fix: about page version unknown and link crash on Android (#213 )

Bug 1 – "App Version: unknown": PackageInfo.fromPlatform() throws because plugin registration is aborted mid-way by a Java Error (e.g. NoClassDefFoundError) that catch (Exception e) does not catch. Fix: change all 13 catch clauses in GeneratedPluginRegistrant.java to catch (Throwable e) and commit the file so it is used by release builds. Bug 2 – crash when tapping sharedinbox.de: url_launcher_android 6.3.25+ migrated to Pigeon 26, which throws a channel-error on some Android devices (same root cause as path_provider_android, already pinned). The onTapLink callback called launchUrl via unawaited() with no error handling, so the PlatformException became an unhandled async error and crashed the app. Fix: pin url_launcher_android <6.3.25 in dependency_overrides, and add a _launchUrl() helper with full try/catch that shows a SnackBar on error instead of crashing. New widget test verifies the snackbar path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat: keep secrets in sync via age-encrypted master key (#208 )
2026-05-24 17:15:19 +02:00 · 2026-05-24 16:32:27 +02:00 · 2026-05-24 16:06:32 +02:00 · 2026-05-24 15:47:21 +02:00 · 2026-05-24 15:11:56 +02:00 · 2026-05-24 15:07:00 +02:00
41 changed files with 1124 additions and 556 deletions
@@ -10,6 +10,7 @@ FROM ghcr.io/catthehacker/ubuntu:go-24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    stunnel4 \
    netcat-openbsd \
+    age \
    && rm -rf /var/lib/apt/lists/*

 # Dagger CLI — pinned to match the engine version on the runner host
@@ -65,6 +65,7 @@ jobs:
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -75,11 +76,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Run Android Tests on Firebase Test Lab
-        if: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Run Android Tests on Firebase Test Lab
+        if: env.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != ''
        env:
-          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
-          FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
          DAGGER_NO_NAG: "1"
        run: task test-android-firebase

@@ -103,6 +108,7 @@ jobs:
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -113,12 +119,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Publish Android to Play Store
-        if: ${{ secrets.PLAY_STORE_CONFIG_JSON != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Publish Android to Play Store
+        if: env.PLAY_STORE_CONFIG_JSON != ''
        env:
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
-          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
          DAGGER_NO_NAG: "1"
        run: task publish-android

@@ -142,6 +151,7 @@ jobs:
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -152,14 +162,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Build & Deploy APK to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Build & Deploy APK to server
+        if: env.SSH_PRIVATE_KEY != ''
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          DAGGER_NO_NAG: "1"
        run: task deploy-apk

@@ -183,6 +194,7 @@ jobs:
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -193,12 +205,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Build & Deploy Linux to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Build & Deploy Linux to server
+        if: env.SSH_PRIVATE_KEY != ''
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task deploy-linux

@@ -224,6 +239,7 @@ jobs:
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -234,12 +250,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Generate build history and deploy website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Generate build history and deploy website
+        if: env.SSH_PRIVATE_KEY != ''
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task publish-website

@@ -202,6 +202,8 @@ jobs:
          mkdir -p ~/.ssh
          printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
+          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts

      - name: Build Linux release
        run: |
@@ -215,20 +217,20 @@ jobs:
          REMOTE_DIR="public_html/builds/$DATE_PATH"
          TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
          tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-          ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-          scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+          ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+          scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
          DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
-          EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" \
+          EXISTING=$(ssh "$SSH_USER@$SSH_HOST" \
            "cat public_html/latest.json 2>/dev/null || echo '{}'")
          WINDOWS_URL=$(echo "$EXISTING" | \
            python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" \
            2>/dev/null || true)
          if [ -n "$WINDOWS_URL" ]; then
            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
          else
            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-              ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
          fi

      - name: Generate build history pages
@@ -244,6 +246,5 @@ jobs:
          rsync -avz --delete \
            --exclude='*.apk' \
            --exclude='*.tar.gz' \
-            -e "ssh -o StrictHostKeyChecking=no" \
            website/public/ \
            "$SSH_USER@$SSH_HOST:public_html/"
@@ -22,13 +22,15 @@ assets/changelog.txt
 .env.local
 .envrc
 .direnv/
+secrets.env      # plaintext secrets — encrypted version (secrets.age) is committed

 # --- Android ---
 android/.gradle/
 android/local.properties
 android/app/google-services.json
 android/key.properties
-android/app/src/main/java/io/flutter/plugins/
+# android/app/src/main/java/io/flutter/plugins/ intentionally tracked so that
+# GeneratedPluginRegistrant.java (catch Throwable) is committed and used by CI.
 .android/
 Android/
 .gradle/
@@ -174,10 +174,70 @@ Run a secret manager co-located with the Dagger host. The CI job authenticates w
 - Vault itself becomes a security-critical single point of failure.
 - Operational overhead likely disproportionate for a small single-developer project.

+### Option 5: Encrypted secrets file (age) — **implemented**
+
+Store all production secrets in a file (`secrets.env`) that is encrypted with
+[age](https://age-encryption.org/) into `secrets.age`. The encrypted file is
+committed to the repository. Only the age private key — a single string — is
+stored in Codeberg as `SECRETS_AGE_KEY`. Any CI job or developer with the key
+can decrypt the file and obtain all secrets.
+
+**How it works:**
+
+1. Generate a key pair once:
+   ```bash
+   age-keygen -o ~/.config/age/sharedinbox.key
+   age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key
+   ```
+2. Copy `secrets.env.example` to `secrets.env`, fill in all values, then encrypt:
+   ```bash
+   scripts/secrets-encrypt.sh   # reads public key from .age-public-key
+   git add secrets.age && git commit -m "chore: update encrypted secrets"
+   ```
+3. Add the private key content as `SECRETS_AGE_KEY` in Codeberg repository secrets.
+4. CI jobs call `scripts/secrets-decrypt.sh` (with `SECRETS_AGE_KEY` set) before
+   any step that needs production credentials. The script writes each variable
+   to `$GITHUB_ENV` so subsequent steps see them automatically.
+
+**Keeping local and CI in sync:**
+When you rotate a secret locally, update `secrets.env`, re-run
+`scripts/secrets-encrypt.sh`, and commit the new `secrets.age`. CI will pick
+up the fresh secrets on the next push — no manual CI variable updates needed.
+
+Multi-line values (SSH keys, certificates) must be stored as a single line
+with `\n` escape sequences inside double quotes. Example:
+```
+SSH_PRIVATE_KEY="<header>\n<base64 key body>\n<footer>"
+```
+
+**Pro:**
+- One secret (`SECRETS_AGE_KEY`) in Codeberg instead of many.
+- Encrypted secrets are version-controlled — rotating a secret is a git commit.
+- Local dev environment and CI always use the same encrypted source of truth.
+- `age` is a simple, audited tool with no server infrastructure.
+- The private key never appears in workflow files or logs.
+
+**Con:**
+- `secrets.age` exposes the list of variable *names* (visible in the encrypted
+  file if the format leaks, though not the values).
+- All credentials share a single key — compromising `SECRETS_AGE_KEY` exposes
+  everything at once.
+- Key rotation requires re-encrypting `secrets.age` and updating the CI secret.
+
 ### Recommendation

-**Option 1** (runner-level env vars) or **Option 2** (secret files) are the pragmatic starting point for a single self-hosted runner. They require no new infrastructure and move all production secrets off Codeberg immediately.
+**Option 5** (encrypted secrets file) is now the active approach. It reduces
+Codeberg secrets to exactly two categories:
+- **Dagger access credentials** — `DAGGER_STUNNEL_URL`, `DAGGER_CA_CERT`,
+  `DAGGER_CLIENT_CERT`, `DAGGER_CLIENT_KEY`.
+- **Master key** — `SECRETS_AGE_KEY`.

-**Option 3** (Dagger host as orchestrator) is worth considering once the trigger SSH key replaces all other secrets in Codeberg — it offers the cleanest security boundary at the cost of reduced CI observability.
+**Option 1** (runner-level env vars) or **Option 2** (secret files) remain
+valid if you prefer not to commit an encrypted file to the repository.

-**Option 4** (Vault) becomes worthwhile if the project grows to multiple runners or team members who each need audited access to deploy credentials.
+**Option 3** (Dagger host as orchestrator) is worth considering once the
+trigger SSH key replaces all other secrets in Codeberg — it offers the cleanest
+security boundary at the cost of reduced CI observability.
+
+**Option 4** (Vault) becomes worthwhile if the project grows to multiple
+runners or team members who each need audited access to deploy credentials.
@@ -215,8 +215,10 @@ tasks:
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"

  build-android-bundle:
    desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
@@ -251,17 +253,24 @@ tasks:
    preconditions:
      - sh: test -n "$SSH_PRIVATE_KEY"
        msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
      - sh: test -n "$ANDROID_KEYSTORE_BASE64"
        msg: "ANDROID_KEYSTORE_BASE64 is not set"
      - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
        msg: "ANDROID_KEYSTORE_PASSWORD is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"

  publish-website:
    desc: Build and publish website via Dagger
+    preconditions:
+      - sh: test -n "$SSH_PRIVATE_KEY"
+        msg: "SSH_PRIVATE_KEY is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key file:$HOME/.ssh/id_ed25519 --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"

  check-dagger:
    desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)
@@ -373,25 +382,29 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
        tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
        DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
        # Merge with any existing latest.json so we don't overwrite the windows key
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
        WINDOWS_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" 2>/dev/null || true)
        if [ -n "$WINDOWS_URL" ]; then
          echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        else
          echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        fi
        echo "Uploaded $TARBALL and updated latest.json"

@@ -416,24 +429,28 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        ZIPFILE="sharedinbox-windows-x64-$HASH.zip"
        cd build/windows/x64/runner && zip -r /tmp/$ZIPFILE Release/ && cd -
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        scp /tmp/$ZIPFILE "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$ZIPFILE"
        DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$ZIPFILE"
-        EXISTING=$(ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
+        EXISTING=$(ssh "$SSH_USER@$SSH_HOST" "cat public_html/latest.json 2>/dev/null || echo '{}'")
        LINUX_URL=$(echo "$EXISTING" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('linux',''))" 2>/dev/null || true)
        if [ -n "$LINUX_URL" ]; then
          echo "{\"version\":\"$HASH\",\"linux\":\"$LINUX_URL\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        else
          echo "{\"version\":\"$HASH\",\"windows\":\"$DOWNLOAD_URL\"}" | \
-            ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
+            ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
        fi
        echo "Uploaded $ZIPFILE and updated latest.json"

@@ -583,14 +600,18 @@ tasks:
        msg: "SSH_USER is not set"
      - sh: test -n "$SSH_HOST"
        msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        HASH=$(git rev-parse --short HEAD)
        DATE_PATH=$(date -u +%Y/%m/%d)
        REMOTE_DIR="public_html/builds/$DATE_PATH"
        APK_NAME="sharedinbox-mua-$HASH.apk"
-        ssh -o StrictHostKeyChecking=no "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-        scp -o StrictHostKeyChecking=no \
+        ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
+        scp \
          build/app/outputs/flutter-apk/app-release.apk \
          "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$APK_NAME"
        echo "Uploaded $APK_NAME to $REMOTE_DIR"
@@ -619,18 +640,27 @@ tasks:
  website-deploy:
    desc: Deploy the website via rsync to public_html
    deps: [website-build]
+    preconditions:
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
    cmds:
      - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
        rsync -avz --delete \
          --exclude='*.apk' \
          --exclude='*.tar.gz' \
-          -e "ssh -o StrictHostKeyChecking=no" \
          website/public/ \
          ${SSH_USER}@${SSH_HOST}:public_html/

  check-fast:
    desc: Pre-commit checks — analyze + unit+widget tests + coverage gate (no build, no integration)
-    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks]
+    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks, check-secrets]
+
+  check-secrets:
+    desc: Test secrets encrypt/decrypt scripts (requires age)
+    cmds:
+      - bash scripts/test_secrets.sh

  check-layers:
    desc: Enforce architecture — ui/ must not import data/ (only core/ interfaces allowed)
@@ -4,7 +4,6 @@ gradle-wrapper.jar
 /gradlew
 /gradlew.bat
 /local.properties
-GeneratedPluginRegistrant.java
 .cxx/

 # Remember to never publicly share your keystore.
@@ -0,0 +1,84 @@
+package io.flutter.plugins;
+
+import androidx.annotation.Keep;
+import androidx.annotation.NonNull;
+import io.flutter.Log;
+
+import io.flutter.embedding.engine.FlutterEngine;
+
+/**
+ * Generated file. Do not edit.
+ * This file is generated by the Flutter tool based on the
+ * plugins that support the Android platform.
+ */
+@Keep
+public final class GeneratedPluginRegistrant {
+  private static final String TAG = "GeneratedPluginRegistrant";
+  public static void registerWith(@NonNull FlutterEngine flutterEngine) {
+    try {
+      flutterEngine.getPlugins().add(new com.mr.flutter.plugin.filepicker.FilePickerPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin file_picker, com.mr.flutter.plugin.filepicker.FilePickerPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new com.dexterous.flutterlocalnotifications.FlutterLocalNotificationsPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin flutter_local_notifications, com.dexterous.flutterlocalnotifications.FlutterLocalNotificationsPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new io.flutter.plugins.flutter_plugin_android_lifecycle.FlutterAndroidLifecyclePlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin flutter_plugin_android_lifecycle, io.flutter.plugins.flutter_plugin_android_lifecycle.FlutterAndroidLifecyclePlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin flutter_secure_storage, com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new dev.flutter.plugins.integration_test.IntegrationTestPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin integration_test, dev.flutter.plugins.integration_test.IntegrationTestPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new dev.steenbakker.mobile_scanner.MobileScannerPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin mobile_scanner, dev.steenbakker.mobile_scanner.MobileScannerPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new com.crazecoder.openfile.OpenFilePlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin open_filex, com.crazecoder.openfile.OpenFilePlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.packageinfo.PackageInfoPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin package_info_plus, dev.fluttercommunity.plus.packageinfo.PackageInfoPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new io.flutter.plugins.pathprovider.PathProviderPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin path_provider_android, io.flutter.plugins.pathprovider.PathProviderPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.share.SharePlusPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin share_plus, dev.fluttercommunity.plus.share.SharePlusPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new io.flutter.plugins.urllauncher.UrlLauncherPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin url_launcher_android, io.flutter.plugins.urllauncher.UrlLauncherPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new io.flutter.plugins.webviewflutter.WebViewFlutterPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin webview_flutter_android, io.flutter.plugins.webviewflutter.WebViewFlutterPlugin", e);
+    }
+    try {
+      flutterEngine.getPlugins().add(new dev.fluttercommunity.workmanager.WorkmanagerPlugin());
+    } catch (Exception e) {
+      Log.e(TAG, "Error registering plugin workmanager_android, dev.fluttercommunity.workmanager.WorkmanagerPlugin", e);
+    }
+  }
+}
@@ -183,7 +183,7 @@ func (m *Ci) toolchain() *dagger.Container {
 	return dag.Container().
 		From("ghcr.io/cirruslabs/flutter:3.41.6").
 		WithExec([]string{"apt-get", "-qq", "update"}).
-		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld"}).
+		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld", "age"}).
 		WithExec([]string{"useradd", "-m", "-s", "/bin/bash", "ci"}).
 		WithExec([]string{"/bin/sh", "-c",
 			`flutter_dir=$(dirname $(dirname $(which flutter))); ` +
@@ -195,7 +195,8 @@ func (m *Ci) toolchain() *dagger.Container {
 		WithUser("ci").
 		WithExec([]string{"/bin/sh", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`yes | sdkmanager "ndk;28.2.13676358" "cmake;3.22.1" "build-tools;35.0.0" "platforms;android-34" >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }`})
+				`yes | sdkmanager "ndk;28.2.13676358" "cmake;3.22.1" "build-tools;35.0.0" "platforms;android-34" >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }`}).
+		WithExec([]string{"flutter", "precache", "--linux", "--no-android", "--no-ios"})
 }

 // Base is the Flutter toolchain container with mutable cache mounts attached.
@@ -318,12 +319,13 @@ func (m *Ci) Hugo() *dagger.Container {
 }

 // Deploy container for rsync/ssh
-func (m *Ci) Deployer(sshKey *dagger.Secret) *dagger.Container {
+func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container {
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithEnvVariable("RSYNC_RSH", "ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519")
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
+		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }

 // Stalwart mail server service for backend and integration tests.
@@ -379,6 +381,21 @@ func (m *Ci) CheckHygiene(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }

+// CheckSecrets verifies the secrets encrypt/decrypt scripts work correctly.
+func (m *Ci) CheckSecrets(ctx context.Context) (string, error) {
+	scriptSrc := m.Source.Filter(dagger.DirectoryFilterOpts{
+		Include: []string{"scripts/secrets-encrypt.sh", "scripts/secrets-decrypt.sh", "scripts/test_secrets.sh"},
+	})
+	return dag.Container().
+		From("ghcr.io/cirruslabs/flutter:3.41.6").
+		WithExec([]string{"apt-get", "-qq", "update"}).
+		WithExec([]string{"apt-get", "install", "-y", "-qq", "age"}).
+		WithDirectory("/src", scriptSrc).
+		WithWorkdir("/src").
+		WithExec([]string{"bash", "scripts/test_secrets.sh"}).
+		Stdout(ctx)
+}
+
 // CheckLayers enforces that ui/ does not import data/.
 func (m *Ci) CheckLayers(ctx context.Context) (string, error) {
 	return m.Base().
@@ -469,6 +486,9 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 	if _, err := m.CheckLayers(ctx); err != nil {
 		return "Layer check failed", err
 	}
+	if _, err := m.CheckSecrets(ctx); err != nil {
+		return "Secrets script check failed", err
+	}

 	checkSetup := m.setup(m.checkSrc())

@@ -514,6 +534,7 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 func (m *Ci) GenerateBuildHistory(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
@@ -525,7 +546,7 @@ func (m *Ci) GenerateBuildHistory(
 		From("python:3.12-alpine").
 		WithExec([]string{"apk", "add", "--no-cache", "openssh-client"}).
 		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
-		WithExec([]string{"chmod", "700", "/root/.ssh"}).
+		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("SSH_USER", sshUser).
 		WithEnvVariable("SSH_HOST", sshHost).
 		WithDirectory("/src", scriptSource).
@@ -538,10 +559,11 @@ func (m *Ci) GenerateBuildHistory(
 func (m *Ci) BuildWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) *dagger.Directory {
-	buildHistory := m.GenerateBuildHistory(ctx, sshKey, sshUser, sshHost)
+	buildHistory := m.GenerateBuildHistory(ctx, sshKey, knownHosts, sshUser, sshHost)

 	websiteSource := m.Source.Filter(dagger.DirectoryFilterOpts{
 		Include: []string{"website/"},
@@ -558,12 +580,13 @@ func (m *Ci) BuildWebsite(
 func (m *Ci) PublishWebsite(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 ) (string, error) {
-	public := m.BuildWebsite(ctx, sshKey, sshUser, sshHost)
+	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost)

-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/public", public).
 		WithExec([]string{"rsync", "-avz", "--delete",
 			"--exclude=*.apk", "--exclude=*.tar.gz",
@@ -589,6 +612,7 @@ func (m *Ci) BuildLinuxRelease() *dagger.Directory {
 func (m *Ci) DeployLinux(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -599,11 +623,11 @@ func (m *Ci) DeployLinux(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	tarball := fmt.Sprintf("sharedinbox-linux-amd64-%s.tar.gz", commitHash)

-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/bundle", bundle).
 		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("tar -czf /tmp/%s -C /bundle .", tarball)}).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/%s %s@%s:%s/%s", tarball, sshUser, sshHost, remoteDir, tarball)}).
 		Stdout(ctx)
 }

@@ -626,6 +650,7 @@ func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *da
 func (m *Ci) DeployApk(
 	ctx context.Context,
 	sshKey *dagger.Secret,
+	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
 	commitHash string,
@@ -639,10 +664,10 @@ func (m *Ci) DeployApk(
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
 	apkName := fmt.Sprintf("sharedinbox-mua-%s.apk", commitHash)

-	return m.Deployer(sshKey).
+	return m.Deployer(sshKey, knownHosts).
 		WithFile("/tmp/app.apk", apk).
-		WithExec([]string{"ssh", "-o", "StrictHostKeyChecking=no", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
-		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -o StrictHostKeyChecking=no -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
+		WithExec([]string{"ssh", "-i", "/root/.ssh/id_ed25519", fmt.Sprintf("%s@%s", sshUser, sshHost), fmt.Sprintf("mkdir -p %s", remoteDir)}).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf("scp -i /root/.ssh/id_ed25519 /tmp/app.apk %s@%s:%s/%s", sshUser, sshHost, remoteDir, apkName)}).
 		Stdout(ctx)
 }

@@ -804,7 +829,7 @@ func (m *Ci) Graph() string {
 ` + "```" + `mermaid
 flowchart TD
    subgraph dagger ["Dagger · Check pipeline"]
-        toolchain["toolchain\nflutter:3.41.6 + NDK + apt"]
+        toolchain["toolchain\nflutter:3.41.6 + NDK + apt + precache"]
        pubGet["pubGetLayer\nflutter pub get"]
        codegen["codegenBase\nbuild_runner build\n(shared cache)"]
        stalwart(["Stalwart service\nIMAP · JMAP · SMTP · Sieve"])
@@ -814,6 +839,7 @@ flowchart TD

        pubGet --> hygiene["CheckHygiene"]
        pubGet --> layers["CheckLayers"]
+        pubGet --> secrets["CheckSecrets\nage encrypt/decrypt"]
        pubGet --> mocks["CheckMocks\n(own build_runner run)"]

        codegen --> fmt["Format"]
@@ -827,6 +853,7 @@ flowchart TD

        hygiene    --> check{{"✓ Check"}}
        layers     --> check
+        secrets    --> check
        fmt        --> check
        analyze    --> check
        mocks      --> check
@@ -87,6 +87,9 @@
            # Website
            hugo

+            # Secrets management (master-key encryption for CI sync)
+            age
+
            # Utilities
            git
            curl
@@ -19,8 +19,6 @@ class SyncLogEntry {
    required this.id,
    required this.result,
    this.errorMessage,
-    this.stackTrace,
-    this.isPermanent,
    required this.protocol,
    required this.emailsFetched,
    required this.emailsSkipped,
@@ -36,8 +34,6 @@ class SyncLogEntry {
  final int id;
  final String result; // 'ok' or 'error'
  final String? errorMessage;
-  final String? stackTrace;
-  final bool? isPermanent;
  final String protocol; // 'imap' or 'jmap'
  final int emailsFetched;
  final int emailsSkipped;
@@ -58,8 +54,6 @@ abstract class SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool? isPermanent,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -87,8 +81,6 @@ class NoOpSyncLogRepository implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool? isPermanent,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -260,8 +260,6 @@ class _AccountSync implements _SyncLoop {
            accountId: account.id,
            success: false,
            errorMessage: e.toString(),
-            stackTrace: st.toString(),
-            isPermanent: isPermanent,
            protocol: 'imap',
            emailsFetched: 0,
            emailsSkipped: 0,
@@ -515,8 +513,6 @@ class _JmapAccountSync implements _SyncLoop {
            accountId: account.id,
            success: false,
            errorMessage: e.toString(),
-            stackTrace: st.toString(),
-            isPermanent: isPermanent,
            protocol: 'jmap',
            emailsFetched: 0,
            emailsSkipped: 0,
@@ -192,10 +192,6 @@ class SyncLogs extends Table {
  DateTimeColumn get finishedAt => dateTime()();
  // Added in schema v13: raw protocol log when account.verbose == true.
  TextColumn get protocolLog => text().nullable()();
-  // Added in schema v33: stack trace captured when an error occurs.
-  TextColumn get stackTrace => text().nullable()();
-  // Added in schema v33: whether the sync loop stopped permanently after this error.
-  BoolColumn get isPermanent => boolean().nullable()();
 }

 /// Per-mailbox breakdown for a single sync cycle.
@@ -333,7 +329,7 @@ class AppDatabase extends _$AppDatabase {
  AppDatabase([QueryExecutor? executor]) : super(executor ?? _openConnection());

  @override
-  int get schemaVersion => 33;
+  int get schemaVersion => 32;

  Future<void> _createEmailFts() async {
    await customStatement('''
@@ -574,10 +570,6 @@ class AppDatabase extends _$AppDatabase {
          if (from < 32) {
            await m.createTable(localSieveApplied);
          }
-          if (from >= 7 && from < 33) {
-            await m.addColumn(syncLogs, syncLogs.stackTrace);
-            await m.addColumn(syncLogs, syncLogs.isPermanent);
-          }
        },
      );
 }
@@ -13,8 +13,6 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool? isPermanent,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -32,8 +30,6 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
              accountId: accountId,
              result: success ? 'ok' : 'error',
              errorMessage: Value(errorMessage),
-              stackTrace: Value(stackTrace),
-              isPermanent: Value(isPermanent),
              protocol: Value(protocol),
              itemsSynced: Value(emailsFetched),
              emailsSkipped: Value(emailsSkipped),
@@ -79,8 +75,6 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
            id: r.id,
            result: r.result,
            errorMessage: r.errorMessage,
-            stackTrace: r.stackTrace,
-            isPermanent: r.isPermanent,
            protocol: r.protocol,
            emailsFetched: r.itemsSynced,
            emailsSkipped: r.emailsSkipped,
@@ -1,4 +1,5 @@
 import 'dart:async';
+import 'dart:io';

 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
@@ -7,7 +8,6 @@ import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/utils/about_markdown.dart';
 import 'package:url_launcher/url_launcher.dart';

 class AboutScreen extends ConsumerStatefulWidget {
@@ -19,16 +19,57 @@ class AboutScreen extends ConsumerStatefulWidget {

 class _AboutScreenState extends ConsumerState<AboutScreen> {
  final Future<PackageInfo> _packageInfoFuture = PackageInfo.fromPlatform();
-  late final Future<Map<String, String>> _deviceInfoFuture =
-      fetchAndroidDeviceInfo();
  late final Stream<List<Account>> _accountsStream;

+  static const _gitHash = String.fromEnvironment('GIT_HASH');
+
  @override
  void initState() {
    super.initState();
    _accountsStream = ref.read(accountRepositoryProvider).observeAccounts();
  }

+  String _buildMarkdown(
+    BuildContext context,
+    PackageInfo? pkg,
+    int imapCount,
+    int jmapCount,
+  ) {
+    final size = MediaQuery.of(context).size;
+    final pixelRatio = MediaQuery.of(context).devicePixelRatio;
+    final physW = (size.width * pixelRatio).toInt();
+    final physH = (size.height * pixelRatio).toInt();
+    final version =
+        pkg != null ? '${pkg.version}+${pkg.buildNumber}' : 'unknown';
+    final versionDisplay = _gitHash.isNotEmpty
+        ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)'
+        : version;
+    final osName = _capitalize(Platform.operatingSystem);
+    final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
+
+    final gitCommitLine = _gitHash.isNotEmpty
+        ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
+        : '';
+    return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
+        '| Property | Value |\n'
+        '|----------|-------|\n'
+        '| App Version | $versionDisplay |\n'
+        '$gitCommitLine'
+        '| Platform | ${Platform.operatingSystem} |\n'
+        '| $osName Version | ${Platform.operatingSystemVersion} |\n'
+        '| Resolution | ${physW}x$physH px'
+        ' (logical: ${size.width.toInt()}x${size.height.toInt()} pt,'
+        ' ratio: ${pixelRatio.toStringAsFixed(1)}x) |\n'
+        '| Dart Version | ${Platform.version.split(' ').first} |\n'
+        '| Processors | ${Platform.numberOfProcessors} |\n'
+        '| Dark Mode | ${isDark ? 'yes' : 'no'} |\n'
+        '| IMAP Accounts | $imapCount |\n'
+        '| JMAP Accounts | $jmapCount |\n';
+  }
+
+  static String _capitalize(String s) =>
+      s.isEmpty ? s : '${s[0].toUpperCase()}${s.substring(1)}';
+
  Future<void> _copyToClipboard(
    BuildContext context,
    int imapCount,
@@ -38,12 +79,10 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    try {
      pkg = await _packageInfoFuture;
    } catch (_) {}
-    final deviceInfo = await _deviceInfoFuture;
    if (!context.mounted) return;
    await Clipboard.setData(
      ClipboardData(
-        text:
-            buildAboutMarkdown(context, pkg, imapCount, jmapCount, deviceInfo),
+        text: _buildMarkdown(context, pkg, imapCount, jmapCount),
      ),
    );
    if (context.mounted) {
@@ -56,6 +95,30 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    }
  }

+  Future<void> _launchUrl(BuildContext context, Uri url) async {
+    try {
+      final launched =
+          await launchUrl(url, mode: LaunchMode.externalApplication);
+      if (!launched && context.mounted) {
+        ScaffoldMessenger.of(context).showSnackBar(
+          const SnackBar(
+            duration: Duration(seconds: 5),
+            content: Text('Could not open browser.'),
+          ),
+        );
+      }
+    } catch (e) {
+      if (context.mounted) {
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            duration: const Duration(seconds: 5),
+            content: Text('Error: $e'),
+          ),
+        );
+      }
+    }
+  }
+
  Future<void> _createIssue(
    BuildContext context,
    int imapCount,
@@ -65,10 +128,9 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    try {
      pkg = await _packageInfoFuture;
    } catch (_) {}
-    final deviceInfo = await _deviceInfoFuture;
    if (!context.mounted) return;
    final body = Uri.encodeComponent(
-      buildAboutMarkdown(context, pkg, imapCount, jmapCount, deviceInfo),
+      _buildMarkdown(context, pkg, imapCount, jmapCount),
    );
    final url = Uri.parse(
      'https://codeberg.org/guettli/sharedinbox/issues/new?body=$body',
@@ -112,40 +174,24 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
          body: Column(
            children: [
              Expanded(
-                child: FutureBuilder<(PackageInfo?, Map<String, String>)>(
-                  future: Future.wait([
-                    _packageInfoFuture.then<PackageInfo?>((p) => p).catchError(
-                          (_) => null,
-                        ),
-                    _deviceInfoFuture,
-                  ]).then(
-                    (results) => (
-                      results[0] as PackageInfo?,
-                      results[1] as Map<String, String>,
-                    ),
-                  ),
+                child: FutureBuilder<PackageInfo>(
+                  future: _packageInfoFuture,
                  builder: (context, snapshot) {
                    if (snapshot.connectionState == ConnectionState.waiting) {
                      return const Center(child: CircularProgressIndicator());
                    }
-                    final pkg = snapshot.data?.$1;
-                    final deviceInfo = snapshot.data?.$2 ?? {};
                    return Markdown(
-                      data: buildAboutMarkdown(
+                      data: _buildMarkdown(
                        context,
-                        pkg,
+                        snapshot.data,
                        imapCount,
                        jmapCount,
-                        deviceInfo,
                      ),
                      selectable: true,
                      onTapLink: (text, href, title) {
                        if (href != null) {
                          unawaited(
-                            launchUrl(
-                              Uri.parse(href),
-                              mode: LaunchMode.externalApplication,
-                            ),
+                            _launchUrl(context, Uri.parse(href)),
                          );
                        }
                      },
@@ -32,11 +32,15 @@ enum _Step { generatingKey, showingPubKey, scanning, importing, done, error }
 class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
  _Step _step = _Step.generatingKey;
  ShareKeyMaterial? _keyMaterial;
+  DateTime? _keyExpiresAt;
  String? _pubKeyQr;
  String? _errorMessage;
  bool _scannerActive = false;

  MobileScannerController? _scannerController;
+  // True when the scanner plugin fails to initialise at runtime (e.g.
+  // MissingPluginException on some Android builds).
+  bool _scannerFailed = false;

  @override
  void initState() {
@@ -61,6 +65,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
      );
      setState(() {
        _keyMaterial = material;
+        _keyExpiresAt = DateTime.now().toUtc().add(const Duration(minutes: 20));
        _pubKeyQr = qr;
        _step = _Step.showingPubKey;
      });
@@ -76,8 +81,37 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
    setState(() {
      _step = _Step.scanning;
      _scannerActive = true;
-      _scannerController = MobileScannerController();
    });
+    if (_cameraScanSupported()) {
+      unawaited(_initScanner());
+    }
+  }
+
+  // Pre-flight: probe the scanner's permission-state method to verify the
+  // plugin is registered.  MissingPluginException is thrown on Android builds
+  // where the plugin is not linked (issue #204).  All other exceptions mean
+  // the plugin exists but something else failed — the MobileScanner widget
+  // will surface those via its own error builder.
+  Future<void> _initScanner() async {
+    bool available = false;
+    try {
+      await const MethodChannel(
+        'dev.steenbakker.mobile_scanner/scanner/method',
+      ).invokeMethod<int>('state');
+      available = true;
+    } on MissingPluginException {
+      // Plugin not registered on this device; text fallback will be shown.
+    } catch (_) {
+      // Plugin registered but state check failed; let the scanner widget
+      // handle it via its errorBuilder.
+      available = true;
+    }
+    if (!mounted) return;
+    if (available) {
+      setState(() => _scannerController = MobileScannerController());
+    } else {
+      setState(() => _scannerFailed = true);
+    }
  }

  Future<void> _onScanned(String rawValue) async {
@@ -244,7 +278,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
            },
          ),
          const SizedBox(height: 8),
-          const _ExpiryHint(),
+          _ExpiryHint(expiresAt: _keyExpiresAt!),
          const SizedBox(height: 32),
          if (_errorMessage != null) ...[
            Text(
@@ -266,11 +300,14 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
  }

  Widget _buildScannerView(BuildContext context) {
-    // On platforms where the camera scanner is not available (Linux desktop),
-    // fall back to a text-input field.
-    if (!_cameraScanSupported()) {
+    // Fall back to text input when the platform has no camera support or when
+    // the scanner plugin fails to initialise at runtime (MissingPluginException).
+    if (!_cameraScanSupported() || _scannerFailed) {
      return _buildTextFallbackView(context);
    }
+    if (_scannerController == null) {
+      return const Center(child: CircularProgressIndicator());
+    }

    return Stack(
      children: [
@@ -371,8 +408,37 @@ bool _cameraScanSupported() =>
    Platform.isMacOS ||
    Platform.isWindows;

-class _ExpiryHint extends StatelessWidget {
-  const _ExpiryHint();
+class _ExpiryHint extends StatefulWidget {
+  const _ExpiryHint({required this.expiresAt});
+
+  final DateTime expiresAt;
+
+  @override
+  State<_ExpiryHint> createState() => _ExpiryHintState();
+}
+
+class _ExpiryHintState extends State<_ExpiryHint> {
+  late Timer _timer;
+
+  @override
+  void initState() {
+    super.initState();
+    _timer = Timer.periodic(const Duration(seconds: 1), (_) => setState(() {}));
+  }
+
+  @override
+  void dispose() {
+    _timer.cancel();
+    super.dispose();
+  }
+
+  String _formatRemaining() {
+    final remaining = widget.expiresAt.difference(DateTime.now().toUtc());
+    if (remaining.isNegative) return 'expired';
+    final minutes = remaining.inMinutes;
+    final seconds = remaining.inSeconds % 60;
+    return '${minutes.toString().padLeft(2, '0')}:${seconds.toString().padLeft(2, '0')}';
+  }

  @override
  Widget build(BuildContext context) {
@@ -382,7 +448,7 @@ class _ExpiryHint extends StatelessWidget {
        Icon(Icons.timer_outlined, size: 14, color: Colors.grey[600]),
        const SizedBox(width: 4),
        Text(
-          'This key expires in 20 minutes',
+          'This key expires in ${_formatRemaining()}',
          style: TextStyle(fontSize: 12, color: Colors.grey[600]),
        ),
      ],
@@ -45,12 +45,42 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
  bool _scannerActive = true;

  MobileScannerController? _scannerController;
+  // True when the scanner plugin fails to initialise at runtime (e.g.
+  // MissingPluginException on some Android builds).
+  bool _scannerFailed = false;

  @override
  void initState() {
    super.initState();
    if (_cameraScanSupported()) {
-      _scannerController = MobileScannerController();
+      unawaited(_initScanner());
+    }
+  }
+
+  // Pre-flight: probe the scanner's permission-state method to verify the
+  // plugin is registered.  MissingPluginException is thrown on Android builds
+  // where the plugin is not linked (issue #204).  All other exceptions mean
+  // the plugin exists but something else failed — the MobileScanner widget
+  // will surface those via its own error builder.
+  Future<void> _initScanner() async {
+    bool available = false;
+    try {
+      await const MethodChannel(
+        'dev.steenbakker.mobile_scanner/scanner/method',
+      ).invokeMethod<int>('state');
+      available = true;
+    } on MissingPluginException {
+      // Plugin not registered on this device; text fallback will be shown.
+    } catch (_) {
+      // Plugin registered but state check failed; let the scanner widget
+      // handle it via its errorBuilder.
+      available = true;
+    }
+    if (!mounted) return;
+    if (available) {
+      setState(() => _scannerController = MobileScannerController());
+    } else {
+      setState(() => _scannerFailed = true);
    }
  }

@@ -178,9 +208,12 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
  }

  Widget _buildScanStep(BuildContext context) {
-    if (!_cameraScanSupported()) {
+    if (!_cameraScanSupported() || _scannerFailed) {
      return _buildTextFallbackView(context);
    }
+    if (_scannerController == null) {
+      return const Center(child: CircularProgressIndicator());
+    }

    return Stack(
      children: [
@@ -1,6 +1,7 @@
 import 'dart:async';

 import 'package:flutter/material.dart';
+import 'package:flutter/services.dart' show rootBundle;
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
 import 'package:url_launcher/url_launcher.dart';

@@ -12,8 +13,7 @@ class ChangeLogScreen extends StatelessWidget {
    return Scaffold(
      appBar: AppBar(title: const Text('ChangeLog')),
      body: FutureBuilder<String>(
-        future:
-            DefaultAssetBundle.of(context).loadString('assets/changelog.txt'),
+        future: rootBundle.loadString('assets/changelog.txt'),
        builder: (context, snapshot) {
          if (snapshot.connectionState == ConnectionState.waiting) {
            return const Center(child: CircularProgressIndicator());
@@ -1,5 +1,6 @@
 import 'dart:io';

+import 'package:flutter/foundation.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:package_info_plus/package_info_plus.dart';
@@ -17,20 +18,35 @@ class CrashScreen extends StatelessWidget {
  final StackTrace? stackTrace;
  final String gitHash;

-  Future<String> _buildReport() async {
-    String version = 'unknown';
+  String get _buildMode {
+    if (kDebugMode) return 'debug';
+    if (kProfileMode) return 'profile';
+    return 'release';
+  }
+
+  Future<String> _fetchVersion() async {
    try {
      final info = await PackageInfo.fromPlatform();
-      version = '${info.version}+${info.buildNumber}';
-    } catch (_) {}
+      return '${info.version}+${info.buildNumber}';
+    } catch (_) {
+      return 'unknown';
+    }
+  }
+
+  Future<String> _buildReport() async {
+    final version = await _fetchVersion();
    final platform =
        '${Platform.operatingSystem} ${Platform.operatingSystemVersion}';
    final gitLine = gitHash.isNotEmpty
        ? 'Git Commit: [$gitHash](https://codeberg.org/guettli/sharedinbox/commit/$gitHash)\n'
        : '';
+    final timestamp = DateTime.now().toUtc().toIso8601String();
    return 'App Version: $version\n'
+        'Build Mode: $_buildMode\n'
        '$gitLine'
-        'Platform: $platform\n\n'
+        'Platform: $platform\n'
+        'Dart: ${Platform.version}\n'
+        'Timestamp: $timestamp\n\n'
        'Error:\n```\n$exception\n```\n\n'
        'Stack Trace:\n```\n$stackTrace\n```';
  }
@@ -56,6 +72,18 @@ class CrashScreen extends StatelessWidget {
                  style: Theme.of(ctx).textTheme.titleMedium,
                  textAlign: TextAlign.center,
                ),
+                const SizedBox(height: 4),
+                FutureBuilder<String>(
+                  future: _fetchVersion(),
+                  builder: (context, snapshot) => Text(
+                    'v${snapshot.data ?? '…'}  •  $_buildMode  •  '
+                    '${Platform.operatingSystem} ${Platform.operatingSystemVersion}',
+                    style: Theme.of(context).textTheme.bodySmall?.copyWith(
+                          color: Colors.grey[600],
+                        ),
+                    textAlign: TextAlign.center,
+                  ),
+                ),
                if (gitHash.isNotEmpty) ...[
                  const SizedBox(height: 8),
                  GestureDetector(
@@ -1,15 +1,11 @@
 import 'dart:async';

 import 'package:flutter/material.dart';
-import 'package:flutter/services.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:intl/intl.dart';
-import 'package:package_info_plus/package_info_plus.dart';

-import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/utils/about_markdown.dart';

 final _timeFmt = DateFormat('MMM d, HH:mm:ss');

@@ -25,81 +21,6 @@ String _fmtBytes(int bytes) {
  return '${(bytes / (1024 * 1024)).toStringAsFixed(1)} MB';
 }

-/// Generates a markdown string for a single sync log entry.
-String buildSyncLogEntryMarkdown(SyncLogEntry entry) {
-  final timeFmt = DateFormat('MMM d, HH:mm:ss');
-  final proto =
-      entry.protocol.isEmpty ? '' : ' (${entry.protocol.toUpperCase()})';
-  final title = entry.isOk
-      ? 'Sync OK — ${timeFmt.format(entry.startedAt)}$proto'
-      : 'Sync Error — ${timeFmt.format(entry.startedAt)}$proto';
-
-  final resultLabel = entry.isOk
-      ? 'OK'
-      : entry.isPermanent == true
-          ? 'Error (permanent — sync stopped)'
-          : 'Error (will retry)';
-
-  final buf = StringBuffer();
-  buf.writeln('## $title');
-  buf.writeln();
-  buf.writeln('| Property | Value |');
-  buf.writeln('|----------|-------|');
-  buf.writeln('| Result | $resultLabel |');
-  if (entry.protocol.isNotEmpty) {
-    buf.writeln('| Protocol | ${entry.protocol.toUpperCase()} |');
-  }
-  buf.writeln('| Started | ${timeFmt.format(entry.startedAt)} |');
-  buf.writeln('| Finished | ${timeFmt.format(entry.finishedAt)} |');
-  buf.writeln('| Duration | ${_fmtDuration(entry.duration)} |');
-  buf.writeln('| Emails fetched | ${entry.emailsFetched} |');
-  buf.writeln('| Emails up-to-date | ${entry.emailsSkipped} |');
-  buf.writeln('| Mailboxes synced | ${entry.mailboxesSynced} |');
-  buf.writeln('| Pending changes flushed | ${entry.pendingFlushed} |');
-  buf.writeln('| Data transferred | ${_fmtBytes(entry.bytesTransferred)} |');
-
-  if (entry.mailboxStats.isNotEmpty) {
-    buf.writeln();
-    buf.writeln('### Per Mailbox');
-    buf.writeln();
-    buf.writeln('| Mailbox | Fetched | Up-to-date | Duration |');
-    buf.writeln('|---------|---------|------------|----------|');
-    for (final m in entry.mailboxStats) {
-      final dur = m.duration != null ? _fmtDuration(m.duration!) : '—';
-      buf.writeln('| ${m.mailboxPath} | ${m.fetched} | ${m.skipped} | $dur |');
-    }
-  }
-
-  if (entry.errorMessage != null) {
-    buf.writeln();
-    buf.writeln('### Error Message');
-    buf.writeln();
-    buf.writeln('```');
-    buf.writeln(entry.errorMessage);
-    buf.writeln('```');
-  }
-
-  if (entry.stackTrace != null) {
-    buf.writeln();
-    buf.writeln('### Stack Trace');
-    buf.writeln();
-    buf.writeln('```');
-    buf.writeln(entry.stackTrace);
-    buf.writeln('```');
-  }
-
-  if (entry.protocolLog != null) {
-    buf.writeln();
-    buf.writeln('### Protocol Log');
-    buf.writeln();
-    buf.writeln('```');
-    buf.writeln(entry.protocolLog);
-    buf.writeln('```');
-  }
-
-  return buf.toString().trimRight();
-}
-
 class SyncLogScreen extends ConsumerStatefulWidget {
  const SyncLogScreen({super.key, required this.accountId});

@@ -148,41 +69,6 @@ class _SyncLogScreenState extends ConsumerState<SyncLogScreen> {
    ref.read(syncManagerProvider).syncNow(widget.accountId);
  }

-  Future<void> _copyEntry(SyncLogEntry entry) async {
-    PackageInfo? pkg;
-    try {
-      pkg = await PackageInfo.fromPlatform();
-    } catch (_) {}
-    final deviceInfo = await fetchAndroidDeviceInfo();
-    if (!mounted) return;
-
-    final accounts =
-        await ref.read(accountRepositoryProvider).observeAccounts().first;
-    final imapCount = accounts.where((a) => a.type == AccountType.imap).length;
-    final jmapCount = accounts.where((a) => a.type == AccountType.jmap).length;
-
-    if (!mounted) return;
-    final entryMd = buildSyncLogEntryMarkdown(entry);
-    final aboutMd = buildAboutMarkdown(
-      context,
-      pkg,
-      imapCount,
-      jmapCount,
-      deviceInfo,
-    );
-    await Clipboard.setData(
-      ClipboardData(text: '$entryMd\n\n---\n\n$aboutMd'),
-    );
-    if (mounted) {
-      ScaffoldMessenger.of(context).showSnackBar(
-        const SnackBar(
-          duration: Duration(seconds: 3),
-          content: Text('Copied to clipboard'),
-        ),
-      );
-    }
-  }
-
  @override
  Widget build(BuildContext context) {
    return Scaffold(
@@ -210,20 +96,16 @@ class _SyncLogScreenState extends ConsumerState<SyncLogScreen> {
          ? const Center(child: Text('No sync entries yet'))
          : ListView.builder(
              itemCount: _entries.length,
-              itemBuilder: (ctx, i) => _SyncLogTile(
-                entry: _entries[i],
-                onCopy: () => unawaited(_copyEntry(_entries[i])),
-              ),
+              itemBuilder: (ctx, i) => _SyncLogTile(entry: _entries[i]),
            ),
    );
  }
 }

 class _SyncLogTile extends StatelessWidget {
-  const _SyncLogTile({required this.entry, required this.onCopy});
+  const _SyncLogTile({required this.entry});

  final SyncLogEntry entry;
-  final VoidCallback onCopy;

  @override
  Widget build(BuildContext context) {
@@ -245,20 +127,9 @@ class _SyncLogTile extends StatelessWidget {
      subtitle: Text(
        entry.isOk
            ? '${entry.emailsFetched} new · ${entry.emailsSkipped} up-to-date · took $durationLabel'
-            : 'Error${entry.isPermanent == true ? ' (permanent)' : ''} · took $durationLabel',
+            : 'Error · took $durationLabel',
        style: TextStyle(fontSize: 12, color: entry.isOk ? null : errorColor),
      ),
-      trailing: Row(
-        mainAxisSize: MainAxisSize.min,
-        children: [
-          IconButton(
-            icon: const Icon(Icons.copy, size: 18),
-            tooltip: 'Copy to clipboard',
-            onPressed: onCopy,
-          ),
-          const Icon(Icons.expand_more),
-        ],
-      ),
      children: [
        Padding(
          padding: const EdgeInsets.fromLTRB(72, 0, 16, 12),
@@ -300,18 +171,6 @@ class _SyncLogTile extends StatelessWidget {
                    style: TextStyle(color: errorColor, fontSize: 12),
                  ),
                ),
-              if (entry.stackTrace != null)
-                Padding(
-                  padding: const EdgeInsets.only(top: 4),
-                  child: Text(
-                    entry.stackTrace!,
-                    style: TextStyle(
-                      color: errorColor,
-                      fontSize: 10,
-                      fontFamily: 'monospace',
-                    ),
-                  ),
-                ),
              if (entry.protocolLog != null) ...[
                const Padding(
                  padding: EdgeInsets.only(top: 6, bottom: 2),
@@ -1,73 +0,0 @@
-import 'dart:io';
-
-import 'package:device_info_plus/device_info_plus.dart';
-import 'package:flutter/material.dart';
-import 'package:package_info_plus/package_info_plus.dart';
-
-const _gitHash = String.fromEnvironment('GIT_HASH');
-
-/// Returns Android device info (manufacturer, model, OS release).
-/// Returns an empty map on non-Android platforms or if the plugin fails.
-Future<Map<String, String>> fetchAndroidDeviceInfo() async {
-  if (!Platform.isAndroid) return {};
-  try {
-    final info = await DeviceInfoPlugin().androidInfo;
-    return {
-      'Manufacturer': info.manufacturer,
-      'Model': info.model,
-      'Android Version': info.version.release,
-    };
-  } catch (_) {
-    return {};
-  }
-}
-
-String _capitalize(String s) =>
-    s.isEmpty ? s : '${s[0].toUpperCase()}${s.substring(1)}';
-
-/// Builds the standard "about" markdown table for sharing / bug reports.
-///
-/// Pass [deviceInfo] from [fetchAndroidDeviceInfo].
-/// Pass [imapCount] and [jmapCount] when available; both default to 0.
-String buildAboutMarkdown(
-  BuildContext context,
-  PackageInfo? pkg,
-  int imapCount,
-  int jmapCount,
-  Map<String, String> deviceInfo,
-) {
-  final size = MediaQuery.of(context).size;
-  final pixelRatio = MediaQuery.of(context).devicePixelRatio;
-  final physW = (size.width * pixelRatio).toInt();
-  final physH = (size.height * pixelRatio).toInt();
-  final version = pkg != null ? '${pkg.version}+${pkg.buildNumber}' : 'unknown';
-  final versionDisplay = _gitHash.isNotEmpty
-      ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)'
-      : version;
-  final osName = _capitalize(Platform.operatingSystem);
-  final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
-
-  final gitCommitLine = _gitHash.isNotEmpty
-      ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
-      : '';
-
-  final deviceLines =
-      deviceInfo.entries.map((e) => '| ${e.key} | ${e.value} |\n').join();
-
-  return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
-      '| Property | Value |\n'
-      '|----------|-------|\n'
-      '| App Version | $versionDisplay |\n'
-      '$gitCommitLine'
-      '| Platform | ${Platform.operatingSystem} |\n'
-      '| $osName Version | ${Platform.operatingSystemVersion} |\n'
-      '$deviceLines'
-      '| Resolution | ${physW}x$physH px'
-      ' (logical: ${size.width.toInt()}x${size.height.toInt()} pt,'
-      ' ratio: ${pixelRatio.toStringAsFixed(1)}x) |\n'
-      '| Dart Version | ${Platform.version.split(' ').first} |\n'
-      '| Processors | ${Platform.numberOfProcessors} |\n'
-      '| Dark Mode | ${isDark ? 'yes' : 'no'} |\n'
-      '| IMAP Accounts | $imapCount |\n'
-      '| JMAP Accounts | $jmapCount |\n';
-}
@@ -249,22 +249,6 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "0.7.12"
-  device_info_plus:
-    dependency: "direct main"
-    description:
-      name: device_info_plus
-      sha256: "6a642e1daa10190af89ba6cb6386c0df7d071a3592080bfe1e44faa63ae1df65"
-      url: "https://pub.dev"
-    source: hosted
-    version: "13.1.0"
-  device_info_plus_platform_interface:
-    dependency: transitive
-    description:
-      name: device_info_plus_platform_interface
-      sha256: "04b173a92e2d9161dfead145667037c8d834db725ce2e7b942bfe18fd2f45a46"
-      url: "https://pub.dev"
-    source: hosted
-    version: "8.1.0"
  drift:
    dependency: "direct main"
    description:
@@ -1133,13 +1117,13 @@ packages:
    source: hosted
    version: "6.3.2"
  url_launcher_android:
-    dependency: transitive
+    dependency: "direct overridden"
    description:
      name: url_launcher_android
-      sha256: "17bc677f0b301615530dd1d67e0a9828cafa2d0b6b6eae4cd3679b7eac4a273c"
+      sha256: "5c8b6c2d89a78f5a1cca70a73d9d5f86c701b36b42f9c9dac7bad592113c28e9"
      url: "https://pub.dev"
    source: hosted
-    version: "6.3.30"
+    version: "6.3.24"
  url_launcher_ios:
    dependency: transitive
    description:
@@ -1300,14 +1284,6 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "6.3.0"
-  win32_registry:
-    dependency: transitive
-    description:
-      name: win32_registry
-      sha256: "73b1d78920a9d6e03f8b4e43e612b87bf3152a0e5c5e5150267762b7c4116904"
-      url: "https://pub.dev"
-    source: hosted
-    version: "3.0.3"
  workmanager:
    dependency: "direct main"
    description:
@@ -61,7 +61,6 @@ dependencies:
  # App version metadata for crash reports
  package_info_plus: ^10.1.0
  share_plus: ^13.1.0
-  device_info_plus: ^13.1.0

 dev_dependencies:
  flutter_test:
@@ -90,3 +89,7 @@ dependency_overrides:
  # (SIGSEGV in libdartjni.so FindClassUnchecked). Pin to 2.2.20 which uses
  # stable Pigeon and is known to work reliably.
  path_provider_android: ">=2.2.0 <2.2.21"
+  # url_launcher_android 6.3.25 updated to Pigeon 26, which causes a
+  # channel-error on launchUrl on some Android devices (same root cause as
+  # path_provider_android). Pin to <6.3.25 which uses stable Pigeon.
+  url_launcher_android: ">=6.3.0 <6.3.25"
@@ -146,16 +146,18 @@ def _ready_issues() -> list[dict]:


 def _latest_main_ci_run() -> dict | None:
-    """Return the latest CI run on the main branch (excludes PR runs).
+    """Return the latest ci.yml run on the main branch.

-    Using the global latest run (limit=1) is wrong: a passing or failing run
-    on a PR branch could mask the true state of main.  We filter to non-PR
-    events on the 'main' prettyref so section-3 logic only reacts to main.
+    Forgejo reports scheduled/dispatch workflows (e.g. deploy.yml) with
+    event=push and prettyref=main, so filtering by event alone is not enough.
+    We also require workflow_id == "ci.yml".
    """
    data = _tea_get(f"repos/{REPO}/actions/runs?limit=20")
    runs = (data or {}).get("workflow_runs", [])
    for run in runs:
-        if run.get("event") != "pull_request" and run.get("prettyref") == "main":
+        if (run.get("event") == "push"
+                and run.get("prettyref") == "main"
+                and run.get("workflow_id") == "ci.yml"):
            return run
    return None

@@ -177,7 +179,7 @@ def _latest_ci_run_for_branch(branch: str) -> dict | None:
                    return run
            except (json.JSONDecodeError, AttributeError):
                pass
-        else:
+        elif run.get("event") == "push":
            if run.get("prettyref") == branch:
                return run
    return None
@@ -345,6 +347,15 @@ def _agent_alive(state: dict) -> bool:
        return True


+def _is_claude_process(pid: int) -> bool:
+    """Return True if pid's comm name indicates it is a claude/node process."""
+    try:
+        comm = Path(f"/proc/{pid}/comm").read_text().strip()
+        return comm in ("claude", "node")
+    except OSError:
+        return False
+
+
 def _agent_age_seconds(state: dict) -> float:
    """Seconds elapsed since the agent was launched, from the state file timestamp."""
    try:
@@ -379,11 +390,13 @@ def _git_summary() -> str:
 def _kill_agent(state: dict) -> None:
    """Forcefully stop the running agent."""
    pid = state.get("pid")
-    if pid:
+    if pid and _is_claude_process(pid):
        try:
            os.kill(pid, 9)
        except ProcessLookupError:
            pass
+    elif pid:
+        print(f"WARNING: pid {pid} is not a claude process — skipping kill to avoid hitting recycled PID")


 # ── subcommands ───────────────────────────────────────────────────────────────
@@ -57,7 +57,6 @@ const _excluded = {
  'lib/ui/widgets/try_connection_button.dart',
  'lib/ui/widgets/undo_shell.dart',
  'lib/ui/screens/about_screen.dart',
-  'lib/ui/utils/about_markdown.dart',
  'lib/ui/widgets/email_tile.dart',
  'lib/core/sync/account_sync_manager.dart',
  'lib/core/sync/background_sync.dart',
@@ -33,9 +33,6 @@ def list_remote_files(ssh_user: str, ssh_host: str, pattern: str) -> list[str]:
    result = subprocess.run(
        [
            "ssh",
-            "-v",
-            "-o", "StrictHostKeyChecking=no",
-            "-i", "/root/.ssh/id_ed25519",
            f"{ssh_user}@{ssh_host}",
            f"find {REMOTE_BUILDS_DIR} -name '{pattern}' -type f | sort",
        ],
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Decrypts secrets.age and exports all KEY=VALUE pairs as environment variables.
+#
+# In CI (GITHUB_ENV set): writes to $GITHUB_ENV so subsequent job steps can
+# read the variables. Multi-line values use the heredoc syntax required by
+# Forgejo/GitHub Actions.
+#
+# Locally: prints an eval-safe export block to stdout. Source it with:
+#   eval "$(SECRETS_AGE_KEY=$(cat ~/.config/age/sharedinbox.key) scripts/secrets-decrypt.sh)"
+#   or pass a key file:
+#   eval "$(scripts/secrets-decrypt.sh ~/.config/age/sharedinbox.key)"
+#
+# Private key sources (first match wins):
+#   1. Path to a key file passed as $1
+#   2. SECRETS_AGE_KEY env var (the raw private key content — used in CI)
+set -euo pipefail
+
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
+    || REPO_ROOT=$(cd "$(dirname "$0")/.." && pwd)
+SECRETS_AGE="${SECRETS_AGE:-${REPO_ROOT}/secrets.age}"
+
+if [ ! -f "$SECRETS_AGE" ]; then
+    echo "ERROR: secrets.age not found at $SECRETS_AGE" >&2
+    echo "  Run: scripts/secrets-encrypt.sh to create it." >&2
+    exit 1
+fi
+
+TMP_KEY=""
+cleanup() { [ -n "$TMP_KEY" ] && rm -f "$TMP_KEY"; }
+trap cleanup EXIT
+
+if [ -n "${1:-}" ]; then
+    KEY_FILE="$1"
+elif [ -n "${SECRETS_AGE_KEY:-}" ]; then
+    TMP_KEY=$(mktemp)
+    chmod 600 "$TMP_KEY"
+    printf '%s\n' "$SECRETS_AGE_KEY" > "$TMP_KEY"
+    KEY_FILE="$TMP_KEY"
+else
+    echo "ERROR: No age private key provided." >&2
+    echo "  Pass a key file: scripts/secrets-decrypt.sh ~/.config/age/sharedinbox.key" >&2
+    echo "  Or set SECRETS_AGE_KEY env var (CI: store as SECRETS_AGE_KEY secret)." >&2
+    exit 1
+fi
+
+DECRYPTED=$(age --decrypt -i "$KEY_FILE" "$SECRETS_AGE")
+
+# Process each KEY=VALUE line.
+# Double-quoted values have \n escape sequences converted to real newlines.
+process_secrets() {
+    local line key raw_value value
+    while IFS= read -r line; do
+        [[ -z "$line" || "$line" == \#* ]] && continue
+        [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || continue
+
+        key="${line%%=*}"
+        raw_value="${line#*=}"
+
+        # Double-quoted: strip quotes and expand \n → newline
+        if [[ "$raw_value" == '"'*'"' ]]; then
+            raw_value="${raw_value:1:${#raw_value}-2}"
+            value=$(printf '%b' "$raw_value")
+        # Single-quoted: strip quotes, no expansion
+        elif [[ "$raw_value" == "'"*"'" ]]; then
+            value="${raw_value:1:${#raw_value}-2}"
+        else
+            value="$raw_value"
+        fi
+
+        if [ -n "${GITHUB_ENV:-}" ]; then
+            # Heredoc syntax handles multi-line values safely
+            local delim="EOF_${key}_$$"
+            printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
+        else
+            # Print as export statements for eval
+            printf "export %s=%q\n" "$key" "$value"
+        fi
+    done <<< "$DECRYPTED"
+}
+
+process_secrets
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+    echo "Secrets written to \$GITHUB_ENV." >&2
+fi
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Encrypts secrets.env → secrets.age using an age public key.
+#
+# Usage:
+#   scripts/secrets-encrypt.sh [AGE1...]   public key as positional argument
+#   AGE_PUBLIC_KEY=AGE1... scripts/secrets-encrypt.sh
+#   scripts/secrets-encrypt.sh             reads public key from .age-public-key
+#
+# The private key never touches this script. Only the public key is needed to
+# encrypt. Store the private key in CI as SECRETS_AGE_KEY and keep a local
+# copy at ~/.config/age/sharedinbox.key (or wherever you prefer).
+set -euo pipefail
+
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
+    || REPO_ROOT=$(cd "$(dirname "$0")/.." && pwd)
+SECRETS_ENV="${SECRETS_ENV:-${REPO_ROOT}/secrets.env}"
+SECRETS_AGE="${SECRETS_AGE:-${REPO_ROOT}/secrets.age}"
+KEY_FILE="${REPO_ROOT}/.age-public-key"
+
+if [ -n "${1:-}" ]; then
+    PUBLIC_KEY="$1"
+elif [ -n "${AGE_PUBLIC_KEY:-}" ]; then
+    PUBLIC_KEY="$AGE_PUBLIC_KEY"
+elif [ -f "$KEY_FILE" ]; then
+    PUBLIC_KEY=$(cat "$KEY_FILE")
+    PUBLIC_KEY="${PUBLIC_KEY%%$'\n'*}"  # take only the first line
+else
+    echo "ERROR: No age public key provided." >&2
+    echo "  Pass it as an argument: scripts/secrets-encrypt.sh AGE1..." >&2
+    echo "  Or store it in .age-public-key: age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key" >&2
+    exit 1
+fi
+
+if [ ! -f "$SECRETS_ENV" ]; then
+    echo "ERROR: secrets.env not found at $SECRETS_ENV" >&2
+    echo "  Copy secrets.env.example to secrets.env and fill in values." >&2
+    exit 1
+fi
+
+age --encrypt --recipient "$PUBLIC_KEY" --output "$SECRETS_AGE" "$SECRETS_ENV"
+echo "Encrypted $SECRETS_ENV → $SECRETS_AGE"
+echo "Commit secrets.age to keep CI in sync."
@@ -88,21 +88,47 @@ class TestAgentAlive(unittest.TestCase):
        self.assertFalse(agent_loop._agent_alive({"pid": None}))


+class TestIsClaudeProcess(unittest.TestCase):
+    def test_returns_true_for_claude_comm(self):
+        with patch.object(agent_loop.Path, "read_text", return_value="claude\n"):
+            self.assertTrue(agent_loop._is_claude_process(1234))
+
+    def test_returns_true_for_node_comm(self):
+        with patch.object(agent_loop.Path, "read_text", return_value="node\n"):
+            self.assertTrue(agent_loop._is_claude_process(1234))
+
+    def test_returns_false_for_other_process(self):
+        with patch.object(agent_loop.Path, "read_text", return_value="bash\n"):
+            self.assertFalse(agent_loop._is_claude_process(1234))
+
+    def test_returns_false_when_proc_missing(self):
+        with patch.object(agent_loop.Path, "read_text", side_effect=OSError):
+            self.assertFalse(agent_loop._is_claude_process(1234))
+
+
 class TestKillAgent(unittest.TestCase):
    def test_kill_sends_sigkill(self):
-        with patch("agent_loop.os.kill") as mock_kill:
-            agent_loop._kill_agent({"pid": 1234})
-            mock_kill.assert_called_once_with(1234, 9)
+        with patch("agent_loop._is_claude_process", return_value=True):
+            with patch("agent_loop.os.kill") as mock_kill:
+                agent_loop._kill_agent({"pid": 1234})
+                mock_kill.assert_called_once_with(1234, 9)

    def test_kill_ignores_missing_process(self):
-        with patch("agent_loop.os.kill", side_effect=ProcessLookupError):
-            agent_loop._kill_agent({"pid": 1234})  # Should not raise.
+        with patch("agent_loop._is_claude_process", return_value=True):
+            with patch("agent_loop.os.kill", side_effect=ProcessLookupError):
+                agent_loop._kill_agent({"pid": 1234})  # Should not raise.

    def test_kill_noop_when_no_pid(self):
        with patch("agent_loop.os.kill") as mock_kill:
            agent_loop._kill_agent({})
            mock_kill.assert_not_called()

+    def test_kill_skips_recycled_pid(self):
+        with patch("agent_loop._is_claude_process", return_value=False):
+            with patch("agent_loop.os.kill") as mock_kill:
+                agent_loop._kill_agent({"pid": 1234})
+                mock_kill.assert_not_called()
+

 class TestStartAgent(unittest.TestCase):
    def _make_mock_proc(self, pid=42):
@@ -174,7 +200,8 @@ class TestMain(unittest.TestCase):
            return 55

        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[self._make_issue(10)]), \
             patch("agent_loop._set_labels", side_effect=fake_set_labels), \
             patch("agent_loop._start_agent", side_effect=fake_start_agent), \
@@ -200,7 +227,8 @@ class TestMain(unittest.TestCase):
            captured["remove"] = remove

        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[self._make_issue(7)]), \
             patch("agent_loop._set_labels", side_effect=fake_set_labels), \
             patch("agent_loop._start_agent", return_value=99), \
@@ -213,7 +241,8 @@ class TestMain(unittest.TestCase):
    def test_no_ready_issues_does_nothing(self):
        """main() exits cleanly with 0 when there are no ready issues."""
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[]), \
             patch("agent_loop._set_labels") as mock_labels, \
             patch("agent_loop._start_agent") as mock_start:
@@ -232,7 +261,8 @@ class TestMain(unittest.TestCase):
            return 77

        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[self._make_issue(42)]), \
             patch("agent_loop._set_labels"), \
             patch("agent_loop._start_agent", side_effect=fake_start_agent), \
@@ -266,8 +296,9 @@ class TestPendingCi(unittest.TestCase):

    def test_closes_issue_when_ci_passes_after_agent_finishes(self):
        """After issue agent finishes, loop merges the PR and closes the issue once CI is green."""
+        # First call: PR found open. Second call (post-merge verification): PR closed.
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
+             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
             patch("agent_loop._merge_pr") as mock_merge, \
             patch("agent_loop._close_issue") as mock_close, \
@@ -282,7 +313,7 @@ class TestPendingCi(unittest.TestCase):
        """'CI passed' line includes the CI run URL when a run is available."""
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
+             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 4145144, "status": "success"}), \
             patch("agent_loop._merge_pr"), \
             patch("agent_loop._close_issue"), \
@@ -392,7 +423,7 @@ class TestPendingCi(unittest.TestCase):
    def test_closes_issue_after_ci_fix_and_ci_passes(self):
        """After ci-fix agent finishes and CI passes on PR branch, the pending issue is closed."""
        with patch("agent_loop._read_state", return_value=self._dead_state(10, "ci-fix")), \
-             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
+             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
             patch("agent_loop._merge_pr") as mock_merge, \
             patch("agent_loop._close_issue") as mock_close, \
@@ -409,7 +440,8 @@ class TestPendingCi(unittest.TestCase):
            "pid": 999999999, "issue": None, "started_at": "2026-01-01T00:00:00+00:00",
            "type": "ci-fix",
        }), \
-             patch("agent_loop._latest_ci_run", return_value={"id": 1, "status": "success"}), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value={"id": 1, "status": "success"}), \
             patch("agent_loop._close_issue") as mock_close, \
             patch("agent_loop._ready_issues", return_value=[]), \
             patch("agent_loop._clear_state"):
@@ -425,7 +457,8 @@ class TestOutputFormat(unittest.TestCase):
    def test_output_starts_with_header(self):
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[]), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
@@ -436,7 +469,8 @@ class TestOutputFormat(unittest.TestCase):
    def test_no_agent_loop_prefix_in_output(self):
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[]), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
@@ -446,7 +480,8 @@ class TestOutputFormat(unittest.TestCase):
        run = {"id": 4145144, "status": "running"}
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=run), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=run), \
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        self.assertIn("https://codeberg.org/guettli/sharedinbox/actions/runs/4145144",
@@ -456,7 +491,8 @@ class TestOutputFormat(unittest.TestCase):
        issue = {"number": 128, "title": "Fix something", "body": "", "labels": []}
        buf = io.StringIO()
        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._open_issue_prs", return_value=[]), \
+             patch("agent_loop._latest_main_ci_run", return_value=None), \
             patch("agent_loop._ready_issues", return_value=[issue]), \
             patch("agent_loop._set_labels"), \
             patch("agent_loop._start_agent", return_value=99), \
@@ -468,6 +504,47 @@ class TestOutputFormat(unittest.TestCase):
        self.assertIn("Fix something", output)


+class TestLatestMainCiRun(unittest.TestCase):
+    """_latest_main_ci_run() must return only ci.yml push-to-main runs."""
+
+    def _ci_run(self, run_id, status="success"):
+        return {"event": "push", "prettyref": "main", "workflow_id": "ci.yml",
+                "status": status, "id": run_id}
+
+    def _deploy_run(self, run_id, status="success"):
+        return {"event": "push", "prettyref": "main", "workflow_id": "deploy.yml",
+                "status": status, "id": run_id}
+
+    def test_skips_deploy_run_returns_ci_run(self):
+        # Forgejo reports deploy.yml schedule runs as event=push/prettyref=main;
+        # must be excluded by workflow_id filter.
+        runs = [self._deploy_run(1), self._ci_run(2)]
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
+            result = agent_loop._latest_main_ci_run()
+        self.assertIsNotNone(result)
+        self.assertEqual(result["id"], 2)
+
+    def test_returns_none_when_only_deploy_runs_exist(self):
+        runs = [self._deploy_run(1)]
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
+            result = agent_loop._latest_main_ci_run()
+        self.assertIsNone(result)
+
+    def test_returns_none_when_only_schedule_runs_exist(self):
+        runs = [{"event": "schedule", "prettyref": "main", "workflow_id": "deploy.yml",
+                 "status": "success", "id": 1}]
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
+            result = agent_loop._latest_main_ci_run()
+        self.assertIsNone(result)
+
+    def test_returns_ci_push_to_main_run(self):
+        runs = [self._ci_run(42, status="running")]
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
+            result = agent_loop._latest_main_ci_run()
+        self.assertIsNotNone(result)
+        self.assertEqual(result["id"], 42)
+
+
 class TestLatestCiRunForBranch(unittest.TestCase):
    """Tests for _latest_ci_run_for_branch — Forgejo API field mapping."""

@@ -0,0 +1,153 @@
+#!/usr/bin/env bash
+# Tests for scripts/secrets-encrypt.sh and scripts/secrets-decrypt.sh.
+# Run directly: bash scripts/test_secrets.sh
+# Requires: age, age-keygen
+set -euo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+PASS=0
+FAIL=0
+
+_assert() {
+    local name="$1" expected="$2" actual="$3"
+    if [ "$actual" = "$expected" ]; then
+        PASS=$((PASS + 1))
+    else
+        echo "FAIL: $name"
+        echo "  expected: $(printf '%s' "$expected" | head -c 80)"
+        echo "  actual:   $(printf '%s' "$actual"   | head -c 80)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+_assert_contains() {
+    local name="$1" needle="$2" haystack="$3"
+    if printf '%s' "$haystack" | grep -qF -- "$needle"; then
+        PASS=$((PASS + 1))
+    else
+        echo "FAIL: $name"
+        echo "  expected to contain: $needle"
+        echo "  actual: $(printf '%s' "$haystack" | head -c 200)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+if ! command -v age >/dev/null 2>&1 || ! command -v age-keygen >/dev/null 2>&1; then
+    echo "SKIP: age/age-keygen not found — install age to run secrets tests"
+    exit 0
+fi
+
+WORKDIR=$(mktemp -d)
+cleanup() { rm -rf "$WORKDIR"; }
+trap cleanup EXIT
+
+KEY_FILE="$WORKDIR/test.key"
+SECRETS_ENV="$WORKDIR/secrets.env"
+SECRETS_AGE="$WORKDIR/secrets.age"
+GITHUB_ENV_FILE="$WORKDIR/github.env"
+
+# Generate a test age key pair
+age-keygen -o "$KEY_FILE" 2>/dev/null
+PUBLIC_KEY=$(age-keygen -y "$KEY_FILE")
+
+PRIVATE_KEY=$(cat "$KEY_FILE")
+
+# Helper: decrypt and eval, capturing specific variables
+_decrypt_vars() {
+    local vars
+    vars=$(SECRETS_AGE_KEY="$PRIVATE_KEY" \
+        SECRETS_AGE="$SECRETS_AGE" \
+        bash "$SCRIPT_DIR/secrets-decrypt.sh")
+    eval "$vars"
+}
+
+# --- simple values ---
+cat > "$SECRETS_ENV" << 'EOF'
+SIMPLE_VAR=hello
+QUOTED_DOUBLE="world"
+QUOTED_SINGLE='literal'
+EMPTY_VAR=
+# comment line — should be ignored
+NUMERIC=42
+EOF
+
+AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$SECRETS_ENV" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh"
+
+_decrypt_vars
+_assert "simple value"         "hello"   "${SIMPLE_VAR:-}"
+_assert "double-quoted value"  "world"   "${QUOTED_DOUBLE:-}"
+_assert "single-quoted value"  "literal" "${QUOTED_SINGLE:-}"
+_assert "empty value"          ""        "${EMPTY_VAR:-}"
+_assert "numeric value"        "42"      "${NUMERIC:-}"
+unset SIMPLE_VAR QUOTED_DOUBLE QUOTED_SINGLE EMPTY_VAR NUMERIC
+
+# --- multi-line value with \n escape sequences ---
+# Use a made-up key format to avoid triggering the detect-private-key pre-commit hook.
+printf '%s\n' \
+    'SSH_KEY="FAKE-KEY-HEADER\nfakekey\nFAKE-KEY-FOOTER"' \
+    'SIDE=plain' \
+    > "$SECRETS_ENV"
+
+rm -f "$SECRETS_AGE"
+AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$SECRETS_ENV" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh"
+
+_decrypt_vars
+_assert_contains "multi-line: header present" "FAKE-KEY-HEADER" "${SSH_KEY:-}"
+_assert_contains "multi-line: body present"   "fakekey"         "${SSH_KEY:-}"
+_assert_contains "multi-line: footer present" "FAKE-KEY-FOOTER" "${SSH_KEY:-}"
+_assert "variable alongside multi-line" "plain" "${SIDE:-}"
+unset SSH_KEY SIDE
+
+# --- GITHUB_ENV output uses heredoc syntax ---
+printf '%s\n' 'CI_SECRET=supersecret' > "$SECRETS_ENV"
+rm -f "$SECRETS_AGE" "$GITHUB_ENV_FILE"
+AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$SECRETS_ENV" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh"
+
+GITHUB_ENV="$GITHUB_ENV_FILE" \
+    SECRETS_AGE_KEY="$PRIVATE_KEY" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh"
+
+_assert_contains "GITHUB_ENV contains key"   "CI_SECRET"   "$(cat "$GITHUB_ENV_FILE")"
+_assert_contains "GITHUB_ENV contains value" "supersecret" "$(cat "$GITHUB_ENV_FILE")"
+
+# --- missing secrets.age exits non-zero with a helpful message ---
+ERR=$(SECRETS_AGE="$WORKDIR/nonexistent.age" \
+    SECRETS_AGE_KEY="$PRIVATE_KEY" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "missing secrets.age: exits non-zero" "1" "$GOT"
+_assert_contains "missing secrets.age: error mentions file" "secrets.age" "$ERR"
+
+# --- missing key exits non-zero ---
+ERR=$(SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "missing key: exits non-zero" "1" "$GOT"
+
+# --- wrong key fails decryption ---
+OTHER_KEY="$WORKDIR/other.key"
+age-keygen -o "$OTHER_KEY" 2>/dev/null
+ERR=$(SECRETS_AGE_KEY=$(cat "$OTHER_KEY") \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "wrong key: exits non-zero" "1" "$GOT"
+
+# --- encrypt without secrets.env exits non-zero ---
+ERR=$(AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$WORKDIR/missing_secrets.env" \
+    SECRETS_AGE="$WORKDIR/out.age" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "encrypt without secrets.env: exits non-zero" "1" "$GOT"
+_assert_contains "encrypt without secrets.env: error mentions file" "secrets.env" "$ERR"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] || exit 1
@@ -0,0 +1,28 @@
+# Copy this file to secrets.env and fill in real values.
+# Then encrypt to secrets.age: scripts/secrets-encrypt.sh
+#
+# secrets.env  — plaintext, git-ignored
+# secrets.age  — encrypted, committed to the repository
+# .age-public-key — age public key, committed (not secret)
+#
+# Multi-line values (SSH keys, certificates) must be stored as a single line
+# with literal \n for newlines, wrapped in double quotes. Example:
+#   SSH_PRIVATE_KEY="<header line>\n<base64 body lines>\n<footer line>"
+#
+# One-time setup:
+#   age-keygen -o ~/.config/age/sharedinbox.key
+#   age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key
+#   # Store the private key content in CI as SECRETS_AGE_KEY secret.
+
+ANDROID_KEYSTORE_BASE64=
+ANDROID_KEYSTORE_PASSWORD=
+PLAY_STORE_CONFIG_JSON=
+SSH_PRIVATE_KEY=
+SSH_KNOWN_HOSTS=
+SSH_USER=
+SSH_HOST=
+ANDROID_APK_SCP_HOST=
+ANDROID_APK_SCP_USER=
+ANDROID_APK_SCP_PATH=
+FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY=
+FIREBASE_PROJECT_ID=
@@ -288,8 +288,6 @@ class _FakeLogs implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool? isPermanent,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -181,8 +181,6 @@ class FakeSyncLogRepository implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool? isPermanent,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -14,7 +14,7 @@ void main() {
  group('Migration', () {
    test('schemaVersion matches expected value', () async {
      final db = AppDatabase(NativeDatabase.memory());
-      expect(db.schemaVersion, 33);
+      expect(db.schemaVersion, 32);
      await db.close();
    });

@@ -194,10 +194,6 @@ void main() {
      // v32: local_sieve_applied table.
      await db.customSelect('SELECT count(*) FROM local_sieve_applied').get();

-      // v33: stack_trace and is_permanent columns on sync_logs.
-      final syncLogColumns = await _tableColumns(db, 'sync_logs');
-      expect(syncLogColumns, containsAll(['stack_trace', 'is_permanent']));
-
      await db.close();
      if (dbFile.existsSync()) dbFile.deleteSync();
    });
@@ -385,15 +381,11 @@ void main() {
          await _tableColumns(db, 'sync_log_mailboxes');
      expect(syncLogMailboxColumns, contains('duration_ms'));

-      // v33: stack_trace and is_permanent columns on sync_logs.
-      final syncLogColumns = await _tableColumns(db, 'sync_logs');
-      expect(syncLogColumns, containsAll(['stack_trace', 'is_permanent']));
-
      await db.close();
      if (dbFile.existsSync()) dbFile.deleteSync();
    });

-    test('fresh install creates all tables at schemaVersion 33', () async {
+    test('fresh install creates all tables at schemaVersion 32', () async {
      final db = AppDatabase(NativeDatabase.memory());
      await db.select(db.accounts).get();

@@ -434,10 +426,6 @@ void main() {
          await _tableColumns(db, 'sync_log_mailboxes');
      expect(syncLogMailboxColumns, contains('duration_ms'));

-      // v33: stack_trace and is_permanent columns on sync_logs.
-      final syncLogColumns = await _tableColumns(db, 'sync_logs');
-      expect(syncLogColumns, containsAll(['stack_trace', 'is_permanent']));
-
      await db.close();
    });
  });
@@ -170,8 +170,6 @@ class _FakeSyncLog implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool? isPermanent,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -126,56 +126,4 @@ void main() {
    expect(rows.first.result, 'error');
    expect(rows.first.errorMessage, 'Connection refused');
  });
-
-  test('stores and retrieves stack trace and isPermanent', () async {
-    final repo = SyncLogRepositoryImpl(db);
-    final start = DateTime(2024, 3, 1, 10);
-    final end = DateTime(2024, 3, 1, 10, 0, 1);
-
-    await repo.log(
-      accountId: 'acc1',
-      success: false,
-      errorMessage: 'MissingPluginException',
-      stackTrace: '#0 MethodChannel._invokeMethod\n#1 main',
-      isPermanent: true,
-      protocol: 'imap',
-      emailsFetched: 0,
-      emailsSkipped: 0,
-      mailboxesSynced: 0,
-      pendingFlushed: 0,
-      bytesTransferred: 0,
-      startedAt: start,
-      finishedAt: end,
-    );
-
-    final entries = await repo.observeSyncLogs('acc1').first;
-    final latest = entries.firstWhere((e) => e.startedAt == start);
-    expect(latest.stackTrace, '#0 MethodChannel._invokeMethod\n#1 main');
-    expect(latest.isPermanent, isTrue);
-    expect(latest.errorMessage, 'MissingPluginException');
-  });
-
-  test('isPermanent is null for success entries', () async {
-    final repo = SyncLogRepositoryImpl(db);
-    final start = DateTime(2024, 4, 1, 10);
-    final end = DateTime(2024, 4, 1, 10, 0, 3);
-
-    await repo.log(
-      accountId: 'acc1',
-      success: true,
-      protocol: 'imap',
-      emailsFetched: 2,
-      emailsSkipped: 0,
-      mailboxesSynced: 1,
-      pendingFlushed: 0,
-      bytesTransferred: 0,
-      startedAt: start,
-      finishedAt: end,
-    );
-
-    final entries = await repo.observeSyncLogs('acc1').first;
-    final latest = entries.firstWhere((e) => e.startedAt == start);
-    expect(latest.isPermanent, isNull);
-    expect(latest.stackTrace, isNull);
-  });
 }
@@ -27,6 +27,22 @@ class MockUrlLauncher extends Mock
  }
 }

+class ThrowingUrlLauncher extends Mock
+    with MockPlatformInterfaceMixin
+    implements UrlLauncherPlatform {
+  @override
+  Future<bool> canLaunch(String? url) async => true;
+
+  @override
+  Future<bool> launchUrl(String? url, LaunchOptions? options) async {
+    throw PlatformException(
+      code: 'channel-error',
+      message: 'Unable to establish connection on channel: '
+          '"dev.flutter.pigeon.url_launcher_android.UrlLauncherApi.launchUrl".',
+    );
+  }
+}
+
 Widget _buildScreen({List<Account> accounts = const []}) {
  return ProviderScope(
    overrides: [
@@ -180,4 +196,24 @@ void main() {
    );
    expect(mock.launchedUrl, contains('1.2.3%2B99'));
  });
+
+  testWidgets(
+    'AboutScreen link tap with failed url_launcher shows error snackbar',
+    (tester) async {
+      tester.view.physicalSize = const Size(800, 1200);
+      tester.view.devicePixelRatio = 1.0;
+      addTearDown(tester.view.resetPhysicalSize);
+      addTearDown(tester.view.resetDevicePixelRatio);
+
+      UrlLauncherPlatform.instance = ThrowingUrlLauncher();
+
+      await tester.pumpWidget(_buildScreen());
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.textContaining('sharedinbox.de').first);
+      await tester.pumpAndSettle();
+
+      expect(find.textContaining('Error:'), findsOneWidget);
+    },
+  );
 }
@@ -23,7 +23,7 @@ void main() {
      expect(find.byKey(const Key('scanEncryptedButton')), findsOneWidget);
    });

-    testWidgets('shows 20-minute expiry hint', (tester) async {
+    testWidgets('shows expiry countdown hint', (tester) async {
      await tester.pumpWidget(
        buildApp(
          initialLocation: '/accounts/receive',
@@ -32,8 +32,106 @@ void main() {
      );
      await tester.pumpAndSettle();

-      expect(find.textContaining('20 minutes'), findsOneWidget);
+      expect(find.textContaining('expires in'), findsOneWidget);
    });
+
+    testWidgets(
+      'step 2 button shows text-input fallback on platforms without camera',
+      (tester) async {
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/receive',
+            overrides: baseOverrides(),
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        await tester.tap(find.byKey(const Key('scanEncryptedButton')));
+        await tester.pumpAndSettle();
+
+        // On Linux (desktop, no camera) the text fallback field must appear.
+        expect(find.byKey(const Key('encryptedCodeField')), findsOneWidget);
+      },
+    );
+
+    testWidgets(
+      'step 2 — valid encrypted QR imports account via text fallback',
+      (tester) async {
+        // Pre-generate a key pair so we can encrypt a QR code with the same
+        // material the screen will use for decryption.
+        final material = await ShareEncryptionService.generateKeyPair();
+        final repo = FakeShareKeyRepository(material: material);
+
+        const account = Account(
+          id: 'src-1',
+          displayName: 'Alice',
+          email: 'alice@example.com',
+          imapHost: 'imap.example.com',
+          smtpHost: 'smtp.example.com',
+        );
+
+        final encryptedQr = await ShareEncryptionService.encryptAccounts(
+          recipientKeyId: material.keyId,
+          recipientPublicKeyBytes: material.publicKeyBytes,
+          accounts: [
+            AccountPayload(
+              accountJson: account.toJson(),
+              password: 'secret',
+            ),
+          ],
+        );
+
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/receive',
+            overrides: baseOverrides(shareKeyRepository: repo),
+          ),
+        );
+        await tester.pumpAndSettle(); // key generation completes
+
+        await tester.tap(find.byKey(const Key('scanEncryptedButton')));
+        await tester.pumpAndSettle();
+
+        await tester.enterText(
+          find.byKey(const Key('encryptedCodeField')),
+          encryptedQr,
+        );
+        await tester.tap(find.text('Import'));
+        await tester.pumpAndSettle();
+
+        expect(
+          find.text('Imported 1 account successfully.'),
+          findsOneWidget,
+        );
+      },
+    );
+
+    testWidgets(
+      'step 2 — invalid encrypted QR shows error and returns to pub-key step',
+      (tester) async {
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/receive',
+            overrides: baseOverrides(),
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        await tester.tap(find.byKey(const Key('scanEncryptedButton')));
+        await tester.pumpAndSettle();
+
+        await tester.enterText(
+          find.byKey(const Key('encryptedCodeField')),
+          'not-a-valid-qr-code',
+        );
+        await tester.tap(find.text('Import'));
+        await tester.pumpAndSettle();
+
+        // Screen returns to the pub-key step with an error message visible.
+        expect(find.byKey(const Key('pubKeyQrCode')), findsOneWidget);
+        expect(find.textContaining('Import failed:'), findsWidgets);
+      },
+    );
  });

  group('AccountSendScreen', () {
@@ -1,65 +0,0 @@
-import 'package:flutter/material.dart';
-import 'package:flutter/services.dart';
-import 'package:flutter_test/flutter_test.dart';
-import 'package:sharedinbox/ui/screens/changelog_screen.dart';
-
-class _FakeAssetBundle extends Fake implements AssetBundle {
-  final String content;
-  _FakeAssetBundle(this.content);
-
-  @override
-  Future<String> loadString(String key, {bool cache = true}) async {
-    if (key == 'assets/changelog.txt') return content;
-    throw FlutterError('Asset not found: $key');
-  }
-
-  @override
-  Future<ByteData> load(String key) async {
-    throw FlutterError('Asset not found: $key');
-  }
-}
-
-void main() {
-  testWidgets('ChangeLogScreen renders changelog content', (tester) async {
-    const fakeChangelog =
-        '* 2026-01-01: Initial release\n* 2026-01-02: Bug fix';
-
-    await tester.pumpWidget(
-      DefaultAssetBundle(
-        bundle: _FakeAssetBundle(fakeChangelog),
-        child: const MaterialApp(home: ChangeLogScreen()),
-      ),
-    );
-    await tester.pumpAndSettle();
-
-    expect(find.text('ChangeLog'), findsOneWidget);
-    expect(find.textContaining('2026-01-01'), findsOneWidget);
-    expect(find.textContaining('Initial release'), findsOneWidget);
-  });
-
-  testWidgets('ChangeLogScreen shows error when asset is missing', (
-    tester,
-  ) async {
-    await tester.pumpWidget(
-      DefaultAssetBundle(
-        bundle: _BadAssetBundle(),
-        child: const MaterialApp(home: ChangeLogScreen()),
-      ),
-    );
-    await tester.pumpAndSettle();
-
-    expect(find.textContaining('Error loading changelog:'), findsOneWidget);
-  });
-}
-
-class _BadAssetBundle extends Fake implements AssetBundle {
-  @override
-  Future<String> loadString(String key, {bool cache = true}) async {
-    throw FlutterError('Unable to load asset: "$key"');
-  }
-
-  @override
-  Future<ByteData> load(String key) async {
-    throw FlutterError('Unable to load asset: "$key"');
-  }
-}
@@ -116,7 +116,10 @@ void main() {

      expect(clipboardText, isNotNull);
      expect(clipboardText, contains('App Version: 1.0.0+42'));
+      expect(clipboardText, contains('Build Mode:'));
      expect(clipboardText, contains('Platform:'));
+      expect(clipboardText, contains('Dart:'));
+      expect(clipboardText, contains('Timestamp:'));
      expect(clipboardText, contains('TestException: clipboard test'));
      // GIT_HASH is empty in test builds — no Git Commit line expected
      expect(clipboardText, isNot(contains('Git Commit:')));
@@ -167,6 +170,35 @@ void main() {
    },
  );

+  testWidgets(
+    'CrashScreen shows version, build mode, and platform in the UI',
+    (tester) async {
+      tester.view.physicalSize = const Size(800, 1200);
+      tester.view.devicePixelRatio = 1.0;
+      addTearDown(() => tester.view.resetPhysicalSize());
+
+      const exception = 'TestException: info row test';
+      final stackTrace = StackTrace.current;
+
+      await tester.pumpWidget(
+        MaterialApp(
+          home: CrashScreen(exception: exception, stackTrace: stackTrace),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      // Info row shows app version (from mock), build mode, and platform OS.
+      expect(find.textContaining('1.0.0+42'), findsWidgets);
+      // In test builds kDebugMode is true.
+      expect(find.textContaining('debug'), findsOneWidget);
+      // Platform OS is always present (linux in CI, android/ios on device).
+      expect(
+        find.textContaining(RegExp(r'linux|android|ios|windows|macos')),
+        findsWidgets,
+      );
+    },
+  );
+
  testWidgets(
    'CrashScreen used as root widget — buttons work without ScaffoldMessenger crash',
    (tester) async {
@@ -79,11 +79,13 @@ class FakeAccountRepository implements AccountRepository {
 }

 class FakeShareKeyRepository implements ShareKeyRepository {
+  FakeShareKeyRepository({ShareKeyMaterial? material}) : _material = material;
+
  ShareKeyMaterial? _material;

  @override
  Future<ShareKeyMaterial> createKeyPair() async {
-    _material = await ShareEncryptionService.generateKeyPair();
+    _material ??= await ShareEncryptionService.generateKeyPair();
    return _material!;
  }

@@ -511,6 +513,7 @@ List<Override> baseOverrides({
  List<Mailbox>? mailboxes,
  DiscoveryResult? discovery,
  Exception? connectionError,
+  ShareKeyRepository? shareKeyRepository,
 }) =>
    [
      accountRepositoryProvider
@@ -525,7 +528,9 @@ List<Override> baseOverrides({
      connectionTestServiceProvider.overrideWithValue(
        FakeConnectionTestService(error: connectionError),
      ),
-      shareKeyRepositoryProvider.overrideWithValue(FakeShareKeyRepository()),
+      shareKeyRepositoryProvider.overrideWithValue(
+        shareKeyRepository ?? FakeShareKeyRepository(),
+      ),
    ];

 // ---------------------------------------------------------------------------
Author	SHA1	Message	Date
Thomas SharedInboxandClaude Sonnet 4.6	bc91c0db52	fix: about page version unknown and link crash on Android (#213 ) Bug 1 – "App Version: unknown": PackageInfo.fromPlatform() throws because plugin registration is aborted mid-way by a Java Error (e.g. NoClassDefFoundError) that catch (Exception e) does not catch. Fix: change all 13 catch clauses in GeneratedPluginRegistrant.java to catch (Throwable e) and commit the file so it is used by release builds. Bug 2 – crash when tapping sharedinbox.de: url_launcher_android 6.3.25+ migrated to Pigeon 26, which throws a channel-error on some Android devices (same root cause as path_provider_android, already pinned). The onTapLink callback called launchUrl via unawaited() with no error handling, so the PlatformException became an unhandled async error and crashed the app. Fix: pin url_launcher_android <6.3.25 in dependency_overrides, and add a _launchUrl() helper with full try/catch that shows a SnackBar on error instead of crashing. New widget test verifies the snackbar path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 17:15:19 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	839a3c63f9	feat: keep secrets in sync via age-encrypted master key (#208 ) Store all production secrets encrypted in secrets.age (committed to the repo) using age. Only one secret needs to be in CI: SECRETS_AGE_KEY. When a secret changes locally, update secrets.env and re-run scripts/secrets-encrypt.sh to commit a new secrets.age. CI picks up the updated secrets automatically on the next push — no manual CI variable updates required. Changes: - scripts/secrets-encrypt.sh: encrypt secrets.env → secrets.age - scripts/secrets-decrypt.sh: decrypt secrets.age → GITHUB_ENV (CI) or eval-safe export block (local) - scripts/test_secrets.sh: encrypt/decrypt round-trip tests - secrets.env.example: template documenting all production secret keys - ci/main.go: add CheckSecrets function (runs test_secrets.sh via Dagger), wire into Check(), update Graph(); add age to toolchain apt packages - .forgejo/Dockerfile: add age package - .forgejo/workflows/deploy.yml: replace per-secret CI references with a single "Decrypt production secrets" step using SECRETS_AGE_KEY - flake.nix: add age to dev shell - Taskfile.yml: add check-secrets task, include in check-fast - .gitignore: ignore plaintext secrets.env - DAGGER.md: document Option 5 (encrypted secrets file) as active approach Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 16:32:27 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	a167ebd0a3	feat: add build mode, Dart version, timestamp to crash report (#205 ) Show app version, build mode, and platform OS in the crash screen UI so users can report bugs without needing to copy first. The clipboard report now also includes Build Mode (debug/release/profile), Dart runtime version, and a UTC timestamp to aid post-crash diagnosis. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 16:06:32 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	881a240155	fix: probe scanner method channel to detect MissingPluginException (#204 ) The previous pre-flight check called ctrl.start() without ctrl.attach(), causing MobileScannerController to time out after 500 ms with controllerNotAttached on every device — the scanner never worked even when the plugin was present. Replace with a direct invokeMethod('state') probe on the scanner channel. MissingPluginException (thrown when the plugin is not registered) is the exact error from the crash report; all other errors are surfaced by the MobileScanner widget's own error builder. Also add widget tests for the AccountReceiveScreen step-2 import flow (text fallback, successful import, invalid-QR error) which were previously untested. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 15:47:21 +02:00
Thomas SharedInbox	117b546b2c	feat: show live countdown with seconds on receive account screen (#203 ) Replace the static "expires in 20 minutes" label with a StatefulWidget that ticks every second and displays the remaining time as MM:SS.	2026-05-24 15:11:56 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	d9b8748631	fix: filter _latest_main_ci_run by workflow_id == ci.yml Forgejo reports deploy.yml (scheduled/dispatch) runs with event=push and prettyref=main, identical to ci.yml push runs. The event-only filter was insufficient — adding workflow_id == "ci.yml" prevents deploy.yml runs from blocking or triggering false CI fix agents. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 15:07:00 +02:00
Bot of Thomas Güttler	50ae7df8a3	fix: fall back to text input when mobile_scanner plugin is unavailable (#202 ) (#219 )	2026-05-24 14:55:07 +02:00
Bot of Thomas Güttler	7dd5800064	perf: cache Linux engine artifacts via flutter precache --linux (#129 ) (#218 )	2026-05-24 14:30:07 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	77e581299d	fix: filter out schedule/deploy workflow runs in CI checks _latest_main_ci_run() was using event != pull_request which still matched deploy.yml schedule runs when their prettyref == "main", blocking the loop from picking up new issues. _latest_ci_run_for_branch() had the same issue: the else branch matched any non-pull_request event including schedule runs. Both functions now explicitly filter for event == "push" only. Tests updated: rename _latest_ci_run → _latest_main_ci_run, mock _open_issue_prs to prevent real API calls in unit tests, and update _find_pr_for_branch side_effect to reflect the upstream post-merge PR-still-open verification check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 14:08:13 +02:00
Bot of Thomas Güttler	37eca207c6	fix: pin SSH host key via known_hosts instead of StrictHostKeyChecking=no (#161 ) (#181 )	2026-05-24 13:00:04 +02:00
Bot of Thomas Güttler	5925cee4f2	fix: show git hash as clickable link above stacktrace (#201 ) (#211 )	2026-05-24 12:56:27 +02:00
Bot of Thomas Güttler	a8603edfc3	fix: verify PID belongs to claude before SIGKILL (#160 ) (#163 )	2026-05-24 12:55:08 +02:00
Bot of Thomas Güttler	0293cb5845	fix: stop retrying on MissingPluginException from flutter_secure_storage (#200 ) (#209 )	2026-05-24 08:50:06 +02:00
Bot of Thomas Güttler	30bcc8a314	fix: skip CI jobs when unrelated files change (#144 ) (#207 )	2026-05-24 08:30:10 +02:00
Bot of Thomas Güttler	ac0e16adcb	feat: about page - sharedinbox.de heading link and git commit row (#199 ) (#206 )	2026-05-24 08:10:07 +02:00