fix: pin SSH host key via known_hosts instead of StrictHostKeyChecking=no (#161)

- Add knownHosts *dagger.Secret parameter to Deployer(), DeployLinux(),
  DeployApk(), PublishWebsite(), BuildWebsite(), GenerateBuildHistory()
- Mount SSH_KNOWN_HOSTS secret at /root/.ssh/known_hosts (mode 0644) in
  both the Deployer container and the GenerateBuildHistory container
- Remove all -o StrictHostKeyChecking=no flags from ssh/scp/rsync calls
  in ci/main.go and scripts/generate_build_history.py
- Update Taskfile dagger tasks (deploy-linux, deploy-apk, publish-website)
  to require SSH_KNOWN_HOSTS and pass --known-hosts env:SSH_KNOWN_HOSTS
- Fix non-Dagger Taskfile tasks to write SSH_KNOWN_HOSTS to ~/.ssh/known_hosts
- Fix .forgejo/workflows/deploy.yml to pass SSH_KNOWN_HOSTS secret
- Fix .github/workflows/ci.yml SSH setup step to write known_hosts file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/ci.yml

@@ -3,7 +3,41 @@ name: CI
 on:
   push:
     branches: [main]
+    paths:
+      - 'lib/**'
+      - 'test/**'
+      - 'integration_test/**'
+      - 'android/**'
+      - 'linux/**'
+      - 'assets/**'
+      - '!assets/changelog.txt'
+      - 'pubspec.yaml'
+      - 'pubspec.lock'
+      - 'analysis_options.yaml'
+      - 'scripts/**'
+      - 'stalwart-dev/**'
+      - 'ci/**'
+      - 'Taskfile.yml'
+      - 'drift_schemas/**'
+      - '.forgejo/workflows/ci.yml'
   pull_request:
+    paths:
+      - 'lib/**'
+      - 'test/**'
+      - 'integration_test/**'
+      - 'android/**'
+      - 'linux/**'
+      - 'assets/**'
+      - '!assets/changelog.txt'
+      - 'pubspec.yaml'
+      - 'pubspec.lock'
+      - 'analysis_options.yaml'
+      - 'scripts/**'
+      - 'stalwart-dev/**'
+      - 'ci/**'
+      - 'Taskfile.yml'
+      - 'drift_schemas/**'
+      - '.forgejo/workflows/ci.yml'
 
 jobs:
   check:

.forgejo/workflows/deploy.yml

@@ -6,10 +6,55 @@ on:
   workflow_dispatch:
 
 jobs:
+  check-changes:
+    name: Detect Changed Files
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      android: ${{ steps.diff.outputs.android }}
+      linux: ${{ steps.diff.outputs.linux }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Detect Android and Linux changes
+        id: diff
+        shell: bash
+        run: |
+          # On workflow_dispatch always build everything
+          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
+            echo "android=true" >> "$GITHUB_OUTPUT"
+            echo "linux=true"   >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Diff the HEAD commit against its parent; fall back to listing HEAD's files
+          # when the parent is unavailable (initial commit, shallow clone).
+          CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null \
+            || git show --name-only --format= HEAD)
+
+          echo "Changed files:"
+          echo "$CHANGED"
+
+          android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/)'
+          linux_re='^(linux/|lib/|pubspec\.yaml|pubspec\.lock)'
+
+          echo "$CHANGED" | grep -qE "$android_re" \
+            && echo "android=true" >> "$GITHUB_OUTPUT" \
+            || echo "android=false" >> "$GITHUB_OUTPUT"
+
+          echo "$CHANGED" | grep -qE "$linux_re" \
+            && echo "linux=true"   >> "$GITHUB_OUTPUT" \
+            || echo "linux=false"  >> "$GITHUB_OUTPUT"
+
   test-android-firebase:
     name: Android Instrumented Tests (Firebase Test Lab)
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    needs: [check-changes]
+    if: needs.check-changes.outputs.android == 'true'
 
     steps:
       - uses: actions/checkout@v4
@@ -46,6 +91,8 @@ jobs:
     name: Build & Deploy to Play Store
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    needs: [check-changes]
+    if: needs.check-changes.outputs.android == 'true'
 
     steps:
       - uses: actions/checkout@v4
@@ -83,6 +130,8 @@ jobs:
     name: Build & Deploy APK to Server
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    needs: [check-changes]
+    if: needs.check-changes.outputs.android == 'true'
 
     steps:
       - uses: actions/checkout@v4
@@ -107,6 +156,7 @@ jobs:
         if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
@@ -122,6 +172,8 @@ jobs:
     name: Build Linux Release
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    needs: [check-changes]
+    if: needs.check-changes.outputs.linux == 'true'
 
     steps:
       - uses: actions/checkout@v4
@@ -146,6 +198,7 @@ jobs:
         if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           DAGGER_NO_NAG: "1"
@@ -187,6 +240,7 @@ jobs:
         if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           DAGGER_NO_NAG: "1"
@@ -200,7 +254,13 @@ jobs:
     name: Update Deploy Health Label
     runs-on: ubuntu-latest
     needs: [test-android-firebase, deploy-playstore, deploy-apk, build-linux]
-    if: always() && vars.DEPLOY_HEALTH_ISSUE != ''
+    if: |
+      always() && vars.DEPLOY_HEALTH_ISSUE != '' && (
+        needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'failure' ||
+        needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'failure' ||
+        needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'failure' ||
+        needs.build-linux.result == 'success' || needs.build-linux.result == 'failure'
+      )
     timeout-minutes: 5
 
     steps:
@@ -209,7 +269,7 @@ jobs:
           FORGEJO_TOKEN: ${{ github.token }}
           FORGEJO_URL: ${{ github.server_url }}
           DEPLOY_HEALTH_ISSUE: ${{ vars.DEPLOY_HEALTH_ISSUE }}
-          ALL_SUCCEEDED: ${{ needs.test-android-firebase.result == 'success' && needs.deploy-playstore.result == 'success' && needs.deploy-apk.result == 'success' && needs.build-linux.result == 'success' }}
+          ALL_SUCCEEDED: ${{ (needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'skipped') && (needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'skipped') && (needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'skipped') && (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') }}
         run: |
           python3 - << 'PYEOF'
           import os, json, urllib.request, urllib.error

.github/workflows/ci.yml

@@ -202,6 +202,8 @@ jobs:
           mkdir -p ~/.ssh
           printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
+          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
 
       - name: Build Linux release
         run: |
@@ -215,20 +217,20 @@ jobs:
           REMOTE_DIR="public_html/builds/$DATE_PATH"
           TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
           tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-          ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-          scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+          ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+          scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
           DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
-          EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" \
+          EXISTING=$(ssh "$SSH_USER@$SSH_HOST" \
             "cat public_html/latest.json 2>/dev/null || echo '{}'")
           WINDOWS_URL=$(echo "$EXISTING" | \
             python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" \
             2>/dev/null || true)
           if [ -n "$WINDOWS_URL" ]; then
             echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
           else
             echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
           fi
 
       - name: Generate build history pages
@@ -244,6 +246,5 @@ jobs:
           rsync -avz --delete \
             --exclude='*.apk' \
             --exclude='*.tar.gz' \
-            -e "ssh -o StrictHostKeyChecking=no" \
             website/public/ \
             "$SSH_USER@$SSH_HOST:public_html/"

Taskfile.yml

@@ -215,8 +215,10 @@ tasks:
     preconditions:
       - sh: test -n "$SSH_PRIVATE_KEY"
         msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
 
   build-android-bundle:
     desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
@@ -251,17 +253,24 @@ tasks:
     preconditions:
       - sh: test -n "$SSH_PRIVATE_KEY"
         msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
       - sh: test -n "$ANDROID_KEYSTORE_BASE64"
         msg: "ANDROID_KEYSTORE_BASE64 is not set"
       - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
         msg: "ANDROID_KEYSTORE_PASSWORD is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
 
   publish-website:
     desc: Build and publish website via Dagger
+    preconditions:
+      - sh: test -n "$SSH_PRIVATE_KEY"
+        msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key file:$HOME/.ssh/id_ed25519 --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
 
   check-dagger:
     desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)
@@ -373,25 +382,29 @@ tasks:
         msg: "SSH_USER is not set"
       - sh: test -n "$SSH_HOST"
         msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         HASH=$(git rev-parse --short HEAD)
         DATE_PATH=$(date -u +%Y/%m/%d)
         REMOTE_DIR="public_html/builds/$DATE_PATH"
         TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
         tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
         DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
         # Merge with any existing latest.json so we don't overwrite the windows key
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
         WINDOWS_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" 2>/dev/null || true)
         if [ -n "$WINDOWS_URL" ]; then
           echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         else
           echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         fi
         echo "Uploaded $TARBALL and updated latest.json"
 
@@ -416,24 +429,28 @@ tasks:
         msg: "SSH_USER is not set"
       - sh: test -n "$SSH_HOST"
         msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         HASH=$(git rev-parse --short HEAD)
         DATE_PATH=$(date -u +%Y/%m/%d)
         REMOTE_DIR="public_html/builds/$DATE_PATH"
         ZIPFILE="sharedinbox-windows-x64-$HASH.zip"
         cd build/windows/x64/runner && zip -r /tmp/$ZIPFILE Release/ && cd -
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        scp /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
         DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$ZIPFILE"
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
         LINUX_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('linux',''))" 2>/dev/null || true)
         if [ -n "$LINUX_URL" ]; then
           echo "{\"version\":\"$HASH\",\"linux\":\"$LINUX_URL\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         else
           echo "{\"version\":\"$HASH\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
         fi
         echo "Uploaded $ZIPFILE and updated latest.json"
 
@@ -583,14 +600,18 @@ tasks:
         msg: "SSH_USER is not set"
       - sh: test -n "$SSH_HOST"
         msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         HASH=$(git rev-parse --short HEAD)
         DATE_PATH=$(date -u +%Y/%m/%d)
         REMOTE_DIR="public_html/builds/$DATE_PATH"
         APK_NAME="sharedinbox-mua-$HASH.apk"
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no \
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        scp \
           build/app/outputs/flutter-apk/app-release.apk \
           "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$APK_NAME"
         echo "Uploaded $APK_NAME to $REMOTE_DIR"
@@ -619,12 +640,16 @@ tasks:
   website-deploy:
     desc: Deploy the website via rsync to public_html
     deps: [website-build]
+    preconditions:
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
       - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
         rsync -avz --delete \
           --exclude='*.apk' \
           --exclude='*.tar.gz' \
-          -e "ssh -o StrictHostKeyChecking=no" \
           website/public/ \
           ${SSH_USER}@${SSH_HOST}:public_html/
 

ci/main.go

@@ -318,12 +318,13 @@ func (m *Ci) Hugo() *dagger.Container {
 }
 
 // Deploy container for rsync/ssh
-func (m *Ci) Deployer(sshKey *dagger.Secret) *dagger.Container {
+func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container {
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithEnvVariable("RSYNC_RSH", "ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519")
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
+		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }
 
 // Stalwart mail server service for backend and integration tests.
@@ -514,6 +515,7 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 func (m *Ci) GenerateBuildHistory(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
@@ -525,7 +527,7 @@ func (m *Ci) GenerateBuildHistory(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "openssh-client"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithExec([]string{"chmod", "700", "/root/.ssh"}).
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("SSH_USER", sshUser).
 		WithEnvVariable("SSH_HOST", sshHost).
 		WithDirectory("/src", scriptSource).
@@ -538,10 +540,11 @@ func (m *Ci) GenerateBuildHistory(
 func (m *Ci) BuildWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
-	buildHistory := m.GenerateBuildHistory(ctx, sshKey, sshUser, sshHost)
+	buildHistory := m.GenerateBuildHistory(ctx, sshKey, knownHosts, sshUser, sshHost)
 
 	websiteSource := m.Source.Filter(dagger.DirectoryFilterOpts{
 		Include: []string{"website/"},
@@ -558,12 +561,13 @@ func (m *Ci) BuildWebsite(
 func (m *Ci) PublishWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) (string, error) {
-	public := m.BuildWebsite(ctx, sshKey, sshUser, sshHost)
+	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost)
 
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/public", public).
 		WithExec([]string{"rsync", "-avz", "--delete",
 			"--exclude=*.apk", "--exclude=*.tar.gz",
@@ -589,6 +593,7 @@ func (m *Ci) BuildLinuxRelease() *dagger.Directory {
 func (m *Ci) DeployLinux(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -599,11 +604,11 @@ func (m *Ci) DeployLinux(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	tarball := fmt.Sprintf("sharedinbox-linux-amd64-%s.tar.gz", commitHash)
 
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/bundle", bundle).
 		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("tar -czf /tmp/%s -C /bundle .", tarball)}).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
 		Stdout(ctx)
 }
 
@@ -626,6 +631,7 @@ func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *da
 func (m *Ci) DeployApk(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -639,10 +645,10 @@ func (m *Ci) DeployApk(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	apkName := fmt.Sprintf("sharedinbox-mua-%s.apk", commitHash)
 
-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithFile("/tmp/app.apk", apk).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
 		Stdout(ctx)
 }
 
@@ -739,7 +745,7 @@ func (m *Ci) UploadToPlayStore(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "curl"}).
 		WithMountedCache("/root/.cache/pip", dag.CacheVolume("pip-cache")).
-		WithExec([]string{"pip", "install", "google-api-python-client", "google-auth-httplib2", "httplib2"}).
+		WithExec([]string{"pip", "install", "google-auth", "requests"}).
 		WithFile("/src/build/app/outputs/bundle/release/app-release.aab", aab).
 		WithFile("/src/scripts/deploy_playstore.py", scriptSource.File("scripts/deploy_playstore.py")).
 		WithSecretVariable("PLAY_STORE_CONFIG_JSON", playStoreConfig).
@@ -835,16 +841,25 @@ flowchart TD
         integration --> check
     end
 
-    subgraph forgejo ["Codeberg CI · .forgejo/workflows/ci.yml"]
+    subgraph forgejo_ci ["Codeberg CI · ci.yml (push/PR, source paths only)"]
         ciCheck["check"]
-        buildLinux["build-linux\n(main only)"]
-        deployPS["deploy-playstore\n(main only)"]
-        pubWeb["publish-website\n(main only)"]
+    end
 
-        ciCheck --> buildLinux
-        ciCheck --> deployPS
+    subgraph forgejo_deploy ["Codeberg CI · deploy.yml (hourly schedule + workflow_dispatch)"]
+        detectChanges["check-changes\ndetect android / linux diff"]
+        buildLinux["build-linux\n(linux changed)"]
+        deployPS["deploy-playstore\n(android changed)"]
+        deployApk["deploy-apk\n(android changed)"]
+        fbTest["test-android-firebase\n(android changed)"]
+        pubWeb["publish-website\n(any build succeeded)"]
+
+        detectChanges --> buildLinux
+        detectChanges --> deployPS
+        detectChanges --> deployApk
+        detectChanges --> fbTest
         buildLinux  --> pubWeb
         deployPS    --> pubWeb
+        deployApk   --> pubWeb
     end
 
     check -- "task check-dagger" --> ciCheck

lib/core/sync/account_sync_manager.dart

@@ -1,6 +1,7 @@
 import 'dart:async';
 
 import 'package:enough_mail/enough_mail.dart' as imap;
+import 'package:flutter/services.dart' show MissingPluginException;
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart' show SyncEmailsResult;
 import 'package:sharedinbox/core/repositories/account_repository.dart';
@@ -294,6 +295,7 @@ class _AccountSync implements _SyncLoop {
 
   bool _isPermanentError(Object e) {
     if (isTlsConfigError(e)) return true;
+    if (e is MissingPluginException) return true;
     final s = e.toString().toLowerCase();
     // enough_mail doesn't always have typed exceptions for auth, so we check strings.
     return s.contains('invalid credentials') ||
@@ -546,6 +548,7 @@ class _JmapAccountSync implements _SyncLoop {
 
   bool _isPermanentError(Object e) {
     if (isTlsConfigError(e)) return true;
+    if (e is MissingPluginException) return true;
     final s = e.toString().toLowerCase();
     return s.contains('invalid credentials') ||
         s.contains('authentication failed') ||

lib/ui/screens/about_screen.dart

@@ -47,10 +47,14 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
     final osName = _capitalize(Platform.operatingSystem);
     final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
 
-    return '## sharedinbox.de\n\n'
+    final gitCommitLine = _gitHash.isNotEmpty
+        ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
+        : '';
+    return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
         '| Property | Value |\n'
         '|----------|-------|\n'
         '| App Version | $versionDisplay |\n'
+        '$gitCommitLine'
         '| Platform | ${Platform.operatingSystem} |\n'
         '| $osName Version | ${Platform.operatingSystemVersion} |\n'
         '| Resolution | ${physW}x$physH px'

scripts/agent_loop.py

@@ -31,6 +31,7 @@ To resume the Claude conversation, look up the session UUID first:
 import argparse
 import json
 import os
+import re
 import shlex
 import subprocess
 import sys
@@ -188,6 +189,40 @@ def _find_pr_for_branch(branch: str, state: str = "open") -> dict | None:
     return None
 
 
+def _open_issue_prs() -> list[dict]:
+    """Return all open PRs with issue-{N}-fix branches, oldest-first."""
+    result = subprocess.run(
+        ["fgj", "--hostname", "codeberg.org", "pr", "list",
+         "--repo", REPO, "--state", "open", "--json"],
+        capture_output=True, text=True,
+    )
+    if result.returncode != 0 or not result.stdout.strip():
+        return []
+    prs = json.loads(result.stdout)
+    issue_prs = []
+    for pr in prs:
+        head = pr.get("head", {})
+        ref = head.get("ref") or head.get("label", "").split(":")[-1]
+        if re.match(r"^issue-\d+-fix$", ref or ""):
+            issue_prs.append(pr)
+    issue_prs.sort(key=lambda p: p["number"])
+    return issue_prs
+
+
+def _latest_ci_run_for_pr(pr_number: int) -> dict | None:
+    """Return the latest CI run triggered by a pull_request event for the given PR number."""
+    data = _tea_get(f"repos/{REPO}/actions/runs?event=pull_request&limit=50")
+    runs = (data or {}).get("workflow_runs", [])
+    for run in runs:
+        try:
+            payload = json.loads(run.get("event_payload", "{}"))
+            if payload.get("pull_request", {}).get("number") == pr_number:
+                return run
+        except (json.JSONDecodeError, AttributeError):
+            pass
+    return None
+
+
 def _merge_pr(pr_number: int) -> None:
     """Squash-merge a PR via fgj."""
     _fgj("pr", "merge", str(pr_number), "--repo", REPO, "--merge-method", "squash")
@@ -538,6 +573,38 @@ def _run_loop() -> int:
         )
         return 0
 
+    # ── 2b. Catch-up: scan open issue-N-fix PRs orphaned by a cleared state ─────
+    # This handles PRs whose CI has passed but were never merged because the
+    # state file was cleared (loop restart, killed agent, manual intervention).
+    open_prs = _open_issue_prs()
+    for pr in open_prs:
+        pr_number = pr["number"]
+        pr_url = f"{REPO_URL}/pulls/{pr_number}"
+        head = pr.get("head", {})
+        branch = head.get("ref") or head.get("label", "").split(":")[-1]
+        m = re.match(r"^issue-(\d+)-fix$", branch or "")
+        issue_num = int(m.group(1)) if m else None
+        pr_run = _latest_ci_run_for_pr(pr_number)
+
+        if pr_run and pr_run.get("status") == "running":
+            print(f"Catch-up: CI {_ci_run_url(pr_run['id'])} on PR #{pr_number} still running. Waiting.")
+            _write_state(None, issue_num, "pending-ci")
+            return 0
+
+        if pr_run and pr_run.get("status") in ("failure", "error"):
+            print(f"Catch-up: CI {_ci_run_url(pr_run['id'])} on PR #{pr_number} failed — skipping.")
+            continue
+
+        if pr_run and pr_run.get("status") == "success":
+            print(f"Catch-up: CI passed on PR #{pr_number} ({pr_url}) — merging.")
+            _merge_pr(pr_number)
+            if issue_num:
+                _close_issue(issue_num)
+                print(f"Merged PR #{pr_number} and closed issue #{issue_num}.")
+            else:
+                print(f"Merged PR #{pr_number}.")
+            return 0
+
     # ── 3. Global CI check (agent pushed to main, or no pending issue) ────────
     run = _latest_ci_run()
 

scripts/deploy_playstore.py

@@ -6,19 +6,51 @@ import os
 import sys
 import time
 
-import google_auth_httplib2
-import httplib2
+from google.auth.transport.requests import AuthorizedSession
 from google.oauth2 import service_account
-from googleapiclient.discovery import build
-from googleapiclient.http import MediaFileUpload
 
 PACKAGE_NAME = "de.sharedinbox.mua"
 AAB_PATH = "build/app/outputs/bundle/release/app-release.aab"
 TRACK = "internal"
-_TIMEOUT = 300  # seconds — AAB uploads can be large
+_BASE = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"
+_UPLOAD_BASE = "https://androidpublisher.googleapis.com/upload/androidpublisher/v3/applications"
 _MAX_UPLOAD_ATTEMPTS = 3
 
 
+def _upload_aab_resumable(session, package, edit_id, aab_path):
+    """Upload AAB using the Google resumable upload protocol."""
+    file_size = os.path.getsize(aab_path)
+    init_url = f"{_UPLOAD_BASE}/{package}/edits/{edit_id}/bundles"
+
+    # Step 1: initiate the resumable upload session
+    init_resp = session.post(
+        init_url,
+        params={"uploadType": "resumable"},
+        headers={
+            "X-Upload-Content-Type": "application/octet-stream",
+            "X-Upload-Content-Length": str(file_size),
+            "Content-Length": "0",
+        },
+        timeout=60,
+    )
+    init_resp.raise_for_status()
+    upload_url = init_resp.headers["Location"]
+
+    # Step 2: upload the file in a single PUT to the session URI
+    with open(aab_path, "rb") as f:
+        upload_resp = session.put(
+            upload_url,
+            data=f,
+            headers={
+                "Content-Type": "application/octet-stream",
+                "Content-Length": str(file_size),
+            },
+            timeout=600,
+        )
+    upload_resp.raise_for_status()
+    return upload_resp.json()
+
+
 def main():
     config_json = os.environ.get("PLAY_STORE_CONFIG_JSON")
     if not config_json:
@@ -33,57 +65,47 @@ def main():
         json.loads(config_json),
         scopes=["https://www.googleapis.com/auth/androidpublisher"],
     )
+    session = AuthorizedSession(creds)
 
-    authorized_http = google_auth_httplib2.AuthorizedHttp(
-        creds, http=httplib2.Http(timeout=_TIMEOUT)
-    )
-    service = build("androidpublisher", "v3", http=authorized_http)
+    edit_resp = session.post(f"{_BASE}/{PACKAGE_NAME}/edits", json={}, timeout=30)
+    edit_resp.raise_for_status()
+    edit_id = edit_resp.json()["id"]
 
-    edit = service.edits().insert(body={}, packageName=PACKAGE_NAME).execute(num_retries=3)
-    edit_id = edit["id"]
-
-    # The resumable upload can fail with RedirectMissingLocation on transient
-    # network hiccups. Retry with a fresh MediaFileUpload each time (resumable
-    # uploads can't reuse the same object) using exponential backoff.
-    version_code = None
     last_exc = None
+    bundle = None
     for attempt in range(_MAX_UPLOAD_ATTEMPTS):
         try:
-            media = MediaFileUpload(
-                AAB_PATH, mimetype="application/octet-stream", resumable=True
-            )
-            bundle = (
-                service.edits()
-                .bundles()
-                .upload(packageName=PACKAGE_NAME, editId=edit_id, media_body=media)
-                .execute(num_retries=3)
-            )
-            version_code = bundle["versionCode"]
+            bundle = _upload_aab_resumable(session, PACKAGE_NAME, edit_id, AAB_PATH)
             break
-        except httplib2.error.RedirectMissingLocation as exc:
+        except Exception as exc:
             last_exc = exc
             if attempt < _MAX_UPLOAD_ATTEMPTS - 1:
                 delay = 10 * (2 ** attempt)
                 print(
-                    f"Upload attempt {attempt + 1} failed (redirect error), "
+                    f"Upload attempt {attempt + 1} failed ({type(exc).__name__}: {exc}), "
                     f"retrying in {delay}s…"
                 )
                 time.sleep(delay)
-    else:
+    if bundle is None:
         raise RuntimeError(
             f"AAB upload failed after {_MAX_UPLOAD_ATTEMPTS} attempts"
         ) from last_exc
 
+    version_code = bundle["versionCode"]
     print(f"Uploaded AAB, version code: {version_code}")
 
-    service.edits().tracks().update(
-        packageName=PACKAGE_NAME,
-        editId=edit_id,
-        track=TRACK,
-        body={"releases": [{"versionCodes": [version_code], "status": "completed"}]},
-    ).execute(num_retries=3)
+    track_resp = session.put(
+        f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}/tracks/{TRACK}",
+        json={"releases": [{"versionCodes": [version_code], "status": "completed"}]},
+        timeout=30,
+    )
+    track_resp.raise_for_status()
 
-    service.edits().commit(packageName=PACKAGE_NAME, editId=edit_id).execute(num_retries=3)
+    commit_resp = session.post(
+        f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}:commit",
+        timeout=30,
+    )
+    commit_resp.raise_for_status()
     print(f"Deployed version {version_code} to {TRACK} track")
 
 

scripts/generate_build_history.py

@@ -33,9 +33,6 @@ def list_remote_files(ssh_user: str, ssh_host: str, pattern: str) -> list[str]:
     result = subprocess.run(
         [
             "ssh",
-            "-v",
-            "-o", "StrictHostKeyChecking=no",
-            "-i", "/root/.ssh/id_ed25519",
             f"{ssh_user}@{ssh_host}",
             f"find {REMOTE_BUILDS_DIR} -name '{pattern}' -type f | sort",
         ],

scripts/test_deploy_playstore.py

@@ -1,9 +1,7 @@
 #!/usr/bin/env python3
 """Tests for deploy_playstore.py."""
-import io
 import os
 import sys
-import tempfile
 import unittest
 from pathlib import Path
 from unittest.mock import MagicMock, call, patch
@@ -13,6 +11,35 @@ sys.path.insert(0, str(Path(__file__).parent))
 import deploy_playstore
 
 
+def _make_session(
+    edit_id="edit-42",
+    version_code=7,
+    upload_side_effects=None,
+):
+    """Return a mock AuthorizedSession with sensible defaults."""
+    session = MagicMock()
+
+    # POST /edits → create edit
+    edit_resp = MagicMock()
+    edit_resp.json.return_value = {"id": edit_id}
+    session.post.return_value = edit_resp
+
+    # POST resumable-init → Location header
+    init_resp = MagicMock()
+    init_resp.headers = {"Location": "https://upload.example.com/session"}
+
+    # PUT upload → bundle JSON
+    upload_resp = MagicMock()
+    upload_resp.json.return_value = {"versionCode": version_code}
+
+    if upload_side_effects is not None:
+        # Use side_effect list: first call is edit create, rest are upload inits
+        # We override the PUT side effects via _upload_aab_resumable mock instead
+        pass
+
+    return session, init_resp, upload_resp
+
+
 class TestMainEnvChecks(unittest.TestCase):
     def test_missing_env_exits(self):
         with patch.dict(os.environ, {}, clear=True):
@@ -30,169 +57,143 @@ class TestMainEnvChecks(unittest.TestCase):
 
 
 class TestMainHappyPath(unittest.TestCase):
-    def _run_main(self, fake_config):
-        mock_service = MagicMock()
-        mock_edits = mock_service.edits.return_value
-        mock_edits.insert.return_value.execute.return_value = {"id": "edit-42"}
-        mock_edits.bundles.return_value.upload.return_value.execute.return_value = {
-            "versionCode": 7
-        }
-        mock_edits.tracks.return_value.update.return_value.execute.return_value = {}
-        mock_edits.commit.return_value.execute.return_value = {}
+    def _run_main(self, fake_config='{"type":"service_account"}'):
+        mock_session = MagicMock()
+        # POST for edit create and commit
+        post_responses = [
+            MagicMock(**{"json.return_value": {"id": "edit-42"}}),  # create edit
+            MagicMock(),  # commit
+        ]
+        mock_session.post.side_effect = post_responses
+        # PUT for track update
+        mock_session.put.return_value = MagicMock()
 
         with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": fake_config}):
             with patch("deploy_playstore.os.path.exists", return_value=True):
                 with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp"):
-                        with patch("deploy_playstore.build", return_value=mock_service):
-                            with patch("deploy_playstore.MediaFileUpload"):
-                                deploy_playstore.main()
+                    with patch("deploy_playstore.AuthorizedSession", return_value=mock_session):
+                        with patch(
+                            "deploy_playstore._upload_aab_resumable",
+                            return_value={"versionCode": 7},
+                        ):
+                            deploy_playstore.main()
 
-        return mock_edits
+        return mock_session
 
-    def test_insert_called_with_num_retries(self):
-        edits = self._run_main('{"type":"service_account"}')
-        edits.insert.return_value.execute.assert_called_once_with(num_retries=3)
+    def test_creates_edit(self):
+        session = self._run_main()
+        create_call = session.post.call_args_list[0]
+        self.assertIn("/edits", create_call[0][0])
 
-    def test_bundle_upload_called_with_num_retries(self):
-        edits = self._run_main('{"type":"service_account"}')
-        edits.bundles.return_value.upload.return_value.execute.assert_called_once_with(num_retries=3)
+    def test_commits_edit(self):
+        session = self._run_main()
+        commit_call = session.post.call_args_list[1]
+        self.assertIn(":commit", commit_call[0][0])
 
-    def test_tracks_update_called_with_num_retries(self):
-        edits = self._run_main('{"type":"service_account"}')
-        edits.tracks.return_value.update.return_value.execute.assert_called_once_with(num_retries=3)
-
-    def test_commit_called_with_num_retries(self):
-        edits = self._run_main('{"type":"service_account"}')
-        edits.commit.return_value.execute.assert_called_once_with(num_retries=3)
-
-    def test_authorized_http_uses_timeout(self):
-        fake_config = '{"type":"service_account"}'
-        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": fake_config}):
-            with patch("deploy_playstore.os.path.exists", return_value=True):
-                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.httplib2.Http") as mock_http_cls:
-                        with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp") as mock_auth:
-                            mock_service = MagicMock()
-                            mock_edits = mock_service.edits.return_value
-                            mock_edits.insert.return_value.execute.return_value = {"id": "e1"}
-                            mock_edits.bundles.return_value.upload.return_value.execute.return_value = {
-                                "versionCode": 1
-                            }
-                            mock_edits.tracks.return_value.update.return_value.execute.return_value = {}
-                            mock_edits.commit.return_value.execute.return_value = {}
-                            with patch("deploy_playstore.build", return_value=mock_service):
-                                with patch("deploy_playstore.MediaFileUpload"):
-                                    deploy_playstore.main()
-
-        mock_http_cls.assert_called_once_with(timeout=deploy_playstore._TIMEOUT)
-
-
-def _redirect_error():
-    import httplib2
-    return httplib2.error.RedirectMissingLocation("redirect missing", {}, b"")
+    def test_updates_track(self):
+        session = self._run_main()
+        track_call = session.put.call_args_list[0]
+        self.assertIn("/tracks/", track_call[0][0])
 
 
 class TestUploadRetry(unittest.TestCase):
-    def _make_mock_service(self, upload_side_effects):
-        mock_service = MagicMock()
-        mock_edits = mock_service.edits.return_value
-        mock_edits.insert.return_value.execute.return_value = {"id": "edit-1"}
-        mock_edits.bundles.return_value.upload.return_value.execute.side_effect = (
-            upload_side_effects
-        )
-        mock_edits.tracks.return_value.update.return_value.execute.return_value = {}
-        mock_edits.commit.return_value.execute.return_value = {}
-        return mock_service, mock_edits
+    def _run_main(self, upload_side_effects, sleep_mock=None):
+        mock_session = MagicMock()
+        post_responses = [
+            MagicMock(**{"json.return_value": {"id": "edit-1"}}),
+            MagicMock(),
+        ]
+        mock_session.post.side_effect = post_responses
+        mock_session.put.return_value = MagicMock()
 
-    def _run_with_service(self, mock_service):
-        fake_config = '{"type":"service_account"}'
-        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": fake_config}):
-            with patch("deploy_playstore.os.path.exists", return_value=True):
-                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp"):
-                        with patch("deploy_playstore.build", return_value=mock_service):
-                            with patch("deploy_playstore.MediaFileUpload"):
-                                with patch("deploy_playstore.time.sleep"):
-                                    deploy_playstore.main()
+        patches = [
+            patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}),
+            patch("deploy_playstore.os.path.exists", return_value=True),
+            patch("deploy_playstore.service_account.Credentials.from_service_account_info"),
+            patch("deploy_playstore.AuthorizedSession", return_value=mock_session),
+            patch("deploy_playstore._upload_aab_resumable", side_effect=upload_side_effects),
+            patch("deploy_playstore.time.sleep"),
+        ]
+        for p in patches:
+            p.start()
+        try:
+            deploy_playstore.main()
+        finally:
+            for p in patches:
+                p.stop()
 
     def test_succeeds_on_first_attempt(self):
-        mock_service, mock_edits = self._make_mock_service([{"versionCode": 5}])
-        self._run_with_service(mock_service)
-        mock_edits.bundles.return_value.upload.return_value.execute.assert_called_once_with(
-            num_retries=3
-        )
+        with patch("deploy_playstore._upload_aab_resumable", return_value={"versionCode": 5}) as mock_upload:
+            with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
+                with patch("deploy_playstore.os.path.exists", return_value=True):
+                    with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
+                        mock_session = MagicMock()
+                        mock_session.post.side_effect = [
+                            MagicMock(**{"json.return_value": {"id": "e1"}}),
+                            MagicMock(),
+                        ]
+                        mock_session.put.return_value = MagicMock()
+                        with patch("deploy_playstore.AuthorizedSession", return_value=mock_session):
+                            deploy_playstore.main()
+            mock_upload.assert_called_once()
 
-    def test_retries_once_on_redirect_error_then_succeeds(self):
-        mock_service, mock_edits = self._make_mock_service(
-            [_redirect_error(), {"versionCode": 9}]
-        )
-
-        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
-            with patch("deploy_playstore.os.path.exists", return_value=True):
-                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp"):
-                        with patch("deploy_playstore.build", return_value=mock_service):
-                            with patch("deploy_playstore.MediaFileUpload") as mock_media_cls:
-                                with patch("deploy_playstore.time.sleep") as mock_sleep:
-                                    deploy_playstore.main()
-
-        self.assertEqual(
-            mock_edits.bundles.return_value.upload.return_value.execute.call_count, 2
-        )
-        mock_sleep.assert_called_once_with(10)
-        self.assertEqual(mock_media_cls.call_count, 2)
+    def test_retries_once_on_error_then_succeeds(self):
+        self._run_main([ValueError("transient"), {"versionCode": 9}])
 
     def test_raises_after_all_attempts_exhausted(self):
-        mock_service, _ = self._make_mock_service(
-            [_redirect_error(), _redirect_error(), _redirect_error()]
-        )
-
-        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
-            with patch("deploy_playstore.os.path.exists", return_value=True):
-                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp"):
-                        with patch("deploy_playstore.build", return_value=mock_service):
-                            with patch("deploy_playstore.MediaFileUpload"):
-                                with patch("deploy_playstore.time.sleep"):
-                                    with self.assertRaises(RuntimeError) as ctx:
-                                        deploy_playstore.main()
-
-        self.assertIn(
-            str(deploy_playstore._MAX_UPLOAD_ATTEMPTS), str(ctx.exception)
-        )
+        with self.assertRaises(RuntimeError) as ctx:
+            self._run_main([ValueError("err"), ValueError("err"), ValueError("err")])
+        self.assertIn(str(deploy_playstore._MAX_UPLOAD_ATTEMPTS), str(ctx.exception))
 
     def test_backoff_delays_are_10s_then_20s(self):
-        mock_service, _ = self._make_mock_service(
-            [_redirect_error(), _redirect_error(), {"versionCode": 3}]
-        )
+        mock_session = MagicMock()
+        mock_session.post.side_effect = [
+            MagicMock(**{"json.return_value": {"id": "e1"}}),
+            MagicMock(),
+        ]
+        mock_session.put.return_value = MagicMock()
 
         with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
             with patch("deploy_playstore.os.path.exists", return_value=True):
                 with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp"):
-                        with patch("deploy_playstore.build", return_value=mock_service):
-                            with patch("deploy_playstore.MediaFileUpload"):
-                                with patch("deploy_playstore.time.sleep") as mock_sleep:
-                                    deploy_playstore.main()
+                    with patch("deploy_playstore.AuthorizedSession", return_value=mock_session):
+                        with patch(
+                            "deploy_playstore._upload_aab_resumable",
+                            side_effect=[ValueError("e"), ValueError("e"), {"versionCode": 3}],
+                        ):
+                            with patch("deploy_playstore.time.sleep") as mock_sleep:
+                                deploy_playstore.main()
 
         mock_sleep.assert_has_calls([call(10), call(20)])
 
-    def test_fresh_media_upload_created_on_each_attempt(self):
-        mock_service, _ = self._make_mock_service(
-            [_redirect_error(), {"versionCode": 2}]
-        )
 
-        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
-            with patch("deploy_playstore.os.path.exists", return_value=True):
-                with patch("deploy_playstore.service_account.Credentials.from_service_account_info"):
-                    with patch("deploy_playstore.google_auth_httplib2.AuthorizedHttp"):
-                        with patch("deploy_playstore.build", return_value=mock_service):
-                            with patch("deploy_playstore.MediaFileUpload") as mock_media_cls:
-                                with patch("deploy_playstore.time.sleep"):
-                                    deploy_playstore.main()
+class TestUploadAabResumable(unittest.TestCase):
+    def test_initiates_and_uploads(self):
+        mock_session = MagicMock()
+        init_resp = MagicMock()
+        init_resp.headers = {"Location": "https://upload.example.com/sess"}
+        upload_resp = MagicMock()
+        upload_resp.json.return_value = {"versionCode": 42}
+        mock_session.post.return_value = init_resp
+        mock_session.put.return_value = upload_resp
 
-        self.assertEqual(mock_media_cls.call_count, 2)
+        import tempfile
+        with tempfile.NamedTemporaryFile(delete=False) as f:
+            f.write(b"fake-aab-content")
+            aab_path = f.name
+
+        try:
+            result = deploy_playstore._upload_aab_resumable(
+                mock_session, "com.example.app", "edit-1", aab_path
+            )
+        finally:
+            os.unlink(aab_path)
+
+        self.assertEqual(result["versionCode"], 42)
+        mock_session.post.assert_called_once()
+        mock_session.put.assert_called_once()
+        put_call = mock_session.put.call_args
+        self.assertEqual(put_call[0][0], "https://upload.example.com/sess")
 
 
 if __name__ == "__main__":

test/unit/account_sync_manager_test.dart

@@ -1,6 +1,8 @@
 import 'dart:async';
 
+import 'package:flutter/services.dart' show MissingPluginException;
 import 'package:mockito/annotations.dart';
+import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
@@ -30,6 +32,40 @@ void main() {
     // This is hard to test without real loops, but we can verify it doesn't crash.
     manager.syncNow('unknown');
   });
+
+  // Regression test for issue #200: when flutter_secure_storage throws
+  // MissingPluginException (channel unavailable on the device), the IMAP sync
+  // loop must stop permanently instead of retrying indefinitely with backoff.
+  test(
+      'MissingPluginException from secure storage stops IMAP sync loop permanently',
+      () async {
+    final syncLog = FakeSyncLogRepository();
+
+    final m = AccountSyncManager(
+      _AccountRepositoryWithMissingPlugin(),
+      FakeMailboxRepositoryWithInbox(),
+      FakeEmailRepository(),
+      syncLog: syncLog,
+    );
+
+    m.start();
+
+    // Allow the first sync cycle to run and fail.
+    await Future<void>.delayed(const Duration(milliseconds: 100));
+
+    expect(syncLog.logs, hasLength(1));
+    expect(syncLog.logs.first.success, isFalse);
+
+    // Kicking the loop should have no effect once it has stopped permanently.
+    m.syncNow('1');
+    await Future<void>.delayed(const Duration(milliseconds: 100));
+
+    // Before the fix: kick triggers a retry → 2 log entries.
+    // After the fix: loop is permanently stopped → still exactly 1 entry.
+    expect(syncLog.logs, hasLength(1));
+
+    m.dispose();
+  });
 }
 
 class FakeEmailRepository implements EmailRepository {
@@ -187,3 +223,34 @@ class FakeMailboxRepositoryWithInbox implements MailboxRepository {
   @override
   Future<void> clearForResync(String accountId) async {}
 }
+
+class _AccountRepositoryWithMissingPlugin implements AccountRepository {
+  static const _account = Account(
+    id: '1',
+    displayName: 'Test',
+    email: 'test@example.com',
+  );
+
+  @override
+  Stream<List<Account>> observeAccounts() => Stream.value([_account]);
+
+  @override
+  Future<Account?> getAccount(String id) async => _account;
+
+  @override
+  Future<String> getPassword(String accountId) => Future.error(
+        MissingPluginException(
+          'No implementation found for method read on channel '
+          'plugins.it.nomads.com/flutter_secure_storage',
+        ),
+      );
+
+  @override
+  Future<void> addAccount(Account account, String password) async {}
+
+  @override
+  Future<void> updateAccount(Account account, {String? password}) async {}
+
+  @override
+  Future<void> removeAccount(String id) async {}
+}

test/widget/about_screen_test.dart

@@ -151,6 +151,10 @@ void main() {
     expect(clipboardText, contains('Dark Mode'));
     expect(clipboardText, contains('IMAP Accounts'));
     expect(clipboardText, contains('JMAP Accounts'));
+    expect(
+      clipboardText,
+      contains('[sharedinbox.de](https://sharedinbox.de)'),
+    );
   });
 
   testWidgets('AboutScreen create-issue button opens Codeberg URL', (