ↔ `targetSequence` to map `oldUid → newUid`.
 - If null (no UIDPLUS), look up the row's `messageId`. If present: `client.selectMailboxByPath(dest)` then `client.uidSearchMessages(searchCriteria: 'HEADER Message-ID "<id>"')` and take the highest UID. If `messageId` is also missing, log a warning and leave the row to be reconciled out on the next pass (worst case: cache miss, body refetch).
 - For each old/new pair, call a new helper `_remapEmailAfterMove(row, newUid, destPath)`.
 ### 2. New helper `_remapEmailAfterMove` (same file)
 Composes `newId = "accountId:destPath:newUid"`, then in one Drift transaction:
 - `UPDATE email_bodies SET email_id = newId WHERE email_id = oldId`
 - `UPDATE emails SET id = newId, uid = newUid, mailbox_path = destPath WHERE id = oldId`
 - Patch any `threads.email_ids_json` containing `oldId` (reuse the JSON helper from the v41 migration path, or just rebuild affected threads via `_updateThread`).
 - `UPDATE pending_changes SET resource_id = newId WHERE resource_id = oldId` (in case multiple mutations are queued).
 - Call `UndoRepository.remapEmailId(oldId, newId)` (new method, see §3).
 `PRAGMA defer_foreign_keys = ON` for the transaction, mirroring the v41 migration pattern.
 ### 3. UndoLog remap
 - `lib/data/repositories/undo_repository_impl.dart`: add `Future<void> remapEmailId(String oldId, String newId)` that loads each `undo_actions` row, rewrites `emailIds[]` entries equal to `oldId` and `originalEmails[].id` entries equal to `oldId`, and re-saves.
 - `lib/core/repositories/undo_repository.dart`: add the interface method.
 - Inject `UndoRepository` into `EmailRepositoryImpl` via DI (already a singleton in `lib/di.dart`) so `_remapEmailAfterMove` can call it.
 - The fallback path in `UndoService.undo` (the Message-ID lookup) becomes a defensive backstop and can stay as-is.
 ### 4. Reconciliation guard
 `_reconcileDeletedImap` (`lib/data/repositories/email_repository_impl.dart:731`): before deleting a row whose UID is absent from the server, query `pending_changes` for a `move`/`snooze`/`unsnooze` row with `resource_id = row.id`. If one exists, skip the delete — the row is mid-flight. Since flush always runs before sync (`SYNC.md:199-200`) the race is narrow but real on retries when flush failed mid-cycle.
 ### 5. Tests
 - `test/unit/fake_imap.dart`: make `uidMove` return a `GenericImapResult` whose `responseCode` is a configurable `"COPYUID <validity> <src> <dest>"` string; add a UIDPLUS-off mode that returns no response code and serves `uidSearchMessages` with a HEADER predicate.
 - New `test/unit/repositories/email_repository_move_test.dart`:
  - Enqueue a move → flush → assert `emails`, `email_bodies`, `threads`, `pending_changes`, `undo_actions` all carry the new id.
  - Same with UIDPLUS-off + HEADER-search fallback.
  - Move with no Message-ID and no COPYUID → row is unchanged, warning logged, next reconciliation does not delete it because pending change is still queued.
 - New test in the same file: `_reconcileDeletedImap` skips a row that has a queued `move`.
 - Extend `test/integration/concurrent_sync_test.dart` (or sibling file) with a real Stalwart move-then-sync-then-undo cycle: assert the row keeps its body, the new UID matches what `UID SEARCH` returns, and undo restores it to the source mailbox.
 ### 6. Docs
 - `SYNC.md` §3: note that IMAP moves remap the local id from the `COPYUID` response (UIDPLUS) or `UID SEARCH HEADER Message-ID` fallback, so `email_bodies` and `undo_actions` stay valid across moves.
 - `DB-SYNC.md` IMAP bullets: add "IMAP move remap: local row keeps its body/undo references via `COPYUID` (RFC 4315) or Message-ID header search."
 ## Non-goals
 - No new "predicted mail" table — `COPYUID` + header search is reliable and stateless.
 - No change to JMAP moves (JMAP IDs are mailbox-independent).
 - No change to `uidValidity` handling — orthogonal.
 - No CONDSTORE/QRESYNC — already listed as future work in `DB-SYNC.md`.
 ## Open question for review
 Should the fallback header-search be best-effort-quiet (current plan) or should it surface a `FailedMutation` when both `COPYUID` and `Message-ID` are missing? I lean quiet because the next full sync will still pull the message under its new UID — we'd just lose the cached body and any queued mutations on top of it. Happy to escalate to `FailedMutation` if you'd rather make the data loss visible.
@@ -1,59 +0,0 @@
 # Implementation Plan: Secure WebView for HTML Emails (#21)
 ## Goal
 Replace the current `flutter_html` based rendering with a hardened WebView-based approach to improve rendering fidelity while strictly enforcing security and privacy.
 ## 1. Dependency Management
 - **Core**: `webview_flutter` (v4+)
 - **Linux Platform**: `webview_flutter_linux` (Official community-supported or WebKitGTK based implementation). *Note: I will verify the exact package name during implementation.*
 - **Utilities**: `url_launcher` (existing) for opening links in the system browser.
 ## 2. Secure WebView Component (`lib/ui/widgets/secure_email_webview.dart`)
 Create a new widget `SecureEmailWebView` that encapsulates the `WebViewWidget` and its controller.
 ### Configuration & Hardening
 - **Disable JavaScript**: `controller.setJavaScriptMode(JavaScriptMode.disabled)`.
 - **Background**: Match the application theme (e.g., transparent or surface color).
 - **Security Headers/CSP**: Inject a Content Security Policy via `<meta>` tag in the HTML wrapper:
  - `default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:;` (Blocks all external assets by default).
 ### Image Blocking Logic
 - **Initial State**: Block remote images by injecting a CSP that restricts `img-src` to `data:` and local schemes.
 - **Toggle Mechanism**:
  - Provide a "Load Remote Images" button in the Flutter UI.
  - When triggered, re-render the HTML with an updated CSP: `img-src * data:;`.
 ### Link Interception & Phishing Protection
 - Implement `NavigationDelegate.onNavigationRequest`.
 - **Process**:
  1. Intercept any URL that doesn't start with `about:blank` or `data:`.
  2. Block the navigation in the WebView.
  3. Trigger a Flutter `showDialog` for confirmation.
 - **Phishing Protection Dialog**:
  - Show the full URL.
  - **Bold the FQDN**: Parse the URL using `Uri.parse`.
    - Example: `https://`**`important-bank.com`**`/login`
  - "Open in Browser" button uses `url_launcher`.
 ## 3. Integration Plan
 ### Step 1: Initialization
 Modify `lib/main.dart` to initialize the Linux WebView platform (using `webview_flutter_linux` or similar) during app startup.
 ### Step 2: Replace Renderer in Screens
 - **EmailDetailScreen**: Replace `Html(...)` with `SecureEmailWebView(html: body.htmlBody!)`.
 - **ThreadDetailScreen**: Replace `Html(...)` with `SecureEmailWebView(html: body.htmlBody!)`.
 - Remove `flutter_html` imports and dependencies once migration is complete.
 ## 4. Verification & Security Audit
 - **Manual Tests**:
  - Open emails with complex HTML layouts.
  - Verify images are blocked initially.
  - Verify "Load images" works.
  - Click various links (http, https, mailto) and verify the confirmation dialog and FQDN bolding.
 - **Security Check**:
  - Verify that `<script>` tags are not executed.
  - Verify no network requests for external images occur before user consent (via DevTools or proxy).
 ## 5. Potential Challenges
 - **Linux WebView Stability**: WebKitGTK on Linux can sometimes have rendering or sizing issues in Flutter.
 - **Scrolling**: Ensuring the WebView integrates smoothly into the `ListView` of the email detail screen (might require fixed height or `SizedBox`).
@@ -1,46 +0,0 @@
 # Snooze Feature Plan
 ## Goal
 Allow users to snooze emails, moving them to a special folder and bringing them back to the Inbox at a specified time. Snooze data must be stored in the account (IMAP/JMAP) for cross-device synchronization.
 ## Technical Approach
 ### 1. Metadata Storage (Account Sync)
 - **Keyword format:** `snz:<ISO8601_TIMESTAMP>` (e.g., `snz:2026-05-10T15:00:00Z`).
 - **JMAP:** Use `keywords`.
 - **IMAP:** Use User Flags (keywords).
 ### 2. Database Changes
 - **Migration v22:**
    - `Emails` table:
        - `snoozedUntil` (DateTime, nullable)
        - `snoozedFromMailboxPath` (String, nullable) - to remember where to move it back (usually INBOX).
    - Index on `snoozedUntil`.
 ### 3. Repository Updates (`EmailRepository`)
 - New method: `Future<void> snoozeEmail(String emailId, DateTime until)`
    - Optimistically update local DB.
    - Enqueue `snooze` change.
 - New method: `Future<int> wakeUpEmails(String accountId)`
    - Find local rows where `snoozedUntil <= now`.
    - Enqueue `move` back to original mailbox.
    - Clear snooze metadata.
 ### 4. Sync Loop Integration
 - In `AccountSyncManager`, call `wakeUpEmails(accountId)` at the start of each sync cycle.
 - Update IMAP/JMAP sync logic to parse `snz:` keywords and update local `snoozedUntil` / `snoozedFromMailboxPath`.
 ### 5. UI Implementation
 - **Snooze Picker:** A dialog with options like "Later today", "Tomorrow morning", "Next week", "Custom".
 - **Action:** Add "Snooze" icon to `EmailListScreen` selection bar and `EmailDetailScreen`.
 - **Mailbox:** Ensure a "Snoozed" mailbox exists (create if missing).
 ## Implementation Steps
 1. [ ] Database migration and model updates.
 2. [ ] Repository implementation for `snoozeEmail` and `wakeUpEmails`.
 3. [ ] Update flush logic for IMAP and JMAP to handle `snooze` mutations.
 4. [ ] Update sync logic to parse snooze keywords.
 5. [ ] Integrate `wakeUpEmails` into the sync loop.
 6. [ ] UI: Snooze picker dialog.
 7. [ ] UI: Add Snooze action to list and detail screens.
 8. [ ] Testing and validation.
@@ -37,6 +37,8 @@ tasks:
    run: once
    deps: [_nix-check]
    preconditions:
      - sh: '[ "$(id -u)" != "0" ]'
        msg: "Do not run as root. Use the dedicated dev user (see DEVELOPMENT.md)."
      - sh: test -n "${IN_NIX_SHELL}"
        msg: "Not in nix dev shell. Run: nix develop"
    cmds:
@@ -56,6 +58,14 @@ tasks:
    cmds:
      - echo "Setup complete."
  generate-icons:
    desc: Rasterise icon.svg → icon.png and regenerate all platform launcher icons
    deps: [_pub-get]
    cmds:
      - rsvg-convert -w 1024 -h 1024 icon.svg -o icon.png
      - rsvg-convert -w 512  -h 512  icon.svg -o playstore/icon.png
      - fvm flutter pub run flutter_launcher_icons
  generate-changelog:
    desc: Generate assets/changelog.txt from git history
    cmds:
@@ -96,34 +106,19 @@ tasks:
      - scripts/silent_on_success.sh fvm flutter pub run build_runner build --delete-conflicting-outputs
  codegen:
-    desc: Generate Drift DB code (run after any schema change)
+    desc: Generate Drift DB code via Dagger (exports generated files back to host)
    deps: [_preflight, _pub-get]
    sources:
      - lib/**/*.dart
      - pubspec.yaml
    generates:
      - lib/**/*.g.dart
    cmds:
-      - fvm flutter pub run build_runner build --delete-conflicting-outputs
+      - dagger call --progress=plain -q -m ci --source=. codegen -o .
  analyze:
-    desc: Static analysis (flutter analyze)
+    desc: Static analysis via Dagger (dart analyze --fatal-infos)
    deps: [_preflight, _codegen]
    sources:
      - lib/**/*.dart
      - test/**/*.dart
      - pubspec.yaml
      - analysis_options.yaml
    cmds:
-      - scripts/run_analyze.sh
+      - dagger call --progress=plain -q -m ci --source=. analyze
  format:
-    desc: Format all Dart source files
+    desc: Format all Dart source files via Dagger (writes back to host)
    deps: [_preflight]
    sources:
      - "**/*.dart"
    cmds:
-      - fvm dart format lib test
+      - dagger call --progress=plain -q -m ci --source=. format-write -o .
  check-mocks:
    desc: Fail if any *.mocks.dart file is out of date (re-runs build_runner)
@@ -136,13 +131,9 @@ tasks:
      - scripts/check_mocks_fresh.sh
  analyze-fix:
-    desc: Auto-fix lint issues with dart fix --apply
+    desc: Auto-fix lint issues via Dagger (dart fix --apply, writes back to host)
    deps: [_preflight]
    sources:
      - lib/**/*.dart
      - test/**/*.dart
    cmds:
-      - fvm dart fix --apply
+      - dagger call --progress=plain -q -m ci --source=. analyze-fix -o .
  test:
    desc: Unit tests + coverage gate (fails if any non-excluded lib/ file is missing)
@@ -177,17 +168,17 @@ tasks:
  test-backend:
    desc: Backend tests against a local Stalwart mail server (via Dagger)
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. test-backend
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. test-backend
  integration-ui:
    desc: UI E2E tests on Linux via Xvfb — headless, no emulator needed (via Dagger)
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. test-integration
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. test-integration
  sync-reliability:
    desc: Run sync reliability runner (via Dagger)
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. test-sync-reliability
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. test-sync-reliability
  test-android-firebase:
    desc: Build Android debug APKs and run instrumented tests on Firebase Test Lab (via Dagger)
@@ -202,7 +193,7 @@ tasks:
  ci-graph:
    desc: Print a Mermaid diagram of the CI pipeline — paste into mermaid.live or any Markdown renderer
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. graph
+      - timeout --kill-after=10 60 dagger call --progress=plain -q -m ci --source=. graph
  stalwart:
    desc: Start a Stalwart instance for local development (via Dagger)
@@ -215,14 +206,16 @@ tasks:
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && scripts/silent_on_success.sh timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
  build-android-bundle:
    desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
    cmds:
      - mkdir -p build/app/outputs/bundle/release
-      - dagger call --progress=plain -q -m ci --source=. build-android-release -o build/app/outputs/bundle/release/app-release.aab
+      - HASH=$(git rev-parse --short HEAD) && timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. build-android-release --commit-hash "$HASH" -o build/app/outputs/bundle/release/app-release.aab
  upload-android-bundle:
    desc: Upload AAB from build/ to Play Store via Dagger
@@ -232,10 +225,11 @@ tasks:
      - sh: test -f build/app/outputs/bundle/release/app-release.aab
        msg: "AAB not found — run build-android-bundle first"
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. upload-to-play-store --aab build/app/outputs/bundle/release/app-release.aab --play-store-config env:PLAY_STORE_CONFIG_JSON
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. upload-to-play-store --aab build/app/outputs/bundle/release/app-release.aab --play-store-config env:PLAY_STORE_CONFIG_JSON
  publish-android:
    desc: Build cached AAB, stamp versionCode, sign, and publish to Play Store via Dagger
    deps: [generate-changelog]
    preconditions:
      - sh: test -n "$PLAY_STORE_CONFIG_JSON"
        msg: "PLAY_STORE_CONFIG_JSON is not set"
@@ -244,24 +238,31 @@ tasks:
      - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
        msg: "ANDROID_KEYSTORE_PASSWORD is not set"
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD
+      - HASH=$(git rev-parse --short HEAD) && scripts/silent_on_success.sh timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --commit-hash "$HASH"
  deploy-apk:
    desc: Build and deploy Android APK via Dagger
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
      - sh: test -n "$ANDROID_KEYSTORE_BASE64"
        msg: "ANDROID_KEYSTORE_BASE64 is not set"
      - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
        msg: "ANDROID_KEYSTORE_PASSWORD is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
+      - HASH=$(git rev-parse --short HEAD) && scripts/silent_on_success.sh timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
  publish-website:
    desc: Build and publish website via Dagger
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key file:$HOME/.ssh/id_ed25519 --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - HASH=$(git rev-parse --short HEAD) && timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
  check-dagger:
    desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)
@@ -284,8 +285,13 @@ tasks:
          for attempt in 1 2 3; do
            run_dagger "$@" && return 0
            RC=$?
-            if [ "$attempt" -lt 3 ] && grep -qE "connection reset|context canceled|connection refused" "$DAGGER_OUT"; then
+            if [ "$attempt" -lt 3 ] && { grep -qE "connection reset|context deadline exceeded|connection refused|invalid return status code" "$DAGGER_OUT" || [ "$RC" -eq 2 ]; }; then
              echo "$(_ts) dagger: network error on attempt $attempt/3, retrying..." >&2
            elif [ "$attempt" -lt 3 ] && grep -q "No space left on device" "$DAGGER_OUT"; then
              echo "$(_ts) dagger: disk space error on attempt $attempt/3, pruning Dagger cache..." >&2
              timeout 120 dagger query '{ engine { localCache { prune(targetSpace: "20gb") } } }' 2>/dev/null || true
              echo "$(_ts) dagger: waiting 90s for freed space to settle..." >&2
              sleep 90
            else
              return "$RC"
            fi
@@ -304,7 +310,16 @@ tasks:
          rm -f "$PORTFILE" "$DAGGER_OUT" "$RC_FILE"
        }
        trap cleanup EXIT
-        until [ -s "$PORTFILE" ]; do sleep 0.05; done
+        until [ -s "$PORTFILE" ]; do
          sleep 0.05
          if ! kill -0 "$RECV_PID" 2>/dev/null; then
            echo "$(_ts) otel-receiver.py died before writing port file; falling back to plain run" >&2
            retry_dagger dagger call --progress=plain -q -m ci --source=. check
            RC=$?
            rm -f "$PORTFILE" "$DAGGER_OUT" "$RC_FILE"
            exit $RC
          fi
        done
        PORT=$(cat "$PORTFILE")
        retry_dagger env \
          OTEL_EXPORTER_OTLP_ENDPOINT="http://127.0.0.1:$PORT" \
@@ -315,6 +330,20 @@ tasks:
        wait "$RECV_PID" 2>/dev/null || true
        exit $RC
  dagger-prune:
    desc: Prune the Dagger engine cache (keeps named volumes unless total exceeds 75 GB, then targets 50 GB)
    cmds:
      - |
        dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }'
  renovate:
    desc: Run Renovate bot against the repository via Dagger
    preconditions:
      - sh: test -n "$RENOVATE_FORGEJO_TOKEN"
        msg: "RENOVATE_FORGEJO_TOKEN is not set"
    cmds:
      - timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. renovate --renovate-token env:RENOVATE_FORGEJO_TOKEN
  integration-android:
    desc: UI integration tests on a connected Android emulator (Stalwart on host, emulator reaches it via 10.0.2.2)
    deps: [_preflight, _android-sdk-check, _android-avd-setup]
@@ -362,28 +391,48 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
        tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+        scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
        DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
        # Merge with any existing latest.json so we don't overwrite the windows key
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
        WINDOWS_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" 2>/dev/null || true)
        if [ -n "$WINDOWS_URL" ]; then
          echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        else
          echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        fi
        echo "Uploaded $TARBALL and updated latest.json"
  deploy-bugreport:
    desc: Deploy the Go bugreport server by restarting the systemd service (it pulls latest code from Codeberg)
    preconditions:
      - sh: test -n "$SSH_USER"
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        ssh "root@$SSH_HOST" "systemctl restart bugreport"
        echo "Restarted bugreport service on $SSH_HOST to pull latest code from Codeberg"
  build-windows-release:
    desc: Build the Windows desktop app (release) — must run on a Windows machine with MSVC
    deps: [_pub-get, generate-changelog]
@@ -405,24 +454,28 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        ZIPFILE="sharedinbox-windows-x64-$HASH.zip"
        cd build/windows/x64/runner && zip -r /tmp/$ZIPFILE Release/ && cd -
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
+        scp /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
        DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$ZIPFILE"
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
        LINUX_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('linux',''))" 2>/dev/null || true)
        if [ -n "$LINUX_URL" ]; then
          echo "{\"version\":\"$HASH\",\"linux\":\"$LINUX_URL\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        else
          echo "{\"version\":\"$HASH\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        fi
        echo "Uploaded $ZIPFILE and updated latest.json"
@@ -476,18 +529,10 @@ tasks:
    cmds:
      - ANDROID_HOME=${ANDROID_HOME:-$HOME/Android/Sdk} fvm flutter build apk --release --no-pub --dart-define=GIT_HASH=$(git rev-parse --short HEAD) | grep -Ev "was tree-shaken|Tree-shaking can be disabled"
  deploy-android-bundle:
    desc: Build release AAB and upload to Play Store internal track (local/fvm)
    deps: [build-android-bundle-local]
    preconditions:
      - sh: test -n "$PLAY_STORE_CONFIG_JSON"
        msg: "PLAY_STORE_CONFIG_JSON is not set"
    cmds:
      - python3 scripts/deploy_playstore.py
  build-android-bundle-local:
    desc: Build a release App Bundle (AAB) locally via fvm (not Dagger)
    deps: [_preflight, _android-sdk-check, _codegen, generate-changelog]
    dotenv: [".env"]
    method: timestamp
    sources:
      - lib/**/*.dart
@@ -496,7 +541,14 @@ tasks:
    generates:
      - build/app/outputs/bundle/release/app-release.aab
    cmds:
-      - ANDROID_HOME=${ANDROID_HOME:-$HOME/Android/Sdk} fvm flutter build appbundle --release --no-pub --build-number $(date +%s) --build-name $(date +%y%m%d-%H%M) --dart-define=GIT_HASH=$(git rev-parse --short HEAD) | grep -Ev "was tree-shaken|Tree-shaking can be disabled"
+      - sops exec-env secrets.enc.yaml 'bash scripts/build_android_bundle_local.sh'
  deploy-android-bundle:
    desc: Build release AAB and upload to Play Store internal track (local/fvm)
    deps: [build-android-bundle-local]
    dotenv: [".env"]
    cmds:
      - sops exec-env secrets.enc.yaml 'python3 scripts/deploy_playstore.py'
  deploy-android:
    desc: Build release APK and upload via scp to $ANDROID_APK_SCP_USER@$ANDROID_APK_SCP_HOST:$ANDROID_APK_SCP_PATH
@@ -523,7 +575,7 @@ tasks:
  run:
    desc: Run the app on Linux desktop
-    deps: [_preflight, _linux-deps-check, _pub-get]
+    deps: [_preflight, _linux-deps-check, _pub-get, _codegen]
    cmds:
      - fvm flutter run -d linux --no-pub
@@ -572,14 +624,18 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        APK_NAME="sharedinbox-mua-$HASH.apk"
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no \
+        scp \
          build/app/outputs/flutter-apk/app-release.apk \
          "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$APK_NAME"
        echo "Uploaded $APK_NAME to $REMOTE_DIR"
@@ -608,18 +664,23 @@ tasks:
  website-deploy:
    desc: Deploy the website via rsync to public_html
    deps: [website-build]
    preconditions:
      - sh: test -n "$SSH_KNOWN_HOSTS"
        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
        mkdir -p ~/.ssh
        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        rsync -avz --delete \
          --exclude='*.apk' \
          --exclude='*.tar.gz' \
          -e "ssh -o StrictHostKeyChecking=no" \
          website/public/ \
          ${SSH_USER}@${SSH_HOST}:public_html/
  check-fast:
-    desc: Pre-commit checks — analyze + unit+widget tests + coverage gate (no build, no integration)
+    desc: Pre-commit checks via Dagger (format, analyze, mocks, coverage — no integration or backend)
-    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks]
+    cmds:
      - dagger call --progress=plain -q -m ci --source=. check-fast
  check-layers:
    desc: Enforce architecture — ui/ must not import data/ (only core/ interfaces allowed)
@@ -646,6 +707,11 @@ tasks:
        fi
        echo "Hygiene check passed."
  check-ci-images:
    desc: Verify that all container images referenced in ci/main.go are reachable
    cmds:
      - scripts/check_ci_images.sh
  _integrations:
    internal: true
    run: once
@@ -658,6 +724,17 @@ tasks:
    cmds:
      - scripts/ci_logs.sh "{{.RUN}}" "{{.JOB}}"
  screenshots:
    desc: Generate Play Store promotional screenshots (30 golden files — 3 devices × 2 themes × 5 scenes)
    deps: [_preflight, _codegen]
    cmds:
      - fvm flutter test test/screenshot_automation_test.dart --update-goldens
  chaos-monkey-backend:
    desc: Chaos monkey — random IMAP/SMTP ops against Stalwart (via Dagger, headless)
    cmds:
      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. chaos-monkey-backend
  check:
    desc: Full check suite — unit tests first, then integration (merges coverage), then gate
    deps: [analyze, build-linux, test]
@@ -4,7 +4,6 @@ gradle-wrapper.jar
 /gradlew
 /gradlew.bat
 /local.properties
 GeneratedPluginRegistrant.java
 .cxx/
 # Remember to never publicly share your keystore.
@@ -16,19 +16,23 @@ android {
        isCoreLibraryDesugaringEnabled = true
    }
-    kotlinOptions {
+    kotlin {
-        jvmTarget = JavaVersion.VERSION_17.toString()
+        compilerOptions {
            jvmTarget = org.jetbrains.kotlin.gradle.dsl.JvmTarget.JVM_17
        }
    }
-    signingConfigs {
+    val ksPath: String? = System.getenv("ANDROID_KEYSTORE_PATH")
-        create("release") {
+
-            // Hardcoded alias matching t.sh
+    if (ksPath != null) {
-            keyAlias = "upload"
+        signingConfigs {
-            // Use the same password for both key and keystore
+            create("release") {
-            val pass = System.getenv("ANDROID_KEYSTORE_PASSWORD")
+                keyAlias = "upload"
-            storePassword = pass
+                val pass = System.getenv("ANDROID_KEYSTORE_PASSWORD") ?: ""
-            keyPassword = pass
+                storePassword = pass
-            storeFile = file("upload-keystore.jks")
+                keyPassword = pass
                storeFile = file(ksPath)
            }
        }
    }
@@ -44,14 +48,9 @@ android {
    buildTypes {
        release {
-            // Use the signing config defined above for release builds.
+            if (ksPath != null) {
-            // If the keystore file exists (e.g. in CI or manually placed), sign it.
+                signingConfig = signingConfigs.getByName("release")
            signingConfig = if (signingConfigs.getByName("release").storeFile?.exists() == true) {
                signingConfigs.getByName("release")
            } else {
                signingConfigs.getByName("debug")
            }
            isMinifyEnabled = false
            isShrinkResources = false
            ndk {
@@ -67,7 +66,7 @@ flutter {
 dependencies {
    // Required for flutter_local_notifications and other plugins that need Java 8+ APIs on API < 26.
-    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.4")
+    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.5")
    // integration_test is a dev dependency; the Flutter plugin loader adds it as
    // debugImplementation only, but GeneratedPluginRegistrant.java (in src/main)
    // references its class in all variants. Make it available for release compilation
@@ -0,0 +1,89 @@
 package io.flutter.plugins;
 import androidx.annotation.Keep;
 import androidx.annotation.NonNull;
 import io.flutter.Log;
 import io.flutter.embedding.engine.FlutterEngine;
 /**
 * Generated file. Do not edit.
 * This file is generated by the Flutter tool based on the
 * plugins that support the Android platform.
 */
@Keep
 public final class GeneratedPluginRegistrant {
  private static final String TAG = "GeneratedPluginRegistrant";
  public static void registerWith(@NonNull FlutterEngine flutterEngine) {
    try {
      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.device_info.DeviceInfoPlusPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin device_info_plus, dev.fluttercommunity.plus.device_info.DeviceInfoPlusPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new com.mr.flutter.plugin.filepicker.FilePickerPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin file_picker, com.mr.flutter.plugin.filepicker.FilePickerPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new com.dexterous.flutterlocalnotifications.FlutterLocalNotificationsPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin flutter_local_notifications, com.dexterous.flutterlocalnotifications.FlutterLocalNotificationsPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new io.flutter.plugins.flutter_plugin_android_lifecycle.FlutterAndroidLifecyclePlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin flutter_plugin_android_lifecycle, io.flutter.plugins.flutter_plugin_android_lifecycle.FlutterAndroidLifecyclePlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin flutter_secure_storage, com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new dev.flutter.plugins.integration_test.IntegrationTestPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin integration_test, dev.flutter.plugins.integration_test.IntegrationTestPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new dev.steenbakker.mobile_scanner.MobileScannerPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin mobile_scanner, dev.steenbakker.mobile_scanner.MobileScannerPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new com.crazecoder.openfile.OpenFilePlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin open_filex, com.crazecoder.openfile.OpenFilePlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.packageinfo.PackageInfoPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin package_info_plus, dev.fluttercommunity.plus.packageinfo.PackageInfoPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new io.flutter.plugins.pathprovider.PathProviderPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin path_provider_android, io.flutter.plugins.pathprovider.PathProviderPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.share.SharePlusPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin share_plus, dev.fluttercommunity.plus.share.SharePlusPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new io.flutter.plugins.urllauncher.UrlLauncherPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin url_launcher_android, io.flutter.plugins.urllauncher.UrlLauncherPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new io.flutter.plugins.webviewflutter.WebViewFlutterPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin webview_flutter_android, io.flutter.plugins.webviewflutter.WebViewFlutterPlugin", e);
    }
    try {
      flutterEngine.getPlugins().add(new dev.fluttercommunity.workmanager.WorkmanagerPlugin());
    } catch (Exception e) {
      Log.e(TAG, "Error registering plugin workmanager_android, dev.fluttercommunity.workmanager.WorkmanagerPlugin", e);
    }
  }
 }
@@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-9.5.1-all.zip
@@ -19,8 +19,8 @@ pluginManagement {
 plugins {
    id("dev.flutter.flutter-plugin-loader") version "1.0.0"
-    id("com.android.application") version "8.11.1" apply false
+    id("com.android.application") version "9.2.1" apply false
-    id("org.jetbrains.kotlin.android") version "2.2.20" apply false
+    id("org.jetbrains.kotlin.android") version "2.4.0" apply false
 }
 include(":app")
@@ -2,52 +2,4 @@ module dagger/ci
 go 1.26.2
-require (
+require golang.org/x/sync v0.20.0
 	dagger.io/dagger v0.20.6-0.20260415192040-7058e9313c72
 	github.com/Khan/genqlient v0.8.1
 	github.com/dagger/otel-go v1.43.0
 	github.com/vektah/gqlparser/v2 v2.5.33
 	go.opentelemetry.io/otel v1.43.0
 	go.opentelemetry.io/otel/trace v1.43.0
 )
 require (
 	github.com/99designs/gqlgen v0.17.90 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/sosodev/duration v1.4.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.17.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.17.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 // indirect
 	go.opentelemetry.io/otel/log v0.17.0 // indirect
 	go.opentelemetry.io/otel/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.43.0
 	go.opentelemetry.io/otel/sdk/log v0.17.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	golang.org/x/net v0.52.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 )
 replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0
 replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0
 replace go.opentelemetry.io/otel/log => go.opentelemetry.io/otel/log v0.16.0
 replace go.opentelemetry.io/otel/sdk/log => go.opentelemetry.io/otel/sdk/log v0.16.0
@@ -1,97 +1,2 @@
 dagger.io/dagger v0.20.6-0.20260415192040-7058e9313c72 h1:s39e07WvaUU6tLhpojK8ZEIoIbOSn5hHOJra0waenxQ=
 dagger.io/dagger v0.20.6-0.20260415192040-7058e9313c72/go.mod h1:ZXg8+pQZaZUC8rAw4V/gPP8aKvKARIJZ+pfcV+RC1es=
 github.com/99designs/gqlgen v0.17.90 h1:wSv6blm/PoplU6QoNw83EcQpNtC0HX3/+44vITJOzpk=
 github.com/99designs/gqlgen v0.17.90/go.mod h1:GqYrEwYsqCG8VaOsq2kJUCUKwAE1T+u2i+Nj7NtXiVI=
 github.com/Khan/genqlient v0.8.1 h1:wtOCc8N9rNynRLXN3k3CnfzheCUNKBcvXmVv5zt6WCs=
 github.com/Khan/genqlient v0.8.1/go.mod h1:R2G6DzjBvCbhjsEajfRjbWdVglSH/73kSivC9TLWVjU=
 github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
 github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/dagger/otel-go v1.43.0 h1:AYCnAamWmxtSxigWPTgC+8EWqiWPcDZEegh8y05gdJ8=
 github.com/dagger/otel-go v1.43.0/go.mod h1:83CTuXi70zcx1kaym5buqmb7RNzg1E9dEiQSFyLbLdU=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sosodev/duration v1.4.0 h1:35ed0KiVFriGHHzZZJaZLgmTEEICIyt8Sx0RQfj9IjE=
 github.com/sosodev/duration v1.4.0/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/vektah/gqlparser/v2 v2.5.33 h1:lRp8aIeNUNbimf/axZd7ETg24q06hBtPaas+TcvI/7E=
 github.com/vektah/gqlparser/v2 v2.5.33/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
 go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0 h1:ZVg+kCXxd9LtAaQNKBxAvJ5NpMf7LpvEr4MIZqb0TMQ=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0/go.mod h1:hh0tMeZ75CCXrHd9OXRYxTlCAdxcXioWHFIpYw2rZu8=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0 h1:djrxvDxAe44mJUrKataUbOhCKhR3F8QCyWucO16hTQs=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0/go.mod h1:dt3nxpQEiSoKvfTVxp3TUg5fHPLhKtbcnN3Z1I1ePD0=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 h1:VO3BL6OZXRQ1yQc8W6EVfJzINeJ35BkiHx4MYfoQf44=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0/go.mod h1:qRDnJ2nv3CQXMK2HUd9K9VtvedsPAce3S+/4LZHjX/s=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0 h1:MMrOAN8H1FrvDyq9UJ4lu5/+ss49Qgfgb7Zpm0m8ABo=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0/go.mod h1:Na+2NNASJtF+uT4NxDe0G+NQb+bUgdPDfwxY/6JmS/c=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 h1:ao6Oe+wSebTlQ1OEht7jlYTzQKE+pnx/iNywFvTbuuI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0/go.mod h1:u3T6vz0gh/NVzgDgiwkgLxpsSF6PaPmo2il0apGJbls=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 h1:mq/Qcf28TWz719lE3/hMB4KkyDuLJIvgJnFGcd0kEUI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0/go.mod h1:yk5LXEYhsL2htyDNJbEq7fWzNEigeEdV5xBF/Y+kAv0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 h1:inYW9ZhgqiDqh6BioM7DVHHzEGVq76Db5897WLGZ5Go=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0/go.mod h1:Izur+Wt8gClgMJqO/cZ8wdeeMryJ/xxiOVgFSSfpDTY=
 go.opentelemetry.io/otel/log v0.16.0 h1:DeuBPqCi6pQwtCK0pO4fvMB5eBq6sNxEnuTs88pjsN4=
 go.opentelemetry.io/otel/log v0.16.0/go.mod h1:rWsmqNVTLIA8UnwYVOItjyEZDbKIkMxdQunsIhpUMes=
 go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
 go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
 go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
 go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
 go.opentelemetry.io/otel/sdk/log v0.16.0 h1:e/b4bdlQwC5fnGtG3dlXUrNOnP7c8YLVSpSfEBIkTnI=
 go.opentelemetry.io/otel/sdk/log v0.16.0/go.mod h1:JKfP3T6ycy7QEuv3Hj8oKDy7KItrEkus8XJE6EoSzw4=
 go.opentelemetry.io/otel/sdk/log/logtest v0.16.0 h1:/XVkpZ41rVRTP4DfMgYv1nEtNmf65XPPyAdqV90TMy4=
 go.opentelemetry.io/otel/sdk/log/logtest v0.16.0/go.mod h1:iOOPgQr5MY9oac/F5W86mXdeyWZGleIx3uXO98X2R6Y=
 go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
 go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
 go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
 go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
 golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
 golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
 google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
 google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"dagger/ci/internal/dagger"
 	"encoding/json"
 	"fmt"
 	"time"
@@ -148,16 +149,33 @@ if __name__ == "__main__":
 `
 type Ci struct {
-	Source *dagger.Directory
+	Source         *dagger.Directory
 	FlutterVersion string
 }
 func New(
 	ctx context.Context,
 	// +defaultPath=".."
 	source *dagger.Directory,
-) *Ci {
+) (*Ci, error) {
 	fvmrcContents, err := source.File(".fvmrc").Contents(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read .fvmrc: %w", err)
 	}
 	var fvmrc struct {
 		Flutter string `json:"flutter"`
 	}
 	if err := json.Unmarshal([]byte(fvmrcContents), &fvmrc); err != nil {
 		return nil, fmt.Errorf("failed to parse .fvmrc: %w", err)
 	}
 	if fvmrc.Flutter == "" {
 		return nil, fmt.Errorf(".fvmrc is missing the 'flutter' field")
 	}
 	return &Ci{
 		FlutterVersion: fvmrc.Flutter,
 		Source: source.Filter(dagger.DirectoryFilterOpts{
 			Include: []string{
 				".fvmrc",
 				"lib/",
 				"test/",
 				"assets/",
@@ -173,7 +191,7 @@ func New(
 				"website/",
 			},
 		}),
-	}
+	}, nil
 }
 // toolchain returns the Flutter+Android toolchain without any mutable cache mounts.
@@ -181,7 +199,7 @@ func New(
 // Used as the base for pubGetLayer so flutter pub get is execution-cached between runs.
 func (m *Ci) toolchain() *dagger.Container {
 	return dag.Container().
-		From("ghcr.io/cirruslabs/flutter:3.41.6").
+		From("ghcr.io/cirruslabs/flutter:"+m.FlutterVersion).
 		WithExec([]string{"apt-get", "-qq", "update"}).
 		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld"}).
 		WithExec([]string{"useradd", "-m", "-s", "/bin/bash", "ci"}).
@@ -195,7 +213,8 @@ func (m *Ci) toolchain() *dagger.Container {
 		WithUser("ci").
 		WithExec([]string{"/bin/sh", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`yes | sdkmanager "ndk;28.2.13676358" "cmake;3.22.1" "build-tools;35.0.0" "platforms;android-34" >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }`})
+				`yes | sdkmanager "ndk;28.2.13676358" "cmake;3.22.1" "build-tools;35.0.0" "platforms;android-34" >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }`}).
 		WithExec([]string{"flutter", "precache", "--linux", "--no-android", "--no-ios"})
 }
 // Base is the Flutter toolchain container with mutable cache mounts attached.
@@ -285,6 +304,21 @@ func (m *Ci) firebaseSrc() *dagger.Directory {
 	})
 }
 // androidBase wraps setup(androidSrc()) with the Gradle named-cache so that
 // Gradle dependencies survive across Dagger execution-cache misses.
 func (m *Ci) androidBase() *dagger.Container {
 	return m.setup(m.androidSrc()).
 		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"),
 			dagger.ContainerWithMountedCacheOpts{Owner: "ci"})
 }
 // firebaseBase wraps setup(firebaseSrc()) with the Gradle named-cache.
 func (m *Ci) firebaseBase() *dagger.Container {
 	return m.setup(m.firebaseSrc()).
 		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"),
 			dagger.ContainerWithMountedCacheOpts{Owner: "ci"})
 }
 // linuxSrc is the source subset for Linux builds and integration tests.
 func (m *Ci) linuxSrc() *dagger.Directory {
 	return m.Source.Filter(dagger.DirectoryFilterOpts{
@@ -318,12 +352,23 @@ func (m *Ci) Hugo() *dagger.Container {
 }
 // Deploy container for rsync/ssh
-func (m *Ci) Deployer(sshKey *dagger.Secret) *dagger.Container {
+func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container {
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
-		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
+		// Create .ssh with strict permissions before Dagger mounts anything there,
-		WithEnvVariable("RSYNC_RSH", "ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519")
+		// so the directory is 700 (not Dagger's default 755).
 		WithExec([]string{"sh", "-c", "mkdir -p /root/.ssh && chmod 700 /root/.ssh"}).
 		// Mount the raw key outside .ssh so Dagger cannot override the directory
 		// permissions we just set above.
 		WithMountedSecret("/tmp/id_ed25519.raw", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
 		// Normalise with Python3: strip CRLF/bare-CR, ensure trailing newline.
 		// Using Python3 (not tr) changes the Dagger cache key so stale cached
 		// results from the old tr-based step are not reused.
 		WithExec([]string{"python3", "-c",
 			"import os; raw=open('/tmp/id_ed25519.raw','rb').read(); key=raw.replace(b'\\r\\n',b'\\n').replace(b'\\r',b'\\n'); key=key if key.endswith(b'\\n') else key+b'\\n'; open('/root/.ssh/id_ed25519','wb').write(key); os.chmod('/root/.ssh/id_ed25519',0o600)"}).
 		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }
 // Stalwart mail server service for backend and integration tests.
@@ -343,7 +388,7 @@ func (m *Ci) Stalwart() *dagger.Service {
 	return dag.Container().
 		From("stalwartlabs/stalwart:v0.14.1").
 		WithFile("/etc/stalwart/config.toml.orig", config).
-		WithExec([]string{"/bin/sh", "-c", "sed -e 's/hostname = \"localhost\"/hostname = \"stalwart\"/' -e 's/bind     = \\[\"0.0.0.0:\\([0-9]*\\)\"\\]/bind     = [\"0.0.0.0:\\1\", \"[::]:\\1\"]/g' /etc/stalwart/config.toml.orig > /etc/stalwart/config.toml"}).
+		WithExec([]string{"/bin/sh", "-c", "sed -e 's/hostname = \"localhost\"/hostname = \"stalwart\"/' /etc/stalwart/config.toml.orig > /etc/stalwart/config.toml"}).
 		WithDirectory("/tmp/stalwart", dataDir).
 		WithExposedPort(8080). // JMAP
 		WithExposedPort(1430). // IMAP
@@ -395,33 +440,91 @@ func (m *Ci) Format(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }
-// CheckMocks verifies that generated mocks are up to date.
+// FormatWrite formats Dart files and exports the modified /src directory.
-// It snapshots the committed source (including any stale *.mocks.dart) before
+func (m *Ci) FormatWrite() *dagger.Directory {
-// running build_runner, so git diff detects real staleness instead of always
+	return m.setup(m.checkSrc()).
-// comparing two freshly-generated outputs.
+		WithExec([]string{"dart", "format", "lib", "test"}).
-func (m *Ci) CheckMocks(ctx context.Context) (string, error) {
+		Directory("/src")
-	return m.pubGetLayer().
+}
-		WithDirectory("/src", m.checkSrc(), dagger.ContainerWithDirectoryOpts{Owner: "ci"}).
+
-		WithWorkdir("/src").
+// Analyze runs static analysis with dart analyze --fatal-infos.
-		WithExec([]string{"git", "init"}).
+func (m *Ci) Analyze(ctx context.Context) (string, error) {
-		WithExec([]string{"git", "config", "user.email", "ci@sharedinbox.de"}).
+	return m.setup(m.checkSrc()).
-		WithExec([]string{"git", "config", "user.name", "CI"}).
+		WithExec([]string{"dart", "analyze", "--fatal-infos"}).
 		WithExec([]string{"git", "add", "."}).
 		WithExec([]string{"git", "commit", "-q", "-m", "baseline"}).
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
 				`flutter pub run build_runner build --delete-conflicting-outputs >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -vE '^\[.*s\] \|' "$tmp" || true`}).
 		WithExec([]string{"/bin/bash", "-c", "CHANGED=$(find . -name '*.mocks.dart' | xargs -r git diff --exit-code); if [ $? -ne 0 ]; then echo \"ERROR: Mocks are out of date\"; exit 1; fi; echo \"Mocks are up to date.\""}).
 		Stdout(ctx)
 }
-// Coverage runs unit tests with coverage gate.
+// Codegen runs build_runner and exports the modified /src directory.
 func (m *Ci) Codegen() *dagger.Directory {
 	return m.codegenBase().Directory("/src")
 }
 // AnalyzeFix runs dart fix --apply and exports the modified /src directory.
 func (m *Ci) AnalyzeFix() *dagger.Directory {
 	return m.setup(m.checkSrc()).
 		WithExec([]string{"dart", "fix", "--apply"}).
 		Directory("/src")
 }
 // CheckFast runs fast checks (hygiene, layers, format, analyze, mocks, coverage) in parallel.
 func (m *Ci) CheckFast(ctx context.Context) (string, error) {
 	ctx, cancel := context.WithTimeout(ctx, 15*time.Minute)
 	defer cancel()
 	var eg errgroup.Group
 	eg.Go(func() error {
 		_, err := m.CheckHygiene(ctx)
 		return err
 	})
 	eg.Go(func() error {
 		_, err := m.CheckLayers(ctx)
 		return err
 	})
 	eg.Go(func() error {
 		_, err := m.Format(ctx)
 		return err
 	})
 	eg.Go(func() error {
 		_, err := m.Analyze(ctx)
 		return err
 	})
 	eg.Go(func() error {
 		_, err := m.CheckGenerated(ctx)
 		return err
 	})
 	eg.Go(func() error {
 		_, err := m.Coverage(ctx)
 		return err
 	})
 	if err := eg.Wait(); err != nil {
 		return "", err
 	}
 	return "All fast checks passed!", nil
 }
 // CheckGenerated verifies that all generated files (*.g.dart, *.mocks.dart) are up to date.
 // It reuses the codegenBase() output instead of running build_runner a second time,
 // diffing committed generated files against the freshly built ones.
 func (m *Ci) CheckGenerated(ctx context.Context) (string, error) {
 	fresh := m.codegenBase().Directory("/src")
 	return m.pubGetLayer().
 		WithDirectory("/committed", m.checkSrc(), dagger.ContainerWithDirectoryOpts{Owner: "ci"}).
 		WithDirectory("/generated", fresh, dagger.ContainerWithDirectoryOpts{Owner: "ci"}).
 		WithExec([]string{"/bin/bash", "-c",
 			`stale=$(find /committed -name '*.g.dart' -o -name '*.mocks.dart' | ` +
 				`while IFS= read -r f; do rel="${f#/committed/}"; diff -q "$f" "/generated/$rel" >/dev/null 2>&1 || echo "$rel"; done); ` +
 				`if [ -n "$stale" ]; then ` +
 				`echo "ERROR: Generated files are out of date — run: dart run build_runner build"; echo "$stale"; exit 1; ` +
 				`else echo "Generated files are up to date."; fi`}).
 		Stdout(ctx)
 }
 // Coverage runs unit and widget tests with coverage gate.
 func (m *Ci) Coverage(ctx context.Context) (string, error) {
 	return m.setup(m.checkSrc()).
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`flutter test test/unit --coverage --reporter expanded --no-pub >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
+				`flutter test test/unit test/widget --exclude-tags golden --coverage --reporter expanded --no-pub >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -E '^All [0-9]+ tests passed' "$tmp" || tail -1 "$tmp"`}).
 		WithExec([]string{"dart", "scripts/check_coverage.dart"}).
 		Stdout(ctx)
@@ -432,7 +535,7 @@ func (m *Ci) TestBackend(ctx context.Context) (string, error) {
 	return m.WithStalwart(m.setup(m.backendSrc())).
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`flutter test --concurrency=1 --reporter expanded --no-pub test/backend >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
+				`flutter test --concurrency=1 --reporter expanded --no-pub --exclude-tags=nightly test/backend >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -E '^All [0-9]+ tests passed' "$tmp" || tail -1 "$tmp"`}).
 		Stdout(ctx)
 }
@@ -458,49 +561,77 @@ func (m *Ci) TestSyncReliability(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }
 // ChaosMonkeyBackend runs random IMAP/SMTP operations against Stalwart to surface crashes.
 func (m *Ci) ChaosMonkeyBackend(ctx context.Context) (string, error) {
 	return m.WithStalwart(m.setup(m.backendSrc())).
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
 				`flutter test test/backend/chaos_monkey_test.dart --reporter expanded --concurrency=1 --no-pub --tags=nightly >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -E '^All [0-9]+ tests passed' "$tmp" || tail -1 "$tmp"`}).
 		Stdout(ctx)
 }
 // Check runs the full check suite.
 func (m *Ci) Check(ctx context.Context) (string, error) {
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Minute)
 	defer cancel()
-	if _, err := m.CheckHygiene(ctx); err != nil {
+	// Run cheap structural checks in parallel for faster fail detection.
-		return "Hygiene check failed", err
+	var fastEg errgroup.Group
-	}
+	fastEg.Go(func() error {
-	if _, err := m.CheckLayers(ctx); err != nil {
+		_, err := m.CheckHygiene(ctx)
-		return "Layer check failed", err
+		return err
 	})
 	fastEg.Go(func() error {
 		_, err := m.CheckLayers(ctx)
 		return err
 	})
 	if err := fastEg.Wait(); err != nil {
 		return "", err
 	}
-	checkSetup := m.setup(m.checkSrc())
+	// Run format, analyze, generated-code check, and coverage in parallel —
-
+	// they all share the same setup base and have no dependencies on each other.
-	if _, err := checkSetup.WithExec([]string{"dart", "format", "--output=none", "--set-exit-if-changed", "lib", "test"}).Stdout(ctx); err != nil {
+	var analyze, mocks, coverage string
-		return "Format check failed", err
+	var checkEg errgroup.Group
-	}
+	checkEg.Go(func() error {
-
+		setup := m.setup(m.checkSrc())
-	analyze, err := checkSetup.WithExec([]string{"dart", "analyze", "--fatal-infos"}).Stdout(ctx)
+		_, err := setup.WithExec([]string{"dart", "format", "--output=none", "--set-exit-if-changed", "lib", "test"}).Stdout(ctx)
-	if err != nil {
+		return err
-		return analyze, err
+	})
-	}
+	checkEg.Go(func() error {
-
+		setup := m.setup(m.checkSrc())
-	mocks, err := m.CheckMocks(ctx)
+		var err error
-	if err != nil {
+		analyze, err = setup.WithExec([]string{"dart", "analyze", "--fatal-infos"}).Stdout(ctx)
-		return mocks, err
+		return err
-	}
+	})
-
+	checkEg.Go(func() error {
-	coverage, err := m.Coverage(ctx)
+		var err error
-	if err != nil {
+		mocks, err = m.CheckGenerated(ctx)
-		return coverage, err
+		return err
 	})
 	checkEg.Go(func() error {
 		var err error
 		coverage, err = m.Coverage(ctx)
 		return err
 	})
 	if err := checkEg.Wait(); err != nil {
 		return "", err
 	}
 	// Use errgroup.Group (not WithContext) so a failing test does not cancel its
 	// sibling via context — which would surface as "context canceled" in dagger
 	// output and trigger spurious retries in check-dagger.
 	var testBackend, testIntegration string
-	eg, egCtx := errgroup.WithContext(ctx)
+	var eg errgroup.Group
 	eg.Go(func() error {
 		var e error
-		testBackend, e = m.TestBackend(egCtx)
+		testBackend, e = m.TestBackend(ctx)
 		return e
 	})
 	eg.Go(func() error {
 		var e error
-		testIntegration, e = m.TestIntegration(egCtx)
+		testIntegration, e = m.TestIntegration(ctx)
 		return e
 	})
 	if err := eg.Wait(); err != nil {
@@ -514,6 +645,7 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 func (m *Ci) GenerateBuildHistory(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
@@ -525,7 +657,7 @@ func (m *Ci) GenerateBuildHistory(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "openssh-client"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithExec([]string{"chmod", "700", "/root/.ssh"}).
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("SSH_USER", sshUser).
 		WithEnvVariable("SSH_HOST", sshHost).
 		WithDirectory("/src", scriptSource).
@@ -538,18 +670,25 @@ func (m *Ci) GenerateBuildHistory(
 func (m *Ci) BuildWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	// +optional
 	commitHash string,
 ) *dagger.Directory {
-	buildHistory := m.GenerateBuildHistory(ctx, sshKey, sshUser, sshHost)
+	buildHistory := m.GenerateBuildHistory(ctx, sshKey, knownHosts, sshUser, sshHost)
 	websiteSource := m.Source.Filter(dagger.DirectoryFilterOpts{
 		Include: []string{"website/"},
 	}).WithDirectory("website/content/builds", buildHistory)
-	return m.Hugo().
+	hugo := m.Hugo().
 		WithDirectory("/src", websiteSource).
-		WithWorkdir("/src/website").
+		WithWorkdir("/src/website")
 	if commitHash != "" {
 		hugo = hugo.WithEnvVariable("HUGO_PARAMS_GITVERSION", commitHash)
 	}
 	return hugo.
 		WithExec([]string{"hugo", "--minify"}).
 		Directory("public")
 }
@@ -558,12 +697,15 @@ func (m *Ci) BuildWebsite(
 func (m *Ci) PublishWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	// +optional
 	commitHash string,
 ) (string, error) {
-	public := m.BuildWebsite(ctx, sshKey, sshUser, sshHost)
+	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost, commitHash)
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/public", public).
 		WithExec([]string{"rsync", "-avz", "--delete",
 			"--exclude=*.apk", "--exclude=*.tar.gz",
@@ -579,9 +721,17 @@ func (m *Ci) BuildLinux() *dagger.Directory {
 }
 // BuildLinuxRelease builds the Linux release bundle.
-func (m *Ci) BuildLinuxRelease() *dagger.Directory {
+func (m *Ci) BuildLinuxRelease(
 	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
 	// +optional
 	commitHash string,
 ) *dagger.Directory {
 	args := []string{"flutter", "build", "linux", "--release"}
 	if commitHash != "" {
 		args = append(args, "--dart-define=GIT_HASH="+commitHash)
 	}
 	return m.setup(m.linuxSrc()).
-		WithExec([]string{"flutter", "build", "linux", "--release"}).
+		WithExec(args).
 		Directory("build/linux/x64/release/bundle")
 }
@@ -589,36 +739,49 @@ func (m *Ci) BuildLinuxRelease() *dagger.Directory {
 func (m *Ci) DeployLinux(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
 ) (string, error) {
-	bundle := m.BuildLinuxRelease()
+	bundle := m.BuildLinuxRelease(commitHash)
 	datePath := time.Now().Format("2006/01/02")
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	tarball := fmt.Sprintf("sharedinbox-linux-amd64-%s.tar.gz", commitHash)
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/bundle", bundle).
 		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("tar -czf /tmp/%s -C /bundle .", tarball)}).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
 		Stdout(ctx)
 }
 // setupKeystore decodes the base64 keystore into the android build container.
 func (m *Ci) setupKeystore(keystoreBase64 *dagger.Secret, keystorePassword *dagger.Secret) *dagger.Container {
-	return m.setup(m.androidSrc()).
+	return m.androidBase().
 		WithSecretVariable("ANDROID_KEYSTORE_BASE64", keystoreBase64).
 		WithSecretVariable("ANDROID_KEYSTORE_PASSWORD", keystorePassword).
-		WithExec([]string{"/bin/sh", "-c", `echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > android/app/upload-keystore.jks`})
+		WithExec([]string{"/bin/sh", "-c", `echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > /tmp/upload-keystore.jks`}).
 		WithEnvVariable("ANDROID_KEYSTORE_PATH", "/tmp/upload-keystore.jks")
 }
 // BuildAndroidApk builds a release APK signed with the upload key.
-func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *dagger.Secret, buildNumber string) *dagger.File {
+func (m *Ci) BuildAndroidApk(
 	keystoreBase64 *dagger.Secret,
 	keystorePassword *dagger.Secret,
 	buildNumber string,
 	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
 	// +optional
 	commitHash string,
 ) *dagger.File {
 	args := []string{"flutter", "build", "apk", "--release", "--no-pub", "--build-number", buildNumber}
 	if commitHash != "" {
 		args = append(args, "--dart-define=GIT_HASH="+commitHash)
 	}
 	return m.setupKeystore(keystoreBase64, keystorePassword).
-		WithExec([]string{"flutter", "build", "apk", "--release", "--no-pub", "--build-number", buildNumber}).
+		WithExec(args).
 		File("build/app/outputs/flutter-apk/app-release.apk")
 }
@@ -626,6 +789,7 @@ func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *da
 func (m *Ci) DeployApk(
 	ctx context.Context,
 	sshKey *dagger.Secret,
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -633,24 +797,23 @@ func (m *Ci) DeployApk(
 	keystorePassword *dagger.Secret,
 	buildNumber string,
 ) (string, error) {
-	apk := m.BuildAndroidApk(keystoreBase64, keystorePassword, buildNumber)
+	apk := m.BuildAndroidApk(keystoreBase64, keystorePassword, buildNumber, commitHash)
 	datePath := time.Now().Format("2006/01/02")
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	apkName := fmt.Sprintf("sharedinbox-mua-%s.apk", commitHash)
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithFile("/tmp/app.apk", apk).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
 		Stdout(ctx)
 }
 // BuildAndroidDebugApks builds the debug app APK and the androidTest APK needed for Firebase Test Lab.
 // Returns a flat directory with app-debug.apk and app-debug-androidTest.apk.
 func (m *Ci) BuildAndroidDebugApks() *dagger.Directory {
-	built := m.setup(m.firebaseSrc()).
+	built := m.firebaseBase().
 		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"), dagger.ContainerWithMountedCacheOpts{Owner: "ci"}).
 		WithExec([]string{"flutter", "build", "apk", "--debug", "--no-pub"}).
 		WithWorkdir("/src/android").
 		// --no-daemon avoids connecting to a stale daemon whose registry file was
@@ -709,9 +872,17 @@ func (m *Ci) TestAndroidFirebase(
 // BuildAndroidRelease builds the AAB with a fixed build-number so Dagger can cache it.
 // versionCode and signing are applied separately via StampAndroidVersionCode + SignAndroidBundle.
-func (m *Ci) BuildAndroidRelease() *dagger.File {
+func (m *Ci) BuildAndroidRelease(
-	return m.setup(m.androidSrc()).
+	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
-		WithExec([]string{"flutter", "build", "appbundle", "--release", "--no-pub", "--build-number", "1"}).
+	// +optional
 	commitHash string,
 ) *dagger.File {
 	args := []string{"flutter", "build", "appbundle", "--release", "--no-pub", "--build-number", "1"}
 	if commitHash != "" {
 		args = append(args, "--dart-define=GIT_HASH="+commitHash)
 	}
 	return m.androidBase().
 		WithExec(args).
 		File("build/app/outputs/bundle/release/app-release.aab")
 }
@@ -739,7 +910,7 @@ func (m *Ci) UploadToPlayStore(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "curl"}).
 		WithMountedCache("/root/.cache/pip", dag.CacheVolume("pip-cache")).
-		WithExec([]string{"pip", "install", "requests", "google-auth"}).
+		WithExec([]string{"pip", "install", "google-auth", "requests"}).
 		WithFile("/src/build/app/outputs/bundle/release/app-release.aab", aab).
 		WithFile("/src/scripts/deploy_playstore.py", scriptSource.File("scripts/deploy_playstore.py")).
 		WithSecretVariable("PLAY_STORE_CONFIG_JSON", playStoreConfig).
@@ -783,14 +954,41 @@ func (m *Ci) PublishAndroid(
 	playStoreConfig *dagger.Secret,
 	keystoreBase64 *dagger.Secret,
 	keystorePassword *dagger.Secret,
 	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
 	// +optional
 	commitHash string,
 ) (string, error) {
 	versionCode := int(time.Now().Unix())
-	aab := m.BuildAndroidRelease()
+	aab := m.BuildAndroidRelease(commitHash)
 	stamped := m.StampAndroidVersionCode(aab, versionCode)
 	signed := m.SignAndroidBundle(stamped, keystoreBase64, keystorePassword)
 	return m.UploadToPlayStore(ctx, signed, playStoreConfig)
 }
 // Renovate runs Renovate bot against the repository on Forgejo/Codeberg.
 func (m *Ci) Renovate(ctx context.Context, renovateToken *dagger.Secret) (string, error) {
 	// Codeberg's GET /pulls?state=all&limit=100 times out with a 504, but limit=10
 	// completes in ~9 s. Patch the compiled pr-cache.js to use 10 instead of the
 	// hardcoded 20/100 values before launching renovate.
 	const patchCmd = `for f in \
 			/usr/local/renovate/dist/modules/platform/forgejo/pr-cache.js \
 			/usr/local/renovate/dist/modules/platform/gitea/pr-cache.js; do \
 		sed -i 's/limit: this\.items\.length ? 20 : 100/limit: this.items.length ? 10 : 10/' "$f" && echo "patched $f"; \
 		done`
 	return dag.Container().
 		From("renovate/renovate:43").
 		WithSecretVariable("RENOVATE_TOKEN", renovateToken).
 		WithEnvVariable("RENOVATE_PLATFORM", "forgejo").
 		WithEnvVariable("RENOVATE_ENDPOINT", "https://codeberg.org").
 		WithEnvVariable("RENOVATE_REPOSITORIES", "guettli/sharedinbox").
 		WithEnvVariable("LOG_LEVEL", "info").
 		WithUser("root").
 		WithExec([]string{"/bin/sh", "-c", patchCmd}).
 		WithUser("ubuntu").
 		WithExec([]string{"renovate"}).
 		Stdout(ctx)
 }
 // Graph returns a Mermaid diagram of the CI pipeline structure.
 // Paste the output into any Mermaid renderer (codeberg, github, mermaid.live)
 // or save it as a .md file to get a rendered diagram.
@@ -799,12 +997,12 @@ func (m *Ci) PublishAndroid(
 //
 //	dagger call --progress=plain -q -m ci --source=. graph
 func (m *Ci) Graph() string {
-	return `# CI Pipeline Graph
+	return fmt.Sprintf(`# CI Pipeline Graph
-` + "```" + `mermaid
+`+"```"+`mermaid
 flowchart TD
    subgraph dagger ["Dagger · Check pipeline"]
-        toolchain["toolchain\nflutter:3.41.6 + NDK + apt"]
+        toolchain["toolchain\nflutter:%s + NDK + apt + precache"]`, m.FlutterVersion) + `
        pubGet["pubGetLayer\nflutter pub get"]
        codegen["codegenBase\nbuild_runner build\n(shared cache)"]
        stalwart(["Stalwart service\nIMAP · JMAP · SMTP · Sieve"])
@@ -814,7 +1012,7 @@ flowchart TD
        pubGet --> hygiene["CheckHygiene"]
        pubGet --> layers["CheckLayers"]
-        pubGet --> mocks["CheckMocks\n(own build_runner run)"]
+        pubGet --> mocks["CheckGenerated\n(own build_runner run)"]
        codegen --> fmt["Format"]
        codegen --> analyze["Analyze"]
@@ -835,16 +1033,25 @@ flowchart TD
        integration --> check
    end
-    subgraph forgejo ["Codeberg CI · .forgejo/workflows/ci.yml"]
+    subgraph forgejo_ci ["Codeberg CI · ci.yml (push/PR, source paths only)"]
        ciCheck["check"]
-        buildLinux["build-linux\n(main only)"]
+    end
        deployPS["deploy-playstore\n(main only)"]
        pubWeb["publish-website\n(main only)"]
-        ciCheck --> buildLinux
+    subgraph forgejo_deploy ["Codeberg CI · deploy.yml (hourly schedule + workflow_dispatch)"]
-        ciCheck --> deployPS
+        detectChanges["check-changes\ndetect android / linux diff"]
        buildLinux["build-linux\n(linux changed)"]
        deployPS["deploy-playstore\n(android changed)"]
        deployApk["deploy-apk\n(android changed)"]
        fbTest["test-android-firebase\n(android changed)"]
        pubWeb["publish-website\n(any build succeeded)"]
        detectChanges --> buildLinux
        detectChanges --> deployPS
        detectChanges --> deployApk
        detectChanges --> fbTest
        buildLinux  --> pubWeb
        deployPS    --> pubWeb
        deployApk   --> pubWeb
    end
    check -- "task check-dagger" --> ciCheck
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 [ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
 # Load .env into environment
@@ -13,7 +14,7 @@ export SSH_PRIVATE_KEY=$(cat "$HOME/.ssh/id_ed25519")
 # Add nix profile and nix store tools (task, dagger) to PATH
 export PATH="$HOME/.nix-profile/bin:$PATH"
-for pkg in "*go-task-*/bin/task" "*dagger-*/bin/dagger"; do
+for pkg in "*go-task-*/bin/task" "*dagger-*/bin/dagger" "*fgj-*/bin/fgj"; do
    bin=$(ls -d /nix/store/$pkg 2>/dev/null | sort -V | tail -1)
    [ -n "$bin" ] && export PATH="$(dirname "$bin"):$PATH"
 done
@@ -4,6 +4,28 @@ This file contains tasks which got implemented.
 Tasks get moved from next.md to done.md
 ## Tasks (2026-05-29)
 - **Merge PR #307 — user preferences and configurable navigation (Issue #315)**: Confirmed that
  all features from PR #307 (issue #299) were already merged into main via separate PRs:
  - Configurable menu bar position (bottom/top) for mailbox view — merged via #298/#303
  - Configurable back button position for single mail view — merged via #299/#307 features in #300
  - Configurable "after mail action" (next message / return to mailbox) — merged via #300/#308
  - Archive button with `resolveMailboxByRole` helper — merged via #287/#291, #286/#290
  - User preferences DB schema (v34–v36: `user_preferences` table) — in main
  - PR #307 and issue #299 closed.
  - Issue #315 closed.
 ## Tasks (2026-05-26)
 - **Renovate Bot (Issue #257)**: Renovate Bot runs daily via Forgejo Actions to keep
  dependencies up to date. All required components are in main:
  - `renovate.json` — Renovate configuration covering pub, Dockerfile, and Forgejo Actions
  - `ci/main.go` — `Renovate()` Dagger function using Forgejo platform and Codeberg endpoint
  - `.forgejo/workflows/renovate.yml` — daily cron (06:00 UTC) workflow
  - `Taskfile.yml` — `renovate` task
  - Issue #257 closed.
 ## Tasks (2026-05-11)
 - **Stabilize Email List UI during Selection (Issue #14)**: Prevented layout shifts when entering
@@ -48,11 +48,28 @@
            chmod +x $out/bin/fgj
          '';
        };
        # The dagger/nix flake pins 0.20.8, whose Nix wrapper is a broken self-exec
        # loop.  Fetch 0.21.4 directly so the pre-commit dart-check hook can run.
        dagger021 = pkgs.stdenv.mkDerivation {
          pname = "dagger";
          version = "0.21.4";
          src = pkgs.fetchurl {
            url = "https://dl.dagger.io/dagger/releases/0.21.4/dagger_v0.21.4_linux_amd64.tar.gz";
            sha256 = "0wlnbr4g5069755131yjp2a6alacn64f1c8b27xn0cbynq3zicjd";
          };
          sourceRoot = ".";
          installPhase = ''
            mkdir -p $out/bin
            cp dagger $out/bin/dagger
            chmod +x $out/bin/dagger
          '';
        };
      in {
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [
            # Dagger CLI
-            dagger.packages.${system}.dagger
+            dagger021
            # Go compiler — for Dagger development
            go
@@ -94,16 +111,22 @@
            sqlite
            # python3 base + Google Play API client (for scripts/deploy_playstore.py)
            (python3.withPackages (ps: with ps; [
-              google-auth
+              google-api-python-client
-              requests
+              google-auth-httplib2
              httplib2
            ]))  # used by stalwart-dev/start and deploy_playstore.py
            fgj      # Codeberg/Forgejo CLI (like gh for GitHub)
            skopeo   # inspect OCI image manifests without pulling layers (used by check-ci-images)
            librsvg  # rsvg-convert — SVG→PNG for generate-icons task
          ]);
          shellHook = ''
            # nix develop --command does not set IN_NIX_SHELL; set it so _preflight passes in CI
            export IN_NIX_SHELL=1
            # Point Dagger client at the running engine socket
            export DAGGER_HOST=unix:///run/dagger/engine.sock
            # Disable Flutter telemetry inside dev shell
            export FLUTTER_SUPPRESS_ANALYTICS=true
@@ -0,0 +1,3 @@
 module codeberg.org/guettli/sharedinbox
 go 1.22
@@ -0,0 +1,25 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" width="512" height="512" shape-rendering="geometricPrecision">
  <!-- White Background -->
  <rect width="512" height="512" fill="white"/>
  <!-- 6 Concentric Rainbow Rings (Tunnel Vision Geometry) -->
  <g fill-rule="evenodd" stroke="black" stroke-width="2.5">
    <!-- Red -->
    <path fill="#FF0000" d="M256,256 m-242,0 a242,242 0 1,0 484,0 a242,242 0 1,0 -484,0 Z M256,256 m-190,0 a190,190 0 1,0 380,0 a190,190 0 1,0 -380,0 Z" />
    <!-- Orange -->
    <path fill="#FF8C00" d="M256,256 m-170,0 a170,170 0 1,0 340,0 a170,170 0 1,0 -340,0 Z M256,256 m-131,0 a131,131 0 1,0 262,0 a131,131 0 1,0 -262,0 Z" />
    <!-- Yellow -->
    <path fill="#FFD700" d="M256,256 m-115,0 a115,115 0 1,0 230,0 a115,115 0 1,0 -230,0 Z M256,256 m-85,0 a85,85 0 1,0 170,0 a85,85 0 1,0 -170,0 Z" />
    <!-- Green -->
    <path fill="#22AA00" d="M256,256 m-73,0 a73,73 0 1,0 146,0 a73,73 0 1,0 -146,0 Z M256,256 m-51,0 a51,51 0 1,0 102,0 a51,51 0 1,0 -102,0 Z" />
    <!-- Blue -->
    <path fill="#0055FF" d="M256,256 m-41,0 a41,41 0 1,0 82,0 a41,41 0 1,0 -82,0 Z M256,256 m-24,0 a24,24 0 1,0 48,0 a24,24 0 1,0 -48,0 Z" />
    <!-- Purple -->
    <path fill="#8B00FF" d="M256,256 m-16,0 a16,16 0 1,0 32,0 a16,16 0 1,0 -32,0 Z M256,256 m-3,0 a3,3 0 1,0 6,0 a3,3 0 1,0 -6,0 Z" />
  </g>
 </svg>
@@ -317,7 +317,7 @@ void main() {
      // ── Check Sent folder ──────────────────────────────────────────────────
      // Use the drawer to switch folders (no back button on Linux desktop).
-      await tester.tap(find.byTooltip('Open navigation menu'));
+      await tester.tap(find.byTooltip('Open folders'));
      await tester.pumpAndSettle();
      await tester.tap(find.text('Sent'));
      await tester.pumpAndSettle();
@@ -331,7 +331,7 @@ void main() {
      expect(find.text(subject), findsOneWidget);
      // ── Check Inbox ────────────────────────────────────────────────────────
-      await tester.tap(find.byTooltip('Open navigation menu'));
+      await tester.tap(find.byTooltip('Open folders'));
      await tester.pumpAndSettle();
      await tester.tap(find.text('INBOX'));
      await tester.pumpAndSettle();
@@ -0,0 +1 @@
 const int dbSchemaVersion = 41;
@@ -0,0 +1,88 @@
 enum FilterField {
  from_,
  to,
  cc,
  subject,
  size;
  String get label => switch (this) {
        FilterField.from_ => 'From',
        FilterField.to => 'To',
        FilterField.cc => 'CC',
        FilterField.subject => 'Subject',
        FilterField.size => 'Size (bytes)',
      };
  List<FilterComparison> get allowedComparisons => switch (this) {
        FilterField.size => [FilterComparison.over, FilterComparison.under],
        _ => [
            FilterComparison.contains,
            FilterComparison.is_,
            FilterComparison.matches,
          ],
      };
 }
 enum FilterComparison {
  contains,
  is_,
  matches,
  over,
  under;
  String get label => switch (this) {
        FilterComparison.contains => 'contains',
        FilterComparison.is_ => 'is',
        FilterComparison.matches => 'matches',
        FilterComparison.over => 'over',
        FilterComparison.under => 'under',
      };
 }
 enum FilterOperator { and_, or_ }
 sealed class FilterNode {}
 final class FilterLeaf extends FilterNode {
  FilterLeaf({
    required this.field,
    required this.comparison,
    required this.value,
  });
  final FilterField field;
  final FilterComparison comparison;
  final String value;
  FilterLeaf copyWith({
    FilterField? field,
    FilterComparison? comparison,
    String? value,
  }) =>
      FilterLeaf(
        field: field ?? this.field,
        comparison: comparison ?? this.comparison,
        value: value ?? this.value,
      );
 }
 final class FilterGroup extends FilterNode {
  FilterGroup({required this.operator, required this.children});
  final FilterOperator operator;
  final List<FilterNode> children;
  bool get isEmpty => children.isEmpty;
  FilterGroup copyWith({
    FilterOperator? operator,
    List<FilterNode>? children,
  }) =>
      FilterGroup(
        operator: operator ?? this.operator,
        children: children ?? this.children,
      );
  static FilterGroup empty() =>
      FilterGroup(operator: FilterOperator.and_, children: []);
 }
@@ -0,0 +1,358 @@
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 import 'package:sharedinbox/core/sieve/sieve_actions.dart';
 /// Converts a Sieve script (RFC 5228 subset) to a [FilterGroup] + actions,
 /// suitable for display in the visual filter editor.
 ///
 /// Returns null if the script uses features outside the supported subset.
 class FilterSieveConverter {
  ({FilterGroup group, List<SieveAction> actions})? parse(String script) {
    try {
      final s = _Sc(script);
      s.skip();
      if (s.peekWord() == 'require') {
        s.readWord();
        s.skip();
        _parseStringOrList(s);
        s.skip();
        s.expectChar(';');
        s.skip();
      }
      if (s.peekWord() != 'if') return null;
      s.readWord();
      s.skip();
      final node = _parseTest(s);
      if (node == null) return null;
      s.skip();
      s.expectChar('{');
      s.skip();
      final actions = <SieveAction>[];
      while (s.peek() != '}' && !s.isAtEnd) {
        final action = _parseAction(s);
        if (action == null) return null;
        actions.add(action);
        s.skip();
      }
      s.expectChar('}');
      final group = switch (node) {
        final FilterGroup g => g,
        final FilterLeaf l =>
          FilterGroup(operator: FilterOperator.and_, children: [l]),
      };
      return (group: group, actions: actions);
    } catch (_) {
      return null;
    }
  }
  FilterNode? _parseTest(_Sc s) {
    s.skip();
    final word = s.peekWord()?.toLowerCase();
    if (word == null) return null;
    if (word == 'allof' || word == 'anyof') {
      s.readWord();
      s.skip();
      s.expectChar('(');
      final op = word == 'allof' ? FilterOperator.and_ : FilterOperator.or_;
      final children = <FilterNode>[];
      while (true) {
        s.skip();
        if (s.peek() == ')') break;
        final child = _parseTest(s);
        if (child == null) return null;
        children.add(child);
        s.skip();
        if (s.peek() == ',') s.advance();
      }
      s.expectChar(')');
      return FilterGroup(operator: op, children: children);
    }
    return _parseSingleTest(s);
  }
  FilterLeaf? _parseSingleTest(_Sc s) {
    s.skip();
    final word = s.peekWord()?.toLowerCase();
    if (word == null) return null;
    if (word == 'address') {
      s.readWord();
      s.skip();
      final matchType = s.readTaggedArg();
      s.skip();
      final headers = _parseStringOrList(s);
      s.skip();
      final values = _parseStringOrList(s);
      final field = switch (headers.firstOrNull?.toLowerCase()) {
        'from' => FilterField.from_,
        'to' => FilterField.to,
        'cc' => FilterField.cc,
        _ => null,
      };
      if (field == null) return null;
      final comp = _comp(matchType);
      if (comp == null) return null;
      return FilterLeaf(
        field: field,
        comparison: comp,
        value: values.firstOrNull ?? '',
      );
    }
    if (word == 'header') {
      s.readWord();
      s.skip();
      final matchType = s.readTaggedArg();
      s.skip();
      final headers = _parseStringOrList(s);
      s.skip();
      final values = _parseStringOrList(s);
      if (headers.firstOrNull?.toLowerCase() != 'subject') return null;
      final comp = _comp(matchType);
      if (comp == null) return null;
      return FilterLeaf(
        field: FilterField.subject,
        comparison: comp,
        value: values.firstOrNull ?? '',
      );
    }
    if (word == 'size') {
      s.readWord();
      s.skip();
      final compTag = s.readTaggedArg();
      s.skip();
      final numStr = s.readDigits();
      final comp = switch (compTag.toLowerCase()) {
        ':over' => FilterComparison.over,
        ':under' => FilterComparison.under,
        _ => null,
      };
      if (comp == null) return null;
      return FilterLeaf(
        field: FilterField.size,
        comparison: comp,
        value: numStr,
      );
    }
    return null;
  }
  FilterComparison? _comp(String tag) => switch (tag.toLowerCase()) {
        ':contains' => FilterComparison.contains,
        ':is' => FilterComparison.is_,
        ':matches' => FilterComparison.matches,
        _ => null,
      };
  SieveAction? _parseAction(_Sc s) {
    s.skip();
    final word = s.peekWord()?.toLowerCase();
    if (word == null) return null;
    if (word == 'fileinto') {
      s.readWord();
      s.skip();
      final folder = _parseString(s);
      s.skip();
      s.expectChar(';');
      return FileIntoAction(folder);
    }
    if (word == 'keep') {
      s.readWord();
      s.skip();
      s.expectChar(';');
      return KeepAction();
    }
    if (word == 'discard') {
      s.readWord();
      s.skip();
      s.expectChar(';');
      return DiscardAction();
    }
    if (word == 'setflag' || word == 'addflag') {
      s.readWord();
      s.skip();
      final flags = _parseStringOrList(s);
      s.skip();
      s.expectChar(';');
      if (flags.any(
        (f) => f.toLowerCase() == r'\seen' || f.toLowerCase() == r'\\seen',
      )) {
        return MarkAsSeenAction();
      }
      return FlagAction(flags);
    }
    return null;
  }
  List<String> _parseStringOrList(_Sc s) {
    s.skip();
    if (s.peek() == '[') {
      s.advance();
      final items = <String>[];
      while (true) {
        s.skip();
        if (s.peek() == ']') {
          s.advance();
          break;
        }
        items.add(_parseString(s));
        s.skip();
        if (s.peek() == ',') s.advance();
      }
      return items;
    }
    return [_parseString(s)];
  }
  String _parseString(_Sc s) {
    s.skip();
    return s.readQuotedString();
  }
 }
 // Minimal scanner for the supported Sieve subset.
 class _Sc {
  _Sc(this._src);
  final String _src;
  int _pos = 0;
  bool get isAtEnd => _pos >= _src.length;
  String? peek() => isAtEnd ? null : _src[_pos];
  String advance() {
    if (isAtEnd) throw _ScanErr('Unexpected end');
    return _src[_pos++];
  }
  void skip() {
    while (!isAtEnd) {
      final ch = _src[_pos];
      if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') {
        _pos++;
      } else if (ch == '#') {
        while (!isAtEnd && _src[_pos] != '\n') {
          _pos++;
        }
      } else if (_pos + 1 < _src.length && ch == '/' && _src[_pos + 1] == '*') {
        _pos += 2;
        while (_pos + 1 < _src.length) {
          if (_src[_pos] == '*' && _src[_pos + 1] == '/') {
            _pos += 2;
            break;
          }
          _pos++;
        }
      } else {
        break;
      }
    }
  }
  String? peekWord() {
    if (isAtEnd) return null;
    final ch = _src[_pos];
    if ('{}();[],'.contains(ch)) return ch;
    if (ch == ':') {
      var end = _pos + 1;
      while (end < _src.length && _wc(_src[end])) {
        end++;
      }
      return _src.substring(_pos, end).toLowerCase();
    }
    if (_wc(ch)) {
      var end = _pos + 1;
      while (end < _src.length && _wc(_src[end])) {
        end++;
      }
      return _src.substring(_pos, end).toLowerCase();
    }
    return null;
  }
  String readWord() {
    final start = _pos;
    final ch = _src[_pos];
    if ('{}();[],'.contains(ch)) {
      _pos++;
      return ch;
    }
    if (ch == ':') {
      _pos++;
      while (!isAtEnd && _wc(_src[_pos])) {
        _pos++;
      }
    } else {
      while (!isAtEnd && _wc(_src[_pos])) {
        _pos++;
      }
    }
    return _src.substring(start, _pos).toLowerCase();
  }
  String readTaggedArg() {
    if (!isAtEnd && _src[_pos] == ':') return readWord();
    throw _ScanErr('Expected tagged arg at $_pos');
  }
  String readDigits() {
    final start = _pos;
    while (!isAtEnd && _dig(_src[_pos])) {
      _pos++;
    }
    if (_pos == start) throw _ScanErr('Expected digits at $_pos');
    return _src.substring(start, _pos);
  }
  String readQuotedString() {
    if (isAtEnd || _src[_pos] != '"') throw _ScanErr('Expected " at $_pos');
    _pos++;
    final buf = StringBuffer();
    while (!isAtEnd) {
      final ch = _src[_pos];
      if (ch == '"') {
        _pos++;
        return buf.toString();
      }
      if (ch == '\\' && _pos + 1 < _src.length) {
        _pos++;
        buf.write(_src[_pos]);
        _pos++;
      } else {
        buf.write(ch);
        _pos++;
      }
    }
    throw _ScanErr('Unterminated string');
  }
  void expectChar(String ch) {
    skip();
    if (isAtEnd || _src[_pos] != ch) {
      throw _ScanErr(
        'Expected "$ch" at $_pos, got ${isAtEnd ? "EOF" : _src[_pos]}',
      );
    }
    _pos++;
  }
  static bool _wc(String ch) {
    final c = ch.codeUnitAt(0);
    return (c >= 0x41 && c <= 0x5A) ||
        (c >= 0x61 && c <= 0x7A) ||
        (c >= 0x30 && c <= 0x39) ||
        c == 0x5F ||
        c == 0x2D;
  }
  static bool _dig(String ch) {
    final c = ch.codeUnitAt(0);
    return c >= 0x30 && c <= 0x39;
  }
 }
 class _ScanErr implements Exception {
  _ScanErr(this.message);
  final String message;
 }
@@ -192,6 +192,22 @@ class EmailThread {
    required this.accountId,
    required this.mailboxPath,
  });
  /// Wraps a single [Email] as a one-message thread for uniform rendering.
  factory EmailThread.fromEmail(Email e) => EmailThread(
        threadId: e.threadId ?? e.id,
        subject: e.subject,
        participants: e.from,
        latestDate: e.sentAt ?? e.receivedAt,
        messageCount: 1,
        hasUnread: !e.isSeen,
        isFlagged: e.isFlagged,
        latestEmailId: e.id,
        preview: e.preview,
        emailIds: [e.id],
        accountId: e.accountId,
        mailboxPath: e.mailboxPath,
      );
 }
 class EmailAddress {
@@ -0,0 +1,17 @@
 class EmailNote {
  final String id; // UUID (X-SharedInbox-Note-Id)
  final String accountId;
  final String messageId; // RFC 2822 Message-ID (X-SharedInbox-Note-For)
  final String noteText;
  final String serverId; // IMAP UID (as string) or JMAP email ID
  final DateTime createdAt;
  const EmailNote({
    required this.id,
    required this.accountId,
    required this.messageId,
    required this.noteText,
    required this.serverId,
    required this.createdAt,
  });
 }
@@ -0,0 +1,31 @@
 enum MenuPosition { bottom, top }
 enum AfterMailViewAction { nextMessage, showMailbox }
 enum PrefetchMode {
  disabled,
  wifiOnly,
  always;
  static PrefetchMode fromString(String? value) {
    return PrefetchMode.values.firstWhere(
      (e) => e.name == value,
      orElse: () => PrefetchMode.wifiOnly,
    );
  }
 }
 class UserPreferences {
  const UserPreferences({
    this.menuPosition = MenuPosition.bottom,
    this.mailViewButtonPosition = MenuPosition.bottom,
    this.afterMailViewAction = AfterMailViewAction.nextMessage,
    this.prefetchMode = PrefetchMode.wifiOnly,
    this.bodyCacheLimitMb = 100,
  });
  final MenuPosition menuPosition;
  final MenuPosition mailViewButtonPosition;
  final AfterMailViewAction afterMailViewAction;
  final PrefetchMode prefetchMode;
  final int bodyCacheLimitMb;
 }
@@ -1,3 +1,4 @@
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 import 'package:sharedinbox/core/models/email.dart';
 abstract class EmailRepository {
@@ -15,6 +16,10 @@ abstract class EmailRepository {
    int limit = 50,
  });
  /// Returns threads from the INBOX mailbox of every account, sorted by latest
  /// message date descending. Inbox mailboxes are identified by role = 'inbox'.
  Stream<List<EmailThread>> observeAllInboxThreads({int limit = 50});
  /// Returns all emails belonging to [threadId] in [mailboxPath].
  Stream<List<Email>> observeEmailsInThread(
    String accountId,
@@ -54,9 +59,15 @@ abstract class EmailRepository {
  );
  /// Searches the local DB across all mailboxes of [accountId] (or all accounts
-  /// if null) by subject and preview. Fast, works offline.
+  /// if null) by subject, preview, and notes. Fast, works offline.
  Future<List<Email>> searchEmailsGlobal(String? accountId, String query);
  /// Searches the local DB using a structured [FilterGroup]. Fast, works offline.
  Future<List<Email>> searchEmailsStructured(
    String? accountId,
    FilterGroup filter,
  );
  /// Returns all locally cached emails in any mailbox of [accountId] (or all
  /// accounts if null) whose from, to, or cc fields contain [address].
  Future<List<Email>> getEmailsByAddress(String? accountId, String address);
@@ -11,4 +11,17 @@ abstract class MailboxRepository {
  /// Deletes all locally-cached mailbox rows for [accountId].
  Future<void> clearForResync(String accountId);
  /// Creates a new mailbox named [name] for [accountId] and tags it with
  /// [role] in the local database. For JMAP accounts the role is also sent
  /// to the server. Returns the newly created [Mailbox].
  Future<Mailbox> createMailboxWithRole(
    String accountId,
    String name,
    String role,
  );
  /// Creates a new mailbox named [name] for [accountId] without a special role.
  /// Returns the newly created [Mailbox].
  Future<Mailbox> createMailbox(String accountId, String name);
 }
@@ -0,0 +1,15 @@
 import 'package:sharedinbox/core/models/note.dart';
 abstract class NoteRepository {
  /// Stream of notes for an email, keyed by [messageId] (stable across moves).
  Stream<List<EmailNote>> observeNotes(String accountId, String messageId);
  /// Fetches notes from the server into the local cache.
  Future<void> syncNotes(String accountId, String messageId);
  /// Creates a new note on the server and caches it locally.
  Future<void> addNote(String accountId, String messageId, String text);
  /// Deletes a note from the server and removes it from the local cache.
  Future<void> deleteNote(String noteId);
 }
@@ -19,6 +19,8 @@ class SyncLogEntry {
    required this.id,
    required this.result,
    this.errorMessage,
    this.stackTrace,
    this.isPermanent = false,
    required this.protocol,
    required this.emailsFetched,
    required this.emailsSkipped,
@@ -34,6 +36,8 @@ class SyncLogEntry {
  final int id;
  final String result; // 'ok' or 'error'
  final String? errorMessage;
  final String? stackTrace;
  final bool isPermanent;
  final String protocol; // 'imap' or 'jmap'
  final int emailsFetched;
  final int emailsSkipped;
@@ -54,6 +58,8 @@ abstract class SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
    String? stackTrace,
    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -81,6 +87,8 @@ class NoOpSyncLogRepository implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
    String? stackTrace,
    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -0,0 +1,14 @@
 import 'package:sharedinbox/core/models/user_preferences.dart';
 abstract class UserPreferencesRepository {
  Stream<UserPreferences> observePreferences();
  Future<void> updateMenuPosition(MenuPosition position);
  Future<void> updateMailViewButtonPosition(MenuPosition position);
  Future<void> updateAfterMailViewAction(AfterMailViewAction action);
  Future<void> updatePrefetchMode(PrefetchMode mode);
  Future<void> updateBodyCacheLimitMb(int mb);
  Stream<List<String>> observeTrustedImageSenders();
  Future<void> addTrustedImageSender(String senderEmail);
  Future<void> removeTrustedImageSender(String senderEmail);
 }
@@ -0,0 +1,82 @@
 import 'package:drift/drift.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/data/repositories/email_repository_impl.dart';
 /// Prefetches email bodies in the background and enforces a local cache size
 /// limit by evicting the oldest cached bodies when the limit is exceeded.
 class BodyCacheService {
  BodyCacheService(this._db, this._accountRepo);
  final AppDatabase _db;
  final AccountRepository _accountRepo;
  static const _batchSize = 20;
  Future<void> run() async {
    final prefs = await (_db.select(
      _db.userPreferences,
    )).getSingleOrNull();
    final limitMb = prefs?.bodyCacheLimitMb ?? 100;
    final limitBytes = limitMb * 1024 * 1024;
    await _evictIfNeeded(limitBytes);
    final candidates = await _fetchCandidates();
    if (candidates.isEmpty) return;
    final emailRepo = EmailRepositoryImpl(_db, _accountRepo);
    for (final emailId in candidates) {
      final currentSize = await _getCacheSizeBytes();
      if (currentSize >= limitBytes) break;
      try {
        await emailRepo.getEmailBody(emailId);
      } catch (_) {
        // Skip emails that fail to fetch.
      }
    }
  }
  Future<void> _evictIfNeeded(int limitBytes) async {
    final currentSize = await _getCacheSizeBytes();
    if (currentSize <= limitBytes) return;
    final bodies = await (_db.select(_db.emailBodies)
          ..where((t) => t.cachedAt.isNotNull())
          ..orderBy([(t) => OrderingTerm.asc(t.cachedAt)]))
        .get();
    var remaining = currentSize;
    for (final body in bodies) {
      if (remaining <= limitBytes) break;
      final bodySize =
          (body.textBody?.length ?? 0) + (body.htmlBody?.length ?? 0);
      await (_db.delete(_db.emailBodies)
            ..where((t) => t.emailId.equals(body.emailId)))
          .go();
      remaining -= bodySize;
    }
  }
  Future<int> _getCacheSizeBytes() async {
    final result = await _db
        .customSelect(
          "SELECT COALESCE(SUM(LENGTH(COALESCE(text_body, '')) + LENGTH(COALESCE(html_body, ''))), 0) AS total FROM email_bodies",
        )
        .getSingle();
    return result.read<int>('total');
  }
  Future<List<String>> _fetchCandidates() async {
    final rows = await _db.customSelect(
      'SELECT e.id FROM emails e '
      'LEFT JOIN email_bodies eb ON eb.email_id = e.id '
      'WHERE eb.email_id IS NULL '
      'ORDER BY e.received_at DESC '
      'LIMIT ?',
      variables: [Variable.withInt(_batchSize)],
    ).get();
    return rows.map((r) => r.read<String>('id')).toList();
  }
 }
@@ -92,8 +92,9 @@ class ShareEncryptionService {
  ) {
    if (!s.startsWith(_pubKeyPrefix)) return null;
    try {
-      final data =
+      final data = Uint8List.fromList(
-          Uint8List.fromList(base64.decode(s.substring(_pubKeyPrefix.length)));
+        base64.decode(s.substring(_pubKeyPrefix.length)),
      );
      if (data.length != _keyIdLen + _pubKeyLen) return null;
      return (
        keyId: data.sublist(0, _keyIdLen),
@@ -1,6 +1,7 @@
 import 'package:sharedinbox/core/sieve/sieve_actions.dart';
 import 'package:sharedinbox/core/sieve/sieve_conditions.dart';
 import 'package:sharedinbox/core/sieve/sieve_rule.dart';
 import 'package:sharedinbox/core/utils/glob_match.dart';
 /// A lightweight email representation used by [SieveInterpreter].
 /// Header names are lower-cased.
@@ -102,17 +103,11 @@ class SieveInterpreter {
    return switch (matchType) {
      ':contains' => k.isEmpty || v.contains(k),
      ':is' => v == k,
-      ':matches' => _globMatch(v, k),
+      ':matches' => globMatch(v, k),
      _ => false,
    };
  }
  bool _globMatch(String value, String pattern) {
    final regexStr =
        RegExp.escape(pattern).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
    return RegExp('^$regexStr\$').hasMatch(value);
  }
  void _applyActions(List<SieveAction> actions, SieveExecutionContext ctx) {
    for (final action in actions) {
      switch (action) {
@@ -466,9 +466,7 @@ class _Scanner {
  String readTaggedArg() {
    if (!isAtEnd && _src[_pos] == ':') return readWord();
-    throw SieveParseException(
+    throw SieveParseException('Expected tagged argument at position $_pos');
      'Expected tagged argument at position $_pos',
    );
  }
  String? peekSizeUnit() {
@@ -480,9 +478,7 @@ class _Scanner {
  String readDigits() {
    if (isAtEnd || !_isDigit(_src[_pos])) {
-      throw SieveParseException(
+      throw SieveParseException('Expected number at position $_pos');
        'Expected number at position $_pos',
      );
    }
    final start = _pos;
    while (!isAtEnd && _isDigit(_src[_pos])) {
@@ -493,9 +489,7 @@ class _Scanner {
  String readQuotedString() {
    if (_src[_pos] != '"') {
-      throw SieveParseException(
+      throw SieveParseException('Expected " at position $_pos');
        'Expected " at position $_pos',
      );
    }
    _pos++; // skip opening quote
    final buf = StringBuffer();
@@ -0,0 +1,100 @@
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 import 'package:sharedinbox/core/sieve/sieve_actions.dart';
 /// Serialises a [FilterGroup] + list of [SieveAction]s to a Sieve script
 /// (RFC 5228 subset).
 class SieveSerializer {
  String serialize(FilterGroup filter, List<SieveAction> actions) {
    final buf = StringBuffer();
    final requires = _collectRequires(actions);
    if (requires.isNotEmpty) {
      buf.writeln(
        'require [${requires.map((r) => '"$r"').join(', ')}];',
      );
    }
    if (filter.isEmpty) {
      for (final a in actions) {
        buf.writeln(_serializeAction(a));
      }
      return buf.toString();
    }
    buf.write('if ');
    buf.write(_serializeNode(filter));
    buf.writeln(' {');
    for (final a in actions) {
      buf.writeln('    ${_serializeAction(a)}');
    }
    buf.writeln('}');
    return buf.toString();
  }
  List<String> _collectRequires(List<SieveAction> actions) {
    final req = <String>[];
    for (final a in actions) {
      if (a is FileIntoAction && !req.contains('fileinto')) req.add('fileinto');
      if ((a is FlagAction || a is MarkAsSeenAction) &&
          !req.contains('imap4flags')) {
        req.add('imap4flags');
      }
    }
    return req;
  }
  String _serializeNode(FilterNode node) => switch (node) {
        final FilterLeaf leaf => _serializeLeaf(leaf),
        final FilterGroup group => _serializeGroup(group),
      };
  String _serializeGroup(FilterGroup group) {
    if (group.isEmpty) return 'true';
    if (group.children.length == 1) return _serializeNode(group.children.first);
    final op = group.operator == FilterOperator.and_ ? 'allof' : 'anyof';
    final parts = group.children.map(_serializeNode).join(',\n    ');
    return '$op(\n    $parts\n)';
  }
  String _serializeLeaf(FilterLeaf leaf) => switch (leaf.field) {
        FilterField.from_ ||
        FilterField.to ||
        FilterField.cc =>
          _serializeAddressLeaf(leaf),
        FilterField.subject => _serializeHeaderLeaf(leaf),
        FilterField.size => _serializeSizeLeaf(leaf),
      };
  String _serializeAddressLeaf(FilterLeaf leaf) {
    final header = switch (leaf.field) {
      FilterField.from_ => 'from',
      FilterField.to => 'to',
      FilterField.cc => 'cc',
      _ => throw StateError('not an address field'),
    };
    return 'address ${_matchType(leaf.comparison)} "$header" "${_esc(leaf.value)}"';
  }
  String _serializeHeaderLeaf(FilterLeaf leaf) =>
      'header ${_matchType(leaf.comparison)} "subject" "${_esc(leaf.value)}"';
  String _serializeSizeLeaf(FilterLeaf leaf) {
    final comp = leaf.comparison == FilterComparison.over ? ':over' : ':under';
    return 'size $comp ${leaf.value}';
  }
  String _matchType(FilterComparison comp) => switch (comp) {
        FilterComparison.contains => ':contains',
        FilterComparison.is_ => ':is',
        FilterComparison.matches => ':matches',
        _ => ':contains',
      };
  String _serializeAction(SieveAction action) => switch (action) {
        final FileIntoAction a => 'fileinto "${_esc(a.folder)}";',
        KeepAction() => 'keep;',
        DiscardAction() => 'discard;',
        MarkAsSeenAction() => r'setflag "\\Seen";',
        final FlagAction a =>
          'addflag [${a.flags.map((f) => '"${_esc(f)}"').join(', ')}];',
      };
  String _esc(String s) => s.replaceAll(r'\', r'\\').replaceAll('"', r'\"');
 }
@@ -1,6 +1,7 @@
 import 'dart:async';
 import 'package:enough_mail/enough_mail.dart' as imap;
 import 'package:flutter/services.dart' show MissingPluginException;
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart' show SyncEmailsResult;
 import 'package:sharedinbox/core/repositories/account_repository.dart';
@@ -259,6 +260,8 @@ class _AccountSync implements _SyncLoop {
            accountId: account.id,
            success: false,
            errorMessage: e.toString(),
            stackTrace: st.toString(),
            isPermanent: isPermanent,
            protocol: 'imap',
            emailsFetched: 0,
            emailsSkipped: 0,
@@ -294,6 +297,7 @@ class _AccountSync implements _SyncLoop {
  bool _isPermanentError(Object e) {
    if (isTlsConfigError(e)) return true;
    if (e is MissingPluginException) return true;
    final s = e.toString().toLowerCase();
    // enough_mail doesn't always have typed exceptions for auth, so we check strings.
    return s.contains('invalid credentials') ||
@@ -511,6 +515,8 @@ class _JmapAccountSync implements _SyncLoop {
            accountId: account.id,
            success: false,
            errorMessage: e.toString(),
            stackTrace: st.toString(),
            isPermanent: isPermanent,
            protocol: 'jmap',
            emailsFetched: 0,
            emailsSkipped: 0,
@@ -546,6 +552,7 @@ class _JmapAccountSync implements _SyncLoop {
  bool _isPermanentError(Object e) {
    if (isTlsConfigError(e)) return true;
    if (e is MissingPluginException) return true;
    final s = e.toString().toLowerCase();
    return s.contains('invalid credentials') ||
        s.contains('authentication failed') ||
@@ -6,11 +6,14 @@ import 'package:drift/drift.dart';
 import 'package:drift/native.dart';
 import 'package:enough_mail/enough_mail.dart' as imap;
 import 'package:flutter/services.dart';
 import 'package:flutter/widgets.dart';
 import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
 import 'package:sharedinbox/core/models/account.dart' as model;
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/services/body_cache_service.dart';
 import 'package:sharedinbox/core/services/notification_service.dart';
 import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
@@ -20,13 +23,21 @@ import 'package:sharedinbox/data/storage/flutter_secure_storage_impl.dart';
 import 'package:workmanager/workmanager.dart';
 const _kTaskName = 'si_bg_sync';
 const _kPrefetchTaskName = 'si_bg_prefetch';
 const _kResourceType = 'background_check';
@pragma('vm:entry-point')
 void callbackDispatcher() {
-  Workmanager().executeTask((_, __) async {
+  // Required so that path_provider and other plugins are available in this
  // background isolate (issue #192).
  WidgetsFlutterBinding.ensureInitialized();
  Workmanager().executeTask((taskName, __) async {
    try {
-      await _doBackgroundSync();
+      if (taskName == _kPrefetchTaskName) {
        await _doBodyPrefetch();
      } else {
        await _doBackgroundSync();
      }
    } catch (_) {}
    return true;
  });
@@ -51,6 +62,31 @@ Future<void> registerBackgroundSync() async {
  }
 }
 /// Registers (or cancels) the body-prefetch WorkManager task based on [mode].
 /// Call on app startup and whenever the user changes the prefetch preference.
 Future<void> registerBodyPrefetchTask(PrefetchMode mode) async {
  try {
    if (mode == PrefetchMode.disabled) {
      await Workmanager().cancelByUniqueName(_kPrefetchTaskName);
      return;
    }
    final networkType = mode == PrefetchMode.wifiOnly
        ? NetworkType.unmetered
        : NetworkType.connected;
    await Workmanager().registerPeriodicTask(
      _kPrefetchTaskName,
      _kPrefetchTaskName,
      frequency: const Duration(hours: 1),
      constraints: Constraints(networkType: networkType),
      existingWorkPolicy: ExistingPeriodicWorkPolicy.replace,
    );
  } on PlatformException {
    // Ignore — WorkManager unavailable.
  } on MissingPluginException {
    // Ignore — plugin not registered.
  } catch (_) {}
 }
 Future<void> _doBackgroundSync() async {
  final dir = await getApplicationSupportDirectory();
  final db = AppDatabase(
@@ -72,6 +108,22 @@ Future<void> _doBackgroundSync() async {
  }
 }
 Future<void> _doBodyPrefetch() async {
  final dir = await getApplicationSupportDirectory();
  final db = AppDatabase(
    NativeDatabase(File(p.join(dir.path, 'sharedinbox.db'))),
  );
  try {
    final accountRepo = AccountRepositoryImpl(
      db,
      const FlutterSecureStorageImpl(),
    );
    await BodyCacheService(db, accountRepo).run();
  } finally {
    await db.close();
  }
 }
 Future<void> _checkAccount(
  AppDatabase db,
  AccountRepository accountRepo,
@@ -35,10 +35,7 @@ String injectInlineImages(String html, imap.MimeMessage msg) {
        .replaceAll('src="cid:$bareCid"', 'src="$dataUri"')
        .replaceAll("src='cid:$bareCid'", "src='$dataUri'")
        .replaceAll('src="cid:${bareCid.toLowerCase()}"', 'src="$dataUri"')
-        .replaceAll(
+        .replaceAll("src='cid:${bareCid.toLowerCase()}'", "src='$dataUri'");
          "src='cid:${bareCid.toLowerCase()}'",
          "src='$dataUri'",
        );
  }
  return result;
 }
@@ -0,0 +1,9 @@
 /// Returns true if [value] matches the glob [pattern].
 ///
 /// Supports `*` (any number of characters) and `?` (exactly one character).
 /// The comparison is case-insensitive, which is appropriate for email addresses.
 bool globMatch(String value, String pattern) {
  final regexStr =
      RegExp.escape(pattern).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
  return RegExp('^$regexStr\$', caseSensitive: false).hasMatch(value);
 }
@@ -6,6 +6,8 @@ import 'package:drift/native.dart';
 import 'package:flutter/services.dart';
 import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
 import 'package:sharedinbox/core/db_schema_version.dart';
 import 'package:sqlite3/sqlite3.dart' show Database;
 part 'database.g.dart';
@@ -192,6 +194,9 @@ class SyncLogs extends Table {
  DateTimeColumn get finishedAt => dateTime()();
  // Added in schema v13: raw protocol log when account.verbose == true.
  TextColumn get protocolLog => text().nullable()();
  // Added in schema v33: stack trace and permanent flag for error entries.
  TextColumn get errorStackTrace => text().nullable()();
  BoolColumn get isPermanent => boolean().withDefault(const Constant(false))();
 }
 /// Per-mailbox breakdown for a single sync cycle.
@@ -303,6 +308,71 @@ class LocalSieveApplied extends Table {
  Set<Column> get primaryKey => {accountId, messageId};
 }
 /// Senders for whom remote images are loaded automatically.
 /// Per-device/per-user — not tied to any email account.
@DataClassName('ImageTrustedSenderRow')
 class ImageTrustedSenders extends Table {
  TextColumn get senderEmail => text()();
  DateTimeColumn get addedAt => dateTime()();
  @override
  Set<Column> get primaryKey => {senderEmail};
 }
 /// Per-email notes stored server-side (IMAP Notes folder / JMAP Notes mailbox).
 /// Keyed by the RFC 2822 Message-ID header so notes survive folder moves.
 // Added in schema v39.
@DataClassName('EmailNoteRow')
 class EmailNotes extends Table {
  // UUID matching the X-SharedInbox-Note-Id custom header on the server.
  TextColumn get id => text()();
  TextColumn get accountId =>
      text().references(Accounts, #id, onDelete: KeyAction.cascade)();
  // X-SharedInbox-Note-For value — stable across IMAP folder moves.
  TextColumn get messageId => text()();
  TextColumn get noteText => text()();
  // IMAP UID (as string) or JMAP email ID of the note message on the server.
  TextColumn get serverId => text()();
  DateTimeColumn get createdAt => dateTime()();
  @override
  Set<Column> get primaryKey => {id};
 }
 /// Records the first time the user ran each app version (identified by GIT_HASH).
 /// Added in schema v40.
@DataClassName('InstalledVersionRow')
 class InstalledVersions extends Table {
  TextColumn get gitHash => text()();
  DateTimeColumn get installedAt => dateTime()();
  @override
  Set<Column> get primaryKey => {gitHash};
 }
 /// App-wide user preferences, stored as a singleton row (id always 1).
@DataClassName('UserPreferencesRow')
 class UserPreferences extends Table {
  IntColumn get id => integer()();
  // 'bottom' (default) | 'top'
  TextColumn get menuPosition => text().withDefault(const Constant('bottom'))();
  // Added in schema v35: 'bottom' (default) | 'top'
  TextColumn get mailViewButtonPosition =>
      text().withDefault(const Constant('bottom'))();
  // Added in schema v36: 'nextMessage' (default) | 'showMailbox'
  TextColumn get afterMailViewAction =>
      text().withDefault(const Constant('nextMessage'))();
  // Added in schema v38: 'disabled' | 'wifiOnly' (default) | 'always'
  TextColumn get prefetchMode =>
      text().withDefault(const Constant('wifiOnly'))();
  // Added in schema v38: max cache size for offline email bodies, in megabytes.
  IntColumn get bodyCacheLimitMb =>
      integer().withDefault(const Constant(100))();
  @override
  Set<Column> get primaryKey => {id};
 }
 // ── Database ──────────────────────────────────────────────────────────────────
@DriftDatabase(
@@ -323,13 +393,17 @@ class LocalSieveApplied extends Table {
    LocalSieveScripts,
    LocalSieveApplied,
    ShareKeys,
    UserPreferences,
    ImageTrustedSenders,
    EmailNotes,
    InstalledVersions,
  ],
 )
 class AppDatabase extends _$AppDatabase {
  AppDatabase([QueryExecutor? executor]) : super(executor ?? _openConnection());
  @override
-  int get schemaVersion => 32;
+  int get schemaVersion => dbSchemaVersion;
  Future<void> _createEmailFts() async {
    await customStatement('''
@@ -570,8 +644,172 @@ class AppDatabase extends _$AppDatabase {
          if (from < 32) {
            await m.createTable(localSieveApplied);
          }
          if (from >= 7 && from < 33) {
            await m.addColumn(syncLogs, syncLogs.errorStackTrace);
            await m.addColumn(syncLogs, syncLogs.isPermanent);
          }
          if (from < 34) {
            await m.createTable(userPreferences);
          }
          if (from >= 34 && from < 35) {
            await m.addColumn(
              userPreferences,
              userPreferences.mailViewButtonPosition,
            );
          }
          if (from >= 34 && from < 36) {
            await m.addColumn(
              userPreferences,
              userPreferences.afterMailViewAction,
            );
          }
          if (from < 37) {
            await m.createTable(imageTrustedSenders);
          }
          if (from >= 34 && from < 38) {
            await m.addColumn(userPreferences, userPreferences.prefetchMode);
            await m.addColumn(
              userPreferences,
              userPreferences.bodyCacheLimitMb,
            );
          }
          if (from < 39) {
            await m.createTable(emailNotes);
          }
          if (from < 40) {
            await m.createTable(installedVersions);
          }
          if (from < 41) {
            // Fix IMAP email IDs to include mailboxPath, preventing UID
            // collisions across mailboxes (IMAP UIDs are mailbox-scoped).
            // New format: "accountId:mailboxPath:uid" (was "accountId:uid").
            //
            // defer_foreign_keys defers the email_bodies→emails FK check
            // to COMMIT so the two tables can be updated sequentially inside
            // the migration transaction without a transient FK violation.
            await customStatement('PRAGMA defer_foreign_keys = ON');
            // 1. Remap email_bodies.email_id before emails.id changes.
            await customStatement('''
              UPDATE email_bodies
              SET email_id = (
                SELECT e.account_id || ':' || e.mailbox_path || ':' || CAST(e.uid AS TEXT)
                FROM emails e
                JOIN accounts a ON a.id = e.account_id
                WHERE e.id = email_bodies.email_id
                  AND a.account_type = 'imap'
              )
              WHERE EXISTS (
                SELECT 1 FROM emails e
                JOIN accounts a ON a.id = e.account_id
                WHERE e.id = email_bodies.email_id
                  AND a.account_type = 'imap'
              )
            ''');
            // 2. Update emails.thread_id where it was set to the email's own
            //    id (fallback for messages with no Message-ID header).
            await customStatement('''
              UPDATE emails
              SET thread_id = account_id || ':' || mailbox_path || ':' || CAST(uid AS TEXT)
              WHERE account_id IN (SELECT id FROM accounts WHERE account_type = 'imap')
                AND thread_id = id
            ''');
            // 3. Update the primary key on emails.
            await customStatement('''
              UPDATE emails
              SET id = account_id || ':' || mailbox_path || ':' || CAST(uid AS TEXT)
              WHERE account_id IN (
                SELECT id FROM accounts WHERE account_type = 'imap'
              )
            ''');
            // 5. Rebuild threads for IMAP accounts from the updated email rows.
            //    The threads table stores denormalised data (latest_email_id,
            //    email_ids_json) that references email IDs, so it is simpler to
            //    delete and reconstruct than to patch the JSON in SQL.
            await customStatement('''
              DELETE FROM threads
              WHERE account_id IN (SELECT id FROM accounts WHERE account_type = 'imap')
            ''');
            final imapAccounts = await (select(accounts)
                  ..where((t) => t.accountType.equals('imap')))
                .get();
            for (final acct in imapAccounts) {
              final emailRows = await (select(emails)
                    ..where((t) => t.accountId.equals(acct.id)))
                  .get();
              final groups = <String, List<Email>>{};
              for (final row in emailRows) {
                final key = '${row.mailboxPath}:${row.threadId ?? row.id}';
                groups.putIfAbsent(key, () => []).add(row);
              }
              for (final threadEmails in groups.values) {
                threadEmails.sort((a, b) {
                  final da = a.sentAt ?? a.receivedAt;
                  final db = b.sentAt ?? b.receivedAt;
                  return da.compareTo(db);
                });
                final latest = threadEmails.last;
                final seen = <String>{};
                final participants = <Map<String, dynamic>>[];
                for (final e in threadEmails) {
                  final from = jsonDecode(e.fromJson) as List<dynamic>;
                  for (final a in from.cast<Map<String, dynamic>>()) {
                    final email = a['email'] as String;
                    if (seen.add(email)) {
                      participants.add({'name': a['name'], 'email': email});
                    }
                  }
                }
                await into(threads).insert(
                  ThreadsCompanion.insert(
                    id: latest.threadId ?? latest.id,
                    accountId: latest.accountId,
                    mailboxPath: latest.mailboxPath,
                    subject: Value(latest.subject),
                    latestDate: latest.sentAt ?? latest.receivedAt,
                    messageCount: Value(threadEmails.length),
                    hasUnread: Value(threadEmails.any((e) => !e.isSeen)),
                    isFlagged: Value(threadEmails.any((e) => e.isFlagged)),
                    participantsJson: Value(jsonEncode(participants)),
                    preview: Value(latest.preview),
                    latestEmailId: latest.id,
                    emailIdsJson: Value(
                      jsonEncode(threadEmails.map((e) => e.id).toList()),
                    ),
                  ),
                );
              }
            }
          }
        },
      );
  /// Inserts a row for [gitHash] the first time that version is seen.
  /// Subsequent calls for the same hash are silently ignored so the original
  /// install timestamp is preserved.
  Future<void> recordInstalledVersionIfNew(String gitHash) async {
    if (gitHash.isEmpty) return;
    await into(installedVersions).insert(
      InstalledVersionsCompanion.insert(
        gitHash: gitHash,
        installedAt: DateTime.now(),
      ),
      mode: InsertMode.insertOrIgnore,
    );
  }
  Future<Map<String, DateTime>> loadInstalledVersions() async {
    final rows = await select(installedVersions).get();
    return {for (final r in rows) r.gitHash: r.installedAt};
  }
 }
 // Resolved once in main() via initDatabasePath() before runApp().
@@ -609,6 +847,17 @@ Future<String> _resolveDatabasePath() async {
      await Future<void>.delayed(Duration(milliseconds: ms));
    }
  }
  // On Android, path_provider can be permanently broken on some devices
  // regardless of how long we wait (issue #192).  Derive the path from
  // /proc/self/cmdline (the Android process name == package name) without
  // a platform channel as a last resort so the app can still open its DB.
  if (Platform.isAndroid) {
    final fallback = await _androidFallbackPath();
    if (fallback != null) {
      _dbPath = fallback;
      return _dbPath!;
    }
  }
  throw PlatformException(
    code: 'channel-error',
    message: 'path_provider unavailable after ${delays.length + 1} attempts — '
@@ -616,23 +865,73 @@ Future<String> _resolveDatabasePath() async {
  );
 }
-// These two functions are only called from unit tests (database_path_test.dart).
+// Reads /proc/self/cmdline to extract the Android package name, then
 // constructs the standard app files-dir path without a platform channel.
 // Returns null when the path cannot be determined or created.
 Future<String?> _androidFallbackPath() async {
  try {
    final bytes = await File('/proc/self/cmdline').readAsBytes();
    final end = bytes.indexOf(0);
    final packageName = String.fromCharCodes(
      end >= 0 ? bytes.sublist(0, end) : bytes,
    ).trim();
    // A valid Android package name contains dots but not slashes.
    if (packageName.isEmpty ||
        !packageName.contains('.') ||
        packageName.contains('/')) {
      return null;
    }
    for (final base in [
      '/data/user/0/$packageName/files',
      '/data/data/$packageName/files',
    ]) {
      try {
        await Directory(base).create(recursive: true);
        return p.join(base, 'sharedinbox.db');
      } catch (_) {
        continue;
      }
    }
    return null;
  } catch (_) {
    return null;
  }
 }
 // These functions are only called from unit tests (database_path_test.dart).
 // They expose internals that cannot be reached via the public API.
 Future<String> resolveDatabasePathForTesting() => _resolveDatabasePath();
 void resetDatabasePathForTesting() => _dbPath = null;
 Future<String?> androidFallbackPathForTesting() => _androidFallbackPath();
 /// Configures PRAGMAs on a newly opened SQLite connection.
 ///
 /// busy_timeout must come first so subsequent statements retry on SQLITE_BUSY
 /// instead of immediately failing.
 ///
 /// journal_mode = WAL is wrapped in a try/catch because a concurrent
 /// WorkManager background task may already have the DB open when the app
 /// starts.  SQLITE_BUSY_SNAPSHOT (extended code 261, primary code 5) is
 /// returned in that situation; it only occurs when the DB is already in WAL
 /// mode, so the pragma would be a no-op anyway and it is safe to continue.
 void _setupPragmas(Database db) {
  db.execute('PRAGMA busy_timeout = 5000;');
  try {
    db.execute('PRAGMA journal_mode = WAL;');
  } on SqliteException catch (e) {
    // resultCode strips the extended bits: both SQLITE_BUSY (5) and
    // SQLITE_BUSY_SNAPSHOT (261) reduce to 5.  Re-throw anything else.
    if (e.resultCode != 5) rethrow;
  }
 }
 LazyDatabase _openConnection() {
  return LazyDatabase(() async {
    final file = File(await _resolveDatabasePath());
-    return NativeDatabase.createInBackground(
+    return NativeDatabase.createInBackground(file, setup: _setupPragmas);
      file,
      setup: (db) {
        // WAL lets readers and writers proceed concurrently (different account
        // sync loops share the same DB).  busy_timeout makes SQLite retry for
        // up to 5 s instead of immediately returning SQLITE_BUSY.
        db.execute('PRAGMA journal_mode = WAL;');
        db.execute('PRAGMA busy_timeout = 5000;');
      },
    );
  });
 }
 // Exposed so tests can run the exact production setup logic on a raw
 // sqlite3 connection (same pattern as resolveDatabasePathForTesting).
 void setupPragmasForTesting(Database db) => _setupPragmas(db);
@@ -9,8 +9,9 @@ class LocalSieveRepository {
  final AppDatabase _db;
  Future<List<SieveScript>> listScripts(String accountId) async {
-    final rows = await (_db.select(_db.localSieveScripts)
+    final rows = await (_db.select(
-          ..where((t) => t.accountId.equals(accountId)))
+      _db.localSieveScripts,
    )..where((t) => t.accountId.equals(accountId)))
        .get();
    return rows
        .map(
@@ -26,10 +27,9 @@ class LocalSieveRepository {
  Future<String> getScriptContent(String accountId, String blobId) async {
    final rowId = int.parse(blobId);
-    final row = await (_db.select(_db.localSieveScripts)
+    final row = await (_db.select(
-          ..where(
+      _db.localSieveScripts,
-            (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
+    )..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
          ))
        .getSingleOrNull();
    if (row == null) throw Exception('Local script not found: $blobId');
    return row.content;
@@ -44,9 +44,7 @@ class LocalSieveRepository {
    if (id != null) {
      final rowId = int.parse(id);
      await (_db.update(_db.localSieveScripts)
-            ..where(
+            ..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
              (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
            ))
          .write(
        LocalSieveScriptsCompanion(
          name: Value(name),
@@ -78,10 +76,9 @@ class LocalSieveRepository {
  Future<void> deleteScript(String accountId, String scriptId) async {
    final rowId = int.parse(scriptId);
-    await (_db.delete(_db.localSieveScripts)
+    await (_db.delete(
-          ..where(
+      _db.localSieveScripts,
-            (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
+    )..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
          ))
        .go();
  }
@@ -92,9 +89,7 @@ class LocalSieveRepository {
          .write(const LocalSieveScriptsCompanion(isActive: Value(false)));
      final rowId = int.parse(scriptId);
      await (_db.update(_db.localSieveScripts)
-            ..where(
+            ..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
              (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
            ))
          .write(const LocalSieveScriptsCompanion(isActive: Value(true)));
    });
  }
@@ -9,11 +9,8 @@ import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
 class DraftRepositoryImpl implements DraftRepository {
-  DraftRepositoryImpl(
+  DraftRepositoryImpl(this._db, this._accounts, {ImapConnectFn? imapConnect})
-    this._db,
+      : _imapConnect = imapConnect;
    this._accounts, {
    ImapConnectFn? imapConnect,
  }) : _imapConnect = imapConnect;
  final AppDatabase _db;
  final AccountRepository _accounts;
@@ -124,10 +121,7 @@ class DraftRepositoryImpl implements DraftRepository {
    }
  }
-  Future<void> _syncWithServer(
+  Future<void> _syncWithServer(imap.ImapClient client, String accountId) async {
    imap.ImapClient client,
    String accountId,
  ) async {
    // Create/select the Drafts folder.
    try {
      await client.createMailbox('Drafts');
@@ -162,8 +156,9 @@ class DraftRepositoryImpl implements DraftRepository {
          ? uidList.first.toString()
          : null;
      if (uid != null) {
-        await (_db.update(_db.drafts)..where((t) => t.id.equals(row.id)))
+        await (_db.update(_db.drafts)..where((t) => t.id.equals(row.id))).write(
-            .write(DraftsCompanion(imapServerId: Value(uid)));
+          DraftsCompanion(imapServerId: Value(uid)),
        );
      }
    }
@@ -9,6 +9,7 @@ import 'package:http/http.dart' as http;
 import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 import 'package:sharedinbox/core/models/account.dart' as account_model;
 import 'package:sharedinbox/core/models/email.dart' as model;
 import 'package:sharedinbox/core/repositories/account_repository.dart';
@@ -95,6 +96,26 @@ class EmailRepositoryImpl implements EmailRepository {
        .map((rows) => rows.map(_threadRowToModel).toList());
  }
  @override
  Stream<List<model.EmailThread>> observeAllInboxThreads({int limit = 50}) {
    final query = _db.select(_db.threads).join([
      innerJoin(
        _db.mailboxes,
        _db.mailboxes.accountId.equalsExp(_db.threads.accountId) &
            _db.mailboxes.path.equalsExp(_db.threads.mailboxPath),
      ),
    ]);
    query
      ..where(_db.mailboxes.role.equals('inbox'))
      ..orderBy([OrderingTerm.desc(_db.threads.latestDate)])
      ..limit(limit);
    return query.watch().map(
          (rows) => rows
              .map((row) => _threadRowToModel(row.readTable(_db.threads)))
              .toList(),
        );
  }
  model.EmailThread _threadRowToModel(ThreadRow row) {
    List<model.EmailAddress> parseAddresses(String json) {
      final list = jsonDecode(json) as List<dynamic>;
@@ -156,6 +177,7 @@ class EmailRepositoryImpl implements EmailRepository {
      return;
    }
    if (threadEmails.isEmpty) return;
    final latest = threadEmails.last;
    // Collect unique participants across the whole thread.
@@ -237,7 +259,12 @@ class EmailRepositoryImpl implements EmailRepository {
    try {
      await client.selectMailboxByPath(emailRow.mailboxPath);
      final fetch = await client.uidFetchMessage(emailRow.uid, '(BODY.PEEK[])');
-      final msg = fetch.messages.first;
+      final msg = fetch.messages.firstOrNull;
      if (msg == null) {
        throw StateError(
          'IMAP server returned no message for UID ${emailRow.uid}.',
        );
      }
      final textBody = msg.decodeTextPlainPart();
      final rawHtml = msg.decodeTextHtmlPart();
      final htmlBody =
@@ -325,13 +352,7 @@ class EmailRepositoryImpl implements EmailRepository {
          ],
          'fetchHTMLBodyValues': true,
          'fetchTextBodyValues': true,
-          'bodyProperties': [
+          'bodyProperties': ['partId', 'type', 'name', 'size', 'subParts'],
            'partId',
            'type',
            'name',
            'size',
            'subParts',
          ],
        },
        '0',
      ],
@@ -540,7 +561,7 @@ class EmailRepositoryImpl implements EmailRepository {
    for (final msg in result.messages) {
      final uid = msg.uid;
      if (uid == null) continue;
-      final emailId = '${account.id}:$uid';
+      final emailId = '${account.id}:$mailboxPath:$uid';
      await (_db.update(_db.emails)..where((t) => t.id.equals(emailId))).write(
        EmailsCompanion(
          isSeen: Value(msg.flags?.contains(r'\Seen') ?? false),
@@ -595,7 +616,7 @@ class EmailRepositoryImpl implements EmailRepository {
          continue;
        }
        bytes += msg.size ?? 0;
-        final emailId = '${account.id}:$uid';
+        final emailId = '${account.id}:$mailboxPath:$uid';
        final msgId = envelope.messageId?.trim();
        final inReplyTo = envelope.inReplyTo?.trim();
        final refs = msg.getHeaderValue('References')?.trim();
@@ -1949,8 +1970,9 @@ class EmailRepositoryImpl implements EmailRepository {
        .getSingleOrNull();
    final inboxPath = inboxMailbox?.path ?? 'INBOX';
-    final alreadyApplied = await (_db.select(_db.localSieveApplied)
+    final alreadyApplied = await (_db.select(
-          ..where((t) => t.accountId.equals(accountId)))
+      _db.localSieveApplied,
    )..where((t) => t.accountId.equals(accountId)))
        .get();
    final appliedIds = alreadyApplied.map((r) => r.messageId).toSet();
@@ -2050,7 +2072,9 @@ class EmailRepositoryImpl implements EmailRepository {
            ..limit(1))
          .getSingleOrNull();
      if (destMailbox == null) {
-        log('Sieve: JMAP mailbox "$folder" not found for account ${account.id}');
+        log(
          'Sieve: JMAP mailbox "$folder" not found for account ${account.id}',
        );
        return;
      }
      destPath = destMailbox.path;
@@ -2808,11 +2832,13 @@ class EmailRepositoryImpl implements EmailRepository {
      // Content-Transfer-Encoding) and getPart() can decode the part correctly.
      // A partial BODY.PEEK[n] fetch omits those headers, causing
      // decodeContentBinary() to return raw base64 instead of decoded bytes.
-      final fetch = await client.uidFetchMessage(
+      final fetch = await client.uidFetchMessage(emailRow.uid, 'BODY.PEEK[]');
-        emailRow.uid,
+      final msg = fetch.messages.firstOrNull;
-        'BODY.PEEK[]',
+      if (msg == null) {
-      );
+        throw StateError(
-      final msg = fetch.messages.first;
+          'IMAP server returned no message for UID ${emailRow.uid}.',
        );
      }
      final part = msg.getPart(attachment.fetchPartId) ?? msg;
      final bytes = part.decodeContentBinary();
      if (bytes == null) {
@@ -2874,11 +2900,14 @@ class EmailRepositoryImpl implements EmailRepository {
    );
    try {
      await client.selectMailboxByPath(emailRow.mailboxPath);
-      final fetch = await client.uidFetchMessage(
+      final fetch = await client.uidFetchMessage(emailRow.uid, 'BODY.PEEK[]');
-        emailRow.uid,
+      final msg = fetch.messages.firstOrNull;
-        'BODY.PEEK[]',
+      if (msg == null) {
-      );
+        throw StateError(
-      return fetch.messages.first.renderMessage();
+          'IMAP server returned no message for UID ${emailRow.uid}.',
        );
      }
      return msg.renderMessage();
    } finally {
      await client.logout();
    }
@@ -2894,9 +2923,9 @@ class EmailRepositoryImpl implements EmailRepository {
    final sql = accountId != null
        ? 'SELECT e.* FROM email_fts f JOIN emails e ON e.rowid = f.rowid'
-            ' WHERE email_fts MATCH ? AND e.account_id = ? ORDER BY rank LIMIT 50'
+            ' WHERE email_fts MATCH ? AND e.account_id = ? ORDER BY e.received_at DESC LIMIT 50'
        : 'SELECT e.* FROM email_fts f JOIN emails e ON e.rowid = f.rowid'
-            ' WHERE email_fts MATCH ? ORDER BY rank LIMIT 50';
+            ' WHERE email_fts MATCH ? ORDER BY e.received_at DESC LIMIT 50';
    final variables = accountId != null
        ? [Variable<String>(ftsQuery), Variable<String>(accountId)]
        : [Variable<String>(ftsQuery)];
@@ -2906,18 +2935,151 @@ class EmailRepositoryImpl implements EmailRepository {
    final emailRows = await Future.wait(
      queryRows.map((r) => _db.emails.mapFromRow(r)),
    );
    final noteRows = await _searchEmailsByNotes(accountId, null, query);
    final seen = <String>{};
    final merged = <model.Email>[];
    for (final e in [...emailRows.map(_toModel), ...noteRows]) {
      if (seen.add(e.id)) merged.add(e);
    }
    merged.sort((a, b) => b.receivedAt.compareTo(a.receivedAt));
    return merged;
  }
  /// Returns emails whose associated notes contain all words from [query].
  /// Optionally filtered by [accountId] and [mailboxPath].
  Future<List<model.Email>> _searchEmailsByNotes(
    String? accountId,
    String? mailboxPath,
    String query,
  ) async {
    final words =
        query.trim().split(RegExp(r'\s+')).where((w) => w.isNotEmpty).toList();
    if (words.isEmpty) return [];
    final noteConditions = words.map((_) => 'n.note_text LIKE ?').join(' AND ');
    final likeVars = words.map((w) => Variable<String>('%$w%')).toList();
    final extraConditions = StringBuffer();
    final extraVars = <Variable<String>>[];
    if (accountId != null) {
      extraConditions.write(' AND e.account_id = ?');
      extraVars.add(Variable<String>(accountId));
    }
    if (mailboxPath != null) {
      extraConditions.write(' AND e.mailbox_path = ?');
      extraVars.add(Variable<String>(mailboxPath));
    }
    final sql = 'SELECT DISTINCT e.* FROM emails e'
        ' JOIN email_notes n ON n.message_id = e.message_id'
        ' AND n.account_id = e.account_id'
        ' WHERE $noteConditions$extraConditions'
        ' ORDER BY e.received_at DESC LIMIT 50';
    final rows = await _db.customSelect(
      sql,
      variables: [...likeVars, ...extraVars],
      readsFrom: {_db.emails, _db.emailNotes},
    ).get();
    final emailRows =
        await Future.wait(rows.map((r) => _db.emails.mapFromRow(r)));
    return emailRows.map(_toModel).toList();
  }
  @override
  Future<List<model.Email>> searchEmailsStructured(
    String? accountId,
    FilterGroup filter,
  ) async {
    final rows = await (_db.select(_db.emails)
          ..where((t) {
            final fe = _filterGroup(filter, t);
            if (accountId == null) return fe;
            return t.accountId.equals(accountId) & fe;
          })
          ..orderBy([(t) => OrderingTerm.desc(t.receivedAt)])
          ..limit(100))
        .get();
    return rows.map(_toModel).toList();
  }
  Expression<bool> _filterGroup(FilterGroup group, $EmailsTable t) {
    if (group.isEmpty) return const Constant(true);
    final exprs = group.children.map((c) => _filterNode(c, t)).toList();
    return switch (group.operator) {
      FilterOperator.and_ => exprs.reduce((a, b) => a & b),
      FilterOperator.or_ => exprs.reduce((a, b) => a | b),
    };
  }
  Expression<bool> _filterNode(FilterNode node, $EmailsTable t) =>
      switch (node) {
        final FilterLeaf l => _filterLeaf(l, t),
        final FilterGroup g => _filterGroup(g, t),
      };
  Expression<bool> _filterLeaf(FilterLeaf leaf, $EmailsTable t) {
    final val = leaf.value.toLowerCase();
    return switch (leaf.field) {
      FilterField.from_ => _jsonLike(t.fromJson, leaf.comparison, val),
      FilterField.to => _jsonLike(t.toAddresses, leaf.comparison, val),
      FilterField.cc => _jsonLike(t.ccJson, leaf.comparison, val),
      FilterField.subject => _textLike(t.subject, leaf.comparison, val),
      // Size is not stored in the local cache; skip silently.
      FilterField.size => const Constant(true),
    };
  }
  Expression<bool> _jsonLike(
    GeneratedColumn<String> col,
    FilterComparison comp,
    String val,
  ) =>
      switch (comp) {
        FilterComparison.contains => col.like('%$val%'),
        FilterComparison.is_ => col.like('%"email":"$val"%'),
        FilterComparison.matches => col.like(_globToLike(val)),
        _ => const Constant(true),
      };
  Expression<bool> _textLike(
    GeneratedColumn<String> col,
    FilterComparison comp,
    String val,
  ) =>
      switch (comp) {
        FilterComparison.contains => col.like('%$val%'),
        FilterComparison.is_ => col.like(val),
        FilterComparison.matches => col.like(_globToLike(val)),
        _ => const Constant(true),
      };
  static String _globToLike(String glob) {
    final buf = StringBuffer();
    for (var i = 0; i < glob.length; i++) {
      final ch = glob[i];
      if (ch == '%' || ch == '_') {
        buf.write('\\$ch');
      } else if (ch == '*') {
        buf.write('%');
      } else if (ch == '?') {
        buf.write('_');
      } else {
        buf.write(ch);
      }
    }
    return buf.toString();
  }
  /// Converts a user query string into an FTS5 match expression.
  /// Each whitespace-separated word becomes a prefix term (word*) so that
  /// partial words still match. Special FTS5 characters are stripped.
  static String _toFtsQuery(String query) {
    final words = query
        .trim()
-        .split(RegExp(r'\s+'))
+        .split(RegExp(r'[^\w]+'))
        .where((w) => w.isNotEmpty)
        .map((w) => w.replaceAll(RegExp(r'[^\w]'), ''))
        .where((w) => w.isNotEmpty)
        .toList();
    if (words.isEmpty) return '';
@@ -2955,6 +3117,20 @@ class EmailRepositoryImpl implements EmailRepository {
  }) async {
    if (query.length < 2) return [];
    final pattern = '%${query.toLowerCase()}%';
    // Addresses we deliberately wrote to (sent folder) should appear before
    // addresses that happened to email us (inbox/other folders).
    final sentMailboxes = await (_db.select(_db.mailboxes)
          ..where((t) {
            Expression<bool> cond = t.role.equals('sent');
            if (accountId != null) {
              cond = t.accountId.equals(accountId) & cond;
            }
            return cond;
          }))
        .get();
    final sentPaths = {for (final m in sentMailboxes) m.path};
    final rows = await (_db.select(_db.emails)
          ..where((t) {
            Expression<bool> cond = const Constant(true);
@@ -2969,11 +3145,22 @@ class EmailRepositoryImpl implements EmailRepository {
          ..limit(100))
        .get();
    // Two passes: sent-folder rows first (prioritise recipients we chose),
    // then other rows (senders who contacted us).
    final sortedRows = [
      ...rows.where((r) => sentPaths.contains(r.mailboxPath)),
      ...rows.where((r) => !sentPaths.contains(r.mailboxPath)),
    ];
    final seen = <String>{};
    final results = <model.EmailAddress>[];
    final lowerQuery = query.toLowerCase();
-    for (final row in rows) {
+    for (final row in sortedRows) {
-      for (final jsonStr in [row.fromJson, row.toAddresses, row.ccJson]) {
+      final isSent = sentPaths.contains(row.mailboxPath);
      final fields = isSent
          ? [row.toAddresses, row.ccJson, row.fromJson]
          : [row.fromJson, row.toAddresses, row.ccJson];
      for (final jsonStr in fields) {
        final list = jsonDecode(jsonStr) as List<dynamic>;
        for (final e in list) {
          final map = e as Map<String, dynamic>;
@@ -2994,68 +3181,42 @@ class EmailRepositoryImpl implements EmailRepository {
  }
  @override
  // Results are limited to emails already synced into the local SQLite FTS5
  // index; call syncEmails first to ensure the index is up-to-date.
  Future<List<model.Email>> searchEmails(
    String accountId,
    String mailboxPath,
    String query,
  ) async {
-    final account = (await _accounts.getAccount(accountId))!;
+    final ftsQuery = _toFtsQuery(query);
-    final password = await _accounts.getPassword(accountId);
+    if (ftsQuery.isEmpty) return [];
-    final client = await _imapConnect(
+
-      account,
+    const sql = 'SELECT e.* FROM email_fts f JOIN emails e ON e.rowid = f.rowid'
-      _effectiveUsername(account),
+        ' WHERE email_fts MATCH ? AND e.account_id = ? AND e.mailbox_path = ?'
-      password,
+        ' ORDER BY e.received_at DESC LIMIT 50';
    final variables = [
      Variable<String>(ftsQuery),
      Variable<String>(accountId),
      Variable<String>(mailboxPath),
    ];
    final queryRows = await _db
        .customSelect(sql, variables: variables, readsFrom: {_db.emails}).get();
    final emailRows = await Future.wait(
      queryRows.map((r) => _db.emails.mapFromRow(r)),
    );
    try {
      await client.selectMailboxByPath(mailboxPath);
      final terms =
          query.split(RegExp(r'\s+')).where((t) => t.isNotEmpty).toList();
      final searchCriteria = terms.map((term) {
        final escaped = term.replaceAll('"', '\\"');
        return 'OR SUBJECT "$escaped" TEXT "$escaped"';
      }).join(' ');
      final result = await client.uidSearchMessages(
        searchCriteria: searchCriteria,
      );
      final uids = result.matchingSequence?.toList() ?? [];
      if (uids.isEmpty) return [];
-      final fetch = await client.uidFetchMessages(
+    final noteRows = await _searchEmailsByNotes(accountId, mailboxPath, query);
-        imap.MessageSequence.fromIds(uids, isUid: true),
+
-        '(UID FLAGS ENVELOPE)',
+    final seen = <String>{};
-      );
+    final merged = <model.Email>[];
-      return fetch.messages
+    for (final e in [...emailRows.map(_toModel), ...noteRows]) {
-          .where((msg) => msg.uid != null && msg.envelope != null)
+      if (seen.add(e.id)) merged.add(e);
          .map((msg) {
        final envelope = msg.envelope!;
        final uid = msg.uid!;
        final emailId = '$accountId:$uid';
        return model.Email(
          id: emailId,
          accountId: accountId,
          mailboxPath: mailboxPath,
          uid: uid,
          subject: envelope.subject,
          sentAt: envelope.date,
          receivedAt: envelope.date ?? DateTime.now(),
          from: _toAddressList(envelope.from),
          to: _toAddressList(envelope.to),
          cc: _toAddressList(envelope.cc),
          isSeen: msg.flags?.contains(r'\Seen') ?? false,
          isFlagged: msg.flags?.contains(r'\Flagged') ?? false,
          hasAttachment: msg.hasAttachments(),
        );
      }).toList();
    } finally {
      await client.logout();
    }
    merged.sort((a, b) => b.receivedAt.compareTo(a.receivedAt));
    return merged;
  }
  List<model.EmailAddress> _toAddressList(List<imap.MailAddress>? addresses) =>
      (addresses ?? const [])
          .map((a) => model.EmailAddress(name: a.personalName, email: a.email))
          .toList();
  // ── Helpers ────────────────────────────────────────────────────────────────
  /// Computes a stable threadId from RFC 2822 headers.
@@ -3252,14 +3413,17 @@ class EmailRepositoryImpl implements EmailRepository {
    await _db.customStatement('PRAGMA foreign_keys = OFF');
    try {
      await _db.transaction(() async {
-        await (_db.delete(_db.emails)
+        await (_db.delete(
-              ..where((t) => t.accountId.equals(accountId)))
+          _db.emails,
        )..where((t) => t.accountId.equals(accountId)))
            .go();
-        await (_db.delete(_db.pendingChanges)
+        await (_db.delete(
-              ..where((t) => t.accountId.equals(accountId)))
+          _db.pendingChanges,
        )..where((t) => t.accountId.equals(accountId)))
            .go();
-        await (_db.delete(_db.syncStates)
+        await (_db.delete(
-              ..where((t) => t.accountId.equals(accountId)))
+          _db.syncStates,
        )..where((t) => t.accountId.equals(accountId)))
            .go();
      });
    } finally {
@@ -79,6 +79,15 @@ class MailboxRepositoryImpl implements MailboxRepository {
    );
    try {
      final mailboxes = await client.listMailboxes(recursive: true);
      // Pre-load existing DB roles so we can preserve manually-set roles for
      // folders the server doesn't tag with a special-use attribute.
      final existingRows = await (_db.select(
        _db.mailboxes,
      )..where((t) => t.accountId.equals(account.id)))
          .get();
      final existingRoles = {for (final r in existingRows) r.id: r.role};
      for (final mb in mailboxes) {
        final path = mb.path;
        final id = '${account.id}:$path';
@@ -96,6 +105,12 @@ class MailboxRepositoryImpl implements MailboxRepository {
          log('STATUS skipped for $path: $e');
        }
        // Use the server-assigned role when available; fall back to the
        // existing DB role so that manually-created folders (e.g. a user
        // who just created their Archive folder) keep their role across syncs
        // when the IMAP server does not expose a special-use attribute.
        final role = _imapRole(mb) ?? existingRoles[id];
        await _db.into(_db.mailboxes).insertOnConflictUpdate(
              MailboxesCompanion.insert(
                id: id,
@@ -104,7 +119,7 @@ class MailboxRepositoryImpl implements MailboxRepository {
                name: mb.name,
                unreadCount: Value(unread),
                totalCount: Value(total),
-                role: Value(_imapRole(mb)),
+                role: Value(role),
              ),
            );
      }
@@ -306,8 +321,127 @@ class MailboxRepositoryImpl implements MailboxRepository {
  @override
  Future<void> clearForResync(String accountId) async {
-    await (_db.delete(_db.mailboxes)
+    await (_db.delete(
-          ..where((t) => t.accountId.equals(accountId)))
+      _db.mailboxes,
    )..where((t) => t.accountId.equals(accountId)))
        .go();
  }
  @override
  Future<model.Mailbox> createMailboxWithRole(
    String accountId,
    String name,
    String role,
  ) async {
    final account = (await _accounts.getAccount(accountId))!;
    final password = await _accounts.getPassword(accountId);
    switch (account.type) {
      case account_model.AccountType.imap:
        return _createMailboxWithRoleImap(account, password, name, role);
      case account_model.AccountType.jmap:
        return _createMailboxWithRoleJmap(account, password, name, role);
    }
  }
  @override
  Future<model.Mailbox> createMailbox(String accountId, String name) async {
    final account = (await _accounts.getAccount(accountId))!;
    final password = await _accounts.getPassword(accountId);
    switch (account.type) {
      case account_model.AccountType.imap:
        return _createMailboxWithRoleImap(account, password, name, null);
      case account_model.AccountType.jmap:
        return _createMailboxWithRoleJmap(account, password, name, null);
    }
  }
  Future<model.Mailbox> _createMailboxWithRoleImap(
    account_model.Account account,
    String password,
    String name,
    String? role,
  ) async {
    final client = await _imapConnect(
      account,
      _effectiveUsername(account),
      password,
    );
    try {
      await client.createMailbox(name);
    } finally {
      await client.logout();
    }
    final id = '${account.id}:$name';
    await _db.into(_db.mailboxes).insertOnConflictUpdate(
          MailboxesCompanion.insert(
            id: id,
            accountId: account.id,
            path: name,
            name: name,
            role: Value(role),
          ),
        );
    final row = await (_db.select(
      _db.mailboxes,
    )..where((t) => t.id.equals(id)))
        .getSingle();
    return _toModel(row);
  }
  Future<model.Mailbox> _createMailboxWithRoleJmap(
    account_model.Account account,
    String password,
    String name,
    String? role,
  ) async {
    final jmapUrl = account.jmapUrl;
    if (jmapUrl == null || jmapUrl.isEmpty) {
      throw Exception('JMAP account ${account.id} has no jmapUrl');
    }
    final jmap = await JmapClient.connect(
      httpClient: _httpClient,
      jmapUrl: Uri.parse(jmapUrl),
      username: _effectiveUsername(account),
      password: password,
    );
    final responses = await jmap.call([
      [
        'Mailbox/set',
        {
          'accountId': jmap.accountId,
          'create': {
            'new-mailbox': {
              'name': name,
              if (role != null) 'role': role,
            },
          },
        },
        '0',
      ],
    ]);
    final result = _responseArgs(responses, 0, 'Mailbox/set');
    final created = result['created'] as Map<String, dynamic>?;
    final newId =
        (created?['new-mailbox'] as Map<String, dynamic>?)?['id'] as String?;
    if (newId == null) {
      throw Exception(
        'Failed to create mailbox "$name": server returned no ID',
      );
    }
    final dbId = '${account.id}:$newId';
    await _db.into(_db.mailboxes).insertOnConflictUpdate(
          MailboxesCompanion.insert(
            id: dbId,
            accountId: account.id,
            path: newId,
            name: name,
            role: Value(role),
          ),
        );
    final row = await (_db.select(
      _db.mailboxes,
    )..where((t) => t.id.equals(dbId)))
        .getSingle();
    return _toModel(row);
  }
 }
@@ -0,0 +1,570 @@
 import 'dart:math' as math;
 import 'package:drift/drift.dart';
 import 'package:enough_mail/enough_mail.dart' as imap;
 import 'package:http/http.dart' as http;
 import 'package:sharedinbox/core/models/account.dart' as account_model;
 import 'package:sharedinbox/core/models/note.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/repositories/note_repository.dart';
 import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
 import 'package:sharedinbox/data/jmap/jmap_client.dart';
 const _notesFolder = 'Notes';
 const _headerNoteFor = 'X-SharedInbox-Note-For';
 const _headerNoteId = 'X-SharedInbox-Note-Id';
 class NoteRepositoryImpl implements NoteRepository {
  NoteRepositoryImpl(
    this._db,
    this._accounts, {
    ImapConnectFn imapConnect = connectImap,
    http.Client? httpClient,
  })  : _imapConnect = imapConnect,
        _httpClient = httpClient ?? http.Client();
  final AppDatabase _db;
  final AccountRepository _accounts;
  final ImapConnectFn _imapConnect;
  final http.Client _httpClient;
  String _effectiveUsername(account_model.Account account) =>
      account.username.isNotEmpty ? account.username : account.email;
  // ── Observe (local cache) ─────────────────────────────────────────────────
  @override
  Stream<List<EmailNote>> observeNotes(String accountId, String messageId) {
    return (_db.select(_db.emailNotes)
          ..where(
            (t) =>
                t.accountId.equals(accountId) & t.messageId.equals(messageId),
          )
          ..orderBy([(t) => OrderingTerm.asc(t.createdAt)]))
        .watch()
        .map((rows) => rows.map(_toModel).toList());
  }
  // ── Sync (server → local cache) ──────────────────────────────────────────
  @override
  Future<void> syncNotes(String accountId, String messageId) async {
    final account = await _accounts.getAccount(accountId);
    if (account == null) return;
    final password = await _accounts.getPassword(accountId);
    switch (account.type) {
      case account_model.AccountType.imap:
        await _syncNotesImap(account, password, messageId);
      case account_model.AccountType.jmap:
        await _syncNotesJmap(account, password, messageId);
    }
  }
  Future<void> _syncNotesImap(
    account_model.Account account,
    String password,
    String messageId,
  ) async {
    final client = await _imapConnect(
      account,
      _effectiveUsername(account),
      password,
    );
    try {
      try {
        await client.selectMailboxByPath(_notesFolder);
      } catch (_) {
        // Notes folder doesn't exist — nothing to sync.
        return;
      }
      final escaped = messageId.replaceAll('\\', '\\\\').replaceAll('"', '\\"');
      final searchResult = await client.uidSearchMessages(
        searchCriteria: 'HEADER $_headerNoteFor "$escaped"',
      );
      final uids = searchResult.matchingSequence?.toList() ?? [];
      if (uids.isEmpty) {
        await (_db.delete(_db.emailNotes)
              ..where(
                (t) =>
                    t.accountId.equals(account.id) &
                    t.messageId.equals(messageId),
              ))
            .go();
        return;
      }
      final seq = imap.MessageSequence.fromIds(uids, isUid: true);
      final fetch = await client.uidFetchMessages(seq, '(UID BODY.PEEK[])');
      final fetchedIds = <String>{};
      for (final msg in fetch.messages) {
        final uid = msg.uid;
        if (uid == null) continue;
        final noteId = msg.getHeaderValue(_headerNoteId)?.trim();
        if (noteId == null || noteId.isEmpty) continue;
        fetchedIds.add(noteId);
        await _db.into(_db.emailNotes).insertOnConflictUpdate(
              EmailNotesCompanion.insert(
                id: noteId,
                accountId: account.id,
                messageId: messageId,
                noteText: msg.decodeTextPlainPart() ?? '',
                serverId: uid.toString(),
                createdAt: msg.decodeDate() ?? DateTime.now(),
              ),
            );
      }
      // Remove stale local notes (deleted on the server).
      final local = await (_db.select(_db.emailNotes)
            ..where(
              (t) =>
                  t.accountId.equals(account.id) &
                  t.messageId.equals(messageId),
            ))
          .get();
      for (final note in local) {
        if (!fetchedIds.contains(note.id)) {
          await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(note.id)))
              .go();
        }
      }
    } finally {
      await client.logout();
    }
  }
  Future<void> _syncNotesJmap(
    account_model.Account account,
    String password,
    String messageId,
  ) async {
    final jmapUrl = account.jmapUrl;
    if (jmapUrl == null || jmapUrl.isEmpty) return;
    final jmap = await JmapClient.connect(
      httpClient: _httpClient,
      jmapUrl: Uri.parse(jmapUrl),
      username: _effectiveUsername(account),
      password: password,
    );
    final mailboxId = await _findNotesMailboxJmap(jmap);
    if (mailboxId == null) {
      await (_db.delete(_db.emailNotes)
            ..where(
              (t) =>
                  t.accountId.equals(account.id) &
                  t.messageId.equals(messageId),
            ))
          .go();
      return;
    }
    final queryResp = await jmap.call([
      [
        'Email/query',
        {
          'accountId': jmap.accountId,
          'filter': {'inMailbox': mailboxId},
        },
        '0',
      ],
    ]);
    final ids = List<String>.from(
      (_responseArgs(queryResp, 0, 'Email/query')['ids'] as List? ?? []),
    );
    if (ids.isEmpty) {
      await (_db.delete(_db.emailNotes)
            ..where(
              (t) =>
                  t.accountId.equals(account.id) &
                  t.messageId.equals(messageId),
            ))
          .go();
      return;
    }
    final getResp = await jmap.call([
      [
        'Email/get',
        {
          'accountId': jmap.accountId,
          'ids': ids,
          'properties': [
            'id',
            'receivedAt',
            'textBody',
            'bodyValues',
            'header:$_headerNoteFor:asText',
            'header:$_headerNoteId:asText',
          ],
          'fetchTextBodyValues': true,
        },
        '0',
      ],
    ]);
    final list =
        _responseArgs(getResp, 0, 'Email/get')['list'] as List<dynamic>;
    final fetchedIds = <String>{};
    for (final e in list) {
      final m = e as Map<String, dynamic>;
      final noteFor = (m['header:$_headerNoteFor:asText'] as String?)?.trim();
      if (noteFor != messageId) continue;
      final noteId = (m['header:$_headerNoteId:asText'] as String?)?.trim();
      if (noteId == null || noteId.isEmpty) continue;
      final jmapEmailId = m['id'] as String;
      final bodyValues = m['bodyValues'] as Map<String, dynamic>? ?? {};
      final textBodyParts = m['textBody'] as List<dynamic>? ?? [];
      var noteText = '';
      if (textBodyParts.isNotEmpty) {
        final partId =
            (textBodyParts.first as Map<String, dynamic>)['partId'] as String?;
        if (partId != null) {
          noteText = (bodyValues[partId] as Map<String, dynamic>?)?['value']
                  as String? ??
              '';
        }
      }
      final createdAt =
          DateTime.tryParse(m['receivedAt'] as String? ?? '') ?? DateTime.now();
      fetchedIds.add(noteId);
      await _db.into(_db.emailNotes).insertOnConflictUpdate(
            EmailNotesCompanion.insert(
              id: noteId,
              accountId: account.id,
              messageId: messageId,
              noteText: noteText,
              serverId: jmapEmailId,
              createdAt: createdAt,
            ),
          );
    }
    // Remove stale local notes.
    final local = await (_db.select(_db.emailNotes)
          ..where(
            (t) =>
                t.accountId.equals(account.id) & t.messageId.equals(messageId),
          ))
        .get();
    for (final note in local) {
      if (!fetchedIds.contains(note.id)) {
        await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(note.id)))
            .go();
      }
    }
  }
  // ── Add ───────────────────────────────────────────────────────────────────
  @override
  Future<void> addNote(
    String accountId,
    String messageId,
    String text,
  ) async {
    final account = await _accounts.getAccount(accountId);
    if (account == null) return;
    final password = await _accounts.getPassword(accountId);
    final noteId = _generateId();
    switch (account.type) {
      case account_model.AccountType.imap:
        await _addNoteImap(account, password, messageId, noteId, text);
      case account_model.AccountType.jmap:
        await _addNoteJmap(account, password, messageId, noteId, text);
    }
  }
  Future<void> _addNoteImap(
    account_model.Account account,
    String password,
    String messageId,
    String noteId,
    String text,
  ) async {
    final client = await _imapConnect(
      account,
      _effectiveUsername(account),
      password,
    );
    try {
      try {
        await client.createMailbox(_notesFolder);
      } catch (_) {
        // Already exists.
      }
      final builder = imap.MessageBuilder()
        ..subject = 'Note'
        ..text = text;
      builder.addHeader(_headerNoteFor, messageId);
      builder.addHeader(_headerNoteId, noteId);
      final mime = builder.buildMimeMessage();
      final appendResult = await client.appendMessage(
        mime,
        targetMailboxPath: _notesFolder,
      );
      final uidList =
          appendResult.responseCodeAppendUid?.targetSequence.toList();
      final serverId = (uidList != null && uidList.isNotEmpty)
          ? uidList.first.toString()
          : '';
      await _db.into(_db.emailNotes).insertOnConflictUpdate(
            EmailNotesCompanion.insert(
              id: noteId,
              accountId: account.id,
              messageId: messageId,
              noteText: text,
              serverId: serverId,
              createdAt: DateTime.now(),
            ),
          );
    } finally {
      await client.logout();
    }
  }
  Future<void> _addNoteJmap(
    account_model.Account account,
    String password,
    String messageId,
    String noteId,
    String text,
  ) async {
    final jmapUrl = account.jmapUrl;
    if (jmapUrl == null || jmapUrl.isEmpty) {
      throw Exception('JMAP account ${account.id} has no jmapUrl');
    }
    final jmap = await JmapClient.connect(
      httpClient: _httpClient,
      jmapUrl: Uri.parse(jmapUrl),
      username: _effectiveUsername(account),
      password: password,
    );
    final mailboxId = await _findOrCreateNotesMailboxJmap(jmap);
    const bodyPartId = '1';
    final setResp = await jmap.call([
      [
        'Email/set',
        {
          'accountId': jmap.accountId,
          'create': {
            'new-note': {
              'mailboxIds': {mailboxId: true},
              'subject': 'Note',
              'keywords': {r'$seen': true},
              'headers': [
                {'name': _headerNoteFor, 'value': ' $messageId'},
                {'name': _headerNoteId, 'value': ' $noteId'},
              ],
              'bodyValues': {
                bodyPartId: {
                  'value': text,
                  'isEncodingProblem': false,
                  'isTruncated': false,
                },
              },
              'textBody': [
                {'partId': bodyPartId, 'type': 'text/plain'},
              ],
            },
          },
        },
        '0',
      ],
    ]);
    final result = _responseArgs(setResp, 0, 'Email/set');
    final created = result['created'] as Map<String, dynamic>?;
    final newEmail = created?['new-note'] as Map<String, dynamic>?;
    final jmapEmailId = newEmail?['id'] as String? ?? '';
    await _db.into(_db.emailNotes).insertOnConflictUpdate(
          EmailNotesCompanion.insert(
            id: noteId,
            accountId: account.id,
            messageId: messageId,
            noteText: text,
            serverId: jmapEmailId,
            createdAt: DateTime.now(),
          ),
        );
  }
  // ── Delete ────────────────────────────────────────────────────────────────
  @override
  Future<void> deleteNote(String noteId) async {
    final noteRow = await (_db.select(_db.emailNotes)
          ..where((t) => t.id.equals(noteId)))
        .getSingleOrNull();
    if (noteRow == null) return;
    final account = await _accounts.getAccount(noteRow.accountId);
    if (account == null) {
      await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(noteId)))
          .go();
      return;
    }
    final password = await _accounts.getPassword(account.id);
    switch (account.type) {
      case account_model.AccountType.imap:
        await _deleteNoteImap(account, password, noteRow);
      case account_model.AccountType.jmap:
        await _deleteNoteJmap(account, password, noteRow);
    }
  }
  Future<void> _deleteNoteImap(
    account_model.Account account,
    String password,
    EmailNoteRow noteRow,
  ) async {
    final client = await _imapConnect(
      account,
      _effectiveUsername(account),
      password,
    );
    try {
      try {
        await client.selectMailboxByPath(_notesFolder);
        final uid = int.tryParse(noteRow.serverId);
        if (uid != null) {
          final seq = imap.MessageSequence.fromId(uid, isUid: true);
          await client.uidMarkDeleted(seq);
          await client.uidExpunge(seq);
        }
      } catch (_) {
        // Notes folder gone or message already deleted — clean up locally.
      }
    } finally {
      await client.logout();
    }
    await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(noteRow.id)))
        .go();
  }
  Future<void> _deleteNoteJmap(
    account_model.Account account,
    String password,
    EmailNoteRow noteRow,
  ) async {
    final jmapUrl = account.jmapUrl;
    if (jmapUrl == null || jmapUrl.isEmpty) return;
    final jmap = await JmapClient.connect(
      httpClient: _httpClient,
      jmapUrl: Uri.parse(jmapUrl),
      username: _effectiveUsername(account),
      password: password,
    );
    if (noteRow.serverId.isNotEmpty) {
      await jmap.call([
        [
          'Email/set',
          {
            'accountId': jmap.accountId,
            'destroy': [noteRow.serverId],
          },
          '0',
        ],
      ]);
    }
    await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(noteRow.id)))
        .go();
  }
  // ── JMAP helpers ──────────────────────────────────────────────────────────
  Future<String?> _findNotesMailboxJmap(JmapClient jmap) async {
    final resp = await jmap.call([
      [
        'Mailbox/get',
        {'accountId': jmap.accountId, 'ids': null},
        '0',
      ],
    ]);
    final list = _responseArgs(resp, 0, 'Mailbox/get')['list'] as List<dynamic>;
    for (final m in list) {
      final map = m as Map<String, dynamic>;
      if (map['name'] == _notesFolder) return map['id'] as String?;
    }
    return null;
  }
  Future<String> _findOrCreateNotesMailboxJmap(JmapClient jmap) async {
    final existing = await _findNotesMailboxJmap(jmap);
    if (existing != null) return existing;
    final resp = await jmap.call([
      [
        'Mailbox/set',
        {
          'accountId': jmap.accountId,
          'create': {
            'new-notes': {'name': _notesFolder},
          },
        },
        '0',
      ],
    ]);
    final result = _responseArgs(resp, 0, 'Mailbox/set');
    final created = result['created'] as Map<String, dynamic>?;
    final newMailbox = created?['new-notes'] as Map<String, dynamic>?;
    return newMailbox?['id'] as String? ?? _notesFolder;
  }
  Map<String, dynamic> _responseArgs(
    List<dynamic> responses,
    int index,
    String expectedMethod,
  ) {
    final triple = responses[index] as List<dynamic>;
    final method = triple[0] as String;
    if (method == 'error') {
      final err = triple[1] as Map<String, dynamic>;
      throw JmapException('$expectedMethod error: ${err['type']}');
    }
    return triple[1] as Map<String, dynamic>;
  }
  EmailNote _toModel(EmailNoteRow row) => EmailNote(
        id: row.id,
        accountId: row.accountId,
        messageId: row.messageId,
        noteText: row.noteText,
        serverId: row.serverId,
        createdAt: row.createdAt,
      );
  // Generates a random UUID v4.
  static String _generateId() {
    final rng = math.Random.secure();
    final bytes = List<int>.generate(16, (_) => rng.nextInt(256));
    bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
    bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant 1
    final hex = bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();
    return '${hex.substring(0, 8)}-${hex.substring(8, 12)}'
        '-${hex.substring(12, 16)}-${hex.substring(16, 20)}'
        '-${hex.substring(20)}';
  }
 }
@@ -24,8 +24,9 @@ class SearchHistoryRepositoryImpl implements SearchHistoryRepository {
    await _db.transaction(() async {
      // Remove existing entry for same query (deduplication).
-      await (_db.delete(_db.searchHistoryEntries)
+      await (_db.delete(
-            ..where((t) => t.query.equals(trimmed)))
+        _db.searchHistoryEntries,
      )..where((t) => t.query.equals(trimmed)))
          .go();
      await _db.into(_db.searchHistoryEntries).insert(
@@ -43,8 +44,9 @@ class SearchHistoryRepositoryImpl implements SearchHistoryRepository {
          .get();
      if (keepIds.isNotEmpty) {
-        await (_db.delete(_db.searchHistoryEntries)
+        await (_db.delete(
-              ..where((t) => t.id.isNotIn(keepIds)))
+          _db.searchHistoryEntries,
        )..where((t) => t.id.isNotIn(keepIds)))
            .go();
      }
    });
@@ -40,8 +40,9 @@ class ShareKeyRepositoryImpl implements ShareKeyRepository {
    await _pruneExpired();
    final keyIdHex = _hex(keyId);
-    final row = await (_db.select(_db.shareKeys)
+    final row = await (_db.select(
-          ..where((t) => t.id.equals(keyIdHex)))
+      _db.shareKeys,
    )..where((t) => t.id.equals(keyIdHex)))
        .getSingleOrNull();
    if (row == null) return null;
@@ -55,10 +56,9 @@ class ShareKeyRepositoryImpl implements ShareKeyRepository {
  }
  Future<void> _pruneExpired() async {
-    await (_db.delete(_db.shareKeys)
+    await (_db.delete(
-          ..where(
+      _db.shareKeys,
-            (t) => t.expiresAt.isSmallerThanValue(DateTime.now().toUtc()),
+    )..where((t) => t.expiresAt.isSmallerThanValue(DateTime.now().toUtc())))
          ))
        .go();
  }
@@ -13,6 +13,8 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
    String? stackTrace,
    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -30,6 +32,8 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
              accountId: accountId,
              result: success ? 'ok' : 'error',
              errorMessage: Value(errorMessage),
              errorStackTrace: Value(stackTrace),
              isPermanent: Value(isPermanent),
              protocol: Value(protocol),
              itemsSynced: Value(emailsFetched),
              emailsSkipped: Value(emailsSkipped),
@@ -75,6 +79,8 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
            id: r.id,
            result: r.result,
            errorMessage: r.errorMessage,
            stackTrace: r.errorStackTrace,
            isPermanent: r.isPermanent,
            protocol: r.protocol,
            emailsFetched: r.itemsSynced,
            emailsSkipped: r.emailsSkipped,
@@ -0,0 +1,117 @@
 import 'package:drift/drift.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart' as pref;
 import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
 import 'package:sharedinbox/data/db/database.dart';
 class UserPreferencesRepositoryImpl implements UserPreferencesRepository {
  UserPreferencesRepositoryImpl(this._db);
  final AppDatabase _db;
  static const _rowId = 1;
  @override
  Stream<pref.UserPreferences> observePreferences() {
    return (_db.select(
      _db.userPreferences,
    )..where((t) => t.id.equals(_rowId)))
        .watchSingleOrNull()
        .map(_rowToModel);
  }
  @override
  Future<void> updateMenuPosition(pref.MenuPosition position) async {
    await _db.into(_db.userPreferences).insertOnConflictUpdate(
          UserPreferencesCompanion(
            id: const Value(_rowId),
            menuPosition: Value(position.name),
          ),
        );
  }
  @override
  Future<void> updateMailViewButtonPosition(pref.MenuPosition position) async {
    await _db.into(_db.userPreferences).insertOnConflictUpdate(
          UserPreferencesCompanion(
            id: const Value(_rowId),
            mailViewButtonPosition: Value(position.name),
          ),
        );
  }
  @override
  Future<void> updateAfterMailViewAction(
    pref.AfterMailViewAction action,
  ) async {
    await _db.into(_db.userPreferences).insertOnConflictUpdate(
          UserPreferencesCompanion(
            id: const Value(_rowId),
            afterMailViewAction: Value(action.name),
          ),
        );
  }
  @override
  Future<void> updatePrefetchMode(pref.PrefetchMode mode) async {
    await _db.into(_db.userPreferences).insertOnConflictUpdate(
          UserPreferencesCompanion(
            id: const Value(_rowId),
            prefetchMode: Value(mode.name),
          ),
        );
  }
  @override
  Future<void> updateBodyCacheLimitMb(int mb) async {
    await _db.into(_db.userPreferences).insertOnConflictUpdate(
          UserPreferencesCompanion(
            id: const Value(_rowId),
            bodyCacheLimitMb: Value(mb),
          ),
        );
  }
  @override
  Stream<List<String>> observeTrustedImageSenders() {
    return (_db.select(_db.imageTrustedSenders)
          ..orderBy([(t) => OrderingTerm.desc(t.addedAt)]))
        .watch()
        .map((rows) => rows.map((r) => r.senderEmail).toList());
  }
  @override
  Future<void> addTrustedImageSender(String senderEmail) async {
    await _db.into(_db.imageTrustedSenders).insertOnConflictUpdate(
          ImageTrustedSendersCompanion(
            senderEmail: Value(senderEmail.toLowerCase()),
            addedAt: Value(DateTime.now()),
          ),
        );
  }
  @override
  Future<void> removeTrustedImageSender(String senderEmail) async {
    await (_db.delete(_db.imageTrustedSenders)
          ..where((t) => t.senderEmail.equals(senderEmail.toLowerCase())))
        .go();
  }
  static pref.UserPreferences _rowToModel(UserPreferencesRow? row) {
    if (row == null) return const pref.UserPreferences();
    return pref.UserPreferences(
      menuPosition: pref.MenuPosition.values.firstWhere(
        (e) => e.name == row.menuPosition,
        orElse: () => pref.MenuPosition.bottom,
      ),
      mailViewButtonPosition: pref.MenuPosition.values.firstWhere(
        (e) => e.name == row.mailViewButtonPosition,
        orElse: () => pref.MenuPosition.bottom,
      ),
      afterMailViewAction: pref.AfterMailViewAction.values.firstWhere(
        (e) => e.name == row.afterMailViewAction,
        orElse: () => pref.AfterMailViewAction.nextMessage,
      ),
      prefetchMode: pref.PrefetchMode.fromString(row.prefetchMode),
      bodyCacheLimitMb: row.bodyCacheLimitMb,
    );
  }
 }
@@ -4,15 +4,19 @@ import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:http/http.dart' as http;
 import 'package:sharedinbox/core/models/account.dart' as model;
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/note.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/repositories/draft_repository.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
 import 'package:sharedinbox/core/repositories/note_repository.dart';
 import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/core/repositories/undo_repository.dart';
 import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
 import 'package:sharedinbox/core/services/account_discovery_service.dart';
 import 'package:sharedinbox/core/services/connection_test_service.dart';
 import 'package:sharedinbox/core/services/managesieve_probe_service.dart';
@@ -21,7 +25,8 @@ import 'package:sharedinbox/core/services/undo_service.dart';
 import 'package:sharedinbox/core/storage/secure_storage.dart';
 import 'package:sharedinbox/core/sync/account_sync_manager.dart';
 import 'package:sharedinbox/core/sync/reliability_runner.dart';
-import 'package:sharedinbox/data/db/database.dart' hide Email, EmailBody;
+import 'package:sharedinbox/data/db/database.dart'
    hide Email, EmailBody, UserPreferences;
 import 'package:sharedinbox/data/db/local_sieve_repository.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
 import 'package:sharedinbox/data/jmap/sieve_repository.dart';
@@ -29,10 +34,12 @@ import 'package:sharedinbox/data/repositories/account_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/draft_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/email_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/mailbox_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/note_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/search_history_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/share_key_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/sync_log_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/undo_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/user_preferences_repository_impl.dart';
 import 'package:sharedinbox/data/storage/flutter_secure_storage_impl.dart';
 /// Swappable IMAP connection factory — override in tests to use plaintext.
@@ -97,8 +104,9 @@ final undoRepositoryProvider = Provider<UndoRepository>((ref) {
  return UndoRepositoryImpl(ref.watch(dbProvider));
 });
-final searchHistoryRepositoryProvider =
+final searchHistoryRepositoryProvider = Provider<SearchHistoryRepository>((
-    Provider<SearchHistoryRepository>((ref) {
+  ref,
 ) {
  return SearchHistoryRepositoryImpl(ref.watch(dbProvider));
 });
@@ -131,8 +139,10 @@ final syncHealthProvider =
      .watchSingleOrNull();
 });
-final isSyncingProvider =
+final isSyncingProvider = StreamProvider.autoDispose.family<bool, String>((
-    StreamProvider.autoDispose.family<bool, String>((ref, accountId) {
+  ref,
  accountId,
 ) {
  return ref.watch(syncManagerProvider).watchSyncing(accountId);
 });
@@ -181,8 +191,9 @@ final manageSieveProbeServiceProvider = Provider<ManageSieveProbeService>((
  return ManageSieveProbeService(ref.watch(accountRepositoryProvider));
 });
-final undoServiceProvider =
+final undoServiceProvider = NotifierProvider<UndoService, List<UndoAction>>(
-    NotifierProvider<UndoService, List<UndoAction>>(UndoService.new);
+  UndoService.new,
 );
 /// Loads email header + body and marks the email as seen.
 /// Owned by [EmailDetailScreen]; decouples data loading from the widget tree.
@@ -203,10 +214,38 @@ class EmailDetailNotifier extends AsyncNotifier<(Email?, EmailBody)> {
      repo.getEmailBody(_emailId),
    ]);
    unawaited(repo.setFlag(_emailId, seen: true));
    final header = results[0] as Email?;
    if (header != null) {
      unawaited(_prefetchNextEmailBody(repo, header));
    }
    return (results[0] as Email?, results[1] as EmailBody);
  }
  Future<void> _prefetchNextEmailBody(
    EmailRepository repo,
    Email header,
  ) async {
    final prefs = ref.read(userPreferencesProvider).value;
    final action =
        prefs?.afterMailViewAction ?? AfterMailViewAction.nextMessage;
    if (action != AfterMailViewAction.nextMessage) return;
    final threads =
        await repo.observeThreads(header.accountId, header.mailboxPath).first;
    final currentIndex = threads.indexWhere(
      (t) => t.emailIds.contains(_emailId),
    );
    if (currentIndex < 0 || currentIndex + 1 >= threads.length) return;
    final nextId = threads[currentIndex + 1].latestEmailId;
    await repo.getEmailBody(nextId);
  }
 }
 final allAccountsProvider = StreamProvider<List<model.Account>>((ref) {
  return ref.watch(accountRepositoryProvider).observeAccounts();
 });
 final accountByIdProvider =
    StreamProvider.autoDispose.family<model.Account?, String>((ref, accountId) {
  return ref.watch(accountRepositoryProvider).observeAccounts().map(
@@ -227,3 +266,41 @@ final accountConnectionStatusProvider =
      .read(connectionTestServiceProvider)
      .testConnection(account, password);
 });
 final userPreferencesRepositoryProvider = Provider<UserPreferencesRepository>((
  ref,
 ) {
  return UserPreferencesRepositoryImpl(ref.watch(dbProvider));
 });
 final userPreferencesProvider = StreamProvider.autoDispose<UserPreferences>((
  ref,
 ) {
  return ref.watch(userPreferencesRepositoryProvider).observePreferences();
 });
 final trustedImageSendersProvider =
    StreamProvider.autoDispose<List<String>>((ref) {
  return ref
      .watch(userPreferencesRepositoryProvider)
      .observeTrustedImageSenders();
 });
 final noteRepositoryProvider = Provider<NoteRepository>((ref) {
  return NoteRepositoryImpl(
    ref.watch(dbProvider),
    ref.watch(accountRepositoryProvider),
    imapConnect: ref.watch(imapConnectProvider),
  );
 });
 final installedVersionsProvider = FutureProvider<Map<String, DateTime>>((ref) {
  return ref.watch(dbProvider).loadInstalledVersions();
 });
 /// Stream of notes for a specific email, identified by (accountId, messageId).
 final notesProvider =
    StreamProvider.autoDispose.family<List<EmailNote>, (String, String)>(
  (ref, params) =>
      ref.watch(noteRepositoryProvider).observeNotes(params.$1, params.$2),
 );
@@ -5,19 +5,30 @@ import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_riverpod/misc.dart' show Override;
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/services/notification_service.dart';
 import 'package:sharedinbox/core/sync/background_sync.dart';
 import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/router.dart';
 import 'package:sharedinbox/ui/screens/crash_screen.dart';
 import 'package:stack_trace/stack_trace.dart' as stack_trace;
-void main({List<Override> overrides = const []}) async {
+void main({List<Override> overrides = const []}) {
  unawaited(
    runZonedGuarded(
      () async {
        WidgetsFlutterBinding.ensureInitialized();
        // Dart's async machinery propagates stack traces in chain format
        // (with '===== asynchronous gap =====' separators). Flutter's
        // StackFrame parser asserts on those lines, so strip them first.
        FlutterError.demangleStackTrace = (StackTrace s) {
          if (s is stack_trace.Chain) return s.toTrace().vmTrace;
          if (s is stack_trace.Trace) return s.vmTrace;
          return s;
        };
        // Catch errors during build (e.g. layout exceptions) and show CrashScreen.
        ErrorWidget.builder = (details) => CrashScreen(
              exception: details.exception,
@@ -39,19 +50,35 @@ void main({List<Override> overrides = const []}) async {
        if (Platform.isAndroid) {
          await initNotifications();
          await registerBackgroundSync();
          await _registerPrefetchTaskFromStoredPrefs();
        }
        runApp(
          ProviderScope(overrides: overrides, child: const SharedInboxApp()),
        );
      },
-      (error, stack) {
+      // This handler runs in the parent zone — runApp cannot be called here.
-        // Catch unhandled async errors.
+      // Framework errors are already handled by FlutterError.onError above.
-        runApp(CrashScreen(exception: error, stackTrace: stack));
+      (error, stack) => FlutterError.reportError(
-      },
+        FlutterErrorDetails(exception: error, stack: stack),
      ),
    ),
  );
 }
 /// Reads the stored prefetch preference and registers the WorkManager task
 /// with the correct network constraint for it. Opens and immediately closes
 /// a temporary DB connection; safe because initDatabasePath() has already run.
 Future<void> _registerPrefetchTaskFromStoredPrefs() async {
  final db = AppDatabase();
  try {
    final row = await db.select(db.userPreferences).getSingleOrNull();
    final mode = PrefetchMode.fromString(row?.prefetchMode);
    await registerBodyPrefetchTask(mode);
  } finally {
    await db.close();
  }
 }
 class SharedInboxApp extends ConsumerStatefulWidget {
  const SharedInboxApp({super.key});
@@ -59,6 +86,8 @@ class SharedInboxApp extends ConsumerStatefulWidget {
  ConsumerState<SharedInboxApp> createState() => _SharedInboxAppState();
 }
 const _kGitHash = String.fromEnvironment('GIT_HASH');
 class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
  @override
  void initState() {
@@ -66,6 +95,11 @@ class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
    // Start background IMAP sync once — runs for the lifetime of the app.
    ref.read(syncManagerProvider).start();
    ref.read(reliabilityRunnerProvider).start();
    if (_kGitHash.isNotEmpty) {
      unawaited(
        ref.read(dbProvider).recordInstalledVersionIfNew(_kGitHash),
      );
    }
  }
  @override
@@ -75,6 +109,7 @@ class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
      theme: ThemeData(
        colorScheme: ColorScheme.fromSeed(seedColor: Colors.indigo),
        useMaterial3: true,
        splashFactory: NoSplash.splashFactory,
      ),
      darkTheme: ThemeData(
        colorScheme: ColorScheme.fromSeed(
@@ -82,6 +117,7 @@ class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
          brightness: Brightness.dark,
        ),
        useMaterial3: true,
        splashFactory: NoSplash.splashFactory,
      ),
      routerConfig: router,
    );
@@ -1,6 +1,7 @@
 import 'package:go_router/go_router.dart';
 import 'package:sharedinbox/core/models/sieve_script.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/ui/screens/about_screen.dart';
 import 'package:sharedinbox/ui/screens/account_list_screen.dart';
@@ -8,7 +9,9 @@ import 'package:sharedinbox/ui/screens/account_receive_screen.dart';
 import 'package:sharedinbox/ui/screens/account_send_screen.dart';
 import 'package:sharedinbox/ui/screens/add_account_screen.dart';
 import 'package:sharedinbox/ui/screens/address_emails_screen.dart';
 import 'package:sharedinbox/ui/screens/bug_report_screen.dart';
 import 'package:sharedinbox/ui/screens/changelog_screen.dart';
 import 'package:sharedinbox/ui/screens/combined_inbox_screen.dart';
 import 'package:sharedinbox/ui/screens/compose_screen.dart';
 import 'package:sharedinbox/ui/screens/edit_account_screen.dart';
 import 'package:sharedinbox/ui/screens/email_detail_screen.dart';
@@ -19,15 +22,22 @@ import 'package:sharedinbox/ui/screens/sieve_script_edit_screen.dart';
 import 'package:sharedinbox/ui/screens/sieve_scripts_screen.dart';
 import 'package:sharedinbox/ui/screens/sync_log_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
 import 'package:sharedinbox/ui/screens/trusted_image_senders_screen.dart';
 import 'package:sharedinbox/ui/screens/undo_log_detail_screen.dart';
 import 'package:sharedinbox/ui/screens/undo_log_screen.dart';
 import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
 import 'package:sharedinbox/ui/widgets/undo_shell.dart';
 final router = GoRouter(
-  initialLocation: '/accounts',
+  initialLocation: '/inbox',
  routes: [
    ShellRoute(
      builder: (ctx, state, child) => UndoShell(child: child),
      routes: [
        GoRoute(
          path: '/inbox',
          builder: (ctx, state) => const CombinedInboxScreen(),
        ),
        GoRoute(
          path: '/accounts',
          builder: (ctx, state) => const AccountListScreen(),
@@ -47,6 +57,14 @@ final router = GoRouter(
            GoRoute(
              path: 'undo-log',
              builder: (ctx, state) => const UndoLogScreen(),
              routes: [
                GoRoute(
                  path: ':actionId',
                  builder: (ctx, state) => UndoLogDetailScreen(
                    action: state.extra as UndoAction,
                  ),
                ),
              ],
            ),
            GoRoute(
              path: 'changelog',
@@ -56,6 +74,16 @@ final router = GoRouter(
              path: 'about',
              builder: (ctx, state) => const AboutScreen(),
            ),
            GoRoute(
              path: 'preferences',
              builder: (ctx, state) => const UserPreferencesScreen(),
            ),
            GoRoute(
              path: 'trusted-senders',
              builder: (ctx, state) => TrustedImageSendersScreen(
                highlightedSender: state.extra as String?,
              ),
            ),
            GoRoute(
              path: ':accountId/edit',
              builder: (ctx, state) => EditAccountScreen(
@@ -159,6 +187,12 @@ final router = GoRouter(
            );
          },
        ),
        GoRoute(
          path: '/bug-report',
          builder: (ctx, state) => BugReportScreen(
            emailId: state.uri.queryParameters['emailId'],
          ),
        ),
      ],
    ),
  ],
@@ -1,13 +1,14 @@
 import 'dart:async';
 import 'dart:io';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/utils/about_markdown.dart';
 import 'package:url_launcher/url_launcher.dart';
 class AboutScreen extends ConsumerStatefulWidget {
@@ -19,53 +20,22 @@ class AboutScreen extends ConsumerStatefulWidget {
 class _AboutScreenState extends ConsumerState<AboutScreen> {
  final Future<PackageInfo> _packageInfoFuture = PackageInfo.fromPlatform();
  late final Future<String?> _deviceModelFuture;
  late final Stream<List<Account>> _accountsStream;
-
+  String? _deviceModel;
  static const _gitHash = String.fromEnvironment('GIT_HASH');
  @override
  void initState() {
    super.initState();
    _accountsStream = ref.read(accountRepositoryProvider).observeAccounts();
    _deviceModelFuture = getDeviceModel();
    unawaited(
      _deviceModelFuture.then((model) {
        if (mounted) setState(() => _deviceModel = model);
      }),
    );
  }
  String _buildMarkdown(
    BuildContext context,
    PackageInfo? pkg,
    int imapCount,
    int jmapCount,
  ) {
    final size = MediaQuery.of(context).size;
    final pixelRatio = MediaQuery.of(context).devicePixelRatio;
    final physW = (size.width * pixelRatio).toInt();
    final physH = (size.height * pixelRatio).toInt();
    final version =
        pkg != null ? '${pkg.version}+${pkg.buildNumber}' : 'unknown';
    final versionDisplay = _gitHash.isNotEmpty
        ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)'
        : version;
    final osName = _capitalize(Platform.operatingSystem);
    final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
    return '## sharedinbox.de\n\n'
        '| Property | Value |\n'
        '|----------|-------|\n'
        '| App Version | $versionDisplay |\n'
        '| Platform | ${Platform.operatingSystem} |\n'
        '| $osName Version | ${Platform.operatingSystemVersion} |\n'
        '| Resolution | ${physW}x$physH px'
        ' (logical: ${size.width.toInt()}x${size.height.toInt()} pt,'
        ' ratio: ${pixelRatio.toStringAsFixed(1)}x) |\n'
        '| Dart Version | ${Platform.version.split(' ').first} |\n'
        '| Processors | ${Platform.numberOfProcessors} |\n'
        '| Dark Mode | ${isDark ? 'yes' : 'no'} |\n'
        '| IMAP Accounts | $imapCount |\n'
        '| JMAP Accounts | $jmapCount |\n';
  }
  static String _capitalize(String s) =>
      s.isEmpty ? s : '${s[0].toUpperCase()}${s.substring(1)}';
  Future<void> _copyToClipboard(
    BuildContext context,
    int imapCount,
@@ -75,10 +45,20 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    try {
      pkg = await _packageInfoFuture;
    } catch (_) {}
    String? deviceModel;
    try {
      deviceModel = await _deviceModelFuture;
    } catch (_) {}
    if (!context.mounted) return;
    await Clipboard.setData(
      ClipboardData(
-        text: _buildMarkdown(context, pkg, imapCount, jmapCount),
+        text: buildAboutMarkdown(
          context: context,
          pkg: pkg,
          imapCount: imapCount,
          jmapCount: jmapCount,
          deviceModel: deviceModel,
        ),
      ),
    );
    if (context.mounted) {
@@ -91,6 +71,32 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    }
  }
  Future<void> _launchUrl(BuildContext context, Uri url) async {
    try {
      final launched = await launchUrl(
        url,
        mode: LaunchMode.externalApplication,
      );
      if (!launched && context.mounted) {
        ScaffoldMessenger.of(context).showSnackBar(
          const SnackBar(
            duration: Duration(seconds: 5),
            content: Text('Could not open browser.'),
          ),
        );
      }
    } catch (e) {
      if (context.mounted) {
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(
            duration: const Duration(seconds: 5),
            content: Text('Error: $e'),
          ),
        );
      }
    }
  }
  Future<void> _createIssue(
    BuildContext context,
    int imapCount,
@@ -100,16 +106,28 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    try {
      pkg = await _packageInfoFuture;
    } catch (_) {}
    String? deviceModel;
    try {
      deviceModel = await _deviceModelFuture;
    } catch (_) {}
    if (!context.mounted) return;
    final body = Uri.encodeComponent(
-      _buildMarkdown(context, pkg, imapCount, jmapCount),
+      buildAboutMarkdown(
        context: context,
        pkg: pkg,
        imapCount: imapCount,
        jmapCount: jmapCount,
        deviceModel: deviceModel,
      ),
    );
    final url = Uri.parse(
      'https://codeberg.org/guettli/sharedinbox/issues/new?body=$body',
    );
    try {
-      final launched =
+      final launched = await launchUrl(
-          await launchUrl(url, mode: LaunchMode.externalApplication);
+        url,
        mode: LaunchMode.externalApplication,
      );
      if (!launched && context.mounted) {
        ScaffoldMessenger.of(context).showSnackBar(
          const SnackBar(
@@ -153,21 +171,17 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
                      return const Center(child: CircularProgressIndicator());
                    }
                    return Markdown(
-                      data: _buildMarkdown(
+                      data: buildAboutMarkdown(
-                        context,
+                        context: context,
-                        snapshot.data,
+                        pkg: snapshot.data,
-                        imapCount,
+                        imapCount: imapCount,
-                        jmapCount,
+                        jmapCount: jmapCount,
                        deviceModel: _deviceModel,
                      ),
                      selectable: true,
                      onTapLink: (text, href, title) {
                        if (href != null) {
-                          unawaited(
+                          unawaited(_launchUrl(context, Uri.parse(href)));
                            launchUrl(
                              Uri.parse(href),
                              mode: LaunchMode.externalApplication,
                            ),
                          );
                        }
                      },
                    );
@@ -184,22 +198,30 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
                    Expanded(
                      child: OutlinedButton.icon(
                        icon: const Icon(Icons.copy),
-                        label: const Text('Copy to clipboard'),
+                        label: const Text('Copy info'),
                        onPressed: () => unawaited(
                          _copyToClipboard(context, imapCount, jmapCount),
                        ),
                      ),
                    ),
-                    const SizedBox(width: 8),
+                    const SizedBox(width: 4),
                    Expanded(
-                      child: FilledButton.icon(
+                      child: OutlinedButton.icon(
-                        icon: const Icon(Icons.bug_report),
+                        icon: const Icon(Icons.bug_report_outlined),
-                        label: const Text('Create issue'),
+                        label: const Text('Public issue'),
                        onPressed: () => unawaited(
                          _createIssue(context, imapCount, jmapCount),
                        ),
                      ),
                    ),
                    const SizedBox(width: 4),
                    Expanded(
                      child: FilledButton.icon(
                        icon: const Icon(Icons.feedback_outlined),
                        label: const Text('Report bug'),
                        onPressed: () => context.push('/bug-report'),
                      ),
                    ),
                  ],
                ),
              ),
@@ -1,4 +1,5 @@
 import 'dart:async';
 import 'dart:convert';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
@@ -66,6 +67,14 @@ class AccountListScreen extends ConsumerWidget {
                unawaited(context.push('/accounts/about'));
              },
            ),
            ListTile(
              leading: const Icon(Icons.settings),
              title: const Text('Preferences'),
              onTap: () {
                Navigator.pop(context); // Close drawer
                unawaited(context.push('/accounts/preferences'));
              },
            ),
          ],
        ),
      ),
@@ -111,20 +120,80 @@ class _AccountTile extends ConsumerWidget {
    final health = ref.watch(syncHealthProvider(account.id));
    final typeLabel = account.type == AccountType.jmap ? 'JMAP' : 'IMAP';
-    return ListTile(
+    return Column(
-      leading: const Icon(Icons.account_circle),
+      crossAxisAlignment: CrossAxisAlignment.start,
-      title: Text(account.displayName),
+      children: [
-      subtitle: Column(
+        ListTile(
-        crossAxisAlignment: CrossAxisAlignment.start,
+          leading: const Icon(Icons.account_circle),
-        children: [
+          title: Text(account.displayName),
-          Text('${account.email}\n$typeLabel'),
+          subtitle: Text('${account.email}\n$typeLabel'),
-          const SizedBox(height: 4),
+          isThreeLine: true,
-          health.when(
+          trailing: Row(
            mainAxisSize: MainAxisSize.min,
            children: [
              status.when(
                loading: () => const SizedBox(
                  width: 20,
                  height: 20,
                  child: CircularProgressIndicator(strokeWidth: 2),
                ),
                data: (_) =>
                    const Icon(Icons.check_circle, color: Colors.green),
                error: (e, _) => Tooltip(
                  message: e.toString(),
                  child: const Icon(Icons.error_outline, color: Colors.red),
                ),
              ),
              PopupMenuButton<_AccountAction>(
                onSelected: (action) => _onAction(context, action),
                itemBuilder: (_) => [
                  const PopupMenuItem(
                    value: _AccountAction.syncLog,
                    child: Text('Sync log'),
                  ),
                  const PopupMenuItem(
                    value: _AccountAction.verifySync,
                    child: Text('Verify sync health'),
                  ),
                  const PopupMenuItem(
                    value: _AccountAction.forceSync,
                    child: Text('Force full sync'),
                  ),
                  const PopupMenuItem(
                    value: _AccountAction.edit,
                    child: Text('Edit'),
                  ),
                  if (_sieveSupported(account))
                    const PopupMenuItem(
                      value: _AccountAction.emailFiltersRemote,
                      child: Text('Server email filters'),
                    ),
                  const PopupMenuItem(
                    value: _AccountAction.emailFiltersLocal,
                    child: Text('Local email filters'),
                  ),
                  const PopupMenuItem(
                    value: _AccountAction.send,
                    child: Text('Send accounts'),
                  ),
                  const PopupMenuDivider(),
                  const PopupMenuItem(
                    value: _AccountAction.delete,
                    child: Text('Delete'),
                  ),
                ],
              ),
            ],
          ),
          onTap: () => context.push('/accounts/${account.id}/mailboxes'),
        ),
        Padding(
          padding: const EdgeInsets.fromLTRB(72, 0, 16, 8),
          child: health.when(
            data: (h) {
              if (h == null) return const Text('Sync health: Not verified yet');
              final date = h.lastVerifiedAt.toLocal().toString().split('.')[0];
              return Row(
                mainAxisSize: MainAxisSize.min,
                children: [
                  const Text('Sync health: '),
                  Icon(
@@ -133,7 +202,13 @@ class _AccountTile extends ConsumerWidget {
                    color: h.isHealthy ? Colors.green : Colors.orange,
                  ),
                  const SizedBox(width: 4),
-                  Text(h.isHealthy ? 'Healthy' : 'Discrepancies found'),
+                  Expanded(
                    child: Text(
                      h.isHealthy
                          ? 'Healthy'
                          : _formatDiscrepancies(h.discrepancySummary),
                    ),
                  ),
                  Text(' ($date)', style: const TextStyle(fontSize: 10)),
                ],
              );
@@ -141,66 +216,8 @@ class _AccountTile extends ConsumerWidget {
            loading: () => const Text('Sync health: checking...'),
            error: (e, _) => Text('Sync health error: $e'),
          ),
-        ],
+        ),
-      ),
+      ],
      isThreeLine: true,
      trailing: Row(
        mainAxisSize: MainAxisSize.min,
        children: [
          status.when(
            loading: () => const SizedBox(
              width: 20,
              height: 20,
              child: CircularProgressIndicator(strokeWidth: 2),
            ),
            data: (_) => const Icon(Icons.check_circle, color: Colors.green),
            error: (e, _) => Tooltip(
              message: e.toString(),
              child: const Icon(Icons.error_outline, color: Colors.red),
            ),
          ),
          PopupMenuButton<_AccountAction>(
            onSelected: (action) => _onAction(context, action),
            itemBuilder: (_) => [
              const PopupMenuItem(
                value: _AccountAction.syncLog,
                child: Text('Sync log'),
              ),
              const PopupMenuItem(
                value: _AccountAction.verifySync,
                child: Text('Verify sync health'),
              ),
              const PopupMenuItem(
                value: _AccountAction.forceSync,
                child: Text('Force full sync'),
              ),
              const PopupMenuItem(
                value: _AccountAction.edit,
                child: Text('Edit'),
              ),
              if (_sieveSupported(account))
                const PopupMenuItem(
                  value: _AccountAction.emailFiltersRemote,
                  child: Text('Server email filters'),
                ),
              const PopupMenuItem(
                value: _AccountAction.emailFiltersLocal,
                child: Text('Local email filters'),
              ),
              const PopupMenuItem(
                value: _AccountAction.send,
                child: Text('Send accounts'),
              ),
              const PopupMenuDivider(),
              const PopupMenuItem(
                value: _AccountAction.delete,
                child: Text('Delete'),
              ),
            ],
          ),
        ],
      ),
      onTap: () => context.push('/accounts/${account.id}/mailboxes'),
    );
  }
@@ -293,6 +310,30 @@ class _AccountTile extends ConsumerWidget {
  }
 }
 String _formatDiscrepancies(String? summary) {
  if (summary == null) return 'Discrepancies found';
  try {
    final decoded = jsonDecode(summary) as Map<String, dynamic>;
    var missingLocally = 0;
    var missingOnServer = 0;
    var flagMismatches = 0;
    for (final v in decoded.values) {
      final m = v as Map<String, dynamic>;
      missingLocally += (m['missingLocally'] as int? ?? 0);
      missingOnServer += (m['missingOnServer'] as int? ?? 0);
      flagMismatches += (m['flagMismatches'] as int? ?? 0);
    }
    final parts = <String>[];
    if (missingLocally > 0) parts.add('missing locally: $missingLocally');
    if (missingOnServer > 0) parts.add('missing on server: $missingOnServer');
    if (flagMismatches > 0) parts.add('flag mismatches: $flagMismatches');
    if (parts.isEmpty) return 'Discrepancies found';
    return 'Discrepancies found (${parts.join(', ')})';
  } catch (_) {
    return 'Discrepancies found';
  }
 }
 class _OnboardingView extends StatelessWidget {
  const _OnboardingView();
@@ -32,11 +32,15 @@ enum _Step { generatingKey, showingPubKey, scanning, importing, done, error }
 class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
  _Step _step = _Step.generatingKey;
  ShareKeyMaterial? _keyMaterial;
  DateTime? _keyExpiresAt;
  String? _pubKeyQr;
  String? _errorMessage;
  bool _scannerActive = false;
  MobileScannerController? _scannerController;
  // True when the scanner plugin fails to initialise at runtime (e.g.
  // MissingPluginException on some Android builds).
  bool _scannerFailed = false;
  @override
  void initState() {
@@ -61,6 +65,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
      );
      setState(() {
        _keyMaterial = material;
        _keyExpiresAt = DateTime.now().toUtc().add(const Duration(minutes: 20));
        _pubKeyQr = qr;
        _step = _Step.showingPubKey;
      });
@@ -76,8 +81,37 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
    setState(() {
      _step = _Step.scanning;
      _scannerActive = true;
      _scannerController = MobileScannerController();
    });
    if (_cameraScanSupported()) {
      unawaited(_initScanner());
    }
  }
  // Pre-flight: probe the scanner's permission-state method to verify the
  // plugin is registered.  MissingPluginException is thrown on Android builds
  // where the plugin is not linked (issue #204).  All other exceptions mean
  // the plugin exists but something else failed — the MobileScanner widget
  // will surface those via its own error builder.
  Future<void> _initScanner() async {
    bool available = false;
    try {
      await const MethodChannel(
        'dev.steenbakker.mobile_scanner/scanner/method',
      ).invokeMethod<int>('state');
      available = true;
    } on MissingPluginException {
      // Plugin not registered on this device; text fallback will be shown.
    } catch (_) {
      // Plugin registered but state check failed; let the scanner widget
      // handle it via its errorBuilder.
      available = true;
    }
    if (!mounted) return;
    if (available) {
      setState(() => _scannerController = MobileScannerController());
    } else {
      setState(() => _scannerFailed = true);
    }
  }
  Future<void> _onScanned(String rawValue) async {
@@ -185,11 +219,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
            ),
          ),
        _Step.done => const Center(
-            child: Icon(
+            child: Icon(Icons.check_circle, size: 64, color: Colors.green),
              Icons.check_circle,
              size: 64,
              color: Colors.green,
            ),
          ),
        _Step.error => Center(
            child: Padding(
@@ -244,7 +274,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
            },
          ),
          const SizedBox(height: 8),
-          const _ExpiryHint(),
+          _ExpiryHint(expiresAt: _keyExpiresAt!),
          const SizedBox(height: 32),
          if (_errorMessage != null) ...[
            Text(
@@ -266,11 +296,14 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
  }
  Widget _buildScannerView(BuildContext context) {
-    // On platforms where the camera scanner is not available (Linux desktop),
+    // Fall back to text input when the platform has no camera support or when
-    // fall back to a text-input field.
+    // the scanner plugin fails to initialise at runtime (MissingPluginException).
-    if (!_cameraScanSupported()) {
+    if (!_cameraScanSupported() || _scannerFailed) {
      return _buildTextFallbackView(context);
    }
    if (_scannerController == null) {
      return const Center(child: CircularProgressIndicator());
    }
    return Stack(
      children: [
@@ -371,8 +404,37 @@ bool _cameraScanSupported() =>
    Platform.isMacOS ||
    Platform.isWindows;
-class _ExpiryHint extends StatelessWidget {
+class _ExpiryHint extends StatefulWidget {
-  const _ExpiryHint();
+  const _ExpiryHint({required this.expiresAt});
  final DateTime expiresAt;
  @override
  State<_ExpiryHint> createState() => _ExpiryHintState();
 }
 class _ExpiryHintState extends State<_ExpiryHint> {
  late Timer _timer;
  @override
  void initState() {
    super.initState();
    _timer = Timer.periodic(const Duration(seconds: 1), (_) => setState(() {}));
  }
  @override
  void dispose() {
    _timer.cancel();
    super.dispose();
  }
  String _formatRemaining() {
    final remaining = widget.expiresAt.difference(DateTime.now().toUtc());
    if (remaining.isNegative) return 'expired';
    final minutes = remaining.inMinutes;
    final seconds = remaining.inSeconds % 60;
    return '${minutes.toString().padLeft(2, '0')}:${seconds.toString().padLeft(2, '0')}';
  }
  @override
  Widget build(BuildContext context) {
@@ -382,7 +444,7 @@ class _ExpiryHint extends StatelessWidget {
        Icon(Icons.timer_outlined, size: 14, color: Colors.grey[600]),
        const SizedBox(width: 4),
        Text(
-          'This key expires in 20 minutes',
+          'This key expires in ${_formatRemaining()}',
          style: TextStyle(fontSize: 12, color: Colors.grey[600]),
        ),
      ],
@@ -45,12 +45,42 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
  bool _scannerActive = true;
  MobileScannerController? _scannerController;
  // True when the scanner plugin fails to initialise at runtime (e.g.
  // MissingPluginException on some Android builds).
  bool _scannerFailed = false;
  @override
  void initState() {
    super.initState();
    if (_cameraScanSupported()) {
-      _scannerController = MobileScannerController();
+      unawaited(_initScanner());
    }
  }
  // Pre-flight: probe the scanner's permission-state method to verify the
  // plugin is registered.  MissingPluginException is thrown on Android builds
  // where the plugin is not linked (issue #204).  All other exceptions mean
  // the plugin exists but something else failed — the MobileScanner widget
  // will surface those via its own error builder.
  Future<void> _initScanner() async {
    bool available = false;
    try {
      await const MethodChannel(
        'dev.steenbakker.mobile_scanner/scanner/method',
      ).invokeMethod<int>('state');
      available = true;
    } on MissingPluginException {
      // Plugin not registered on this device; text fallback will be shown.
    } catch (_) {
      // Plugin registered but state check failed; let the scanner widget
      // handle it via its errorBuilder.
      available = true;
    }
    if (!mounted) return;
    if (available) {
      setState(() => _scannerController = MobileScannerController());
    } else {
      setState(() => _scannerFailed = true);
    }
  }
@@ -128,10 +158,7 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
    for (final account in selected) {
      final password = await repo.getPassword(account.id);
      payloads.add(
-        AccountPayload(
+        AccountPayload(accountJson: account.toJson(), password: password),
          accountJson: account.toJson(),
          password: password,
        ),
      );
    }
@@ -178,9 +205,12 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
  }
  Widget _buildScanStep(BuildContext context) {
-    if (!_cameraScanSupported()) {
+    if (!_cameraScanSupported() || _scannerFailed) {
      return _buildTextFallbackView(context);
    }
    if (_scannerController == null) {
      return const Center(child: CircularProgressIndicator());
    }
    return Stack(
      children: [
@@ -328,9 +358,7 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
              unawaited(Clipboard.setData(ClipboardData(text: _encryptedQr!)));
              ScaffoldMessenger.of(context).showSnackBar(
                const SnackBar(
-                  content: Text(
+                  content: Text('Encrypted code copied to clipboard'),
                    'Encrypted code copied to clipboard',
                  ),
                ),
              );
            },
@@ -0,0 +1,635 @@
 import 'dart:async';
 import 'dart:convert';
 import 'package:file_picker/file_picker.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:http/http.dart' as http;
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/utils/about_markdown.dart';
 const _bugReportApiUrl = String.fromEnvironment(
  'BUG_REPORT_API_URL',
  defaultValue: 'https://sharedinbox.de/api/v1/bug-reports',
 );
 class BugReportScreen extends ConsumerStatefulWidget {
  const BugReportScreen({super.key, this.emailId});
  final String? emailId;
  @override
  ConsumerState<BugReportScreen> createState() => _BugReportScreenState();
 }
 class _BugReportScreenState extends ConsumerState<BugReportScreen> {
  final _formKey = GlobalKey<FormState>();
  final _descriptionController = TextEditingController();
  final _emailController = TextEditingController();
  final Future<PackageInfo> _packageInfoFuture = PackageInfo.fromPlatform();
  late final Future<String?> _deviceModelFuture = getDeviceModel();
  final List<PlatformFile> _attachments = [];
  bool _includeEmail = false;
  bool _includeSyncLog = false;
  bool _submitting = false;
  Email? _attachedEmail;
  List<Account> _accounts = [];
  String? _selectedAccountId;
  String? _deviceModel;
  bool _loadingEmail = false;
  @override
  void initState() {
    super.initState();
    unawaited(_loadInitialData());
  }
  @override
  void dispose() {
    _descriptionController.dispose();
    _emailController.dispose();
    super.dispose();
  }
  Future<void> _loadInitialData() async {
    setState(() => _loadingEmail = true);
    try {
      _deviceModel = await _deviceModelFuture;
      _accounts =
          await ref.read(accountRepositoryProvider).observeAccounts().first;
      if (widget.emailId != null) {
        final email =
            await ref.read(emailRepositoryProvider).getEmail(widget.emailId!);
        if (mounted && email != null) {
          _attachedEmail = email;
          _selectedAccountId = email.accountId;
          final fromStr =
              email.from.isNotEmpty ? email.from.first.toString() : 'unknown';
          final subjectStr = email.subject ?? '(no subject)';
          _descriptionController.text =
              'Problem with email from $fromStr: "$subjectStr"\n\n';
        }
      }
      if (_selectedAccountId == null && _accounts.isNotEmpty) {
        _selectedAccountId = _accounts.first.id;
      }
      if (_selectedAccountId != null) {
        final matching =
            _accounts.where((a) => a.id == _selectedAccountId).firstOrNull;
        if (matching != null) {
          _emailController.text = matching.email;
        }
      }
    } catch (_) {}
    if (mounted) {
      setState(() => _loadingEmail = false);
    }
  }
  int get _totalAttachmentSize {
    return _attachments.fold(0, (sum, f) => sum + f.size);
  }
  String _formatSize(int bytes) {
    if (bytes < 1024) return '$bytes B';
    if (bytes < 1024 * 1024) return '${(bytes / 1024).toStringAsFixed(1)} KB';
    return '${(bytes / (1024 * 1024)).toStringAsFixed(2)} MB';
  }
  Future<void> _pickAttachments() async {
    try {
      final result = await FilePicker.pickFiles();
      if (result == null) return;
      final newFiles =
          result.files.where((PlatformFile f) => f.path != null).toList();
      if (!mounted) return;
      setState(() {
        _attachments.addAll(newFiles);
      });
    } catch (e) {
      if (mounted) {
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(content: Text('Failed to pick files: $e')),
        );
      }
    }
  }
  void _removeAttachment(int index) {
    setState(() {
      _attachments.removeAt(index);
    });
  }
  String _serializeSyncLogs(List<SyncLogEntry> entries) {
    final sb = StringBuffer();
    for (final entry in entries.take(50)) {
      sb.writeln('ID: ${entry.id}');
      sb.writeln('Started: ${entry.startedAt.toIso8601String()}');
      sb.writeln('Finished: ${entry.finishedAt.toIso8601String()}');
      sb.writeln('Result: ${entry.result}');
      if (entry.errorMessage != null) {
        sb.writeln('Error: ${entry.errorMessage}');
      }
      if (entry.stackTrace != null) {
        sb.writeln('StackTrace:\n${entry.stackTrace}');
      }
      sb.writeln('Protocol: ${entry.protocol}');
      sb.writeln(
        'Fetched: ${entry.emailsFetched}, Skipped: ${entry.emailsSkipped}',
      );
      if (entry.protocolLog != null) {
        sb.writeln('Protocol Log:\n${entry.protocolLog}');
      }
      sb.writeln('---');
    }
    return sb.toString();
  }
  Future<void> _submitReport() async {
    if (!_formKey.currentState!.validate()) return;
    final totalSize = _totalAttachmentSize;
    if (totalSize > 20 * 1024 * 1024) {
      ScaffoldMessenger.of(context).showSnackBar(
        const SnackBar(
          content: Text(
            'Total attachments size exceeds the 20 MB limit. Please remove some files.',
          ),
          backgroundColor: Colors.red,
        ),
      );
      return;
    }
    setState(() => _submitting = true);
    try {
      final client = ref.read(httpClientProvider);
      final uri = Uri.parse(_bugReportApiUrl);
      final request = http.MultipartRequest('POST', uri);
      // Description
      request.fields['description'] = _descriptionController.text;
      // Email Data if from email view
      if (_attachedEmail != null) {
        final emailMap = {
          'id': _attachedEmail!.id,
          'subject': _attachedEmail!.subject,
          'from': _attachedEmail!.from.map((e) => e.toString()).toList(),
          'date': _attachedEmail!.sentAt?.toIso8601String() ??
              _attachedEmail!.receivedAt.toIso8601String(),
          'preview': _attachedEmail!.preview,
        };
        request.fields['email_data'] = jsonEncode(emailMap);
      }
      // Contact Email
      if (_includeEmail) {
        request.fields['email'] = _emailController.text;
      }
      // About Info
      PackageInfo? pkg;
      try {
        pkg = await _packageInfoFuture;
      } catch (_) {}
      final imapCount =
          _accounts.where((a) => a.type == AccountType.imap).length;
      final jmapCount =
          _accounts.where((a) => a.type == AccountType.jmap).length;
      if (!mounted) return;
      final aboutInfo = buildAboutMarkdown(
        context: context,
        pkg: pkg,
        imapCount: imapCount,
        jmapCount: jmapCount,
        deviceModel: _deviceModel,
      );
      request.fields['about_info'] = aboutInfo;
      // Sync Log
      if (_includeSyncLog && _selectedAccountId != null) {
        final syncLogs = await ref
            .read(syncLogRepositoryProvider)
            .observeSyncLogs(_selectedAccountId!)
            .first;
        request.fields['sync_log'] = _serializeSyncLogs(syncLogs);
      }
      // Attachments
      for (final file in _attachments) {
        final multipartFile = await http.MultipartFile.fromPath(
          'attachments[]',
          file.path!,
          filename: file.name,
        );
        request.files.add(multipartFile);
      }
      final streamedResponse = await client.send(request);
      final response = await http.Response.fromStream(streamedResponse);
      if (!mounted) return;
      if (response.statusCode == 201) {
        final resData = jsonDecode(response.body) as Map<String, dynamic>;
        final reportId = resData['id'] as String;
        _showSuccessDialog(reportId);
      } else if (response.statusCode == 429) {
        final retryAfter = response.headers['retry-after'] ?? '6';
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(
            content: Text('Rate limited. Please retry in $retryAfter seconds.'),
            backgroundColor: Colors.orange,
          ),
        );
      } else {
        String errorMsg =
            'Failed to submit report. Server returned status: ${response.statusCode}';
        try {
          final resData = jsonDecode(response.body) as Map<String, dynamic>;
          if (resData['error'] != null) {
            errorMsg = resData['error'] as String;
          }
        } catch (_) {}
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(
            content: Text(errorMsg),
            backgroundColor: Colors.red,
          ),
        );
      }
    } catch (e) {
      if (mounted) {
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(
            content: Text('An error occurred: $e'),
            backgroundColor: Colors.red,
          ),
        );
      }
    } finally {
      if (mounted) {
        setState(() => _submitting = false);
      }
    }
  }
  void _showSuccessDialog(String reportId) {
    unawaited(
      showDialog<void>(
        context: context,
        barrierDismissible: false,
        builder: (context) {
          return AlertDialog(
            title: const Text('Bug Report Submitted'),
            content: SingleChildScrollView(
              child: ListBody(
                children: [
                  const Text('Thank you for helping us improve SharedInbox!'),
                  const SizedBox(height: 12),
                  Text(
                    'Your Report ID is:\n$reportId',
                    style: const TextStyle(fontWeight: FontWeight.bold),
                    textAlign: TextAlign.center,
                  ),
                  const SizedBox(height: 12),
                  const Text(
                    'Your report is handled confidentially and has not been posted to the public issue tracker.',
                  ),
                ],
              ),
            ),
            actions: [
              TextButton(
                onPressed: () {
                  Navigator.of(context).pop(); // Dismiss dialog
                  context.pop(); // Go back to previous screen
                },
                child: const Text('Close'),
              ),
            ],
          );
        },
      ),
    );
  }
  @override
  Widget build(BuildContext context) {
    final theme = Theme.of(context);
    final totalSize = _totalAttachmentSize;
    const sizeLimit = 20 * 1024 * 1024;
    final approachingLimit = totalSize > 15 * 1024 * 1024;
    return Scaffold(
      appBar: AppBar(
        title: const Text('Report a Bug'),
      ),
      body: _loadingEmail
          ? const Center(child: CircularProgressIndicator())
          : Form(
              key: _formKey,
              child: ListView(
                padding: const EdgeInsets.all(16.0),
                children: [
                  // Confidentiality info card
                  Card(
                    elevation: 0,
                    color: theme.colorScheme.secondaryContainer
                        .withValues(alpha: 0.4),
                    shape: RoundedRectangleBorder(
                      side: BorderSide(
                        color:
                            theme.colorScheme.secondary.withValues(alpha: 0.4),
                      ),
                      borderRadius: BorderRadius.circular(12),
                    ),
                    child: Padding(
                      padding: const EdgeInsets.all(16.0),
                      child: Row(
                        children: [
                          Icon(
                            Icons.lock_outline,
                            color: theme.colorScheme.secondary,
                          ),
                          const SizedBox(width: 16),
                          const Expanded(
                            child: Text(
                              'Your report is handled confidentially and will not be posted to the public issue tracker.',
                              style: TextStyle(height: 1.3),
                            ),
                          ),
                        ],
                      ),
                    ),
                  ),
                  const SizedBox(height: 20),
                  // Description Text Field
                  TextFormField(
                    controller: _descriptionController,
                    autofocus: true,
                    maxLines: 8,
                    minLines: 4,
                    decoration: const InputDecoration(
                      labelText: 'What went wrong?',
                      alignLabelWithHint: true,
                      border: OutlineInputBorder(),
                      helperText:
                          'Please describe the problem and how to reproduce it.',
                    ),
                    validator: (value) {
                      if (value == null || value.trim().isEmpty) {
                        return 'Please enter a description.';
                      }
                      return null;
                    },
                  ),
                  const SizedBox(height: 20),
                  // Email info chip if email is attached
                  if (_attachedEmail != null) ...[
                    Card(
                      elevation: 0,
                      color: theme.colorScheme.surfaceContainerHighest,
                      child: Padding(
                        padding: const EdgeInsets.symmetric(
                          horizontal: 12.0,
                          vertical: 8.0,
                        ),
                        child: Row(
                          children: [
                            Icon(
                              Icons.email_outlined,
                              size: 20,
                              color: theme.colorScheme.primary,
                            ),
                            const SizedBox(width: 12),
                            const Expanded(
                              child: Text(
                                'The current email metadata will be attached automatically.',
                                style: TextStyle(fontSize: 13),
                              ),
                            ),
                          ],
                        ),
                      ),
                    ),
                    const SizedBox(height: 16),
                  ],
                  // Attachments Section
                  Text(
                    'Attachments',
                    style: theme.textTheme.titleMedium,
                  ),
                  const SizedBox(height: 8),
                  Row(
                    crossAxisAlignment: CrossAxisAlignment.start,
                    children: [
                      OutlinedButton.icon(
                        onPressed: _submitting ? null : _pickAttachments,
                        icon: const Icon(Icons.add_a_photo_outlined),
                        label: const Text('Add screenshots'),
                      ),
                      const SizedBox(width: 16),
                      const Expanded(
                        child: Text(
                          'Screenshots help us understand the problem faster.',
                          style: TextStyle(fontSize: 12, color: Colors.grey),
                        ),
                      ),
                    ],
                  ),
                  if (_attachments.isNotEmpty) ...[
                    const SizedBox(height: 12),
                    SizedBox(
                      height: 48,
                      child: ListView.builder(
                        scrollDirection: Axis.horizontal,
                        itemCount: _attachments.length,
                        itemBuilder: (context, index) {
                          final file = _attachments[index];
                          return Padding(
                            padding: const EdgeInsets.only(right: 8.0),
                            child: InputChip(
                              label: Text(
                                '${file.name} (${_formatSize(file.size)})',
                              ),
                              onDeleted: _submitting
                                  ? null
                                  : () => _removeAttachment(index),
                            ),
                          );
                        },
                      ),
                    ),
                    const SizedBox(height: 8),
                    Row(
                      children: [
                        Text(
                          'Total Attachment Size: ${_formatSize(totalSize)} / ${_formatSize(sizeLimit)}',
                          style: TextStyle(
                            fontSize: 12,
                            color: totalSize > sizeLimit
                                ? Colors.red
                                : approachingLimit
                                    ? Colors.orange
                                    : Colors.grey,
                            fontWeight: approachingLimit
                                ? FontWeight.bold
                                : FontWeight.normal,
                          ),
                        ),
                        if (totalSize > sizeLimit) ...[
                          const SizedBox(width: 8),
                          const Icon(
                            Icons.error_outline,
                            size: 16,
                            color: Colors.red,
                          ),
                        ],
                      ],
                    ),
                  ],
                  const SizedBox(height: 24),
                  // Email opt-in
                  CheckboxListTile(
                    title: const Text('Include my email for follow-up'),
                    value: _includeEmail,
                    onChanged: _submitting
                        ? null
                        : (val) {
                            setState(() => _includeEmail = val ?? false);
                          },
                    controlAffinity: ListTileControlAffinity.leading,
                    contentPadding: EdgeInsets.zero,
                  ),
                  if (_includeEmail) ...[
                    Padding(
                      padding: const EdgeInsets.only(bottom: 16.0),
                      child: TextFormField(
                        controller: _emailController,
                        keyboardType: TextInputType.emailAddress,
                        decoration: const InputDecoration(
                          labelText: 'Contact Email Address',
                          border: OutlineInputBorder(),
                        ),
                        validator: (value) {
                          if (_includeEmail &&
                              (value == null || value.trim().isEmpty)) {
                            return 'Please enter an email address.';
                          }
                          return null;
                        },
                      ),
                    ),
                  ],
                  // Sync log opt-in
                  if (_selectedAccountId != null) ...[
                    CheckboxListTile(
                      title: const Text('Include recent sync log'),
                      subtitle: const Text(
                        'Helps diagnose connection and protocol issues.',
                      ),
                      value: _includeSyncLog,
                      onChanged: _submitting
                          ? null
                          : (val) {
                              setState(() => _includeSyncLog = val ?? false);
                            },
                      controlAffinity: ListTileControlAffinity.leading,
                      contentPadding: EdgeInsets.zero,
                    ),
                    const SizedBox(height: 12),
                  ],
                  // System info section
                  FutureBuilder<PackageInfo>(
                    future: _packageInfoFuture,
                    builder: (context, snapshot) {
                      final imapCount = _accounts
                          .where((a) => a.type == AccountType.imap)
                          .length;
                      final jmapCount = _accounts
                          .where((a) => a.type == AccountType.jmap)
                          .length;
                      final aboutMd = buildAboutMarkdown(
                        context: context,
                        pkg: snapshot.data,
                        imapCount: imapCount,
                        jmapCount: jmapCount,
                        deviceModel: _deviceModel,
                      );
                      return Card(
                        elevation: 0,
                        shape: RoundedRectangleBorder(
                          side: BorderSide(
                            color: theme.dividerColor.withValues(alpha: 0.1),
                          ),
                          borderRadius: BorderRadius.circular(8),
                        ),
                        child: ExpansionTile(
                          title: const Text(
                            'System Info (attached automatically)',
                            style: TextStyle(fontSize: 14),
                          ),
                          children: [
                            Padding(
                              padding: const EdgeInsets.all(12.0),
                              child: Align(
                                alignment: Alignment.topLeft,
                                child: MarkdownBody(data: aboutMd),
                              ),
                            ),
                          ],
                        ),
                      );
                    },
                  ),
                  const SizedBox(height: 32),
                  // Submit Button
                  FilledButton(
                    onPressed: _submitting ? null : _submitReport,
                    child: Padding(
                      padding: const EdgeInsets.symmetric(vertical: 12.0),
                      child: _submitting
                          ? const SizedBox(
                              height: 20,
                              width: 20,
                              child: CircularProgressIndicator(
                                strokeWidth: 2,
                                color: Colors.white,
                              ),
                            )
                          : const Text(
                              'Send Bug Report',
                              style: TextStyle(fontSize: 16),
                            ),
                    ),
                  ),
                ],
              ),
            ),
    );
  }
 }
@@ -1,21 +1,91 @@
 import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart' show rootBundle;
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:url_launcher/url_launcher.dart';
-class ChangeLogScreen extends StatelessWidget {
+class ChangeLogScreen extends ConsumerWidget {
  const ChangeLogScreen({super.key});
  static const _months = [
    'Jan',
    'Feb',
    'Mar',
    'Apr',
    'May',
    'Jun',
    'Jul',
    'Aug',
    'Sep',
    'Oct',
    'Nov',
    'Dec',
  ];
  static String _formatInstallDate(DateTime dt) {
    final h = dt.hour.toString().padLeft(2, '0');
    final m = dt.minute.toString().padLeft(2, '0');
    final month = _months[dt.month - 1];
    return '$h:$m, ${dt.day} $month ${dt.year}';
  }
  static const _repoUrl = 'https://codeberg.org/guettli/sharedinbox';
  static final _issueRefPattern = RegExp(r'#(\d+)');
  static String _linkifyIssueRefs(String text) {
    return text.replaceAllMapped(
      _issueRefPattern,
      (m) => '[#${m[1]}]($_repoUrl/issues/${m[1]})',
    );
  }
  // Changelog lines have the form:
  //   * 2026-06-05 [abc1234](https://...): subject
  // This pattern captures the short hash inside the markdown link.
  static final _hashPattern = RegExp(r'\[([0-9a-f]{6,12})\]\(');
  static String _injectInstallMarkers(
    String changelog,
    Map<String, DateTime> versions,
  ) {
    if (versions.isEmpty) return changelog;
    final lines = changelog.split('\n');
    final buf = StringBuffer();
    for (final line in lines) {
      final match = _hashPattern.firstMatch(line);
      if (match != null) {
        final lineHash = match.group(1)!;
        for (final entry in versions.entries) {
          final stored = entry.key;
          final matches = stored == lineHash ||
              stored.startsWith(lineHash) ||
              lineHash.startsWith(stored);
          if (!matches) continue;
          buf.write(
            '\n---\n\n**Installed: ${_formatInstallDate(entry.value)}**\n\n',
          );
          break;
        }
      }
      buf.writeln(line);
    }
    return buf.toString();
  }
  @override
-  Widget build(BuildContext context) {
+  Widget build(BuildContext context, WidgetRef ref) {
    final installedVersions = ref.watch(installedVersionsProvider);
    return Scaffold(
      appBar: AppBar(title: const Text('ChangeLog')),
      body: FutureBuilder<String>(
-        future: rootBundle.loadString('assets/changelog.txt'),
+        future:
            DefaultAssetBundle.of(context).loadString('assets/changelog.txt'),
        builder: (context, snapshot) {
-          if (snapshot.connectionState == ConnectionState.waiting) {
+          if (snapshot.connectionState == ConnectionState.waiting ||
              installedVersions.isLoading) {
            return const Center(child: CircularProgressIndicator());
          }
          if (snapshot.hasError) {
@@ -23,9 +93,12 @@ class ChangeLogScreen extends StatelessWidget {
              child: Text('Error loading changelog: ${snapshot.error}'),
            );
          }
-          final content = snapshot.data ?? 'No changelog entries found.';
+          final raw = snapshot.data ?? 'No changelog entries found.';
          final content = _linkifyIssueRefs(raw);
          final versions = installedVersions.value ?? {};
          final annotated = _injectInstallMarkers(content, versions);
          return Markdown(
-            data: content,
+            data: annotated,
            onTapLink: (text, href, title) {
              if (href != null) {
                unawaited(
@@ -0,0 +1,422 @@
 import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/email_thread_tile.dart';
 class CombinedInboxScreen extends ConsumerStatefulWidget {
  const CombinedInboxScreen({super.key});
  @override
  ConsumerState<CombinedInboxScreen> createState() =>
      _CombinedInboxScreenState();
 }
 class _CombinedInboxScreenState extends ConsumerState<CombinedInboxScreen> {
  static const _pageSize = 50;
  int _limit = _pageSize;
  // Thread-level selection (key = threadId).
  final Set<String> _selectedThreadIds = {};
  // Last-emitted thread list, used to resolve emailIds for batch operations.
  List<EmailThread> _currentThreads = [];
  bool get _selecting => _selectedThreadIds.isNotEmpty;
  void _toggleThreadSelection(EmailThread thread) {
    setState(() {
      if (_selectedThreadIds.contains(thread.threadId)) {
        _selectedThreadIds.remove(thread.threadId);
      } else {
        _selectedThreadIds.add(thread.threadId);
      }
    });
  }
  void _clearSelection() => setState(() => _selectedThreadIds.clear());
  void _selectAll() {
    setState(
      () => _selectedThreadIds.addAll(_currentThreads.map((t) => t.threadId)),
    );
  }
  @override
  Widget build(BuildContext context) {
    final accountsAsync = ref.watch(allAccountsProvider);
    return accountsAsync.when(
      loading: () => const Scaffold(
        body: Center(child: CircularProgressIndicator()),
      ),
      error: (e, _) => Scaffold(
        body: Center(child: Text('Error: $e')),
      ),
      data: (accounts) {
        if (accounts.isEmpty) {
          WidgetsBinding.instance.addPostFrameCallback((_) {
            if (context.mounted) context.go('/accounts');
          });
          return const Scaffold(
            body: Center(child: CircularProgressIndicator()),
          );
        }
        final accountNames = {
          for (final a in accounts) a.id: a.displayName,
        };
        final showAccount = accounts.length > 1;
        return Scaffold(
          appBar: _buildAppBar(accounts),
          drawer: _selecting ? null : _buildDrawer(context, accounts),
          bottomNavigationBar: _selecting ? _selectionBottomBar() : null,
          body: _buildBody(accountNames, showAccount),
          floatingActionButton: _selecting
              ? null
              : FloatingActionButton(
                  onPressed: () => context.push('/compose'),
                  child: const Icon(Icons.edit),
                ),
        );
      },
    );
  }
  PreferredSizeWidget _buildAppBar(List<Account> accounts) {
    if (_selecting) {
      return AppBar(
        leading: IconButton(
          icon: const Icon(Icons.close),
          onPressed: _clearSelection,
        ),
        title: Text('${_selectedThreadIds.length} selected'),
        actions: [
          IconButton(
            icon: const Icon(Icons.select_all),
            tooltip: 'Select all',
            onPressed: _selectAll,
          ),
        ],
      );
    }
    return AppBar(
      title: const Text('Combined Inbox'),
      actions: [
        IconButton(
          icon: const Icon(Icons.search),
          tooltip: 'Search',
          onPressed: () => context.push('/search'),
        ),
        IconButton(
          icon: const Icon(Icons.sync),
          tooltip: 'Sync all',
          onPressed: () {
            for (final a in accounts) {
              ref.read(syncManagerProvider).syncNow(a.id);
            }
          },
        ),
      ],
    );
  }
  Widget _selectionBottomBar() {
    return BottomAppBar(
      child: Row(
        mainAxisAlignment: MainAxisAlignment.spaceEvenly,
        children: [
          IconButton(
            icon: const Icon(Icons.archive),
            tooltip: 'Archive',
            onPressed: _batchArchive,
          ),
          IconButton(
            icon: const Icon(Icons.delete),
            tooltip: 'Delete',
            onPressed: _batchDelete,
          ),
        ],
      ),
    );
  }
  Widget _buildDrawer(BuildContext context, List<Account> accounts) {
    return Drawer(
      child: ListView(
        padding: EdgeInsets.zero,
        children: [
          const DrawerHeader(
            decoration: BoxDecoration(color: Colors.blueGrey),
            child: Text(
              'sharedinbox.de',
              style: TextStyle(color: Colors.white, fontSize: 24),
            ),
          ),
          ListTile(
            leading: const Icon(Icons.manage_accounts),
            title: const Text('Accounts'),
            onTap: () {
              Navigator.pop(context);
              context.go('/accounts');
            },
          ),
          ListTile(
            leading: const Icon(Icons.person_add),
            title: const Text('Add account'),
            onTap: () {
              Navigator.pop(context);
              unawaited(context.push('/accounts/add'));
            },
          ),
          const Divider(),
          for (final account in accounts)
            ListTile(
              leading: const Icon(Icons.inbox),
              title: Text(account.displayName),
              subtitle: Text(account.email),
              onTap: () {
                Navigator.pop(context);
                unawaited(context.push('/accounts/${account.id}/mailboxes'));
              },
            ),
          const Divider(),
          ListTile(
            leading: const Icon(Icons.settings),
            title: const Text('Preferences'),
            onTap: () {
              Navigator.pop(context);
              unawaited(context.push('/accounts/preferences'));
            },
          ),
          ListTile(
            leading: const Icon(Icons.history),
            title: const Text('Undo Log'),
            onTap: () {
              Navigator.pop(context);
              unawaited(context.push('/accounts/undo-log'));
            },
          ),
          ListTile(
            leading: const Icon(Icons.info_outline),
            title: const Text('About'),
            onTap: () {
              Navigator.pop(context);
              unawaited(context.push('/accounts/about'));
            },
          ),
        ],
      ),
    );
  }
  Widget _buildBody(Map<String, String> accountNames, bool showAccount) {
    final emailRepo = ref.watch(emailRepositoryProvider);
    return RefreshIndicator(
      onRefresh: () async {
        final accounts = ref.read(allAccountsProvider).value ?? [];
        for (final a in accounts) {
          ref.read(syncManagerProvider).syncNow(a.id);
        }
      },
      child: StreamBuilder<List<EmailThread>>(
        stream: emailRepo.observeAllInboxThreads(limit: _limit),
        builder: (ctx, snap) {
          if (!snap.hasData) {
            return const Center(child: CircularProgressIndicator());
          }
          final threads = snap.data!;
          _currentThreads = threads;
          if (threads.isEmpty) {
            return ListView(
              children: const [
                SizedBox(
                  height: 300,
                  child: Center(child: Text('No emails')),
                ),
              ],
            );
          }
          return _buildThreadList(threads, accountNames, showAccount);
        },
      ),
    );
  }
  Widget _buildThreadList(
    List<EmailThread> threads,
    Map<String, String> accountNames,
    bool showAccount,
  ) {
    final hasMore = threads.length == _limit;
    return ListView.builder(
      itemCount: threads.length + (hasMore ? 1 : 0),
      itemBuilder: (ctx, i) {
        if (i == threads.length) {
          return TextButton(
            onPressed: () => setState(() => _limit += _pageSize),
            child: const Text('Load more'),
          );
        }
        final t = threads[i];
        return EmailThreadTile(
          thread: t,
          isSelected: _selectedThreadIds.contains(t.threadId),
          isSelecting: _selecting,
          showAccount: showAccount,
          accountName: accountNames[t.accountId],
          onTap: _selecting
              ? () => _toggleThreadSelection(t)
              : t.messageCount > 1
                  ? () => context.push(
                        '/accounts/${t.accountId}/mailboxes'
                        '/${Uri.encodeComponent(t.mailboxPath)}'
                        '/threads/${Uri.encodeComponent(t.threadId)}',
                      )
                  : () => context.push(
                        '/accounts/${t.accountId}/mailboxes'
                        '/${Uri.encodeComponent(t.mailboxPath)}'
                        '/emails/${Uri.encodeComponent(t.latestEmailId)}',
                      ),
          onLongPress: () => _toggleThreadSelection(t),
          onDismissed: (direction) => _onSwipeDismissed(t, direction),
        );
      },
    );
  }
  Future<void> _onSwipeDismissed(
    EmailThread t,
    DismissDirection direction,
  ) async {
    final repo = ref.read(emailRepositoryProvider);
    final originalEmails = (await Future.wait(
      t.emailIds.map((id) => repo.getEmail(id)),
    ))
        .whereType<Email>()
        .toList();
    if (direction == DismissDirection.startToEnd) {
      final archive = await ref
          .read(mailboxRepositoryProvider)
          .findMailboxByRole(t.accountId, 'archive');
      if (!mounted || archive == null) return;
      for (final id in t.emailIds) {
        await repo.moveEmail(id, archive.path);
      }
      final action = UndoAction(
        id: DateTime.now().toIso8601String(),
        accountId: t.accountId,
        type: UndoType.move,
        emailIds: t.emailIds,
        sourceMailboxPath: t.mailboxPath,
        destinationMailboxPath: archive.path,
        originalEmails: originalEmails,
      );
      unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
      return;
    }
    String? lastDestPath;
    for (final id in t.emailIds) {
      lastDestPath = await repo.deleteEmail(id);
    }
    final action = UndoAction(
      id: DateTime.now().toIso8601String(),
      accountId: t.accountId,
      type: UndoType.delete,
      emailIds: t.emailIds,
      sourceMailboxPath: t.mailboxPath,
      destinationMailboxPath: lastDestPath,
      originalEmails: originalEmails,
    );
    unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
  }
  Future<void> _batchArchive() async {
    final repo = ref.read(emailRepositoryProvider);
    final mailboxRepo = ref.read(mailboxRepositoryProvider);
    // Group selected threads by accountId so we look up each account's archive once.
    final byAccount = <String, List<EmailThread>>{};
    for (final t in _currentThreads) {
      if (!_selectedThreadIds.contains(t.threadId)) continue;
      (byAccount[t.accountId] ??= []).add(t);
    }
    _clearSelection();
    for (final entry in byAccount.entries) {
      final accountId = entry.key;
      final threads = entry.value;
      final archive = await mailboxRepo.findMailboxByRole(accountId, 'archive');
      if (!mounted || archive == null) continue;
      for (final t in threads) {
        final originalEmails = (await Future.wait(
          t.emailIds.map((id) => repo.getEmail(id)),
        ))
            .whereType<Email>()
            .toList();
        for (final id in t.emailIds) {
          await repo.moveEmail(id, archive.path);
        }
        final action = UndoAction(
          id: DateTime.now().toIso8601String(),
          accountId: accountId,
          type: UndoType.move,
          emailIds: t.emailIds,
          sourceMailboxPath: t.mailboxPath,
          destinationMailboxPath: archive.path,
          originalEmails: originalEmails,
        );
        unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
      }
    }
  }
  Future<void> _batchDelete() async {
    final repo = ref.read(emailRepositoryProvider);
    final selectedThreads = _currentThreads
        .where((t) => _selectedThreadIds.contains(t.threadId))
        .toList();
    _clearSelection();
    for (final t in selectedThreads) {
      final originalEmails = (await Future.wait(
        t.emailIds.map((id) => repo.getEmail(id)),
      ))
          .whereType<Email>()
          .toList();
      String? lastDestPath;
      for (final id in t.emailIds) {
        lastDestPath = await repo.deleteEmail(id);
      }
      final action = UndoAction(
        id: DateTime.now().toIso8601String(),
        accountId: t.accountId,
        type: UndoType.delete,
        emailIds: t.emailIds,
        sourceMailboxPath: t.mailboxPath,
        destinationMailboxPath: lastDestPath,
        originalEmails: originalEmails,
      );
      unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
    }
  }
 }
@@ -194,9 +194,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
      await OpenFilex.open(path);
    } catch (e) {
      if (!mounted) return;
-      ScaffoldMessenger.of(
+      ScaffoldMessenger.of(context).showSnackBar(
        context,
      ).showSnackBar(
        SnackBar(
          duration: const Duration(seconds: 5),
          content: Text('Failed to open file: $e'),
@@ -213,9 +211,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
  Future<void> _send() async {
    if (_accountId == null) {
-      ScaffoldMessenger.of(
+      ScaffoldMessenger.of(context).showSnackBar(
        context,
      ).showSnackBar(
        const SnackBar(
          duration: Duration(seconds: 5),
          content: Text('Select an account first'),
@@ -255,9 +251,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
      if (mounted) context.pop();
    } catch (e) {
      if (!mounted) return;
-      ScaffoldMessenger.of(
+      ScaffoldMessenger.of(context).showSnackBar(
        context,
      ).showSnackBar(
        SnackBar(
          duration: const Duration(seconds: 5),
          content: Text('Send failed: $e'),
@@ -1,5 +1,6 @@
 import 'dart:io';
 import 'package:flutter/foundation.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:package_info_plus/package_info_plus.dart';
@@ -10,27 +11,45 @@ class CrashScreen extends StatelessWidget {
    super.key,
    required this.exception,
    required this.stackTrace,
    this.gitHash = const String.fromEnvironment('GIT_HASH'),
  });
  final Object exception;
  final StackTrace? stackTrace;
  final String gitHash;
-  static const _gitHash = String.fromEnvironment('GIT_HASH');
+  String get _buildMode {
    if (kDebugMode) return 'debug';
    if (kProfileMode) return 'profile';
    return 'release';
  }
-  Future<String> _buildReport() async {
+  Future<String> _fetchVersion() async {
    String version = 'unknown';
    try {
      final info = await PackageInfo.fromPlatform();
-      version = '${info.version}+${info.buildNumber}';
+      return '${info.version}+${info.buildNumber}';
-    } catch (_) {}
+    } catch (_) {
      return 'unknown';
    }
  }
  Future<String> _buildReport() async {
    final version = await _fetchVersion();
    final platform =
        '${Platform.operatingSystem} ${Platform.operatingSystemVersion}';
-    final gitLine = _gitHash.isNotEmpty
+    final versionDisplay = gitHash.isNotEmpty
-        ? 'Git Commit: [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)\n'
+        ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$gitHash)'
        : version;
    final gitLine = gitHash.isNotEmpty
        ? 'Git Commit: [$gitHash](https://codeberg.org/guettli/sharedinbox/commit/$gitHash)\n'
        : '';
-    return 'App Version: $version\n'
+    final timestamp = DateTime.now().toUtc().toIso8601String();
    return 'App Version: $versionDisplay\n'
        'Build Mode: $_buildMode\n'
        '$gitLine'
-        'Platform: $platform\n\n'
+        'Platform: $platform\n'
        'Dart: ${Platform.version}\n'
        'Timestamp: $timestamp\n\n'
        'Error:\n```\n$exception\n```\n\n'
        'Stack Trace:\n```\n$stackTrace\n```';
  }
@@ -38,6 +57,7 @@ class CrashScreen extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      theme: ThemeData(splashFactory: NoSplash.splashFactory),
      home: Scaffold(
        appBar: AppBar(
          title: const Text('Something went wrong'),
@@ -56,13 +76,69 @@ class CrashScreen extends StatelessWidget {
                  style: Theme.of(ctx).textTheme.titleMedium,
                  textAlign: TextAlign.center,
                ),
-                if (_gitHash.isNotEmpty) ...[
+                const SizedBox(height: 4),
-                  const SizedBox(height: 8),
+                FutureBuilder<String>(
-                  const Text(
+                  future: _fetchVersion(),
-                    'Git Commit: $_gitHash',
+                  builder: (context, snapshot) => Text(
-                    style: TextStyle(fontSize: 12, color: Colors.grey),
+                    'v${snapshot.data ?? '…'}  •  $_buildMode  •  '
                    '${Platform.operatingSystem} ${Platform.operatingSystemVersion}',
                    style: Theme.of(
                      context,
                    ).textTheme.bodySmall?.copyWith(color: Colors.grey[600]),
                    textAlign: TextAlign.center,
                  ),
                ),
                if (gitHash.isNotEmpty) ...[
                  const SizedBox(height: 8),
                  FutureBuilder<PackageInfo>(
                    future: PackageInfo.fromPlatform(),
                    builder: (_, snapshot) {
                      if (!snapshot.hasData) return const SizedBox.shrink();
                      final version =
                          '${snapshot.data!.version}+${snapshot.data!.buildNumber}';
                      return GestureDetector(
                        onTap: () async {
                          final url = Uri.parse(
                            'https://codeberg.org/guettli/sharedinbox/commit/$gitHash',
                          );
                          await launchUrl(
                            url,
                            mode: LaunchMode.externalApplication,
                          );
                        },
                        child: Text(
                          'App Version: $version',
                          style: const TextStyle(
                            fontSize: 12,
                            color: Colors.blue,
                            decoration: TextDecoration.underline,
                          ),
                          textAlign: TextAlign.center,
                        ),
                      );
                    },
                  ),
                  const SizedBox(height: 4),
                  GestureDetector(
                    onTap: () async {
                      final url = Uri.parse(
                        'https://codeberg.org/guettli/sharedinbox/commit/$gitHash',
                      );
                      await launchUrl(
                        url,
                        mode: LaunchMode.externalApplication,
                      );
                    },
                    child: Text(
                      'Git Commit: $gitHash',
                      style: const TextStyle(
                        fontSize: 12,
                        color: Colors.blue,
                        decoration: TextDecoration.underline,
                      ),
                      textAlign: TextAlign.center,
                    ),
                  ),
                ],
                const SizedBox(height: 24),
                const Text(
@@ -106,32 +182,6 @@ class CrashScreen extends StatelessWidget {
                    ),
                  ),
                ],
                if (_gitHash.isNotEmpty) ...[
                  const SizedBox(height: 16),
                  const Text(
                    'Git Commit:',
                    style: TextStyle(fontWeight: FontWeight.bold),
                  ),
                  const SizedBox(height: 4),
                  GestureDetector(
                    onTap: () async {
                      final url = Uri.parse(
                        'https://codeberg.org/guettli/sharedinbox/commit/$_gitHash',
                      );
                      await launchUrl(
                        url,
                        mode: LaunchMode.externalApplication,
                      );
                    },
                    child: const Text(
                      _gitHash,
                      style: TextStyle(
                        color: Colors.blue,
                        decoration: TextDecoration.underline,
                      ),
                    ),
                  ),
                ],
                const SizedBox(height: 24),
                FilledButton.icon(
                  onPressed: () async {
@@ -38,6 +38,7 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
  var _sieveSsl = true;
  var _verbose = false;
  final _jmapUrlCtrl = TextEditingController();
  bool _hasStoredPassword = false;
  // -- "Try connection" state ------------------------------------------------
  bool _tryTesting = false;
@@ -50,6 +51,7 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
    _smtpHostCtrl.addListener(_rebuild);
    _sieveHostCtrl.addListener(_rebuild);
    _imapHostCtrl.addListener(_rebuild);
    _passwordCtrl.addListener(_rebuild);
    unawaited(_load());
  }
@@ -63,6 +65,11 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
      context.pop();
      return;
    }
    try {
      await repo.getPassword(account.id);
      _hasStoredPassword = true;
    } catch (_) {}
    if (!mounted) return;
    _account = account;
    _displayNameCtrl.text = account.displayName;
    _usernameCtrl.text = account.username;
@@ -84,6 +91,7 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
    _smtpHostCtrl.removeListener(_rebuild);
    _sieveHostCtrl.removeListener(_rebuild);
    _imapHostCtrl.removeListener(_rebuild);
    _passwordCtrl.removeListener(_rebuild);
    for (final c in [
      _displayNameCtrl,
      _usernameCtrl,
@@ -267,10 +275,12 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
            ),
            _field(
              _passwordCtrl,
-              'New password (leave blank to keep)',
+              _hasStoredPassword
                  ? 'New password (leave blank to keep)'
                  : 'Password',
              key: const Key('editPasswordField'),
              obscure: true,
-              required: false,
+              required: !_hasStoredPassword,
            ),
            if (account.type == AccountType.jmap) ...[
              const Divider(height: 32),
@@ -345,10 +355,17 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
              testing: _tryTesting,
              okMessage: _tryOk,
              errorMessage: _tryErr,
-              onPressed: _tryConnection,
+              onPressed: _hasStoredPassword || _passwordCtrl.text.isNotEmpty
                  ? _tryConnection
                  : null,
            ),
            const SizedBox(height: 8),
-            FilledButton(onPressed: _save, child: const Text('Save')),
+            FilledButton(
              onPressed: _hasStoredPassword || _passwordCtrl.text.isNotEmpty
                  ? _save
                  : null,
              child: const Text('Save'),
            ),
          ],
        ),
      ),
@@ -0,0 +1,80 @@
 import 'package:flutter/material.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
 enum _MissingFolderChoice { chooseExisting, createNew }
 /// Resolves a mailbox by role, prompting the user to choose or create one when
 /// the role is not found.  Returns the target [Mailbox], or null if cancelled.
 Future<Mailbox?> resolveMailboxByRole(
  BuildContext context,
  MailboxRepository mailboxRepo,
  String accountId,
  String currentMailboxPath,
  String role, {
  required String dialogTitle,
  required String createFolderName,
 }) async {
  Mailbox? mailbox = await mailboxRepo.findMailboxByRole(accountId, role);
  if (!context.mounted) return null;
  if (mailbox != null) return mailbox;
  final choice = await showDialog<_MissingFolderChoice>(
    context: context,
    builder: (ctx) => AlertDialog(
      title: Text(dialogTitle),
      actions: [
        TextButton(
          onPressed: () =>
              Navigator.pop(ctx, _MissingFolderChoice.chooseExisting),
          child: const Text('Choose existing folder'),
        ),
        FilledButton(
          onPressed: () => Navigator.pop(ctx, _MissingFolderChoice.createNew),
          child: Text('Create "$createFolderName"'),
        ),
      ],
    ),
  );
  if (!context.mounted || choice == null) return null;
  switch (choice) {
    case _MissingFolderChoice.chooseExisting:
      final mailboxes = await mailboxRepo.observeMailboxes(accountId).first;
      if (!context.mounted) return null;
      final chosen = await showModalBottomSheet<String>(
        context: context,
        builder: (ctx) => ListView(
          shrinkWrap: true,
          children: [
            const ListTile(
              title: Text(
                'Move to…',
                style: TextStyle(fontWeight: FontWeight.bold),
              ),
            ),
            for (final m in mailboxes.where(
              (m) => m.path != currentMailboxPath,
            ))
              ListTile(
                leading: const Icon(Icons.folder_outlined),
                title: Text(m.name),
                onTap: () => Navigator.pop(ctx, m.path),
              ),
          ],
        ),
      );
      if (chosen == null || !context.mounted) return null;
      mailbox = mailboxes.firstWhere((m) => m.path == chosen);
    case _MissingFolderChoice.createNew:
      mailbox = await mailboxRepo.createMailboxWithRole(
        accountId,
        createFolderName,
        role,
      );
      if (!context.mounted) return null;
  }
  return mailbox;
 }
@@ -12,10 +12,15 @@ import 'package:path_provider/path_provider.dart';
 import 'package:share_plus/share_plus.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/note.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/format_utils.dart';
 import 'package:sharedinbox/core/utils/glob_match.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
 import 'package:sharedinbox/ui/widgets/email_headers_dialog.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
 import 'package:url_launcher/url_launcher.dart';
@@ -34,6 +39,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
  bool _isFlagged = false;
  bool _loadRemoteImages = false;
  final Set<String> _downloading = {};
  bool _notesSynced = false;
  @override
  Widget build(BuildContext context) {
@@ -47,6 +53,15 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
        if (email != null && mounted) {
          setState(() => _isFlagged = email.isFlagged);
        }
        if (!_notesSynced && email?.messageId != null) {
          _notesSynced = true;
          unawaited(
            ref.read(noteRepositoryProvider).syncNotes(
                  email!.accountId,
                  email.messageId!,
                ),
          );
        }
      },
    );
@@ -59,10 +74,6 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    return Scaffold(
      appBar: AppBar(
        automaticallyImplyLeading: !isMobile,
        title: Text(
          header?.subject ?? '(loading…)',
          overflow: TextOverflow.ellipsis,
        ),
        actions: [
          IconButton(
            icon: const Icon(Icons.reply),
@@ -70,33 +81,40 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
            onPressed: header == null
                ? null
                : () {
-                    unawaited(_reply(context, header, body, replyAll: false));
+                    unawaited(_replyWithRecipientDialog(context, header, body));
                  },
          ),
          IconButton(
-            icon: const Icon(Icons.reply_all),
+            icon: const Icon(Icons.archive),
-            tooltip: 'Reply all',
+            tooltip: 'Archive',
            onPressed: header == null
                ? null
                : () {
-                    unawaited(_reply(context, header, body, replyAll: true));
+                    unawaited(_archive(context, header));
                  },
          ),
          IconButton(
-            icon: const Icon(Icons.forward),
+            icon: const Icon(Icons.delete),
-            tooltip: 'Forward',
+            tooltip: 'Delete',
            onPressed: header == null
                ? null
                : () {
                    unawaited(_forward(context, header, body));
                  },
          ),
          IconButton(
            icon: const Icon(Icons.mark_email_unread_outlined),
            tooltip: 'Mark as unread',
            onPressed: () async {
-              await repo.setFlag(widget.emailId, seen: false);
+              final nextEmailId = await _getNextEmailIdIfNeeded(header);
-              if (context.mounted) context.pop();
+              final destPath = await repo.deleteEmail(widget.emailId);
              if (header != null) {
                await ref.read(undoServiceProvider.notifier).pushAction(
                      UndoAction(
                        id: DateTime.now().toIso8601String(),
                        accountId: header.accountId,
                        type: UndoType.delete,
                        emailIds: [widget.emailId],
                        sourceMailboxPath: header.mailboxPath,
                        destinationMailboxPath: destPath,
                        originalEmails: [header],
                      ),
                    );
              }
              if (context.mounted) _navigateTo(context, header, nextEmailId);
            },
          ),
          IconButton(
@@ -112,42 +130,24 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
            },
          ),
          IconButton(
-            icon: const Icon(Icons.drive_file_move_outline),
+            icon: const Icon(Icons.report_outlined),
-            tooltip: 'Move to folder',
+            tooltip: 'Mark as spam',
-            onPressed: header == null ? null : () => _moveTo(context, header),
+            onPressed: header == null
-          ),
+                ? null
-          IconButton(
+                : () {
-            icon: const Icon(Icons.access_time),
+                    unawaited(_markAsSpam(context, header));
-            tooltip: 'Snooze',
+                  },
            onPressed: header == null ? null : () => _snooze(context, header),
          ),
          IconButton(
            icon: const Icon(Icons.delete),
            tooltip: 'Delete',
            onPressed: () async {
              final destPath = await repo.deleteEmail(widget.emailId);
              if (header != null) {
                unawaited(
                  ref.read(undoServiceProvider.notifier).pushAction(
                        UndoAction(
                          id: DateTime.now().toIso8601String(),
                          accountId: header.accountId,
                          type: UndoType.delete,
                          emailIds: [widget.emailId],
                          sourceMailboxPath: header.mailboxPath,
                          destinationMailboxPath: destPath,
                          originalEmails: [header],
                        ),
                      ),
                );
              }
              if (context.mounted) context.pop();
            },
          ),
          PopupMenuButton<String>(
            itemBuilder: (ctx) => [
              const PopupMenuItem(value: 'forward', child: Text('Forward')),
              const PopupMenuItem(value: 'move', child: Text('Move to folder')),
              const PopupMenuItem(value: 'snooze', child: Text('Snooze')),
              const PopupMenuItem(
                value: 'mark_unread',
                child: Text('Mark as unread'),
              ),
              const PopupMenuDivider(),
              const PopupMenuItem(
                value: 'headers',
                child: Text('Show Mail Headers'),
@@ -156,18 +156,34 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                value: 'structure',
                child: Text('Show Mail Structure'),
              ),
              const PopupMenuItem(value: 'rfc', child: Text('Show Raw Email')),
              const PopupMenuDivider(),
              const PopupMenuItem(
-                value: 'rfc',
+                value: 'bug_report',
-                child: Text('Show Raw Email'),
+                child: Text('Report a Bug'),
              ),
            ],
-            onSelected: (value) {
+            onSelected: (value) async {
-              if (value == 'headers' && body != null) {
+              if (value == 'forward' && header != null) {
                unawaited(_forward(context, header, body));
              } else if (value == 'move' && header != null) {
                unawaited(_moveTo(context, header));
              } else if (value == 'snooze' && header != null) {
                unawaited(_snooze(context, header));
              } else if (value == 'mark_unread') {
                final nextEmailId = await _getNextEmailIdIfNeeded(header);
                await repo.setFlag(widget.emailId, seen: false);
                if (context.mounted) _navigateTo(context, header, nextEmailId);
              } else if (value == 'headers' && body != null) {
                _showHeaders(context, body);
              } else if (value == 'structure' && body != null) {
                _showStructure(context, body);
              } else if (value == 'rfc') {
                unawaited(_showRaw(context, header));
              } else if (value == 'bug_report') {
                unawaited(
                  context.push('/bug-report?emailId=${widget.emailId}'),
                );
              }
            },
          ),
@@ -176,19 +192,35 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
      body: detail.when(
        loading: () => const Center(child: CircularProgressIndicator()),
        error: (e, _) => Center(child: Text('Error: $e')),
-        data: (d) => _buildBody(context, d.$1, d.$2),
+        data: (d) {
          final trusted =
              ref.watch(trustedImageSendersProvider).value ?? const <String>[];
          return _buildBody(context, d.$1, d.$2, trusted);
        },
      ),
    );
  }
-  Widget _buildBody(BuildContext ctx, Email? header, EmailBody body) {
+  Widget _buildBody(
    BuildContext ctx,
    Email? header,
    EmailBody body,
    List<String> trustedSenders,
  ) {
    final hasHtml = (body.htmlBody ?? '').trim().isNotEmpty;
    final senderEmail = header?.from.isNotEmpty == true
        ? header!.from.first.email.toLowerCase()
        : null;
    final isTrusted = senderEmail != null &&
        trustedSenders.any((p) => globMatch(senderEmail, p));
    final effectiveLoadImages = _loadRemoteImages || isTrusted;
    return ListView(
      padding: const EdgeInsets.all(16),
      children: [
        if (header != null) ...[_buildHeader(ctx, header), const Divider()],
        if (hasHtml) ...[
-          if (!_loadRemoteImages)
+          if (!effectiveLoadImages)
            Align(
              alignment: Alignment.centerLeft,
              child: Padding(
@@ -196,19 +228,50 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                child: OutlinedButton.icon(
                  icon: const Icon(Icons.image_outlined, size: 18),
                  label: const Text('Load remote images'),
-                  onPressed: () => setState(() => _loadRemoteImages = true),
+                  onPressed: () {
                    setState(() => _loadRemoteImages = true);
                    if (senderEmail != null) {
                      unawaited(
                        ref
                            .read(userPreferencesRepositoryProvider)
                            .addTrustedImageSender(senderEmail),
                      );
                      ScaffoldMessenger.of(ctx).showSnackBar(
                        SnackBar(
                          duration: const Duration(seconds: 3),
                          content: const Text(
                            'Images will be loaded automatically for this sender.',
                          ),
                          action: SnackBarAction(
                            label: 'View',
                            onPressed: () {
                              if (mounted) {
                                unawaited(
                                  context.push(
                                    '/accounts/trusted-senders',
                                    extra: senderEmail,
                                  ),
                                );
                              }
                            },
                          ),
                        ),
                      );
                    }
                  },
                ),
              ),
            ),
          SecureEmailWebView(
            htmlBody: body.htmlBody!,
-            loadRemoteImages: _loadRemoteImages,
+            loadRemoteImages: effectiveLoadImages,
          ),
        ] else
          SelectableText(
            body.textBody ?? '',
            style: Theme.of(ctx).textTheme.bodyMedium,
          ),
        if (header?.messageId != null) _buildNotesSection(ctx, header!),
        if (body.attachments.isNotEmpty) ...[
          const Divider(),
          Padding(
@@ -241,6 +304,40 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    );
  }
  Future<String?> _getNextEmailIdIfNeeded(Email? header) async {
    if (header == null) return null;
    final prefs = ref.read(userPreferencesProvider).value;
    final action =
        prefs?.afterMailViewAction ?? AfterMailViewAction.nextMessage;
    if (action != AfterMailViewAction.nextMessage) return null;
    final threads = await ref
        .read(emailRepositoryProvider)
        .observeThreads(header.accountId, header.mailboxPath)
        .first;
    final currentIndex = threads.indexWhere(
      (t) => t.emailIds.contains(widget.emailId),
    );
    if (currentIndex >= 0 && currentIndex + 1 < threads.length) {
      return threads[currentIndex + 1].latestEmailId;
    }
    return null;
  }
  void _navigateTo(BuildContext context, Email? header, String? nextEmailId) {
    if (!context.mounted) return;
    if (nextEmailId != null && header != null) {
      context.go(
        '/accounts/${header.accountId}'
        '/mailboxes/${Uri.encodeComponent(header.mailboxPath)}'
        '/emails/${Uri.encodeComponent(nextEmailId)}',
      );
    } else {
      context.pop();
    }
  }
  Future<void> _downloadAndOpen(EmailAttachment att) async {
    setState(() => _downloading.add(att.filename));
    try {
@@ -258,6 +355,114 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    }
  }
  Widget _buildNotesSection(BuildContext ctx, Email header) {
    final messageId = header.messageId!;
    final notes = ref.watch(notesProvider((header.accountId, messageId)));
    return Column(
      crossAxisAlignment: CrossAxisAlignment.start,
      children: [
        const Divider(),
        Row(
          children: [
            Padding(
              padding: const EdgeInsets.symmetric(vertical: 4),
              child: Text(
                'Notes',
                style: Theme.of(ctx).textTheme.titleSmall,
              ),
            ),
            const Spacer(),
            TextButton.icon(
              icon: const Icon(Icons.add, size: 16),
              label: const Text('Add'),
              onPressed: () => unawaited(_addNoteDialog(ctx, header)),
            ),
          ],
        ),
        notes.when(
          loading: () => const SizedBox.shrink(),
          error: (e, _) => Text('Error loading notes: $e'),
          data: (list) {
            if (list.isEmpty) {
              return const Padding(
                padding: EdgeInsets.only(bottom: 4),
                child: Text(
                  'No notes yet.',
                  style: TextStyle(color: Colors.grey),
                ),
              );
            }
            return Column(
              children: [
                for (final note in list) _buildNoteRow(ctx, note),
              ],
            );
          },
        ),
      ],
    );
  }
  Widget _buildNoteRow(BuildContext ctx, EmailNote note) {
    return ListTile(
      dense: true,
      contentPadding: EdgeInsets.zero,
      title: Text(note.noteText),
      subtitle: Text(
        DateFormat('MMM d, HH:mm').format(note.createdAt),
        style: Theme.of(ctx).textTheme.bodySmall,
      ),
      trailing: IconButton(
        icon: const Icon(Icons.delete_outline, size: 20),
        tooltip: 'Delete note',
        onPressed: () {
          unawaited(ref.read(noteRepositoryProvider).deleteNote(note.id));
        },
      ),
    );
  }
  Future<void> _addNoteDialog(BuildContext context, Email header) async {
    final messageId = header.messageId;
    if (messageId == null) return;
    final ctrl = TextEditingController();
    final confirmed = await showDialog<bool>(
      context: context,
      builder: (ctx) => AlertDialog(
        title: const Text('Add note'),
        content: TextField(
          controller: ctrl,
          autofocus: true,
          maxLines: 4,
          decoration: const InputDecoration(hintText: 'Type a note…'),
        ),
        actions: [
          TextButton(
            onPressed: () => Navigator.pop(ctx, false),
            child: const Text('Cancel'),
          ),
          FilledButton(
            onPressed: () => Navigator.pop(ctx, true),
            child: const Text('Save'),
          ),
        ],
      ),
    );
    final text = ctrl.text.trim();
    ctrl.dispose();
    if (confirmed != true || text.isEmpty) return;
    if (!context.mounted) return;
    await ref.read(noteRepositoryProvider).addNote(
          header.accountId,
          messageId,
          text,
        );
  }
  Widget _buildHeader(BuildContext ctx, Email email) {
    return Column(
      crossAxisAlignment: CrossAxisAlignment.start,
@@ -303,17 +508,78 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    return '\n\n— On $date, $from wrote:\n$quoted';
  }
-  Future<void> _reply(
+  Future<void> _replyWithRecipientDialog(
    BuildContext context,
    Email header,
    EmailBody? body,
  ) async {
    final account =
        await ref.read(accountRepositoryProvider).getAccount(header.accountId);
    final ownEmail = account?.email.toLowerCase() ?? '';
    final seen = <String>{};
    final candidates = <_Candidate>[];
    void addIfNew(EmailAddress addr, _Placement defaultPlacement) {
      final key = addr.email.toLowerCase();
      if (key == ownEmail || seen.contains(key)) return;
      seen.add(key);
      candidates.add(_Candidate(addr, defaultPlacement));
    }
    for (final addr in header.from) {
      addIfNew(addr, _Placement.to);
    }
    for (final addr in header.to) {
      addIfNew(addr, _Placement.to);
    }
    for (final addr in header.cc) {
      addIfNew(addr, _Placement.cc);
    }
    if (!context.mounted) return;
    if (candidates.length <= 1) {
      final to = candidates
          .where((c) => c.placement == _Placement.to)
          .map((c) => c.address.email)
          .join(', ');
      final cc = candidates
          .where((c) => c.placement == _Placement.cc)
          .map((c) => c.address.email)
          .join(', ');
      await _composeReply(context, header, body, to: to, cc: cc);
      return;
    }
    final confirmed = await showDialog<List<_Candidate>>(
      context: context,
      builder: (ctx) => _ReplyAllDialog(candidates: candidates),
    );
    if (confirmed == null || !context.mounted) return;
    final to = confirmed
        .where((c) => c.placement == _Placement.to)
        .map((c) => c.address.email)
        .join(', ');
    final cc = confirmed
        .where((c) => c.placement == _Placement.cc)
        .map((c) => c.address.email)
        .join(', ');
    await _composeReply(context, header, body, to: to, cc: cc);
  }
  Future<void> _composeReply(
    BuildContext context,
    Email header,
    EmailBody? body, {
-    required bool replyAll,
+    required String to,
    required String cc,
  }) async {
    final to = header.from.isNotEmpty ? header.from.first.email : '';
    final subject = (header.subject?.startsWith('Re:') ?? false)
        ? header.subject!
        : 'Re: ${header.subject ?? ''}';
    final cc = replyAll ? header.to.map((a) => a.email).join(', ') : '';
    final quoted = await _quotedBody(header, body);
    if (!context.mounted) return;
    unawaited(
@@ -330,6 +596,78 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    );
  }
  Future<void> _archive(BuildContext context, Email header) async {
    final nextEmailId = await _getNextEmailIdIfNeeded(header);
    if (!context.mounted) return;
    final mailbox = await resolveMailboxByRole(
      context,
      ref.read(mailboxRepositoryProvider),
      header.accountId,
      header.mailboxPath,
      'archive',
      dialogTitle: 'No archive folder found',
      createFolderName: 'Archive',
    );
    if (mailbox == null || !context.mounted) return;
    await ref
        .read(emailRepositoryProvider)
        .moveEmail(widget.emailId, mailbox.path);
    unawaited(
      ref.read(undoServiceProvider.notifier).pushAction(
            UndoAction(
              id: DateTime.now().toIso8601String(),
              accountId: header.accountId,
              type: UndoType.move,
              emailIds: [widget.emailId],
              sourceMailboxPath: header.mailboxPath,
              destinationMailboxPath: mailbox.path,
            ),
          ),
    );
    if (context.mounted) _navigateTo(context, header, nextEmailId);
  }
  Future<void> _markAsSpam(BuildContext context, Email header) async {
    final nextEmailId = await _getNextEmailIdIfNeeded(header);
    if (!context.mounted) return;
    final mailbox = await resolveMailboxByRole(
      context,
      ref.read(mailboxRepositoryProvider),
      header.accountId,
      header.mailboxPath,
      'junk',
      dialogTitle: 'No spam folder found',
      createFolderName: 'Junk',
    );
    if (mailbox == null || !context.mounted) return;
    await ref
        .read(emailRepositoryProvider)
        .moveEmail(widget.emailId, mailbox.path);
    unawaited(
      ref.read(undoServiceProvider.notifier).pushAction(
            UndoAction(
              id: DateTime.now().toIso8601String(),
              accountId: header.accountId,
              type: UndoType.move,
              emailIds: [widget.emailId],
              sourceMailboxPath: header.mailboxPath,
              destinationMailboxPath: mailbox.path,
            ),
          ),
    );
    if (context.mounted) _navigateTo(context, header, nextEmailId);
  }
  Future<void> _forward(
    BuildContext context,
    Email header,
@@ -343,15 +681,50 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    unawaited(
      context.push(
        '/compose',
-        extra: {
+        extra: {'prefillSubject': subject, 'prefillBody': quoted},
          'prefillSubject': subject,
          'prefillBody': quoted,
        },
      ),
    );
  }
  Future<String?> _promptNewFolderName(BuildContext context) async {
    final controller = TextEditingController();
    try {
      return await showDialog<String>(
        context: context,
        builder: (ctx) => AlertDialog(
          title: const Text('Create new folder'),
          content: TextField(
            controller: controller,
            autofocus: true,
            decoration: const InputDecoration(hintText: 'Folder name'),
            textCapitalization: TextCapitalization.words,
            onSubmitted: (value) {
              if (value.trim().isNotEmpty) Navigator.pop(ctx, value.trim());
            },
          ),
          actions: [
            TextButton(
              onPressed: () => Navigator.pop(ctx),
              child: const Text('Cancel'),
            ),
            FilledButton(
              onPressed: () {
                final name = controller.text.trim();
                if (name.isNotEmpty) Navigator.pop(ctx, name);
              },
              child: const Text('Create'),
            ),
          ],
        ),
      );
    } finally {
      controller.dispose();
    }
  }
  Future<void> _moveTo(BuildContext context, Email header) async {
    final nextEmailId = await _getNextEmailIdIfNeeded(header);
    final mailboxRepo = ref.read(mailboxRepositoryProvider);
    final mailboxes =
        await mailboxRepo.observeMailboxes(header.accountId).first;
@@ -362,6 +735,8 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    if (!context.mounted) return;
    const createNewSentinel = '__create_new__';
    final chosen = await showModalBottomSheet<String>(
      context: context,
      builder: (ctx) => ListView(
@@ -379,13 +754,28 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
              title: Text(m.name),
              onTap: () => Navigator.pop(ctx, m.path),
            ),
          ListTile(
            leading: const Icon(Icons.create_new_folder_outlined),
            title: const Text('Create new folder…'),
            onTap: () => Navigator.pop(ctx, createNewSentinel),
          ),
        ],
      ),
    );
    if (chosen == null || !context.mounted) return;
-    await ref.read(emailRepositoryProvider).moveEmail(widget.emailId, chosen);
+    String destination = chosen;
    if (chosen == createNewSentinel) {
      final name = await _promptNewFolderName(context);
      if (name == null || !context.mounted) return;
      final mailbox = await mailboxRepo.createMailbox(header.accountId, name);
      destination = mailbox.path;
    }
    await ref
        .read(emailRepositoryProvider)
        .moveEmail(widget.emailId, destination);
    unawaited(
      ref.read(undoServiceProvider.notifier).pushAction(
@@ -395,15 +785,18 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
              type: UndoType.move,
              emailIds: [widget.emailId],
              sourceMailboxPath: header.mailboxPath,
-              destinationMailboxPath: chosen,
+              destinationMailboxPath: destination,
            ),
          ),
    );
-    if (context.mounted) context.pop();
+    if (context.mounted) _navigateTo(context, header, nextEmailId);
  }
  Future<void> _snooze(BuildContext context, Email header) async {
    final nextEmailId = await _getNextEmailIdIfNeeded(header);
    if (!context.mounted) return;
    final until = await showModalBottomSheet<DateTime>(
      context: context,
      builder: (ctx) => const SnoozePicker(),
@@ -431,7 +824,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
          ),
        ),
      );
-      context.pop();
+      _navigateTo(context, header, nextEmailId);
    }
  }
@@ -443,9 +836,9 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
          .fetchRawRfc822(widget.emailId);
    } catch (e) {
      if (!context.mounted) return;
-      ScaffoldMessenger.of(context).showSnackBar(
+      ScaffoldMessenger.of(
-        SnackBar(content: Text('Failed to fetch raw email: $e')),
+        context,
-      );
+      ).showSnackBar(SnackBar(content: Text('Failed to fetch raw email: $e')));
      return;
    }
@@ -559,47 +952,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    unawaited(
      showDialog<void>(
        context: context,
-        builder: (ctx) => AlertDialog(
+        builder: (ctx) => EmailHeadersDialog(headers: body.headers),
          title: const Text('Mail Headers'),
          content: SizedBox(
            width: double.maxFinite,
            child: ListView.builder(
              shrinkWrap: true,
              itemCount: body.headers.length,
              itemBuilder: (ctx, i) {
                final header = body.headers[i];
                return Container(
                  color: i.isEven
                      ? Theme.of(ctx).colorScheme.surfaceContainerHighest
                      : Theme.of(ctx).colorScheme.surface,
                  padding: const EdgeInsets.symmetric(
                    vertical: 4,
                    horizontal: 8,
                  ),
                  child: Row(
                    crossAxisAlignment: CrossAxisAlignment.start,
                    children: [
                      Expanded(
                        child: SelectableText(
                          header.name,
                          style: const TextStyle(fontWeight: FontWeight.bold),
                        ),
                      ),
                      const SizedBox(width: 8),
                      Expanded(flex: 2, child: SelectableText(header.value)),
                    ],
                  ),
                );
              },
            ),
          ),
          actions: [
            TextButton(
              onPressed: () => Navigator.pop(ctx),
              child: const Text('Close'),
            ),
          ],
        ),
      ),
    );
  }
@@ -610,9 +963,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
      ScaffoldMessenger.of(context).showSnackBar(
        const SnackBar(
          duration: Duration(seconds: 5),
-          content: Text(
+          content: Text('Structure not available. Try re-syncing the email.'),
            'Structure not available. Try re-syncing the email.',
          ),
        ),
      );
      return;
@@ -624,12 +975,13 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    unawaited(
      showDialog<void>(
        context: context,
-        builder: (ctx) => AlertDialog(
+        builder: (ctx) => Dialog.fullscreen(
-          title: const Text('Mail Structure'),
+          child: Scaffold(
-          content: SizedBox(
+            appBar: AppBar(
-            width: double.maxFinite,
+              title: const Text('Mail Structure'),
-            child: ListView.builder(
+              leading: const CloseButton(),
-              shrinkWrap: true,
+            ),
            body: ListView.builder(
              itemCount: rows.length,
              itemBuilder: (ctx, i) {
                final row = rows[i];
@@ -658,14 +1010,90 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
              },
            ),
          ),
-          actions: [
+        ),
-            TextButton(
+      ),
-              onPressed: () => Navigator.pop(ctx),
+    );
-              child: const Text('Close'),
+  }
-            ),
+}
 enum _Placement { to, cc, skip }
 class _Candidate {
  _Candidate(this.address, this.placement);
  final EmailAddress address;
  _Placement placement;
 }
 class _ReplyAllDialog extends StatefulWidget {
  const _ReplyAllDialog({required this.candidates});
  final List<_Candidate> candidates;
  @override
  State<_ReplyAllDialog> createState() => _ReplyAllDialogState();
 }
 class _ReplyAllDialogState extends State<_ReplyAllDialog> {
  late final List<_Candidate> _candidates;
  @override
  void initState() {
    super.initState();
    _candidates = [
      for (final c in widget.candidates) _Candidate(c.address, c.placement),
    ];
  }
  @override
  Widget build(BuildContext context) {
    return AlertDialog(
      title: const Text('Reply All'),
      content: SizedBox(
        width: double.maxFinite,
        child: ListView(
          shrinkWrap: true,
          children: [
            for (final c in _candidates)
              Padding(
                padding: const EdgeInsets.symmetric(vertical: 4),
                child: Row(
                  children: [
                    Expanded(
                      child: Text(
                        c.address.toString(),
                        overflow: TextOverflow.ellipsis,
                      ),
                    ),
                    const SizedBox(width: 8),
                    SegmentedButton<_Placement>(
                      showSelectedIcon: false,
                      segments: const [
                        ButtonSegment(value: _Placement.to, label: Text('To')),
                        ButtonSegment(value: _Placement.cc, label: Text('Cc')),
                        ButtonSegment(
                          value: _Placement.skip,
                          label: Text('Skip'),
                        ),
                      ],
                      selected: {c.placement},
                      onSelectionChanged: (s) =>
                          setState(() => c.placement = s.first),
                    ),
                  ],
                ),
              ),
          ],
        ),
      ),
      actions: [
        TextButton(
          onPressed: () => Navigator.pop(context),
          child: const Text('Cancel'),
        ),
        TextButton(
          onPressed: () => Navigator.pop(context, _candidates),
          child: const Text('Reply'),
        ),
      ],
    );
  }
 }
@@ -712,10 +1140,13 @@ class _UnsubscribeChip extends StatelessWidget {
  Widget build(BuildContext context) {
    final uri = _parseUnsubscribeUri(header);
    if (uri == null) return const SizedBox.shrink();
-    return ActionChip(
+    return Tooltip(
-      avatar: const Icon(Icons.unsubscribe_outlined, size: 16),
+      message: uri.toString(),
-      label: const Text('Unsubscribe'),
+      child: ActionChip(
-      onPressed: () => launchUrl(uri, mode: LaunchMode.externalApplication),
+        avatar: const Icon(Icons.unsubscribe_outlined, size: 16),
        label: const Text('Unsubscribe'),
        onPressed: () => launchUrl(uri, mode: LaunchMode.externalApplication),
      ),
    );
  }
 }
@@ -8,21 +8,14 @@ import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/widgets/email_tile.dart';
+import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
 import 'package:sharedinbox/ui/widgets/email_thread_tile.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
-
+import 'package:sharedinbox/ui/widgets/thread_tile.dart';
 final _dateFmt = DateFormat('MMM d');
 // Cache formatted dates by local calendar day so DateFormat.format is called
 // at most once per unique date rather than once per list item per rebuild.
 final _formattedDates = <int, String>{};
 int _dayKey(DateTime dt) => dt.year * 10000 + dt.month * 100 + dt.day;
 String _fmtDate(DateTime dt) =>
    _formattedDates[_dayKey(dt)] ??= _dateFmt.format(dt);
 class EmailListScreen extends ConsumerStatefulWidget {
  const EmailListScreen({
@@ -57,6 +50,15 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  // Pagination: number of threads currently requested from the DB.
  static const _pageSize = 50;
  int _limit = _pageSize;
  // Incremented on every search start; stale completions are ignored when the
  // generation has advanced (prevents out-of-order IMAP responses from
  // overwriting fresh results with results for an older query).
  int _searchGeneration = 0;
  // The query whose results are currently settled in _searchResults.
  // Used to skip redundant re-runs when the user presses Enter on an
  // already-settled search (issue #473).
  String? _lastSettledQuery;
  bool get _selecting =>
      _selectedThreadIds.isNotEmpty || _selectedSearchIds.isNotEmpty;
@@ -68,6 +70,7 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
        setState(() {
          _searchResults = null;
          _searchLoading = false;
          _lastSettledQuery = null;
        });
      }
    });
@@ -124,18 +127,35 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  }
  Future<void> _runSearch(String query) async {
-    if (query.trim().isEmpty) {
+    final q = query.trim();
-      setState(() => _searchResults = null);
+    if (q.isEmpty) {
      setState(() {
        _searchResults = null;
        _lastSettledQuery = null;
      });
      return;
    }
    // Skip if results are already settled for this exact query — prevents the
    // Enter key from re-triggering a search that already completed.
    if (_searchResults != null && !_searchLoading && q == _lastSettledQuery) {
      return;
    }
    final generation = ++_searchGeneration;
    setState(() => _searchLoading = true);
    try {
      final results = await ref
          .read(emailRepositoryProvider)
-          .searchEmails(widget.accountId, widget.mailboxPath, query.trim());
+          .searchEmails(widget.accountId, widget.mailboxPath, q);
-      if (mounted) setState(() => _searchResults = results);
+      if (mounted && generation == _searchGeneration) {
        setState(() {
          _searchResults = results;
          _lastSettledQuery = q;
        });
      }
    } finally {
-      if (mounted) setState(() => _searchLoading = false);
+      if (mounted && generation == _searchGeneration) {
        setState(() => _searchLoading = false);
      }
    }
  }
@@ -147,16 +167,21 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  Widget build(BuildContext context) {
    final repo = ref.watch(emailRepositoryProvider);
    final accountAsync = ref.watch(accountByIdProvider(widget.accountId));
    final prefs =
        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
    final menuAtBottom = prefs.menuPosition == MenuPosition.bottom;
    return Scaffold(
-      appBar: _buildAppBar(repo, accountAsync),
+      appBar: _buildAppBar(repo, accountAsync, menuAtBottom: menuAtBottom),
      drawer: _selecting
          ? null
          : FolderDrawer(
              accountId: widget.accountId,
              currentMailboxPath: widget.mailboxPath,
            ),
-      bottomNavigationBar: _selecting ? _selectionBottomBar() : null,
+      bottomNavigationBar: _selecting
          ? _selectionBottomBar()
          : (menuAtBottom ? _folderNavBottomBar() : null),
      body: Column(
        children: [
          _buildSyncErrorBanner(),
@@ -172,12 +197,14 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  PreferredSizeWidget _buildAppBar(
    EmailRepository emailRepo,
-    AsyncValue<Account?> accountAsync,
+    AsyncValue<Account?> accountAsync, {
-  ) {
+    required bool menuAtBottom,
  }) {
    final selectionCount =
        _searching ? _selectedSearchIds.length : _selectedThreadIds.length;
    return AppBar(
      automaticallyImplyLeading: !menuAtBottom,
      leading: _selecting
          ? IconButton(
              icon: const Icon(Icons.close),
@@ -251,7 +278,14 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
                ),
            ],
            onChanged: _onSearchChanged,
-            onSubmitted: _runSearch,
+            onSubmitted: (value) {
              // Only run the search if results haven't settled yet via
              // onChanged — prevents a second IMAP round-trip from reordering
              // the already-visible results when the user presses Enter.
              if (_searchResults == null && !_searchLoading) {
                unawaited(_runSearch(value));
              }
            },
            textInputAction: TextInputAction.search,
          ),
        ),
@@ -300,6 +334,22 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    );
  }
  Widget _folderNavBottomBar() {
    return BottomAppBar(
      child: Row(
        children: [
          Builder(
            builder: (context) => IconButton(
              icon: const Icon(Icons.menu),
              tooltip: 'Open folders',
              onPressed: () => Scaffold.of(context).openDrawer(),
            ),
          ),
        ],
      ),
    );
  }
  Widget _selectionBottomBar() {
    return BottomAppBar(
      child: Row(
@@ -356,11 +406,7 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    }
    return MaterialBanner(
      padding: const EdgeInsets.fromLTRB(16, 8, 8, 8),
-      content: Text(
+      content: Text(error, maxLines: 2, overflow: TextOverflow.ellipsis),
        error,
        maxLines: 2,
        overflow: TextOverflow.ellipsis,
      ),
      leading: Icon(
        Icons.sync_problem,
        color: Theme.of(context).colorScheme.error,
@@ -374,9 +420,8 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
          child: const Text('Retry'),
        ),
        TextButton(
-          onPressed: () => context.push(
+          onPressed: () =>
-            '/accounts/${widget.accountId}/sync-log',
+              context.push('/accounts/${widget.accountId}/sync-log'),
          ),
          child: const Text('View log'),
        ),
        TextButton(
@@ -420,24 +465,26 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    );
  }
-  Future<void> _batchMoveToRole(String role, String notFoundMessage) async {
+  Future<void> _batchMoveToRole(
    String role, {
    required String dialogTitle,
    required String createFolderName,
  }) async {
    final ids = _selectedEmailIds;
    _clearSelection();
-    final mailbox = await ref
+
-        .read(mailboxRepositoryProvider)
+    final mailbox = await resolveMailboxByRole(
-        .findMailboxByRole(widget.accountId, role);
+      context,
-    if (!mounted) return;
+      ref.read(mailboxRepositoryProvider),
-    if (mailbox == null) {
+      widget.accountId,
-      ScaffoldMessenger.of(
+      widget.mailboxPath,
-        context,
+      role,
-      ).showSnackBar(
+      dialogTitle: dialogTitle,
-        SnackBar(
+      createFolderName: createFolderName,
-          duration: const Duration(seconds: 5),
+    );
-          content: Text(notFoundMessage),
+
-        ),
+    if (!mounted || mailbox == null) return;
-      );
+
      return;
    }
    final repo = ref.read(emailRepositoryProvider);
    // Fetch full email data before moving so we can restore them if user clicks Undo.
@@ -463,8 +510,11 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
  }
-  Future<void> _batchArchive() =>
+  Future<void> _batchArchive() => _batchMoveToRole(
-      _batchMoveToRole('archive', 'No archive folder found');
+        'archive',
        dialogTitle: 'No archive folder found',
        createFolderName: 'Archive',
      );
  Future<void> _refreshSearchAndPopIfEmpty() async {
    if (!mounted || !_searching) return;
@@ -525,8 +575,8 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    if (wasSearching && mounted) {
      // Filter deleted emails out of the local results immediately.
-      // Calling searchEmails here would hit the IMAP server, which still has
+      // Calling searchEmails here would still return deleted rows because the
-      // the emails because the delete is only enqueued — not yet applied.
+      // delete is only enqueued — not yet applied to the local DB.
      final deletedIds = ids.toSet();
      final remaining = (_searchResults ?? [])
          .where((e) => !deletedIds.contains(e.id))
@@ -543,8 +593,11 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    }
  }
-  Future<void> _batchMarkSpam() =>
+  Future<void> _batchMarkSpam() => _batchMoveToRole(
-      _batchMoveToRole('junk', 'No spam folder found');
+        'junk',
        dialogTitle: 'No spam folder found',
        createFolderName: 'Junk',
      );
  Future<void> _batchMove() async {
    final ids = _selectedEmailIds;
@@ -660,177 +713,93 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
          );
        }
        final t = threads[i];
-        final isSelected = _selectedThreadIds.contains(t.threadId);
+        return EmailThreadTile(
-        final senderNames =
+          thread: t,
-            t.participants.map((a) => a.name ?? a.email).take(3).join(', ');
+          isSelected: _selectedThreadIds.contains(t.threadId),
-
+          isSelecting: _selecting,
        final tile = ListTile(
          leading: SizedBox(
            width: 40,
            child: _selecting
                ? Checkbox(
                    value: isSelected,
                    onChanged: (_) => _toggleThreadSelection(t),
                  )
                : Icon(
                    t.hasUnread ? Icons.mail : Icons.mail_outline,
                    color:
                        t.hasUnread ? Theme.of(ctx).colorScheme.primary : null,
                  ),
          ),
          title: Row(
            children: [
              Expanded(
                child: Text(
                  senderNames.isEmpty ? '(unknown)' : senderNames,
                  style: t.hasUnread
                      ? const TextStyle(fontWeight: FontWeight.bold)
                      : null,
                  overflow: TextOverflow.ellipsis,
                ),
              ),
              if (t.messageCount > 1)
                Padding(
                  padding: const EdgeInsets.only(left: 4),
                  child: Text(
                    '[${t.messageCount}]',
                    style: Theme.of(ctx).textTheme.bodySmall,
                  ),
                ),
            ],
          ),
          subtitle: Column(
            crossAxisAlignment: CrossAxisAlignment.start,
            children: [
              Text(
                t.subject ?? '(no subject)',
                maxLines: 1,
                overflow: TextOverflow.ellipsis,
                style: t.hasUnread
                    ? const TextStyle(fontWeight: FontWeight.bold)
                    : null,
              ),
              if (t.preview != null && t.preview!.isNotEmpty)
                Text(
                  t.preview!,
                  maxLines: 1,
                  overflow: TextOverflow.ellipsis,
                  style: Theme.of(ctx).textTheme.bodySmall,
                ),
            ],
          ),
          selected: isSelected,
          trailing: Row(
            mainAxisSize: MainAxisSize.min,
            children: [
              if (t.isFlagged)
                const Icon(Icons.star, color: Colors.amber, size: 16),
              const SizedBox(width: 4),
              Text(
                _fmtDate(t.latestDate),
                style: Theme.of(ctx).textTheme.bodySmall,
              ),
            ],
          ),
          onTap: _selecting
              ? () => _toggleThreadSelection(t)
              : t.messageCount > 1
                  ? () => context.push(
-                        '/accounts/${widget.accountId}/mailboxes/${Uri.encodeComponent(widget.mailboxPath)}/threads/${Uri.encodeComponent(t.threadId)}',
+                        '/accounts/${widget.accountId}/mailboxes'
                        '/${Uri.encodeComponent(widget.mailboxPath)}'
                        '/threads/${Uri.encodeComponent(t.threadId)}',
                      )
                  : () => context.push(
-                        '/accounts/${widget.accountId}/mailboxes/${Uri.encodeComponent(widget.mailboxPath)}/emails/${Uri.encodeComponent(t.latestEmailId)}',
+                        '/accounts/${widget.accountId}/mailboxes'
                        '/${Uri.encodeComponent(widget.mailboxPath)}'
                        '/emails/${Uri.encodeComponent(t.latestEmailId)}',
                      ),
          onLongPress: () => _toggleThreadSelection(t),
-        );
+          onDismissed: (direction) => _onSwipeDismissed(t, direction),
        // For swipe actions on threads, operate on the latest email only
        // (single-email threads) or the whole thread.
        return Dismissible(
          key: ValueKey(t.threadId),
          direction:
              _selecting ? DismissDirection.none : DismissDirection.horizontal,
          background: _swipeBackground(
            alignment: Alignment.centerLeft,
            color: Colors.green,
            icon: Icons.archive,
            label: 'Archive',
          ),
          secondaryBackground: _swipeBackground(
            alignment: Alignment.centerRight,
            color: Colors.red,
            icon: Icons.delete,
            label: 'Delete',
          ),
          onDismissed: (direction) async {
            final repo = ref.read(emailRepositoryProvider);
            final type = direction == DismissDirection.startToEnd
                ? UndoType.move
                : UndoType.delete;
            // Fetch full email data before moving/deleting.
            final originalEmails = (await Future.wait(
              t.emailIds.map((id) => repo.getEmail(id)),
            ))
                .whereType<Email>()
                .toList();
            if (direction == DismissDirection.startToEnd) {
              final archive = await ref
                  .read(mailboxRepositoryProvider)
                  .findMailboxByRole(widget.accountId, 'archive');
              if (!mounted || archive == null) return;
              for (final id in t.emailIds) {
                await repo.moveEmail(id, archive.path);
              }
              final action = UndoAction(
                id: DateTime.now().toIso8601String(),
                accountId: widget.accountId,
                type: type,
                emailIds: t.emailIds,
                sourceMailboxPath: widget.mailboxPath,
                destinationMailboxPath: archive.path,
                originalEmails: originalEmails,
              );
              unawaited(
                ref.read(undoServiceProvider.notifier).pushAction(action),
              );
            } else {
              String? lastDestPath;
              for (final id in t.emailIds) {
                lastDestPath = await repo.deleteEmail(id);
              }
              final action = UndoAction(
                id: DateTime.now().toIso8601String(),
                accountId: widget.accountId,
                type: type,
                emailIds: t.emailIds,
                sourceMailboxPath: widget.mailboxPath,
                destinationMailboxPath: lastDestPath,
                originalEmails: originalEmails,
              );
              unawaited(
                ref.read(undoServiceProvider.notifier).pushAction(action),
              );
            }
          },
          child: tile,
        );
      },
    );
  }
  Future<void> _onSwipeDismissed(
    EmailThread t,
    DismissDirection direction,
  ) async {
    final repo = ref.read(emailRepositoryProvider);
    final type = direction == DismissDirection.startToEnd
        ? UndoType.move
        : UndoType.delete;
    // Fetch full email data before moving/deleting.
    final originalEmails = (await Future.wait(
      t.emailIds.map((id) => repo.getEmail(id)),
    ))
        .whereType<Email>()
        .toList();
    if (direction == DismissDirection.startToEnd) {
      final archive = await ref
          .read(mailboxRepositoryProvider)
          .findMailboxByRole(widget.accountId, 'archive');
      if (!mounted || archive == null) return;
      for (final id in t.emailIds) {
        await repo.moveEmail(id, archive.path);
      }
      final action = UndoAction(
        id: DateTime.now().toIso8601String(),
        accountId: widget.accountId,
        type: type,
        emailIds: t.emailIds,
        sourceMailboxPath: widget.mailboxPath,
        destinationMailboxPath: archive.path,
        originalEmails: originalEmails,
      );
      unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
      return;
    }
    String? lastDestPath;
    for (final id in t.emailIds) {
      lastDestPath = await repo.deleteEmail(id);
    }
    final action = UndoAction(
      id: DateTime.now().toIso8601String(),
      accountId: widget.accountId,
      type: type,
      emailIds: t.emailIds,
      sourceMailboxPath: widget.mailboxPath,
      destinationMailboxPath: lastDestPath,
      originalEmails: originalEmails,
    );
    unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
  }
  // Used for search results, which are individual emails.
  Widget _buildEmailList(List<Email> emails) {
    return ListView.builder(
      itemCount: emails.length,
      itemBuilder: (ctx, i) {
        final e = emails[i];
        final t = EmailThread.fromEmail(e);
        final isSelected = _selectedSearchIds.contains(e.id);
-        return EmailTile(
+        return ThreadTile(
-          email: e,
+          thread: t,
          selected: isSelected,
          leading: SizedBox(
            width: 40,
@@ -849,25 +818,4 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
      },
    );
  }
  Widget _swipeBackground({
    required AlignmentGeometry alignment,
    required Color color,
    required IconData icon,
    required String label,
  }) {
    return Container(
      color: color,
      alignment: alignment,
      padding: const EdgeInsets.symmetric(horizontal: 20),
      child: Row(
        mainAxisSize: MainAxisSize.min,
        children: [
          Icon(icon, color: Colors.white),
          const SizedBox(width: 8),
          Text(label, style: const TextStyle(color: Colors.white)),
        ],
      ),
    );
  }
 }
@@ -4,6 +4,7 @@ import 'package:go_router/go_router.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
@@ -17,8 +18,12 @@ class MailboxListScreen extends ConsumerWidget {
    final mailboxRepo = ref.watch(mailboxRepositoryProvider);
    final emailRepo = ref.watch(emailRepositoryProvider);
    final accountAsync = ref.watch(accountByIdProvider(accountId));
    final prefs =
        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
    final menuAtBottom = prefs.menuPosition == MenuPosition.bottom;
    return Scaffold(
      appBar: AppBar(
        automaticallyImplyLeading: !menuAtBottom,
        title: const Text('Folders'),
        actions: [
          IconButton(
@@ -42,6 +47,21 @@ class MailboxListScreen extends ConsumerWidget {
        ],
      ),
      drawer: FolderDrawer(accountId: accountId),
      bottomNavigationBar: menuAtBottom
          ? BottomAppBar(
              child: Row(
                children: [
                  Builder(
                    builder: (ctx) => IconButton(
                      icon: const Icon(Icons.menu),
                      tooltip: 'Open folders',
                      onPressed: () => Scaffold.of(ctx).openDrawer(),
                    ),
                  ),
                ],
              ),
            )
          : null,
      body: Column(
        children: [
          // ── Failed-mutation banner ───────────────────────────────────────
@@ -4,14 +4,17 @@ import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/utils/logger.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/widgets/email_tile.dart';
+import 'package:sharedinbox/ui/widgets/filter_builder.dart';
 import 'package:sharedinbox/ui/widgets/thread_tile.dart';
-final _searchHistoryProvider =
+final _searchHistoryProvider = FutureProvider.autoDispose<List<String>>((
-    FutureProvider.autoDispose<List<String>>((ref) async {
+  ref,
 ) async {
  return ref.watch(searchHistoryRepositoryProvider).getRecentSearches();
 });
@@ -36,6 +39,10 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
  bool _loading = false;
  bool _fieldFocused = false;
  // Advanced (structured) search state.
  bool _advancedMode = false;
  FilterGroup _filterGroup = FilterGroup.empty();
  @override
  void initState() {
    super.initState();
@@ -52,6 +59,13 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
    super.dispose();
  }
  void _toggleAdvanced() {
    setState(() {
      _advancedMode = !_advancedMode;
      _results = null;
    });
  }
  void _onChanged(String value) {
    _debounce?.cancel();
    if (value.trim().length < 3) {
@@ -134,22 +148,47 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
    }
  }
  Future<void> _searchStructured() async {
    if (_filterGroup.isEmpty) return;
    setState(() => _loading = true);
    try {
      final emails = await ref
          .read(emailRepositoryProvider)
          .searchEmailsStructured(widget.accountId, _filterGroup);
      if (mounted) {
        setState(() {
          _results = _SearchResults(
            mailboxes: const [],
            addresses: const [],
            emails: emails,
          );
          _loading = false;
        });
      }
    } catch (e) {
      log('Structured search failed: $e');
      if (mounted) setState(() => _loading = false);
    }
  }
  @override
  Widget build(BuildContext context) {
    return Scaffold(
      appBar: AppBar(
-        title: TextField(
+        title: _advancedMode
-          controller: _ctrl,
+            ? const Text('Advanced Search')
-          focusNode: _focusNode,
+            : TextField(
-          autofocus: true,
+                controller: _ctrl,
-          decoration: const InputDecoration(
+                focusNode: _focusNode,
-            hintText: 'Search folders, addresses, emails…',
+                autofocus: true,
-            border: InputBorder.none,
+                decoration: const InputDecoration(
-          ),
+                  hintText: 'Search folders, addresses, emails…',
-          onChanged: _onChanged,
+                  border: InputBorder.none,
-        ),
+                ),
                onChanged: _onChanged,
              ),
        actions: [
-          if (_ctrl.text.isNotEmpty)
+          if (!_advancedMode && _ctrl.text.isNotEmpty)
            IconButton(
              icon: const Icon(Icons.clear),
              onPressed: () {
@@ -157,6 +196,15 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
                setState(() => _results = null);
              },
            ),
          IconButton(
            icon: Icon(
              _advancedMode ? Icons.search : Icons.tune,
              color:
                  _advancedMode ? Theme.of(context).colorScheme.primary : null,
            ),
            tooltip: _advancedMode ? 'Simple search' : 'Advanced search',
            onPressed: _toggleAdvanced,
          ),
        ],
      ),
      body: _buildBody(),
@@ -164,6 +212,7 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
  }
  Widget _buildBody() {
    if (_advancedMode) return _buildAdvancedBody();
    if (_loading) return const Center(child: CircularProgressIndicator());
    if (_results == null) {
      if (_fieldFocused && _ctrl.text.isEmpty) {
@@ -173,7 +222,54 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
    }
    final r = _results!;
    if (r.isEmpty) return const Center(child: Text('No results'));
    return _buildResultsList(r);
  }
  Widget _buildAdvancedBody() {
    return SingleChildScrollView(
      padding: const EdgeInsets.all(12),
      child: Column(
        crossAxisAlignment: CrossAxisAlignment.stretch,
        children: [
          FilterBuilderWidget(
            initialValue: _filterGroup,
            onChanged: (g) => setState(() {
              _filterGroup = g;
              _results = null;
            }),
          ),
          const SizedBox(height: 12),
          FilledButton.icon(
            onPressed: _filterGroup.isEmpty ? null : _searchStructured,
            icon: const Icon(Icons.search),
            label: const Text('Search'),
          ),
          if (_loading)
            const Padding(
              padding: EdgeInsets.only(top: 24),
              child: Center(child: CircularProgressIndicator()),
            )
          else if (_results != null) ...[
            const SizedBox(height: 8),
            if (_results!.isEmpty)
              const Center(
                child: Padding(
                  padding: EdgeInsets.all(24),
                  child: Text('No results'),
                ),
              )
            else
              _buildResultsList(_results!),
          ],
        ],
      ),
    );
  }
  Widget _buildResultsList(_SearchResults r) {
    return ListView(
      shrinkWrap: true,
      physics: const NeverScrollableScrollPhysics(),
      children: [
        if (r.mailboxes.isNotEmpty) ...[
          const _SectionHeader('Folders'),
@@ -188,9 +284,9 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
        if (r.emails.isNotEmpty) ...[
          const _SectionHeader('Messages'),
          for (final e in r.emails)
-            EmailTile(
+            ThreadTile(
-              email: e,
+              thread: EmailThread.fromEmail(e),
-              showLocation: true,
+              locationLabel: '${e.accountId} • ${e.mailboxPath}',
              onTap: () => context.push(
                '/accounts/${e.accountId}/mailboxes'
                '/${Uri.encodeComponent(e.mailboxPath)}'
@@ -3,8 +3,13 @@ import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 import 'package:sharedinbox/core/filter/filter_sieve_converter.dart';
 import 'package:sharedinbox/core/models/sieve_script.dart';
 import 'package:sharedinbox/core/sieve/sieve_actions.dart';
 import 'package:sharedinbox/core/sieve/sieve_serializer.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/filter_builder.dart';
 class SieveScriptEditScreen extends ConsumerStatefulWidget {
  const SieveScriptEditScreen({
@@ -27,18 +32,29 @@ class SieveScriptEditScreen extends ConsumerStatefulWidget {
      _SieveScriptEditScreenState();
 }
-class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
+class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen>
    with SingleTickerProviderStateMixin {
  late final TextEditingController _nameController;
  late final TextEditingController _contentController;
  late final TabController _tabController;
  bool _loadingContent = false;
  bool _saving = false;
  String? _error;
  // Visual-editor state.
  FilterGroup _filterGroup = FilterGroup.empty();
  List<SieveAction> _actions = [];
  bool _visualSupported = true;
  int _visualLoadCount = 0;
  @override
  void initState() {
    super.initState();
    _nameController = TextEditingController(text: widget.script?.name ?? '');
    _contentController = TextEditingController();
    _tabController = TabController(length: 2, vsync: this);
    _tabController.addListener(_onTabChanged);
    if (widget.script != null) {
      unawaited(_loadContent());
    }
@@ -48,9 +64,40 @@ class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
  void dispose() {
    _nameController.dispose();
    _contentController.dispose();
    _tabController
      ..removeListener(_onTabChanged)
      ..dispose();
    super.dispose();
  }
  void _onTabChanged() {
    if (_tabController.indexIsChanging) return;
    if (_tabController.index == 1) {
      // Switched to Script tab: serialize visual state.
      if (_visualSupported) {
        _contentController.text =
            SieveSerializer().serialize(_filterGroup, _actions);
      }
    } else {
      // Switched to Visual tab: parse script into visual state.
      _parseScriptIntoVisual();
    }
  }
  void _parseScriptIntoVisual() {
    final result = FilterSieveConverter().parse(_contentController.text);
    if (result == null) {
      setState(() => _visualSupported = false);
      return;
    }
    setState(() {
      _filterGroup = result.group;
      _actions = List<SieveAction>.from(result.actions);
      _visualSupported = true;
      _visualLoadCount++;
    });
  }
  Future<void> _loadContent() async {
    setState(() => _loadingContent = true);
    try {
@@ -63,6 +110,7 @@ class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
              .getScriptContent(widget.accountId, widget.script!.blobId);
      if (mounted) {
        _contentController.text = content;
        _parseScriptIntoVisual();
        setState(() => _loadingContent = false);
      }
    } catch (e) {
@@ -76,6 +124,11 @@ class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
  }
  Future<void> _save() async {
    // Sync visual → script if on visual tab.
    if (_tabController.index == 0 && _visualSupported) {
      _contentController.text =
          SieveSerializer().serialize(_filterGroup, _actions);
    }
    final name = _nameController.text.trim();
    if (name.isEmpty) {
      setState(() => _error = 'Name is required');
@@ -118,6 +171,10 @@ class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
    return Scaffold(
      appBar: AppBar(
        title: Text(isNew ? 'New script' : 'Edit script'),
        bottom: TabBar(
          controller: _tabController,
          tabs: const [Tab(text: 'Visual'), Tab(text: 'Script')],
        ),
        actions: [
          if (_saving)
            const Padding(
@@ -163,18 +220,9 @@ class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
                    const SizedBox(height: 8),
                  ],
                  Expanded(
-                    child: TextField(
+                    child: TabBarView(
-                      controller: _contentController,
+                      controller: _tabController,
-                      decoration: const InputDecoration(
+                      children: [_buildVisualTab(), _buildScriptTab()],
                        labelText: 'Script',
                        border: OutlineInputBorder(),
                        alignLabelWithHint: true,
                      ),
                      maxLines: null,
                      expands: true,
                      textAlignVertical: TextAlignVertical.top,
                      style: const TextStyle(fontFamily: 'monospace'),
                      enabled: !_saving,
                    ),
                  ),
                ],
@@ -182,4 +230,220 @@ class _SieveScriptEditScreenState extends ConsumerState<SieveScriptEditScreen> {
            ),
    );
  }
  Widget _buildVisualTab() {
    if (!_visualSupported) {
      return Center(
        child: Padding(
          padding: const EdgeInsets.all(24),
          child: Text(
            'This script uses features not supported by the visual editor.\n'
            'Edit as raw Sieve on the Script tab.',
            textAlign: TextAlign.center,
            style: TextStyle(
              color: Theme.of(context).colorScheme.onSurfaceVariant,
            ),
          ),
        ),
      );
    }
    return SingleChildScrollView(
      child: Column(
        crossAxisAlignment: CrossAxisAlignment.stretch,
        children: [
          FilterBuilderWidget(
            key: ValueKey(_visualLoadCount),
            initialValue: _filterGroup,
            onChanged: (g) => setState(() => _filterGroup = g),
          ),
          const SizedBox(height: 12),
          _ActionEditor(
            actions: _actions,
            onChanged: (a) => setState(() => _actions = a),
          ),
        ],
      ),
    );
  }
  Widget _buildScriptTab() {
    return TextField(
      controller: _contentController,
      decoration: const InputDecoration(
        labelText: 'Script',
        border: OutlineInputBorder(),
        alignLabelWithHint: true,
      ),
      maxLines: null,
      expands: true,
      textAlignVertical: TextAlignVertical.top,
      style: const TextStyle(fontFamily: 'monospace'),
      enabled: !_saving,
    );
  }
 }
 // ---------------------------------------------------------------------------
 // Action editor
 // ---------------------------------------------------------------------------
 enum _ActionType { keep, discard, markAsRead, fileInto }
 class _ActionEditor extends StatelessWidget {
  const _ActionEditor({required this.actions, required this.onChanged});
  final List<SieveAction> actions;
  final void Function(List<SieveAction>) onChanged;
  _ActionType _typeOf(SieveAction a) => switch (a) {
        KeepAction() => _ActionType.keep,
        DiscardAction() => _ActionType.discard,
        MarkAsSeenAction() => _ActionType.markAsRead,
        FileIntoAction() => _ActionType.fileInto,
        FlagAction() => _ActionType.keep,
      };
  SieveAction _defaultFor(_ActionType t) => switch (t) {
        _ActionType.keep => KeepAction(),
        _ActionType.discard => DiscardAction(),
        _ActionType.markAsRead => MarkAsSeenAction(),
        _ActionType.fileInto => FileIntoAction(''),
      };
  void _changeType(int i, _ActionType t) {
    final next = List<SieveAction>.from(actions);
    final current = next[i];
    if (t == _ActionType.fileInto && current is FileIntoAction) return;
    next[i] = _defaultFor(t);
    onChanged(next);
  }
  void _changeFolder(int i, String folder) {
    final next = List<SieveAction>.from(actions);
    next[i] = FileIntoAction(folder);
    onChanged(next);
  }
  void _remove(int i) {
    final next = List<SieveAction>.from(actions)..removeAt(i);
    onChanged(next);
  }
  void _add() {
    onChanged([...actions, KeepAction()]);
  }
  @override
  Widget build(BuildContext context) {
    return Column(
      crossAxisAlignment: CrossAxisAlignment.start,
      children: [
        Padding(
          padding: const EdgeInsets.symmetric(vertical: 4),
          child: Text('Actions', style: Theme.of(context).textTheme.labelLarge),
        ),
        for (var i = 0; i < actions.length; i++) _buildRow(context, i),
        TextButton.icon(
          onPressed: _add,
          icon: const Icon(Icons.add, size: 16),
          label: const Text('Add action'),
        ),
      ],
    );
  }
  Widget _buildRow(BuildContext context, int i) {
    final action = actions[i];
    final type = _typeOf(action);
    return Padding(
      padding: const EdgeInsets.symmetric(vertical: 4),
      child: Row(
        children: [
          DropdownButton<_ActionType>(
            value: type,
            isDense: true,
            underline: const SizedBox.shrink(),
            onChanged: (t) {
              if (t != null) _changeType(i, t);
            },
            items: const [
              DropdownMenuItem(value: _ActionType.keep, child: Text('Keep')),
              DropdownMenuItem(
                value: _ActionType.discard,
                child: Text('Discard'),
              ),
              DropdownMenuItem(
                value: _ActionType.markAsRead,
                child: Text('Mark as read'),
              ),
              DropdownMenuItem(
                value: _ActionType.fileInto,
                child: Text('File into'),
              ),
            ],
          ),
          if (type == _ActionType.fileInto) ...[
            const SizedBox(width: 8),
            Expanded(
              child: _FolderField(
                value: (action as FileIntoAction).folder,
                onChanged: (v) => _changeFolder(i, v),
              ),
            ),
          ] else
            const Spacer(),
          IconButton(
            icon: const Icon(Icons.remove_circle_outline, size: 18),
            tooltip: 'Remove',
            onPressed: () => _remove(i),
          ),
        ],
      ),
    );
  }
 }
 class _FolderField extends StatefulWidget {
  const _FolderField({required this.value, required this.onChanged});
  final String value;
  final void Function(String) onChanged;
  @override
  State<_FolderField> createState() => _FolderFieldState();
 }
 class _FolderFieldState extends State<_FolderField> {
  late final TextEditingController _ctrl;
  @override
  void initState() {
    super.initState();
    _ctrl = TextEditingController(text: widget.value);
  }
  @override
  void didUpdateWidget(_FolderField old) {
    super.didUpdateWidget(old);
    if (widget.value != _ctrl.text) _ctrl.text = widget.value;
  }
  @override
  void dispose() {
    _ctrl.dispose();
    super.dispose();
  }
  @override
  Widget build(BuildContext context) {
    return TextField(
      controller: _ctrl,
      onChanged: widget.onChanged,
      decoration: const InputDecoration(
        hintText: 'folder',
        isDense: true,
        border: OutlineInputBorder(),
        contentPadding: EdgeInsets.symmetric(horizontal: 8, vertical: 6),
      ),
    );
  }
 }
@@ -137,9 +137,7 @@ class _SieveScriptsScreenState extends ConsumerState<SieveScriptsScreen> {
  Widget build(BuildContext context) {
    return Scaffold(
      appBar: AppBar(
-        title: Text(
+        title: Text(widget.isLocal ? 'Local Filters' : 'Remote Filters'),
          widget.isLocal ? 'Local Filters' : 'Remote Filters',
        ),
      ),
      body: _buildBody(),
      floatingActionButton: FloatingActionButton(
@@ -1,11 +1,15 @@
 import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:intl/intl.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/utils/about_markdown.dart';
 final _timeFmt = DateFormat('MMM d, HH:mm:ss');
@@ -21,6 +25,57 @@ String _fmtBytes(int bytes) {
  return '${(bytes / (1024 * 1024)).toStringAsFixed(1)} MB';
 }
 String _buildSyncEntryMarkdown(SyncLogEntry entry) {
  final buf = StringBuffer();
  buf.writeln('## Sync Entry');
  buf.writeln();
  buf.writeln('| Property | Value |');
  buf.writeln('|----------|-------|');
  buf.writeln('| Started | ${_timeFmt.format(entry.startedAt)} |');
  buf.writeln('| Finished | ${_timeFmt.format(entry.finishedAt)} |');
  buf.writeln('| Duration | ${_fmtDuration(entry.duration)} |');
  if (entry.protocol.isNotEmpty) {
    buf.writeln('| Protocol | ${entry.protocol.toUpperCase()} |');
  }
  final statusLabel = entry.isOk
      ? 'OK'
      : entry.isPermanent
          ? 'Error (permanent)'
          : 'Error';
  buf.writeln('| Status | $statusLabel |');
  buf.writeln('| Emails fetched | ${entry.emailsFetched} |');
  buf.writeln('| Emails up-to-date | ${entry.emailsSkipped} |');
  buf.writeln('| Mailboxes synced | ${entry.mailboxesSynced} |');
  buf.writeln('| Pending changes flushed | ${entry.pendingFlushed} |');
  buf.writeln('| Data transferred | ${_fmtBytes(entry.bytesTransferred)} |');
  if (entry.mailboxStats.isNotEmpty) {
    buf.writeln();
    buf.writeln('### Per mailbox');
    buf.writeln();
    buf.writeln('| Mailbox | Fetched | Up-to-date | Duration |');
    buf.writeln('|---------|---------|------------|----------|');
    for (final m in entry.mailboxStats) {
      final dur = m.duration != null ? _fmtDuration(m.duration!) : '-';
      buf.writeln('| ${m.mailboxPath} | ${m.fetched} | ${m.skipped} | $dur |');
    }
  }
  if (entry.errorMessage != null) {
    buf.writeln();
    buf.writeln('**Error:**');
    buf.writeln();
    buf.writeln(entry.errorMessage);
  }
  if (entry.stackTrace != null) {
    buf.writeln();
    buf.writeln('**Stack trace:**');
    buf.writeln();
    buf.writeln('```');
    buf.write(entry.stackTrace);
    buf.writeln('```');
  }
  return buf.toString();
 }
 class SyncLogScreen extends ConsumerStatefulWidget {
  const SyncLogScreen({super.key, required this.accountId});
@@ -69,6 +124,41 @@ class _SyncLogScreenState extends ConsumerState<SyncLogScreen> {
    ref.read(syncManagerProvider).syncNow(widget.accountId);
  }
  Future<void> _copyEntry(SyncLogEntry entry, BuildContext context) async {
    final accounts =
        await ref.read(accountRepositoryProvider).observeAccounts().first;
    final imapCount = accounts.where((a) => a.type == AccountType.imap).length;
    final jmapCount = accounts.where((a) => a.type == AccountType.jmap).length;
    PackageInfo? pkg;
    try {
      pkg = await PackageInfo.fromPlatform();
    } catch (_) {}
    final deviceModel = await getDeviceModel();
    if (!context.mounted) return;
    final syncMd = _buildSyncEntryMarkdown(entry);
    final aboutMd = buildAboutMarkdown(
      context: context,
      pkg: pkg,
      imapCount: imapCount,
      jmapCount: jmapCount,
      deviceModel: deviceModel,
    );
    await Clipboard.setData(ClipboardData(text: '$syncMd\n$aboutMd'));
    if (context.mounted) {
      ScaffoldMessenger.of(context).showSnackBar(
        const SnackBar(
          duration: Duration(seconds: 3),
          content: Text('Copied to clipboard'),
        ),
      );
    }
  }
  @override
  Widget build(BuildContext context) {
    return Scaffold(
@@ -96,16 +186,20 @@ class _SyncLogScreenState extends ConsumerState<SyncLogScreen> {
          ? const Center(child: Text('No sync entries yet'))
          : ListView.builder(
              itemCount: _entries.length,
-              itemBuilder: (ctx, i) => _SyncLogTile(entry: _entries[i]),
+              itemBuilder: (ctx, i) => _SyncLogTile(
                entry: _entries[i],
                onCopy: () => _copyEntry(_entries[i], ctx),
              ),
            ),
    );
  }
 }
 class _SyncLogTile extends StatelessWidget {
-  const _SyncLogTile({required this.entry});
+  const _SyncLogTile({required this.entry, required this.onCopy});
  final SyncLogEntry entry;
  final VoidCallback onCopy;
  @override
  Widget build(BuildContext context) {
@@ -115,6 +209,12 @@ class _SyncLogTile extends StatelessWidget {
    final theme = Theme.of(context);
    final errorColor = theme.colorScheme.error;
    final subtitleText = entry.isOk
        ? '${entry.emailsFetched} new · ${entry.emailsSkipped} up-to-date · took $durationLabel'
        : entry.isPermanent
            ? 'Error (permanent) · took $durationLabel'
            : 'Error · took $durationLabel';
    return ExpansionTile(
      leading: Icon(
        entry.isOk ? Icons.check_circle : Icons.error_outline,
@@ -125,11 +225,20 @@ class _SyncLogTile extends StatelessWidget {
        style: entry.isOk ? null : TextStyle(color: errorColor),
      ),
      subtitle: Text(
-        entry.isOk
+        subtitleText,
            ? '${entry.emailsFetched} new · ${entry.emailsSkipped} up-to-date · took $durationLabel'
            : 'Error · took $durationLabel',
        style: TextStyle(fontSize: 12, color: entry.isOk ? null : errorColor),
      ),
      trailing: Row(
        mainAxisSize: MainAxisSize.min,
        children: [
          IconButton(
            icon: const Icon(Icons.copy, size: 18),
            tooltip: 'Copy as markdown',
            onPressed: onCopy,
          ),
          const Icon(Icons.expand_more),
        ],
      ),
      children: [
        Padding(
          padding: const EdgeInsets.fromLTRB(72, 0, 16, 12),
@@ -171,6 +280,31 @@ class _SyncLogTile extends StatelessWidget {
                    style: TextStyle(color: errorColor, fontSize: 12),
                  ),
                ),
              if (entry.stackTrace != null) ...[
                const Padding(
                  padding: EdgeInsets.only(top: 6, bottom: 2),
                  child: Text(
                    'Stack trace',
                    style: TextStyle(fontSize: 12, color: Colors.grey),
                  ),
                ),
                Container(
                  width: double.infinity,
                  padding: const EdgeInsets.all(8),
                  decoration: BoxDecoration(
                    color: Colors.black87,
                    borderRadius: BorderRadius.circular(4),
                  ),
                  child: Text(
                    entry.stackTrace!,
                    style: TextStyle(
                      fontSize: 10,
                      fontFamily: 'monospace',
                      color: Colors.red[300],
                    ),
                  ),
                ),
              ],
              if (entry.protocolLog != null) ...[
                const Padding(
                  padding: EdgeInsets.only(top: 6, bottom: 2),
@@ -7,6 +7,8 @@ import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/glob_match.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
@@ -28,9 +30,16 @@ class ThreadDetailScreen extends ConsumerWidget {
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    final repo = ref.watch(emailRepositoryProvider);
    final prefs =
        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
    final buttonAtBottom = prefs.mailViewButtonPosition == MenuPosition.bottom;
    return Scaffold(
-      appBar: AppBar(title: const Text('Thread')),
+      appBar: AppBar(
        title: const Text('Thread'),
        automaticallyImplyLeading: !buttonAtBottom,
      ),
      bottomNavigationBar: buttonAtBottom ? _buildBackButtonBar(context) : null,
      body: StreamBuilder<List<Email>>(
        stream: repo.observeEmailsInThread(accountId, mailboxPath, threadId),
        builder: (context, snapshot) {
@@ -60,6 +69,20 @@ class ThreadDetailScreen extends ConsumerWidget {
      ),
    );
  }
  Widget _buildBackButtonBar(BuildContext context) {
    return BottomAppBar(
      child: Row(
        children: [
          IconButton(
            icon: const Icon(Icons.arrow_back),
            tooltip: 'Back',
            onPressed: () => context.pop(),
          ),
        ],
      ),
    );
  }
 }
 class _EmailMessageCard extends ConsumerStatefulWidget {
@@ -91,6 +114,14 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
  @override
  Widget build(BuildContext context) {
    final trustedSenders =
        ref.watch(trustedImageSendersProvider).value ?? const <String>[];
    final senderEmail = widget.email.from.isNotEmpty
        ? widget.email.from.first.email.toLowerCase()
        : null;
    final isTrusted = senderEmail != null &&
        trustedSenders.any((p) => globMatch(senderEmail, p));
    return Card(
      margin: const EdgeInsets.symmetric(vertical: 4),
      child: Column(
@@ -125,13 +156,13 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
              ],
            ),
          ),
-          if (_expanded) _buildExpandedBody(),
+          if (_expanded) _buildExpandedBody(isTrusted, senderEmail),
        ],
      ),
    );
  }
-  Widget _buildExpandedBody() {
+  Widget _buildExpandedBody(bool isTrusted, String? senderEmail) {
    return Padding(
      padding: const EdgeInsets.fromLTRB(16, 0, 16, 16),
      child: Column(
@@ -141,6 +172,17 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
          FutureBuilder<EmailBody>(
            future: _bodyFuture,
            builder: (context, snapshot) {
              if (snapshot.hasError) {
                return Padding(
                  padding: const EdgeInsets.all(16),
                  child: Text(
                    'Failed to load email: ${snapshot.error}',
                    style: TextStyle(
                      color: Theme.of(context).colorScheme.error,
                    ),
                  ),
                );
              }
              if (!snapshot.hasData) {
                return const Center(
                  child: Padding(
@@ -151,21 +193,51 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
              }
              final body = snapshot.data!;
              final hasHtml = (body.htmlBody ?? '').trim().isNotEmpty;
              final effectiveLoadImages = _loadRemoteImages || isTrusted;
              return Column(
                crossAxisAlignment: CrossAxisAlignment.start,
                children: [
                  if (hasHtml) ...[
-                    if (!_loadRemoteImages)
+                    if (!effectiveLoadImages)
                      TextButton.icon(
                        icon: const Icon(Icons.image_outlined, size: 16),
                        label: const Text('Load remote images'),
-                        onPressed: () =>
+                        onPressed: () {
-                            setState(() => _loadRemoteImages = true),
+                          setState(() => _loadRemoteImages = true);
                          if (senderEmail != null) {
                            unawaited(
                              ref
                                  .read(userPreferencesRepositoryProvider)
                                  .addTrustedImageSender(senderEmail),
                            );
                            ScaffoldMessenger.of(context).showSnackBar(
                              SnackBar(
                                duration: const Duration(seconds: 3),
                                content: const Text(
                                  'Images will be loaded automatically for this sender.',
                                ),
                                action: SnackBarAction(
                                  label: 'View',
                                  onPressed: () {
                                    if (mounted) {
                                      unawaited(
                                        context.push(
                                          '/accounts/trusted-senders',
                                          extra: senderEmail,
                                        ),
                                      );
                                    }
                                  },
                                ),
                              ),
                            );
                          }
                        },
                      ),
                    SecureEmailWebView(
                      htmlBody: body.htmlBody!,
-                      loadRemoteImages: _loadRemoteImages,
+                      loadRemoteImages: effectiveLoadImages,
                    ),
                  ] else
                    SelectableText(
@@ -229,47 +301,27 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
  }
  Future<void> _delete() async {
-    final confirmed = await showDialog<bool>(
+    final repo = ref.read(emailRepositoryProvider);
-      context: context,
+    // Fetch data first for IMAP undo support
-      builder: (ctx) => AlertDialog(
+    final original = await repo.getEmail(widget.email.id);
-        title: const Text('Delete email'),
+
-        content: const Text('Move this email to Trash?'),
+    final destPath = await repo.deleteEmail(widget.email.id);
-        actions: [
+
          TextButton(
            onPressed: () => Navigator.pop(ctx, false),
            child: const Text('Cancel'),
          ),
          TextButton(
            onPressed: () => Navigator.pop(ctx, true),
            child: const Text('Delete'),
          ),
        ],
      ),
    );
    if (!mounted) return;
-    if (confirmed == true) {
+    if (original != null) {
-      final repo = ref.read(emailRepositoryProvider);
+      unawaited(
-      // Fetch data first for IMAP undo support
+        ref.read(undoServiceProvider.notifier).pushAction(
-      final original = await repo.getEmail(widget.email.id);
+              UndoAction(
-
+                id: DateTime.now().toIso8601String(),
-      final destPath = await repo.deleteEmail(widget.email.id);
+                accountId: widget.email.accountId,
-
+                type: UndoType.delete,
-      if (!mounted) return;
+                emailIds: [widget.email.id],
-      if (original != null) {
+                sourceMailboxPath: widget.email.mailboxPath,
-        unawaited(
+                destinationMailboxPath: destPath,
-          ref.read(undoServiceProvider.notifier).pushAction(
+                originalEmails: [original],
                UndoAction(
                  id: DateTime.now().toIso8601String(),
                  accountId: widget.email.accountId,
                  type: UndoType.delete,
                  emailIds: [widget.email.id],
                  sourceMailboxPath: widget.email.mailboxPath,
                  destinationMailboxPath: destPath,
                  originalEmails: [original],
                ),
              ),
-        );
+            ),
-      }
+      );
    }
  }
 }
@@ -0,0 +1,126 @@
 import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:sharedinbox/di.dart';
 class TrustedImageSendersScreen extends ConsumerWidget {
  const TrustedImageSendersScreen({super.key, this.highlightedSender});
  final String? highlightedSender;
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    final trustedSendersAsync = ref.watch(trustedImageSendersProvider);
    return Scaffold(
      appBar: AppBar(title: const Text('Allowed addresses for images')),
      floatingActionButton: FloatingActionButton(
        tooltip: 'Add address',
        onPressed: () => _showAddDialog(context, ref),
        child: const Icon(Icons.add),
      ),
      body: trustedSendersAsync.when(
        loading: () => const Center(child: CircularProgressIndicator()),
        error: (_, __) =>
            const Center(child: Text('Error loading trusted senders')),
        data: (senders) {
          if (senders.isEmpty) {
            return const Padding(
              padding: EdgeInsets.all(16),
              child: Text(
                'No addresses added yet. '
                'Tap + to add an address or pattern (e.g. *@example.com), '
                'or tap "Load remote images" in an email to add the sender automatically.',
              ),
            );
          }
          return ListView.builder(
            itemCount: senders.length,
            itemBuilder: (context, index) {
              final sender = senders[index];
              final isHighlighted = sender == highlightedSender;
              return ListTile(
                title: Text(
                  sender,
                  style: isHighlighted
                      ? const TextStyle(fontWeight: FontWeight.bold)
                      : null,
                ),
                trailing: IconButton(
                  icon: const Icon(Icons.delete_outline),
                  tooltip: 'Remove',
                  onPressed: () {
                    unawaited(
                      ref
                          .read(userPreferencesRepositoryProvider)
                          .removeTrustedImageSender(sender),
                    );
                  },
                ),
              );
            },
          );
        },
      ),
    );
  }
  Future<void> _showAddDialog(BuildContext context, WidgetRef ref) async {
    final controller = TextEditingController();
    await showDialog<void>(
      context: context,
      builder: (ctx) {
        return StatefulBuilder(
          builder: (ctx, setState) {
            return AlertDialog(
              title: const Text('Add allowed address'),
              content: TextField(
                controller: controller,
                autofocus: true,
                keyboardType: TextInputType.emailAddress,
                decoration: const InputDecoration(
                  labelText: 'Email address or pattern',
                  hintText: '*@example.com',
                  helperText: '* matches any characters, e.g. *@example.com',
                ),
                onChanged: (_) => setState(() {}),
                onSubmitted: (value) {
                  if (value.trim().isNotEmpty) {
                    _addSender(ref, value);
                    Navigator.of(ctx).pop();
                  }
                },
              ),
              actions: [
                TextButton(
                  onPressed: () => Navigator.of(ctx).pop(),
                  child: const Text('Cancel'),
                ),
                TextButton(
                  onPressed: controller.text.trim().isEmpty
                      ? null
                      : () {
                          _addSender(ref, controller.text);
                          Navigator.of(ctx).pop();
                        },
                  child: const Text('Add'),
                ),
              ],
            );
          },
        );
      },
    );
  }
  void _addSender(WidgetRef ref, String value) {
    unawaited(
      ref
          .read(userPreferencesRepositoryProvider)
          .addTrustedImageSender(value.trim()),
    );
  }
 }
@@ -0,0 +1,139 @@
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/di.dart';
 final _dateTimeFmt = DateFormat('yyyy-MM-dd HH:mm:ss');
 class UndoLogDetailScreen extends ConsumerWidget {
  const UndoLogDetailScreen({super.key, required this.action});
  final UndoAction action;
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    final theme = Theme.of(context);
    return Scaffold(
      appBar: AppBar(
        title: const Text('Undo Log Detail'),
        actions: [
          TextButton(
            onPressed: () async {
              await ref
                  .read(undoServiceProvider.notifier)
                  .undo(actionId: action.id);
              if (context.mounted) {
                Navigator.of(context).pop();
                ScaffoldMessenger.of(context).showSnackBar(
                  const SnackBar(
                    duration: Duration(seconds: 5),
                    content: Text('Action undone.'),
                  ),
                );
              }
            },
            child: const Text('Undo'),
          ),
        ],
      ),
      body: ListView(
        children: [
          _SectionHeader(text: 'Transaction', theme: theme),
          ListTile(
            leading: const Icon(Icons.account_circle),
            title: const Text('Account'),
            subtitle: Text(action.accountId),
          ),
          ListTile(
            leading: Icon(
              action.type == UndoType.delete
                  ? Icons.delete_outline
                  : (action.type == UndoType.snooze
                      ? Icons.access_time
                      : Icons.move_to_inbox),
              color: action.type == UndoType.delete
                  ? Colors.redAccent
                  : (action.type == UndoType.snooze
                      ? Colors.orangeAccent
                      : Colors.blueAccent),
            ),
            title: const Text('Action'),
            subtitle: Text(action.type.name.toUpperCase()),
          ),
          ListTile(
            leading: const Icon(Icons.schedule),
            title: const Text('Timestamp'),
            subtitle: Text(_dateTimeFmt.format(action.timestamp.toLocal())),
          ),
          _SectionHeader(text: 'Folders', theme: theme),
          ListTile(
            leading: const Icon(Icons.folder_open),
            title: const Text('Source'),
            subtitle: Text(action.sourceMailboxPath),
          ),
          if (action.type == UndoType.move &&
              action.destinationMailboxPath != null)
            ListTile(
              leading: const Icon(Icons.drive_file_move),
              title: const Text('Destination'),
              subtitle: Text(action.destinationMailboxPath!),
            ),
          _SectionHeader(
            text: 'Emails (${action.emailIds.length})',
            theme: theme,
          ),
          if (action.originalEmails.isEmpty)
            Padding(
              padding: const EdgeInsets.symmetric(horizontal: 16, vertical: 8),
              child: Text(
                '${action.emailIds.length} email(s) — details not available',
                style: theme.textTheme.bodySmall,
              ),
            ),
          ...action.originalEmails.map((email) => _EmailTile(email: email)),
        ],
      ),
    );
  }
 }
 class _SectionHeader extends StatelessWidget {
  const _SectionHeader({required this.text, required this.theme});
  final String text;
  final ThemeData theme;
  @override
  Widget build(BuildContext context) {
    return Padding(
      padding: const EdgeInsets.fromLTRB(16, 16, 16, 4),
      child: Text(
        text,
        style: theme.textTheme.labelLarge?.copyWith(
          color: theme.colorScheme.primary,
        ),
      ),
    );
  }
 }
 class _EmailTile extends StatelessWidget {
  const _EmailTile({required this.email});
  final Email email;
  @override
  Widget build(BuildContext context) {
    final sender = email.from.isNotEmpty
        ? (email.from.first.name ?? email.from.first.email)
        : '(Unknown Sender)';
    return ListTile(
      leading: const Icon(Icons.email_outlined),
      title: Text(email.subject ?? '(No Subject)'),
      subtitle: Text(sender, maxLines: 1, overflow: TextOverflow.ellipsis),
    );
  }
 }
@@ -2,6 +2,7 @@ import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/di.dart';
@@ -55,6 +56,10 @@ class _UndoActionTile extends ConsumerWidget {
    final extraCount = count > 1 ? ' (+${count - 1} more)' : '';
    return ListTile(
      onTap: () => context.go(
        '/accounts/undo-log/${action.id}',
        extra: action,
      ),
      leading: Icon(
        action.type == UndoType.delete
            ? Icons.delete_outline
@@ -84,9 +89,7 @@ class _UndoActionTile extends ConsumerWidget {
              .read(undoServiceProvider.notifier)
              .undo(actionId: action.id);
          if (context.mounted) {
-            ScaffoldMessenger.of(
+            ScaffoldMessenger.of(context).showSnackBar(
              context,
            ).showSnackBar(
              const SnackBar(
                duration: Duration(seconds: 5),
                content: Text('Action undone.'),
@@ -0,0 +1,241 @@
 import 'dart:async';
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/sync/background_sync.dart';
 import 'package:sharedinbox/di.dart';
 class UserPreferencesScreen extends ConsumerWidget {
  const UserPreferencesScreen({super.key});
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    final prefsAsync = ref.watch(userPreferencesProvider);
    final trustedSendersAsync = ref.watch(trustedImageSendersProvider);
    final trustedCount = trustedSendersAsync.value?.length ?? 0;
    return Scaffold(
      appBar: AppBar(title: const Text('Preferences')),
      body: prefsAsync.when(
        loading: () => const Center(child: CircularProgressIndicator()),
        error: (_, __) =>
            const Center(child: Text('Error loading preferences')),
        data: (prefs) => ListView(
          children: [
            ListTile(
              title: Text(
                'Menu bar position',
                style: Theme.of(context).textTheme.titleSmall,
              ),
              subtitle: const Text(
                'Where the folder navigation menu is shown in the mailbox view.',
              ),
            ),
            RadioGroup<MenuPosition>(
              groupValue: prefs.menuPosition,
              onChanged: (value) {
                if (value == null) return;
                unawaited(
                  ref
                      .read(userPreferencesRepositoryProvider)
                      .updateMenuPosition(value),
                );
              },
              child: const Column(
                children: [
                  RadioListTile<MenuPosition>(
                    title: Text('Bottom (default)'),
                    subtitle: Text(
                      'Open folder navigation from a button at the bottom of the screen.',
                    ),
                    value: MenuPosition.bottom,
                  ),
                  RadioListTile<MenuPosition>(
                    title: Text('Top'),
                    subtitle: Text(
                      'Open folder navigation from the hamburger icon in the top bar.',
                    ),
                    value: MenuPosition.top,
                  ),
                ],
              ),
            ),
            const Divider(),
            ListTile(
              title: Text(
                'Single mail view button position',
                style: Theme.of(context).textTheme.titleSmall,
              ),
              subtitle: const Text(
                'Where the back button is shown in the single mail view.',
              ),
            ),
            RadioGroup<MenuPosition>(
              groupValue: prefs.mailViewButtonPosition,
              onChanged: (value) {
                if (value == null) return;
                unawaited(
                  ref
                      .read(userPreferencesRepositoryProvider)
                      .updateMailViewButtonPosition(value),
                );
              },
              child: const Column(
                children: [
                  RadioListTile<MenuPosition>(
                    title: Text('Bottom (default)'),
                    subtitle: Text(
                      'Show the back button at the bottom of the screen.',
                    ),
                    value: MenuPosition.bottom,
                  ),
                  RadioListTile<MenuPosition>(
                    title: Text('Top'),
                    subtitle: Text('Show the back button in the top bar.'),
                    value: MenuPosition.top,
                  ),
                ],
              ),
            ),
            const Divider(),
            ListTile(
              title: Text(
                'After mail action',
                style: Theme.of(context).textTheme.titleSmall,
              ),
              subtitle: const Text(
                'What to show after deleting, archiving, or otherwise handling a message.',
              ),
            ),
            RadioGroup<AfterMailViewAction>(
              groupValue: prefs.afterMailViewAction,
              onChanged: (value) {
                if (value == null) return;
                unawaited(
                  ref
                      .read(userPreferencesRepositoryProvider)
                      .updateAfterMailViewAction(value),
                );
              },
              child: const Column(
                children: [
                  RadioListTile<AfterMailViewAction>(
                    title: Text('Next message (default)'),
                    subtitle: Text('Show the next message in the mailbox.'),
                    value: AfterMailViewAction.nextMessage,
                  ),
                  RadioListTile<AfterMailViewAction>(
                    title: Text('Return to mailbox'),
                    subtitle: Text('Return to the message list.'),
                    value: AfterMailViewAction.showMailbox,
                  ),
                ],
              ),
            ),
            const Divider(),
            ListTile(
              title: Text(
                'Offline email cache',
                style: Theme.of(context).textTheme.titleSmall,
              ),
              subtitle: const Text(
                'Pre-fetch email bodies in the background so they are available offline.',
              ),
            ),
            RadioGroup<PrefetchMode>(
              groupValue: prefs.prefetchMode,
              onChanged: (value) {
                if (value == null) return;
                unawaited(
                  ref
                      .read(userPreferencesRepositoryProvider)
                      .updatePrefetchMode(value),
                );
                unawaited(registerBodyPrefetchTask(value));
              },
              child: const Column(
                children: [
                  RadioListTile<PrefetchMode>(
                    title: Text('Wi-Fi only (default)'),
                    subtitle: Text(
                      'Pre-fetch bodies in the background when connected to Wi-Fi.',
                    ),
                    value: PrefetchMode.wifiOnly,
                  ),
                  RadioListTile<PrefetchMode>(
                    title: Text('Any network'),
                    subtitle: Text(
                      'Pre-fetch bodies on Wi-Fi and mobile data.',
                    ),
                    value: PrefetchMode.always,
                  ),
                  RadioListTile<PrefetchMode>(
                    title: Text('Disabled'),
                    subtitle: Text(
                      'Do not pre-fetch email bodies in the background.',
                    ),
                    value: PrefetchMode.disabled,
                  ),
                ],
              ),
            ),
            if (prefs.prefetchMode != PrefetchMode.disabled) ...[
              const SizedBox(height: 4),
              Padding(
                padding: const EdgeInsets.symmetric(horizontal: 16),
                child: Row(
                  children: [
                    const Text('Cache size limit:'),
                    const SizedBox(width: 16),
                    DropdownButton<int>(
                      value: _nearestCacheOption(prefs.bodyCacheLimitMb),
                      items: const [
                        DropdownMenuItem(value: 50, child: Text('50 MB')),
                        DropdownMenuItem(value: 100, child: Text('100 MB')),
                        DropdownMenuItem(value: 200, child: Text('200 MB')),
                        DropdownMenuItem(value: 500, child: Text('500 MB')),
                      ],
                      onChanged: (value) {
                        if (value == null) return;
                        unawaited(
                          ref
                              .read(userPreferencesRepositoryProvider)
                              .updateBodyCacheLimitMb(value),
                        );
                      },
                    ),
                  ],
                ),
              ),
              const SizedBox(height: 8),
            ],
            const Divider(),
            ListTile(
              title: Text(
                'Allowed addresses for images',
                style: Theme.of(context).textTheme.titleSmall,
              ),
              subtitle: Text(
                trustedCount == 0
                    ? 'No addresses added yet.'
                    : '$trustedCount address${trustedCount == 1 ? '' : 'es'}',
              ),
              trailing: const Icon(Icons.chevron_right),
              onTap: () => context.push('/accounts/trusted-senders'),
            ),
          ],
        ),
      ),
    );
  }
  int _nearestCacheOption(int mb) {
    const options = [50, 100, 200, 500];
    return options.reduce(
      (a, b) => (a - mb).abs() <= (b - mb).abs() ? a : b,
    );
  }
 }
@@ -0,0 +1,76 @@
 import 'dart:io';
 import 'package:device_info_plus/device_info_plus.dart';
 import 'package:flutter/material.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/db_schema_version.dart';
 const _gitHash = String.fromEnvironment('GIT_HASH');
 /// Builds the About markdown table used in [AboutScreen] and sync log copies.
 String buildAboutMarkdown({
  required BuildContext context,
  PackageInfo? pkg,
  required int imapCount,
  required int jmapCount,
  String? deviceModel,
 }) {
  final size = MediaQuery.of(context).size;
  final pixelRatio = MediaQuery.of(context).devicePixelRatio;
  final physW = (size.width * pixelRatio).toInt();
  final physH = (size.height * pixelRatio).toInt();
  final version = pkg != null ? '${pkg.version}+${pkg.buildNumber}' : 'unknown';
  final versionDisplay = _gitHash.isNotEmpty
      ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)'
      : version;
  final osName = _capitalize(Platform.operatingSystem);
  final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
  final locale = Localizations.localeOf(context).toString();
  final textScale = MediaQuery.of(
    context,
  ).textScaler.scale(1.0).toStringAsFixed(1);
  final gitCommitLine = _gitHash.isNotEmpty
      ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
      : '';
  final deviceModelLine =
      deviceModel != null ? '| Device Model | $deviceModel |\n' : '';
  return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
      '| Property | Value |\n'
      '|----------|-------|\n'
      '| App Version | $versionDisplay |\n'
      '$gitCommitLine'
      '| Platform | ${Platform.operatingSystem} |\n'
      '| $osName Version | ${Platform.operatingSystemVersion} |\n'
      '$deviceModelLine'
      '| Resolution | ${physW}x$physH px'
      ' (logical: ${size.width.toInt()}x${size.height.toInt()} pt,'
      ' ratio: ${pixelRatio.toStringAsFixed(1)}x) |\n'
      '| Dart Version | ${Platform.version.split(' ').first} |\n'
      '| Processors | ${Platform.numberOfProcessors} |\n'
      '| Dark Mode | ${isDark ? 'yes' : 'no'} |\n'
      '| Locale | $locale |\n'
      '| Text Scale | $textScale× |\n'
      '| DB Schema Version | $dbSchemaVersion |\n'
      '| IMAP Accounts | $imapCount |\n'
      '| JMAP Accounts | $jmapCount |\n';
 }
 /// Fetches device model string, or null when unavailable.
 Future<String?> getDeviceModel() async {
  try {
    final info = DeviceInfoPlugin();
    if (Platform.isAndroid) {
      final android = await info.androidInfo;
      return '${android.manufacturer} / ${android.model}';
    } else if (Platform.isIOS) {
      final ios = await info.iosInfo;
      return ios.utsname.machine;
    }
  } catch (_) {}
  return null;
 }
 String _capitalize(String s) =>
    s.isEmpty ? s : '${s[0].toUpperCase()}${s.substring(1)}';
@@ -0,0 +1,258 @@
 import 'package:flutter/material.dart';
 import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/email.dart';
 /// Full-screen dialog for browsing email headers, organised into groups.
 class EmailHeadersDialog extends StatelessWidget {
  const EmailHeadersDialog({super.key, required this.headers});
  final List<EmailHeader> headers;
  @override
  Widget build(BuildContext context) {
    return Dialog.fullscreen(
      child: Scaffold(
        appBar: AppBar(
          title: const Text('Mail Headers'),
          leading: const CloseButton(),
        ),
        body: _HeadersBody(headers: headers),
      ),
    );
  }
 }
 class _HeadersBody extends StatelessWidget {
  const _HeadersBody({required this.headers});
  final List<EmailHeader> headers;
  @override
  Widget build(BuildContext context) {
    final receivedHeaders = <EmailHeader>[];
    final listHeaders = <EmailHeader>[];
    final arcHeaders = <EmailHeader>[];
    final otherHeaders = <EmailHeader>[];
    // Maps X- prefix (e.g. "X-Google") → headers with that prefix.
    final xByPrefix = <String, List<EmailHeader>>{};
    for (final h in headers) {
      final lower = h.name.toLowerCase();
      if (lower == 'received') {
        receivedHeaders.add(h);
        continue;
      }
      if (lower.startsWith('list-')) {
        listHeaders.add(h);
        continue;
      }
      if (lower.startsWith('arc-')) {
        arcHeaders.add(h);
        continue;
      }
      if (lower.startsWith('x-')) {
        final parts = h.name.split('-');
        // "X-Foo-Bar-Baz" → prefix "X-Foo"; "X-Single" → prefix "X-Single".
        final prefix = parts.length >= 3 ? '${parts[0]}-${parts[1]}' : h.name;
        xByPrefix.putIfAbsent(prefix, () => []).add(h);
        continue;
      }
      otherHeaders.add(h);
    }
    final sections = <Widget>[];
    if (otherHeaders.isNotEmpty) {
      sections.add(_HeadersSection(title: 'Headers', headers: otherHeaders));
    }
    if (listHeaders.isNotEmpty) {
      sections.add(
        _HeadersSection(title: 'List- Headers', headers: listHeaders),
      );
    }
    if (receivedHeaders.isNotEmpty) {
      sections.add(_ReceivedSection(headers: receivedHeaders));
    }
    if (arcHeaders.isNotEmpty) {
      sections.add(
        _HeadersSection(title: 'ARC- Headers', headers: arcHeaders),
      );
    }
    // X- headers at bottom, each prefix in its own collapsible group.
    final sortedPrefixes = xByPrefix.keys.toList()
      ..sort((a, b) => a.toLowerCase().compareTo(b.toLowerCase()));
    for (final prefix in sortedPrefixes) {
      sections.add(
        _HeadersSection(
          title: '$prefix Headers',
          headers: xByPrefix[prefix]!,
        ),
      );
    }
    return ListView(children: sections);
  }
 }
 class _HeadersSection extends StatelessWidget {
  const _HeadersSection({required this.title, required this.headers});
  final String title;
  final List<EmailHeader> headers;
  @override
  Widget build(BuildContext context) {
    return ExpansionTile(
      title: Text('$title (${headers.length})'),
      children: [
        for (var i = 0; i < headers.length; i++)
          _HeaderRow(header: headers[i], index: i),
      ],
    );
  }
 }
 /// Received headers section — collapsed by default; shows inter-hop delays.
 class _ReceivedSection extends StatelessWidget {
  const _ReceivedSection({required this.headers});
  final List<EmailHeader> headers;
  @override
  Widget build(BuildContext context) {
    final entries = _buildEntries(headers);
    return ExpansionTile(
      title: Text('Received (${headers.length})'),
      children: [
        for (var i = 0; i < entries.length; i++) ...[
          _HeaderRow(header: entries[i].header, index: i),
          if (entries[i].delay != null) _DelayRow(delay: entries[i].delay!),
        ],
      ],
    );
  }
  static List<_ReceivedEntry> _buildEntries(List<EmailHeader> headers) {
    final timestamps =
        headers.map((h) => _parseReceivedTimestamp(h.value)).toList();
    return [
      for (var i = 0; i < headers.length; i++)
        _ReceivedEntry(
          header: headers[i],
          delay: _computeDelay(timestamps, i),
        ),
    ];
  }
  static Duration? _computeDelay(List<DateTime?> timestamps, int i) {
    if (i >= timestamps.length - 1) return null;
    final current = timestamps[i];
    final next = timestamps[i + 1];
    if (current == null || next == null) return null;
    final d = current.difference(next);
    return d.isNegative ? Duration.zero : d;
  }
 }
 class _ReceivedEntry {
  const _ReceivedEntry({required this.header, this.delay});
  final EmailHeader header;
  final Duration? delay;
 }
 class _HeaderRow extends StatelessWidget {
  const _HeaderRow({required this.header, required this.index});
  final EmailHeader header;
  final int index;
  @override
  Widget build(BuildContext context) {
    final bg = index.isEven
        ? Theme.of(context).colorScheme.surfaceContainerHighest
        : Theme.of(context).colorScheme.surface;
    return Container(
      color: bg,
      padding: const EdgeInsets.symmetric(vertical: 4, horizontal: 8),
      child: Row(
        crossAxisAlignment: CrossAxisAlignment.start,
        children: [
          Expanded(
            child: SelectableText(
              header.name,
              style: const TextStyle(fontWeight: FontWeight.bold),
            ),
          ),
          const SizedBox(width: 8),
          Expanded(flex: 2, child: SelectableText(header.value)),
        ],
      ),
    );
  }
 }
 class _DelayRow extends StatelessWidget {
  const _DelayRow({required this.delay});
  final Duration delay;
  @override
  Widget build(BuildContext context) {
    final color = _delayColor(delay);
    return Padding(
      padding: const EdgeInsets.symmetric(horizontal: 16, vertical: 2),
      child: Row(
        children: [
          Icon(Icons.arrow_downward, size: 14, color: color),
          const SizedBox(width: 4),
          Text(
            _formatDuration(delay),
            style: TextStyle(
              fontSize: 12,
              color: color,
              fontWeight:
                  delay.inSeconds >= 30 ? FontWeight.bold : FontWeight.normal,
            ),
          ),
        ],
      ),
    );
  }
 }
 /// Parses the RFC 2822 timestamp from a Received header value.
 ///
 /// Received headers end with `; date`, e.g.:
 ///   by mx.example.com; Mon, 1 Jan 2024 12:00:00 +0000 (UTC)
 DateTime? _parseReceivedTimestamp(String value) {
  final semiIndex = value.lastIndexOf(';');
  if (semiIndex < 0) return null;
  var s = value.substring(semiIndex + 1).trim();
  // Strip parenthesised comments like (UTC).
  s = s.replaceAll(RegExp(r'\([^)]*\)'), ' ').trim();
  // Strip leading day-of-week abbreviation like "Mon, ".
  s = s.replaceFirst(RegExp(r'^[A-Za-z]{2,4},\s*'), '');
  // Collapse runs of whitespace.
  s = s.replaceAll(RegExp(r'\s+'), ' ').trim();
  for (final fmt in [
    DateFormat('dd MMM yyyy HH:mm:ss Z', 'en_US'),
    DateFormat('d MMM yyyy HH:mm:ss Z', 'en_US'),
    DateFormat('dd MMM yyyy HH:mm:ss', 'en_US'),
    DateFormat('d MMM yyyy HH:mm:ss', 'en_US'),
  ]) {
    try {
      return fmt.parse(s);
    } catch (_) {}
  }
  return null;
 }
 String _formatDuration(Duration d) {
  if (d.inSeconds < 60) return '${d.inSeconds}s';
  if (d.inMinutes < 60) return '${d.inMinutes}m ${d.inSeconds.remainder(60)}s';
  return '${d.inHours}h ${d.inMinutes.remainder(60)}m';
 }
 Color _delayColor(Duration d) {
  if (d.inSeconds < 30) return Colors.green;
  if (d.inSeconds < 300) return Colors.orange;
  return Colors.red;
 }
@@ -0,0 +1,171 @@
 import 'package:flutter/material.dart';
 import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/email.dart';
 final _dateFmt = DateFormat('MMM d');
 final _formattedDates = <int, String>{};
 int _dayKey(DateTime dt) => dt.year * 10000 + dt.month * 100 + dt.day;
 String _fmtDate(DateTime dt) =>
    _formattedDates[_dayKey(dt)] ??= _dateFmt.format(dt);
 /// A swipeable list tile for an [EmailThread].
 ///
 /// Handles the [Dismissible] wrapper (archive left, delete right) and
 /// selection-mode checkbox. Pass [showAccount] to display an extra subtitle
 /// line with the account name — used in the combined-inbox view.
 class EmailThreadTile extends StatelessWidget {
  const EmailThreadTile({
    super.key,
    required this.thread,
    required this.isSelected,
    required this.isSelecting,
    required this.onTap,
    required this.onLongPress,
    required this.onDismissed,
    this.showAccount = false,
    this.accountName,
  });
  final EmailThread thread;
  final bool isSelected;
  final bool isSelecting;
  final VoidCallback onTap;
  final VoidCallback onLongPress;
  final Future<void> Function(DismissDirection) onDismissed;
  /// When true, renders an extra subtitle line with [accountName].
  final bool showAccount;
  final String? accountName;
  @override
  Widget build(BuildContext context) {
    final t = thread;
    final senderNames =
        t.participants.map((a) => a.name ?? a.email).take(3).join(', ');
    final tile = ListTile(
      leading: SizedBox(
        width: 40,
        child: isSelecting
            ? Checkbox(
                value: isSelected,
                onChanged: (_) => onTap(),
              )
            : Icon(
                t.hasUnread ? Icons.mail : Icons.mail_outline,
                color:
                    t.hasUnread ? Theme.of(context).colorScheme.primary : null,
              ),
      ),
      title: Row(
        children: [
          Expanded(
            child: Text(
              senderNames.isEmpty ? '(unknown)' : senderNames,
              style: t.hasUnread
                  ? const TextStyle(fontWeight: FontWeight.bold)
                  : null,
              overflow: TextOverflow.ellipsis,
            ),
          ),
          if (t.messageCount > 1)
            Padding(
              padding: const EdgeInsets.only(left: 4),
              child: Text(
                '[${t.messageCount}]',
                style: Theme.of(context).textTheme.bodySmall,
              ),
            ),
        ],
      ),
      subtitle: Column(
        crossAxisAlignment: CrossAxisAlignment.start,
        children: [
          Text(
            t.subject ?? '(no subject)',
            maxLines: 1,
            overflow: TextOverflow.ellipsis,
            style: t.hasUnread
                ? const TextStyle(fontWeight: FontWeight.bold)
                : null,
          ),
          if (t.preview != null && t.preview!.isNotEmpty)
            Text(
              t.preview!,
              maxLines: 1,
              overflow: TextOverflow.ellipsis,
              style: Theme.of(context).textTheme.bodySmall,
            ),
          if (showAccount && accountName != null)
            Text(
              accountName!,
              maxLines: 1,
              overflow: TextOverflow.ellipsis,
              style: Theme.of(context).textTheme.bodySmall?.copyWith(
                    color: Theme.of(context).colorScheme.primary,
                  ),
            ),
        ],
      ),
      selected: isSelected,
      trailing: Row(
        mainAxisSize: MainAxisSize.min,
        children: [
          if (t.isFlagged)
            const Icon(Icons.star, color: Colors.amber, size: 16),
          const SizedBox(width: 4),
          Text(
            _fmtDate(t.latestDate),
            style: Theme.of(context).textTheme.bodySmall,
          ),
        ],
      ),
      onTap: onTap,
      onLongPress: onLongPress,
    );
    return Dismissible(
      key: ValueKey('${t.accountId}:${t.threadId}'),
      direction:
          isSelecting ? DismissDirection.none : DismissDirection.horizontal,
      background: _swipeBackground(
        alignment: Alignment.centerLeft,
        color: Colors.green,
        icon: Icons.archive,
        label: 'Archive',
      ),
      secondaryBackground: _swipeBackground(
        alignment: Alignment.centerRight,
        color: Colors.red,
        icon: Icons.delete,
        label: 'Delete',
      ),
      onDismissed: onDismissed,
      child: tile,
    );
  }
  static Widget _swipeBackground({
    required AlignmentGeometry alignment,
    required Color color,
    required IconData icon,
    required String label,
  }) {
    return Container(
      color: color,
      alignment: alignment,
      padding: const EdgeInsets.symmetric(horizontal: 20),
      child: Row(
        mainAxisSize: MainAxisSize.min,
        children: [
          Icon(icon, color: Colors.white),
          const SizedBox(width: 8),
          Text(label, style: const TextStyle(color: Colors.white)),
        ],
      ),
    );
  }
 }
@@ -0,0 +1,312 @@
 import 'package:flutter/material.dart';
 import 'package:sharedinbox/core/filter/filter_expression.dart';
 /// A widget that lets the user build a structured [FilterGroup] interactively.
 ///
 /// Use a [ValueKey] on this widget when replacing [initialValue] from the
 /// outside (e.g., after loading a Sieve script) to force a full rebuild.
 class FilterBuilderWidget extends StatefulWidget {
  const FilterBuilderWidget({
    super.key,
    required this.initialValue,
    required this.onChanged,
  });
  final FilterGroup initialValue;
  final void Function(FilterGroup) onChanged;
  @override
  State<FilterBuilderWidget> createState() => _FilterBuilderWidgetState();
 }
 class _FilterBuilderWidgetState extends State<FilterBuilderWidget> {
  late FilterGroup _group;
  @override
  void initState() {
    super.initState();
    _group = widget.initialValue;
  }
  void _update(FilterGroup g) {
    setState(() => _group = g);
    widget.onChanged(g);
  }
  @override
  Widget build(BuildContext context) {
    return _GroupEditor(
      group: _group,
      onChanged: _update,
      depth: 0,
    );
  }
 }
 // ---------------------------------------------------------------------------
 // Group editor
 // ---------------------------------------------------------------------------
 class _GroupEditor extends StatelessWidget {
  const _GroupEditor({
    super.key,
    required this.group,
    required this.onChanged,
    required this.depth,
    this.onRemoveGroup,
  });
  final FilterGroup group;
  final void Function(FilterGroup) onChanged;
  final int depth;
  final VoidCallback? onRemoveGroup;
  static const _maxDepth = 1;
  void _setOperator(FilterOperator op) =>
      onChanged(group.copyWith(operator: op));
  void _addLeaf() {
    final leaf = FilterLeaf(
      field: FilterField.from_,
      comparison: FilterComparison.contains,
      value: '',
    );
    onChanged(group.copyWith(children: [...group.children, leaf]));
  }
  void _addSubGroup() {
    final sub = FilterGroup(
      operator: FilterOperator.and_,
      children: [],
    );
    onChanged(group.copyWith(children: [...group.children, sub]));
  }
  void _replaceChild(int index, FilterNode node) {
    final next = List<FilterNode>.from(group.children);
    next[index] = node;
    onChanged(group.copyWith(children: next));
  }
  void _removeChild(int index) {
    final next = List<FilterNode>.from(group.children)..removeAt(index);
    onChanged(group.copyWith(children: next));
  }
  @override
  Widget build(BuildContext context) {
    final theme = Theme.of(context);
    final isRoot = depth == 0;
    final content = Column(
      crossAxisAlignment: CrossAxisAlignment.start,
      children: [
        _OperatorRow(
          operator: group.operator,
          onChanged: _setOperator,
          onRemove: onRemoveGroup,
        ),
        for (var i = 0; i < group.children.length; i++) _buildChild(context, i),
        const SizedBox(height: 6),
        Row(
          children: [
            TextButton.icon(
              onPressed: _addLeaf,
              icon: const Icon(Icons.add, size: 16),
              label: const Text('Add condition'),
            ),
            if (depth < _maxDepth)
              TextButton.icon(
                onPressed: _addSubGroup,
                icon: const Icon(Icons.playlist_add, size: 16),
                label: const Text('Add group'),
              ),
          ],
        ),
      ],
    );
    if (isRoot) return content;
    return Card(
      margin: const EdgeInsets.only(left: 12, top: 4, bottom: 4),
      color: theme.colorScheme.surfaceContainerLow,
      child: Padding(
        padding: const EdgeInsets.all(8),
        child: content,
      ),
    );
  }
  Widget _buildChild(BuildContext context, int i) {
    final child = group.children[i];
    return switch (child) {
      final FilterLeaf leaf => _LeafRow(
          key: ValueKey(i),
          leaf: leaf,
          onChanged: (l) => _replaceChild(i, l),
          onDelete: () => _removeChild(i),
        ),
      final FilterGroup sub => _GroupEditor(
          key: ValueKey(i),
          group: sub,
          onChanged: (g) => _replaceChild(i, g),
          depth: depth + 1,
          onRemoveGroup: () => _removeChild(i),
        ),
    };
  }
 }
 // ---------------------------------------------------------------------------
 // Operator row (AND / OR toggle)
 // ---------------------------------------------------------------------------
 class _OperatorRow extends StatelessWidget {
  const _OperatorRow({
    required this.operator,
    required this.onChanged,
    this.onRemove,
  });
  final FilterOperator operator;
  final void Function(FilterOperator) onChanged;
  final VoidCallback? onRemove;
  @override
  Widget build(BuildContext context) {
    return Row(
      children: [
        SegmentedButton<FilterOperator>(
          segments: const [
            ButtonSegment(value: FilterOperator.and_, label: Text('AND')),
            ButtonSegment(value: FilterOperator.or_, label: Text('OR')),
          ],
          selected: {operator},
          onSelectionChanged: (s) => onChanged(s.first),
          style: const ButtonStyle(
            visualDensity: VisualDensity.compact,
            tapTargetSize: MaterialTapTargetSize.shrinkWrap,
          ),
        ),
        const Spacer(),
        if (onRemove != null)
          IconButton(
            icon: const Icon(Icons.close, size: 18),
            tooltip: 'Remove group',
            onPressed: onRemove,
          ),
      ],
    );
  }
 }
 // ---------------------------------------------------------------------------
 // Leaf row (field | comparison | value | delete)
 // ---------------------------------------------------------------------------
 class _LeafRow extends StatefulWidget {
  const _LeafRow({
    super.key,
    required this.leaf,
    required this.onChanged,
    required this.onDelete,
  });
  final FilterLeaf leaf;
  final void Function(FilterLeaf) onChanged;
  final VoidCallback onDelete;
  @override
  State<_LeafRow> createState() => _LeafRowState();
 }
 class _LeafRowState extends State<_LeafRow> {
  late final TextEditingController _ctrl;
  @override
  void initState() {
    super.initState();
    _ctrl = TextEditingController(text: widget.leaf.value);
  }
  @override
  void didUpdateWidget(_LeafRow old) {
    super.didUpdateWidget(old);
    if (widget.leaf.value != _ctrl.text) {
      _ctrl.text = widget.leaf.value;
    }
  }
  @override
  void dispose() {
    _ctrl.dispose();
    super.dispose();
  }
  void _onFieldChanged(FilterField? f) {
    if (f == null) return;
    final allowed = f.allowedComparisons;
    final comp = allowed.contains(widget.leaf.comparison)
        ? widget.leaf.comparison
        : allowed.first;
    widget.onChanged(widget.leaf.copyWith(field: f, comparison: comp));
  }
  void _onCompChanged(FilterComparison? c) {
    if (c == null) return;
    widget.onChanged(widget.leaf.copyWith(comparison: c));
  }
  @override
  Widget build(BuildContext context) {
    return Padding(
      padding: const EdgeInsets.symmetric(vertical: 4),
      child: Row(
        children: [
          DropdownButton<FilterField>(
            value: widget.leaf.field,
            onChanged: _onFieldChanged,
            isDense: true,
            underline: const SizedBox.shrink(),
            items: FilterField.values
                .map(
                  (f) => DropdownMenuItem(value: f, child: Text(f.label)),
                )
                .toList(),
          ),
          const SizedBox(width: 8),
          DropdownButton<FilterComparison>(
            value: widget.leaf.comparison,
            onChanged: _onCompChanged,
            isDense: true,
            underline: const SizedBox.shrink(),
            items: widget.leaf.field.allowedComparisons
                .map(
                  (c) => DropdownMenuItem(value: c, child: Text(c.label)),
                )
                .toList(),
          ),
          const SizedBox(width: 8),
          Expanded(
            child: TextField(
              controller: _ctrl,
              onChanged: (v) =>
                  widget.onChanged(widget.leaf.copyWith(value: v)),
              decoration: const InputDecoration(
                hintText: 'value',
                isDense: true,
                border: OutlineInputBorder(),
                contentPadding:
                    EdgeInsets.symmetric(horizontal: 8, vertical: 6),
              ),
            ),
          ),
          IconButton(
            icon: const Icon(Icons.remove_circle_outline, size: 18),
            tooltip: 'Remove',
            onPressed: widget.onDelete,
          ),
        ],
      ),
    );
  }
 }
@@ -31,10 +31,13 @@ String buildEmailHtml(String htmlBody, {bool loadRemoteImages = false}) {
 <meta name="color-scheme" content="light">
 <meta http-equiv="Content-Security-Policy" content="$csp">
 <style>
-body { margin: 0; padding: 0; font-family: sans-serif; word-break: break-word; color-scheme: light; background-color: #ffffff; color: #000000; }
+body { margin: 0; padding: 0; font-family: sans-serif; word-break: break-word; overflow-x: hidden; color-scheme: light; background-color: #ffffff; color: #000000; }
 img { max-width: 100%; height: auto; }
 a { color: #1976D2; }
-* { box-sizing: border-box; }
+* { box-sizing: border-box; max-width: 100%; }
 table { width: 100%; border-collapse: collapse; }
 td, th { overflow-wrap: break-word; word-break: break-word; }
 pre { white-space: pre-wrap; word-break: break-word; overflow-x: auto; }
 </style>
 </head>
 <body>
@@ -108,12 +111,16 @@ class _SecureEmailWebViewState extends State<SecureEmailWebView> {
      );
  Future<void> _measureHeight(String _) async {
-    final result = await _controller!.runJavaScriptReturningResult(
+    try {
-      'document.documentElement.scrollHeight',
+      final result = await _controller!.runJavaScriptReturningResult(
-    );
+        'document.documentElement.scrollHeight',
-    final h = double.tryParse(result.toString());
+      );
-    if (h != null && h > 0 && mounted) {
+      final h = double.tryParse(result.toString());
-      setState(() => _height = h);
+      if (h != null && h > 0 && mounted) {
        setState(() => _height = h);
      }
    } catch (_) {
      // WebView not ready yet; height stays at default
    }
  }
@@ -184,12 +191,14 @@ class _SecureEmailWebViewState extends State<SecureEmailWebView> {
    );
    if (confirmed == true && mounted) {
-      final launched =
+      final launched = await launchUrl(
-          await launchUrl(uri, mode: LaunchMode.externalApplication);
+        uri,
        mode: LaunchMode.externalApplication,
      );
      if (!launched && mounted) {
-        ScaffoldMessenger.of(context).showSnackBar(
+        ScaffoldMessenger.of(
-          SnackBar(content: Text('Could not open: $url')),
+          context,
-        );
+        ).showSnackBar(SnackBar(content: Text('Could not open: $url')));
      }
    }
  }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`module codeberg.org/guettli/sharedinbox`

							`go 1.22`