chore: merge main into branch (resolve screen conflicts, add thread_tile to coverage exclusions)

Replace EmailTile (used only in search results) and the duplicated inline
ListTile blocks in EmailListScreen and CombinedInboxScreen with a single
ThreadTile widget. Add EmailThread.fromEmail factory so search results
(which come back as individual Email objects) can be displayed via the
same widget. Delete email_tile.dart.

Closes #429

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/Dockerfile

@@ -4,14 +4,18 @@
 # In systemd service:
 #    ExecStartPre=docker build -t forgejo-act-runner:latest /etc/forgejo/runner
 #    ExecStart=/usr/local/bin/forgejo-runner daemon --config /etc/forgejo/config.yml
+
 FROM ghcr.io/catthehacker/ubuntu:go-24.04
 
 # Infrastructure tools required by CI workflows
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    stunnel4 \
-    netcat-openbsd \
+    jq \
     && rm -rf /var/lib/apt/lists/*
 
+# SOPS
+RUN curl -fsSL -o /usr/local/bin/sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
+    && chmod +x /usr/local/bin/sops
+
 # Dagger CLI — pinned to match the engine version on the runner host
 RUN curl -fsSL https://dl.dagger.io/dagger/install.sh \
     | DAGGER_VERSION=0.20.8 BIN_DIR=/usr/local/bin sh

.forgejo/workflows/ci.yml

@@ -1,111 +1,15 @@
 name: CI
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'lib/**'
-      - 'test/**'
-      - 'integration_test/**'
-      - 'android/**'
-      - 'linux/**'
-      - 'assets/**'
-      - '!assets/changelog.txt'
-      - 'pubspec.yaml'
-      - 'pubspec.lock'
-      - 'analysis_options.yaml'
-      - 'scripts/**'
-      - 'stalwart-dev/**'
-      - 'ci/**'
-      - 'Taskfile.yml'
-      - 'drift_schemas/**'
-      - '.forgejo/workflows/ci.yml'
-  pull_request:
-    paths:
-      - 'lib/**'
-      - 'test/**'
-      - 'integration_test/**'
-      - 'android/**'
-      - 'linux/**'
-      - 'assets/**'
-      - '!assets/changelog.txt'
-      - 'pubspec.yaml'
-      - 'pubspec.lock'
-      - 'analysis_options.yaml'
-      - 'scripts/**'
-      - 'stalwart-dev/**'
-      - 'ci/**'
-      - 'Taskfile.yml'
-      - 'drift_schemas/**'
-      - '.forgejo/workflows/ci.yml'
-
+on: [push, pull_request]
 jobs:
   check:
     name: Full Project Check
     runs-on: ubuntu-latest
     timeout-minutes: 60
-
     steps:
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 50
-
-      - name: Check runner tools
-        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
-
-      - name: Locate Docker daemon for local Dagger engine
-        run: |
-          # Skip if remote Dagger engine is already configured (preferred path)
-          if [ -n "${_DAGGER_RUNNER_HOST:-}" ]; then
-            echo "Remote Dagger engine configured, no local Docker needed."
-            exit 0
-          fi
-
-          # Try host Docker socket (DooD) if runner mounts it
-          if [ -S /var/run/docker.sock ]; then
-            if DOCKER_HOST=unix:///var/run/docker.sock docker info >/dev/null 2>&1; then
-              echo "Docker available via host socket."
-              echo "DOCKER_HOST=unix:///var/run/docker.sock" >> "$GITHUB_ENV"
-              exit 0
-            fi
-          fi
-
-          echo "WARNING: No remote Dagger engine and no local Docker found." >&2
-          echo "  - Remote engine: check DAGGER_STUNNEL_URL secret and that the host proxy is running." >&2
-          echo "  - Local Docker: runner does not expose /var/run/docker.sock." >&2
-          echo "CI will likely fail at the Dagger step." >&2
-
-      - name: Prune Dagger cache before check
-        env:
-          DAGGER_NO_NAG: "1"
-        # prune(maxUsedSpace) also reclaims named cache volumes (gradle-cache, go-build-cache, etc.)
-        # when total cache exceeds the limit; without args only unreferenced entries are removed.
-        run: |
-          dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }' || true
-
       - name: Run Full Check Suite
-        env:
-          DAGGER_NO_NAG: "1"
         run: task check-dagger
-
-      - name: Prune Dagger cache after check
-        if: always()
-        env:
-          DAGGER_NO_NAG: "1"
-        run: |
-          dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }' || true
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid

.forgejo/workflows/deploy.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 2
+          fetch-depth: 0
 
       - name: Detect Android and Linux changes
         id: diff
@@ -34,40 +34,78 @@ jobs:
 
           HEAD_SHA=$(git rev-parse HEAD)
 
-          # Skip if this exact commit was already successfully deployed (prevents
-          # hourly schedule from redeploying the same commit on every tick).
+          # Find the most recent workflow run where deploy-playstore actually succeeded
+          # (not merely skipped). Bug fix: previous code used commit_sha (always None in
+          # Forgejo's API) instead of head_sha, causing LAST_DEPLOYED_SHA to be empty on
+          # every run and the fallback diff to only cover HEAD~1..HEAD.
           LAST_DEPLOYED_SHA=$(python3 - << 'PYEOF'
           import json, os, sys, urllib.request
           token = os.environ.get("FORGEJO_TOKEN", "")
           server = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
           repo = os.environ.get("GITHUB_REPOSITORY", "")
-          url = f"{server}/api/v1/repos/{repo}/actions/runs?workflow_id=deploy.yml&status=success&limit=5"
+          base_api = f"{server}/api/v1/repos/{repo}/actions"
+          url = f"{base_api}/runs?workflow_id=deploy.yml&status=success&limit=10"
           req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
           try:
               with urllib.request.urlopen(req) as r:
                   data = json.loads(r.read())
               runs = [
                   r for r in data.get("workflow_runs", [])
-                  if r.get("workflow_id") == "deploy.yml" and r.get("status") == "success"
+                  if r.get("status") == "success"
               ]
-              print(runs[0].get("commit_sha") or "")
+              # Walk runs newest-first; pick the first one where deploy-playstore
+              # actually ran (conclusion=success), not just skipped.
+              for run in runs:
+                  run_id = run.get("id")
+                  jobs_url = f"{base_api}/runs/{run_id}/jobs"
+                  jobs_req = urllib.request.Request(jobs_url, headers={"Authorization": f"token {token}"})
+                  try:
+                      with urllib.request.urlopen(jobs_req) as jr:
+                          jobs_data = json.loads(jr.read())
+                      for job in jobs_data.get("workflow_jobs", []):
+                          if "Deploy to Play Store" in job.get("name", "") and (
+                              job.get("conclusion") == "success" or
+                              job.get("status") == "success"
+                          ):
+                              print(run.get("head_sha") or "")
+                              sys.exit(0)
+                  except Exception:
+                      pass  # skip this run if jobs API fails
+              print("")
           except Exception as e:
-              print(f"API check failed: {e}", file=sys.stderr)
+              print(f"::error::LAST_DEPLOYED_SHA lookup failed ({type(e).__name__}: {e})")
               print("")
           PYEOF
           )
 
-          if [ -n "$LAST_DEPLOYED_SHA" ] && [ "$HEAD_SHA" = "$LAST_DEPLOYED_SHA" ]; then
-            echo "HEAD $HEAD_SHA already successfully deployed — skipping"
-            echo "android=false" >> "$GITHUB_OUTPUT"
-            echo "linux=false"   >> "$GITHUB_OUTPUT"
+          if [ -z "$LAST_DEPLOYED_SHA" ]; then
+            echo "::warning::Could not determine last successfully deployed SHA — deploying all targets as a precaution"
+            echo "android=true" >> "$GITHUB_OUTPUT"
+            echo "linux=true"   >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          # Diff the HEAD commit against its parent; fall back to listing HEAD's files
-          # when the parent is unavailable (initial commit, shallow clone).
-          CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null \
-            || git show --name-only --format= HEAD)
+          if [ "$HEAD_SHA" = "$LAST_DEPLOYED_SHA" ]; then
+            echo "::notice::All deploys SKIPPED — HEAD $HEAD_SHA was already successfully deployed"
+            echo "android=false" >> "$GITHUB_OUTPUT"
+            echo "linux=false"   >> "$GITHUB_OUTPUT"
+            echo "skip_reason=commit $HEAD_SHA was already successfully deployed" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Diff from the last successfully deployed commit to catch all changes since
+          # that deploy, not just the most recent commit. Deploy all targets when the
+          # SHA is not in local history (shallow clone or very old deploy).
+          if git cat-file -e "$LAST_DEPLOYED_SHA" 2>/dev/null; then
+            echo "Diffing from last deployed SHA $LAST_DEPLOYED_SHA"
+            CHANGED=$(git diff --name-only "$LAST_DEPLOYED_SHA" HEAD 2>/dev/null \
+              || git show --name-only --format= HEAD)
+          else
+            echo "::warning::Last deployed SHA $LAST_DEPLOYED_SHA not in local history — deploying all targets as a precaution"
+            echo "android=true" >> "$GITHUB_OUTPUT"
+            echo "linux=true"   >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
 
           echo "Changed files:"
           echo "$CHANGED"
@@ -75,13 +113,25 @@ jobs:
           android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/|scripts/deploy_playstore\.py)'
           linux_re='^(linux/|lib/|pubspec\.yaml|pubspec\.lock)'
 
-          echo "$CHANGED" | grep -qE "$android_re" \
-            && echo "android=true" >> "$GITHUB_OUTPUT" \
-            || echo "android=false" >> "$GITHUB_OUTPUT"
+          if echo "$CHANGED" | grep -qE "$android_re"; then
+            echo "android=true" >> "$GITHUB_OUTPUT"
+            echo "Android deploy: TRIGGERED (android-relevant files changed)"
+            echo "::notice::Android deploy TRIGGERED — android-relevant files changed since $LAST_DEPLOYED_SHA"
+          else
+            echo "android=false" >> "$GITHUB_OUTPUT"
+            echo "Android deploy: SKIPPED (no android-relevant files changed)"
+            echo "::notice::Android deploy SKIPPED — diff $LAST_DEPLOYED_SHA..HEAD has no android-relevant changes"
+          fi
 
-          echo "$CHANGED" | grep -qE "$linux_re" \
-            && echo "linux=true"   >> "$GITHUB_OUTPUT" \
-            || echo "linux=false"  >> "$GITHUB_OUTPUT"
+          if echo "$CHANGED" | grep -qE "$linux_re"; then
+            echo "linux=true" >> "$GITHUB_OUTPUT"
+            echo "Linux deploy: TRIGGERED (linux-relevant files changed)"
+            echo "::notice::Linux deploy TRIGGERED — linux-relevant files changed since $LAST_DEPLOYED_SHA"
+          else
+            echo "linux=false" >> "$GITHUB_OUTPUT"
+            echo "Linux deploy: SKIPPED (no linux-relevant files changed)"
+            echo "::notice::Linux deploy SKIPPED — diff $LAST_DEPLOYED_SHA..HEAD has no linux-relevant changes"
+          fi
 
   deploy-playstore:
     name: Build & Deploy to Play Store
@@ -99,28 +149,23 @@ jobs:
         run: |
           command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
           command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
 
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
 
       - name: Publish Android to Play Store
-        if: ${{ secrets.PLAY_STORE_CONFIG_JSON != '' }}
         env:
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
-          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
           DAGGER_NO_NAG: "1"
         run: task publish-android
 
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
+      - name: Verify Play Store deployment
+        run: |
+          python3 -m venv /tmp/playstore-venv
+          /tmp/playstore-venv/bin/pip install google-auth requests --quiet
+          /tmp/playstore-venv/bin/python3 scripts/verify_playstore_deploy.py
+
 
   deploy-apk:
     name: Build & Deploy APK to Server
@@ -138,31 +183,17 @@ jobs:
         run: |
           command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
           command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
 
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
 
       - name: Build & Deploy APK to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
           DAGGER_NO_NAG: "1"
         run: task deploy-apk
 
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
 
   build-linux:
     name: Build Linux Release
@@ -180,71 +211,17 @@ jobs:
         run: |
           command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
           command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
 
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
 
       - name: Build & Deploy Linux to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
         env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
           DAGGER_NO_NAG: "1"
         run: task deploy-linux
 
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
-
-  publish-website:
-    name: Publish Website Build History
-    runs-on: ubuntu-latest
-    needs: [build-linux, deploy-playstore, deploy-apk]
-    if: |
-      always() &&
-      (needs.build-linux.result == 'success' || needs.deploy-playstore.result == 'success' || needs.deploy-apk.result == 'success')
-    timeout-minutes: 60
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Check runner tools
-        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-
-      - name: Setup Dagger Remote Engine (via stunnel)
-        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
-        run: scripts/setup_dagger_remote.sh
-
-      - name: Generate build history and deploy website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
-          DAGGER_NO_NAG: "1"
-        run: task publish-website
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
 
   label-deploy-health:
     name: Update Deploy Health Label

.forgejo/workflows/firebase-tests.yml

@@ -58,28 +58,18 @@ jobs:
         run: |
           command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
           command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
 
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
 
       - name: Run Android Tests on Firebase Test Lab
-        if: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != '' }}
         env:
-          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
           FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
           DAGGER_NO_NAG: "1"
         run: task test-android-firebase
 
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
-
       - name: Create issue on test failure
         if: failure()
         env:

.forgejo/workflows/monitor.yml

@@ -1,18 +0,0 @@
-name: Monitor Agent Loop
-
-on:
-  schedule:
-    - cron: '0 */2 * * *'  # every 2 hours
-  workflow_dispatch:
-
-jobs:
-  monitor:
-    name: Check Agent Loop Health
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check agent loop heartbeat
-        run: python3 scripts/agent_loop.py monitor

.forgejo/workflows/renovate.yml

@@ -18,22 +18,13 @@ jobs:
         run: |
           command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
           command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
 
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
 
       - name: Run Renovate
         env:
           DAGGER_NO_NAG: "1"
-          RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
         run: task renovate
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid

.forgejo/workflows/website.yml

@@ -1,6 +1,8 @@
-name: Deploy Website
+name: Update Website
 
 on:
+  schedule:
+    - cron: '0 * * * *'   # every hour on the hour
   push:
     branches: [main]
     paths:
@@ -11,7 +13,7 @@ on:
 
 jobs:
   deploy:
-    name: Build & Deploy Website
+    name: Build & Update Website
     runs-on: ubuntu-latest
     timeout-minutes: 60
 
@@ -24,31 +26,18 @@ jobs:
         run: |
           command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
           command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
 
-      - name: Setup Dagger Remote Engine (via stunnel)
+      - name: Setup Dagger Remote Engine
         env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
         run: scripts/setup_dagger_remote.sh
 
-      - name: Build & Deploy Website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Build & Update Website
         env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
           DAGGER_NO_NAG: "1"
         run: task publish-website
 
       - name: Verify Website
         env:
-          SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
+          SSH_HOST: ${{ env.WEBSITE_SSH_HOST }}
         run: scripts/website-verify.sh
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid

.forgejo/workflows/windows-nightly.yml

@@ -10,6 +10,7 @@ jobs:
     # Disabled until a self-hosted runner with label "windows-runner" is registered.
     name: Build & Deploy Windows (Nightly)
     runs-on: windows-runner
+    timeout-minutes: 90
     if: false
 
     steps:

.fvmrc

@@ -1,3 +1,3 @@
 {
-  "flutter": "3.41.6"
+  "flutter": "3.44.0"
 }

.github/workflows/ci.yml

@@ -1,250 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-
-jobs:
-  analyze-and-test:
-    name: Analyze & unit test
-    runs-on: sharedinbox-runner
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: subosito/flutter-action@v2
-        with:
-          flutter-version: "3.41.6"
-          channel: stable
-          cache: true
-
-      - name: Install dependencies
-        run: flutter pub get
-
-      - name: Generate Drift code
-        run: flutter pub run build_runner build --delete-conflicting-outputs
-
-      - name: Check formatting
-        run: dart format --set-exit-if-changed .
-
-      - name: Analyze
-        run: flutter analyze --fatal-infos
-
-      - name: Unit + widget tests with coverage
-        run: flutter test test/unit/ test/widget/ --coverage
-
-      - name: Coverage gate
-        run: dart run scripts/check_coverage.dart
-
-  integration:
-    name: Integration tests (Stalwart)
-    runs-on: sharedinbox-runner
-    # Run integration tests only on push to main, not on every PR.
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: DeterminateSystems/nix-installer-action@v14
-
-      - uses: DeterminateSystems/magic-nix-cache-action@v8
-
-      - name: Cache FVM Flutter SDK
-        uses: actions/cache@v4
-        with:
-          path: ~/.fvm
-          key: fvm-${{ hashFiles('.fvm/fvm_config.json') }}
-
-      - name: Cache pub packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.pub-cache
-          key: pub-${{ hashFiles('pubspec.lock') }}
-          restore-keys: pub-
-
-      - name: Run integration tests
-        run: |
-          nix develop --command bash -c "
-            fvm install --skip-pub-get &&
-            fvm flutter pub get &&
-            fvm flutter pub run build_runner build --delete-conflicting-outputs &&
-            stalwart-dev/test.sh
-          "
-
-  integration-ui:
-    name: UI Integration tests (Stalwart + Xvfb)
-    runs-on: sharedinbox-runner
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: DeterminateSystems/nix-installer-action@v14
-
-      - uses: DeterminateSystems/magic-nix-cache-action@v8
-
-      - name: Install Flutter Linux build dependencies
-        run: |
-          sudo apt-get update -q
-          sudo apt-get install -y --no-install-recommends \
-            libgtk-3-dev pkg-config cmake ninja-build clang \
-            libsecret-1-dev
-
-      - name: Cache FVM Flutter SDK
-        uses: actions/cache@v4
-        with:
-          path: ~/.fvm
-          key: fvm-${{ hashFiles('.fvm/fvm_config.json') }}
-
-      - name: Cache pub packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.pub-cache
-          key: pub-${{ hashFiles('pubspec.lock') }}
-          restore-keys: pub-
-
-      - name: Cache Linux debug build
-        uses: actions/cache@v4
-        with:
-          path: |
-            build/linux
-            .dart_tool/flutter_build
-          key: linux-debug-${{ hashFiles('pubspec.lock', 'lib/**/*.dart', 'integration_test/**/*.dart') }}
-          restore-keys: linux-debug-
-
-      - name: Run UI integration tests
-        run: |
-          nix develop --command bash -c "
-            fvm install --skip-pub-get &&
-            fvm flutter pub get &&
-            fvm flutter pub run build_runner build --delete-conflicting-outputs &&
-            stalwart-dev/integration_ui_test.sh
-          "
-
-  build-linux:
-    name: Build Linux desktop
-    runs-on: sharedinbox-runner
-    needs: analyze-and-test
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install GTK3, build tools and libsecret
-        run: |
-          sudo apt-get update -q
-          sudo apt-get install -y --no-install-recommends \
-            libgtk-3-dev pkg-config cmake ninja-build clang \
-            libsecret-1-dev
-
-      - uses: subosito/flutter-action@v2
-        with:
-          flutter-version: "3.41.6"
-          channel: stable
-          cache: true
-
-      - name: Install dependencies
-        run: flutter pub get
-
-      - name: Generate Drift code
-        run: flutter pub run build_runner build --delete-conflicting-outputs
-
-      - name: Build Linux release
-        run: flutter build linux --release
-
-  deploy:
-    name: Deploy Linux build & publish website
-    runs-on: sharedinbox-runner
-    needs: build-linux
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    env:
-      SSH_HOST: ${{ secrets.SSH_HOST }}
-      SSH_USER: ${{ secrets.SSH_USER }}
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install build & deploy dependencies
-        run: |
-          sudo apt-get update -q
-          sudo apt-get install -y --no-install-recommends \
-            libgtk-3-dev pkg-config cmake ninja-build clang \
-            libsecret-1-dev hugo rsync
-
-      - uses: subosito/flutter-action@v2
-        with:
-          flutter-version: "3.41.6"
-          channel: stable
-          cache: true
-
-      - name: Cache pub packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.pub-cache
-          key: pub-${{ hashFiles('pubspec.lock') }}
-          restore-keys: pub-
-
-      - name: Install dependencies
-        run: flutter pub get
-
-      - name: Generate Drift code
-        run: flutter pub run build_runner build --delete-conflicting-outputs
-
-      - name: Generate changelog
-        run: |
-          mkdir -p assets
-          git log -n 50 \
-            --pretty=format:'* %ad [%h](https://codeberg.org/guettli/sharedinbox/commit/%H): %s' \
-            --date=short > assets/changelog.txt
-
-      - name: Setup SSH
-        run: |
-          mkdir -p ~/.ssh
-          printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
-          chmod 644 ~/.ssh/known_hosts
-
-      - name: Build Linux release
-        run: |
-          HASH=$(git rev-parse --short HEAD)
-          flutter build linux --release --no-pub --dart-define=GIT_HASH=$HASH
-
-      - name: Deploy Linux build to server
-        run: |
-          HASH=$(git rev-parse --short HEAD)
-          DATE_PATH=$(date -u +%Y/%m/%d)
-          REMOTE_DIR="public_html/builds/$DATE_PATH"
-          TARBALL="sharedinbox-linux-amd64-$HASH.tar.gz"
-          tar -czf /tmp/$TARBALL -C build/linux/x64/release bundle
-          ssh "$SSH_USER@$SSH_HOST" "mkdir -p $REMOTE_DIR"
-          scp /tmp/$TARBALL "$SSH_USER@$SSH_HOST:$REMOTE_DIR/$TARBALL"
-          DOWNLOAD_URL="https://sharedinbox.de/builds/$DATE_PATH/$TARBALL"
-          EXISTING=$(ssh "$SSH_USER@$SSH_HOST" \
-            "cat public_html/latest.json 2>/dev/null || echo '{}'")
-          WINDOWS_URL=$(echo "$EXISTING" | \
-            python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('windows',''))" \
-            2>/dev/null || true)
-          if [ -n "$WINDOWS_URL" ]; then
-            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\",\"windows\":\"$WINDOWS_URL\"}" | \
-              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
-          else
-            echo "{\"version\":\"$HASH\",\"linux\":\"$DOWNLOAD_URL\"}" | \
-              ssh "$SSH_USER@$SSH_HOST" "cat > public_html/latest.json"
-          fi
-
-      - name: Generate build history pages
-        run: python3 scripts/generate_build_history.py
-
-      - name: Build website
-        env:
-          HUGO_PARAMS_GITVERSION: ${{ github.sha }}
-        run: hugo --source website --minify
-
-      - name: Deploy website
-        run: |
-          rsync -avz --delete \
-            --exclude='*.apk' \
-            --exclude='*.tar.gz' \
-            website/public/ \
-            "$SSH_USER@$SSH_HOST:public_html/"

.gitignore

@@ -1,5 +1,6 @@
 # --- Flutter/Dart ---
 coverage/
+screenshots/
 .dart_tool/
 .dart-tool/
 .packages

.pre-commit-config.yaml

@@ -10,6 +10,11 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
 
+  - repo: https://github.com/guettli/sync-branch
+    rev: v0.0.11
+    hooks:
+      - id: sync-branch
+
   - repo: local
     hooks:
       - id: check-no-binary
@@ -27,7 +32,7 @@ repos:
       - id: dart-check
         name: dart format (autofix) + check-fast (parallel)
         language: system
-        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command scripts/pre_commit_check.sh'
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command dagger call --progress=plain -q -m ci --source=. check-fast'
         pass_filenames: false
         always_run: true
       - id: ci-no-direct-dagger
@@ -42,3 +47,9 @@ repos:
         entry: "bash -c 'git --no-pager grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
         pass_filenames: false
         always_run: true
+      - id: ci-image-exists
+        name: verify container images in ci/main.go are reachable
+        language: system
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command task check-ci-images'
+        pass_filenames: false
+        files: ^(ci/main\.go|\.fvmrc)$

AGENTS.md

@@ -8,46 +8,41 @@ CLI tool `fgj` is available to query issues/PRs/actions.
 
 ## Issue Label Workflow
 
-We use issues, follow this label state machine:
+Automation is handled by [agentloop](https://github.com/guettli/agentloop) running every 5 minutes via cron. Add a label to trigger an agent:
 
-- **State/ToPlan** — Issue needs a plan written by an agent before implementation
-- **State/Planned** — Plan has been posted as a comment; awaiting human review
-- **State/Ready** — Issue is approved and ready for implementation
-- **State/InProgress** — Set while an agent (or human) is actively working
-- **State/Question** — Agent hit a blocker or needs clarification
+| Label | Trigger | Outcome |
+|---|---|---|
+| `loop/plan` | Planning agent reads the issue and writes an implementation plan as a comment | Issue moves to `loop/plan-done` |
+| `loop/code` | Coding agent implements the change, creates a branch + PR | Issue moves to `loop/code-done` |
 
-Full lifecycle:
+**State machine:**
 
 ```
-State/ToPlan → State/Planned   (automated: agent_loop.py runs a planning agent)
-State/Planned → State/Ready    (manual: human reviews the plan and approves)
-State/Ready → State/InProgress (automated: agent_loop.py before starting implementation)
-State/InProgress → closed      (automated: after PR is merged and CI passes)
-any state → State/Question     (automated or manual: when blocked)
+loop/plan  →  loop/plan-in-progress  →  loop/plan-done
+                                      ↘  NeedSupervisor  (on failure)
+
+loop/code  →  loop/code-in-progress  →  loop/code-done
+                                      ↘  NeedSupervisor  (on failure)
 ```
 
-List open issues ready to pick up:
+**Rules:**
+
+- Only issues authored by allowed users are picked up (guettli, guettlibot, guettlibot2, forgejo-actions).
+- An issue with `NeedSupervisor` needs human attention — investigate, fix, then re-label.
+- The coding agent opens a PR but does NOT close the issue. A human reviews the PR and closes the issue after merging.
+- Planning agents only post a comment — they do NOT write code or open PRs.
+- `loop/*` labels are managed by agentloop — do not set them manually while an agent is active.
+
+**Typical lifecycle for a new feature:**
 
-```bash
-fgj issue list --json --state open | jq '[.[] | select(.labels[].name == "State/Ready")] | .[] | {number, title, html_url}'
 ```
-
-Rules:
-
-- Never start implementation on an issue without `State/Ready`
-- Planning agents only post a plan comment — they do NOT write code or open PRs
-- After `State/Planned`, a human must review the plan and manually add `State/Ready`
-- When working via the agent loop: label transitions are set automatically
-  by `agent_loop.py` — do **not** set them yourself.
-- When working manually: switch to `State/InProgress` as your **first action**:
-  ```bash
-  fgj issue edit <NUMBER> --remove-label "State/Ready" --add-label "State/InProgress"
-  ```
-- If blocked, replace current state label with `State/Question` and leave a comment explaining the blocker
-- When done and CI is green, close the issue:
-  ```bash
-  fgj issue close <NUMBER>
-  ```
+1. Create issue
+2. Add label loop/plan   → agent writes plan as comment
+3. Review plan, request changes or approve
+4. Add label loop/code   → agent implements + opens PR
+5. Review PR, merge
+6. Close issue
+```
 
 ## Code conventions
 

DAGGER.md

@@ -39,7 +39,7 @@ WorkingDirectory=/home/dagger-svc
 # Replace 1003 with the actual UID of dagger-svc
 Environment=DOCKER_HOST=unix:///run/user/1003/podman/podman.sock
 Environment=XDG_RUNTIME_DIR=/run/user/1003
-ExecStart=/usr/bin/nix run github:dagger/nix/v0.11.4#dagger -- engine --addr tcp://0.0.0.0:8080
+ExecStart=/usr/bin/nix run github:dagger/nix/v0.20.8#dagger -- engine --addr tcp://0.0.0.0:8080
 Restart=always
 
 [Install]

DEVELOPMENT.md

@@ -188,3 +188,5 @@ Using SSH to `localhost` is preferred over complex X11/Wayland permission hacks.
 ## Daily Workflow
 
 Refer to the [README.md](./README.md#daily-workflow) for common development tasks and commands.
+
+<!-- agentloop code test passed -->

PLAN_ISSUE_21.md

@@ -1,59 +0,0 @@
-# Implementation Plan: Secure WebView for HTML Emails (#21)
-
-## Goal
-Replace the current `flutter_html` based rendering with a hardened WebView-based approach to improve rendering fidelity while strictly enforcing security and privacy.
-
-## 1. Dependency Management
-- **Core**: `webview_flutter` (v4+)
-- **Linux Platform**: `webview_flutter_linux` (Official community-supported or WebKitGTK based implementation). *Note: I will verify the exact package name during implementation.*
-- **Utilities**: `url_launcher` (existing) for opening links in the system browser.
-
-## 2. Secure WebView Component (`lib/ui/widgets/secure_email_webview.dart`)
-Create a new widget `SecureEmailWebView` that encapsulates the `WebViewWidget` and its controller.
-
-### Configuration & Hardening
-- **Disable JavaScript**: `controller.setJavaScriptMode(JavaScriptMode.disabled)`.
-- **Background**: Match the application theme (e.g., transparent or surface color).
-- **Security Headers/CSP**: Inject a Content Security Policy via `<meta>` tag in the HTML wrapper:
-  - `default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:;` (Blocks all external assets by default).
-
-### Image Blocking Logic
-- **Initial State**: Block remote images by injecting a CSP that restricts `img-src` to `data:` and local schemes.
-- **Toggle Mechanism**:
-  - Provide a "Load Remote Images" button in the Flutter UI.
-  - When triggered, re-render the HTML with an updated CSP: `img-src * data:;`.
-
-### Link Interception & Phishing Protection
-- Implement `NavigationDelegate.onNavigationRequest`.
-- **Process**:
-  1. Intercept any URL that doesn't start with `about:blank` or `data:`.
-  2. Block the navigation in the WebView.
-  3. Trigger a Flutter `showDialog` for confirmation.
-- **Phishing Protection Dialog**:
-  - Show the full URL.
-  - **Bold the FQDN**: Parse the URL using `Uri.parse`.
-    - Example: `https://`**`important-bank.com`**`/login`
-  - "Open in Browser" button uses `url_launcher`.
-
-## 3. Integration Plan
-### Step 1: Initialization
-Modify `lib/main.dart` to initialize the Linux WebView platform (using `webview_flutter_linux` or similar) during app startup.
-
-### Step 2: Replace Renderer in Screens
-- **EmailDetailScreen**: Replace `Html(...)` with `SecureEmailWebView(html: body.htmlBody!)`.
-- **ThreadDetailScreen**: Replace `Html(...)` with `SecureEmailWebView(html: body.htmlBody!)`.
-- Remove `flutter_html` imports and dependencies once migration is complete.
-
-## 4. Verification & Security Audit
-- **Manual Tests**:
-  - Open emails with complex HTML layouts.
-  - Verify images are blocked initially.
-  - Verify "Load images" works.
-  - Click various links (http, https, mailto) and verify the confirmation dialog and FQDN bolding.
-- **Security Check**:
-  - Verify that `<script>` tags are not executed.
-  - Verify no network requests for external images occur before user consent (via DevTools or proxy).
-
-## 5. Potential Challenges
-- **Linux WebView Stability**: WebKitGTK on Linux can sometimes have rendering or sizing issues in Flutter.
-- **Scrolling**: Ensuring the WebView integrates smoothly into the `ListView` of the email detail screen (might require fixed height or `SizedBox`).

PLAN_SNOOZE.md

@@ -1,46 +0,0 @@
-# Snooze Feature Plan
-
-## Goal
-Allow users to snooze emails, moving them to a special folder and bringing them back to the Inbox at a specified time. Snooze data must be stored in the account (IMAP/JMAP) for cross-device synchronization.
-
-## Technical Approach
-
-### 1. Metadata Storage (Account Sync)
-- **Keyword format:** `snz:<ISO8601_TIMESTAMP>` (e.g., `snz:2026-05-10T15:00:00Z`).
-- **JMAP:** Use `keywords`.
-- **IMAP:** Use User Flags (keywords).
-
-### 2. Database Changes
-- **Migration v22:**
-    - `Emails` table:
-        - `snoozedUntil` (DateTime, nullable)
-        - `snoozedFromMailboxPath` (String, nullable) - to remember where to move it back (usually INBOX).
-    - Index on `snoozedUntil`.
-
-### 3. Repository Updates (`EmailRepository`)
-- New method: `Future<void> snoozeEmail(String emailId, DateTime until)`
-    - Optimistically update local DB.
-    - Enqueue `snooze` change.
-- New method: `Future<int> wakeUpEmails(String accountId)`
-    - Find local rows where `snoozedUntil <= now`.
-    - Enqueue `move` back to original mailbox.
-    - Clear snooze metadata.
-
-### 4. Sync Loop Integration
-- In `AccountSyncManager`, call `wakeUpEmails(accountId)` at the start of each sync cycle.
-- Update IMAP/JMAP sync logic to parse `snz:` keywords and update local `snoozedUntil` / `snoozedFromMailboxPath`.
-
-### 5. UI Implementation
-- **Snooze Picker:** A dialog with options like "Later today", "Tomorrow morning", "Next week", "Custom".
-- **Action:** Add "Snooze" icon to `EmailListScreen` selection bar and `EmailDetailScreen`.
-- **Mailbox:** Ensure a "Snoozed" mailbox exists (create if missing).
-
-## Implementation Steps
-1. [ ] Database migration and model updates.
-2. [ ] Repository implementation for `snoozeEmail` and `wakeUpEmails`.
-3. [ ] Update flush logic for IMAP and JMAP to handle `snooze` mutations.
-4. [ ] Update sync logic to parse snooze keywords.
-5. [ ] Integrate `wakeUpEmails` into the sync loop.
-6. [ ] UI: Snooze picker dialog.
-7. [ ] UI: Add Snooze action to list and detail screens.
-8. [ ] Testing and validation.

Taskfile.yml

@@ -37,6 +37,8 @@ tasks:
     run: once
     deps: [_nix-check]
     preconditions:
+      - sh: '[ "$(id -u)" != "0" ]'
+        msg: "Do not run as root. Use the dedicated dev user (see DEVELOPMENT.md)."
       - sh: test -n "${IN_NIX_SHELL}"
         msg: "Not in nix dev shell. Run: nix develop"
     cmds:
@@ -96,34 +98,19 @@ tasks:
       - scripts/silent_on_success.sh fvm flutter pub run build_runner build --delete-conflicting-outputs
 
   codegen:
-    desc: Generate Drift DB code (run after any schema change)
-    deps: [_preflight, _pub-get]
-    sources:
-      - lib/**/*.dart
-      - pubspec.yaml
-    generates:
-      - lib/**/*.g.dart
+    desc: Generate Drift DB code via Dagger (exports generated files back to host)
     cmds:
-      - fvm flutter pub run build_runner build --delete-conflicting-outputs
+      - dagger call --progress=plain -q -m ci --source=. codegen -o .
 
   analyze:
-    desc: Static analysis (flutter analyze)
-    deps: [_preflight, _codegen]
-    sources:
-      - lib/**/*.dart
-      - test/**/*.dart
-      - pubspec.yaml
-      - analysis_options.yaml
+    desc: Static analysis via Dagger (dart analyze --fatal-infos)
     cmds:
-      - scripts/run_analyze.sh
+      - dagger call --progress=plain -q -m ci --source=. analyze
 
   format:
-    desc: Format all Dart source files
-    deps: [_preflight]
-    sources:
-      - "**/*.dart"
+    desc: Format all Dart source files via Dagger (writes back to host)
     cmds:
-      - fvm dart format lib test
+      - dagger call --progress=plain -q -m ci --source=. format-write -o .
 
   check-mocks:
     desc: Fail if any *.mocks.dart file is out of date (re-runs build_runner)
@@ -136,13 +123,9 @@ tasks:
       - scripts/check_mocks_fresh.sh
 
   analyze-fix:
-    desc: Auto-fix lint issues with dart fix --apply
-    deps: [_preflight]
-    sources:
-      - lib/**/*.dart
-      - test/**/*.dart
+    desc: Auto-fix lint issues via Dagger (dart fix --apply, writes back to host)
     cmds:
-      - fvm dart fix --apply
+      - dagger call --progress=plain -q -m ci --source=. analyze-fix -o .
 
   test:
     desc: Unit tests + coverage gate (fails if any non-excluded lib/ file is missing)
@@ -177,17 +160,17 @@ tasks:
   test-backend:
     desc: Backend tests against a local Stalwart mail server (via Dagger)
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. test-backend
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. test-backend
 
   integration-ui:
     desc: UI E2E tests on Linux via Xvfb — headless, no emulator needed (via Dagger)
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. test-integration
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. test-integration
 
   sync-reliability:
     desc: Run sync reliability runner (via Dagger)
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. test-sync-reliability
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. test-sync-reliability
 
   test-android-firebase:
     desc: Build Android debug APKs and run instrumented tests on Firebase Test Lab (via Dagger)
@@ -202,7 +185,7 @@ tasks:
   ci-graph:
     desc: Print a Mermaid diagram of the CI pipeline — paste into mermaid.live or any Markdown renderer
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. graph
+      - timeout --kill-after=10 60 dagger call --progress=plain -q -m ci --source=. graph
 
   stalwart:
     desc: Start a Stalwart instance for local development (via Dagger)
@@ -218,13 +201,13 @@ tasks:
       - sh: test -n "$SSH_KNOWN_HOSTS"
         msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && scripts/silent_on_success.sh timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. deploy-linux --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
 
   build-android-bundle:
     desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
     cmds:
       - mkdir -p build/app/outputs/bundle/release
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. build-android-release --commit-hash "$HASH" -o build/app/outputs/bundle/release/app-release.aab
+      - HASH=$(git rev-parse --short HEAD) && timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. build-android-release --commit-hash "$HASH" -o build/app/outputs/bundle/release/app-release.aab
 
   upload-android-bundle:
     desc: Upload AAB from build/ to Play Store via Dagger
@@ -234,7 +217,7 @@ tasks:
       - sh: test -f build/app/outputs/bundle/release/app-release.aab
         msg: "AAB not found — run build-android-bundle first"
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. upload-to-play-store --aab build/app/outputs/bundle/release/app-release.aab --play-store-config env:PLAY_STORE_CONFIG_JSON
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. upload-to-play-store --aab build/app/outputs/bundle/release/app-release.aab --play-store-config env:PLAY_STORE_CONFIG_JSON
 
   publish-android:
     desc: Build cached AAB, stamp versionCode, sign, and publish to Play Store via Dagger
@@ -247,7 +230,7 @@ tasks:
       - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
         msg: "ANDROID_KEYSTORE_PASSWORD is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --commit-hash "$HASH"
+      - HASH=$(git rev-parse --short HEAD) && scripts/silent_on_success.sh timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --commit-hash "$HASH"
 
   deploy-apk:
     desc: Build and deploy Android APK via Dagger
@@ -261,7 +244,7 @@ tasks:
       - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
         msg: "ANDROID_KEYSTORE_PASSWORD is not set"
     cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
+      - HASH=$(git rev-parse --short HEAD) && scripts/silent_on_success.sh timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. deploy-apk --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH" --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --build-number "$(git log -1 --format=%ct HEAD)"
 
   publish-website:
     desc: Build and publish website via Dagger
@@ -271,7 +254,7 @@ tasks:
       - sh: test -n "$SSH_KNOWN_HOSTS"
         msg: "SSH_KNOWN_HOSTS is not set"
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - HASH=$(git rev-parse --short HEAD) && timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --known-hosts env:SSH_KNOWN_HOSTS --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
 
   check-dagger:
     desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)
@@ -294,11 +277,11 @@ tasks:
           for attempt in 1 2 3; do
             run_dagger "$@" && return 0
             RC=$?
-            if [ "$attempt" -lt 3 ] && grep -qE "connection reset|context canceled|connection refused|invalid return status code" "$DAGGER_OUT"; then
+            if [ "$attempt" -lt 3 ] && { grep -qE "connection reset|context deadline exceeded|connection refused|invalid return status code" "$DAGGER_OUT" || [ "$RC" -eq 2 ]; }; then
               echo "$(_ts) dagger: network error on attempt $attempt/3, retrying..." >&2
             elif [ "$attempt" -lt 3 ] && grep -q "No space left on device" "$DAGGER_OUT"; then
               echo "$(_ts) dagger: disk space error on attempt $attempt/3, pruning Dagger cache..." >&2
-              dagger query '{ engine { localCache { prune(targetSpace: "20gb") } } }' 2>/dev/null || true
+              timeout 120 dagger query '{ engine { localCache { prune(targetSpace: "20gb") } } }' 2>/dev/null || true
               echo "$(_ts) dagger: waiting 90s for freed space to settle..." >&2
               sleep 90
             else
@@ -319,7 +302,16 @@ tasks:
           rm -f "$PORTFILE" "$DAGGER_OUT" "$RC_FILE"
         }
         trap cleanup EXIT
-        until [ -s "$PORTFILE" ]; do sleep 0.05; done
+        until [ -s "$PORTFILE" ]; do
+          sleep 0.05
+          if ! kill -0 "$RECV_PID" 2>/dev/null; then
+            echo "$(_ts) otel-receiver.py died before writing port file; falling back to plain run" >&2
+            retry_dagger dagger call --progress=plain -q -m ci --source=. check
+            RC=$?
+            rm -f "$PORTFILE" "$DAGGER_OUT" "$RC_FILE"
+            exit $RC
+          fi
+        done
         PORT=$(cat "$PORTFILE")
         retry_dagger env \
           OTEL_EXPORTER_OTLP_ENDPOINT="http://127.0.0.1:$PORT" \
@@ -342,7 +334,7 @@ tasks:
       - sh: test -n "$RENOVATE_FORGEJO_TOKEN"
         msg: "RENOVATE_FORGEJO_TOKEN is not set"
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. renovate --renovate-token env:RENOVATE_FORGEJO_TOKEN
+      - timeout --kill-after=10 1800 dagger call --progress=plain -q -m ci --source=. renovate --renovate-token env:RENOVATE_FORGEJO_TOKEN
 
   integration-android:
     desc: UI integration tests on a connected Android emulator (Stalwart on host, emulator reaches it via 10.0.2.2)
@@ -417,6 +409,22 @@ tasks:
         fi
         echo "Uploaded $TARBALL and updated latest.json"
 
+  deploy-bugreport:
+    desc: Deploy the Go bugreport server by restarting the systemd service (it pulls latest code from Codeberg)
+    preconditions:
+      - sh: test -n "$SSH_USER"
+        msg: "SSH_USER is not set"
+      - sh: test -n "$SSH_HOST"
+        msg: "SSH_HOST is not set"
+      - sh: test -n "$SSH_KNOWN_HOSTS"
+        msg: "SSH_KNOWN_HOSTS is not set"
+    cmds:
+      - |
+        mkdir -p ~/.ssh
+        printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
+        ssh "root@$SSH_HOST" "systemctl restart bugreport"
+        echo "Restarted bugreport service on $SSH_HOST to pull latest code from Codeberg"
+
   build-windows-release:
     desc: Build the Windows desktop app (release) — must run on a Windows machine with MSVC
     deps: [_pub-get, generate-changelog]
@@ -516,15 +524,14 @@ tasks:
   deploy-android-bundle:
     desc: Build release AAB and upload to Play Store internal track (local/fvm)
     deps: [build-android-bundle-local]
-    preconditions:
-      - sh: test -n "$PLAY_STORE_CONFIG_JSON"
-        msg: "PLAY_STORE_CONFIG_JSON is not set"
+    dotenv: [".env"]
     cmds:
-      - python3 scripts/deploy_playstore.py
+      - sops exec-env secrets.enc.yaml 'python3 scripts/deploy_playstore.py'
 
   build-android-bundle-local:
     desc: Build a release App Bundle (AAB) locally via fvm (not Dagger)
     deps: [_preflight, _android-sdk-check, _codegen, generate-changelog]
+    dotenv: [".env"]
     method: timestamp
     sources:
       - lib/**/*.dart
@@ -533,7 +540,7 @@ tasks:
     generates:
       - build/app/outputs/bundle/release/app-release.aab
     cmds:
-      - ANDROID_HOME=${ANDROID_HOME:-$HOME/Android/Sdk} fvm flutter build appbundle --release --no-pub --build-number $(date +%s) --build-name $(date +%y%m%d-%H%M) --dart-define=GIT_HASH=$(git rev-parse --short HEAD) | grep -Ev "was tree-shaken|Tree-shaking can be disabled"
+      - sops exec-env secrets.enc.yaml 'bash scripts/build_android_bundle_local.sh'
 
   deploy-android:
     desc: Build release APK and upload via scp to $ANDROID_APK_SCP_USER@$ANDROID_APK_SCP_HOST:$ANDROID_APK_SCP_PATH
@@ -560,7 +567,7 @@ tasks:
 
   run:
     desc: Run the app on Linux desktop
-    deps: [_preflight, _linux-deps-check, _pub-get]
+    deps: [_preflight, _linux-deps-check, _pub-get, _codegen]
     cmds:
       - fvm flutter run -d linux --no-pub
 
@@ -663,8 +670,9 @@ tasks:
           ${SSH_USER}@${SSH_HOST}:public_html/
 
   check-fast:
-    desc: Pre-commit checks — analyze + unit+widget tests + coverage gate (no build, no integration)
-    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks]
+    desc: Pre-commit checks via Dagger (format, analyze, mocks, coverage — no integration or backend)
+    cmds:
+      - dagger call --progress=plain -q -m ci --source=. check-fast
 
   check-layers:
     desc: Enforce architecture — ui/ must not import data/ (only core/ interfaces allowed)
@@ -691,6 +699,11 @@ tasks:
         fi
         echo "Hygiene check passed."
 
+  check-ci-images:
+    desc: Verify that all container images referenced in ci/main.go are reachable
+    cmds:
+      - scripts/check_ci_images.sh
+
   _integrations:
     internal: true
     run: once
@@ -703,6 +716,12 @@ tasks:
     cmds:
       - scripts/ci_logs.sh "{{.RUN}}" "{{.JOB}}"
 
+  screenshots:
+    desc: Generate Play Store promotional screenshots (30 golden files — 3 devices × 2 themes × 5 scenes)
+    deps: [_preflight, _codegen]
+    cmds:
+      - fvm flutter test test/screenshot_automation_test.dart --update-goldens
+
   check:
     desc: Full check suite — unit tests first, then integration (merges coverage), then gate
     deps: [analyze, build-linux, test]

android/app/build.gradle.kts

@@ -16,19 +16,23 @@ android {
         isCoreLibraryDesugaringEnabled = true
     }
 
-    kotlinOptions {
-        jvmTarget = JavaVersion.VERSION_17.toString()
+    kotlin {
+        compilerOptions {
+            jvmTarget = org.jetbrains.kotlin.gradle.dsl.JvmTarget.JVM_17
+        }
     }
 
-    signingConfigs {
-        create("release") {
-            // Hardcoded alias matching t.sh
-            keyAlias = "upload"
-            // Use the same password for both key and keystore
-            val pass = System.getenv("ANDROID_KEYSTORE_PASSWORD")
-            storePassword = pass
-            keyPassword = pass
-            storeFile = file("upload-keystore.jks")
+    val ksPath: String? = System.getenv("ANDROID_KEYSTORE_PATH")
+
+    if (ksPath != null) {
+        signingConfigs {
+            create("release") {
+                keyAlias = "upload"
+                val pass = System.getenv("ANDROID_KEYSTORE_PASSWORD") ?: ""
+                storePassword = pass
+                keyPassword = pass
+                storeFile = file(ksPath)
+            }
         }
     }
 
@@ -44,14 +48,9 @@ android {
 
     buildTypes {
         release {
-            // Use the signing config defined above for release builds.
-            // If the keystore file exists (e.g. in CI or manually placed), sign it.
-            signingConfig = if (signingConfigs.getByName("release").storeFile?.exists() == true) {
-                signingConfigs.getByName("release")
-            } else {
-                signingConfigs.getByName("debug")
+            if (ksPath != null) {
+                signingConfig = signingConfigs.getByName("release")
             }
-
             isMinifyEnabled = false
             isShrinkResources = false
             ndk {
@@ -67,7 +66,7 @@ flutter {
 
 dependencies {
     // Required for flutter_local_notifications and other plugins that need Java 8+ APIs on API < 26.
-    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.4")
+    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.5")
     // integration_test is a dev dependency; the Flutter plugin loader adds it as
     // debugImplementation only, but GeneratedPluginRegistrant.java (in src/main)
     // references its class in all variants. Make it available for release compilation

android/gradle/wrapper/gradle-wrapper.properties

@@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-9.5.1-all.zip

android/settings.gradle.kts

@@ -19,8 +19,8 @@ pluginManagement {
 
 plugins {
     id("dev.flutter.flutter-plugin-loader") version "1.0.0"
-    id("com.android.application") version "8.11.1" apply false
-    id("org.jetbrains.kotlin.android") version "2.2.20" apply false
+    id("com.android.application") version "8.13.2" apply false
+    id("org.jetbrains.kotlin.android") version "2.4.0" apply false
 }
 
 include(":app")

ci/go.mod

@@ -2,52 +2,4 @@ module dagger/ci
 
 go 1.26.2
 
-require (
-	dagger.io/dagger v0.20.6-0.20260415192040-7058e9313c72
-	github.com/Khan/genqlient v0.8.1
-	github.com/dagger/otel-go v1.43.0
-	github.com/vektah/gqlparser/v2 v2.5.33
-	go.opentelemetry.io/otel v1.43.0
-	go.opentelemetry.io/otel/trace v1.43.0
-)
-
-require (
-	github.com/99designs/gqlgen v0.17.90 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
-	github.com/sosodev/duration v1.4.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.17.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.17.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 // indirect
-	go.opentelemetry.io/otel/log v0.17.0 // indirect
-	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.43.0
-	go.opentelemetry.io/otel/sdk/log v0.17.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
-	google.golang.org/grpc v1.79.3 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
-)
-
-replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0
-
-replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0
-
-replace go.opentelemetry.io/otel/log => go.opentelemetry.io/otel/log v0.16.0
-
-replace go.opentelemetry.io/otel/sdk/log => go.opentelemetry.io/otel/sdk/log v0.16.0
+require golang.org/x/sync v0.20.0

ci/go.sum

@@ -1,97 +1,2 @@
-dagger.io/dagger v0.20.6-0.20260415192040-7058e9313c72 h1:s39e07WvaUU6tLhpojK8ZEIoIbOSn5hHOJra0waenxQ=
-dagger.io/dagger v0.20.6-0.20260415192040-7058e9313c72/go.mod h1:ZXg8+pQZaZUC8rAw4V/gPP8aKvKARIJZ+pfcV+RC1es=
-github.com/99designs/gqlgen v0.17.90 h1:wSv6blm/PoplU6QoNw83EcQpNtC0HX3/+44vITJOzpk=
-github.com/99designs/gqlgen v0.17.90/go.mod h1:GqYrEwYsqCG8VaOsq2kJUCUKwAE1T+u2i+Nj7NtXiVI=
-github.com/Khan/genqlient v0.8.1 h1:wtOCc8N9rNynRLXN3k3CnfzheCUNKBcvXmVv5zt6WCs=
-github.com/Khan/genqlient v0.8.1/go.mod h1:R2G6DzjBvCbhjsEajfRjbWdVglSH/73kSivC9TLWVjU=
-github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
-github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
-github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
-github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
-github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/dagger/otel-go v1.43.0 h1:AYCnAamWmxtSxigWPTgC+8EWqiWPcDZEegh8y05gdJ8=
-github.com/dagger/otel-go v1.43.0/go.mod h1:83CTuXi70zcx1kaym5buqmb7RNzg1E9dEiQSFyLbLdU=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
-github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
-github.com/sosodev/duration v1.4.0 h1:35ed0KiVFriGHHzZZJaZLgmTEEICIyt8Sx0RQfj9IjE=
-github.com/sosodev/duration v1.4.0/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/vektah/gqlparser/v2 v2.5.33 h1:lRp8aIeNUNbimf/axZd7ETg24q06hBtPaas+TcvI/7E=
-github.com/vektah/gqlparser/v2 v2.5.33/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0 h1:ZVg+kCXxd9LtAaQNKBxAvJ5NpMf7LpvEr4MIZqb0TMQ=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0/go.mod h1:hh0tMeZ75CCXrHd9OXRYxTlCAdxcXioWHFIpYw2rZu8=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0 h1:djrxvDxAe44mJUrKataUbOhCKhR3F8QCyWucO16hTQs=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0/go.mod h1:dt3nxpQEiSoKvfTVxp3TUg5fHPLhKtbcnN3Z1I1ePD0=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 h1:VO3BL6OZXRQ1yQc8W6EVfJzINeJ35BkiHx4MYfoQf44=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0/go.mod h1:qRDnJ2nv3CQXMK2HUd9K9VtvedsPAce3S+/4LZHjX/s=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0 h1:MMrOAN8H1FrvDyq9UJ4lu5/+ss49Qgfgb7Zpm0m8ABo=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0/go.mod h1:Na+2NNASJtF+uT4NxDe0G+NQb+bUgdPDfwxY/6JmS/c=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 h1:ao6Oe+wSebTlQ1OEht7jlYTzQKE+pnx/iNywFvTbuuI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0/go.mod h1:u3T6vz0gh/NVzgDgiwkgLxpsSF6PaPmo2il0apGJbls=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 h1:mq/Qcf28TWz719lE3/hMB4KkyDuLJIvgJnFGcd0kEUI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0/go.mod h1:yk5LXEYhsL2htyDNJbEq7fWzNEigeEdV5xBF/Y+kAv0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 h1:inYW9ZhgqiDqh6BioM7DVHHzEGVq76Db5897WLGZ5Go=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0/go.mod h1:Izur+Wt8gClgMJqO/cZ8wdeeMryJ/xxiOVgFSSfpDTY=
-go.opentelemetry.io/otel/log v0.16.0 h1:DeuBPqCi6pQwtCK0pO4fvMB5eBq6sNxEnuTs88pjsN4=
-go.opentelemetry.io/otel/log v0.16.0/go.mod h1:rWsmqNVTLIA8UnwYVOItjyEZDbKIkMxdQunsIhpUMes=
-go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-go.opentelemetry.io/otel/sdk/log v0.16.0 h1:e/b4bdlQwC5fnGtG3dlXUrNOnP7c8YLVSpSfEBIkTnI=
-go.opentelemetry.io/otel/sdk/log v0.16.0/go.mod h1:JKfP3T6ycy7QEuv3Hj8oKDy7KItrEkus8XJE6EoSzw4=
-go.opentelemetry.io/otel/sdk/log/logtest v0.16.0 h1:/XVkpZ41rVRTP4DfMgYv1nEtNmf65XPPyAdqV90TMy4=
-go.opentelemetry.io/otel/sdk/log/logtest v0.16.0/go.mod h1:iOOPgQr5MY9oac/F5W86mXdeyWZGleIx3uXO98X2R6Y=
-go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
-go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
-go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
-go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
-go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
-google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

ci/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"dagger/ci/internal/dagger"
+	"encoding/json"
 	"fmt"
 	"time"
 
@@ -148,16 +149,33 @@ if __name__ == "__main__":
 `
 
 type Ci struct {
-	Source *dagger.Directory
+	Source         *dagger.Directory
+	FlutterVersion string
 }
 
 func New(
+	ctx context.Context,
 	// +defaultPath=".."
 	source *dagger.Directory,
-) *Ci {
+) (*Ci, error) {
+	fvmrcContents, err := source.File(".fvmrc").Contents(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read .fvmrc: %w", err)
+	}
+	var fvmrc struct {
+		Flutter string `json:"flutter"`
+	}
+	if err := json.Unmarshal([]byte(fvmrcContents), &fvmrc); err != nil {
+		return nil, fmt.Errorf("failed to parse .fvmrc: %w", err)
+	}
+	if fvmrc.Flutter == "" {
+		return nil, fmt.Errorf(".fvmrc is missing the 'flutter' field")
+	}
 	return &Ci{
+		FlutterVersion: fvmrc.Flutter,
 		Source: source.Filter(dagger.DirectoryFilterOpts{
 			Include: []string{
+				".fvmrc",
 				"lib/",
 				"test/",
 				"assets/",
@@ -173,7 +191,7 @@ func New(
 				"website/",
 			},
 		}),
-	}
+	}, nil
 }
 
 // toolchain returns the Flutter+Android toolchain without any mutable cache mounts.
@@ -181,7 +199,7 @@ func New(
 // Used as the base for pubGetLayer so flutter pub get is execution-cached between runs.
 func (m *Ci) toolchain() *dagger.Container {
 	return dag.Container().
-		From("ghcr.io/cirruslabs/flutter:3.41.6").
+		From("ghcr.io/cirruslabs/flutter:"+m.FlutterVersion).
 		WithExec([]string{"apt-get", "-qq", "update"}).
 		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld"}).
 		WithExec([]string{"useradd", "-m", "-s", "/bin/bash", "ci"}).
@@ -338,7 +356,17 @@ func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
-		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
+		// Create .ssh with strict permissions before Dagger mounts anything there,
+		// so the directory is 700 (not Dagger's default 755).
+		WithExec([]string{"sh", "-c", "mkdir -p /root/.ssh && chmod 700 /root/.ssh"}).
+		// Mount the raw key outside .ssh so Dagger cannot override the directory
+		// permissions we just set above.
+		WithMountedSecret("/tmp/id_ed25519.raw", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
+		// Normalise with Python3: strip CRLF/bare-CR, ensure trailing newline.
+		// Using Python3 (not tr) changes the Dagger cache key so stale cached
+		// results from the old tr-based step are not reused.
+		WithExec([]string{"python3", "-c",
+			"import os; raw=open('/tmp/id_ed25519.raw','rb').read(); key=raw.replace(b'\\r\\n',b'\\n').replace(b'\\r',b'\\n'); key=key if key.endswith(b'\\n') else key+b'\\n'; open('/root/.ssh/id_ed25519','wb').write(key); os.chmod('/root/.ssh/id_ed25519',0o600)"}).
 		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }
@@ -412,11 +440,73 @@ func (m *Ci) Format(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }
 
-// CheckMocks verifies that generated mocks are up to date.
-// It snapshots the committed source (including any stale *.mocks.dart) before
+// FormatWrite formats Dart files and exports the modified /src directory.
+func (m *Ci) FormatWrite() *dagger.Directory {
+	return m.setup(m.checkSrc()).
+		WithExec([]string{"dart", "format", "lib", "test"}).
+		Directory("/src")
+}
+
+// Analyze runs static analysis with dart analyze --fatal-infos.
+func (m *Ci) Analyze(ctx context.Context) (string, error) {
+	return m.setup(m.checkSrc()).
+		WithExec([]string{"dart", "analyze", "--fatal-infos"}).
+		Stdout(ctx)
+}
+
+// Codegen runs build_runner and exports the modified /src directory.
+func (m *Ci) Codegen() *dagger.Directory {
+	return m.codegenBase().Directory("/src")
+}
+
+// AnalyzeFix runs dart fix --apply and exports the modified /src directory.
+func (m *Ci) AnalyzeFix() *dagger.Directory {
+	return m.setup(m.checkSrc()).
+		WithExec([]string{"dart", "fix", "--apply"}).
+		Directory("/src")
+}
+
+// CheckFast runs fast checks (hygiene, layers, format, analyze, mocks, coverage) in parallel.
+func (m *Ci) CheckFast(ctx context.Context) (string, error) {
+	ctx, cancel := context.WithTimeout(ctx, 15*time.Minute)
+	defer cancel()
+
+	var eg errgroup.Group
+	eg.Go(func() error {
+		_, err := m.CheckHygiene(ctx)
+		return err
+	})
+	eg.Go(func() error {
+		_, err := m.CheckLayers(ctx)
+		return err
+	})
+	eg.Go(func() error {
+		_, err := m.Format(ctx)
+		return err
+	})
+	eg.Go(func() error {
+		_, err := m.Analyze(ctx)
+		return err
+	})
+	eg.Go(func() error {
+		_, err := m.CheckGenerated(ctx)
+		return err
+	})
+	eg.Go(func() error {
+		_, err := m.Coverage(ctx)
+		return err
+	})
+	if err := eg.Wait(); err != nil {
+		return "", err
+	}
+	return "All fast checks passed!", nil
+}
+
+// CheckGenerated verifies that all generated files (*.g.dart, *.mocks.dart) are up to date.
+// It snapshots the committed source (including any stale generated files) before
 // running build_runner, so git diff detects real staleness instead of always
 // comparing two freshly-generated outputs.
-func (m *Ci) CheckMocks(ctx context.Context) (string, error) {
+func (m *Ci) CheckGenerated(ctx context.Context) (string, error) {
 	return m.pubGetLayer().
 		WithDirectory("/src", m.checkSrc(), dagger.ContainerWithDirectoryOpts{Owner: "ci"}).
 		WithWorkdir("/src").
@@ -429,16 +519,16 @@ func (m *Ci) CheckMocks(ctx context.Context) (string, error) {
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
 				`flutter pub run build_runner build --delete-conflicting-outputs >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -vE '^\[.*s\] \|' "$tmp" || true`}).
-		WithExec([]string{"/bin/bash", "-c", "CHANGED=$(find . -name '*.mocks.dart' | xargs -r git diff --exit-code); if [ $? -ne 0 ]; then echo \"ERROR: Mocks are out of date\"; exit 1; fi; echo \"Mocks are up to date.\""}).
+		WithExec([]string{"/bin/bash", "-c", "CHANGED=$(find . \\( -name '*.g.dart' -o -name '*.mocks.dart' \\) | xargs -r git diff --exit-code); if [ $? -ne 0 ]; then echo \"ERROR: Generated files are out of date — run: dart run build_runner build\"; exit 1; fi; echo \"Generated files are up to date.\""}).
 		Stdout(ctx)
 }
 
-// Coverage runs unit tests with coverage gate.
+// Coverage runs unit and widget tests with coverage gate.
 func (m *Ci) Coverage(ctx context.Context) (string, error) {
 	return m.setup(m.checkSrc()).
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`flutter test test/unit --coverage --reporter expanded --no-pub >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
+				`flutter test test/unit test/widget --exclude-tags golden --coverage --reporter expanded --no-pub >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -E '^All [0-9]+ tests passed' "$tmp" || tail -1 "$tmp"`}).
 		WithExec([]string{"dart", "scripts/check_coverage.dart"}).
 		Stdout(ctx)
@@ -480,11 +570,18 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Minute)
 	defer cancel()
 
-	if _, err := m.CheckHygiene(ctx); err != nil {
-		return "Hygiene check failed", err
-	}
-	if _, err := m.CheckLayers(ctx); err != nil {
-		return "Layer check failed", err
+	// Run cheap structural checks in parallel for faster fail detection.
+	var fastEg errgroup.Group
+	fastEg.Go(func() error {
+		_, err := m.CheckHygiene(ctx)
+		return err
+	})
+	fastEg.Go(func() error {
+		_, err := m.CheckLayers(ctx)
+		return err
+	})
+	if err := fastEg.Wait(); err != nil {
+		return "", err
 	}
 
 	checkSetup := m.setup(m.checkSrc())
@@ -498,7 +595,7 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 		return analyze, err
 	}
 
-	mocks, err := m.CheckMocks(ctx)
+	mocks, err := m.CheckGenerated(ctx)
 	if err != nil {
 		return mocks, err
 	}
@@ -508,16 +605,19 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 		return coverage, err
 	}
 
+	// Use errgroup.Group (not WithContext) so a failing test does not cancel its
+	// sibling via context — which would surface as "context canceled" in dagger
+	// output and trigger spurious retries in check-dagger.
 	var testBackend, testIntegration string
-	eg, egCtx := errgroup.WithContext(ctx)
+	var eg errgroup.Group
 	eg.Go(func() error {
 		var e error
-		testBackend, e = m.TestBackend(egCtx)
+		testBackend, e = m.TestBackend(ctx)
 		return e
 	})
 	eg.Go(func() error {
 		var e error
-		testIntegration, e = m.TestIntegration(egCtx)
+		testIntegration, e = m.TestIntegration(ctx)
 		return e
 	})
 	if err := eg.Wait(); err != nil {
@@ -559,6 +659,8 @@ func (m *Ci) BuildWebsite(
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
+	// +optional
+	commitHash string,
 ) *dagger.Directory {
 	buildHistory := m.GenerateBuildHistory(ctx, sshKey, knownHosts, sshUser, sshHost)
 
@@ -566,9 +668,13 @@ func (m *Ci) BuildWebsite(
 		Include: []string{"website/"},
 	}).WithDirectory("website/content/builds", buildHistory)
 
-	return m.Hugo().
+	hugo := m.Hugo().
 		WithDirectory("/src", websiteSource).
-		WithWorkdir("/src/website").
+		WithWorkdir("/src/website")
+	if commitHash != "" {
+		hugo = hugo.WithEnvVariable("HUGO_PARAMS_GITVERSION", commitHash)
+	}
+	return hugo.
 		WithExec([]string{"hugo", "--minify"}).
 		Directory("public")
 }
@@ -580,8 +686,10 @@ func (m *Ci) PublishWebsite(
 	knownHosts *dagger.Secret,
 	sshUser string,
 	sshHost string,
+	// +optional
+	commitHash string,
 ) (string, error) {
-	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost)
+	public := m.BuildWebsite(ctx, sshKey, knownHosts, sshUser, sshHost, commitHash)
 
 	return m.Deployer(sshKey, knownHosts).
 		WithDirectory("/public", public).
@@ -641,7 +749,8 @@ func (m *Ci) setupKeystore(keystoreBase64 *dagger.Secret, keystorePassword *dagg
 	return m.androidBase().
 		WithSecretVariable("ANDROID_KEYSTORE_BASE64", keystoreBase64).
 		WithSecretVariable("ANDROID_KEYSTORE_PASSWORD", keystorePassword).
-		WithExec([]string{"/bin/sh", "-c", `echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > android/app/upload-keystore.jks`})
+		WithExec([]string{"/bin/sh", "-c", `echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > /tmp/upload-keystore.jks`}).
+		WithEnvVariable("ANDROID_KEYSTORE_PATH", "/tmp/upload-keystore.jks")
 }
 
 // BuildAndroidApk builds a release APK signed with the upload key.
@@ -874,12 +983,12 @@ func (m *Ci) Renovate(ctx context.Context, renovateToken *dagger.Secret) (string
 //
 //	dagger call --progress=plain -q -m ci --source=. graph
 func (m *Ci) Graph() string {
-	return `# CI Pipeline Graph
+	return fmt.Sprintf(`# CI Pipeline Graph
 
-` + "```" + `mermaid
+`+"```"+`mermaid
 flowchart TD
     subgraph dagger ["Dagger · Check pipeline"]
-        toolchain["toolchain\nflutter:3.41.6 + NDK + apt + precache"]
+        toolchain["toolchain\nflutter:%s + NDK + apt + precache"]`, m.FlutterVersion) + `
         pubGet["pubGetLayer\nflutter pub get"]
         codegen["codegenBase\nbuild_runner build\n(shared cache)"]
         stalwart(["Stalwart service\nIMAP · JMAP · SMTP · Sieve"])
@@ -889,7 +998,7 @@ flowchart TD
 
         pubGet --> hygiene["CheckHygiene"]
         pubGet --> layers["CheckLayers"]
-        pubGet --> mocks["CheckMocks\n(own build_runner run)"]
+        pubGet --> mocks["CheckGenerated\n(own build_runner run)"]
 
         codegen --> fmt["Format"]
         codegen --> analyze["Analyze"]

deploy.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
 
 # Load .env into environment

done.md

@@ -4,6 +4,18 @@ This file contains tasks which got implemented.
 
 Tasks get moved from next.md to done.md
 
+## Tasks (2026-05-29)
+
+- **Merge PR #307 — user preferences and configurable navigation (Issue #315)**: Confirmed that
+  all features from PR #307 (issue #299) were already merged into main via separate PRs:
+  - Configurable menu bar position (bottom/top) for mailbox view — merged via #298/#303
+  - Configurable back button position for single mail view — merged via #299/#307 features in #300
+  - Configurable "after mail action" (next message / return to mailbox) — merged via #300/#308
+  - Archive button with `resolveMailboxByRole` helper — merged via #287/#291, #286/#290
+  - User preferences DB schema (v34–v36: `user_preferences` table) — in main
+  - PR #307 and issue #299 closed.
+  - Issue #315 closed.
+
 ## Tasks (2026-05-26)
 
 - **Renovate Bot (Issue #257)**: Renovate Bot runs daily via Forgejo Actions to keep

flake.nix

@@ -99,6 +99,7 @@
               httplib2
             ]))  # used by stalwart-dev/start and deploy_playstore.py
             fgj      # Codeberg/Forgejo CLI (like gh for GitHub)
+            skopeo   # inspect OCI image manifests without pulling layers (used by check-ci-images)
           ]);
 
           shellHook = ''

go.mod

@@ -0,0 +1,3 @@
+module codeberg.org/guettli/sharedinbox
+
+go 1.22

icon.svg

@@ -0,0 +1,25 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" width="512" height="512" shape-rendering="geometricPrecision">
+  <!-- White Background -->
+  <rect width="512" height="512" fill="white"/>
+
+  <!-- 6 Concentric Rainbow Rings (Tunnel Vision Geometry) -->
+  <g fill-rule="evenodd" stroke="black" stroke-width="2.5">
+    <!-- Red -->
+    <path fill="#FF0000" d="M256,256 m-242,0 a242,242 0 1,0 484,0 a242,242 0 1,0 -484,0 Z M256,256 m-190,0 a190,190 0 1,0 380,0 a190,190 0 1,0 -380,0 Z" />
+
+    <!-- Orange -->
+    <path fill="#FF8C00" d="M256,256 m-170,0 a170,170 0 1,0 340,0 a170,170 0 1,0 -340,0 Z M256,256 m-131,0 a131,131 0 1,0 262,0 a131,131 0 1,0 -262,0 Z" />
+
+    <!-- Yellow -->
+    <path fill="#FFD700" d="M256,256 m-115,0 a115,115 0 1,0 230,0 a115,115 0 1,0 -230,0 Z M256,256 m-85,0 a85,85 0 1,0 170,0 a85,85 0 1,0 -170,0 Z" />
+
+    <!-- Green -->
+    <path fill="#22AA00" d="M256,256 m-73,0 a73,73 0 1,0 146,0 a73,73 0 1,0 -146,0 Z M256,256 m-51,0 a51,51 0 1,0 102,0 a51,51 0 1,0 -102,0 Z" />
+
+    <!-- Blue -->
+    <path fill="#0055FF" d="M256,256 m-41,0 a41,41 0 1,0 82,0 a41,41 0 1,0 -82,0 Z M256,256 m-24,0 a24,24 0 1,0 48,0 a24,24 0 1,0 -48,0 Z" />
+
+    <!-- Purple -->
+    <path fill="#8B00FF" d="M256,256 m-16,0 a16,16 0 1,0 32,0 a16,16 0 1,0 -32,0 Z M256,256 m-3,0 a3,3 0 1,0 6,0 a3,3 0 1,0 -6,0 Z" />
+  </g>
+</svg>

integration_test/app_e2e_test.dart

@@ -317,7 +317,7 @@ void main() {
 
       // ── Check Sent folder ──────────────────────────────────────────────────
       // Use the drawer to switch folders (no back button on Linux desktop).
-      await tester.tap(find.byTooltip('Open navigation menu'));
+      await tester.tap(find.byTooltip('Open folders'));
       await tester.pumpAndSettle();
       await tester.tap(find.text('Sent'));
       await tester.pumpAndSettle();
@@ -331,7 +331,7 @@ void main() {
       expect(find.text(subject), findsOneWidget);
 
       // ── Check Inbox ────────────────────────────────────────────────────────
-      await tester.tap(find.byTooltip('Open navigation menu'));
+      await tester.tap(find.byTooltip('Open folders'));
       await tester.pumpAndSettle();
       await tester.tap(find.text('INBOX'));
       await tester.pumpAndSettle();

lib/core/db_schema_version.dart

@@ -1 +1 @@
-const int dbSchemaVersion = 33;
+const int dbSchemaVersion = 38;

lib/core/models/email.dart

@@ -192,6 +192,22 @@ class EmailThread {
     required this.accountId,
     required this.mailboxPath,
   });
+
+  /// Wraps a single [Email] as a one-message thread for uniform rendering.
+  factory EmailThread.fromEmail(Email e) => EmailThread(
+        threadId: e.threadId ?? e.id,
+        subject: e.subject,
+        participants: e.from,
+        latestDate: e.sentAt ?? e.receivedAt,
+        messageCount: 1,
+        hasUnread: !e.isSeen,
+        isFlagged: e.isFlagged,
+        latestEmailId: e.id,
+        preview: e.preview,
+        emailIds: [e.id],
+        accountId: e.accountId,
+        mailboxPath: e.mailboxPath,
+      );
 }
 
 class EmailAddress {

lib/core/models/user_preferences.dart

@@ -0,0 +1,31 @@
+enum MenuPosition { bottom, top }
+
+enum AfterMailViewAction { nextMessage, showMailbox }
+
+enum PrefetchMode {
+  disabled,
+  wifiOnly,
+  always;
+
+  static PrefetchMode fromString(String? value) {
+    return PrefetchMode.values.firstWhere(
+      (e) => e.name == value,
+      orElse: () => PrefetchMode.wifiOnly,
+    );
+  }
+}
+
+class UserPreferences {
+  const UserPreferences({
+    this.menuPosition = MenuPosition.bottom,
+    this.mailViewButtonPosition = MenuPosition.bottom,
+    this.afterMailViewAction = AfterMailViewAction.nextMessage,
+    this.prefetchMode = PrefetchMode.wifiOnly,
+    this.bodyCacheLimitMb = 100,
+  });
+  final MenuPosition menuPosition;
+  final MenuPosition mailViewButtonPosition;
+  final AfterMailViewAction afterMailViewAction;
+  final PrefetchMode prefetchMode;
+  final int bodyCacheLimitMb;
+}

lib/core/repositories/email_repository.dart

@@ -15,6 +15,10 @@ abstract class EmailRepository {
     int limit = 50,
   });
 
+  /// Returns threads from the INBOX mailbox of every account, sorted by latest
+  /// message date descending. Inbox mailboxes are identified by role = 'inbox'.
+  Stream<List<EmailThread>> observeAllInboxThreads({int limit = 50});
+
   /// Returns all emails belonging to [threadId] in [mailboxPath].
   Stream<List<Email>> observeEmailsInThread(
     String accountId,

lib/core/repositories/mailbox_repository.dart

@@ -11,4 +11,17 @@ abstract class MailboxRepository {
 
   /// Deletes all locally-cached mailbox rows for [accountId].
   Future<void> clearForResync(String accountId);
+
+  /// Creates a new mailbox named [name] for [accountId] and tags it with
+  /// [role] in the local database. For JMAP accounts the role is also sent
+  /// to the server. Returns the newly created [Mailbox].
+  Future<Mailbox> createMailboxWithRole(
+    String accountId,
+    String name,
+    String role,
+  );
+
+  /// Creates a new mailbox named [name] for [accountId] without a special role.
+  /// Returns the newly created [Mailbox].
+  Future<Mailbox> createMailbox(String accountId, String name);
 }

lib/core/repositories/user_preferences_repository.dart

@@ -0,0 +1,14 @@
+import 'package:sharedinbox/core/models/user_preferences.dart';
+
+abstract class UserPreferencesRepository {
+  Stream<UserPreferences> observePreferences();
+  Future<void> updateMenuPosition(MenuPosition position);
+  Future<void> updateMailViewButtonPosition(MenuPosition position);
+  Future<void> updateAfterMailViewAction(AfterMailViewAction action);
+  Future<void> updatePrefetchMode(PrefetchMode mode);
+  Future<void> updateBodyCacheLimitMb(int mb);
+
+  Stream<List<String>> observeTrustedImageSenders();
+  Future<void> addTrustedImageSender(String senderEmail);
+  Future<void> removeTrustedImageSender(String senderEmail);
+}

lib/core/services/body_cache_service.dart

@@ -0,0 +1,82 @@
+import 'package:drift/drift.dart';
+import 'package:sharedinbox/core/repositories/account_repository.dart';
+import 'package:sharedinbox/data/db/database.dart';
+import 'package:sharedinbox/data/repositories/email_repository_impl.dart';
+
+/// Prefetches email bodies in the background and enforces a local cache size
+/// limit by evicting the oldest cached bodies when the limit is exceeded.
+class BodyCacheService {
+  BodyCacheService(this._db, this._accountRepo);
+
+  final AppDatabase _db;
+  final AccountRepository _accountRepo;
+
+  static const _batchSize = 20;
+
+  Future<void> run() async {
+    final prefs = await (_db.select(
+      _db.userPreferences,
+    )).getSingleOrNull();
+    final limitMb = prefs?.bodyCacheLimitMb ?? 100;
+    final limitBytes = limitMb * 1024 * 1024;
+
+    await _evictIfNeeded(limitBytes);
+
+    final candidates = await _fetchCandidates();
+    if (candidates.isEmpty) return;
+
+    final emailRepo = EmailRepositoryImpl(_db, _accountRepo);
+
+    for (final emailId in candidates) {
+      final currentSize = await _getCacheSizeBytes();
+      if (currentSize >= limitBytes) break;
+      try {
+        await emailRepo.getEmailBody(emailId);
+      } catch (_) {
+        // Skip emails that fail to fetch.
+      }
+    }
+  }
+
+  Future<void> _evictIfNeeded(int limitBytes) async {
+    final currentSize = await _getCacheSizeBytes();
+    if (currentSize <= limitBytes) return;
+
+    final bodies = await (_db.select(_db.emailBodies)
+          ..where((t) => t.cachedAt.isNotNull())
+          ..orderBy([(t) => OrderingTerm.asc(t.cachedAt)]))
+        .get();
+
+    var remaining = currentSize;
+    for (final body in bodies) {
+      if (remaining <= limitBytes) break;
+      final bodySize =
+          (body.textBody?.length ?? 0) + (body.htmlBody?.length ?? 0);
+      await (_db.delete(_db.emailBodies)
+            ..where((t) => t.emailId.equals(body.emailId)))
+          .go();
+      remaining -= bodySize;
+    }
+  }
+
+  Future<int> _getCacheSizeBytes() async {
+    final result = await _db
+        .customSelect(
+          "SELECT COALESCE(SUM(LENGTH(COALESCE(text_body, '')) + LENGTH(COALESCE(html_body, ''))), 0) AS total FROM email_bodies",
+        )
+        .getSingle();
+    return result.read<int>('total');
+  }
+
+  Future<List<String>> _fetchCandidates() async {
+    final rows = await _db.customSelect(
+      'SELECT e.id FROM emails e '
+      'LEFT JOIN email_bodies eb ON eb.email_id = e.id '
+      'WHERE eb.email_id IS NULL '
+      'ORDER BY e.received_at DESC '
+      'LIMIT ?',
+      variables: [Variable.withInt(_batchSize)],
+    ).get();
+    return rows.map((r) => r.read<String>('id')).toList();
+  }
+}

lib/core/services/share_encryption_service.dart

@@ -92,8 +92,9 @@ class ShareEncryptionService {
   ) {
     if (!s.startsWith(_pubKeyPrefix)) return null;
     try {
-      final data =
-          Uint8List.fromList(base64.decode(s.substring(_pubKeyPrefix.length)));
+      final data = Uint8List.fromList(
+        base64.decode(s.substring(_pubKeyPrefix.length)),
+      );
       if (data.length != _keyIdLen + _pubKeyLen) return null;
       return (
         keyId: data.sublist(0, _keyIdLen),

lib/core/sieve/sieve_interpreter.dart

@@ -108,8 +108,9 @@ class SieveInterpreter {
   }
 
   bool _globMatch(String value, String pattern) {
-    final regexStr =
-        RegExp.escape(pattern).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
+    final regexStr = RegExp.escape(
+      pattern,
+    ).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
     return RegExp('^$regexStr\$').hasMatch(value);
   }
 

lib/core/sieve/sieve_parser.dart

@@ -466,9 +466,7 @@ class _Scanner {
 
   String readTaggedArg() {
     if (!isAtEnd && _src[_pos] == ':') return readWord();
-    throw SieveParseException(
-      'Expected tagged argument at position $_pos',
-    );
+    throw SieveParseException('Expected tagged argument at position $_pos');
   }
 
   String? peekSizeUnit() {
@@ -480,9 +478,7 @@ class _Scanner {
 
   String readDigits() {
     if (isAtEnd || !_isDigit(_src[_pos])) {
-      throw SieveParseException(
-        'Expected number at position $_pos',
-      );
+      throw SieveParseException('Expected number at position $_pos');
     }
     final start = _pos;
     while (!isAtEnd && _isDigit(_src[_pos])) {
@@ -493,9 +489,7 @@ class _Scanner {
 
   String readQuotedString() {
     if (_src[_pos] != '"') {
-      throw SieveParseException(
-        'Expected " at position $_pos',
-      );
+      throw SieveParseException('Expected " at position $_pos');
     }
     _pos++; // skip opening quote
     final buf = StringBuffer();

lib/core/sync/background_sync.dart

@@ -11,7 +11,9 @@ import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
 
 import 'package:sharedinbox/core/models/account.dart' as model;
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
+import 'package:sharedinbox/core/services/body_cache_service.dart';
 import 'package:sharedinbox/core/services/notification_service.dart';
 import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
@@ -21,6 +23,7 @@ import 'package:sharedinbox/data/storage/flutter_secure_storage_impl.dart';
 import 'package:workmanager/workmanager.dart';
 
 const _kTaskName = 'si_bg_sync';
+const _kPrefetchTaskName = 'si_bg_prefetch';
 const _kResourceType = 'background_check';
 
 @pragma('vm:entry-point')
@@ -28,9 +31,13 @@ void callbackDispatcher() {
   // Required so that path_provider and other plugins are available in this
   // background isolate (issue #192).
   WidgetsFlutterBinding.ensureInitialized();
-  Workmanager().executeTask((_, __) async {
+  Workmanager().executeTask((taskName, __) async {
     try {
-      await _doBackgroundSync();
+      if (taskName == _kPrefetchTaskName) {
+        await _doBodyPrefetch();
+      } else {
+        await _doBackgroundSync();
+      }
     } catch (_) {}
     return true;
   });
@@ -55,6 +62,31 @@ Future<void> registerBackgroundSync() async {
   }
 }
 
+/// Registers (or cancels) the body-prefetch WorkManager task based on [mode].
+/// Call on app startup and whenever the user changes the prefetch preference.
+Future<void> registerBodyPrefetchTask(PrefetchMode mode) async {
+  try {
+    if (mode == PrefetchMode.disabled) {
+      await Workmanager().cancelByUniqueName(_kPrefetchTaskName);
+      return;
+    }
+    final networkType = mode == PrefetchMode.wifiOnly
+        ? NetworkType.unmetered
+        : NetworkType.connected;
+    await Workmanager().registerPeriodicTask(
+      _kPrefetchTaskName,
+      _kPrefetchTaskName,
+      frequency: const Duration(hours: 1),
+      constraints: Constraints(networkType: networkType),
+      existingWorkPolicy: ExistingPeriodicWorkPolicy.replace,
+    );
+  } on PlatformException {
+    // Ignore — WorkManager unavailable.
+  } on MissingPluginException {
+    // Ignore — plugin not registered.
+  } catch (_) {}
+}
+
 Future<void> _doBackgroundSync() async {
   final dir = await getApplicationSupportDirectory();
   final db = AppDatabase(
@@ -76,6 +108,22 @@ Future<void> _doBackgroundSync() async {
   }
 }
 
+Future<void> _doBodyPrefetch() async {
+  final dir = await getApplicationSupportDirectory();
+  final db = AppDatabase(
+    NativeDatabase(File(p.join(dir.path, 'sharedinbox.db'))),
+  );
+  try {
+    final accountRepo = AccountRepositoryImpl(
+      db,
+      const FlutterSecureStorageImpl(),
+    );
+    await BodyCacheService(db, accountRepo).run();
+  } finally {
+    await db.close();
+  }
+}
+
 Future<void> _checkAccount(
   AppDatabase db,
   AccountRepository accountRepo,

lib/core/utils/cid_utils.dart

@@ -35,10 +35,7 @@ String injectInlineImages(String html, imap.MimeMessage msg) {
         .replaceAll('src="cid:$bareCid"', 'src="$dataUri"')
         .replaceAll("src='cid:$bareCid'", "src='$dataUri'")
         .replaceAll('src="cid:${bareCid.toLowerCase()}"', 'src="$dataUri"')
-        .replaceAll(
-          "src='cid:${bareCid.toLowerCase()}'",
-          "src='$dataUri'",
-        );
+        .replaceAll("src='cid:${bareCid.toLowerCase()}'", "src='$dataUri'");
   }
   return result;
 }

lib/data/db/database.dart

@@ -307,6 +307,40 @@ class LocalSieveApplied extends Table {
   Set<Column> get primaryKey => {accountId, messageId};
 }
 
+/// Senders for whom remote images are loaded automatically.
+/// Per-device/per-user — not tied to any email account.
+@DataClassName('ImageTrustedSenderRow')
+class ImageTrustedSenders extends Table {
+  TextColumn get senderEmail => text()();
+  DateTimeColumn get addedAt => dateTime()();
+
+  @override
+  Set<Column> get primaryKey => {senderEmail};
+}
+
+/// App-wide user preferences, stored as a singleton row (id always 1).
+@DataClassName('UserPreferencesRow')
+class UserPreferences extends Table {
+  IntColumn get id => integer()();
+  // 'bottom' (default) | 'top'
+  TextColumn get menuPosition => text().withDefault(const Constant('bottom'))();
+  // Added in schema v35: 'bottom' (default) | 'top'
+  TextColumn get mailViewButtonPosition =>
+      text().withDefault(const Constant('bottom'))();
+  // Added in schema v36: 'nextMessage' (default) | 'showMailbox'
+  TextColumn get afterMailViewAction =>
+      text().withDefault(const Constant('nextMessage'))();
+  // Added in schema v38: 'disabled' | 'wifiOnly' (default) | 'always'
+  TextColumn get prefetchMode =>
+      text().withDefault(const Constant('wifiOnly'))();
+  // Added in schema v38: max cache size for offline email bodies, in megabytes.
+  IntColumn get bodyCacheLimitMb =>
+      integer().withDefault(const Constant(100))();
+
+  @override
+  Set<Column> get primaryKey => {id};
+}
+
 // ── Database ──────────────────────────────────────────────────────────────────
 
 @DriftDatabase(
@@ -327,6 +361,8 @@ class LocalSieveApplied extends Table {
     LocalSieveScripts,
     LocalSieveApplied,
     ShareKeys,
+    UserPreferences,
+    ImageTrustedSenders,
   ],
 )
 class AppDatabase extends _$AppDatabase {
@@ -578,6 +614,31 @@ class AppDatabase extends _$AppDatabase {
             await m.addColumn(syncLogs, syncLogs.errorStackTrace);
             await m.addColumn(syncLogs, syncLogs.isPermanent);
           }
+          if (from < 34) {
+            await m.createTable(userPreferences);
+          }
+          if (from >= 34 && from < 35) {
+            await m.addColumn(
+              userPreferences,
+              userPreferences.mailViewButtonPosition,
+            );
+          }
+          if (from >= 34 && from < 36) {
+            await m.addColumn(
+              userPreferences,
+              userPreferences.afterMailViewAction,
+            );
+          }
+          if (from < 37) {
+            await m.createTable(imageTrustedSenders);
+          }
+          if (from >= 34 && from < 38) {
+            await m.addColumn(userPreferences, userPreferences.prefetchMode);
+            await m.addColumn(
+              userPreferences,
+              userPreferences.bodyCacheLimitMb,
+            );
+          }
         },
       );
 }

lib/data/db/local_sieve_repository.dart

@@ -9,8 +9,9 @@ class LocalSieveRepository {
   final AppDatabase _db;
 
   Future<List<SieveScript>> listScripts(String accountId) async {
-    final rows = await (_db.select(_db.localSieveScripts)
-          ..where((t) => t.accountId.equals(accountId)))
+    final rows = await (_db.select(
+      _db.localSieveScripts,
+    )..where((t) => t.accountId.equals(accountId)))
         .get();
     return rows
         .map(
@@ -26,10 +27,9 @@ class LocalSieveRepository {
 
   Future<String> getScriptContent(String accountId, String blobId) async {
     final rowId = int.parse(blobId);
-    final row = await (_db.select(_db.localSieveScripts)
-          ..where(
-            (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
-          ))
+    final row = await (_db.select(
+      _db.localSieveScripts,
+    )..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
         .getSingleOrNull();
     if (row == null) throw Exception('Local script not found: $blobId');
     return row.content;
@@ -44,9 +44,7 @@ class LocalSieveRepository {
     if (id != null) {
       final rowId = int.parse(id);
       await (_db.update(_db.localSieveScripts)
-            ..where(
-              (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
-            ))
+            ..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
           .write(
         LocalSieveScriptsCompanion(
           name: Value(name),
@@ -78,10 +76,9 @@ class LocalSieveRepository {
 
   Future<void> deleteScript(String accountId, String scriptId) async {
     final rowId = int.parse(scriptId);
-    await (_db.delete(_db.localSieveScripts)
-          ..where(
-            (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
-          ))
+    await (_db.delete(
+      _db.localSieveScripts,
+    )..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
         .go();
   }
 
@@ -92,9 +89,7 @@ class LocalSieveRepository {
           .write(const LocalSieveScriptsCompanion(isActive: Value(false)));
       final rowId = int.parse(scriptId);
       await (_db.update(_db.localSieveScripts)
-            ..where(
-              (t) => t.id.equals(rowId) & t.accountId.equals(accountId),
-            ))
+            ..where((t) => t.id.equals(rowId) & t.accountId.equals(accountId)))
           .write(const LocalSieveScriptsCompanion(isActive: Value(true)));
     });
   }

lib/data/repositories/draft_repository_impl.dart

@@ -9,11 +9,8 @@ import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
 
 class DraftRepositoryImpl implements DraftRepository {
-  DraftRepositoryImpl(
-    this._db,
-    this._accounts, {
-    ImapConnectFn? imapConnect,
-  }) : _imapConnect = imapConnect;
+  DraftRepositoryImpl(this._db, this._accounts, {ImapConnectFn? imapConnect})
+      : _imapConnect = imapConnect;
 
   final AppDatabase _db;
   final AccountRepository _accounts;
@@ -124,10 +121,7 @@ class DraftRepositoryImpl implements DraftRepository {
     }
   }
 
-  Future<void> _syncWithServer(
-    imap.ImapClient client,
-    String accountId,
-  ) async {
+  Future<void> _syncWithServer(imap.ImapClient client, String accountId) async {
     // Create/select the Drafts folder.
     try {
       await client.createMailbox('Drafts');
@@ -162,8 +156,9 @@ class DraftRepositoryImpl implements DraftRepository {
           ? uidList.first.toString()
           : null;
       if (uid != null) {
-        await (_db.update(_db.drafts)..where((t) => t.id.equals(row.id)))
-            .write(DraftsCompanion(imapServerId: Value(uid)));
+        await (_db.update(_db.drafts)..where((t) => t.id.equals(row.id))).write(
+          DraftsCompanion(imapServerId: Value(uid)),
+        );
       }
     }
 

lib/data/repositories/email_repository_impl.dart

@@ -95,6 +95,26 @@ class EmailRepositoryImpl implements EmailRepository {
         .map((rows) => rows.map(_threadRowToModel).toList());
   }
 
+  @override
+  Stream<List<model.EmailThread>> observeAllInboxThreads({int limit = 50}) {
+    final query = _db.select(_db.threads).join([
+      innerJoin(
+        _db.mailboxes,
+        _db.mailboxes.accountId.equalsExp(_db.threads.accountId) &
+            _db.mailboxes.path.equalsExp(_db.threads.mailboxPath),
+      ),
+    ]);
+    query
+      ..where(_db.mailboxes.role.equals('inbox'))
+      ..orderBy([OrderingTerm.desc(_db.threads.latestDate)])
+      ..limit(limit);
+    return query.watch().map(
+          (rows) => rows
+              .map((row) => _threadRowToModel(row.readTable(_db.threads)))
+              .toList(),
+        );
+  }
+
   model.EmailThread _threadRowToModel(ThreadRow row) {
     List<model.EmailAddress> parseAddresses(String json) {
       final list = jsonDecode(json) as List<dynamic>;
@@ -156,6 +176,7 @@ class EmailRepositoryImpl implements EmailRepository {
       return;
     }
 
+    if (threadEmails.isEmpty) return;
     final latest = threadEmails.last;
 
     // Collect unique participants across the whole thread.
@@ -237,7 +258,12 @@ class EmailRepositoryImpl implements EmailRepository {
     try {
       await client.selectMailboxByPath(emailRow.mailboxPath);
       final fetch = await client.uidFetchMessage(emailRow.uid, '(BODY.PEEK[])');
-      final msg = fetch.messages.first;
+      final msg = fetch.messages.firstOrNull;
+      if (msg == null) {
+        throw StateError(
+          'IMAP server returned no message for UID ${emailRow.uid}.',
+        );
+      }
       final textBody = msg.decodeTextPlainPart();
       final rawHtml = msg.decodeTextHtmlPart();
       final htmlBody =
@@ -325,13 +351,7 @@ class EmailRepositoryImpl implements EmailRepository {
           ],
           'fetchHTMLBodyValues': true,
           'fetchTextBodyValues': true,
-          'bodyProperties': [
-            'partId',
-            'type',
-            'name',
-            'size',
-            'subParts',
-          ],
+          'bodyProperties': ['partId', 'type', 'name', 'size', 'subParts'],
         },
         '0',
       ],
@@ -1949,8 +1969,9 @@ class EmailRepositoryImpl implements EmailRepository {
         .getSingleOrNull();
     final inboxPath = inboxMailbox?.path ?? 'INBOX';
 
-    final alreadyApplied = await (_db.select(_db.localSieveApplied)
-          ..where((t) => t.accountId.equals(accountId)))
+    final alreadyApplied = await (_db.select(
+      _db.localSieveApplied,
+    )..where((t) => t.accountId.equals(accountId)))
         .get();
     final appliedIds = alreadyApplied.map((r) => r.messageId).toSet();
 
@@ -2050,7 +2071,9 @@ class EmailRepositoryImpl implements EmailRepository {
             ..limit(1))
           .getSingleOrNull();
       if (destMailbox == null) {
-        log('Sieve: JMAP mailbox "$folder" not found for account ${account.id}');
+        log(
+          'Sieve: JMAP mailbox "$folder" not found for account ${account.id}',
+        );
         return;
       }
       destPath = destMailbox.path;
@@ -2808,11 +2831,13 @@ class EmailRepositoryImpl implements EmailRepository {
       // Content-Transfer-Encoding) and getPart() can decode the part correctly.
       // A partial BODY.PEEK[n] fetch omits those headers, causing
       // decodeContentBinary() to return raw base64 instead of decoded bytes.
-      final fetch = await client.uidFetchMessage(
-        emailRow.uid,
-        'BODY.PEEK[]',
-      );
-      final msg = fetch.messages.first;
+      final fetch = await client.uidFetchMessage(emailRow.uid, 'BODY.PEEK[]');
+      final msg = fetch.messages.firstOrNull;
+      if (msg == null) {
+        throw StateError(
+          'IMAP server returned no message for UID ${emailRow.uid}.',
+        );
+      }
       final part = msg.getPart(attachment.fetchPartId) ?? msg;
       final bytes = part.decodeContentBinary();
       if (bytes == null) {
@@ -2874,11 +2899,14 @@ class EmailRepositoryImpl implements EmailRepository {
     );
     try {
       await client.selectMailboxByPath(emailRow.mailboxPath);
-      final fetch = await client.uidFetchMessage(
-        emailRow.uid,
-        'BODY.PEEK[]',
-      );
-      return fetch.messages.first.renderMessage();
+      final fetch = await client.uidFetchMessage(emailRow.uid, 'BODY.PEEK[]');
+      final msg = fetch.messages.firstOrNull;
+      if (msg == null) {
+        throw StateError(
+          'IMAP server returned no message for UID ${emailRow.uid}.',
+        );
+      }
+      return msg.renderMessage();
     } finally {
       await client.logout();
     }
@@ -2955,6 +2983,20 @@ class EmailRepositoryImpl implements EmailRepository {
   }) async {
     if (query.length < 2) return [];
     final pattern = '%${query.toLowerCase()}%';
+
+    // Addresses we deliberately wrote to (sent folder) should appear before
+    // addresses that happened to email us (inbox/other folders).
+    final sentMailboxes = await (_db.select(_db.mailboxes)
+          ..where((t) {
+            Expression<bool> cond = t.role.equals('sent');
+            if (accountId != null) {
+              cond = t.accountId.equals(accountId) & cond;
+            }
+            return cond;
+          }))
+        .get();
+    final sentPaths = {for (final m in sentMailboxes) m.path};
+
     final rows = await (_db.select(_db.emails)
           ..where((t) {
             Expression<bool> cond = const Constant(true);
@@ -2969,11 +3011,22 @@ class EmailRepositoryImpl implements EmailRepository {
           ..limit(100))
         .get();
 
+    // Two passes: sent-folder rows first (prioritise recipients we chose),
+    // then other rows (senders who contacted us).
+    final sortedRows = [
+      ...rows.where((r) => sentPaths.contains(r.mailboxPath)),
+      ...rows.where((r) => !sentPaths.contains(r.mailboxPath)),
+    ];
+
     final seen = <String>{};
     final results = <model.EmailAddress>[];
     final lowerQuery = query.toLowerCase();
-    for (final row in rows) {
-      for (final jsonStr in [row.fromJson, row.toAddresses, row.ccJson]) {
+    for (final row in sortedRows) {
+      final isSent = sentPaths.contains(row.mailboxPath);
+      final fields = isSent
+          ? [row.toAddresses, row.ccJson, row.fromJson]
+          : [row.fromJson, row.toAddresses, row.ccJson];
+      for (final jsonStr in fields) {
         final list = jsonDecode(jsonStr) as List<dynamic>;
         for (final e in list) {
           final map = e as Map<String, dynamic>;
@@ -3252,14 +3305,17 @@ class EmailRepositoryImpl implements EmailRepository {
     await _db.customStatement('PRAGMA foreign_keys = OFF');
     try {
       await _db.transaction(() async {
-        await (_db.delete(_db.emails)
-              ..where((t) => t.accountId.equals(accountId)))
+        await (_db.delete(
+          _db.emails,
+        )..where((t) => t.accountId.equals(accountId)))
             .go();
-        await (_db.delete(_db.pendingChanges)
-              ..where((t) => t.accountId.equals(accountId)))
+        await (_db.delete(
+          _db.pendingChanges,
+        )..where((t) => t.accountId.equals(accountId)))
             .go();
-        await (_db.delete(_db.syncStates)
-              ..where((t) => t.accountId.equals(accountId)))
+        await (_db.delete(
+          _db.syncStates,
+        )..where((t) => t.accountId.equals(accountId)))
             .go();
       });
     } finally {

lib/data/repositories/mailbox_repository_impl.dart

@@ -79,6 +79,15 @@ class MailboxRepositoryImpl implements MailboxRepository {
     );
     try {
       final mailboxes = await client.listMailboxes(recursive: true);
+
+      // Pre-load existing DB roles so we can preserve manually-set roles for
+      // folders the server doesn't tag with a special-use attribute.
+      final existingRows = await (_db.select(
+        _db.mailboxes,
+      )..where((t) => t.accountId.equals(account.id)))
+          .get();
+      final existingRoles = {for (final r in existingRows) r.id: r.role};
+
       for (final mb in mailboxes) {
         final path = mb.path;
         final id = '${account.id}:$path';
@@ -96,6 +105,12 @@ class MailboxRepositoryImpl implements MailboxRepository {
           log('STATUS skipped for $path: $e');
         }
 
+        // Use the server-assigned role when available; fall back to the
+        // existing DB role so that manually-created folders (e.g. a user
+        // who just created their Archive folder) keep their role across syncs
+        // when the IMAP server does not expose a special-use attribute.
+        final role = _imapRole(mb) ?? existingRoles[id];
+
         await _db.into(_db.mailboxes).insertOnConflictUpdate(
               MailboxesCompanion.insert(
                 id: id,
@@ -104,7 +119,7 @@ class MailboxRepositoryImpl implements MailboxRepository {
                 name: mb.name,
                 unreadCount: Value(unread),
                 totalCount: Value(total),
-                role: Value(_imapRole(mb)),
+                role: Value(role),
               ),
             );
       }
@@ -306,8 +321,127 @@ class MailboxRepositoryImpl implements MailboxRepository {
 
   @override
   Future<void> clearForResync(String accountId) async {
-    await (_db.delete(_db.mailboxes)
-          ..where((t) => t.accountId.equals(accountId)))
+    await (_db.delete(
+      _db.mailboxes,
+    )..where((t) => t.accountId.equals(accountId)))
         .go();
   }
+
+  @override
+  Future<model.Mailbox> createMailboxWithRole(
+    String accountId,
+    String name,
+    String role,
+  ) async {
+    final account = (await _accounts.getAccount(accountId))!;
+    final password = await _accounts.getPassword(accountId);
+    switch (account.type) {
+      case account_model.AccountType.imap:
+        return _createMailboxWithRoleImap(account, password, name, role);
+      case account_model.AccountType.jmap:
+        return _createMailboxWithRoleJmap(account, password, name, role);
+    }
+  }
+
+  @override
+  Future<model.Mailbox> createMailbox(String accountId, String name) async {
+    final account = (await _accounts.getAccount(accountId))!;
+    final password = await _accounts.getPassword(accountId);
+    switch (account.type) {
+      case account_model.AccountType.imap:
+        return _createMailboxWithRoleImap(account, password, name, null);
+      case account_model.AccountType.jmap:
+        return _createMailboxWithRoleJmap(account, password, name, null);
+    }
+  }
+
+  Future<model.Mailbox> _createMailboxWithRoleImap(
+    account_model.Account account,
+    String password,
+    String name,
+    String? role,
+  ) async {
+    final client = await _imapConnect(
+      account,
+      _effectiveUsername(account),
+      password,
+    );
+    try {
+      await client.createMailbox(name);
+    } finally {
+      await client.logout();
+    }
+    final id = '${account.id}:$name';
+    await _db.into(_db.mailboxes).insertOnConflictUpdate(
+          MailboxesCompanion.insert(
+            id: id,
+            accountId: account.id,
+            path: name,
+            name: name,
+            role: Value(role),
+          ),
+        );
+    final row = await (_db.select(
+      _db.mailboxes,
+    )..where((t) => t.id.equals(id)))
+        .getSingle();
+    return _toModel(row);
+  }
+
+  Future<model.Mailbox> _createMailboxWithRoleJmap(
+    account_model.Account account,
+    String password,
+    String name,
+    String? role,
+  ) async {
+    final jmapUrl = account.jmapUrl;
+    if (jmapUrl == null || jmapUrl.isEmpty) {
+      throw Exception('JMAP account ${account.id} has no jmapUrl');
+    }
+    final jmap = await JmapClient.connect(
+      httpClient: _httpClient,
+      jmapUrl: Uri.parse(jmapUrl),
+      username: _effectiveUsername(account),
+      password: password,
+    );
+    final responses = await jmap.call([
+      [
+        'Mailbox/set',
+        {
+          'accountId': jmap.accountId,
+          'create': {
+            'new-mailbox': {
+              'name': name,
+              if (role != null) 'role': role,
+            },
+          },
+        },
+        '0',
+      ],
+    ]);
+    final result = _responseArgs(responses, 0, 'Mailbox/set');
+    final created = result['created'] as Map<String, dynamic>?;
+    final newId =
+        (created?['new-mailbox'] as Map<String, dynamic>?)?['id'] as String?;
+    if (newId == null) {
+      throw Exception(
+        'Failed to create mailbox "$name": server returned no ID',
+      );
+    }
+    final dbId = '${account.id}:$newId';
+    await _db.into(_db.mailboxes).insertOnConflictUpdate(
+          MailboxesCompanion.insert(
+            id: dbId,
+            accountId: account.id,
+            path: newId,
+            name: name,
+            role: Value(role),
+          ),
+        );
+    final row = await (_db.select(
+      _db.mailboxes,
+    )..where((t) => t.id.equals(dbId)))
+        .getSingle();
+    return _toModel(row);
+  }
 }

lib/data/repositories/search_history_repository_impl.dart

@@ -24,8 +24,9 @@ class SearchHistoryRepositoryImpl implements SearchHistoryRepository {
 
     await _db.transaction(() async {
       // Remove existing entry for same query (deduplication).
-      await (_db.delete(_db.searchHistoryEntries)
-            ..where((t) => t.query.equals(trimmed)))
+      await (_db.delete(
+        _db.searchHistoryEntries,
+      )..where((t) => t.query.equals(trimmed)))
           .go();
 
       await _db.into(_db.searchHistoryEntries).insert(
@@ -43,8 +44,9 @@ class SearchHistoryRepositoryImpl implements SearchHistoryRepository {
           .get();
 
       if (keepIds.isNotEmpty) {
-        await (_db.delete(_db.searchHistoryEntries)
-              ..where((t) => t.id.isNotIn(keepIds)))
+        await (_db.delete(
+          _db.searchHistoryEntries,
+        )..where((t) => t.id.isNotIn(keepIds)))
             .go();
       }
     });

lib/data/repositories/share_key_repository_impl.dart

@@ -40,8 +40,9 @@ class ShareKeyRepositoryImpl implements ShareKeyRepository {
     await _pruneExpired();
 
     final keyIdHex = _hex(keyId);
-    final row = await (_db.select(_db.shareKeys)
-          ..where((t) => t.id.equals(keyIdHex)))
+    final row = await (_db.select(
+      _db.shareKeys,
+    )..where((t) => t.id.equals(keyIdHex)))
         .getSingleOrNull();
 
     if (row == null) return null;
@@ -55,10 +56,9 @@ class ShareKeyRepositoryImpl implements ShareKeyRepository {
   }
 
   Future<void> _pruneExpired() async {
-    await (_db.delete(_db.shareKeys)
-          ..where(
-            (t) => t.expiresAt.isSmallerThanValue(DateTime.now().toUtc()),
-          ))
+    await (_db.delete(
+      _db.shareKeys,
+    )..where((t) => t.expiresAt.isSmallerThanValue(DateTime.now().toUtc())))
         .go();
   }
 

lib/data/repositories/user_preferences_repository_impl.dart

@@ -0,0 +1,117 @@
+import 'package:drift/drift.dart';
+import 'package:sharedinbox/core/models/user_preferences.dart' as pref;
+import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
+import 'package:sharedinbox/data/db/database.dart';
+
+class UserPreferencesRepositoryImpl implements UserPreferencesRepository {
+  UserPreferencesRepositoryImpl(this._db);
+
+  final AppDatabase _db;
+  static const _rowId = 1;
+
+  @override
+  Stream<pref.UserPreferences> observePreferences() {
+    return (_db.select(
+      _db.userPreferences,
+    )..where((t) => t.id.equals(_rowId)))
+        .watchSingleOrNull()
+        .map(_rowToModel);
+  }
+
+  @override
+  Future<void> updateMenuPosition(pref.MenuPosition position) async {
+    await _db.into(_db.userPreferences).insertOnConflictUpdate(
+          UserPreferencesCompanion(
+            id: const Value(_rowId),
+            menuPosition: Value(position.name),
+          ),
+        );
+  }
+
+  @override
+  Future<void> updateMailViewButtonPosition(pref.MenuPosition position) async {
+    await _db.into(_db.userPreferences).insertOnConflictUpdate(
+          UserPreferencesCompanion(
+            id: const Value(_rowId),
+            mailViewButtonPosition: Value(position.name),
+          ),
+        );
+  }
+
+  @override
+  Future<void> updateAfterMailViewAction(
+    pref.AfterMailViewAction action,
+  ) async {
+    await _db.into(_db.userPreferences).insertOnConflictUpdate(
+          UserPreferencesCompanion(
+            id: const Value(_rowId),
+            afterMailViewAction: Value(action.name),
+          ),
+        );
+  }
+
+  @override
+  Future<void> updatePrefetchMode(pref.PrefetchMode mode) async {
+    await _db.into(_db.userPreferences).insertOnConflictUpdate(
+          UserPreferencesCompanion(
+            id: const Value(_rowId),
+            prefetchMode: Value(mode.name),
+          ),
+        );
+  }
+
+  @override
+  Future<void> updateBodyCacheLimitMb(int mb) async {
+    await _db.into(_db.userPreferences).insertOnConflictUpdate(
+          UserPreferencesCompanion(
+            id: const Value(_rowId),
+            bodyCacheLimitMb: Value(mb),
+          ),
+        );
+  }
+
+  @override
+  Stream<List<String>> observeTrustedImageSenders() {
+    return (_db.select(_db.imageTrustedSenders)
+          ..orderBy([(t) => OrderingTerm.desc(t.addedAt)]))
+        .watch()
+        .map((rows) => rows.map((r) => r.senderEmail).toList());
+  }
+
+  @override
+  Future<void> addTrustedImageSender(String senderEmail) async {
+    await _db.into(_db.imageTrustedSenders).insertOnConflictUpdate(
+          ImageTrustedSendersCompanion(
+            senderEmail: Value(senderEmail.toLowerCase()),
+            addedAt: Value(DateTime.now()),
+          ),
+        );
+  }
+
+  @override
+  Future<void> removeTrustedImageSender(String senderEmail) async {
+    await (_db.delete(_db.imageTrustedSenders)
+          ..where((t) => t.senderEmail.equals(senderEmail.toLowerCase())))
+        .go();
+  }
+
+  static pref.UserPreferences _rowToModel(UserPreferencesRow? row) {
+    if (row == null) return const pref.UserPreferences();
+    return pref.UserPreferences(
+      menuPosition: pref.MenuPosition.values.firstWhere(
+        (e) => e.name == row.menuPosition,
+        orElse: () => pref.MenuPosition.bottom,
+      ),
+      mailViewButtonPosition: pref.MenuPosition.values.firstWhere(
+        (e) => e.name == row.mailViewButtonPosition,
+        orElse: () => pref.MenuPosition.bottom,
+      ),
+      afterMailViewAction: pref.AfterMailViewAction.values.firstWhere(
+        (e) => e.name == row.afterMailViewAction,
+        orElse: () => pref.AfterMailViewAction.nextMessage,
+      ),
+      prefetchMode: pref.PrefetchMode.fromString(row.prefetchMode),
+      bodyCacheLimitMb: row.bodyCacheLimitMb,
+    );
+  }
+}

lib/di.dart

@@ -5,6 +5,7 @@ import 'package:http/http.dart' as http;
 import 'package:sharedinbox/core/models/account.dart' as model;
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/repositories/draft_repository.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
@@ -13,6 +14,7 @@ import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/core/repositories/undo_repository.dart';
+import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
 import 'package:sharedinbox/core/services/account_discovery_service.dart';
 import 'package:sharedinbox/core/services/connection_test_service.dart';
 import 'package:sharedinbox/core/services/managesieve_probe_service.dart';
@@ -21,7 +23,8 @@ import 'package:sharedinbox/core/services/undo_service.dart';
 import 'package:sharedinbox/core/storage/secure_storage.dart';
 import 'package:sharedinbox/core/sync/account_sync_manager.dart';
 import 'package:sharedinbox/core/sync/reliability_runner.dart';
-import 'package:sharedinbox/data/db/database.dart' hide Email, EmailBody;
+import 'package:sharedinbox/data/db/database.dart'
+    hide Email, EmailBody, UserPreferences;
 import 'package:sharedinbox/data/db/local_sieve_repository.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
 import 'package:sharedinbox/data/jmap/sieve_repository.dart';
@@ -33,6 +36,7 @@ import 'package:sharedinbox/data/repositories/search_history_repository_impl.dar
 import 'package:sharedinbox/data/repositories/share_key_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/sync_log_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/undo_repository_impl.dart';
+import 'package:sharedinbox/data/repositories/user_preferences_repository_impl.dart';
 import 'package:sharedinbox/data/storage/flutter_secure_storage_impl.dart';
 
 /// Swappable IMAP connection factory — override in tests to use plaintext.
@@ -97,8 +101,9 @@ final undoRepositoryProvider = Provider<UndoRepository>((ref) {
   return UndoRepositoryImpl(ref.watch(dbProvider));
 });
 
-final searchHistoryRepositoryProvider =
-    Provider<SearchHistoryRepository>((ref) {
+final searchHistoryRepositoryProvider = Provider<SearchHistoryRepository>((
+  ref,
+) {
   return SearchHistoryRepositoryImpl(ref.watch(dbProvider));
 });
 
@@ -131,8 +136,10 @@ final syncHealthProvider =
       .watchSingleOrNull();
 });
 
-final isSyncingProvider =
-    StreamProvider.autoDispose.family<bool, String>((ref, accountId) {
+final isSyncingProvider = StreamProvider.autoDispose.family<bool, String>((
+  ref,
+  accountId,
+) {
   return ref.watch(syncManagerProvider).watchSyncing(accountId);
 });
 
@@ -181,8 +188,9 @@ final manageSieveProbeServiceProvider = Provider<ManageSieveProbeService>((
   return ManageSieveProbeService(ref.watch(accountRepositoryProvider));
 });
 
-final undoServiceProvider =
-    NotifierProvider<UndoService, List<UndoAction>>(UndoService.new);
+final undoServiceProvider = NotifierProvider<UndoService, List<UndoAction>>(
+  UndoService.new,
+);
 
 /// Loads email header + body and marks the email as seen.
 /// Owned by [EmailDetailScreen]; decouples data loading from the widget tree.
@@ -203,10 +211,38 @@ class EmailDetailNotifier extends AsyncNotifier<(Email?, EmailBody)> {
       repo.getEmailBody(_emailId),
     ]);
     unawaited(repo.setFlag(_emailId, seen: true));
+    final header = results[0] as Email?;
+    if (header != null) {
+      unawaited(_prefetchNextEmailBody(repo, header));
+    }
     return (results[0] as Email?, results[1] as EmailBody);
   }
+
+  Future<void> _prefetchNextEmailBody(
+    EmailRepository repo,
+    Email header,
+  ) async {
+    final prefs = ref.read(userPreferencesProvider).value;
+    final action =
+        prefs?.afterMailViewAction ?? AfterMailViewAction.nextMessage;
+    if (action != AfterMailViewAction.nextMessage) return;
+
+    final threads =
+        await repo.observeThreads(header.accountId, header.mailboxPath).first;
+    final currentIndex = threads.indexWhere(
+      (t) => t.emailIds.contains(_emailId),
+    );
+    if (currentIndex < 0 || currentIndex + 1 >= threads.length) return;
+
+    final nextId = threads[currentIndex + 1].latestEmailId;
+    await repo.getEmailBody(nextId);
+  }
 }
 
+final allAccountsProvider = StreamProvider<List<model.Account>>((ref) {
+  return ref.watch(accountRepositoryProvider).observeAccounts();
+});
+
 final accountByIdProvider =
     StreamProvider.autoDispose.family<model.Account?, String>((ref, accountId) {
   return ref.watch(accountRepositoryProvider).observeAccounts().map(
@@ -227,3 +263,22 @@ final accountConnectionStatusProvider =
       .read(connectionTestServiceProvider)
       .testConnection(account, password);
 });
+
+final userPreferencesRepositoryProvider = Provider<UserPreferencesRepository>((
+  ref,
+) {
+  return UserPreferencesRepositoryImpl(ref.watch(dbProvider));
+});
+
+final userPreferencesProvider = StreamProvider.autoDispose<UserPreferences>((
+  ref,
+) {
+  return ref.watch(userPreferencesRepositoryProvider).observePreferences();
+});
+
+final trustedImageSendersProvider =
+    StreamProvider.autoDispose<List<String>>((ref) {
+  return ref
+      .watch(userPreferencesRepositoryProvider)
+      .observeTrustedImageSenders();
+});

lib/main.dart

@@ -5,19 +5,30 @@ import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_riverpod/misc.dart' show Override;
 
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/services/notification_service.dart';
 import 'package:sharedinbox/core/sync/background_sync.dart';
 import 'package:sharedinbox/data/db/database.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/router.dart';
 import 'package:sharedinbox/ui/screens/crash_screen.dart';
+import 'package:stack_trace/stack_trace.dart' as stack_trace;
 
-void main({List<Override> overrides = const []}) async {
+void main({List<Override> overrides = const []}) {
   unawaited(
     runZonedGuarded(
       () async {
         WidgetsFlutterBinding.ensureInitialized();
 
+        // Dart's async machinery propagates stack traces in chain format
+        // (with '===== asynchronous gap =====' separators). Flutter's
+        // StackFrame parser asserts on those lines, so strip them first.
+        FlutterError.demangleStackTrace = (StackTrace s) {
+          if (s is stack_trace.Chain) return s.toTrace().vmTrace;
+          if (s is stack_trace.Trace) return s.vmTrace;
+          return s;
+        };
+
         // Catch errors during build (e.g. layout exceptions) and show CrashScreen.
         ErrorWidget.builder = (details) => CrashScreen(
               exception: details.exception,
@@ -39,19 +50,35 @@ void main({List<Override> overrides = const []}) async {
         if (Platform.isAndroid) {
           await initNotifications();
           await registerBackgroundSync();
+          await _registerPrefetchTaskFromStoredPrefs();
         }
         runApp(
           ProviderScope(overrides: overrides, child: const SharedInboxApp()),
         );
       },
-      (error, stack) {
-        // Catch unhandled async errors.
-        runApp(CrashScreen(exception: error, stackTrace: stack));
-      },
+      // This handler runs in the parent zone — runApp cannot be called here.
+      // Framework errors are already handled by FlutterError.onError above.
+      (error, stack) => FlutterError.reportError(
+        FlutterErrorDetails(exception: error, stack: stack),
+      ),
     ),
   );
 }
 
+/// Reads the stored prefetch preference and registers the WorkManager task
+/// with the correct network constraint for it. Opens and immediately closes
+/// a temporary DB connection; safe because initDatabasePath() has already run.
+Future<void> _registerPrefetchTaskFromStoredPrefs() async {
+  final db = AppDatabase();
+  try {
+    final row = await db.select(db.userPreferences).getSingleOrNull();
+    final mode = PrefetchMode.fromString(row?.prefetchMode);
+    await registerBodyPrefetchTask(mode);
+  } finally {
+    await db.close();
+  }
+}
+
 class SharedInboxApp extends ConsumerStatefulWidget {
   const SharedInboxApp({super.key});
 

lib/ui/router.dart

@@ -8,7 +8,9 @@ import 'package:sharedinbox/ui/screens/account_receive_screen.dart';
 import 'package:sharedinbox/ui/screens/account_send_screen.dart';
 import 'package:sharedinbox/ui/screens/add_account_screen.dart';
 import 'package:sharedinbox/ui/screens/address_emails_screen.dart';
+import 'package:sharedinbox/ui/screens/bug_report_screen.dart';
 import 'package:sharedinbox/ui/screens/changelog_screen.dart';
+import 'package:sharedinbox/ui/screens/combined_inbox_screen.dart';
 import 'package:sharedinbox/ui/screens/compose_screen.dart';
 import 'package:sharedinbox/ui/screens/edit_account_screen.dart';
 import 'package:sharedinbox/ui/screens/email_detail_screen.dart';
@@ -19,15 +21,21 @@ import 'package:sharedinbox/ui/screens/sieve_script_edit_screen.dart';
 import 'package:sharedinbox/ui/screens/sieve_scripts_screen.dart';
 import 'package:sharedinbox/ui/screens/sync_log_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
+import 'package:sharedinbox/ui/screens/trusted_image_senders_screen.dart';
 import 'package:sharedinbox/ui/screens/undo_log_screen.dart';
+import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
 import 'package:sharedinbox/ui/widgets/undo_shell.dart';
 
 final router = GoRouter(
-  initialLocation: '/accounts',
+  initialLocation: '/inbox',
   routes: [
     ShellRoute(
       builder: (ctx, state, child) => UndoShell(child: child),
       routes: [
+        GoRoute(
+          path: '/inbox',
+          builder: (ctx, state) => const CombinedInboxScreen(),
+        ),
         GoRoute(
           path: '/accounts',
           builder: (ctx, state) => const AccountListScreen(),
@@ -56,6 +64,16 @@ final router = GoRouter(
               path: 'about',
               builder: (ctx, state) => const AboutScreen(),
             ),
+            GoRoute(
+              path: 'preferences',
+              builder: (ctx, state) => const UserPreferencesScreen(),
+            ),
+            GoRoute(
+              path: 'trusted-senders',
+              builder: (ctx, state) => TrustedImageSendersScreen(
+                highlightedSender: state.extra as String?,
+              ),
+            ),
             GoRoute(
               path: ':accountId/edit',
               builder: (ctx, state) => EditAccountScreen(
@@ -159,6 +177,12 @@ final router = GoRouter(
             );
           },
         ),
+        GoRoute(
+          path: '/bug-report',
+          builder: (ctx, state) => BugReportScreen(
+            emailId: state.uri.queryParameters['emailId'],
+          ),
+        ),
       ],
     ),
   ],

lib/ui/screens/about_screen.dart

@@ -4,6 +4,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:go_router/go_router.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/di.dart';
@@ -72,8 +73,10 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
 
   Future<void> _launchUrl(BuildContext context, Uri url) async {
     try {
-      final launched =
-          await launchUrl(url, mode: LaunchMode.externalApplication);
+      final launched = await launchUrl(
+        url,
+        mode: LaunchMode.externalApplication,
+      );
       if (!launched && context.mounted) {
         ScaffoldMessenger.of(context).showSnackBar(
           const SnackBar(
@@ -121,8 +124,10 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
       'https://codeberg.org/guettli/sharedinbox/issues/new?body=$body',
     );
     try {
-      final launched =
-          await launchUrl(url, mode: LaunchMode.externalApplication);
+      final launched = await launchUrl(
+        url,
+        mode: LaunchMode.externalApplication,
+      );
       if (!launched && context.mounted) {
         ScaffoldMessenger.of(context).showSnackBar(
           const SnackBar(
@@ -176,9 +181,7 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
                       selectable: true,
                       onTapLink: (text, href, title) {
                         if (href != null) {
-                          unawaited(
-                            _launchUrl(context, Uri.parse(href)),
-                          );
+                          unawaited(_launchUrl(context, Uri.parse(href)));
                         }
                       },
                     );
@@ -195,22 +198,30 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
                     Expanded(
                       child: OutlinedButton.icon(
                         icon: const Icon(Icons.copy),
-                        label: const Text('Copy to clipboard'),
+                        label: const Text('Copy info'),
                         onPressed: () => unawaited(
                           _copyToClipboard(context, imapCount, jmapCount),
                         ),
                       ),
                     ),
-                    const SizedBox(width: 8),
+                    const SizedBox(width: 4),
                     Expanded(
-                      child: FilledButton.icon(
-                        icon: const Icon(Icons.bug_report),
-                        label: const Text('Create issue'),
+                      child: OutlinedButton.icon(
+                        icon: const Icon(Icons.bug_report_outlined),
+                        label: const Text('Public issue'),
                         onPressed: () => unawaited(
                           _createIssue(context, imapCount, jmapCount),
                         ),
                       ),
                     ),
+                    const SizedBox(width: 4),
+                    Expanded(
+                      child: FilledButton.icon(
+                        icon: const Icon(Icons.feedback_outlined),
+                        label: const Text('Report bug'),
+                        onPressed: () => context.push('/bug-report'),
+                      ),
+                    ),
                   ],
                 ),
               ),

lib/ui/screens/account_list_screen.dart

@@ -1,4 +1,5 @@
 import 'dart:async';
+import 'dart:convert';
 
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
@@ -66,6 +67,14 @@ class AccountListScreen extends ConsumerWidget {
                 unawaited(context.push('/accounts/about'));
               },
             ),
+            ListTile(
+              leading: const Icon(Icons.settings),
+              title: const Text('Preferences'),
+              onTap: () {
+                Navigator.pop(context); // Close drawer
+                unawaited(context.push('/accounts/preferences'));
+              },
+            ),
           ],
         ),
       ),
@@ -111,20 +120,80 @@ class _AccountTile extends ConsumerWidget {
     final health = ref.watch(syncHealthProvider(account.id));
     final typeLabel = account.type == AccountType.jmap ? 'JMAP' : 'IMAP';
 
-    return ListTile(
-      leading: const Icon(Icons.account_circle),
-      title: Text(account.displayName),
-      subtitle: Column(
-        crossAxisAlignment: CrossAxisAlignment.start,
-        children: [
-          Text('${account.email}\n$typeLabel'),
-          const SizedBox(height: 4),
-          health.when(
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.start,
+      children: [
+        ListTile(
+          leading: const Icon(Icons.account_circle),
+          title: Text(account.displayName),
+          subtitle: Text('${account.email}\n$typeLabel'),
+          isThreeLine: true,
+          trailing: Row(
+            mainAxisSize: MainAxisSize.min,
+            children: [
+              status.when(
+                loading: () => const SizedBox(
+                  width: 20,
+                  height: 20,
+                  child: CircularProgressIndicator(strokeWidth: 2),
+                ),
+                data: (_) =>
+                    const Icon(Icons.check_circle, color: Colors.green),
+                error: (e, _) => Tooltip(
+                  message: e.toString(),
+                  child: const Icon(Icons.error_outline, color: Colors.red),
+                ),
+              ),
+              PopupMenuButton<_AccountAction>(
+                onSelected: (action) => _onAction(context, action),
+                itemBuilder: (_) => [
+                  const PopupMenuItem(
+                    value: _AccountAction.syncLog,
+                    child: Text('Sync log'),
+                  ),
+                  const PopupMenuItem(
+                    value: _AccountAction.verifySync,
+                    child: Text('Verify sync health'),
+                  ),
+                  const PopupMenuItem(
+                    value: _AccountAction.forceSync,
+                    child: Text('Force full sync'),
+                  ),
+                  const PopupMenuItem(
+                    value: _AccountAction.edit,
+                    child: Text('Edit'),
+                  ),
+                  if (_sieveSupported(account))
+                    const PopupMenuItem(
+                      value: _AccountAction.emailFiltersRemote,
+                      child: Text('Server email filters'),
+                    ),
+                  const PopupMenuItem(
+                    value: _AccountAction.emailFiltersLocal,
+                    child: Text('Local email filters'),
+                  ),
+                  const PopupMenuItem(
+                    value: _AccountAction.send,
+                    child: Text('Send accounts'),
+                  ),
+                  const PopupMenuDivider(),
+                  const PopupMenuItem(
+                    value: _AccountAction.delete,
+                    child: Text('Delete'),
+                  ),
+                ],
+              ),
+            ],
+          ),
+          onTap: () => context.push('/accounts/${account.id}/mailboxes'),
+        ),
+        Padding(
+          padding: const EdgeInsets.fromLTRB(72, 0, 16, 8),
+          child: health.when(
             data: (h) {
               if (h == null) return const Text('Sync health: Not verified yet');
               final date = h.lastVerifiedAt.toLocal().toString().split('.')[0];
               return Row(
-                mainAxisSize: MainAxisSize.min,
                 children: [
                   const Text('Sync health: '),
                   Icon(
@@ -133,7 +202,13 @@ class _AccountTile extends ConsumerWidget {
                     color: h.isHealthy ? Colors.green : Colors.orange,
                   ),
                   const SizedBox(width: 4),
-                  Text(h.isHealthy ? 'Healthy' : 'Discrepancies found'),
+                  Expanded(
+                    child: Text(
+                      h.isHealthy
+                          ? 'Healthy'
+                          : _formatDiscrepancies(h.discrepancySummary),
+                    ),
+                  ),
                   Text(' ($date)', style: const TextStyle(fontSize: 10)),
                 ],
               );
@@ -141,66 +216,8 @@ class _AccountTile extends ConsumerWidget {
             loading: () => const Text('Sync health: checking...'),
             error: (e, _) => Text('Sync health error: $e'),
           ),
-        ],
-      ),
-      isThreeLine: true,
-      trailing: Row(
-        mainAxisSize: MainAxisSize.min,
-        children: [
-          status.when(
-            loading: () => const SizedBox(
-              width: 20,
-              height: 20,
-              child: CircularProgressIndicator(strokeWidth: 2),
-            ),
-            data: (_) => const Icon(Icons.check_circle, color: Colors.green),
-            error: (e, _) => Tooltip(
-              message: e.toString(),
-              child: const Icon(Icons.error_outline, color: Colors.red),
-            ),
-          ),
-          PopupMenuButton<_AccountAction>(
-            onSelected: (action) => _onAction(context, action),
-            itemBuilder: (_) => [
-              const PopupMenuItem(
-                value: _AccountAction.syncLog,
-                child: Text('Sync log'),
-              ),
-              const PopupMenuItem(
-                value: _AccountAction.verifySync,
-                child: Text('Verify sync health'),
-              ),
-              const PopupMenuItem(
-                value: _AccountAction.forceSync,
-                child: Text('Force full sync'),
-              ),
-              const PopupMenuItem(
-                value: _AccountAction.edit,
-                child: Text('Edit'),
-              ),
-              if (_sieveSupported(account))
-                const PopupMenuItem(
-                  value: _AccountAction.emailFiltersRemote,
-                  child: Text('Server email filters'),
-                ),
-              const PopupMenuItem(
-                value: _AccountAction.emailFiltersLocal,
-                child: Text('Local email filters'),
-              ),
-              const PopupMenuItem(
-                value: _AccountAction.send,
-                child: Text('Send accounts'),
-              ),
-              const PopupMenuDivider(),
-              const PopupMenuItem(
-                value: _AccountAction.delete,
-                child: Text('Delete'),
-              ),
-            ],
-          ),
-        ],
-      ),
-      onTap: () => context.push('/accounts/${account.id}/mailboxes'),
+        ),
+      ],
     );
   }
 
@@ -293,6 +310,30 @@ class _AccountTile extends ConsumerWidget {
   }
 }
 
+String _formatDiscrepancies(String? summary) {
+  if (summary == null) return 'Discrepancies found';
+  try {
+    final decoded = jsonDecode(summary) as Map<String, dynamic>;
+    var missingLocally = 0;
+    var missingOnServer = 0;
+    var flagMismatches = 0;
+    for (final v in decoded.values) {
+      final m = v as Map<String, dynamic>;
+      missingLocally += (m['missingLocally'] as int? ?? 0);
+      missingOnServer += (m['missingOnServer'] as int? ?? 0);
+      flagMismatches += (m['flagMismatches'] as int? ?? 0);
+    }
+    final parts = <String>[];
+    if (missingLocally > 0) parts.add('missing locally: $missingLocally');
+    if (missingOnServer > 0) parts.add('missing on server: $missingOnServer');
+    if (flagMismatches > 0) parts.add('flag mismatches: $flagMismatches');
+    if (parts.isEmpty) return 'Discrepancies found';
+    return 'Discrepancies found (${parts.join(', ')})';
+  } catch (_) {
+    return 'Discrepancies found';
+  }
+}
+
 class _OnboardingView extends StatelessWidget {
   const _OnboardingView();
 

lib/ui/screens/account_receive_screen.dart

@@ -219,11 +219,7 @@ class _AccountReceiveScreenState extends ConsumerState<AccountReceiveScreen> {
             ),
           ),
         _Step.done => const Center(
-            child: Icon(
-              Icons.check_circle,
-              size: 64,
-              color: Colors.green,
-            ),
+            child: Icon(Icons.check_circle, size: 64, color: Colors.green),
           ),
         _Step.error => Center(
             child: Padding(

lib/ui/screens/account_send_screen.dart

@@ -158,10 +158,7 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
     for (final account in selected) {
       final password = await repo.getPassword(account.id);
       payloads.add(
-        AccountPayload(
-          accountJson: account.toJson(),
-          password: password,
-        ),
+        AccountPayload(accountJson: account.toJson(), password: password),
       );
     }
 
@@ -361,9 +358,7 @@ class _AccountSendScreenState extends ConsumerState<AccountSendScreen> {
               unawaited(Clipboard.setData(ClipboardData(text: _encryptedQr!)));
               ScaffoldMessenger.of(context).showSnackBar(
                 const SnackBar(
-                  content: Text(
-                    'Encrypted code copied to clipboard',
-                  ),
+                  content: Text('Encrypted code copied to clipboard'),
                 ),
               );
             },

lib/ui/screens/bug_report_screen.dart

@@ -0,0 +1,635 @@
+import 'dart:async';
+import 'dart:convert';
+
+import 'package:file_picker/file_picker.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:go_router/go_router.dart';
+import 'package:http/http.dart' as http;
+import 'package:package_info_plus/package_info_plus.dart';
+import 'package:sharedinbox/core/models/account.dart';
+import 'package:sharedinbox/core/models/email.dart';
+import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
+import 'package:sharedinbox/di.dart';
+import 'package:sharedinbox/ui/utils/about_markdown.dart';
+
+const _bugReportApiUrl = String.fromEnvironment(
+  'BUG_REPORT_API_URL',
+  defaultValue: 'https://sharedinbox.de/api/v1/bug-reports',
+);
+
+class BugReportScreen extends ConsumerStatefulWidget {
+  const BugReportScreen({super.key, this.emailId});
+
+  final String? emailId;
+
+  @override
+  ConsumerState<BugReportScreen> createState() => _BugReportScreenState();
+}
+
+class _BugReportScreenState extends ConsumerState<BugReportScreen> {
+  final _formKey = GlobalKey<FormState>();
+  final _descriptionController = TextEditingController();
+  final _emailController = TextEditingController();
+
+  final Future<PackageInfo> _packageInfoFuture = PackageInfo.fromPlatform();
+  late final Future<String?> _deviceModelFuture = getDeviceModel();
+
+  final List<PlatformFile> _attachments = [];
+  bool _includeEmail = false;
+  bool _includeSyncLog = false;
+  bool _submitting = false;
+
+  Email? _attachedEmail;
+  List<Account> _accounts = [];
+  String? _selectedAccountId;
+  String? _deviceModel;
+  bool _loadingEmail = false;
+
+  @override
+  void initState() {
+    super.initState();
+    unawaited(_loadInitialData());
+  }
+
+  @override
+  void dispose() {
+    _descriptionController.dispose();
+    _emailController.dispose();
+    super.dispose();
+  }
+
+  Future<void> _loadInitialData() async {
+    setState(() => _loadingEmail = true);
+    try {
+      _deviceModel = await _deviceModelFuture;
+      _accounts =
+          await ref.read(accountRepositoryProvider).observeAccounts().first;
+
+      if (widget.emailId != null) {
+        final email =
+            await ref.read(emailRepositoryProvider).getEmail(widget.emailId!);
+        if (mounted && email != null) {
+          _attachedEmail = email;
+          _selectedAccountId = email.accountId;
+          final fromStr =
+              email.from.isNotEmpty ? email.from.first.toString() : 'unknown';
+          final subjectStr = email.subject ?? '(no subject)';
+          _descriptionController.text =
+              'Problem with email from $fromStr: "$subjectStr"\n\n';
+        }
+      }
+
+      if (_selectedAccountId == null && _accounts.isNotEmpty) {
+        _selectedAccountId = _accounts.first.id;
+      }
+
+      if (_selectedAccountId != null) {
+        final matching =
+            _accounts.where((a) => a.id == _selectedAccountId).firstOrNull;
+        if (matching != null) {
+          _emailController.text = matching.email;
+        }
+      }
+    } catch (_) {}
+    if (mounted) {
+      setState(() => _loadingEmail = false);
+    }
+  }
+
+  int get _totalAttachmentSize {
+    return _attachments.fold(0, (sum, f) => sum + f.size);
+  }
+
+  String _formatSize(int bytes) {
+    if (bytes < 1024) return '$bytes B';
+    if (bytes < 1024 * 1024) return '${(bytes / 1024).toStringAsFixed(1)} KB';
+    return '${(bytes / (1024 * 1024)).toStringAsFixed(2)} MB';
+  }
+
+  Future<void> _pickAttachments() async {
+    try {
+      final result = await FilePicker.pickFiles();
+      if (result == null) return;
+      final newFiles =
+          result.files.where((PlatformFile f) => f.path != null).toList();
+      if (!mounted) return;
+      setState(() {
+        _attachments.addAll(newFiles);
+      });
+    } catch (e) {
+      if (mounted) {
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(content: Text('Failed to pick files: $e')),
+        );
+      }
+    }
+  }
+
+  void _removeAttachment(int index) {
+    setState(() {
+      _attachments.removeAt(index);
+    });
+  }
+
+  String _serializeSyncLogs(List<SyncLogEntry> entries) {
+    final sb = StringBuffer();
+    for (final entry in entries.take(50)) {
+      sb.writeln('ID: ${entry.id}');
+      sb.writeln('Started: ${entry.startedAt.toIso8601String()}');
+      sb.writeln('Finished: ${entry.finishedAt.toIso8601String()}');
+      sb.writeln('Result: ${entry.result}');
+      if (entry.errorMessage != null) {
+        sb.writeln('Error: ${entry.errorMessage}');
+      }
+      if (entry.stackTrace != null) {
+        sb.writeln('StackTrace:\n${entry.stackTrace}');
+      }
+      sb.writeln('Protocol: ${entry.protocol}');
+      sb.writeln(
+        'Fetched: ${entry.emailsFetched}, Skipped: ${entry.emailsSkipped}',
+      );
+      if (entry.protocolLog != null) {
+        sb.writeln('Protocol Log:\n${entry.protocolLog}');
+      }
+      sb.writeln('---');
+    }
+    return sb.toString();
+  }
+
+  Future<void> _submitReport() async {
+    if (!_formKey.currentState!.validate()) return;
+
+    final totalSize = _totalAttachmentSize;
+    if (totalSize > 20 * 1024 * 1024) {
+      ScaffoldMessenger.of(context).showSnackBar(
+        const SnackBar(
+          content: Text(
+            'Total attachments size exceeds the 20 MB limit. Please remove some files.',
+          ),
+          backgroundColor: Colors.red,
+        ),
+      );
+      return;
+    }
+
+    setState(() => _submitting = true);
+
+    try {
+      final client = ref.read(httpClientProvider);
+      final uri = Uri.parse(_bugReportApiUrl);
+      final request = http.MultipartRequest('POST', uri);
+
+      // Description
+      request.fields['description'] = _descriptionController.text;
+
+      // Email Data if from email view
+      if (_attachedEmail != null) {
+        final emailMap = {
+          'id': _attachedEmail!.id,
+          'subject': _attachedEmail!.subject,
+          'from': _attachedEmail!.from.map((e) => e.toString()).toList(),
+          'date': _attachedEmail!.sentAt?.toIso8601String() ??
+              _attachedEmail!.receivedAt.toIso8601String(),
+          'preview': _attachedEmail!.preview,
+        };
+        request.fields['email_data'] = jsonEncode(emailMap);
+      }
+
+      // Contact Email
+      if (_includeEmail) {
+        request.fields['email'] = _emailController.text;
+      }
+
+      // About Info
+      PackageInfo? pkg;
+      try {
+        pkg = await _packageInfoFuture;
+      } catch (_) {}
+      final imapCount =
+          _accounts.where((a) => a.type == AccountType.imap).length;
+      final jmapCount =
+          _accounts.where((a) => a.type == AccountType.jmap).length;
+
+      if (!mounted) return;
+      final aboutInfo = buildAboutMarkdown(
+        context: context,
+        pkg: pkg,
+        imapCount: imapCount,
+        jmapCount: jmapCount,
+        deviceModel: _deviceModel,
+      );
+      request.fields['about_info'] = aboutInfo;
+
+      // Sync Log
+      if (_includeSyncLog && _selectedAccountId != null) {
+        final syncLogs = await ref
+            .read(syncLogRepositoryProvider)
+            .observeSyncLogs(_selectedAccountId!)
+            .first;
+        request.fields['sync_log'] = _serializeSyncLogs(syncLogs);
+      }
+
+      // Attachments
+      for (final file in _attachments) {
+        final multipartFile = await http.MultipartFile.fromPath(
+          'attachments[]',
+          file.path!,
+          filename: file.name,
+        );
+        request.files.add(multipartFile);
+      }
+
+      final streamedResponse = await client.send(request);
+      final response = await http.Response.fromStream(streamedResponse);
+
+      if (!mounted) return;
+
+      if (response.statusCode == 201) {
+        final resData = jsonDecode(response.body) as Map<String, dynamic>;
+        final reportId = resData['id'] as String;
+        _showSuccessDialog(reportId);
+      } else if (response.statusCode == 429) {
+        final retryAfter = response.headers['retry-after'] ?? '6';
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            content: Text('Rate limited. Please retry in $retryAfter seconds.'),
+            backgroundColor: Colors.orange,
+          ),
+        );
+      } else {
+        String errorMsg =
+            'Failed to submit report. Server returned status: ${response.statusCode}';
+        try {
+          final resData = jsonDecode(response.body) as Map<String, dynamic>;
+          if (resData['error'] != null) {
+            errorMsg = resData['error'] as String;
+          }
+        } catch (_) {}
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            content: Text(errorMsg),
+            backgroundColor: Colors.red,
+          ),
+        );
+      }
+    } catch (e) {
+      if (mounted) {
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            content: Text('An error occurred: $e'),
+            backgroundColor: Colors.red,
+          ),
+        );
+      }
+    } finally {
+      if (mounted) {
+        setState(() => _submitting = false);
+      }
+    }
+  }
+
+  void _showSuccessDialog(String reportId) {
+    unawaited(
+      showDialog<void>(
+        context: context,
+        barrierDismissible: false,
+        builder: (context) {
+          return AlertDialog(
+            title: const Text('Bug Report Submitted'),
+            content: SingleChildScrollView(
+              child: ListBody(
+                children: [
+                  const Text('Thank you for helping us improve SharedInbox!'),
+                  const SizedBox(height: 12),
+                  Text(
+                    'Your Report ID is:\n$reportId',
+                    style: const TextStyle(fontWeight: FontWeight.bold),
+                    textAlign: TextAlign.center,
+                  ),
+                  const SizedBox(height: 12),
+                  const Text(
+                    'Your report is handled confidentially and has not been posted to the public issue tracker.',
+                  ),
+                ],
+              ),
+            ),
+            actions: [
+              TextButton(
+                onPressed: () {
+                  Navigator.of(context).pop(); // Dismiss dialog
+                  context.pop(); // Go back to previous screen
+                },
+                child: const Text('Close'),
+              ),
+            ],
+          );
+        },
+      ),
+    );
+  }
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+    final totalSize = _totalAttachmentSize;
+    const sizeLimit = 20 * 1024 * 1024;
+    final approachingLimit = totalSize > 15 * 1024 * 1024;
+
+    return Scaffold(
+      appBar: AppBar(
+        title: const Text('Report a Bug'),
+      ),
+      body: _loadingEmail
+          ? const Center(child: CircularProgressIndicator())
+          : Form(
+              key: _formKey,
+              child: ListView(
+                padding: const EdgeInsets.all(16.0),
+                children: [
+                  // Confidentiality info card
+                  Card(
+                    elevation: 0,
+                    color: theme.colorScheme.secondaryContainer
+                        .withValues(alpha: 0.4),
+                    shape: RoundedRectangleBorder(
+                      side: BorderSide(
+                        color:
+                            theme.colorScheme.secondary.withValues(alpha: 0.4),
+                      ),
+                      borderRadius: BorderRadius.circular(12),
+                    ),
+                    child: Padding(
+                      padding: const EdgeInsets.all(16.0),
+                      child: Row(
+                        children: [
+                          Icon(
+                            Icons.lock_outline,
+                            color: theme.colorScheme.secondary,
+                          ),
+                          const SizedBox(width: 16),
+                          const Expanded(
+                            child: Text(
+                              'Your report is handled confidentially and will not be posted to the public issue tracker.',
+                              style: TextStyle(height: 1.3),
+                            ),
+                          ),
+                        ],
+                      ),
+                    ),
+                  ),
+                  const SizedBox(height: 20),
+
+                  // Description Text Field
+                  TextFormField(
+                    controller: _descriptionController,
+                    autofocus: true,
+                    maxLines: 8,
+                    minLines: 4,
+                    decoration: const InputDecoration(
+                      labelText: 'What went wrong?',
+                      alignLabelWithHint: true,
+                      border: OutlineInputBorder(),
+                      helperText:
+                          'Please describe the problem and how to reproduce it.',
+                    ),
+                    validator: (value) {
+                      if (value == null || value.trim().isEmpty) {
+                        return 'Please enter a description.';
+                      }
+                      return null;
+                    },
+                  ),
+                  const SizedBox(height: 20),
+
+                  // Email info chip if email is attached
+                  if (_attachedEmail != null) ...[
+                    Card(
+                      elevation: 0,
+                      color: theme.colorScheme.surfaceContainerHighest,
+                      child: Padding(
+                        padding: const EdgeInsets.symmetric(
+                          horizontal: 12.0,
+                          vertical: 8.0,
+                        ),
+                        child: Row(
+                          children: [
+                            Icon(
+                              Icons.email_outlined,
+                              size: 20,
+                              color: theme.colorScheme.primary,
+                            ),
+                            const SizedBox(width: 12),
+                            const Expanded(
+                              child: Text(
+                                'The current email metadata will be attached automatically.',
+                                style: TextStyle(fontSize: 13),
+                              ),
+                            ),
+                          ],
+                        ),
+                      ),
+                    ),
+                    const SizedBox(height: 16),
+                  ],
+
+                  // Attachments Section
+                  Text(
+                    'Attachments',
+                    style: theme.textTheme.titleMedium,
+                  ),
+                  const SizedBox(height: 8),
+                  Row(
+                    crossAxisAlignment: CrossAxisAlignment.start,
+                    children: [
+                      OutlinedButton.icon(
+                        onPressed: _submitting ? null : _pickAttachments,
+                        icon: const Icon(Icons.add_a_photo_outlined),
+                        label: const Text('Add screenshots'),
+                      ),
+                      const SizedBox(width: 16),
+                      const Expanded(
+                        child: Text(
+                          'Screenshots help us understand the problem faster.',
+                          style: TextStyle(fontSize: 12, color: Colors.grey),
+                        ),
+                      ),
+                    ],
+                  ),
+                  if (_attachments.isNotEmpty) ...[
+                    const SizedBox(height: 12),
+                    SizedBox(
+                      height: 48,
+                      child: ListView.builder(
+                        scrollDirection: Axis.horizontal,
+                        itemCount: _attachments.length,
+                        itemBuilder: (context, index) {
+                          final file = _attachments[index];
+                          return Padding(
+                            padding: const EdgeInsets.only(right: 8.0),
+                            child: InputChip(
+                              label: Text(
+                                '${file.name} (${_formatSize(file.size)})',
+                              ),
+                              onDeleted: _submitting
+                                  ? null
+                                  : () => _removeAttachment(index),
+                            ),
+                          );
+                        },
+                      ),
+                    ),
+                    const SizedBox(height: 8),
+                    Row(
+                      children: [
+                        Text(
+                          'Total Attachment Size: ${_formatSize(totalSize)} / ${_formatSize(sizeLimit)}',
+                          style: TextStyle(
+                            fontSize: 12,
+                            color: totalSize > sizeLimit
+                                ? Colors.red
+                                : approachingLimit
+                                    ? Colors.orange
+                                    : Colors.grey,
+                            fontWeight: approachingLimit
+                                ? FontWeight.bold
+                                : FontWeight.normal,
+                          ),
+                        ),
+                        if (totalSize > sizeLimit) ...[
+                          const SizedBox(width: 8),
+                          const Icon(
+                            Icons.error_outline,
+                            size: 16,
+                            color: Colors.red,
+                          ),
+                        ],
+                      ],
+                    ),
+                  ],
+                  const SizedBox(height: 24),
+
+                  // Email opt-in
+                  CheckboxListTile(
+                    title: const Text('Include my email for follow-up'),
+                    value: _includeEmail,
+                    onChanged: _submitting
+                        ? null
+                        : (val) {
+                            setState(() => _includeEmail = val ?? false);
+                          },
+                    controlAffinity: ListTileControlAffinity.leading,
+                    contentPadding: EdgeInsets.zero,
+                  ),
+                  if (_includeEmail) ...[
+                    Padding(
+                      padding: const EdgeInsets.only(bottom: 16.0),
+                      child: TextFormField(
+                        controller: _emailController,
+                        keyboardType: TextInputType.emailAddress,
+                        decoration: const InputDecoration(
+                          labelText: 'Contact Email Address',
+                          border: OutlineInputBorder(),
+                        ),
+                        validator: (value) {
+                          if (_includeEmail &&
+                              (value == null || value.trim().isEmpty)) {
+                            return 'Please enter an email address.';
+                          }
+                          return null;
+                        },
+                      ),
+                    ),
+                  ],
+
+                  // Sync log opt-in
+                  if (_selectedAccountId != null) ...[
+                    CheckboxListTile(
+                      title: const Text('Include recent sync log'),
+                      subtitle: const Text(
+                        'Helps diagnose connection and protocol issues.',
+                      ),
+                      value: _includeSyncLog,
+                      onChanged: _submitting
+                          ? null
+                          : (val) {
+                              setState(() => _includeSyncLog = val ?? false);
+                            },
+                      controlAffinity: ListTileControlAffinity.leading,
+                      contentPadding: EdgeInsets.zero,
+                    ),
+                    const SizedBox(height: 12),
+                  ],
+
+                  // System info section
+                  FutureBuilder<PackageInfo>(
+                    future: _packageInfoFuture,
+                    builder: (context, snapshot) {
+                      final imapCount = _accounts
+                          .where((a) => a.type == AccountType.imap)
+                          .length;
+                      final jmapCount = _accounts
+                          .where((a) => a.type == AccountType.jmap)
+                          .length;
+                      final aboutMd = buildAboutMarkdown(
+                        context: context,
+                        pkg: snapshot.data,
+                        imapCount: imapCount,
+                        jmapCount: jmapCount,
+                        deviceModel: _deviceModel,
+                      );
+                      return Card(
+                        elevation: 0,
+                        shape: RoundedRectangleBorder(
+                          side: BorderSide(
+                            color: theme.dividerColor.withValues(alpha: 0.1),
+                          ),
+                          borderRadius: BorderRadius.circular(8),
+                        ),
+                        child: ExpansionTile(
+                          title: const Text(
+                            'System Info (attached automatically)',
+                            style: TextStyle(fontSize: 14),
+                          ),
+                          children: [
+                            Padding(
+                              padding: const EdgeInsets.all(12.0),
+                              child: Align(
+                                alignment: Alignment.topLeft,
+                                child: MarkdownBody(data: aboutMd),
+                              ),
+                            ),
+                          ],
+                        ),
+                      );
+                    },
+                  ),
+                  const SizedBox(height: 32),
+
+                  // Submit Button
+                  FilledButton(
+                    onPressed: _submitting ? null : _submitReport,
+                    child: Padding(
+                      padding: const EdgeInsets.symmetric(vertical: 12.0),
+                      child: _submitting
+                          ? const SizedBox(
+                              height: 20,
+                              width: 20,
+                              child: CircularProgressIndicator(
+                                strokeWidth: 2,
+                                color: Colors.white,
+                              ),
+                            )
+                          : const Text(
+                              'Send Bug Report',
+                              style: TextStyle(fontSize: 16),
+                            ),
+                    ),
+                  ),
+                ],
+              ),
+            ),
+    );
+  }
+}

lib/ui/screens/changelog_screen.dart

@@ -12,8 +12,9 @@ class ChangeLogScreen extends StatelessWidget {
     return Scaffold(
       appBar: AppBar(title: const Text('ChangeLog')),
       body: FutureBuilder<String>(
-        future:
-            DefaultAssetBundle.of(context).loadString('assets/changelog.txt'),
+        future: DefaultAssetBundle.of(
+          context,
+        ).loadString('assets/changelog.txt'),
         builder: (context, snapshot) {
           if (snapshot.connectionState == ConnectionState.waiting) {
             return const Center(child: CircularProgressIndicator());

lib/ui/screens/combined_inbox_screen.dart

@@ -0,0 +1,422 @@
+import 'dart:async';
+
+import 'package:flutter/material.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:go_router/go_router.dart';
+
+import 'package:sharedinbox/core/models/account.dart';
+import 'package:sharedinbox/core/models/email.dart';
+import 'package:sharedinbox/core/models/undo_action.dart';
+import 'package:sharedinbox/di.dart';
+import 'package:sharedinbox/ui/widgets/email_thread_tile.dart';
+
+class CombinedInboxScreen extends ConsumerStatefulWidget {
+  const CombinedInboxScreen({super.key});
+
+  @override
+  ConsumerState<CombinedInboxScreen> createState() =>
+      _CombinedInboxScreenState();
+}
+
+class _CombinedInboxScreenState extends ConsumerState<CombinedInboxScreen> {
+  static const _pageSize = 50;
+  int _limit = _pageSize;
+
+  // Thread-level selection (key = threadId).
+  final Set<String> _selectedThreadIds = {};
+  // Last-emitted thread list, used to resolve emailIds for batch operations.
+  List<EmailThread> _currentThreads = [];
+
+  bool get _selecting => _selectedThreadIds.isNotEmpty;
+
+  void _toggleThreadSelection(EmailThread thread) {
+    setState(() {
+      if (_selectedThreadIds.contains(thread.threadId)) {
+        _selectedThreadIds.remove(thread.threadId);
+      } else {
+        _selectedThreadIds.add(thread.threadId);
+      }
+    });
+  }
+
+  void _clearSelection() => setState(() => _selectedThreadIds.clear());
+
+  void _selectAll() {
+    setState(
+      () => _selectedThreadIds.addAll(_currentThreads.map((t) => t.threadId)),
+    );
+  }
+
+  @override
+  Widget build(BuildContext context) {
+    final accountsAsync = ref.watch(allAccountsProvider);
+
+    return accountsAsync.when(
+      loading: () => const Scaffold(
+        body: Center(child: CircularProgressIndicator()),
+      ),
+      error: (e, _) => Scaffold(
+        body: Center(child: Text('Error: $e')),
+      ),
+      data: (accounts) {
+        if (accounts.isEmpty) {
+          WidgetsBinding.instance.addPostFrameCallback((_) {
+            if (context.mounted) context.go('/accounts');
+          });
+          return const Scaffold(
+            body: Center(child: CircularProgressIndicator()),
+          );
+        }
+
+        final accountNames = {
+          for (final a in accounts) a.id: a.displayName,
+        };
+        final showAccount = accounts.length > 1;
+
+        return Scaffold(
+          appBar: _buildAppBar(accounts),
+          drawer: _selecting ? null : _buildDrawer(context, accounts),
+          bottomNavigationBar: _selecting ? _selectionBottomBar() : null,
+          body: _buildBody(accountNames, showAccount),
+          floatingActionButton: _selecting
+              ? null
+              : FloatingActionButton(
+                  onPressed: () => context.push('/compose'),
+                  child: const Icon(Icons.edit),
+                ),
+        );
+      },
+    );
+  }
+
+  PreferredSizeWidget _buildAppBar(List<Account> accounts) {
+    if (_selecting) {
+      return AppBar(
+        leading: IconButton(
+          icon: const Icon(Icons.close),
+          onPressed: _clearSelection,
+        ),
+        title: Text('${_selectedThreadIds.length} selected'),
+        actions: [
+          IconButton(
+            icon: const Icon(Icons.select_all),
+            tooltip: 'Select all',
+            onPressed: _selectAll,
+          ),
+        ],
+      );
+    }
+
+    return AppBar(
+      title: const Text('Combined Inbox'),
+      actions: [
+        IconButton(
+          icon: const Icon(Icons.search),
+          tooltip: 'Search',
+          onPressed: () => context.push('/search'),
+        ),
+        IconButton(
+          icon: const Icon(Icons.sync),
+          tooltip: 'Sync all',
+          onPressed: () {
+            for (final a in accounts) {
+              ref.read(syncManagerProvider).syncNow(a.id);
+            }
+          },
+        ),
+      ],
+    );
+  }
+
+  Widget _selectionBottomBar() {
+    return BottomAppBar(
+      child: Row(
+        mainAxisAlignment: MainAxisAlignment.spaceEvenly,
+        children: [
+          IconButton(
+            icon: const Icon(Icons.archive),
+            tooltip: 'Archive',
+            onPressed: _batchArchive,
+          ),
+          IconButton(
+            icon: const Icon(Icons.delete),
+            tooltip: 'Delete',
+            onPressed: _batchDelete,
+          ),
+        ],
+      ),
+    );
+  }
+
+  Widget _buildDrawer(BuildContext context, List<Account> accounts) {
+    return Drawer(
+      child: ListView(
+        padding: EdgeInsets.zero,
+        children: [
+          const DrawerHeader(
+            decoration: BoxDecoration(color: Colors.blueGrey),
+            child: Text(
+              'sharedinbox.de',
+              style: TextStyle(color: Colors.white, fontSize: 24),
+            ),
+          ),
+          ListTile(
+            leading: const Icon(Icons.manage_accounts),
+            title: const Text('Accounts'),
+            onTap: () {
+              Navigator.pop(context);
+              context.go('/accounts');
+            },
+          ),
+          ListTile(
+            leading: const Icon(Icons.person_add),
+            title: const Text('Add account'),
+            onTap: () {
+              Navigator.pop(context);
+              unawaited(context.push('/accounts/add'));
+            },
+          ),
+          const Divider(),
+          for (final account in accounts)
+            ListTile(
+              leading: const Icon(Icons.inbox),
+              title: Text(account.displayName),
+              subtitle: Text(account.email),
+              onTap: () {
+                Navigator.pop(context);
+                unawaited(context.push('/accounts/${account.id}/mailboxes'));
+              },
+            ),
+          const Divider(),
+          ListTile(
+            leading: const Icon(Icons.settings),
+            title: const Text('Preferences'),
+            onTap: () {
+              Navigator.pop(context);
+              unawaited(context.push('/accounts/preferences'));
+            },
+          ),
+          ListTile(
+            leading: const Icon(Icons.history),
+            title: const Text('Undo Log'),
+            onTap: () {
+              Navigator.pop(context);
+              unawaited(context.push('/accounts/undo-log'));
+            },
+          ),
+          ListTile(
+            leading: const Icon(Icons.info_outline),
+            title: const Text('About'),
+            onTap: () {
+              Navigator.pop(context);
+              unawaited(context.push('/accounts/about'));
+            },
+          ),
+        ],
+      ),
+    );
+  }
+
+  Widget _buildBody(Map<String, String> accountNames, bool showAccount) {
+    final emailRepo = ref.watch(emailRepositoryProvider);
+    return RefreshIndicator(
+      onRefresh: () async {
+        final accounts = ref.read(allAccountsProvider).value ?? [];
+        for (final a in accounts) {
+          ref.read(syncManagerProvider).syncNow(a.id);
+        }
+      },
+      child: StreamBuilder<List<EmailThread>>(
+        stream: emailRepo.observeAllInboxThreads(limit: _limit),
+        builder: (ctx, snap) {
+          if (!snap.hasData) {
+            return const Center(child: CircularProgressIndicator());
+          }
+          final threads = snap.data!;
+          _currentThreads = threads;
+          if (threads.isEmpty) {
+            return ListView(
+              children: const [
+                SizedBox(
+                  height: 300,
+                  child: Center(child: Text('No emails')),
+                ),
+              ],
+            );
+          }
+          return _buildThreadList(threads, accountNames, showAccount);
+        },
+      ),
+    );
+  }
+
+  Widget _buildThreadList(
+    List<EmailThread> threads,
+    Map<String, String> accountNames,
+    bool showAccount,
+  ) {
+    final hasMore = threads.length == _limit;
+    return ListView.builder(
+      itemCount: threads.length + (hasMore ? 1 : 0),
+      itemBuilder: (ctx, i) {
+        if (i == threads.length) {
+          return TextButton(
+            onPressed: () => setState(() => _limit += _pageSize),
+            child: const Text('Load more'),
+          );
+        }
+        final t = threads[i];
+        return EmailThreadTile(
+          thread: t,
+          isSelected: _selectedThreadIds.contains(t.threadId),
+          isSelecting: _selecting,
+          showAccount: showAccount,
+          accountName: accountNames[t.accountId],
+          onTap: _selecting
+              ? () => _toggleThreadSelection(t)
+              : t.messageCount > 1
+                  ? () => context.push(
+                        '/accounts/${t.accountId}/mailboxes'
+                        '/${Uri.encodeComponent(t.mailboxPath)}'
+                        '/threads/${Uri.encodeComponent(t.threadId)}',
+                      )
+                  : () => context.push(
+                        '/accounts/${t.accountId}/mailboxes'
+                        '/${Uri.encodeComponent(t.mailboxPath)}'
+                        '/emails/${Uri.encodeComponent(t.latestEmailId)}',
+                      ),
+          onLongPress: () => _toggleThreadSelection(t),
+          onDismissed: (direction) => _onSwipeDismissed(t, direction),
+        );
+      },
+    );
+  }
+
+  Future<void> _onSwipeDismissed(
+    EmailThread t,
+    DismissDirection direction,
+  ) async {
+    final repo = ref.read(emailRepositoryProvider);
+
+    final originalEmails = (await Future.wait(
+      t.emailIds.map((id) => repo.getEmail(id)),
+    ))
+        .whereType<Email>()
+        .toList();
+
+    if (direction == DismissDirection.startToEnd) {
+      final archive = await ref
+          .read(mailboxRepositoryProvider)
+          .findMailboxByRole(t.accountId, 'archive');
+      if (!mounted || archive == null) return;
+
+      for (final id in t.emailIds) {
+        await repo.moveEmail(id, archive.path);
+      }
+      final action = UndoAction(
+        id: DateTime.now().toIso8601String(),
+        accountId: t.accountId,
+        type: UndoType.move,
+        emailIds: t.emailIds,
+        sourceMailboxPath: t.mailboxPath,
+        destinationMailboxPath: archive.path,
+        originalEmails: originalEmails,
+      );
+      unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
+      return;
+    }
+
+    String? lastDestPath;
+    for (final id in t.emailIds) {
+      lastDestPath = await repo.deleteEmail(id);
+    }
+    final action = UndoAction(
+      id: DateTime.now().toIso8601String(),
+      accountId: t.accountId,
+      type: UndoType.delete,
+      emailIds: t.emailIds,
+      sourceMailboxPath: t.mailboxPath,
+      destinationMailboxPath: lastDestPath,
+      originalEmails: originalEmails,
+    );
+    unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
+  }
+
+  Future<void> _batchArchive() async {
+    final repo = ref.read(emailRepositoryProvider);
+    final mailboxRepo = ref.read(mailboxRepositoryProvider);
+
+    // Group selected threads by accountId so we look up each account's archive once.
+    final byAccount = <String, List<EmailThread>>{};
+    for (final t in _currentThreads) {
+      if (!_selectedThreadIds.contains(t.threadId)) continue;
+      (byAccount[t.accountId] ??= []).add(t);
+    }
+
+    _clearSelection();
+
+    for (final entry in byAccount.entries) {
+      final accountId = entry.key;
+      final threads = entry.value;
+      final archive = await mailboxRepo.findMailboxByRole(accountId, 'archive');
+      if (!mounted || archive == null) continue;
+
+      for (final t in threads) {
+        final originalEmails = (await Future.wait(
+          t.emailIds.map((id) => repo.getEmail(id)),
+        ))
+            .whereType<Email>()
+            .toList();
+
+        for (final id in t.emailIds) {
+          await repo.moveEmail(id, archive.path);
+        }
+
+        final action = UndoAction(
+          id: DateTime.now().toIso8601String(),
+          accountId: accountId,
+          type: UndoType.move,
+          emailIds: t.emailIds,
+          sourceMailboxPath: t.mailboxPath,
+          destinationMailboxPath: archive.path,
+          originalEmails: originalEmails,
+        );
+        unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
+      }
+    }
+  }
+
+  Future<void> _batchDelete() async {
+    final repo = ref.read(emailRepositoryProvider);
+
+    final selectedThreads = _currentThreads
+        .where((t) => _selectedThreadIds.contains(t.threadId))
+        .toList();
+
+    _clearSelection();
+
+    for (final t in selectedThreads) {
+      final originalEmails = (await Future.wait(
+        t.emailIds.map((id) => repo.getEmail(id)),
+      ))
+          .whereType<Email>()
+          .toList();
+
+      String? lastDestPath;
+      for (final id in t.emailIds) {
+        lastDestPath = await repo.deleteEmail(id);
+      }
+
+      final action = UndoAction(
+        id: DateTime.now().toIso8601String(),
+        accountId: t.accountId,
+        type: UndoType.delete,
+        emailIds: t.emailIds,
+        sourceMailboxPath: t.mailboxPath,
+        destinationMailboxPath: lastDestPath,
+        originalEmails: originalEmails,
+      );
+      unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
+    }
+  }
+}

lib/ui/screens/compose_screen.dart

@@ -194,9 +194,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
       await OpenFilex.open(path);
     } catch (e) {
       if (!mounted) return;
-      ScaffoldMessenger.of(
-        context,
-      ).showSnackBar(
+      ScaffoldMessenger.of(context).showSnackBar(
         SnackBar(
           duration: const Duration(seconds: 5),
           content: Text('Failed to open file: $e'),
@@ -213,9 +211,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
 
   Future<void> _send() async {
     if (_accountId == null) {
-      ScaffoldMessenger.of(
-        context,
-      ).showSnackBar(
+      ScaffoldMessenger.of(context).showSnackBar(
         const SnackBar(
           duration: Duration(seconds: 5),
           content: Text('Select an account first'),
@@ -255,9 +251,7 @@ class _ComposeScreenState extends ConsumerState<ComposeScreen> {
       if (mounted) context.pop();
     } catch (e) {
       if (!mounted) return;
-      ScaffoldMessenger.of(
-        context,
-      ).showSnackBar(
+      ScaffoldMessenger.of(context).showSnackBar(
         SnackBar(
           duration: const Duration(seconds: 5),
           content: Text('Send failed: $e'),

lib/ui/screens/crash_screen.dart

@@ -81,9 +81,9 @@ class CrashScreen extends StatelessWidget {
                   builder: (context, snapshot) => Text(
                     'v${snapshot.data ?? '…'}  •  $_buildMode  •  '
                     '${Platform.operatingSystem} ${Platform.operatingSystemVersion}',
-                    style: Theme.of(context).textTheme.bodySmall?.copyWith(
-                          color: Colors.grey[600],
-                        ),
+                    style: Theme.of(
+                      context,
+                    ).textTheme.bodySmall?.copyWith(color: Colors.grey[600]),
                     textAlign: TextAlign.center,
                   ),
                 ),

lib/ui/screens/email_action_helpers.dart

@@ -0,0 +1,80 @@
+import 'package:flutter/material.dart';
+
+import 'package:sharedinbox/core/models/mailbox.dart';
+import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
+
+enum _MissingFolderChoice { chooseExisting, createNew }
+
+/// Resolves a mailbox by role, prompting the user to choose or create one when
+/// the role is not found.  Returns the target [Mailbox], or null if cancelled.
+Future<Mailbox?> resolveMailboxByRole(
+  BuildContext context,
+  MailboxRepository mailboxRepo,
+  String accountId,
+  String currentMailboxPath,
+  String role, {
+  required String dialogTitle,
+  required String createFolderName,
+}) async {
+  Mailbox? mailbox = await mailboxRepo.findMailboxByRole(accountId, role);
+  if (!context.mounted) return null;
+  if (mailbox != null) return mailbox;
+
+  final choice = await showDialog<_MissingFolderChoice>(
+    context: context,
+    builder: (ctx) => AlertDialog(
+      title: Text(dialogTitle),
+      actions: [
+        TextButton(
+          onPressed: () =>
+              Navigator.pop(ctx, _MissingFolderChoice.chooseExisting),
+          child: const Text('Choose existing folder'),
+        ),
+        FilledButton(
+          onPressed: () => Navigator.pop(ctx, _MissingFolderChoice.createNew),
+          child: Text('Create "$createFolderName"'),
+        ),
+      ],
+    ),
+  );
+  if (!context.mounted || choice == null) return null;
+
+  switch (choice) {
+    case _MissingFolderChoice.chooseExisting:
+      final mailboxes = await mailboxRepo.observeMailboxes(accountId).first;
+      if (!context.mounted) return null;
+      final chosen = await showModalBottomSheet<String>(
+        context: context,
+        builder: (ctx) => ListView(
+          shrinkWrap: true,
+          children: [
+            const ListTile(
+              title: Text(
+                'Move to…',
+                style: TextStyle(fontWeight: FontWeight.bold),
+              ),
+            ),
+            for (final m in mailboxes.where(
+              (m) => m.path != currentMailboxPath,
+            ))
+              ListTile(
+                leading: const Icon(Icons.folder_outlined),
+                title: Text(m.name),
+                onTap: () => Navigator.pop(ctx, m.path),
+              ),
+          ],
+        ),
+      );
+      if (chosen == null || !context.mounted) return null;
+      mailbox = mailboxes.firstWhere((m) => m.path == chosen);
+    case _MissingFolderChoice.createNew:
+      mailbox = await mailboxRepo.createMailboxWithRole(
+        accountId,
+        createFolderName,
+        role,
+      );
+      if (!context.mounted) return null;
+  }
+
+  return mailbox;
+}

lib/ui/screens/email_detail_screen.dart

@@ -13,9 +13,12 @@ import 'package:share_plus/share_plus.dart';
 
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/format_utils.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
+import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
+import 'package:sharedinbox/ui/widgets/email_headers_dialog.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
 import 'package:url_launcher/url_launcher.dart';
@@ -70,26 +73,40 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
             onPressed: header == null
                 ? null
                 : () {
-                    unawaited(
-                      _replyWithRecipientDialog(context, header, body),
-                    );
+                    unawaited(_replyWithRecipientDialog(context, header, body));
                   },
           ),
           IconButton(
-            icon: const Icon(Icons.forward),
-            tooltip: 'Forward',
+            icon: const Icon(Icons.archive),
+            tooltip: 'Archive',
             onPressed: header == null
                 ? null
                 : () {
-                    unawaited(_forward(context, header, body));
+                    unawaited(_archive(context, header));
                   },
           ),
           IconButton(
-            icon: const Icon(Icons.mark_email_unread_outlined),
-            tooltip: 'Mark as unread',
+            icon: const Icon(Icons.delete),
+            tooltip: 'Delete',
             onPressed: () async {
-              await repo.setFlag(widget.emailId, seen: false);
-              if (context.mounted) context.pop();
+              final nextEmailId = await _getNextEmailIdIfNeeded(header);
+              final destPath = await repo.deleteEmail(widget.emailId);
+
+              if (header != null) {
+                await ref.read(undoServiceProvider.notifier).pushAction(
+                      UndoAction(
+                        id: DateTime.now().toIso8601String(),
+                        accountId: header.accountId,
+                        type: UndoType.delete,
+                        emailIds: [widget.emailId],
+                        sourceMailboxPath: header.mailboxPath,
+                        destinationMailboxPath: destPath,
+                        originalEmails: [header],
+                      ),
+                    );
+              }
+
+              if (context.mounted) _navigateTo(context, header, nextEmailId);
             },
           ),
           IconButton(
@@ -104,52 +121,17 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               if (mounted) setState(() => _isFlagged = next);
             },
           ),
-          IconButton(
-            icon: const Icon(Icons.drive_file_move_outline),
-            tooltip: 'Move to folder',
-            onPressed: header == null ? null : () => _moveTo(context, header),
-          ),
-          IconButton(
-            icon: const Icon(Icons.access_time),
-            tooltip: 'Snooze',
-            onPressed: header == null ? null : () => _snooze(context, header),
-          ),
-          IconButton(
-            icon: const Icon(Icons.report_outlined),
-            tooltip: 'Mark as spam',
-            onPressed: header == null
-                ? null
-                : () {
-                    unawaited(_markAsSpam(context, header));
-                  },
-          ),
-          IconButton(
-            icon: const Icon(Icons.delete),
-            tooltip: 'Delete',
-            onPressed: () async {
-              final destPath = await repo.deleteEmail(widget.emailId);
-
-              if (header != null) {
-                unawaited(
-                  ref.read(undoServiceProvider.notifier).pushAction(
-                        UndoAction(
-                          id: DateTime.now().toIso8601String(),
-                          accountId: header.accountId,
-                          type: UndoType.delete,
-                          emailIds: [widget.emailId],
-                          sourceMailboxPath: header.mailboxPath,
-                          destinationMailboxPath: destPath,
-                          originalEmails: [header],
-                        ),
-                      ),
-                );
-              }
-
-              if (context.mounted) context.pop();
-            },
-          ),
           PopupMenuButton<String>(
             itemBuilder: (ctx) => [
+              const PopupMenuItem(value: 'forward', child: Text('Forward')),
+              const PopupMenuItem(value: 'move', child: Text('Move to folder')),
+              const PopupMenuItem(value: 'snooze', child: Text('Snooze')),
+              const PopupMenuItem(value: 'spam', child: Text('Mark as spam')),
+              const PopupMenuItem(
+                value: 'mark_unread',
+                child: Text('Mark as unread'),
+              ),
+              const PopupMenuDivider(),
               const PopupMenuItem(
                 value: 'headers',
                 child: Text('Show Mail Headers'),
@@ -158,18 +140,36 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                 value: 'structure',
                 child: Text('Show Mail Structure'),
               ),
+              const PopupMenuItem(value: 'rfc', child: Text('Show Raw Email')),
+              const PopupMenuDivider(),
               const PopupMenuItem(
-                value: 'rfc',
-                child: Text('Show Raw Email'),
+                value: 'bug_report',
+                child: Text('Report a Bug'),
               ),
             ],
-            onSelected: (value) {
-              if (value == 'headers' && body != null) {
+            onSelected: (value) async {
+              if (value == 'forward' && header != null) {
+                unawaited(_forward(context, header, body));
+              } else if (value == 'move' && header != null) {
+                unawaited(_moveTo(context, header));
+              } else if (value == 'snooze' && header != null) {
+                unawaited(_snooze(context, header));
+              } else if (value == 'spam' && header != null) {
+                unawaited(_markAsSpam(context, header));
+              } else if (value == 'mark_unread') {
+                final nextEmailId = await _getNextEmailIdIfNeeded(header);
+                await repo.setFlag(widget.emailId, seen: false);
+                if (context.mounted) _navigateTo(context, header, nextEmailId);
+              } else if (value == 'headers' && body != null) {
                 _showHeaders(context, body);
               } else if (value == 'structure' && body != null) {
                 _showStructure(context, body);
               } else if (value == 'rfc') {
                 unawaited(_showRaw(context, header));
+              } else if (value == 'bug_report') {
+                unawaited(
+                  context.push('/bug-report?emailId=${widget.emailId}'),
+                );
               }
             },
           ),
@@ -178,19 +178,35 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
       body: detail.when(
         loading: () => const Center(child: CircularProgressIndicator()),
         error: (e, _) => Center(child: Text('Error: $e')),
-        data: (d) => _buildBody(context, d.$1, d.$2),
+        data: (d) {
+          final trusted =
+              ref.watch(trustedImageSendersProvider).value ?? const <String>[];
+          return _buildBody(context, d.$1, d.$2, trusted);
+        },
       ),
     );
   }
 
-  Widget _buildBody(BuildContext ctx, Email? header, EmailBody body) {
+  Widget _buildBody(
+    BuildContext ctx,
+    Email? header,
+    EmailBody body,
+    List<String> trustedSenders,
+  ) {
     final hasHtml = (body.htmlBody ?? '').trim().isNotEmpty;
+    final senderEmail = header?.from.isNotEmpty == true
+        ? header!.from.first.email.toLowerCase()
+        : null;
+    final isTrusted =
+        senderEmail != null && trustedSenders.contains(senderEmail);
+    final effectiveLoadImages = _loadRemoteImages || isTrusted;
+
     return ListView(
       padding: const EdgeInsets.all(16),
       children: [
         if (header != null) ...[_buildHeader(ctx, header), const Divider()],
         if (hasHtml) ...[
-          if (!_loadRemoteImages)
+          if (!effectiveLoadImages)
             Align(
               alignment: Alignment.centerLeft,
               child: Padding(
@@ -198,13 +214,43 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                 child: OutlinedButton.icon(
                   icon: const Icon(Icons.image_outlined, size: 18),
                   label: const Text('Load remote images'),
-                  onPressed: () => setState(() => _loadRemoteImages = true),
+                  onPressed: () {
+                    setState(() => _loadRemoteImages = true);
+                    if (senderEmail != null) {
+                      unawaited(
+                        ref
+                            .read(userPreferencesRepositoryProvider)
+                            .addTrustedImageSender(senderEmail),
+                      );
+                      ScaffoldMessenger.of(ctx).showSnackBar(
+                        SnackBar(
+                          duration: const Duration(seconds: 3),
+                          content: const Text(
+                            'Images will be loaded automatically for this sender.',
+                          ),
+                          action: SnackBarAction(
+                            label: 'View',
+                            onPressed: () {
+                              if (mounted) {
+                                unawaited(
+                                  context.push(
+                                    '/accounts/trusted-senders',
+                                    extra: senderEmail,
+                                  ),
+                                );
+                              }
+                            },
+                          ),
+                        ),
+                      );
+                    }
+                  },
                 ),
               ),
             ),
           SecureEmailWebView(
             htmlBody: body.htmlBody!,
-            loadRemoteImages: _loadRemoteImages,
+            loadRemoteImages: effectiveLoadImages,
           ),
         ] else
           SelectableText(
@@ -243,6 +289,40 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     );
   }
 
+  Future<String?> _getNextEmailIdIfNeeded(Email? header) async {
+    if (header == null) return null;
+    final prefs = ref.read(userPreferencesProvider).value;
+    final action =
+        prefs?.afterMailViewAction ?? AfterMailViewAction.nextMessage;
+    if (action != AfterMailViewAction.nextMessage) return null;
+
+    final threads = await ref
+        .read(emailRepositoryProvider)
+        .observeThreads(header.accountId, header.mailboxPath)
+        .first;
+
+    final currentIndex = threads.indexWhere(
+      (t) => t.emailIds.contains(widget.emailId),
+    );
+    if (currentIndex >= 0 && currentIndex + 1 < threads.length) {
+      return threads[currentIndex + 1].latestEmailId;
+    }
+    return null;
+  }
+
+  void _navigateTo(BuildContext context, Email? header, String? nextEmailId) {
+    if (!context.mounted) return;
+    if (nextEmailId != null && header != null) {
+      context.go(
+        '/accounts/${header.accountId}'
+        '/mailboxes/${Uri.encodeComponent(header.mailboxPath)}'
+        '/emails/${Uri.encodeComponent(nextEmailId)}',
+      );
+    } else {
+      context.pop();
+    }
+  }
+
   Future<void> _downloadAndOpen(EmailAttachment att) async {
     setState(() => _downloading.add(att.filename));
     try {
@@ -393,21 +473,25 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     );
   }
 
-  Future<void> _markAsSpam(BuildContext context, Email header) async {
-    final mailboxRepo = ref.read(mailboxRepositoryProvider);
-    final junk = await mailboxRepo.findMailboxByRole(header.accountId, 'junk');
+  Future<void> _archive(BuildContext context, Email header) async {
+    final nextEmailId = await _getNextEmailIdIfNeeded(header);
+    if (!context.mounted) return;
 
-    if (junk == null) {
-      if (!context.mounted) return;
-      ScaffoldMessenger.of(context).showSnackBar(
-        const SnackBar(content: Text('No Junk folder found')),
-      );
-      return;
-    }
+    final mailbox = await resolveMailboxByRole(
+      context,
+      ref.read(mailboxRepositoryProvider),
+      header.accountId,
+      header.mailboxPath,
+      'archive',
+      dialogTitle: 'No archive folder found',
+      createFolderName: 'Archive',
+    );
+
+    if (mailbox == null || !context.mounted) return;
 
     await ref
         .read(emailRepositoryProvider)
-        .moveEmail(widget.emailId, junk.path);
+        .moveEmail(widget.emailId, mailbox.path);
 
     unawaited(
       ref.read(undoServiceProvider.notifier).pushAction(
@@ -417,12 +501,48 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               type: UndoType.move,
               emailIds: [widget.emailId],
               sourceMailboxPath: header.mailboxPath,
-              destinationMailboxPath: junk.path,
+              destinationMailboxPath: mailbox.path,
             ),
           ),
     );
 
-    if (context.mounted) context.pop();
+    if (context.mounted) _navigateTo(context, header, nextEmailId);
+  }
+
+  Future<void> _markAsSpam(BuildContext context, Email header) async {
+    final nextEmailId = await _getNextEmailIdIfNeeded(header);
+    if (!context.mounted) return;
+
+    final mailbox = await resolveMailboxByRole(
+      context,
+      ref.read(mailboxRepositoryProvider),
+      header.accountId,
+      header.mailboxPath,
+      'junk',
+      dialogTitle: 'No spam folder found',
+      createFolderName: 'Junk',
+    );
+
+    if (mailbox == null || !context.mounted) return;
+
+    await ref
+        .read(emailRepositoryProvider)
+        .moveEmail(widget.emailId, mailbox.path);
+
+    unawaited(
+      ref.read(undoServiceProvider.notifier).pushAction(
+            UndoAction(
+              id: DateTime.now().toIso8601String(),
+              accountId: header.accountId,
+              type: UndoType.move,
+              emailIds: [widget.emailId],
+              sourceMailboxPath: header.mailboxPath,
+              destinationMailboxPath: mailbox.path,
+            ),
+          ),
+    );
+
+    if (context.mounted) _navigateTo(context, header, nextEmailId);
   }
 
   Future<void> _forward(
@@ -438,15 +558,50 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     unawaited(
       context.push(
         '/compose',
-        extra: {
-          'prefillSubject': subject,
-          'prefillBody': quoted,
-        },
+        extra: {'prefillSubject': subject, 'prefillBody': quoted},
       ),
     );
   }
 
+  Future<String?> _promptNewFolderName(BuildContext context) async {
+    final controller = TextEditingController();
+    try {
+      return await showDialog<String>(
+        context: context,
+        builder: (ctx) => AlertDialog(
+          title: const Text('Create new folder'),
+          content: TextField(
+            controller: controller,
+            autofocus: true,
+            decoration: const InputDecoration(hintText: 'Folder name'),
+            textCapitalization: TextCapitalization.words,
+            onSubmitted: (value) {
+              if (value.trim().isNotEmpty) Navigator.pop(ctx, value.trim());
+            },
+          ),
+          actions: [
+            TextButton(
+              onPressed: () => Navigator.pop(ctx),
+              child: const Text('Cancel'),
+            ),
+            FilledButton(
+              onPressed: () {
+                final name = controller.text.trim();
+                if (name.isNotEmpty) Navigator.pop(ctx, name);
+              },
+              child: const Text('Create'),
+            ),
+          ],
+        ),
+      );
+    } finally {
+      controller.dispose();
+    }
+  }
+
   Future<void> _moveTo(BuildContext context, Email header) async {
+    final nextEmailId = await _getNextEmailIdIfNeeded(header);
+
     final mailboxRepo = ref.read(mailboxRepositoryProvider);
     final mailboxes =
         await mailboxRepo.observeMailboxes(header.accountId).first;
@@ -457,6 +612,8 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
 
     if (!context.mounted) return;
 
+    const createNewSentinel = '__create_new__';
+
     final chosen = await showModalBottomSheet<String>(
       context: context,
       builder: (ctx) => ListView(
@@ -474,13 +631,28 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               title: Text(m.name),
               onTap: () => Navigator.pop(ctx, m.path),
             ),
+          ListTile(
+            leading: const Icon(Icons.create_new_folder_outlined),
+            title: const Text('Create new folder…'),
+            onTap: () => Navigator.pop(ctx, createNewSentinel),
+          ),
         ],
       ),
     );
 
     if (chosen == null || !context.mounted) return;
 
-    await ref.read(emailRepositoryProvider).moveEmail(widget.emailId, chosen);
+    String destination = chosen;
+    if (chosen == createNewSentinel) {
+      final name = await _promptNewFolderName(context);
+      if (name == null || !context.mounted) return;
+      final mailbox = await mailboxRepo.createMailbox(header.accountId, name);
+      destination = mailbox.path;
+    }
+
+    await ref
+        .read(emailRepositoryProvider)
+        .moveEmail(widget.emailId, destination);
 
     unawaited(
       ref.read(undoServiceProvider.notifier).pushAction(
@@ -490,15 +662,18 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               type: UndoType.move,
               emailIds: [widget.emailId],
               sourceMailboxPath: header.mailboxPath,
-              destinationMailboxPath: chosen,
+              destinationMailboxPath: destination,
             ),
           ),
     );
 
-    if (context.mounted) context.pop();
+    if (context.mounted) _navigateTo(context, header, nextEmailId);
   }
 
   Future<void> _snooze(BuildContext context, Email header) async {
+    final nextEmailId = await _getNextEmailIdIfNeeded(header);
+    if (!context.mounted) return;
+
     final until = await showModalBottomSheet<DateTime>(
       context: context,
       builder: (ctx) => const SnoozePicker(),
@@ -526,7 +701,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
           ),
         ),
       );
-      context.pop();
+      _navigateTo(context, header, nextEmailId);
     }
   }
 
@@ -538,9 +713,9 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
           .fetchRawRfc822(widget.emailId);
     } catch (e) {
       if (!context.mounted) return;
-      ScaffoldMessenger.of(context).showSnackBar(
-        SnackBar(content: Text('Failed to fetch raw email: $e')),
-      );
+      ScaffoldMessenger.of(
+        context,
+      ).showSnackBar(SnackBar(content: Text('Failed to fetch raw email: $e')));
       return;
     }
 
@@ -654,47 +829,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     unawaited(
       showDialog<void>(
         context: context,
-        builder: (ctx) => AlertDialog(
-          title: const Text('Mail Headers'),
-          content: SizedBox(
-            width: double.maxFinite,
-            child: ListView.builder(
-              shrinkWrap: true,
-              itemCount: body.headers.length,
-              itemBuilder: (ctx, i) {
-                final header = body.headers[i];
-                return Container(
-                  color: i.isEven
-                      ? Theme.of(ctx).colorScheme.surfaceContainerHighest
-                      : Theme.of(ctx).colorScheme.surface,
-                  padding: const EdgeInsets.symmetric(
-                    vertical: 4,
-                    horizontal: 8,
-                  ),
-                  child: Row(
-                    crossAxisAlignment: CrossAxisAlignment.start,
-                    children: [
-                      Expanded(
-                        child: SelectableText(
-                          header.name,
-                          style: const TextStyle(fontWeight: FontWeight.bold),
-                        ),
-                      ),
-                      const SizedBox(width: 8),
-                      Expanded(flex: 2, child: SelectableText(header.value)),
-                    ],
-                  ),
-                );
-              },
-            ),
-          ),
-          actions: [
-            TextButton(
-              onPressed: () => Navigator.pop(ctx),
-              child: const Text('Close'),
-            ),
-          ],
-        ),
+        builder: (ctx) => EmailHeadersDialog(headers: body.headers),
       ),
     );
   }
@@ -705,9 +840,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
       ScaffoldMessenger.of(context).showSnackBar(
         const SnackBar(
           duration: Duration(seconds: 5),
-          content: Text(
-            'Structure not available. Try re-syncing the email.',
-          ),
+          content: Text('Structure not available. Try re-syncing the email.'),
         ),
       );
       return;
@@ -719,12 +852,13 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     unawaited(
       showDialog<void>(
         context: context,
-        builder: (ctx) => AlertDialog(
-          title: const Text('Mail Structure'),
-          content: SizedBox(
-            width: double.maxFinite,
-            child: ListView.builder(
-              shrinkWrap: true,
+        builder: (ctx) => Dialog.fullscreen(
+          child: Scaffold(
+            appBar: AppBar(
+              title: const Text('Mail Structure'),
+              leading: const CloseButton(),
+            ),
+            body: ListView.builder(
               itemCount: rows.length,
               itemBuilder: (ctx, i) {
                 final row = rows[i];
@@ -753,12 +887,6 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               },
             ),
           ),
-          actions: [
-            TextButton(
-              onPressed: () => Navigator.pop(ctx),
-              child: const Text('Close'),
-            ),
-          ],
         ),
       ),
     );
@@ -816,14 +944,8 @@ class _ReplyAllDialogState extends State<_ReplyAllDialog> {
                     SegmentedButton<_Placement>(
                       showSelectedIcon: false,
                       segments: const [
-                        ButtonSegment(
-                          value: _Placement.to,
-                          label: Text('To'),
-                        ),
-                        ButtonSegment(
-                          value: _Placement.cc,
-                          label: Text('Cc'),
-                        ),
+                        ButtonSegment(value: _Placement.to, label: Text('To')),
+                        ButtonSegment(value: _Placement.cc, label: Text('Cc')),
                         ButtonSegment(
                           value: _Placement.skip,
                           label: Text('Skip'),
@@ -895,10 +1017,13 @@ class _UnsubscribeChip extends StatelessWidget {
   Widget build(BuildContext context) {
     final uri = _parseUnsubscribeUri(header);
     if (uri == null) return const SizedBox.shrink();
-    return ActionChip(
-      avatar: const Icon(Icons.unsubscribe_outlined, size: 16),
-      label: const Text('Unsubscribe'),
-      onPressed: () => launchUrl(uri, mode: LaunchMode.externalApplication),
+    return Tooltip(
+      message: uri.toString(),
+      child: ActionChip(
+        avatar: const Icon(Icons.unsubscribe_outlined, size: 16),
+        label: const Text('Unsubscribe'),
+        onPressed: () => launchUrl(uri, mode: LaunchMode.externalApplication),
+      ),
     );
   }
 }

lib/ui/screens/email_list_screen.dart

@@ -8,21 +8,14 @@ import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/widgets/email_tile.dart';
+import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
+import 'package:sharedinbox/ui/widgets/email_thread_tile.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
-
-final _dateFmt = DateFormat('MMM d');
-// Cache formatted dates by local calendar day so DateFormat.format is called
-// at most once per unique date rather than once per list item per rebuild.
-final _formattedDates = <int, String>{};
-
-int _dayKey(DateTime dt) => dt.year * 10000 + dt.month * 100 + dt.day;
-
-String _fmtDate(DateTime dt) =>
-    _formattedDates[_dayKey(dt)] ??= _dateFmt.format(dt);
+import 'package:sharedinbox/ui/widgets/thread_tile.dart';
 
 class EmailListScreen extends ConsumerStatefulWidget {
   const EmailListScreen({
@@ -147,16 +140,21 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
   Widget build(BuildContext context) {
     final repo = ref.watch(emailRepositoryProvider);
     final accountAsync = ref.watch(accountByIdProvider(widget.accountId));
+    final prefs =
+        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
+    final menuAtBottom = prefs.menuPosition == MenuPosition.bottom;
 
     return Scaffold(
-      appBar: _buildAppBar(repo, accountAsync),
+      appBar: _buildAppBar(repo, accountAsync, menuAtBottom: menuAtBottom),
       drawer: _selecting
           ? null
           : FolderDrawer(
               accountId: widget.accountId,
               currentMailboxPath: widget.mailboxPath,
             ),
-      bottomNavigationBar: _selecting ? _selectionBottomBar() : null,
+      bottomNavigationBar: _selecting
+          ? _selectionBottomBar()
+          : (menuAtBottom ? _folderNavBottomBar() : null),
       body: Column(
         children: [
           _buildSyncErrorBanner(),
@@ -172,12 +170,14 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
 
   PreferredSizeWidget _buildAppBar(
     EmailRepository emailRepo,
-    AsyncValue<Account?> accountAsync,
-  ) {
+    AsyncValue<Account?> accountAsync, {
+    required bool menuAtBottom,
+  }) {
     final selectionCount =
         _searching ? _selectedSearchIds.length : _selectedThreadIds.length;
 
     return AppBar(
+      automaticallyImplyLeading: !menuAtBottom,
       leading: _selecting
           ? IconButton(
               icon: const Icon(Icons.close),
@@ -300,6 +300,22 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
     );
   }
 
+  Widget _folderNavBottomBar() {
+    return BottomAppBar(
+      child: Row(
+        children: [
+          Builder(
+            builder: (context) => IconButton(
+              icon: const Icon(Icons.menu),
+              tooltip: 'Open folders',
+              onPressed: () => Scaffold.of(context).openDrawer(),
+            ),
+          ),
+        ],
+      ),
+    );
+  }
+
   Widget _selectionBottomBar() {
     return BottomAppBar(
       child: Row(
@@ -356,11 +372,7 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
     }
     return MaterialBanner(
       padding: const EdgeInsets.fromLTRB(16, 8, 8, 8),
-      content: Text(
-        error,
-        maxLines: 2,
-        overflow: TextOverflow.ellipsis,
-      ),
+      content: Text(error, maxLines: 2, overflow: TextOverflow.ellipsis),
       leading: Icon(
         Icons.sync_problem,
         color: Theme.of(context).colorScheme.error,
@@ -374,9 +386,8 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
           child: const Text('Retry'),
         ),
         TextButton(
-          onPressed: () => context.push(
-            '/accounts/${widget.accountId}/sync-log',
-          ),
+          onPressed: () =>
+              context.push('/accounts/${widget.accountId}/sync-log'),
           child: const Text('View log'),
         ),
         TextButton(
@@ -420,24 +431,26 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
     );
   }
 
-  Future<void> _batchMoveToRole(String role, String notFoundMessage) async {
+  Future<void> _batchMoveToRole(
+    String role, {
+    required String dialogTitle,
+    required String createFolderName,
+  }) async {
     final ids = _selectedEmailIds;
     _clearSelection();
-    final mailbox = await ref
-        .read(mailboxRepositoryProvider)
-        .findMailboxByRole(widget.accountId, role);
-    if (!mounted) return;
-    if (mailbox == null) {
-      ScaffoldMessenger.of(
-        context,
-      ).showSnackBar(
-        SnackBar(
-          duration: const Duration(seconds: 5),
-          content: Text(notFoundMessage),
-        ),
-      );
-      return;
-    }
+
+    final mailbox = await resolveMailboxByRole(
+      context,
+      ref.read(mailboxRepositoryProvider),
+      widget.accountId,
+      widget.mailboxPath,
+      role,
+      dialogTitle: dialogTitle,
+      createFolderName: createFolderName,
+    );
+
+    if (!mounted || mailbox == null) return;
+
     final repo = ref.read(emailRepositoryProvider);
 
     // Fetch full email data before moving so we can restore them if user clicks Undo.
@@ -463,8 +476,11 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
     unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
   }
 
-  Future<void> _batchArchive() =>
-      _batchMoveToRole('archive', 'No archive folder found');
+  Future<void> _batchArchive() => _batchMoveToRole(
+        'archive',
+        dialogTitle: 'No archive folder found',
+        createFolderName: 'Archive',
+      );
 
   Future<void> _refreshSearchAndPopIfEmpty() async {
     if (!mounted || !_searching) return;
@@ -543,8 +559,11 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
     }
   }
 
-  Future<void> _batchMarkSpam() =>
-      _batchMoveToRole('junk', 'No spam folder found');
+  Future<void> _batchMarkSpam() => _batchMoveToRole(
+        'junk',
+        dialogTitle: 'No spam folder found',
+        createFolderName: 'Junk',
+      );
 
   Future<void> _batchMove() async {
     final ids = _selectedEmailIds;
@@ -660,177 +679,93 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
           );
         }
         final t = threads[i];
-        final isSelected = _selectedThreadIds.contains(t.threadId);
-        final senderNames =
-            t.participants.map((a) => a.name ?? a.email).take(3).join(', ');
-
-        final tile = ListTile(
-          leading: SizedBox(
-            width: 40,
-            child: _selecting
-                ? Checkbox(
-                    value: isSelected,
-                    onChanged: (_) => _toggleThreadSelection(t),
-                  )
-                : Icon(
-                    t.hasUnread ? Icons.mail : Icons.mail_outline,
-                    color:
-                        t.hasUnread ? Theme.of(ctx).colorScheme.primary : null,
-                  ),
-          ),
-          title: Row(
-            children: [
-              Expanded(
-                child: Text(
-                  senderNames.isEmpty ? '(unknown)' : senderNames,
-                  style: t.hasUnread
-                      ? const TextStyle(fontWeight: FontWeight.bold)
-                      : null,
-                  overflow: TextOverflow.ellipsis,
-                ),
-              ),
-              if (t.messageCount > 1)
-                Padding(
-                  padding: const EdgeInsets.only(left: 4),
-                  child: Text(
-                    '[${t.messageCount}]',
-                    style: Theme.of(ctx).textTheme.bodySmall,
-                  ),
-                ),
-            ],
-          ),
-          subtitle: Column(
-            crossAxisAlignment: CrossAxisAlignment.start,
-            children: [
-              Text(
-                t.subject ?? '(no subject)',
-                maxLines: 1,
-                overflow: TextOverflow.ellipsis,
-                style: t.hasUnread
-                    ? const TextStyle(fontWeight: FontWeight.bold)
-                    : null,
-              ),
-              if (t.preview != null && t.preview!.isNotEmpty)
-                Text(
-                  t.preview!,
-                  maxLines: 1,
-                  overflow: TextOverflow.ellipsis,
-                  style: Theme.of(ctx).textTheme.bodySmall,
-                ),
-            ],
-          ),
-          selected: isSelected,
-          trailing: Row(
-            mainAxisSize: MainAxisSize.min,
-            children: [
-              if (t.isFlagged)
-                const Icon(Icons.star, color: Colors.amber, size: 16),
-              const SizedBox(width: 4),
-              Text(
-                _fmtDate(t.latestDate),
-                style: Theme.of(ctx).textTheme.bodySmall,
-              ),
-            ],
-          ),
+        return EmailThreadTile(
+          thread: t,
+          isSelected: _selectedThreadIds.contains(t.threadId),
+          isSelecting: _selecting,
           onTap: _selecting
               ? () => _toggleThreadSelection(t)
               : t.messageCount > 1
                   ? () => context.push(
-                        '/accounts/${widget.accountId}/mailboxes/${Uri.encodeComponent(widget.mailboxPath)}/threads/${Uri.encodeComponent(t.threadId)}',
+                        '/accounts/${widget.accountId}/mailboxes'
+                        '/${Uri.encodeComponent(widget.mailboxPath)}'
+                        '/threads/${Uri.encodeComponent(t.threadId)}',
                       )
                   : () => context.push(
-                        '/accounts/${widget.accountId}/mailboxes/${Uri.encodeComponent(widget.mailboxPath)}/emails/${Uri.encodeComponent(t.latestEmailId)}',
+                        '/accounts/${widget.accountId}/mailboxes'
+                        '/${Uri.encodeComponent(widget.mailboxPath)}'
+                        '/emails/${Uri.encodeComponent(t.latestEmailId)}',
                       ),
           onLongPress: () => _toggleThreadSelection(t),
-        );
-
-        // For swipe actions on threads, operate on the latest email only
-        // (single-email threads) or the whole thread.
-        return Dismissible(
-          key: ValueKey(t.threadId),
-          direction:
-              _selecting ? DismissDirection.none : DismissDirection.horizontal,
-          background: _swipeBackground(
-            alignment: Alignment.centerLeft,
-            color: Colors.green,
-            icon: Icons.archive,
-            label: 'Archive',
-          ),
-          secondaryBackground: _swipeBackground(
-            alignment: Alignment.centerRight,
-            color: Colors.red,
-            icon: Icons.delete,
-            label: 'Delete',
-          ),
-          onDismissed: (direction) async {
-            final repo = ref.read(emailRepositoryProvider);
-            final type = direction == DismissDirection.startToEnd
-                ? UndoType.move
-                : UndoType.delete;
-
-            // Fetch full email data before moving/deleting.
-            final originalEmails = (await Future.wait(
-              t.emailIds.map((id) => repo.getEmail(id)),
-            ))
-                .whereType<Email>()
-                .toList();
-
-            if (direction == DismissDirection.startToEnd) {
-              final archive = await ref
-                  .read(mailboxRepositoryProvider)
-                  .findMailboxByRole(widget.accountId, 'archive');
-              if (!mounted || archive == null) return;
-              for (final id in t.emailIds) {
-                await repo.moveEmail(id, archive.path);
-              }
-
-              final action = UndoAction(
-                id: DateTime.now().toIso8601String(),
-                accountId: widget.accountId,
-                type: type,
-                emailIds: t.emailIds,
-                sourceMailboxPath: widget.mailboxPath,
-                destinationMailboxPath: archive.path,
-                originalEmails: originalEmails,
-              );
-              unawaited(
-                ref.read(undoServiceProvider.notifier).pushAction(action),
-              );
-            } else {
-              String? lastDestPath;
-              for (final id in t.emailIds) {
-                lastDestPath = await repo.deleteEmail(id);
-              }
-
-              final action = UndoAction(
-                id: DateTime.now().toIso8601String(),
-                accountId: widget.accountId,
-                type: type,
-                emailIds: t.emailIds,
-                sourceMailboxPath: widget.mailboxPath,
-                destinationMailboxPath: lastDestPath,
-                originalEmails: originalEmails,
-              );
-              unawaited(
-                ref.read(undoServiceProvider.notifier).pushAction(action),
-              );
-            }
-          },
-          child: tile,
+          onDismissed: (direction) => _onSwipeDismissed(t, direction),
         );
       },
     );
   }
 
+  Future<void> _onSwipeDismissed(
+    EmailThread t,
+    DismissDirection direction,
+  ) async {
+    final repo = ref.read(emailRepositoryProvider);
+    final type = direction == DismissDirection.startToEnd
+        ? UndoType.move
+        : UndoType.delete;
+
+    // Fetch full email data before moving/deleting.
+    final originalEmails = (await Future.wait(
+      t.emailIds.map((id) => repo.getEmail(id)),
+    ))
+        .whereType<Email>()
+        .toList();
+
+    if (direction == DismissDirection.startToEnd) {
+      final archive = await ref
+          .read(mailboxRepositoryProvider)
+          .findMailboxByRole(widget.accountId, 'archive');
+      if (!mounted || archive == null) return;
+      for (final id in t.emailIds) {
+        await repo.moveEmail(id, archive.path);
+      }
+      final action = UndoAction(
+        id: DateTime.now().toIso8601String(),
+        accountId: widget.accountId,
+        type: type,
+        emailIds: t.emailIds,
+        sourceMailboxPath: widget.mailboxPath,
+        destinationMailboxPath: archive.path,
+        originalEmails: originalEmails,
+      );
+      unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
+      return;
+    }
+
+    String? lastDestPath;
+    for (final id in t.emailIds) {
+      lastDestPath = await repo.deleteEmail(id);
+    }
+    final action = UndoAction(
+      id: DateTime.now().toIso8601String(),
+      accountId: widget.accountId,
+      type: type,
+      emailIds: t.emailIds,
+      sourceMailboxPath: widget.mailboxPath,
+      destinationMailboxPath: lastDestPath,
+      originalEmails: originalEmails,
+    );
+    unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
+  }
+
   // Used for search results, which are individual emails.
   Widget _buildEmailList(List<Email> emails) {
     return ListView.builder(
       itemCount: emails.length,
       itemBuilder: (ctx, i) {
         final e = emails[i];
+        final t = EmailThread.fromEmail(e);
         final isSelected = _selectedSearchIds.contains(e.id);
-        return EmailTile(
-          email: e,
+        return ThreadTile(
+          thread: t,
           selected: isSelected,
           leading: SizedBox(
             width: 40,
@@ -849,25 +784,4 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
       },
     );
   }
-
-  Widget _swipeBackground({
-    required AlignmentGeometry alignment,
-    required Color color,
-    required IconData icon,
-    required String label,
-  }) {
-    return Container(
-      color: color,
-      alignment: alignment,
-      padding: const EdgeInsets.symmetric(horizontal: 20),
-      child: Row(
-        mainAxisSize: MainAxisSize.min,
-        children: [
-          Icon(icon, color: Colors.white),
-          const SizedBox(width: 8),
-          Text(label, style: const TextStyle(color: Colors.white)),
-        ],
-      ),
-    );
-  }
 }

lib/ui/screens/mailbox_list_screen.dart

@@ -4,6 +4,7 @@ import 'package:go_router/go_router.dart';
 
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
@@ -17,8 +18,12 @@ class MailboxListScreen extends ConsumerWidget {
     final mailboxRepo = ref.watch(mailboxRepositoryProvider);
     final emailRepo = ref.watch(emailRepositoryProvider);
     final accountAsync = ref.watch(accountByIdProvider(accountId));
+    final prefs =
+        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
+    final menuAtBottom = prefs.menuPosition == MenuPosition.bottom;
     return Scaffold(
       appBar: AppBar(
+        automaticallyImplyLeading: !menuAtBottom,
         title: const Text('Folders'),
         actions: [
           IconButton(
@@ -42,6 +47,21 @@ class MailboxListScreen extends ConsumerWidget {
         ],
       ),
       drawer: FolderDrawer(accountId: accountId),
+      bottomNavigationBar: menuAtBottom
+          ? BottomAppBar(
+              child: Row(
+                children: [
+                  Builder(
+                    builder: (ctx) => IconButton(
+                      icon: const Icon(Icons.menu),
+                      tooltip: 'Open folders',
+                      onPressed: () => Scaffold.of(ctx).openDrawer(),
+                    ),
+                  ),
+                ],
+              ),
+            )
+          : null,
       body: Column(
         children: [
           // ── Failed-mutation banner ───────────────────────────────────────

lib/ui/screens/search_screen.dart

@@ -8,10 +8,11 @@ import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/utils/logger.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/widgets/email_tile.dart';
+import 'package:sharedinbox/ui/widgets/thread_tile.dart';
 
-final _searchHistoryProvider =
-    FutureProvider.autoDispose<List<String>>((ref) async {
+final _searchHistoryProvider = FutureProvider.autoDispose<List<String>>((
+  ref,
+) async {
   return ref.watch(searchHistoryRepositoryProvider).getRecentSearches();
 });
 
@@ -188,9 +189,9 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
         if (r.emails.isNotEmpty) ...[
           const _SectionHeader('Messages'),
           for (final e in r.emails)
-            EmailTile(
-              email: e,
-              showLocation: true,
+            ThreadTile(
+              thread: EmailThread.fromEmail(e),
+              locationLabel: '${e.accountId} • ${e.mailboxPath}',
               onTap: () => context.push(
                 '/accounts/${e.accountId}/mailboxes'
                 '/${Uri.encodeComponent(e.mailboxPath)}'

lib/ui/screens/sieve_scripts_screen.dart

@@ -137,9 +137,7 @@ class _SieveScriptsScreenState extends ConsumerState<SieveScriptsScreen> {
   Widget build(BuildContext context) {
     return Scaffold(
       appBar: AppBar(
-        title: Text(
-          widget.isLocal ? 'Local Filters' : 'Remote Filters',
-        ),
+        title: Text(widget.isLocal ? 'Local Filters' : 'Remote Filters'),
       ),
       body: _buildBody(),
       floatingActionButton: FloatingActionButton(

lib/ui/screens/thread_detail_screen.dart

@@ -7,6 +7,7 @@ import 'package:intl/intl.dart';
 
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
+import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
@@ -28,9 +29,16 @@ class ThreadDetailScreen extends ConsumerWidget {
   @override
   Widget build(BuildContext context, WidgetRef ref) {
     final repo = ref.watch(emailRepositoryProvider);
+    final prefs =
+        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
+    final buttonAtBottom = prefs.mailViewButtonPosition == MenuPosition.bottom;
 
     return Scaffold(
-      appBar: AppBar(title: const Text('Thread')),
+      appBar: AppBar(
+        title: const Text('Thread'),
+        automaticallyImplyLeading: !buttonAtBottom,
+      ),
+      bottomNavigationBar: buttonAtBottom ? _buildBackButtonBar(context) : null,
       body: StreamBuilder<List<Email>>(
         stream: repo.observeEmailsInThread(accountId, mailboxPath, threadId),
         builder: (context, snapshot) {
@@ -60,6 +68,20 @@ class ThreadDetailScreen extends ConsumerWidget {
       ),
     );
   }
+
+  Widget _buildBackButtonBar(BuildContext context) {
+    return BottomAppBar(
+      child: Row(
+        children: [
+          IconButton(
+            icon: const Icon(Icons.arrow_back),
+            tooltip: 'Back',
+            onPressed: () => context.pop(),
+          ),
+        ],
+      ),
+    );
+  }
 }
 
 class _EmailMessageCard extends ConsumerStatefulWidget {
@@ -91,6 +113,14 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
 
   @override
   Widget build(BuildContext context) {
+    final trustedSenders =
+        ref.watch(trustedImageSendersProvider).value ?? const <String>[];
+    final senderEmail = widget.email.from.isNotEmpty
+        ? widget.email.from.first.email.toLowerCase()
+        : null;
+    final isTrusted =
+        senderEmail != null && trustedSenders.contains(senderEmail);
+
     return Card(
       margin: const EdgeInsets.symmetric(vertical: 4),
       child: Column(
@@ -125,13 +155,13 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
               ],
             ),
           ),
-          if (_expanded) _buildExpandedBody(),
+          if (_expanded) _buildExpandedBody(isTrusted, senderEmail),
         ],
       ),
     );
   }
 
-  Widget _buildExpandedBody() {
+  Widget _buildExpandedBody(bool isTrusted, String? senderEmail) {
     return Padding(
       padding: const EdgeInsets.fromLTRB(16, 0, 16, 16),
       child: Column(
@@ -141,6 +171,17 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
           FutureBuilder<EmailBody>(
             future: _bodyFuture,
             builder: (context, snapshot) {
+              if (snapshot.hasError) {
+                return Padding(
+                  padding: const EdgeInsets.all(16),
+                  child: Text(
+                    'Failed to load email: ${snapshot.error}',
+                    style: TextStyle(
+                      color: Theme.of(context).colorScheme.error,
+                    ),
+                  ),
+                );
+              }
               if (!snapshot.hasData) {
                 return const Center(
                   child: Padding(
@@ -151,21 +192,51 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
               }
               final body = snapshot.data!;
               final hasHtml = (body.htmlBody ?? '').trim().isNotEmpty;
+              final effectiveLoadImages = _loadRemoteImages || isTrusted;
 
               return Column(
                 crossAxisAlignment: CrossAxisAlignment.start,
                 children: [
                   if (hasHtml) ...[
-                    if (!_loadRemoteImages)
+                    if (!effectiveLoadImages)
                       TextButton.icon(
                         icon: const Icon(Icons.image_outlined, size: 16),
                         label: const Text('Load remote images'),
-                        onPressed: () =>
-                            setState(() => _loadRemoteImages = true),
+                        onPressed: () {
+                          setState(() => _loadRemoteImages = true);
+                          if (senderEmail != null) {
+                            unawaited(
+                              ref
+                                  .read(userPreferencesRepositoryProvider)
+                                  .addTrustedImageSender(senderEmail),
+                            );
+                            ScaffoldMessenger.of(context).showSnackBar(
+                              SnackBar(
+                                duration: const Duration(seconds: 3),
+                                content: const Text(
+                                  'Images will be loaded automatically for this sender.',
+                                ),
+                                action: SnackBarAction(
+                                  label: 'View',
+                                  onPressed: () {
+                                    if (mounted) {
+                                      unawaited(
+                                        context.push(
+                                          '/accounts/trusted-senders',
+                                          extra: senderEmail,
+                                        ),
+                                      );
+                                    }
+                                  },
+                                ),
+                              ),
+                            );
+                          }
+                        },
                       ),
                     SecureEmailWebView(
                       htmlBody: body.htmlBody!,
-                      loadRemoteImages: _loadRemoteImages,
+                      loadRemoteImages: effectiveLoadImages,
                     ),
                   ] else
                     SelectableText(
@@ -229,47 +300,27 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
   }
 
   Future<void> _delete() async {
-    final confirmed = await showDialog<bool>(
-      context: context,
-      builder: (ctx) => AlertDialog(
-        title: const Text('Delete email'),
-        content: const Text('Move this email to Trash?'),
-        actions: [
-          TextButton(
-            onPressed: () => Navigator.pop(ctx, false),
-            child: const Text('Cancel'),
-          ),
-          TextButton(
-            onPressed: () => Navigator.pop(ctx, true),
-            child: const Text('Delete'),
-          ),
-        ],
-      ),
-    );
+    final repo = ref.read(emailRepositoryProvider);
+    // Fetch data first for IMAP undo support
+    final original = await repo.getEmail(widget.email.id);
+
+    final destPath = await repo.deleteEmail(widget.email.id);
+
     if (!mounted) return;
-    if (confirmed == true) {
-      final repo = ref.read(emailRepositoryProvider);
-      // Fetch data first for IMAP undo support
-      final original = await repo.getEmail(widget.email.id);
-
-      final destPath = await repo.deleteEmail(widget.email.id);
-
-      if (!mounted) return;
-      if (original != null) {
-        unawaited(
-          ref.read(undoServiceProvider.notifier).pushAction(
-                UndoAction(
-                  id: DateTime.now().toIso8601String(),
-                  accountId: widget.email.accountId,
-                  type: UndoType.delete,
-                  emailIds: [widget.email.id],
-                  sourceMailboxPath: widget.email.mailboxPath,
-                  destinationMailboxPath: destPath,
-                  originalEmails: [original],
-                ),
+    if (original != null) {
+      unawaited(
+        ref.read(undoServiceProvider.notifier).pushAction(
+              UndoAction(
+                id: DateTime.now().toIso8601String(),
+                accountId: widget.email.accountId,
+                type: UndoType.delete,
+                emailIds: [widget.email.id],
+                sourceMailboxPath: widget.email.mailboxPath,
+                destinationMailboxPath: destPath,
+                originalEmails: [original],
               ),
-        );
-      }
+            ),
+      );
     }
   }
 }

lib/ui/screens/trusted_image_senders_screen.dart

@@ -0,0 +1,63 @@
+import 'dart:async';
+
+import 'package:flutter/material.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+
+import 'package:sharedinbox/di.dart';
+
+class TrustedImageSendersScreen extends ConsumerWidget {
+  const TrustedImageSendersScreen({super.key, this.highlightedSender});
+
+  final String? highlightedSender;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final trustedSendersAsync = ref.watch(trustedImageSendersProvider);
+
+    return Scaffold(
+      appBar: AppBar(title: const Text('Allowed addresses for images')),
+      body: trustedSendersAsync.when(
+        loading: () => const Center(child: CircularProgressIndicator()),
+        error: (_, __) =>
+            const Center(child: Text('Error loading trusted senders')),
+        data: (senders) {
+          if (senders.isEmpty) {
+            return const Padding(
+              padding: EdgeInsets.all(16),
+              child: Text(
+                'No addresses added yet. '
+                'Tap "Load remote images" in an email to add the sender.',
+              ),
+            );
+          }
+          return ListView.builder(
+            itemCount: senders.length,
+            itemBuilder: (context, index) {
+              final sender = senders[index];
+              final isHighlighted = sender == highlightedSender;
+              return ListTile(
+                title: Text(
+                  sender,
+                  style: isHighlighted
+                      ? const TextStyle(fontWeight: FontWeight.bold)
+                      : null,
+                ),
+                trailing: IconButton(
+                  icon: const Icon(Icons.delete_outline),
+                  tooltip: 'Remove',
+                  onPressed: () {
+                    unawaited(
+                      ref
+                          .read(userPreferencesRepositoryProvider)
+                          .removeTrustedImageSender(sender),
+                    );
+                  },
+                ),
+              );
+            },
+          );
+        },
+      ),
+    );
+  }
+}

lib/ui/screens/undo_log_screen.dart

@@ -84,9 +84,7 @@ class _UndoActionTile extends ConsumerWidget {
               .read(undoServiceProvider.notifier)
               .undo(actionId: action.id);
           if (context.mounted) {
-            ScaffoldMessenger.of(
-              context,
-            ).showSnackBar(
+            ScaffoldMessenger.of(context).showSnackBar(
               const SnackBar(
                 duration: Duration(seconds: 5),
                 content: Text('Action undone.'),

lib/ui/screens/user_preferences_screen.dart

@@ -0,0 +1,241 @@
+import 'dart:async';
+
+import 'package:flutter/material.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:go_router/go_router.dart';
+
+import 'package:sharedinbox/core/models/user_preferences.dart';
+import 'package:sharedinbox/core/sync/background_sync.dart';
+import 'package:sharedinbox/di.dart';
+
+class UserPreferencesScreen extends ConsumerWidget {
+  const UserPreferencesScreen({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final prefsAsync = ref.watch(userPreferencesProvider);
+    final trustedSendersAsync = ref.watch(trustedImageSendersProvider);
+    final trustedCount = trustedSendersAsync.value?.length ?? 0;
+
+    return Scaffold(
+      appBar: AppBar(title: const Text('Preferences')),
+      body: prefsAsync.when(
+        loading: () => const Center(child: CircularProgressIndicator()),
+        error: (_, __) =>
+            const Center(child: Text('Error loading preferences')),
+        data: (prefs) => ListView(
+          children: [
+            ListTile(
+              title: Text(
+                'Menu bar position',
+                style: Theme.of(context).textTheme.titleSmall,
+              ),
+              subtitle: const Text(
+                'Where the folder navigation menu is shown in the mailbox view.',
+              ),
+            ),
+            RadioGroup<MenuPosition>(
+              groupValue: prefs.menuPosition,
+              onChanged: (value) {
+                if (value == null) return;
+                unawaited(
+                  ref
+                      .read(userPreferencesRepositoryProvider)
+                      .updateMenuPosition(value),
+                );
+              },
+              child: const Column(
+                children: [
+                  RadioListTile<MenuPosition>(
+                    title: Text('Bottom (default)'),
+                    subtitle: Text(
+                      'Open folder navigation from a button at the bottom of the screen.',
+                    ),
+                    value: MenuPosition.bottom,
+                  ),
+                  RadioListTile<MenuPosition>(
+                    title: Text('Top'),
+                    subtitle: Text(
+                      'Open folder navigation from the hamburger icon in the top bar.',
+                    ),
+                    value: MenuPosition.top,
+                  ),
+                ],
+              ),
+            ),
+            const Divider(),
+            ListTile(
+              title: Text(
+                'Single mail view button position',
+                style: Theme.of(context).textTheme.titleSmall,
+              ),
+              subtitle: const Text(
+                'Where the back button is shown in the single mail view.',
+              ),
+            ),
+            RadioGroup<MenuPosition>(
+              groupValue: prefs.mailViewButtonPosition,
+              onChanged: (value) {
+                if (value == null) return;
+                unawaited(
+                  ref
+                      .read(userPreferencesRepositoryProvider)
+                      .updateMailViewButtonPosition(value),
+                );
+              },
+              child: const Column(
+                children: [
+                  RadioListTile<MenuPosition>(
+                    title: Text('Bottom (default)'),
+                    subtitle: Text(
+                      'Show the back button at the bottom of the screen.',
+                    ),
+                    value: MenuPosition.bottom,
+                  ),
+                  RadioListTile<MenuPosition>(
+                    title: Text('Top'),
+                    subtitle: Text('Show the back button in the top bar.'),
+                    value: MenuPosition.top,
+                  ),
+                ],
+              ),
+            ),
+            const Divider(),
+            ListTile(
+              title: Text(
+                'After mail action',
+                style: Theme.of(context).textTheme.titleSmall,
+              ),
+              subtitle: const Text(
+                'What to show after deleting, archiving, or otherwise handling a message.',
+              ),
+            ),
+            RadioGroup<AfterMailViewAction>(
+              groupValue: prefs.afterMailViewAction,
+              onChanged: (value) {
+                if (value == null) return;
+                unawaited(
+                  ref
+                      .read(userPreferencesRepositoryProvider)
+                      .updateAfterMailViewAction(value),
+                );
+              },
+              child: const Column(
+                children: [
+                  RadioListTile<AfterMailViewAction>(
+                    title: Text('Next message (default)'),
+                    subtitle: Text('Show the next message in the mailbox.'),
+                    value: AfterMailViewAction.nextMessage,
+                  ),
+                  RadioListTile<AfterMailViewAction>(
+                    title: Text('Return to mailbox'),
+                    subtitle: Text('Return to the message list.'),
+                    value: AfterMailViewAction.showMailbox,
+                  ),
+                ],
+              ),
+            ),
+            const Divider(),
+            ListTile(
+              title: Text(
+                'Offline email cache',
+                style: Theme.of(context).textTheme.titleSmall,
+              ),
+              subtitle: const Text(
+                'Pre-fetch email bodies in the background so they are available offline.',
+              ),
+            ),
+            RadioGroup<PrefetchMode>(
+              groupValue: prefs.prefetchMode,
+              onChanged: (value) {
+                if (value == null) return;
+                unawaited(
+                  ref
+                      .read(userPreferencesRepositoryProvider)
+                      .updatePrefetchMode(value),
+                );
+                unawaited(registerBodyPrefetchTask(value));
+              },
+              child: const Column(
+                children: [
+                  RadioListTile<PrefetchMode>(
+                    title: Text('Wi-Fi only (default)'),
+                    subtitle: Text(
+                      'Pre-fetch bodies in the background when connected to Wi-Fi.',
+                    ),
+                    value: PrefetchMode.wifiOnly,
+                  ),
+                  RadioListTile<PrefetchMode>(
+                    title: Text('Any network'),
+                    subtitle: Text(
+                      'Pre-fetch bodies on Wi-Fi and mobile data.',
+                    ),
+                    value: PrefetchMode.always,
+                  ),
+                  RadioListTile<PrefetchMode>(
+                    title: Text('Disabled'),
+                    subtitle: Text(
+                      'Do not pre-fetch email bodies in the background.',
+                    ),
+                    value: PrefetchMode.disabled,
+                  ),
+                ],
+              ),
+            ),
+            if (prefs.prefetchMode != PrefetchMode.disabled) ...[
+              const SizedBox(height: 4),
+              Padding(
+                padding: const EdgeInsets.symmetric(horizontal: 16),
+                child: Row(
+                  children: [
+                    const Text('Cache size limit:'),
+                    const SizedBox(width: 16),
+                    DropdownButton<int>(
+                      value: _nearestCacheOption(prefs.bodyCacheLimitMb),
+                      items: const [
+                        DropdownMenuItem(value: 50, child: Text('50 MB')),
+                        DropdownMenuItem(value: 100, child: Text('100 MB')),
+                        DropdownMenuItem(value: 200, child: Text('200 MB')),
+                        DropdownMenuItem(value: 500, child: Text('500 MB')),
+                      ],
+                      onChanged: (value) {
+                        if (value == null) return;
+                        unawaited(
+                          ref
+                              .read(userPreferencesRepositoryProvider)
+                              .updateBodyCacheLimitMb(value),
+                        );
+                      },
+                    ),
+                  ],
+                ),
+              ),
+              const SizedBox(height: 8),
+            ],
+            const Divider(),
+            ListTile(
+              title: Text(
+                'Allowed addresses for images',
+                style: Theme.of(context).textTheme.titleSmall,
+              ),
+              subtitle: Text(
+                trustedCount == 0
+                    ? 'No addresses added yet.'
+                    : '$trustedCount address${trustedCount == 1 ? '' : 'es'}',
+              ),
+              trailing: const Icon(Icons.chevron_right),
+              onTap: () => context.push('/accounts/trusted-senders'),
+            ),
+          ],
+        ),
+      ),
+    );
+  }
+
+  int _nearestCacheOption(int mb) {
+    const options = [50, 100, 200, 500];
+    return options.reduce(
+      (a, b) => (a - mb).abs() <= (b - mb).abs() ? a : b,
+    );
+  }
+}

lib/ui/utils/about_markdown.dart

@@ -26,8 +26,9 @@ String buildAboutMarkdown({
   final osName = _capitalize(Platform.operatingSystem);
   final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
   final locale = Localizations.localeOf(context).toString();
-  final textScale =
-      MediaQuery.of(context).textScaler.scale(1.0).toStringAsFixed(1);
+  final textScale = MediaQuery.of(
+    context,
+  ).textScaler.scale(1.0).toStringAsFixed(1);
 
   final gitCommitLine = _gitHash.isNotEmpty
       ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'

lib/ui/widgets/email_headers_dialog.dart

@@ -0,0 +1,258 @@
+import 'package:flutter/material.dart';
+import 'package:intl/intl.dart';
+
+import 'package:sharedinbox/core/models/email.dart';
+
+/// Full-screen dialog for browsing email headers, organised into groups.
+class EmailHeadersDialog extends StatelessWidget {
+  const EmailHeadersDialog({super.key, required this.headers});
+  final List<EmailHeader> headers;
+
+  @override
+  Widget build(BuildContext context) {
+    return Dialog.fullscreen(
+      child: Scaffold(
+        appBar: AppBar(
+          title: const Text('Mail Headers'),
+          leading: const CloseButton(),
+        ),
+        body: _HeadersBody(headers: headers),
+      ),
+    );
+  }
+}
+
+class _HeadersBody extends StatelessWidget {
+  const _HeadersBody({required this.headers});
+  final List<EmailHeader> headers;
+
+  @override
+  Widget build(BuildContext context) {
+    final receivedHeaders = <EmailHeader>[];
+    final listHeaders = <EmailHeader>[];
+    final arcHeaders = <EmailHeader>[];
+    final otherHeaders = <EmailHeader>[];
+    // Maps X- prefix (e.g. "X-Google") → headers with that prefix.
+    final xByPrefix = <String, List<EmailHeader>>{};
+
+    for (final h in headers) {
+      final lower = h.name.toLowerCase();
+      if (lower == 'received') {
+        receivedHeaders.add(h);
+        continue;
+      }
+      if (lower.startsWith('list-')) {
+        listHeaders.add(h);
+        continue;
+      }
+      if (lower.startsWith('arc-')) {
+        arcHeaders.add(h);
+        continue;
+      }
+      if (lower.startsWith('x-')) {
+        final parts = h.name.split('-');
+        // "X-Foo-Bar-Baz" → prefix "X-Foo"; "X-Single" → prefix "X-Single".
+        final prefix = parts.length >= 3 ? '${parts[0]}-${parts[1]}' : h.name;
+        xByPrefix.putIfAbsent(prefix, () => []).add(h);
+        continue;
+      }
+      otherHeaders.add(h);
+    }
+
+    final sections = <Widget>[];
+
+    if (otherHeaders.isNotEmpty) {
+      sections.add(_HeadersSection(title: 'Headers', headers: otherHeaders));
+    }
+    if (listHeaders.isNotEmpty) {
+      sections.add(
+        _HeadersSection(title: 'List- Headers', headers: listHeaders),
+      );
+    }
+    if (receivedHeaders.isNotEmpty) {
+      sections.add(_ReceivedSection(headers: receivedHeaders));
+    }
+    if (arcHeaders.isNotEmpty) {
+      sections.add(
+        _HeadersSection(title: 'ARC- Headers', headers: arcHeaders),
+      );
+    }
+
+    // X- headers at bottom, each prefix in its own collapsible group.
+    final sortedPrefixes = xByPrefix.keys.toList()
+      ..sort((a, b) => a.toLowerCase().compareTo(b.toLowerCase()));
+    for (final prefix in sortedPrefixes) {
+      sections.add(
+        _HeadersSection(
+          title: '$prefix Headers',
+          headers: xByPrefix[prefix]!,
+        ),
+      );
+    }
+
+    return ListView(children: sections);
+  }
+}
+
+class _HeadersSection extends StatelessWidget {
+  const _HeadersSection({required this.title, required this.headers});
+
+  final String title;
+  final List<EmailHeader> headers;
+
+  @override
+  Widget build(BuildContext context) {
+    return ExpansionTile(
+      title: Text('$title (${headers.length})'),
+      children: [
+        for (var i = 0; i < headers.length; i++)
+          _HeaderRow(header: headers[i], index: i),
+      ],
+    );
+  }
+}
+
+/// Received headers section — collapsed by default; shows inter-hop delays.
+class _ReceivedSection extends StatelessWidget {
+  const _ReceivedSection({required this.headers});
+  final List<EmailHeader> headers;
+
+  @override
+  Widget build(BuildContext context) {
+    final entries = _buildEntries(headers);
+    return ExpansionTile(
+      title: Text('Received (${headers.length})'),
+      children: [
+        for (var i = 0; i < entries.length; i++) ...[
+          _HeaderRow(header: entries[i].header, index: i),
+          if (entries[i].delay != null) _DelayRow(delay: entries[i].delay!),
+        ],
+      ],
+    );
+  }
+
+  static List<_ReceivedEntry> _buildEntries(List<EmailHeader> headers) {
+    final timestamps =
+        headers.map((h) => _parseReceivedTimestamp(h.value)).toList();
+    return [
+      for (var i = 0; i < headers.length; i++)
+        _ReceivedEntry(
+          header: headers[i],
+          delay: _computeDelay(timestamps, i),
+        ),
+    ];
+  }
+
+  static Duration? _computeDelay(List<DateTime?> timestamps, int i) {
+    if (i >= timestamps.length - 1) return null;
+    final current = timestamps[i];
+    final next = timestamps[i + 1];
+    if (current == null || next == null) return null;
+    final d = current.difference(next);
+    return d.isNegative ? Duration.zero : d;
+  }
+}
+
+class _ReceivedEntry {
+  const _ReceivedEntry({required this.header, this.delay});
+  final EmailHeader header;
+  final Duration? delay;
+}
+
+class _HeaderRow extends StatelessWidget {
+  const _HeaderRow({required this.header, required this.index});
+  final EmailHeader header;
+  final int index;
+
+  @override
+  Widget build(BuildContext context) {
+    final bg = index.isEven
+        ? Theme.of(context).colorScheme.surfaceContainerHighest
+        : Theme.of(context).colorScheme.surface;
+    return Container(
+      color: bg,
+      padding: const EdgeInsets.symmetric(vertical: 4, horizontal: 8),
+      child: Row(
+        crossAxisAlignment: CrossAxisAlignment.start,
+        children: [
+          Expanded(
+            child: SelectableText(
+              header.name,
+              style: const TextStyle(fontWeight: FontWeight.bold),
+            ),
+          ),
+          const SizedBox(width: 8),
+          Expanded(flex: 2, child: SelectableText(header.value)),
+        ],
+      ),
+    );
+  }
+}
+
+class _DelayRow extends StatelessWidget {
+  const _DelayRow({required this.delay});
+  final Duration delay;
+
+  @override
+  Widget build(BuildContext context) {
+    final color = _delayColor(delay);
+    return Padding(
+      padding: const EdgeInsets.symmetric(horizontal: 16, vertical: 2),
+      child: Row(
+        children: [
+          Icon(Icons.arrow_downward, size: 14, color: color),
+          const SizedBox(width: 4),
+          Text(
+            _formatDuration(delay),
+            style: TextStyle(
+              fontSize: 12,
+              color: color,
+              fontWeight:
+                  delay.inSeconds >= 30 ? FontWeight.bold : FontWeight.normal,
+            ),
+          ),
+        ],
+      ),
+    );
+  }
+}
+
+/// Parses the RFC 2822 timestamp from a Received header value.
+///
+/// Received headers end with `; date`, e.g.:
+///   by mx.example.com; Mon, 1 Jan 2024 12:00:00 +0000 (UTC)
+DateTime? _parseReceivedTimestamp(String value) {
+  final semiIndex = value.lastIndexOf(';');
+  if (semiIndex < 0) return null;
+  var s = value.substring(semiIndex + 1).trim();
+  // Strip parenthesised comments like (UTC).
+  s = s.replaceAll(RegExp(r'\([^)]*\)'), ' ').trim();
+  // Strip leading day-of-week abbreviation like "Mon, ".
+  s = s.replaceFirst(RegExp(r'^[A-Za-z]{2,4},\s*'), '');
+  // Collapse runs of whitespace.
+  s = s.replaceAll(RegExp(r'\s+'), ' ').trim();
+
+  for (final fmt in [
+    DateFormat('dd MMM yyyy HH:mm:ss Z', 'en_US'),
+    DateFormat('d MMM yyyy HH:mm:ss Z', 'en_US'),
+    DateFormat('dd MMM yyyy HH:mm:ss', 'en_US'),
+    DateFormat('d MMM yyyy HH:mm:ss', 'en_US'),
+  ]) {
+    try {
+      return fmt.parse(s);
+    } catch (_) {}
+  }
+  return null;
+}
+
+String _formatDuration(Duration d) {
+  if (d.inSeconds < 60) return '${d.inSeconds}s';
+  if (d.inMinutes < 60) return '${d.inMinutes}m ${d.inSeconds.remainder(60)}s';
+  return '${d.inHours}h ${d.inMinutes.remainder(60)}m';
+}
+
+Color _delayColor(Duration d) {
+  if (d.inSeconds < 30) return Colors.green;
+  if (d.inSeconds < 300) return Colors.orange;
+  return Colors.red;
+}

lib/ui/widgets/email_thread_tile.dart

@@ -0,0 +1,171 @@
+import 'package:flutter/material.dart';
+import 'package:intl/intl.dart';
+
+import 'package:sharedinbox/core/models/email.dart';
+
+final _dateFmt = DateFormat('MMM d');
+final _formattedDates = <int, String>{};
+
+int _dayKey(DateTime dt) => dt.year * 10000 + dt.month * 100 + dt.day;
+
+String _fmtDate(DateTime dt) =>
+    _formattedDates[_dayKey(dt)] ??= _dateFmt.format(dt);
+
+/// A swipeable list tile for an [EmailThread].
+///
+/// Handles the [Dismissible] wrapper (archive left, delete right) and
+/// selection-mode checkbox. Pass [showAccount] to display an extra subtitle
+/// line with the account name — used in the combined-inbox view.
+class EmailThreadTile extends StatelessWidget {
+  const EmailThreadTile({
+    super.key,
+    required this.thread,
+    required this.isSelected,
+    required this.isSelecting,
+    required this.onTap,
+    required this.onLongPress,
+    required this.onDismissed,
+    this.showAccount = false,
+    this.accountName,
+  });
+
+  final EmailThread thread;
+  final bool isSelected;
+  final bool isSelecting;
+  final VoidCallback onTap;
+  final VoidCallback onLongPress;
+  final Future<void> Function(DismissDirection) onDismissed;
+
+  /// When true, renders an extra subtitle line with [accountName].
+  final bool showAccount;
+  final String? accountName;
+
+  @override
+  Widget build(BuildContext context) {
+    final t = thread;
+    final senderNames =
+        t.participants.map((a) => a.name ?? a.email).take(3).join(', ');
+
+    final tile = ListTile(
+      leading: SizedBox(
+        width: 40,
+        child: isSelecting
+            ? Checkbox(
+                value: isSelected,
+                onChanged: (_) => onTap(),
+              )
+            : Icon(
+                t.hasUnread ? Icons.mail : Icons.mail_outline,
+                color:
+                    t.hasUnread ? Theme.of(context).colorScheme.primary : null,
+              ),
+      ),
+      title: Row(
+        children: [
+          Expanded(
+            child: Text(
+              senderNames.isEmpty ? '(unknown)' : senderNames,
+              style: t.hasUnread
+                  ? const TextStyle(fontWeight: FontWeight.bold)
+                  : null,
+              overflow: TextOverflow.ellipsis,
+            ),
+          ),
+          if (t.messageCount > 1)
+            Padding(
+              padding: const EdgeInsets.only(left: 4),
+              child: Text(
+                '[${t.messageCount}]',
+                style: Theme.of(context).textTheme.bodySmall,
+              ),
+            ),
+        ],
+      ),
+      subtitle: Column(
+        crossAxisAlignment: CrossAxisAlignment.start,
+        children: [
+          Text(
+            t.subject ?? '(no subject)',
+            maxLines: 1,
+            overflow: TextOverflow.ellipsis,
+            style: t.hasUnread
+                ? const TextStyle(fontWeight: FontWeight.bold)
+                : null,
+          ),
+          if (t.preview != null && t.preview!.isNotEmpty)
+            Text(
+              t.preview!,
+              maxLines: 1,
+              overflow: TextOverflow.ellipsis,
+              style: Theme.of(context).textTheme.bodySmall,
+            ),
+          if (showAccount && accountName != null)
+            Text(
+              accountName!,
+              maxLines: 1,
+              overflow: TextOverflow.ellipsis,
+              style: Theme.of(context).textTheme.bodySmall?.copyWith(
+                    color: Theme.of(context).colorScheme.primary,
+                  ),
+            ),
+        ],
+      ),
+      selected: isSelected,
+      trailing: Row(
+        mainAxisSize: MainAxisSize.min,
+        children: [
+          if (t.isFlagged)
+            const Icon(Icons.star, color: Colors.amber, size: 16),
+          const SizedBox(width: 4),
+          Text(
+            _fmtDate(t.latestDate),
+            style: Theme.of(context).textTheme.bodySmall,
+          ),
+        ],
+      ),
+      onTap: onTap,
+      onLongPress: onLongPress,
+    );
+
+    return Dismissible(
+      key: ValueKey('${t.accountId}:${t.threadId}'),
+      direction:
+          isSelecting ? DismissDirection.none : DismissDirection.horizontal,
+      background: _swipeBackground(
+        alignment: Alignment.centerLeft,
+        color: Colors.green,
+        icon: Icons.archive,
+        label: 'Archive',
+      ),
+      secondaryBackground: _swipeBackground(
+        alignment: Alignment.centerRight,
+        color: Colors.red,
+        icon: Icons.delete,
+        label: 'Delete',
+      ),
+      onDismissed: onDismissed,
+      child: tile,
+    );
+  }
+
+  static Widget _swipeBackground({
+    required AlignmentGeometry alignment,
+    required Color color,
+    required IconData icon,
+    required String label,
+  }) {
+    return Container(
+      color: color,
+      alignment: alignment,
+      padding: const EdgeInsets.symmetric(horizontal: 20),
+      child: Row(
+        mainAxisSize: MainAxisSize.min,
+        children: [
+          Icon(icon, color: Colors.white),
+          const SizedBox(width: 8),
+          Text(label, style: const TextStyle(color: Colors.white)),
+        ],
+      ),
+    );
+  }
+}

lib/ui/widgets/secure_email_webview.dart

@@ -31,10 +31,13 @@ String buildEmailHtml(String htmlBody, {bool loadRemoteImages = false}) {
 <meta name="color-scheme" content="light">
 <meta http-equiv="Content-Security-Policy" content="$csp">
 <style>
-body { margin: 0; padding: 0; font-family: sans-serif; word-break: break-word; color-scheme: light; background-color: #ffffff; color: #000000; }
+body { margin: 0; padding: 0; font-family: sans-serif; word-break: break-word; overflow-x: hidden; color-scheme: light; background-color: #ffffff; color: #000000; }
 img { max-width: 100%; height: auto; }
 a { color: #1976D2; }
-* { box-sizing: border-box; }
+* { box-sizing: border-box; max-width: 100%; }
+table { width: 100%; border-collapse: collapse; }
+td, th { overflow-wrap: break-word; word-break: break-word; }
+pre { white-space: pre-wrap; word-break: break-word; overflow-x: auto; }
 </style>
 </head>
 <body>
@@ -108,12 +111,16 @@ class _SecureEmailWebViewState extends State<SecureEmailWebView> {
       );
 
   Future<void> _measureHeight(String _) async {
-    final result = await _controller!.runJavaScriptReturningResult(
-      'document.documentElement.scrollHeight',
-    );
-    final h = double.tryParse(result.toString());
-    if (h != null && h > 0 && mounted) {
-      setState(() => _height = h);
+    try {
+      final result = await _controller!.runJavaScriptReturningResult(
+        'document.documentElement.scrollHeight',
+      );
+      final h = double.tryParse(result.toString());
+      if (h != null && h > 0 && mounted) {
+        setState(() => _height = h);
+      }
+    } catch (_) {
+      // WebView not ready yet; height stays at default
     }
   }
 
@@ -184,12 +191,14 @@ class _SecureEmailWebViewState extends State<SecureEmailWebView> {
     );
 
     if (confirmed == true && mounted) {
-      final launched =
-          await launchUrl(uri, mode: LaunchMode.externalApplication);
+      final launched = await launchUrl(
+        uri,
+        mode: LaunchMode.externalApplication,
+      );
       if (!launched && mounted) {
-        ScaffoldMessenger.of(context).showSnackBar(
-          SnackBar(content: Text('Could not open: $url')),
-        );
+        ScaffoldMessenger.of(
+          context,
+        ).showSnackBar(SnackBar(content: Text('Could not open: $url')));
       }
     }
   }

lib/ui/widgets/thread_tile.dart

@@ -0,0 +1,121 @@
+import 'package:flutter/material.dart';
+import 'package:intl/intl.dart';
+
+import 'package:sharedinbox/core/models/email.dart';
+
+final _dateFmt = DateFormat('MMM d');
+// Cache formatted dates by local calendar day to avoid repeated DateFormat.format calls.
+final _formattedDates = <int, String>{};
+
+int _dayKey(DateTime dt) => dt.year * 10000 + dt.month * 100 + dt.day;
+
+String _fmtDate(DateTime dt) =>
+    _formattedDates[_dayKey(dt)] ??= _dateFmt.format(dt);
+
+/// A list tile for an [EmailThread].
+///
+/// Used in inbox lists, combined inbox, and search result lists.
+/// Pass a custom [leading] widget to support selection-mode checkboxes.
+/// Pass [locationLabel] to show an extra subtitle line (e.g. account name or
+/// "accountId • mailboxPath") — useful in cross-mailbox views.
+class ThreadTile extends StatelessWidget {
+  const ThreadTile({
+    super.key,
+    required this.thread,
+    required this.onTap,
+    this.leading,
+    this.selected = false,
+    this.onLongPress,
+    this.locationLabel,
+  });
+
+  final EmailThread thread;
+  final VoidCallback onTap;
+  final Widget? leading;
+  final bool selected;
+  final VoidCallback? onLongPress;
+
+  /// When non-null, appended as an extra subtitle line in primary colour.
+  final String? locationLabel;
+
+  @override
+  Widget build(BuildContext context) {
+    final senderNames = thread.participants.isEmpty
+        ? '(unknown)'
+        : thread.participants.map((a) => a.name ?? a.email).take(3).join(', ');
+
+    return ListTile(
+      leading: leading ??
+          Icon(
+            thread.hasUnread ? Icons.mail : Icons.mail_outline,
+            color:
+                thread.hasUnread ? Theme.of(context).colorScheme.primary : null,
+          ),
+      title: Row(
+        children: [
+          Expanded(
+            child: Text(
+              senderNames,
+              style: thread.hasUnread
+                  ? const TextStyle(fontWeight: FontWeight.bold)
+                  : null,
+              overflow: TextOverflow.ellipsis,
+            ),
+          ),
+          if (thread.messageCount > 1)
+            Padding(
+              padding: const EdgeInsets.only(left: 4),
+              child: Text(
+                '[${thread.messageCount}]',
+                style: Theme.of(context).textTheme.bodySmall,
+              ),
+            ),
+        ],
+      ),
+      subtitle: Column(
+        crossAxisAlignment: CrossAxisAlignment.start,
+        children: [
+          Text(
+            thread.subject ?? '(no subject)',
+            maxLines: 1,
+            overflow: TextOverflow.ellipsis,
+            style: thread.hasUnread
+                ? const TextStyle(fontWeight: FontWeight.bold)
+                : null,
+          ),
+          if (thread.preview != null && thread.preview!.isNotEmpty)
+            Text(
+              thread.preview!,
+              maxLines: 1,
+              overflow: TextOverflow.ellipsis,
+              style: Theme.of(context).textTheme.bodySmall,
+            ),
+          if (locationLabel != null)
+            Text(
+              locationLabel!,
+              maxLines: 1,
+              overflow: TextOverflow.ellipsis,
+              style: Theme.of(context).textTheme.bodySmall?.copyWith(
+                    color: Theme.of(context).colorScheme.primary,
+                  ),
+            ),
+        ],
+      ),
+      trailing: Row(
+        mainAxisSize: MainAxisSize.min,
+        children: [
+          if (thread.isFlagged)
+            const Icon(Icons.star, color: Colors.amber, size: 16),
+          const SizedBox(width: 4),
+          Text(
+            _fmtDate(thread.latestDate),
+            style: Theme.of(context).textTheme.bodySmall,
+          ),
+        ],
+      ),
+      selected: selected,
+      onTap: onTap,
+      onLongPress: onLongPress,
+    );
+  }
+}

plan.md

@@ -1,66 +0,0 @@
-# Next
-
-## Introduction
-
-Continue the momentum from the safety hardening and infrastructure work.
-The focus is on making the app ready for real-world use with robust error
-handling and performance optimizations.
-
-Create several small commits. Every commit should be self contained.
-
-while working create/append to plan.log, so that the user sees what you are working on.
-
-## Tasks
-
-### 0. deploy-android
-
-Make `task deploy-android` work.
-
-### 0.5 Debug duration of deploy-android
-
-Is there a way to make deploy-android faster?
-
-Use `task --verbose` to see what gets done.
-
-Maybe avoid doing things again, when nothing changed.
-Taskfile has features to avoid calling things again, when the input has not changed.
-
-### 1. Fix Android E2E Race Condition (aliceTile)
-
-The Android E2E test `integration_test/app_e2e_test.dart` is flaky. It fails
-at `tap(aliceTile)` with "0 widgets" even though `pumpUntil` found it.
-The current "double pumpUntil" fix isn't reliable enough.
-Investigate if the animation state or the Drift stream propagation is the
-culprit.
-
-### 2. Implement Global Crash Screen
-
-Wrap `main()` in `runZonedGuarded` to catch unhandled async errors.
-Implement a `CrashScreen` widget that shows the stack trace and a
-"Copy to Clipboard" button for user reporting.
-
-### 3. Database-Backed Threading
-
-Currently, emails are grouped into threads in-memory in the repository.
-Refactor to store thread relationships in the local SQLite database.
-This is necessary for performance on mailboxes with thousands of messages.
-
-### 4. Implement Undo for Bulk Actions
-
-Add a global "Undo" snackbar after deleting or moving emails.
-The system needs to handle the three sync states:
-- Queued (easy to undo)
-- In-progress (cancel network call)
-- Finished (requires a reverse move/un-delete)
-
-### 5. Transition to Real Account Testing
-
-Prepare the integration tests to run against a real test account
-(`si3e2e@thomas-guettler.de`) instead of the local Stalwart server.
-This verifies the app against real-world network latency and RFC edge cases.
-
-### 6. Coverage Gate Maintenance
-
-Reduce the `_excluded` list in `scripts/check_coverage.dart`.
-Add a test to ensure the exclusion list doesn't contain files that no longer
-exist ("ghost paths").

pubspec.lock

@@ -1021,7 +1021,7 @@ packages:
     source: hosted
     version: "0.44.4"
   stack_trace:
-    dependency: transitive
+    dependency: "direct main"
     description:
       name: stack_trace
       sha256: "8b27215b45d22309b5cddda1aa2b19bdfec9df0e765f2de506401c071d38d1b1"

pubspec.yaml

@@ -33,7 +33,7 @@ dependencies:
   flutter_secure_storage: ^10.0.0
 
   # Date formatting
-  intl: any
+  intl: ^0.20.2
 
   # File picking (compose attachments) and opening downloaded attachments
   file_picker: ^12.0.0-beta.4
@@ -58,6 +58,9 @@ dependencies:
   flutter_local_notifications: ^21.0.0
   workmanager: ^0.9.0
 
+  # Stack trace chain-to-VM conversion for FlutterError.demangleStackTrace
+  stack_trace: ^1.12.1
+
   # App version metadata for crash reports
   package_info_plus: ^10.1.0
   share_plus: ^13.1.0

renovate.json

@@ -5,6 +5,35 @@
   ],
   "labels": ["dependencies"],
   "github-actions": {
-    "fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"]
-  }
+    "enabled": false
+  },
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest", "lockFileMaintenance"],
+      "addLabels": ["automerge"]
+    },
+    {
+      "matchManagers": ["gomod"],
+      "matchFileNames": ["ci/**"],
+      "enabled": false
+    }
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": ["^\\.forgejo/Dockerfile$"],
+      "matchStrings": ["DAGGER_VERSION=(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)"],
+      "depNameTemplate": "dagger/dagger",
+      "datasourceTemplate": "github-releases",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "fileMatch": ["^DAGGER\\.md$"],
+      "matchStrings": ["github:dagger/nix/v(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)#dagger"],
+      "depNameTemplate": "dagger/dagger",
+      "datasourceTemplate": "github-releases",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    }
+  ]
 }

scripts/build_android_bundle_local.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+tmp=$(mktemp /dev/shm/keystore.XXXXXX.jks)
+trap "rm -f $tmp" EXIT
+
+printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "$tmp"
+
+ANDROID_KEYSTORE_PATH="$tmp" \
+ANDROID_HOME="${ANDROID_HOME:-$HOME/Android/Sdk}" \
+fvm flutter build appbundle --release --no-pub \
+  --build-number "$(date +%s)" \
+  --build-name "$(date +%y%m%d-%H%M)" \
+  --dart-define="GIT_HASH=$(git rev-parse --short HEAD)" \
+  | grep -Ev "was tree-shaken|Tree-shaking can be disabled"

scripts/check_ci_images.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# Verify that every container image referenced in ci/main.go is reachable.
+# Runs skopeo inspect (manifest-only, no layer pull) for each From("...") call.
+set -euo pipefail
+
+ROOT=$(git rev-parse --show-toplevel)
+FILE="$ROOT/ci/main.go"
+
+# Static images from From("...") literals in ci/main.go
+static_images=$(grep -oP 'From\("\K[^"]+' "$FILE" | grep -v ':$' | sort -u)
+
+# Dynamic Flutter image derived from .fvmrc (not a literal in main.go)
+FVMRC="$ROOT/.fvmrc"
+flutter_version=$(python3 -c "import json; print(json.load(open('$FVMRC'))['flutter'])" 2>/dev/null || true)
+flutter_image=""
+if [ -n "$flutter_version" ]; then
+  flutter_image="ghcr.io/cirruslabs/flutter:$flutter_version"
+fi
+
+images=$(printf '%s\n%s\n' "$static_images" "$flutter_image" | grep -v '^$' | sort -u)
+
+if [ -z "$images" ]; then
+  echo "check-ci-images: no From() image references found in $FILE"
+  exit 0
+fi
+
+fail=0
+while IFS= read -r image; do
+  printf "check-ci-images: %-55s" "$image"
+  if skopeo inspect --no-creds "docker://$image" > /dev/null 2>&1; then
+    echo "OK"
+  else
+    echo "NOT FOUND"
+    fail=1
+  fi
+done <<< "$images"
+
+if [ "$fail" -eq 1 ]; then
+  echo ""
+  echo "ERROR: one or more container images in ci/main.go could not be resolved."
+  echo "Fix the image tag before committing."
+  exit 1
+fi

scripts/check_coverage.dart

@@ -20,7 +20,9 @@ const _noCode = {
   'lib/core/repositories/sync_log_repository.dart',
   'lib/core/repositories/undo_repository.dart',
   'lib/core/repositories/search_history_repository.dart',
+  'lib/core/repositories/user_preferences_repository.dart',
   'lib/core/models/undo_action.dart',
+  'lib/core/models/user_preferences.dart',
   'lib/core/storage/secure_storage.dart',
 };
 
@@ -39,7 +41,9 @@ const _excluded = {
   'lib/ui/screens/account_send_screen.dart',
   'lib/ui/screens/add_account_screen.dart',
   'lib/ui/screens/address_emails_screen.dart',
+  'lib/ui/screens/bug_report_screen.dart',
   'lib/ui/screens/changelog_screen.dart',
+  'lib/ui/screens/combined_inbox_screen.dart',
   'lib/ui/screens/compose_screen.dart',
   'lib/ui/screens/crash_screen.dart',
   'lib/ui/screens/edit_account_screen.dart',
@@ -58,7 +62,9 @@ const _excluded = {
   'lib/ui/widgets/try_connection_button.dart',
   'lib/ui/widgets/undo_shell.dart',
   'lib/ui/screens/about_screen.dart',
+  'lib/ui/screens/email_action_helpers.dart',
   'lib/ui/utils/about_markdown.dart',
+  'lib/ui/widgets/email_headers_dialog.dart',
   'lib/ui/widgets/email_tile.dart',
   'lib/core/sync/account_sync_manager.dart',
   'lib/core/sync/background_sync.dart',
@@ -72,7 +78,12 @@ const _excluded = {
   'lib/data/repositories/sync_log_repository_impl.dart',
   'lib/data/repositories/undo_repository_impl.dart',
   'lib/data/repositories/search_history_repository_impl.dart',
+  'lib/data/repositories/user_preferences_repository_impl.dart',
+  'lib/ui/screens/user_preferences_screen.dart',
   'lib/core/services/update_service.dart',
+  'lib/ui/widgets/email_thread_tile.dart',
+  'lib/ui/screens/trusted_image_senders_screen.dart',
+  'lib/ui/widgets/thread_tile.dart',
 };
 
 void main() {

scripts/run_firebase_test.sh

@@ -34,7 +34,7 @@ _filter_noise() {
 _run() {
     : > "$OUT" ; : > "$RC_FILE"
     {
-        dagger call --progress=plain -q -m ci --source=. test-android-firebase \
+        timeout --kill-after=10 2400 dagger call --progress=plain -q -m ci --source=. test-android-firebase \
             --service-account-key env:FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY \
             --project-id "$FIREBASE_PROJECT_ID"
         echo $? > "$RC_FILE"
@@ -44,6 +44,10 @@ _run() {
 for attempt in 1 2 3; do
     _run && break
     RC=$(cat "$RC_FILE" 2>/dev/null || echo 1)
+    if [ "$RC" -eq 124 ]; then
+        echo "::warning::[firebase] attempt $attempt/3 timed out after 2400s" >&2
+        exit 124
+    fi
     if [ "$attempt" -lt 3 ] && grep -qE "connection reset|context canceled|connection refused|No Dagger server responded" "$OUT"; then
         echo "[firebase] dagger connectivity error on attempt $attempt/3, retrying..." >&2
     else

scripts/setup_dagger_remote.sh

@@ -1,102 +1,91 @@
 #!/usr/bin/env bash
-# Establishes a secure tunnel to a remote Dagger Engine via stunnel.
 set -euo pipefail
+[ "${CI:-}" = "true" ] || [ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 
-if [ -z "${DAGGER_STUNNEL_URL:-}" ]; then
-    echo "Error: DAGGER_STUNNEL_URL must be set."
+if [ -z "${SOPS_AGE_KEY:-}" ]; then
+    echo "Error: SOPS_AGE_KEY must be set."
     exit 1
 fi
 
-# Parse host and port (e.g., example.com:8774 or just example.com)
-host=$(echo "$DAGGER_STUNNEL_URL" | cut -d: -f1)
-port=$(echo "$DAGGER_STUNNEL_URL" | cut -d: -f2)
-if [ "$host" == "$port" ]; then
-    port="8774"
-fi
+echo "Decrypting secrets with SOPS..."
+export SOPS_AGE_KEY="$SOPS_AGE_KEY"
+SECRETS_JSON=$(mktemp)
+trap "rm -f $SECRETS_JSON" EXIT
 
-MAX_PROBE_ATTEMPTS=5
-PROBE_DELAY=30
-for attempt in $(seq 1 $MAX_PROBE_ATTEMPTS); do
-    echo "Probing $host:$port (attempt $attempt/$MAX_PROBE_ATTEMPTS)..."
-    if nc -zw 5 "$host" "$port" 2>/dev/null; then
-        echo "Found active server on $host:$port"
-        break
-    fi
-    if [ "$attempt" -eq "$MAX_PROBE_ATTEMPTS" ]; then
-        echo "Warning: No Dagger server responded on $host:$port after $MAX_PROBE_ATTEMPTS attempts"
-        echo "Remote engine unavailable — CI will use the local Dagger engine."
-        exit 0
-    fi
-    echo "Dagger server not responding, waiting ${PROBE_DELAY}s before retry..."
-    sleep $PROBE_DELAY
-done
+sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 
-# 2a. Try plain TCP connection first (works when server is a plain TCP proxy, no TLS)
-echo "Trying plain TCP Dagger connection at tcp://$host:$port..."
-if _DAGGER_RUNNER_HOST="tcp://$host:$port" \
-   _EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://$host:$port" \
-   timeout 8 dagger version >/dev/null 2>&1; then
-    echo "Plain TCP Dagger connection succeeded — no TLS stunnel needed."
+DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
+DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
+
+# Export all CI secrets to the GitHub Actions environment so subsequent steps
+# can use them without referencing Forgejo secrets directly.
+export_secret() {
+    local name="$1"
+    local value
+    value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
     if [ -n "${GITHUB_ENV:-}" ]; then
-        echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://$host:$port" >> "$GITHUB_ENV"
-        echo "_DAGGER_RUNNER_HOST=tcp://$host:$port" >> "$GITHUB_ENV"
-    else
-        export _EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://$host:$port"
-        export _DAGGER_RUNNER_HOST="tcp://$host:$port"
-        echo "Dagger configured at tcp://$host:$port (plain TCP)"
+        # Use heredoc syntax for multiline-safe export.
+        # Avoid adding a second trailing newline for values that already end with one
+        # (e.g. SSH private keys), which can corrupt PEM parsing.
+        {
+            printf '%s<<__EOF__\n' "$name"
+            printf '%s' "$value"
+            [ "${value%$'\n'}" = "$value" ] && printf '\n'
+            printf '__EOF__\n'
+        } >> "$GITHUB_ENV"
     fi
-    exit 0
+    printf '[secrets] exported %s (%d chars)\n' "$name" "${#value}"
+}
+
+export_secret "SSH_PRIVATE_KEY"
+export_secret "SSH_KNOWN_HOSTS"
+export_secret "SSH_USER"
+export_secret "SSH_HOST"
+export_secret "WEBSITE_SSH_HOST"
+export_secret "PLAY_STORE_CONFIG_JSON"
+export_secret "ANDROID_KEYSTORE_BASE64"
+export_secret "ANDROID_KEYSTORE_PASSWORD"
+export_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
+export_secret "RENOVATE_FORGEJO_TOKEN"
+
+# Setup SSH directory and keys
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+rm -f ~/.ssh/dagger_key
+echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
+chmod 600 ~/.ssh/dagger_key
+
+# Add remote host to known_hosts
+_t0=$SECONDS
+timeout 30 ssh-keyscan -H "$DAGGER_ENGINE_HOST" >> ~/.ssh/known_hosts 2>/dev/null
+_elapsed=$(( SECONDS - _t0 ))
+if [ "$_elapsed" -gt 10 ]; then
+    echo "::warning::ssh-keyscan took ${_elapsed}s — Dagger engine host may be slow to respond"
 fi
-echo "Plain TCP connection not available; trying TLS stunnel..."
 
-# 2b. Setup TLS credentials (passed as env vars from secrets)
-mkdir -p /tmp/dagger-tls
-echo "$DAGGER_CA_CERT" > /tmp/dagger-tls/ca.crt
-echo "$DAGGER_CLIENT_CERT" > /tmp/dagger-tls/client.crt
-echo "$DAGGER_CLIENT_KEY" > /tmp/dagger-tls/client.key
-chmod 600 /tmp/dagger-tls/client.key
+# Create a background SSH tunnel to the Dagger engine.
+# We map local port 8080 to remote port 1774 (where our socat bridge is listening).
+echo "Establishing SSH tunnel to $DAGGER_ENGINE_HOST..."
+_t0=$SECONDS
+timeout 30 ssh -i ~/.ssh/dagger_key -o StrictHostKeyChecking=no -f -N -L 8080:localhost:1774 "dagger@$DAGGER_ENGINE_HOST"
+_elapsed=$(( SECONDS - _t0 ))
+if [ "$_elapsed" -gt 10 ]; then
+    echo "::warning::SSH tunnel setup took ${_elapsed}s"
+fi
 
-# 3. Configure and start stunnel
-STUNNEL_CONF="/tmp/stunnel-dagger.conf"
-cat << EOF > "$STUNNEL_CONF"
-client = yes
-foreground = yes
-pid = /tmp/stunnel.pid
-debug = warning
-; TCP keepalive on the remote side to prevent NAT/firewall from resetting the connection
-socket = r:SO_KEEPALIVE=1
-socket = r:TCP_KEEPIDLE=10
-socket = r:TCP_KEEPINTVL=5
-socket = r:TCP_KEEPCNT=3
+# Export _EXPERIMENTAL_DAGGER_RUNNER_HOST to use the tunnel.
+export _EXPERIMENTAL_DAGGER_RUNNER_HOST="tcp://localhost:8080"
+if [ -n "${GITHUB_ENV:-}" ]; then
+    echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://localhost:8080" >> "$GITHUB_ENV"
+fi
 
-[dagger]
-accept = 127.0.0.1:1774
-connect = $host:$port
-CAfile = /tmp/dagger-tls/ca.crt
-cert = /tmp/dagger-tls/client.crt
-key = /tmp/dagger-tls/client.key
-verifyChain = yes
-EOF
-
-# Start stunnel in the background
-stunnel "$STUNNEL_CONF" &
-TUNNEL_PID=$!
-
-# Give it a moment to establish
-sleep 2
-
-if ! kill -0 "$TUNNEL_PID" 2>/dev/null; then
-    echo "Error: stunnel failed to start"
+# Verify the connection
+echo "Verifying connection to Dagger engine via SSH tunnel..."
+# Use a simple command that doesn't require complex GraphQL operations.
+if ! timeout 45 dagger core --help >/dev/null 2>&1 ; then
+    echo "Error: Dagger engine unreachable via tunnel at localhost:8080"
+    # Debug
+    ps aux | grep ssh
     exit 1
 fi
-
-# 4. Export environment for subsequent CI steps
-if [ -n "${GITHUB_ENV:-}" ]; then
-    echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774" >> "$GITHUB_ENV"
-    echo "_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774" >> "$GITHUB_ENV"
-    echo "Tunnel established. Dagger is configured to use the remote engine."
-else
-    export _EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774
-    export _DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774
-    echo "Tunnel established. Run: export _DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774"
-fi
+echo "Dagger connection verified successfully."

scripts/test_agent_loop.py

@@ -1,938 +0,0 @@
-#!/usr/bin/env python3
-"""Tests for agent_loop.py."""
-import contextlib
-import io
-import json
-import os
-import tempfile
-import unittest
-from datetime import datetime, timedelta, timezone
-from pathlib import Path
-from unittest.mock import MagicMock, patch
-
-import sys
-sys.path.insert(0, str(Path(__file__).parent))
-
-import agent_loop
-
-
-class TestUrlHelpers(unittest.TestCase):
-    def test_issue_url(self):
-        url = agent_loop._issue_url(128)
-        self.assertEqual(url, "https://codeberg.org/guettli/sharedinbox/issues/128")
-
-    def test_ci_run_url(self):
-        url = agent_loop._ci_run_url(4145144)
-        self.assertEqual(url, "https://codeberg.org/guettli/sharedinbox/actions/runs/4145144")
-
-
-class TestStateFile(unittest.TestCase):
-    def setUp(self):
-        self._tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".json")
-        self._tmp.close()
-        self._orig = agent_loop.STATE_FILE
-        agent_loop.STATE_FILE = Path(self._tmp.name)
-        Path(self._tmp.name).unlink()  # Start with no state file.
-
-    def tearDown(self):
-        agent_loop.STATE_FILE = self._orig
-        Path(self._tmp.name).unlink(missing_ok=True)
-
-    def test_write_state_stores_pid(self):
-        agent_loop._write_state(12345, 91, "issue")
-        data = json.loads(Path(self._tmp.name).read_text())
-        self.assertEqual(data["pid"], 12345)
-        self.assertNotIn("tmux_session", data)
-
-    def test_write_state_stores_issue_and_kind(self):
-        agent_loop._write_state(99, 7, "ci-fix")
-        data = json.loads(Path(self._tmp.name).read_text())
-        self.assertEqual(data["issue"], 7)
-        self.assertEqual(data["type"], "ci-fix")
-        self.assertIn("started_at", data)
-
-    def test_read_state_returns_none_when_missing(self):
-        self.assertIsNone(agent_loop._read_state())
-
-    def test_read_and_write_roundtrip(self):
-        agent_loop._write_state(42, 10, "issue")
-        state = agent_loop._read_state()
-        self.assertIsNotNone(state)
-        self.assertEqual(state["pid"], 42)
-        self.assertEqual(state["issue"], 10)
-
-    def test_clear_state_removes_file(self):
-        agent_loop._write_state(1, None, "ci-fix")
-        agent_loop._clear_state()
-        self.assertIsNone(agent_loop._read_state())
-
-    def test_write_state_stores_issue_title(self):
-        agent_loop._write_state(42, 10, "issue", "My Test Issue")
-        data = json.loads(Path(self._tmp.name).read_text())
-        self.assertEqual(data["issue_title"], "My Test Issue")
-
-    def test_write_state_omits_issue_title_when_none(self):
-        agent_loop._write_state(42, None, "ci-fix")
-        data = json.loads(Path(self._tmp.name).read_text())
-        self.assertNotIn("issue_title", data)
-
-
-class TestAgentAlive(unittest.TestCase):
-    def test_own_pid_is_alive(self):
-        self.assertTrue(agent_loop._agent_alive({"pid": os.getpid()}))
-
-    def test_nonexistent_pid_is_dead(self):
-        self.assertFalse(agent_loop._agent_alive({"pid": 999999999}))
-
-    def test_missing_pid_returns_false(self):
-        self.assertFalse(agent_loop._agent_alive({}))
-        self.assertFalse(agent_loop._agent_alive({"pid": None}))
-
-
-class TestIsClaudeProcess(unittest.TestCase):
-    def test_returns_true_for_claude_comm(self):
-        with patch.object(agent_loop.Path, "read_text", return_value="claude\n"):
-            self.assertTrue(agent_loop._is_claude_process(1234))
-
-    def test_returns_true_for_node_comm(self):
-        with patch.object(agent_loop.Path, "read_text", return_value="node\n"):
-            self.assertTrue(agent_loop._is_claude_process(1234))
-
-    def test_returns_false_for_other_process(self):
-        with patch.object(agent_loop.Path, "read_text", return_value="bash\n"):
-            self.assertFalse(agent_loop._is_claude_process(1234))
-
-    def test_returns_false_when_proc_missing(self):
-        with patch.object(agent_loop.Path, "read_text", side_effect=OSError):
-            self.assertFalse(agent_loop._is_claude_process(1234))
-
-
-class TestKillAgent(unittest.TestCase):
-    def test_kill_sends_sigkill(self):
-        with patch("agent_loop._is_claude_process", return_value=True):
-            with patch("agent_loop.os.kill") as mock_kill:
-                agent_loop._kill_agent({"pid": 1234})
-                mock_kill.assert_called_once_with(1234, 9)
-
-    def test_kill_ignores_missing_process(self):
-        with patch("agent_loop._is_claude_process", return_value=True):
-            with patch("agent_loop.os.kill", side_effect=ProcessLookupError):
-                agent_loop._kill_agent({"pid": 1234})  # Should not raise.
-
-    def test_kill_noop_when_no_pid(self):
-        with patch("agent_loop.os.kill") as mock_kill:
-            agent_loop._kill_agent({})
-            mock_kill.assert_not_called()
-
-    def test_kill_skips_recycled_pid(self):
-        with patch("agent_loop._is_claude_process", return_value=False):
-            with patch("agent_loop.os.kill") as mock_kill:
-                agent_loop._kill_agent({"pid": 1234})
-                mock_kill.assert_not_called()
-
-
-class TestStartAgent(unittest.TestCase):
-    def _make_mock_proc(self, pid=42):
-        proc = MagicMock()
-        proc.pid = pid
-        proc.stdin = io.BytesIO()
-        return proc
-
-    def test_start_agent_returns_pid(self):
-        mock_proc = self._make_mock_proc(pid=42)
-        with tempfile.TemporaryDirectory() as tmpdir:
-            with patch("agent_loop.subprocess.Popen", return_value=mock_proc):
-                with patch.object(agent_loop.Path, "home", return_value=Path(tmpdir)):
-                    result = agent_loop._start_agent("do something", "issue-99")
-        self.assertEqual(result, 42)
-
-    def test_start_agent_uses_popen_not_tmux(self):
-        mock_proc = self._make_mock_proc(pid=7)
-        with tempfile.TemporaryDirectory() as tmpdir:
-            with patch("agent_loop.subprocess.Popen", return_value=mock_proc) as mock_popen:
-                with patch("agent_loop.subprocess.run") as mock_run:
-                    with patch.object(agent_loop.Path, "home", return_value=Path(tmpdir)):
-                        agent_loop._start_agent("prompt", "ci-fix")
-            mock_popen.assert_called_once()
-            mock_run.assert_not_called()
-
-    def test_start_agent_passes_session_name_to_claude(self):
-        mock_proc = self._make_mock_proc(pid=7)
-        with tempfile.TemporaryDirectory() as tmpdir:
-            with patch("agent_loop.subprocess.Popen", return_value=mock_proc) as mock_popen:
-                with patch.object(agent_loop.Path, "home", return_value=Path(tmpdir)):
-                    agent_loop._start_agent("prompt", "issue-55")
-            cmd = mock_popen.call_args[0][0]
-            self.assertIn("issue-55", cmd)
-            self.assertIn("claude", cmd[0])
-
-    def test_start_agent_uses_start_new_session(self):
-        mock_proc = self._make_mock_proc(pid=7)
-        with tempfile.TemporaryDirectory() as tmpdir:
-            with patch("agent_loop.subprocess.Popen", return_value=mock_proc) as mock_popen:
-                with patch.object(agent_loop.Path, "home", return_value=Path(tmpdir)):
-                    agent_loop._start_agent("prompt", "issue-55")
-            kwargs = mock_popen.call_args[1]
-            self.assertTrue(kwargs.get("start_new_session"))
-
-
-class TestMain(unittest.TestCase):
-    """Tests for the main() flow."""
-
-    def _make_mock_proc(self, pid=42):
-        proc = MagicMock()
-        proc.pid = pid
-        proc.stdin = io.BytesIO()
-        return proc
-
-    def _make_issue(self, number=10, title="Do something"):
-        return {"number": number, "title": title, "body": "", "labels": []}
-
-    def test_sets_in_progress_before_starting_agent(self):
-        """_set_labels(InProgress) must be called before _start_agent."""
-        call_order = []
-        mock_proc = self._make_mock_proc(pid=55)
-
-        def fake_set_labels(issue, add, remove):
-            call_order.append(("set_labels", add, remove))
-
-        def fake_start_agent(prompt, session_name):
-            call_order.append(("start_agent", session_name))
-            return 55
-
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[self._make_issue(10)]), \
-             patch("agent_loop._set_labels", side_effect=fake_set_labels), \
-             patch("agent_loop._start_agent", side_effect=fake_start_agent), \
-             patch("agent_loop._write_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        labels_idx = next(
-            i for i, c in enumerate(call_order) if c[0] == "set_labels"
-        )
-        agent_idx = next(
-            i for i, c in enumerate(call_order) if c[0] == "start_agent"
-        )
-        self.assertLess(labels_idx, agent_idx,
-                        "_set_labels must be called before _start_agent")
-
-    def test_sets_in_progress_label_and_removes_ready(self):
-        """The InProgress label is added and the Ready label is removed."""
-        captured = {}
-
-        def fake_set_labels(issue, add, remove):
-            captured["add"] = add
-            captured["remove"] = remove
-
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[self._make_issue(7)]), \
-             patch("agent_loop._set_labels", side_effect=fake_set_labels), \
-             patch("agent_loop._start_agent", return_value=99), \
-             patch("agent_loop._write_state"):
-            agent_loop._run_loop()
-
-        self.assertIn(agent_loop.LABEL_IN_PROGRESS, captured.get("add", []))
-        self.assertIn(agent_loop.LABEL_READY, captured.get("remove", []))
-
-    def test_no_ready_issues_does_nothing(self):
-        """main() exits cleanly with 0 when there are no ready issues."""
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]), \
-             patch("agent_loop._set_labels") as mock_labels, \
-             patch("agent_loop._start_agent") as mock_start:
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_labels.assert_not_called()
-        mock_start.assert_not_called()
-
-    def test_prompt_does_not_tell_agent_to_close_issue(self):
-        """Agents must not close issues; the loop handles closing after CI passes."""
-        captured_prompt = {}
-
-        def fake_start_agent(prompt, session_name):
-            captured_prompt["prompt"] = prompt
-            return 77
-
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[self._make_issue(42)]), \
-             patch("agent_loop._set_labels"), \
-             patch("agent_loop._start_agent", side_effect=fake_start_agent), \
-             patch("agent_loop._write_state"):
-            agent_loop._run_loop()
-
-        prompt = captured_prompt.get("prompt", "")
-        # "do NOT close the issue" (blocker instruction) is fine; what must be
-        # absent is any affirmative instruction to close on completion.
-        self.assertNotIn("close the issue and stop", prompt.lower())
-
-
-class TestPendingCi(unittest.TestCase):
-    """Tests for the pending-CI state: issue closed only after CI passes."""
-
-    def _dead_state(self, issue: int, kind: str = "issue") -> dict:
-        return {
-            "pid": 999999999,  # non-existent PID
-            "issue": issue,
-            "started_at": "2026-01-01T00:00:00+00:00",
-            "type": kind,
-        }
-
-    def _open_pr(self, branch: str = "issue-10-fix") -> dict:
-        return {"number": 5, "head": {"ref": branch}, "created_at": "2026-01-01T00:00:00+00:00"}
-
-    def _find_pr_open(self, branch, state="open"):
-        if state == "open":
-            return self._open_pr(branch)
-        return None
-
-    def test_closes_issue_when_ci_passes_after_agent_finishes(self):
-        """After issue agent finishes, loop merges the PR and closes the issue once CI is green."""
-        # First call: PR found open. Second call (post-merge verification): PR closed.
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr") as mock_merge, \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_merge.assert_called_once_with(5)
-        mock_close.assert_called_once_with(10)
-
-    def test_ci_passed_output_includes_ci_run_url(self):
-        """'CI passed' line includes the CI run URL when a run is available."""
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 4145144, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._close_issue"), \
-             patch("agent_loop._clear_state"), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        output = buf.getvalue()
-        self.assertIn("https://codeberg.org/guettli/sharedinbox/actions/runs/4145144", output)
-        self.assertIn("https://codeberg.org/guettli/sharedinbox/issues/10", output)
-
-    def test_already_merged_pr_closes_issue_without_ci_url(self):
-        """When the PR was already merged, the issue is closed and no CI run URL appears."""
-        def find_pr(branch, state="open"):
-            if state == "closed":
-                return {"number": 5, "merged": True}
-            return None
-
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=find_pr), \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"), \
-             contextlib.redirect_stdout(buf):
-            result = agent_loop._run_loop()
-        output = buf.getvalue()
-        self.assertEqual(result, 0)
-        mock_close.assert_called_once_with(10)
-        self.assertIn("already merged", output)
-        self.assertNotIn("/actions/runs/", output)
-
-    def test_no_pr_found_sets_question_label(self):
-        """When no open or merged PR exists for the pending branch, set State/Question."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", return_value=None), \
-             patch("agent_loop._set_labels") as mock_labels, \
-             patch("agent_loop._comment_issue") as mock_comment, \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_not_called()
-        mock_labels.assert_called_once_with(
-            10,
-            add=[agent_loop.LABEL_QUESTION],
-            remove=[agent_loop.LABEL_IN_PROGRESS],
-        )
-        mock_comment.assert_called_once()
-        self.assertIn("issue-10-fix", mock_comment.call_args[0][1])
-
-    def test_does_not_close_issue_when_ci_fails(self):
-        """After issue agent finishes, loop must NOT close the issue if CI failed on PR branch."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "failure"}), \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._start_agent", return_value=55), \
-             patch("agent_loop._write_state"), \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_not_called()
-
-    def test_saves_pending_ci_state_while_ci_running(self):
-        """When CI is still running on PR branch after agent finishes, pending issue is preserved."""
-        written = {}
-
-        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
-            written["pid"] = pid
-            written["issue"] = issue
-            written["kind"] = kind
-
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "running"}), \
-             patch("agent_loop._write_state", side_effect=fake_write_state), \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        self.assertEqual(written.get("issue"), 10)
-        self.assertEqual(written.get("kind"), "pending-ci")
-        self.assertIsNone(written.get("pid"))
-
-    def test_ci_fix_preserves_pending_issue_in_state(self):
-        """When CI fails on PR branch after agent finishes, ci-fix state includes the pending issue."""
-        written = {}
-
-        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
-            written["pid"] = pid
-            written["issue"] = issue
-            written["kind"] = kind
-
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=self._find_pr_open), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "failure"}), \
-             patch("agent_loop._start_agent", return_value=55), \
-             patch("agent_loop._write_state", side_effect=fake_write_state), \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        self.assertEqual(written.get("issue"), 10)
-        self.assertEqual(written.get("kind"), "ci-fix")
-
-    def test_closes_issue_after_ci_fix_and_ci_passes(self):
-        """After ci-fix agent finishes and CI passes on PR branch, the pending issue is closed."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10, "ci-fix")), \
-             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), None]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr") as mock_merge, \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_merge.assert_called_once_with(5)
-        mock_close.assert_called_once_with(10)
-
-    def test_no_pending_issue_ci_fix_without_issue(self):
-        """ci-fix for a manual push (no pending issue) does not try to close anything."""
-        with patch("agent_loop._read_state", return_value={
-            "pid": 999999999, "issue": None, "started_at": "2026-01-01T00:00:00+00:00",
-            "type": "ci-fix",
-        }), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._ready_issues", return_value=[]), \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_not_called()
-
-
-class TestOutputFormat(unittest.TestCase):
-    """Verify output format: no [agent_loop] prefix, URLs in output."""
-
-    def test_output_starts_with_header(self):
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        first_line = buf.getvalue().splitlines()[0]
-        self.assertTrue(first_line.startswith("---------------------- Starting "),
-                        f"Unexpected first line: {first_line!r}")
-
-    def test_no_agent_loop_prefix_in_output(self):
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        self.assertNotIn("[agent_loop]", buf.getvalue())
-
-    def test_ci_run_output_contains_url(self):
-        run = {"id": 4145144, "status": "running"}
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=run), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        self.assertIn("https://codeberg.org/guettli/sharedinbox/actions/runs/4145144",
-                      buf.getvalue())
-
-    def test_issue_output_contains_url_and_title(self):
-        issue = {"number": 128, "title": "Fix something", "body": "", "labels": []}
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[issue]), \
-             patch("agent_loop._set_labels"), \
-             patch("agent_loop._start_agent", return_value=99), \
-             patch("agent_loop._write_state"), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        output = buf.getvalue()
-        self.assertIn("https://codeberg.org/guettli/sharedinbox/issues/128", output)
-        self.assertIn("Fix something", output)
-
-
-class TestLatestMainCiRun(unittest.TestCase):
-    """_latest_main_ci_run() must return only ci.yml push-to-main runs."""
-
-    def _ci_run(self, run_id, status="success"):
-        return {"event": "push", "prettyref": "main", "workflow_id": "ci.yml",
-                "status": status, "id": run_id}
-
-    def _deploy_run(self, run_id, status="success"):
-        return {"event": "push", "prettyref": "main", "workflow_id": "deploy.yml",
-                "status": status, "id": run_id}
-
-    def test_skips_deploy_run_returns_ci_run(self):
-        # Forgejo reports deploy.yml schedule runs as event=push/prettyref=main;
-        # must be excluded by workflow_id filter.
-        runs = [self._deploy_run(1), self._ci_run(2)]
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
-            result = agent_loop._latest_main_ci_run()
-        self.assertIsNotNone(result)
-        self.assertEqual(result["id"], 2)
-
-    def test_returns_none_when_only_deploy_runs_exist(self):
-        runs = [self._deploy_run(1)]
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
-            result = agent_loop._latest_main_ci_run()
-        self.assertIsNone(result)
-
-    def test_returns_none_when_only_schedule_runs_exist(self):
-        runs = [{"event": "schedule", "prettyref": "main", "workflow_id": "deploy.yml",
-                 "status": "success", "id": 1}]
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
-            result = agent_loop._latest_main_ci_run()
-        self.assertIsNone(result)
-
-    def test_returns_ci_push_to_main_run(self):
-        runs = [self._ci_run(42, status="running")]
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
-            result = agent_loop._latest_main_ci_run()
-        self.assertIsNotNone(result)
-        self.assertEqual(result["id"], 42)
-
-
-class TestLatestCiRunForBranch(unittest.TestCase):
-    """Tests for _latest_ci_run_for_branch — Forgejo API field mapping."""
-
-    def _make_pr_run(self, branch: str, status: str = "success") -> dict:
-        payload = json.dumps({"pull_request": {"head": {"ref": branch}}})
-        return {"event": "pull_request", "event_payload": payload, "status": status, "id": 1}
-
-    def _make_push_run(self, prettyref: str, status: str = "success") -> dict:
-        return {"event": "push", "prettyref": prettyref, "status": status, "id": 2}
-
-    def _mock_tea_runs(self, runs):
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}) as m:
-            yield m
-
-    def test_pr_event_matches_via_event_payload(self):
-        run = self._make_pr_run("issue-166-fix")
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertIsNotNone(result)
-        self.assertEqual(result["id"], 1)
-
-    def test_pr_event_does_not_match_wrong_branch(self):
-        run = self._make_pr_run("issue-99-fix")
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertIsNone(result)
-
-    def test_push_event_matches_via_prettyref(self):
-        run = self._make_push_run("issue-166-fix")
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertIsNotNone(result)
-        self.assertEqual(result["id"], 2)
-
-    def test_push_event_prettyref_pr_number_does_not_match_branch(self):
-        # Forgejo sets prettyref="#169" for PR runs — must not match branch name.
-        run = {"event": "push", "prettyref": "#169", "status": "success", "id": 3}
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertIsNone(result)
-
-    def test_head_branch_field_absent_still_works(self):
-        # Regression: the old code used run.get("head_branch") which is absent in Forgejo.
-        run = self._make_pr_run("issue-166-fix")
-        self.assertNotIn("head_branch", run)
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertIsNotNone(result)
-
-    def test_returns_none_when_no_runs(self):
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": []}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertIsNone(result)
-
-    def test_returns_first_matching_run(self):
-        runs = [
-            self._make_pr_run("issue-166-fix", status="success"),
-            self._make_pr_run("issue-166-fix", status="failure"),
-        ]
-        runs[0]["id"] = 10
-        runs[1]["id"] = 11
-        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
-            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
-        self.assertEqual(result["id"], 10)
-
-
-class TestFindSessionUuid(unittest.TestCase):
-    """Tests for _find_session_uuid()."""
-
-    def _write_jsonl(self, directory: Path, filename: str, entries: list) -> Path:
-        path = directory / filename
-        with path.open("w") as fh:
-            for entry in entries:
-                fh.write(json.dumps(entry) + "\n")
-        return path
-
-    def test_returns_uuid_for_matching_session_name(self):
-        with tempfile.TemporaryDirectory() as tmpdir:
-            projects_dir = Path(tmpdir)
-            self._write_jsonl(projects_dir, "abc123.jsonl", [
-                {"type": "agent-name", "agentName": "issue-91", "sessionId": "uuid-abc-123"},
-            ])
-            orig = agent_loop.CLAUDE_PROJECTS_DIR
-            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
-            try:
-                result = agent_loop._find_session_uuid("issue-91")
-            finally:
-                agent_loop.CLAUDE_PROJECTS_DIR = orig
-        self.assertEqual(result, "uuid-abc-123")
-
-    def test_returns_none_when_name_does_not_match(self):
-        with tempfile.TemporaryDirectory() as tmpdir:
-            projects_dir = Path(tmpdir)
-            self._write_jsonl(projects_dir, "abc123.jsonl", [
-                {"type": "agent-name", "agentName": "issue-99", "sessionId": "uuid-abc-123"},
-            ])
-            orig = agent_loop.CLAUDE_PROJECTS_DIR
-            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
-            try:
-                result = agent_loop._find_session_uuid("issue-91")
-            finally:
-                agent_loop.CLAUDE_PROJECTS_DIR = orig
-        self.assertIsNone(result)
-
-    def test_returns_none_when_directory_missing(self):
-        orig = agent_loop.CLAUDE_PROJECTS_DIR
-        agent_loop.CLAUDE_PROJECTS_DIR = Path("/nonexistent/path/that/does/not/exist")
-        try:
-            result = agent_loop._find_session_uuid("issue-91")
-        finally:
-            agent_loop.CLAUDE_PROJECTS_DIR = orig
-        self.assertIsNone(result)
-
-    def test_returns_none_when_no_agent_name_entry(self):
-        with tempfile.TemporaryDirectory() as tmpdir:
-            projects_dir = Path(tmpdir)
-            self._write_jsonl(projects_dir, "abc123.jsonl", [
-                {"type": "message", "content": "hello"},
-            ])
-            orig = agent_loop.CLAUDE_PROJECTS_DIR
-            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
-            try:
-                result = agent_loop._find_session_uuid("issue-91")
-            finally:
-                agent_loop.CLAUDE_PROJECTS_DIR = orig
-        self.assertIsNone(result)
-
-    def test_scans_multiple_files_to_find_match(self):
-        with tempfile.TemporaryDirectory() as tmpdir:
-            projects_dir = Path(tmpdir)
-            self._write_jsonl(projects_dir, "aaa.jsonl", [
-                {"type": "agent-name", "agentName": "issue-10", "sessionId": "uuid-10"},
-            ])
-            self._write_jsonl(projects_dir, "bbb.jsonl", [
-                {"type": "agent-name", "agentName": "issue-91", "sessionId": "uuid-91"},
-            ])
-            orig = agent_loop.CLAUDE_PROJECTS_DIR
-            agent_loop.CLAUDE_PROJECTS_DIR = projects_dir
-            try:
-                result = agent_loop._find_session_uuid("issue-91")
-            finally:
-                agent_loop.CLAUDE_PROJECTS_DIR = orig
-        self.assertEqual(result, "uuid-91")
-
-
-class TestRunLoopResumeCommand(unittest.TestCase):
-    """Tests that _run_loop() shows a UUID-based resume command when agent is running."""
-
-    def _alive_state(self, session_name="issue-91"):
-        return {
-            "pid": os.getpid(),  # own PID is always alive
-            "issue": 91,
-            "started_at": "2026-05-23T12:00:00+00:00",
-            "type": "issue",
-            "session_name": session_name,
-        }
-
-    def test_resume_shows_uuid_when_found(self):
-        buf = io.StringIO()
-        fake_uuid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
-        with patch("agent_loop._read_state", return_value=self._alive_state()), \
-             patch("agent_loop._agent_alive", return_value=True), \
-             patch("agent_loop._agent_age_seconds", return_value=600), \
-             patch("agent_loop._find_session_uuid", return_value=fake_uuid), \
-             patch("agent_loop._git_summary", return_value=""), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        output = buf.getvalue()
-        self.assertIn(f"claude --resume {fake_uuid}", output)
-
-    def test_resume_shows_list_hint_when_uuid_not_found(self):
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=self._alive_state()), \
-             patch("agent_loop._agent_alive", return_value=True), \
-             patch("agent_loop._agent_age_seconds", return_value=600), \
-             patch("agent_loop._find_session_uuid", return_value=None), \
-             patch("agent_loop._git_summary", return_value=""), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        output = buf.getvalue()
-        self.assertIn("scripts/agent_loop.py list", output)
-        # Must NOT show the session name as a valid resume argument.
-        self.assertNotIn("claude --resume issue-91", output)
-
-    def test_resume_not_shown_when_no_session_name(self):
-        state = self._alive_state()
-        del state["session_name"]
-        buf = io.StringIO()
-        with patch("agent_loop._read_state", return_value=state), \
-             patch("agent_loop._agent_alive", return_value=True), \
-             patch("agent_loop._agent_age_seconds", return_value=600), \
-             patch("agent_loop._find_session_uuid", return_value=None), \
-             patch("agent_loop._git_summary", return_value=""), \
-             contextlib.redirect_stdout(buf):
-            agent_loop._run_loop()
-        output = buf.getvalue()
-        self.assertNotIn("Resume:", output)
-
-
-
-class TestCatchupSkipsQuestionIssues(unittest.TestCase):
-    """Catch-up must not retry merging a PR whose issue is already State/Question."""
-
-    def _make_pr(self, pr_number=50, branch="issue-10-fix"):
-        return {"number": pr_number, "head": {"ref": branch}}
-
-    def test_skips_merge_when_issue_has_question_label(self):
-        pr = self._make_pr()
-        ci_run = {"id": 999, "status": "success"}
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[pr]), \
-             patch("agent_loop._latest_ci_run_for_pr", return_value=ci_run), \
-             patch("agent_loop._get_issue_labels", return_value=[agent_loop.LABEL_QUESTION]), \
-             patch("agent_loop._merge_pr") as mock_merge, \
-             patch("agent_loop._comment_issue") as mock_comment, \
-             patch("agent_loop._set_labels") as mock_labels, \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]):
-            result = agent_loop._run_loop()
-        self.assertEqual(result, 0)
-        mock_merge.assert_not_called()
-        mock_comment.assert_not_called()
-        mock_labels.assert_not_called()
-
-    def test_proceeds_with_merge_when_issue_lacks_question_label(self):
-        pr = self._make_pr()
-        ci_run = {"id": 999, "status": "success"}
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[pr]), \
-             patch("agent_loop._latest_ci_run_for_pr", return_value=ci_run), \
-             patch("agent_loop._get_issue_labels", return_value=[agent_loop.LABEL_IN_PROGRESS]), \
-             patch("agent_loop._merge_pr") as mock_merge, \
-             patch("agent_loop._find_pr_for_branch", return_value=None), \
-             patch("agent_loop._close_issue"):
-            result = agent_loop._run_loop()
-        self.assertEqual(result, 0)
-        mock_merge.assert_called_once_with(50)
-
-
-class TestMergeFailsOpen(unittest.TestCase):
-    """Tests for auto-resolution when a PR is still open after the merge command."""
-
-    def _dead_state(self, issue: int, kind: str = "issue") -> dict:
-        return {
-            "pid": 999999999,
-            "issue": issue,
-            "started_at": "2026-01-01T00:00:00+00:00",
-            "type": kind,
-        }
-
-    def _open_pr(self, branch: str = "issue-10-fix") -> dict:
-        return {"number": 5, "head": {"ref": branch}, "created_at": "2026-01-01T00:00:00+00:00"}
-
-    def test_merge_fails_open_with_conflicts_spawns_rebase_agent(self):
-        """mergeable=false → rebase agent spawned, state written as pending-ci."""
-        written_state = {}
-
-        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
-            written_state["pid"] = pid
-            written_state["issue"] = issue
-            written_state["kind"] = kind
-            written_state["session_name"] = session_name
-
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), self._open_pr()]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._tea_get", return_value={"mergeable": False}), \
-             patch("agent_loop._start_agent", return_value=77) as mock_start, \
-             patch("agent_loop._write_state", side_effect=fake_write_state), \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_start.assert_called_once()
-        prompt = mock_start.call_args[0][0]
-        self.assertIn("Rebase branch", prompt)
-        self.assertIn("issue-10-fix", prompt)
-        self.assertEqual(written_state.get("kind"), "pending-ci")
-        self.assertEqual(written_state.get("issue"), 10)
-
-    def test_merge_fails_open_no_conflicts_retries_and_succeeds(self):
-        """mergeable=true, second attempt succeeds → issue closed."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch",
-                   side_effect=[self._open_pr(), self._open_pr(), None]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._tea_get", return_value={"mergeable": True}), \
-             patch("agent_loop.time.sleep"), \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_called_once_with(10)
-
-    def test_merge_fails_open_no_conflicts_all_retries_exhausted(self):
-        """All retries exhausted with PR still open → falls through to State/Question."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch",
-                   side_effect=[self._open_pr(), self._open_pr(),
-                                 self._open_pr(), self._open_pr()]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._tea_get", return_value={"mergeable": True}), \
-             patch("agent_loop.time.sleep"), \
-             patch("agent_loop._set_labels") as mock_labels, \
-             patch("agent_loop._comment_issue") as mock_comment, \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_not_called()
-        mock_labels.assert_called_once_with(
-            10,
-            add=[agent_loop.LABEL_QUESTION],
-            remove=[agent_loop.LABEL_IN_PROGRESS],
-        )
-        mock_comment.assert_called_once()
-
-
-class TestHeartbeat(unittest.TestCase):
-    """Tests for _update_heartbeat() and cmd_monitor()."""
-
-    def setUp(self):
-        self._tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".heartbeat")
-        self._tmp.close()
-        self._orig = agent_loop.HEARTBEAT_FILE
-        agent_loop.HEARTBEAT_FILE = Path(self._tmp.name)
-        Path(self._tmp.name).unlink()  # Start with no heartbeat file.
-
-    def tearDown(self):
-        agent_loop.HEARTBEAT_FILE = self._orig
-        Path(self._tmp.name).unlink(missing_ok=True)
-
-    def test_update_heartbeat_writes_timestamp(self):
-        agent_loop._update_heartbeat()
-        content = Path(self._tmp.name).read_text().strip()
-        dt = datetime.fromisoformat(content)
-        age = (datetime.now(timezone.utc) - dt).total_seconds()
-        self.assertLess(age, 5)
-
-    def test_update_heartbeat_creates_file(self):
-        self.assertFalse(Path(self._tmp.name).exists())
-        agent_loop._update_heartbeat()
-        self.assertTrue(Path(self._tmp.name).exists())
-
-    def test_monitor_healthy_when_recent(self):
-        agent_loop._update_heartbeat()
-        result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 0)
-
-    def test_monitor_warns_when_heartbeat_missing(self):
-        buf = io.StringIO()
-        with contextlib.redirect_stdout(buf):
-            result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 1)
-        self.assertIn("WARNING", buf.getvalue())
-
-    def test_monitor_warns_when_stale(self):
-        stale = (datetime.now(timezone.utc) - timedelta(hours=3)).isoformat()
-        Path(self._tmp.name).write_text(stale)
-        buf = io.StringIO()
-        with contextlib.redirect_stdout(buf):
-            result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 1)
-        self.assertIn("WARNING", buf.getvalue())
-
-    def test_monitor_warns_when_corrupted(self):
-        Path(self._tmp.name).write_text("not-a-timestamp")
-        buf = io.StringIO()
-        with contextlib.redirect_stdout(buf):
-            result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 1)
-        self.assertIn("WARNING", buf.getvalue())
-
-    def test_run_loop_updates_heartbeat(self):
-        self.assertFalse(Path(self._tmp.name).exists())
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]):
-            agent_loop._run_loop()
-        self.assertTrue(Path(self._tmp.name).exists())
-
-
-if __name__ == "__main__":
-    unittest.main()

scripts/test_verify_playstore_deploy.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+"""Tests for verify_playstore_deploy.py."""
+import os
+import sys
+import time
+import unittest
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+sys.path.insert(0, str(Path(__file__).parent))
+
+import verify_playstore_deploy
+
+
+def _make_session(version_code, track="internal"):
+    """Return a mock AuthorizedSession with the given version code on the track."""
+    session = MagicMock()
+
+    edit_resp = MagicMock()
+    edit_resp.json.return_value = {"id": "edit-99"}
+    session.post.return_value = edit_resp
+
+    track_resp = MagicMock()
+    track_resp.json.return_value = {
+        "releases": [{"versionCodes": [str(version_code)], "status": "completed"}]
+    }
+    session.get.return_value = track_resp
+    session.delete.return_value = MagicMock()
+
+    return session
+
+
+class TestMissingEnv(unittest.TestCase):
+    def test_missing_env_exits(self):
+        with patch.dict(os.environ, {}, clear=True):
+            with self.assertRaises(SystemExit) as ctx:
+                verify_playstore_deploy.main()
+        self.assertEqual(ctx.exception.code, 1)
+
+
+class TestRecentDeploy(unittest.TestCase):
+    def _run(self, version_code):
+        session = _make_session(version_code)
+        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
+            with patch("verify_playstore_deploy.service_account.Credentials.from_service_account_info"):
+                with patch("verify_playstore_deploy.AuthorizedSession", return_value=session):
+                    verify_playstore_deploy.main()
+
+    def test_recent_version_code_passes(self):
+        # Version code is Unix timestamp — a very recent one should pass.
+        recent_vc = int(time.time()) - 60  # 1 minute ago
+        self._run(recent_vc)
+
+    def test_old_version_code_fails(self):
+        old_vc = int(time.time()) - 7200  # 2 hours ago
+        with self.assertRaises(SystemExit) as ctx:
+            self._run(old_vc)
+        self.assertEqual(ctx.exception.code, 1)
+
+
+class TestEmptyTrack(unittest.TestCase):
+    def _run_empty(self, releases):
+        session = MagicMock()
+        session.post.return_value = MagicMock(**{"json.return_value": {"id": "edit-1"}})
+        session.get.return_value = MagicMock(**{"json.return_value": {"releases": releases}})
+        session.delete.return_value = MagicMock()
+
+        with patch.dict(os.environ, {"PLAY_STORE_CONFIG_JSON": '{"type":"service_account"}'}):
+            with patch("verify_playstore_deploy.service_account.Credentials.from_service_account_info"):
+                with patch("verify_playstore_deploy.AuthorizedSession", return_value=session):
+                    verify_playstore_deploy.main()
+
+    def test_no_releases_exits(self):
+        with self.assertRaises(SystemExit) as ctx:
+            self._run_empty([])
+        self.assertEqual(ctx.exception.code, 1)
+
+    def test_release_with_no_version_codes_exits(self):
+        with self.assertRaises(SystemExit) as ctx:
+            self._run_empty([{"status": "completed", "versionCodes": []}])
+        self.assertEqual(ctx.exception.code, 1)
+
+
+if __name__ == "__main__":
+    unittest.main()

scripts/verify_playstore_deploy.py

@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+"""Verify that the Android app was recently published to the Play Store internal track.
+
+The publish-android pipeline sets versionCode = int(time.Now().Unix()), so a
+freshly deployed release always has a version code close to the current Unix
+timestamp.  This script queries the internal track and fails if the latest
+version code is older than _MAX_DEPLOY_AGE_SECONDS, which would mean the
+deployment silently did not land.
+"""
+
+import json
+import os
+import sys
+import time
+
+from google.auth.transport.requests import AuthorizedSession
+from google.oauth2 import service_account
+
+PACKAGE_NAME = "de.sharedinbox.mua"
+TRACK = "internal"
+_BASE = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"
+# Allow up to one hour for the build + upload to complete.
+_MAX_DEPLOY_AGE_SECONDS = 3600
+
+
+def main():
+    config_json = os.environ.get("PLAY_STORE_CONFIG_JSON")
+    if not config_json:
+        print("Error: PLAY_STORE_CONFIG_JSON environment variable not set", file=sys.stderr)
+        sys.exit(1)
+
+    creds = service_account.Credentials.from_service_account_info(
+        json.loads(config_json),
+        scopes=["https://www.googleapis.com/auth/androidpublisher"],
+    )
+    session = AuthorizedSession(creds)
+
+    # Open a read-only edit to query the current track state.
+    edit_resp = session.post(f"{_BASE}/{PACKAGE_NAME}/edits", json={}, timeout=30)
+    edit_resp.raise_for_status()
+    edit_id = edit_resp.json()["id"]
+
+    try:
+        track_resp = session.get(
+            f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}/tracks/{TRACK}",
+            timeout=30,
+        )
+        track_resp.raise_for_status()
+        track_data = track_resp.json()
+    finally:
+        # Discard the edit — we made no changes.
+        try:
+            session.delete(f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}", timeout=30)
+        except Exception:
+            pass
+
+    releases = track_data.get("releases", [])
+    if not releases:
+        print(
+            f"ERROR: No releases found on {TRACK} track — deploy may have failed silently",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    all_version_codes = [
+        int(vc)
+        for release in releases
+        for vc in release.get("versionCodes", [])
+    ]
+    if not all_version_codes:
+        print("ERROR: Latest release has no version codes", file=sys.stderr)
+        sys.exit(1)
+
+    latest_vc = max(all_version_codes)
+    now = int(time.time())
+    # versionCode is set to Unix timestamp by PublishAndroid in ci/main.go.
+    age_seconds = now - latest_vc
+
+    print(f"Latest version code on {TRACK} track: {latest_vc}")
+    print(f"Current time: {now} — version code age: {age_seconds}s")
+
+    if age_seconds > _MAX_DEPLOY_AGE_SECONDS:
+        print(
+            f"::error::Latest version code {latest_vc} is {age_seconds}s old "
+            f"(limit: {_MAX_DEPLOY_AGE_SECONDS}s). The deploy may have failed silently.",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    print(f"OK: version {latest_vc} verified on {TRACK} track ({age_seconds}s old)")
+
+
+if __name__ == "__main__":
+    main()

server/bugreport/main.go

@@ -0,0 +1,266 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"sync"
+	"time"
+)
+
+// BugReport represents the data stored in report.json
+type BugReport struct {
+	Description string    `json:"description"`
+	AboutInfo   string    `json:"about_info"`
+	EmailData   string    `json:"email_data,omitempty"`
+	SyncLog     string    `json:"sync_log,omitempty"`
+	Timestamp   time.Time `json:"timestamp"`
+}
+
+var (
+	rateLimitMu  sync.Mutex
+	requestTimes []time.Time
+)
+
+// checkRateLimit implements a sliding window rate limiter: max 10 requests per minute globally.
+func checkRateLimit() (bool, time.Duration) {
+	rateLimitMu.Lock()
+	defer rateLimitMu.Unlock()
+
+	now := time.Now()
+	// Clean up timestamps older than 1 minute
+	var valid []time.Time
+	for _, t := range requestTimes {
+		if now.Sub(t) < time.Minute {
+			valid = append(valid, t)
+		}
+	}
+	requestTimes = valid
+
+	if len(requestTimes) >= 10 {
+		// Calculate time until the oldest request in the window falls out of it
+		oldest := requestTimes[0]
+		remaining := time.Minute - now.Sub(oldest)
+		if remaining < 0 {
+			remaining = 0
+		}
+		return false, remaining
+	}
+
+	requestTimes = append(requestTimes, now)
+	return true, 0
+}
+
+func generateUUID() (string, error) {
+	b := make([]byte, 16)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	// Format as UUID v4 structure
+	b[6] = (b[6] & 0x0f) | 0x40 // Version 4
+	b[8] = (b[8] & 0x3f) | 0x80 // Variant is 10
+	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
+}
+
+func bugReportHandler(storageDir string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Enable CORS so the web app (if applicable) can upload
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+
+		if r.Method != http.MethodPost {
+			http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		// Rate limiting check
+		allowed, waitTime := checkRateLimit()
+		if !allowed {
+			retryAfter := int(waitTime.Seconds())
+			if retryAfter < 1 {
+				retryAfter = 1
+			}
+			w.Header().Set("Retry-After", strconv.Itoa(retryAfter))
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusTooManyRequests)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": "Too many requests. Please try again later."})
+			return
+		}
+
+		// Limit body size to 20 MB (20 * 1024 * 1024 bytes)
+		const maxBodySize = 20 * 1024 * 1024
+		r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
+
+		// Parse the multipart form
+		err := r.ParseMultipartForm(maxBodySize)
+		if err != nil {
+			log.Printf("Failed to parse multipart form: %v", err)
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusRequestEntityTooLarge)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": "Request body too large or invalid multipart form."})
+			return
+		}
+		defer func() {
+			_ = r.MultipartForm.RemoveAll()
+		}()
+
+		description := r.FormValue("description")
+		aboutInfo := r.FormValue("about_info")
+
+		if description == "" || aboutInfo == "" {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(map[string]string{"error": "description and about_info are required fields."})
+			return
+		}
+
+		email := r.FormValue("email")
+		emailData := r.FormValue("email_data")
+		syncLog := r.FormValue("sync_log")
+
+		uuidVal, err := generateUUID()
+		if err != nil {
+			log.Printf("Failed to generate UUID: %v", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		now := time.Now()
+		timestampStr := now.Format("20060102_150405")
+		dirName := fmt.Sprintf("%s_%s", timestampStr, uuidVal)
+		reportDir := filepath.Join(storageDir, dirName)
+
+		err = os.MkdirAll(reportDir, 0750)
+		if err != nil {
+			log.Printf("Failed to create report directory: %v", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		// Write report.json
+		report := BugReport{
+			Description: description,
+			AboutInfo:   aboutInfo,
+			EmailData:   emailData,
+			SyncLog:     syncLog,
+			Timestamp:   now,
+		}
+
+		reportJSONPath := filepath.Join(reportDir, "report.json")
+		reportJSONFile, err := os.OpenFile(reportJSONPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
+		if err != nil {
+			log.Printf("Failed to create report.json: %v", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+		defer reportJSONFile.Close()
+
+		enc := json.NewEncoder(reportJSONFile)
+		enc.SetIndent("", "  ")
+		err = enc.Encode(report)
+		if err != nil {
+			log.Printf("Failed to write report.json: %v", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		// Write contact email to mail.eml (kept separate from report.json to isolate PII)
+		if email != "" {
+			mailEmlPath := filepath.Join(reportDir, "mail.eml")
+			err = os.WriteFile(mailEmlPath, []byte(email), 0600)
+			if err != nil {
+				log.Printf("Failed to write mail.eml: %v", err)
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+		}
+
+		// Save attachments
+		form := r.MultipartForm
+		files := form.File["attachments[]"]
+		for i, fileHeader := range files {
+			file, err := fileHeader.Open()
+			if err != nil {
+				log.Printf("Failed to open attachment %d: %v", i, err)
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+			defer file.Close()
+
+			// Sanitize filename to avoid directory traversal
+			baseName := filepath.Base(fileHeader.Filename)
+			attachmentName := fmt.Sprintf("attachment_%d_%s", i, baseName)
+			attachmentPath := filepath.Join(reportDir, attachmentName)
+
+			destFile, err := os.OpenFile(attachmentPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
+			if err != nil {
+				log.Printf("Failed to create attachment file %s: %v", attachmentName, err)
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+			defer destFile.Close()
+
+			_, err = io.Copy(destFile, file)
+			if err != nil {
+				log.Printf("Failed to copy attachment content to %s: %v", attachmentName, err)
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusCreated)
+		_ = json.NewEncoder(w).Encode(map[string]string{"id": uuidVal})
+	}
+}
+
+func main() {
+	port := os.Getenv("BUGREPORT_PORT")
+	if port == "" {
+		port = "8090"
+	}
+
+	storageDir := os.Getenv("BUGREPORT_STORAGE_DIR")
+	if storageDir == "" {
+		storageDir = "./reports"
+	}
+
+	// Create storage directory if it doesn't exist
+	err := os.MkdirAll(storageDir, 0750)
+	if err != nil {
+		log.Fatalf("Failed to create storage directory %s: %v", storageDir, err)
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/api/v1/bug-reports", bugReportHandler(storageDir))
+
+	addr := net.JoinHostPort("127.0.0.1", port)
+	log.Printf("Bug report server starting on %s...", addr)
+	log.Printf("Reports storage directory: %s", storageDir)
+
+	server := &http.Server{
+		Addr:         addr,
+		Handler:      mux,
+		ReadTimeout:  15 * time.Second,
+		WriteTimeout: 15 * time.Second,
+		IdleTimeout:  60 * time.Second,
+	}
+
+	if err := server.ListenAndServe(); err != nil {
+		log.Fatalf("Server failed to start: %v", err)
+	}
+}

stalwart-dev/integration_android_test.sh

@@ -7,6 +7,7 @@
 # Run inside nix develop:
 #   stalwart-dev/integration_android_test.sh
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 
 _SCRIPT_START=$(date +%s%3N)
 ts() { echo "[$(( $(date +%s%3N) - _SCRIPT_START ))ms] $*"; }

stalwart-dev/integration_ui_test.sh

@@ -5,6 +5,7 @@
 #
 # Run inside nix develop: stalwart-dev/integration_ui_test.sh
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 
 # Timing helper: prints elapsed seconds since script start with a label.
 _SCRIPT_START=$(date +%s%3N)

stalwart-dev/test.sh

@@ -2,6 +2,7 @@
 # Starts Stalwart in the background on fresh random ports, runs Flutter
 # integration tests, then stops it.
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 trap 'echo "Warning: A command failed ($0:$LINENO)"; exit 3' ERR
 
 export STALWART_USER_B="${STALWART_USER_B:-alice@example.com}"

test/backend/account_sync_manager_test.dart

@@ -20,63 +20,67 @@ Future<imap.ImapClient> _fakeImapConnect(
     throw const SocketException('fake — no real IMAP server in tests');
 
 void main() {
-  test('AccountSyncManager schedules IMAP sync for multiple accounts',
-      () async {
-    final accounts = _FakeAccounts('pw');
-    final mailboxes = _FakeMailboxes();
-    final emails = _FakeEmails();
-    final logs = _FakeLogs();
+  test(
+    'AccountSyncManager schedules IMAP sync for multiple accounts',
+    () async {
+      final accounts = _FakeAccounts('pw');
+      final mailboxes = _FakeMailboxes();
+      final emails = _FakeEmails();
+      final logs = _FakeLogs();
 
-    final manager = AccountSyncManager(
-      accounts,
-      mailboxes,
-      emails,
-      syncLog: logs,
-      imapConnect: _fakeImapConnect,
-    );
+      final manager = AccountSyncManager(
+        accounts,
+        mailboxes,
+        emails,
+        syncLog: logs,
+        imapConnect: _fakeImapConnect,
+      );
 
-    final a1 = _account('1');
-    final a2 = _account('2');
+      final a1 = _account('1');
+      final a2 = _account('2');
 
-    manager.start();
-    accounts.push([a1, a2]);
+      manager.start();
+      accounts.push([a1, a2]);
 
-    // Allow some time for listeners to fire.
-    await Future<void>.delayed(const Duration(milliseconds: 100));
+      // Allow some time for listeners to fire.
+      await Future<void>.delayed(const Duration(milliseconds: 100));
 
-    expect(emails.syncCounts['1'], greaterThanOrEqualTo(1));
-    expect(emails.syncCounts['2'], greaterThanOrEqualTo(1));
+      expect(emails.syncCounts['1'], greaterThanOrEqualTo(1));
+      expect(emails.syncCounts['2'], greaterThanOrEqualTo(1));
 
-    manager.dispose();
-  });
+      manager.dispose();
+    },
+  );
 
-  test('AccountSyncManager schedules JMAP sync for multiple accounts',
-      () async {
-    final accounts = _FakeAccounts('pw');
-    final mailboxes = _FakeMailboxes();
-    final emails = _FakeEmails();
-    final logs = _FakeLogs();
+  test(
+    'AccountSyncManager schedules JMAP sync for multiple accounts',
+    () async {
+      final accounts = _FakeAccounts('pw');
+      final mailboxes = _FakeMailboxes();
+      final emails = _FakeEmails();
+      final logs = _FakeLogs();
 
-    final manager = AccountSyncManager(
-      accounts,
-      mailboxes,
-      emails,
-      syncLog: logs,
-    );
+      final manager = AccountSyncManager(
+        accounts,
+        mailboxes,
+        emails,
+        syncLog: logs,
+      );
 
-    final a1 = _jmapAccount('1');
-    final a2 = _jmapAccount('2');
+      final a1 = _jmapAccount('1');
+      final a2 = _jmapAccount('2');
 
-    manager.start();
-    accounts.push([a1, a2]);
+      manager.start();
+      accounts.push([a1, a2]);
 
-    await Future<void>.delayed(const Duration(milliseconds: 100));
+      await Future<void>.delayed(const Duration(milliseconds: 100));
 
-    expect(emails.syncCounts['1'], greaterThanOrEqualTo(1));
-    expect(emails.syncCounts['2'], greaterThanOrEqualTo(1));
+      expect(emails.syncCounts['1'], greaterThanOrEqualTo(1));
+      expect(emails.syncCounts['2'], greaterThanOrEqualTo(1));
 
-    manager.dispose();
-  });
+      manager.dispose();
+    },
+  );
 }
 
 Account _account(String id) => Account(
@@ -149,17 +153,38 @@ class _FakeMailboxes implements MailboxRepository {
 
   @override
   Future<void> clearForResync(String accountId) async {}
+
+  @override
+  Future<Mailbox> createMailboxWithRole(
+    String accountId,
+    String name,
+    String role,
+  ) async =>
+      Mailbox(
+        id: '$accountId:$name',
+        accountId: accountId,
+        path: name,
+        name: name,
+        role: role,
+        unreadCount: 0,
+        totalCount: 0,
+      );
+  @override
+  Future<Mailbox> createMailbox(String accountId, String name) async => Mailbox(
+        id: '$accountId:$name',
+        accountId: accountId,
+        path: name,
+        name: name,
+        unreadCount: 0,
+        totalCount: 0,
+      );
 }
 
 class _FakeEmails implements EmailRepository {
   final syncCounts = <String, int>{};
 
   @override
-  Stream<List<Email>> observeEmails(
-    String a,
-    String m, {
-    int limit = 50,
-  }) =>
+  Stream<List<Email>> observeEmails(String a, String m, {int limit = 50}) =>
       Stream.value([]);
 
   @override
@@ -170,6 +195,10 @@ class _FakeEmails implements EmailRepository {
   }) =>
       Stream.value([]);
 
+  @override
+  Stream<List<EmailThread>> observeAllInboxThreads({int limit = 50}) =>
+      Stream.value([]);
+
   @override
   Stream<List<Email>> observeEmailsInThread(String a, String m, String t) =>
       Stream.value([]);

test/backend/email_repository_imap_test.dart

@@ -566,59 +566,61 @@ void main() {
     expect(pending.first.changeType, 'delete');
   });
 
-  test('downloadAttachment fetches binary attachment bytes from IMAP',
-      () async {
-    final attachmentBytes = Uint8List.fromList(
-      List.generate(32, (i) => i + 1),
-    );
-    const attachmentName = 'hello.bin';
-    const attachmentMime = 'application/octet-stream';
-
-    // Build a multipart email with a binary attachment and append it.
-    final client = await _imapConnect(
-      host: imapHost,
-      port: imapPort,
-      user: userEmail,
-      pass: userPass,
-    );
-    try {
-      final builder = MessageBuilder()
-        ..from = [MailAddress('Alice', userEmail)]
-        ..to = [MailAddress('Alice', userEmail)]
-        ..subject = 'attach-${DateTime.now().millisecondsSinceEpoch}'
-        ..text = 'See attachment.';
-      builder.addBinary(
-        attachmentBytes,
-        MediaType.fromText(attachmentMime),
-        filename: attachmentName,
+  test(
+    'downloadAttachment fetches binary attachment bytes from IMAP',
+    () async {
+      final attachmentBytes = Uint8List.fromList(
+        List.generate(32, (i) => i + 1),
       );
-      await client.appendMessage(
-        builder.buildMimeMessage(),
-        targetMailboxPath: 'INBOX',
+      const attachmentName = 'hello.bin';
+      const attachmentMime = 'application/octet-stream';
+
+      // Build a multipart email with a binary attachment and append it.
+      final client = await _imapConnect(
+        host: imapHost,
+        port: imapPort,
+        user: userEmail,
+        pass: userPass,
       );
-    } finally {
-      await client.logout();
-    }
+      try {
+        final builder = MessageBuilder()
+          ..from = [MailAddress('Alice', userEmail)]
+          ..to = [MailAddress('Alice', userEmail)]
+          ..subject = 'attach-${DateTime.now().millisecondsSinceEpoch}'
+          ..text = 'See attachment.';
+        builder.addBinary(
+          attachmentBytes,
+          MediaType.fromText(attachmentMime),
+          filename: attachmentName,
+        );
+        await client.appendMessage(
+          builder.buildMimeMessage(),
+          targetMailboxPath: 'INBOX',
+        );
+      } finally {
+        await client.logout();
+      }
 
-    final r = makeRepo();
-    await r.accounts.addAccount(account, userPass);
-    await r.emails.syncEmails('test', 'INBOX');
+      final r = makeRepo();
+      await r.accounts.addAccount(account, userPass);
+      await r.emails.syncEmails('test', 'INBOX');
 
-    final emails = await r.emails.observeEmails('test', 'INBOX').first;
-    expect(emails, hasLength(1));
-    expect(emails.first.hasAttachment, isTrue);
+      final emails = await r.emails.observeEmails('test', 'INBOX').first;
+      expect(emails, hasLength(1));
+      expect(emails.first.hasAttachment, isTrue);
 
-    final body = await r.emails.getEmailBody(emails.first.id);
-    expect(body.attachments, hasLength(1));
-    expect(body.attachments.first.filename, attachmentName);
-    expect(body.attachments.first.contentType, attachmentMime);
-    expect(body.attachments.first.fetchPartId, isNotEmpty);
+      final body = await r.emails.getEmailBody(emails.first.id);
+      expect(body.attachments, hasLength(1));
+      expect(body.attachments.first.filename, attachmentName);
+      expect(body.attachments.first.contentType, attachmentMime);
+      expect(body.attachments.first.fetchPartId, isNotEmpty);
 
-    final path = await r.emails.downloadAttachment(
-      emails.first.id,
-      body.attachments.first,
-    );
-    final downloaded = await File(path).readAsBytes();
-    expect(downloaded, equals(attachmentBytes));
-  });
+      final path = await r.emails.downloadAttachment(
+        emails.first.id,
+        body.attachments.first,
+      );
+      final downloaded = await File(path).readAsBytes();
+      expect(downloaded, equals(attachmentBytes));
+    },
+  );
 }

test/flutter_test_config.dart

@@ -0,0 +1,43 @@
+// Loads Material fonts (Roboto + MaterialIcons) before any test runs so that
+// golden/screenshot tests render real text instead of placeholder boxes.
+//
+// Flutter widget tests don't load fonts by default. This file is discovered
+// automatically by `flutter test` for every test under test/.
+
+import 'dart:async';
+import 'dart:io';
+
+import 'package:flutter/services.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+Future<void> testExecutable(FutureOr<void> Function() testMain) async {
+  setUpAll(_loadMaterialFonts);
+  await testMain();
+}
+
+Future<void> _loadMaterialFonts() async {
+  // Locate Flutter's cached material fonts relative to the flutter_tester executable.
+  // Layout: <flutter-root>/bin/cache/artifacts/engine/linux-x64/flutter_tester
+  //          <flutter-root>/bin/cache/artifacts/material_fonts/
+  final cacheDir =
+      File(Platform.resolvedExecutable).parent.parent.parent.parent;
+  final fontsDir = '${cacheDir.path}/artifacts/material_fonts';
+
+  Future<ByteData> load(String name) async {
+    final bytes = await File('$fontsDir/$name').readAsBytes();
+    return ByteData.view(bytes.buffer);
+  }
+
+  await (FontLoader('Roboto')
+        ..addFont(load('Roboto-Regular.ttf'))
+        ..addFont(load('Roboto-Medium.ttf'))
+        ..addFont(load('Roboto-Bold.ttf'))
+        ..addFont(load('Roboto-Italic.ttf'))
+        ..addFont(load('Roboto-MediumItalic.ttf'))
+        ..addFont(load('Roboto-BoldItalic.ttf')))
+      .load();
+
+  await (FontLoader('MaterialIcons')
+        ..addFont(load('MaterialIcons-Regular.otf')))
+      .load();
+}