feat: keep secrets in sync via age-encrypted master key (#208 )

Store all production secrets encrypted in secrets.age (committed to the repo) using age. Only one secret needs to be in CI: SECRETS_AGE_KEY. When a secret changes locally, update secrets.env and re-run scripts/secrets-encrypt.sh to commit a new secrets.age. CI picks up the updated secrets automatically on the next push — no manual CI variable updates required. Changes: - scripts/secrets-encrypt.sh: encrypt secrets.env → secrets.age - scripts/secrets-decrypt.sh: decrypt secrets.age → GITHUB_ENV (CI) or eval-safe export block (local) - scripts/test_secrets.sh: encrypt/decrypt round-trip tests - secrets.env.example: template documenting all production secret keys - ci/main.go: add CheckSecrets function (runs test_secrets.sh via Dagger), wire into Check(), update Graph(); add age to toolchain apt packages - .forgejo/Dockerfile: add age package - .forgejo/workflows/deploy.yml: replace per-secret CI references with a single "Decrypt production secrets" step using SECRETS_AGE_KEY - flake.nix: add age to dev shell - Taskfile.yml: add check-secrets task, include in check-fast - .gitignore: ignore plaintext secrets.env - DAGGER.md: document Option 5 (encrypted secrets file) as active approach Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat: add build mode, Dart version, timestamp to crash report (#205 )
2026-05-24 16:32:27 +02:00 · 2026-05-24 16:06:32 +02:00 · 2026-05-24 15:47:21 +02:00 · 2026-05-24 15:11:56 +02:00
83 changed files with 914 additions and 4008 deletions
@@ -10,6 +10,7 @@ FROM ghcr.io/catthehacker/ubuntu:go-24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    stunnel4 \
    netcat-openbsd \
+    age \
    && rm -rf /var/lib/apt/lists/*

 # Dagger CLI — pinned to match the engine version on the runner host
@@ -109,51 +109,3 @@ jobs:
      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
-
-  merge-renovate:
-    name: Auto-merge Renovate PR
-    needs: [check]
-    if: github.event_name == 'pull_request' && startsWith(github.head_ref, 'renovate/')
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-
-    steps:
-      - name: Merge if automerge label is set
-        env:
-          FORGEJO_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          python3 - << 'PYEOF'
-          import os, json, urllib.request, urllib.error, sys
-
-          token = os.environ["FORGEJO_TOKEN"]
-          url_base = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
-          repo = os.environ.get("GITHUB_REPOSITORY", "")
-          pr_number = os.environ["PR_NUMBER"]
-          api = f"{url_base}/api/v1/repos/{repo}"
-          headers = {"Authorization": f"token {token}", "Content-Type": "application/json"}
-
-          req = urllib.request.Request(f"{api}/issues/{pr_number}/labels", headers=headers)
-          with urllib.request.urlopen(req) as r:
-              labels = [l["name"] for l in json.loads(r.read())]
-
-          if "automerge" not in labels:
-              print(f"PR #{pr_number}: no 'automerge' label — major update, skipping")
-              sys.exit(0)
-
-          body = json.dumps({"Do": "merge"}).encode()
-          req = urllib.request.Request(
-              f"{api}/pulls/{pr_number}/merge",
-              data=body, headers=headers, method="POST"
-          )
-          try:
-              with urllib.request.urlopen(req) as r:
-                  print(f"PR #{pr_number} merged successfully")
-          except urllib.error.HTTPError as e:
-              err = e.read().decode()
-              if "already been merged" in err or "has been merged" in err:
-                  print(f"PR #{pr_number} already merged — OK")
-              else:
-                  print(f"Merge failed: {err}")
-                  sys.exit(1)
-          PYEOF
@@ -22,8 +22,6 @@ jobs:
      - name: Detect Android and Linux changes
        id: diff
        shell: bash
-        env:
-          FORGEJO_TOKEN: ${{ github.token }}
        run: |
          # On workflow_dispatch always build everything
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
@@ -32,38 +30,6 @@ jobs:
            exit 0
          fi

-          HEAD_SHA=$(git rev-parse HEAD)
-
-          # Skip if this exact commit was already successfully deployed (prevents
-          # hourly schedule from redeploying the same commit on every tick).
-          LAST_DEPLOYED_SHA=$(python3 - << 'PYEOF'
-          import json, os, sys, urllib.request
-          token = os.environ.get("FORGEJO_TOKEN", "")
-          server = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
-          repo = os.environ.get("GITHUB_REPOSITORY", "")
-          url = f"{server}/api/v1/repos/{repo}/actions/runs?workflow_id=deploy.yml&status=success&limit=5"
-          req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
-          try:
-              with urllib.request.urlopen(req) as r:
-                  data = json.loads(r.read())
-              runs = [
-                  r for r in data.get("workflow_runs", [])
-                  if r.get("workflow_id") == "deploy.yml" and r.get("status") == "success"
-              ]
-              print(runs[0].get("commit_sha") or "")
-          except Exception as e:
-              print(f"API check failed: {e}", file=sys.stderr)
-              print("")
-          PYEOF
-          )
-
-          if [ -n "$LAST_DEPLOYED_SHA" ] && [ "$HEAD_SHA" = "$LAST_DEPLOYED_SHA" ]; then
-            echo "HEAD $HEAD_SHA already successfully deployed — skipping"
-            echo "android=false" >> "$GITHUB_OUTPUT"
-            echo "linux=false"   >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
          # Diff the HEAD commit against its parent; fall back to listing HEAD's files
          # when the parent is unavailable (initial commit, shallow clone).
          CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null \
@@ -72,7 +38,7 @@ jobs:
          echo "Changed files:"
          echo "$CHANGED"

-          android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/|scripts/deploy_playstore\.py)'
+          android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/)'
          linux_re='^(linux/|lib/|pubspec\.yaml|pubspec\.lock)'

          echo "$CHANGED" | grep -qE "$android_re" \
@@ -83,6 +49,49 @@ jobs:
            && echo "linux=true"   >> "$GITHUB_OUTPUT" \
            || echo "linux=false"  >> "$GITHUB_OUTPUT"

+  test-android-firebase:
+    name: Android Instrumented Tests (Firebase Test Lab)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    needs: [check-changes]
+    if: needs.check-changes.outputs.android == 'true'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Check runner tools
+        run: |
+          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
+
+      - name: Setup Dagger Remote Engine (via stunnel)
+        env:
+          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
+          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
+          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
+          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
+        run: scripts/setup_dagger_remote.sh
+
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Run Android Tests on Firebase Test Lab
+        if: env.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != ''
+        env:
+          DAGGER_NO_NAG: "1"
+        run: task test-android-firebase
+
+      - name: Cleanup TLS credentials
+        if: always()
+        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
+
  deploy-playstore:
    name: Build & Deploy to Play Store
    runs-on: ubuntu-latest
@@ -93,12 +102,13 @@ jobs:
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 100
+          fetch-depth: 1

      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -109,12 +119,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Publish Android to Play Store
-        if: ${{ secrets.PLAY_STORE_CONFIG_JSON != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Publish Android to Play Store
+        if: env.PLAY_STORE_CONFIG_JSON != ''
        env:
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
-          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
          DAGGER_NO_NAG: "1"
        run: task publish-android

@@ -132,12 +145,13 @@ jobs:
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 100
+          fetch-depth: 1

      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -148,15 +162,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Build & Deploy APK to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Build & Deploy APK to server
+        if: env.SSH_PRIVATE_KEY != ''
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          DAGGER_NO_NAG: "1"
        run: task deploy-apk

@@ -174,12 +188,13 @@ jobs:
    steps:
      - uses: actions/checkout@v4
        with:
-          fetch-depth: 100
+          fetch-depth: 1

      - name: Check runner tools
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -190,13 +205,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Build & Deploy Linux to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Build & Deploy Linux to server
+        if: env.SSH_PRIVATE_KEY != ''
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task deploy-linux

@@ -222,6 +239,7 @@ jobs:
        run: |
          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
+          command -v age     >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }

      - name: Setup Dagger Remote Engine (via stunnel)
@@ -232,13 +250,15 @@ jobs:
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

-      - name: Generate build history and deploy website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Decrypt production secrets
+        if: ${{ secrets.SECRETS_AGE_KEY != '' }}
+        env:
+          SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
+        run: scripts/secrets-decrypt.sh
+
+      - name: Generate build history and deploy website
+        if: env.SSH_PRIVATE_KEY != ''
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task publish-website

@@ -249,9 +269,10 @@ jobs:
  label-deploy-health:
    name: Update Deploy Health Label
    runs-on: ubuntu-latest
-    needs: [deploy-playstore, deploy-apk, build-linux]
+    needs: [test-android-firebase, deploy-playstore, deploy-apk, build-linux]
    if: |
      always() && vars.DEPLOY_HEALTH_ISSUE != '' && (
+        needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'failure' ||
        needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'failure' ||
        needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'failure' ||
        needs.build-linux.result == 'success' || needs.build-linux.result == 'failure'
@@ -264,7 +285,7 @@ jobs:
          FORGEJO_TOKEN: ${{ github.token }}
          FORGEJO_URL: ${{ github.server_url }}
          DEPLOY_HEALTH_ISSUE: ${{ vars.DEPLOY_HEALTH_ISSUE }}
-          ALL_SUCCEEDED: ${{ (needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'skipped') && (needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'skipped') && (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') }}
+          ALL_SUCCEEDED: ${{ (needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'skipped') && (needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'skipped') && (needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'skipped') && (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') }}
        run: |
          python3 - << 'PYEOF'
          import os, json, urllib.request, urllib.error
@@ -1,132 +0,0 @@
-name: Firebase Tests
-
-on:
-  schedule:
-    - cron: '0 3 * * *'   # once per day at 3 AM
-  workflow_dispatch:
-
-jobs:
-  check-changes:
-    name: Detect Firebase-Relevant Changes
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      has_changes: ${{ steps.diff.outputs.has_changes }}
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Detect Firebase-relevant changes in last 24 hours
-        id: diff
-        shell: bash
-        run: |
-          # On workflow_dispatch always run
-          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
-            echo "has_changes=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          SINCE=$(date -u -d '24 hours ago' '+%Y-%m-%dT%H:%M:%S')
-          CHANGED=$(git log --since="$SINCE" --name-only --format= -- \
-            'android/' 'integration_test/' 'lib/' 'pubspec.yaml' 'pubspec.lock' 'drift_schemas/' \
-            | sort -u | grep -v '^$')
-
-          if [ -n "$CHANGED" ]; then
-            echo "Firebase-relevant files changed since $SINCE:"
-            echo "$CHANGED"
-            echo "has_changes=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "No Firebase-relevant changes in the last 24 hours — skipping tests"
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-          fi
-
-  test-android-firebase:
-    name: Android Instrumented Tests (Firebase Test Lab)
-    runs-on: ubuntu-latest
-    timeout-minutes: 60
-    needs: [check-changes]
-    if: needs.check-changes.outputs.has_changes == 'true'
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Check runner tools
-        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-
-      - name: Setup Dagger Remote Engine (via stunnel)
-        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
-        run: scripts/setup_dagger_remote.sh
-
-      - name: Run Android Tests on Firebase Test Lab
-        if: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != '' }}
-        env:
-          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
-          FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
-          DAGGER_NO_NAG: "1"
-        run: task test-android-firebase
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
-
-      - name: Create issue on test failure
-        if: failure()
-        env:
-          FORGEJO_TOKEN: ${{ github.token }}
-          FORGEJO_URL: ${{ github.server_url }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: |
-          python3 - << 'PYEOF'
-          import os, json, urllib.request, urllib.error
-
-          token = os.environ["FORGEJO_TOKEN"]
-          url_base = os.environ["FORGEJO_URL"].rstrip("/")
-          run_url = os.environ["RUN_URL"]
-
-          headers = {"Authorization": f"token {token}", "Content-Type": "application/json"}
-          api = f"{url_base}/api/v1/repos/guettli/sharedinbox"
-
-          def api_get(path):
-              req = urllib.request.Request(f"{api}{path}", headers=headers)
-              with urllib.request.urlopen(req) as r:
-                  return json.loads(r.read())
-
-          def api_post(path, body):
-              data = json.dumps(body).encode()
-              req = urllib.request.Request(f"{api}{path}", data=data, headers=headers, method="POST")
-              with urllib.request.urlopen(req) as r:
-                  return json.loads(r.read())
-
-          repo_labels = api_get("/labels")
-          label_map = {l["name"]: l["id"] for l in repo_labels}
-
-          label_ids = [label_map["Ready"]] if "Ready" in label_map else []
-
-          title = "Firebase Tests failed — find root cause and fix"
-          body = (
-              "Firebase instrumented tests failed in the daily run.\n\n"
-              f"**Failed run:** {run_url}\n\n"
-              "## Steps to resolve\n\n"
-              "1. **Find the root cause**: Check the test run logs linked above and identify which test(s) failed and why.\n"
-              "2. **Fix if possible**: If the failure is caused by a code bug, create a fix. If it is a flaky or infrastructure issue, document the findings.\n"
-              "3. Close this issue once the root cause is resolved and the tests pass.\n"
-          )
-
-          issue = api_post("/issues", {
-              "title": title,
-              "body": body,
-              "labels": label_ids,
-          })
-          print(f"Created issue #{issue['number']}: {issue['html_url']}")
-          PYEOF
@@ -1,18 +0,0 @@
-name: Monitor Agent Loop
-
-on:
-  schedule:
-    - cron: '0 */2 * * *'  # every 2 hours
-  workflow_dispatch:
-
-jobs:
-  monitor:
-    name: Check Agent Loop Health
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check agent loop heartbeat
-        run: python3 scripts/agent_loop.py monitor
@@ -1,39 +0,0 @@
-name: Renovate
-
-on:
-  schedule:
-    - cron: '0 6 * * *'
-  workflow_dispatch:
-
-jobs:
-  renovate:
-    name: Renovate
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check runner tools
-        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-
-      - name: Setup Dagger Remote Engine (via stunnel)
-        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
-        run: scripts/setup_dagger_remote.sh
-
-      - name: Run Renovate
-        env:
-          DAGGER_NO_NAG: "1"
-          RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
-        run: task renovate
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
@@ -1,4 +1,4 @@
-name: Update Website
+name: Deploy Website

 on:
  push:
@@ -11,45 +11,22 @@ on:

 jobs:
  deploy:
-    name: Build & Update Website
+    name: Build & Deploy Website
    runs-on: ubuntu-latest
-    timeout-minutes: 60

    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

-      - name: Check runner tools
-        run: |
-          command -v dagger  >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          command -v task    >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
-          dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
-
-      - name: Setup Dagger Remote Engine (via stunnel)
-        env:
-          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
-          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
-          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
-          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
-        run: scripts/setup_dagger_remote.sh
-
-      - name: Build & Update Website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
+      - name: Build & Deploy Website
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
-          DAGGER_NO_NAG: "1"
-        run: task publish-website
+        run: task website-deploy

      - name: Verify Website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
          SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
        run: scripts/website-verify.sh
-
-      - name: Cleanup TLS credentials
-        if: always()
-        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
@@ -1,3 +1,3 @@
 {
-  "flutter": "3.44.0"
+  "flutter": "3.41.6"
 }
@@ -22,14 +22,14 @@ assets/changelog.txt
 .env.local
 .envrc
 .direnv/
+secrets.env      # plaintext secrets — encrypted version (secrets.age) is committed

 # --- Android ---
 android/.gradle/
 android/local.properties
 android/app/google-services.json
 android/key.properties
-# android/app/src/main/java/io/flutter/plugins/ intentionally tracked so that
-# GeneratedPluginRegistrant.java (catch Throwable) is committed and used by CI.
+android/app/src/main/java/io/flutter/plugins/
 .android/
 Android/
 .gradle/
@@ -33,12 +33,12 @@ repos:
      - id: ci-no-direct-dagger
        name: check for direct dagger calls in workflows (use Task instead)
        language: system
-        entry: "bash -c 'git --no-pager grep \"dagger call\" .forgejo/workflows/ && echo \"ERROR: Direct dagger calls found in workflows. Use Taskfile instead.\" && exit 1 || exit 0'"
+        entry: "bash -c 'git grep \"dagger call\" .forgejo/workflows/ && echo \"ERROR: Direct dagger calls found in workflows. Use Taskfile instead.\" && exit 1 || exit 0'"
        pass_filenames: false
        always_run: true
      - id: dagger-progress-plain
        name: ensure all dagger calls use --progress=plain
        language: system
-        entry: "bash -c 'git --no-pager grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
+        entry: "bash -c 'git grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
        pass_filenames: false
        always_run: true
@@ -10,21 +10,9 @@ CLI tool `fgj` is available to query issues/PRs/actions.

 We use issues, follow this label state machine:

- **State/ToPlan** — Issue needs a plan written by an agent before implementation
- **State/Planned** — Plan has been posted as a comment; awaiting human review
- **State/Ready** — Issue is approved and ready for implementation
- **State/InProgress** — Set while an agent (or human) is actively working
- **State/Question** — Agent hit a blocker or needs clarification
-
-Full lifecycle:
-
-```
-State/ToPlan → State/Planned   (automated: agent_loop.py runs a planning agent)
-State/Planned → State/Ready    (manual: human reviews the plan and approves)
-State/Ready → State/InProgress (automated: agent_loop.py before starting implementation)
-State/InProgress → closed      (automated: after PR is merged and CI passes)
-any state → State/Question     (automated or manual: when blocked)
-```
+- **State/Ready** — Issue is available to pick up
+- **State/InProgress** — Set this when you start working on an issue
+- **State/Question** — Set this when you hit a blocker or need clarification

 List open issues ready to pick up:

@@ -34,11 +22,9 @@ fgj issue list --json --state open | jq '[.[] | select(.labels[].name == "State/

 Rules:

- Never start implementation on an issue without `State/Ready`
- Planning agents only post a plan comment — they do NOT write code or open PRs
- After `State/Planned`, a human must review the plan and manually add `State/Ready`
- When working via the agent loop: label transitions are set automatically
-  by `agent_loop.py` — do **not** set them yourself.
+- Never start work on an issue without `State/Ready`
+- When working via the agent loop: `State/Ready` → `State/InProgress` is set automatically
+  by `agent_loop.py` before the agent starts — do **not** set it yourself.
 - When working manually: switch to `State/InProgress` as your **first action**:
  ```bash
  fgj issue edit <NUMBER> --remove-label "State/Ready" --add-label "State/InProgress"
@@ -174,10 +174,70 @@ Run a secret manager co-located with the Dagger host. The CI job authenticates w
 - Vault itself becomes a security-critical single point of failure.
 - Operational overhead likely disproportionate for a small single-developer project.

+### Option 5: Encrypted secrets file (age) — **implemented**
+
+Store all production secrets in a file (`secrets.env`) that is encrypted with
+[age](https://age-encryption.org/) into `secrets.age`. The encrypted file is
+committed to the repository. Only the age private key — a single string — is
+stored in Codeberg as `SECRETS_AGE_KEY`. Any CI job or developer with the key
+can decrypt the file and obtain all secrets.
+
+**How it works:**
+
+1. Generate a key pair once:
+   ```bash
+   age-keygen -o ~/.config/age/sharedinbox.key
+   age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key
+   ```
+2. Copy `secrets.env.example` to `secrets.env`, fill in all values, then encrypt:
+   ```bash
+   scripts/secrets-encrypt.sh   # reads public key from .age-public-key
+   git add secrets.age && git commit -m "chore: update encrypted secrets"
+   ```
+3. Add the private key content as `SECRETS_AGE_KEY` in Codeberg repository secrets.
+4. CI jobs call `scripts/secrets-decrypt.sh` (with `SECRETS_AGE_KEY` set) before
+   any step that needs production credentials. The script writes each variable
+   to `$GITHUB_ENV` so subsequent steps see them automatically.
+
+**Keeping local and CI in sync:**
+When you rotate a secret locally, update `secrets.env`, re-run
+`scripts/secrets-encrypt.sh`, and commit the new `secrets.age`. CI will pick
+up the fresh secrets on the next push — no manual CI variable updates needed.
+
+Multi-line values (SSH keys, certificates) must be stored as a single line
+with `\n` escape sequences inside double quotes. Example:
+```
+SSH_PRIVATE_KEY="<header>\n<base64 key body>\n<footer>"
+```
+
+**Pro:**
+- One secret (`SECRETS_AGE_KEY`) in Codeberg instead of many.
+- Encrypted secrets are version-controlled — rotating a secret is a git commit.
+- Local dev environment and CI always use the same encrypted source of truth.
+- `age` is a simple, audited tool with no server infrastructure.
+- The private key never appears in workflow files or logs.
+
+**Con:**
+- `secrets.age` exposes the list of variable *names* (visible in the encrypted
+  file if the format leaks, though not the values).
+- All credentials share a single key — compromising `SECRETS_AGE_KEY` exposes
+  everything at once.
+- Key rotation requires re-encrypting `secrets.age` and updating the CI secret.
+
 ### Recommendation

-**Option 1** (runner-level env vars) or **Option 2** (secret files) are the pragmatic starting point for a single self-hosted runner. They require no new infrastructure and move all production secrets off Codeberg immediately.
+**Option 5** (encrypted secrets file) is now the active approach. It reduces
+Codeberg secrets to exactly two categories:
+- **Dagger access credentials** — `DAGGER_STUNNEL_URL`, `DAGGER_CA_CERT`,
+  `DAGGER_CLIENT_CERT`, `DAGGER_CLIENT_KEY`.
+- **Master key** — `SECRETS_AGE_KEY`.

-**Option 3** (Dagger host as orchestrator) is worth considering once the trigger SSH key replaces all other secrets in Codeberg — it offers the cleanest security boundary at the cost of reduced CI observability.
+**Option 1** (runner-level env vars) or **Option 2** (secret files) remain
+valid if you prefer not to commit an encrypted file to the repository.

-**Option 4** (Vault) becomes worthwhile if the project grows to multiple runners or team members who each need audited access to deploy credentials.
+**Option 3** (Dagger host as orchestrator) is worth considering once the
+trigger SSH key replaces all other secrets in Codeberg — it offers the cleanest
+security boundary at the cost of reduced CI observability.
+
+**Option 4** (Vault) becomes worthwhile if the project grows to multiple
+runners or team members who each need audited access to deploy credentials.
@@ -224,7 +224,7 @@ tasks:
    desc: Build AAB via Dagger (cached, versionCode=1 placeholder) and export locally
    cmds:
      - mkdir -p build/app/outputs/bundle/release
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. build-android-release --commit-hash "$HASH" -o build/app/outputs/bundle/release/app-release.aab
+      - dagger call --progress=plain -q -m ci --source=. build-android-release -o build/app/outputs/bundle/release/app-release.aab

  upload-android-bundle:
    desc: Upload AAB from build/ to Play Store via Dagger
@@ -238,7 +238,6 @@ tasks:

  publish-android:
    desc: Build cached AAB, stamp versionCode, sign, and publish to Play Store via Dagger
-    deps: [generate-changelog]
    preconditions:
      - sh: test -n "$PLAY_STORE_CONFIG_JSON"
        msg: "PLAY_STORE_CONFIG_JSON is not set"
@@ -247,7 +246,7 @@ tasks:
      - sh: test -n "$ANDROID_KEYSTORE_PASSWORD"
        msg: "ANDROID_KEYSTORE_PASSWORD is not set"
    cmds:
-      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -q -m ci --source=. publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD --commit-hash "$HASH"
+      - dagger call --progress=plain -q -m ci --source=. publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON --keystore-base64 env:ANDROID_KEYSTORE_BASE64 --keystore-password env:ANDROID_KEYSTORE_PASSWORD

  deploy-apk:
    desc: Build and deploy Android APK via Dagger
@@ -336,14 +335,6 @@ tasks:
      - |
        dagger query '{ engine { localCache { prune(maxUsedSpace: "75gb", targetSpace: "50gb") } } }'

-  renovate:
-    desc: Run Renovate bot against the repository via Dagger
-    preconditions:
-      - sh: test -n "$RENOVATE_FORGEJO_TOKEN"
-        msg: "RENOVATE_FORGEJO_TOKEN is not set"
-    cmds:
-      - dagger call --progress=plain -q -m ci --source=. renovate --renovate-token env:RENOVATE_FORGEJO_TOKEN
-
  integration-android:
    desc: UI integration tests on a connected Android emulator (Stalwart on host, emulator reaches it via 10.0.2.2)
    deps: [_preflight, _android-sdk-check, _android-avd-setup]
@@ -664,7 +655,12 @@ tasks:

  check-fast:
    desc: Pre-commit checks — analyze + unit+widget tests + coverage gate (no build, no integration)
-    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks]
+    deps: [analyze, check-coverage, check-hygiene, check-layers, check-mocks, check-secrets]
+
+  check-secrets:
+    desc: Test secrets encrypt/decrypt scripts (requires age)
+    cmds:
+      - bash scripts/test_secrets.sh

  check-layers:
    desc: Enforce architecture — ui/ must not import data/ (only core/ interfaces allowed)
@@ -4,6 +4,7 @@ gradle-wrapper.jar
 /gradlew
 /gradlew.bat
 /local.properties
+GeneratedPluginRegistrant.java
 .cxx/

 # Remember to never publicly share your keystore.
@@ -67,7 +67,7 @@ flutter {

 dependencies {
    // Required for flutter_local_notifications and other plugins that need Java 8+ APIs on API < 26.
-    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.5")
+    coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:2.1.4")
    // integration_test is a dev dependency; the Flutter plugin loader adds it as
    // debugImplementation only, but GeneratedPluginRegistrant.java (in src/main)
    // references its class in all variants. Make it available for release compilation
@@ -1,89 +0,0 @@
-package io.flutter.plugins;
-
-import androidx.annotation.Keep;
-import androidx.annotation.NonNull;
-import io.flutter.Log;
-
-import io.flutter.embedding.engine.FlutterEngine;
-
-/**
- * Generated file. Do not edit.
- * This file is generated by the Flutter tool based on the
- * plugins that support the Android platform.
- */
-@Keep
-public final class GeneratedPluginRegistrant {
-  private static final String TAG = "GeneratedPluginRegistrant";
-  public static void registerWith(@NonNull FlutterEngine flutterEngine) {
-    try {
-      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.device_info.DeviceInfoPlusPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin device_info_plus, dev.fluttercommunity.plus.device_info.DeviceInfoPlusPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new com.mr.flutter.plugin.filepicker.FilePickerPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin file_picker, com.mr.flutter.plugin.filepicker.FilePickerPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new com.dexterous.flutterlocalnotifications.FlutterLocalNotificationsPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin flutter_local_notifications, com.dexterous.flutterlocalnotifications.FlutterLocalNotificationsPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new io.flutter.plugins.flutter_plugin_android_lifecycle.FlutterAndroidLifecyclePlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin flutter_plugin_android_lifecycle, io.flutter.plugins.flutter_plugin_android_lifecycle.FlutterAndroidLifecyclePlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin flutter_secure_storage, com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new dev.flutter.plugins.integration_test.IntegrationTestPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin integration_test, dev.flutter.plugins.integration_test.IntegrationTestPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new dev.steenbakker.mobile_scanner.MobileScannerPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin mobile_scanner, dev.steenbakker.mobile_scanner.MobileScannerPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new com.crazecoder.openfile.OpenFilePlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin open_filex, com.crazecoder.openfile.OpenFilePlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.packageinfo.PackageInfoPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin package_info_plus, dev.fluttercommunity.plus.packageinfo.PackageInfoPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new io.flutter.plugins.pathprovider.PathProviderPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin path_provider_android, io.flutter.plugins.pathprovider.PathProviderPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new dev.fluttercommunity.plus.share.SharePlusPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin share_plus, dev.fluttercommunity.plus.share.SharePlusPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new io.flutter.plugins.urllauncher.UrlLauncherPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin url_launcher_android, io.flutter.plugins.urllauncher.UrlLauncherPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new io.flutter.plugins.webviewflutter.WebViewFlutterPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin webview_flutter_android, io.flutter.plugins.webviewflutter.WebViewFlutterPlugin", e);
-    }
-    try {
-      flutterEngine.getPlugins().add(new dev.fluttercommunity.workmanager.WorkmanagerPlugin());
-    } catch (Exception e) {
-      Log.e(TAG, "Error registering plugin workmanager_android, dev.fluttercommunity.workmanager.WorkmanagerPlugin", e);
-    }
-  }
-}
@@ -2,4 +2,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.5-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-all.zip
@@ -44,10 +44,10 @@ require (
 	google.golang.org/protobuf v1.36.11 // indirect
 )

-replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0
+replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0

-replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0
+replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0

-replace go.opentelemetry.io/otel/log => go.opentelemetry.io/otel/log v0.19.0
+replace go.opentelemetry.io/otel/log => go.opentelemetry.io/otel/log v0.16.0

-replace go.opentelemetry.io/otel/sdk/log => go.opentelemetry.io/otel/sdk/log v0.19.0
+replace go.opentelemetry.io/otel/sdk/log => go.opentelemetry.io/otel/sdk/log v0.16.0
@@ -183,7 +183,7 @@ func (m *Ci) toolchain() *dagger.Container {
 	return dag.Container().
 		From("ghcr.io/cirruslabs/flutter:3.41.6").
 		WithExec([]string{"apt-get", "-qq", "update"}).
-		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld"}).
+		WithExec([]string{"apt-get", "install", "-y", "-qq", "clang", "cmake", "ninja-build", "pkg-config", "libgtk-3-dev", "liblzma-dev", "libsecret-1-dev", "libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "iproute2", "netcat-openbsd", "xvfb", "libosmesa6", "libegl1", "lld", "age"}).
 		WithExec([]string{"useradd", "-m", "-s", "/bin/bash", "ci"}).
 		WithExec([]string{"/bin/sh", "-c",
 			`flutter_dir=$(dirname $(dirname $(which flutter))); ` +
@@ -286,21 +286,6 @@ func (m *Ci) firebaseSrc() *dagger.Directory {
 	})
 }

-// androidBase wraps setup(androidSrc()) with the Gradle named-cache so that
-// Gradle dependencies survive across Dagger execution-cache misses.
-func (m *Ci) androidBase() *dagger.Container {
-	return m.setup(m.androidSrc()).
-		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"),
-			dagger.ContainerWithMountedCacheOpts{Owner: "ci"})
-}
-
-// firebaseBase wraps setup(firebaseSrc()) with the Gradle named-cache.
-func (m *Ci) firebaseBase() *dagger.Container {
-	return m.setup(m.firebaseSrc()).
-		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"),
-			dagger.ContainerWithMountedCacheOpts{Owner: "ci"})
-}
-
 // linuxSrc is the source subset for Linux builds and integration tests.
 func (m *Ci) linuxSrc() *dagger.Directory {
 	return m.Source.Filter(dagger.DirectoryFilterOpts{
@@ -396,6 +381,21 @@ func (m *Ci) CheckHygiene(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }

+// CheckSecrets verifies the secrets encrypt/decrypt scripts work correctly.
+func (m *Ci) CheckSecrets(ctx context.Context) (string, error) {
+	scriptSrc := m.Source.Filter(dagger.DirectoryFilterOpts{
+		Include: []string{"scripts/secrets-encrypt.sh", "scripts/secrets-decrypt.sh", "scripts/test_secrets.sh"},
+	})
+	return dag.Container().
+		From("ghcr.io/cirruslabs/flutter:3.41.6").
+		WithExec([]string{"apt-get", "-qq", "update"}).
+		WithExec([]string{"apt-get", "install", "-y", "-qq", "age"}).
+		WithDirectory("/src", scriptSrc).
+		WithWorkdir("/src").
+		WithExec([]string{"bash", "scripts/test_secrets.sh"}).
+		Stdout(ctx)
+}
+
 // CheckLayers enforces that ui/ does not import data/.
 func (m *Ci) CheckLayers(ctx context.Context) (string, error) {
 	return m.Base().
@@ -486,6 +486,9 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 	if _, err := m.CheckLayers(ctx); err != nil {
 		return "Layer check failed", err
 	}
+	if _, err := m.CheckSecrets(ctx); err != nil {
+		return "Secrets script check failed", err
+	}

 	checkSetup := m.setup(m.checkSrc())

@@ -599,17 +602,9 @@ func (m *Ci) BuildLinux() *dagger.Directory {
 }

 // BuildLinuxRelease builds the Linux release bundle.
-func (m *Ci) BuildLinuxRelease(
-	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
-	// +optional
-	commitHash string,
-) *dagger.Directory {
-	args := []string{"flutter", "build", "linux", "--release"}
-	if commitHash != "" {
-		args = append(args, "--dart-define=GIT_HASH="+commitHash)
-	}
+func (m *Ci) BuildLinuxRelease() *dagger.Directory {
 	return m.setup(m.linuxSrc()).
-		WithExec(args).
+		WithExec([]string{"flutter", "build", "linux", "--release"}).
 		Directory("build/linux/x64/release/bundle")
 }

@@ -622,7 +617,7 @@ func (m *Ci) DeployLinux(
 	sshHost string,
 	commitHash string,
 ) (string, error) {
-	bundle := m.BuildLinuxRelease(commitHash)
+	bundle := m.BuildLinuxRelease()

 	datePath := time.Now().Format("2006/01/02")
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
@@ -638,27 +633,16 @@ func (m *Ci) DeployLinux(

 // setupKeystore decodes the base64 keystore into the android build container.
 func (m *Ci) setupKeystore(keystoreBase64 *dagger.Secret, keystorePassword *dagger.Secret) *dagger.Container {
-	return m.androidBase().
+	return m.setup(m.androidSrc()).
 		WithSecretVariable("ANDROID_KEYSTORE_BASE64", keystoreBase64).
 		WithSecretVariable("ANDROID_KEYSTORE_PASSWORD", keystorePassword).
 		WithExec([]string{"/bin/sh", "-c", `echo "$ANDROID_KEYSTORE_BASE64" | base64 -d > android/app/upload-keystore.jks`})
 }

 // BuildAndroidApk builds a release APK signed with the upload key.
-func (m *Ci) BuildAndroidApk(
-	keystoreBase64 *dagger.Secret,
-	keystorePassword *dagger.Secret,
-	buildNumber string,
-	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
-	// +optional
-	commitHash string,
-) *dagger.File {
-	args := []string{"flutter", "build", "apk", "--release", "--no-pub", "--build-number", buildNumber}
-	if commitHash != "" {
-		args = append(args, "--dart-define=GIT_HASH="+commitHash)
-	}
+func (m *Ci) BuildAndroidApk(keystoreBase64 *dagger.Secret, keystorePassword *dagger.Secret, buildNumber string) *dagger.File {
 	return m.setupKeystore(keystoreBase64, keystorePassword).
-		WithExec(args).
+		WithExec([]string{"flutter", "build", "apk", "--release", "--no-pub", "--build-number", buildNumber}).
 		File("build/app/outputs/flutter-apk/app-release.apk")
 }

@@ -674,7 +658,7 @@ func (m *Ci) DeployApk(
 	keystorePassword *dagger.Secret,
 	buildNumber string,
 ) (string, error) {
-	apk := m.BuildAndroidApk(keystoreBase64, keystorePassword, buildNumber, commitHash)
+	apk := m.BuildAndroidApk(keystoreBase64, keystorePassword, buildNumber)

 	datePath := time.Now().Format("2006/01/02")
 	remoteDir := fmt.Sprintf("public_html/builds/%s", datePath)
@@ -690,7 +674,8 @@ func (m *Ci) DeployApk(
 // BuildAndroidDebugApks builds the debug app APK and the androidTest APK needed for Firebase Test Lab.
 // Returns a flat directory with app-debug.apk and app-debug-androidTest.apk.
 func (m *Ci) BuildAndroidDebugApks() *dagger.Directory {
-	built := m.firebaseBase().
+	built := m.setup(m.firebaseSrc()).
+		WithMountedCache("/home/ci/.gradle", dag.CacheVolume("gradle-cache"), dagger.ContainerWithMountedCacheOpts{Owner: "ci"}).
 		WithExec([]string{"flutter", "build", "apk", "--debug", "--no-pub"}).
 		WithWorkdir("/src/android").
 		// --no-daemon avoids connecting to a stale daemon whose registry file was
@@ -749,17 +734,9 @@ func (m *Ci) TestAndroidFirebase(

 // BuildAndroidRelease builds the AAB with a fixed build-number so Dagger can cache it.
 // versionCode and signing are applied separately via StampAndroidVersionCode + SignAndroidBundle.
-func (m *Ci) BuildAndroidRelease(
-	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
-	// +optional
-	commitHash string,
-) *dagger.File {
-	args := []string{"flutter", "build", "appbundle", "--release", "--no-pub", "--build-number", "1"}
-	if commitHash != "" {
-		args = append(args, "--dart-define=GIT_HASH="+commitHash)
-	}
-	return m.androidBase().
-		WithExec(args).
+func (m *Ci) BuildAndroidRelease() *dagger.File {
+	return m.setup(m.androidSrc()).
+		WithExec([]string{"flutter", "build", "appbundle", "--release", "--no-pub", "--build-number", "1"}).
 		File("build/app/outputs/bundle/release/app-release.aab")
 }

@@ -831,41 +808,14 @@ func (m *Ci) PublishAndroid(
 	playStoreConfig *dagger.Secret,
 	keystoreBase64 *dagger.Secret,
 	keystorePassword *dagger.Secret,
-	// Git commit hash injected as GIT_HASH dart-define so the About page can display it.
-	// +optional
-	commitHash string,
 ) (string, error) {
 	versionCode := int(time.Now().Unix())
-	aab := m.BuildAndroidRelease(commitHash)
+	aab := m.BuildAndroidRelease()
 	stamped := m.StampAndroidVersionCode(aab, versionCode)
 	signed := m.SignAndroidBundle(stamped, keystoreBase64, keystorePassword)
 	return m.UploadToPlayStore(ctx, signed, playStoreConfig)
 }

-// Renovate runs Renovate bot against the repository on Forgejo/Codeberg.
-func (m *Ci) Renovate(ctx context.Context, renovateToken *dagger.Secret) (string, error) {
-	// Codeberg's GET /pulls?state=all&limit=100 times out with a 504, but limit=10
-	// completes in ~9 s. Patch the compiled pr-cache.js to use 10 instead of the
-	// hardcoded 20/100 values before launching renovate.
-	const patchCmd = `for f in \
-			/usr/local/renovate/dist/modules/platform/forgejo/pr-cache.js \
-			/usr/local/renovate/dist/modules/platform/gitea/pr-cache.js; do \
-		sed -i 's/limit: this\.items\.length ? 20 : 100/limit: this.items.length ? 10 : 10/' "$f" && echo "patched $f"; \
-		done`
-	return dag.Container().
-		From("renovate/renovate:43").
-		WithSecretVariable("RENOVATE_TOKEN", renovateToken).
-		WithEnvVariable("RENOVATE_PLATFORM", "forgejo").
-		WithEnvVariable("RENOVATE_ENDPOINT", "https://codeberg.org").
-		WithEnvVariable("RENOVATE_REPOSITORIES", "guettli/sharedinbox").
-		WithEnvVariable("LOG_LEVEL", "info").
-		WithUser("root").
-		WithExec([]string{"/bin/sh", "-c", patchCmd}).
-		WithUser("ubuntu").
-		WithExec([]string{"renovate"}).
-		Stdout(ctx)
-}
-
 // Graph returns a Mermaid diagram of the CI pipeline structure.
 // Paste the output into any Mermaid renderer (codeberg, github, mermaid.live)
 // or save it as a .md file to get a rendered diagram.
@@ -889,6 +839,7 @@ flowchart TD

        pubGet --> hygiene["CheckHygiene"]
        pubGet --> layers["CheckLayers"]
+        pubGet --> secrets["CheckSecrets\nage encrypt/decrypt"]
        pubGet --> mocks["CheckMocks\n(own build_runner run)"]

        codegen --> fmt["Format"]
@@ -902,6 +853,7 @@ flowchart TD

        hygiene    --> check{{"✓ Check"}}
        layers     --> check
+        secrets    --> check
        fmt        --> check
        analyze    --> check
        mocks      --> check
@@ -13,7 +13,7 @@ export SSH_PRIVATE_KEY=$(cat "$HOME/.ssh/id_ed25519")

 # Add nix profile and nix store tools (task, dagger) to PATH
 export PATH="$HOME/.nix-profile/bin:$PATH"
-for pkg in "*go-task-*/bin/task" "*dagger-*/bin/dagger" "*fgj-*/bin/fgj"; do
+for pkg in "*go-task-*/bin/task" "*dagger-*/bin/dagger"; do
    bin=$(ls -d /nix/store/$pkg 2>/dev/null | sort -V | tail -1)
    [ -n "$bin" ] && export PATH="$(dirname "$bin"):$PATH"
 done
@@ -4,16 +4,6 @@ This file contains tasks which got implemented.

 Tasks get moved from next.md to done.md

-## Tasks (2026-05-26)
-
- **Renovate Bot (Issue #257)**: Renovate Bot runs daily via Forgejo Actions to keep
-  dependencies up to date. All required components are in main:
-  - `renovate.json` — Renovate configuration covering pub, Dockerfile, and Forgejo Actions
-  - `ci/main.go` — `Renovate()` Dagger function using Forgejo platform and Codeberg endpoint
-  - `.forgejo/workflows/renovate.yml` — daily cron (06:00 UTC) workflow
-  - `Taskfile.yml` — `renovate` task
-  - Issue #257 closed.
-
 ## Tasks (2026-05-11)

 - **Stabilize Email List UI during Selection (Issue #14)**: Prevented layout shifts when entering
@@ -87,6 +87,9 @@
            # Website
            hugo

+            # Secrets management (master-key encryption for CI sync)
+            age
+
            # Utilities
            git
            curl
@@ -317,7 +317,7 @@ void main() {

      // ── Check Sent folder ──────────────────────────────────────────────────
      // Use the drawer to switch folders (no back button on Linux desktop).
-      await tester.tap(find.byTooltip('Open folders'));
+      await tester.tap(find.byTooltip('Open navigation menu'));
      await tester.pumpAndSettle();
      await tester.tap(find.text('Sent'));
      await tester.pumpAndSettle();
@@ -331,7 +331,7 @@ void main() {
      expect(find.text(subject), findsOneWidget);

      // ── Check Inbox ────────────────────────────────────────────────────────
-      await tester.tap(find.byTooltip('Open folders'));
+      await tester.tap(find.byTooltip('Open navigation menu'));
      await tester.pumpAndSettle();
      await tester.tap(find.text('INBOX'));
      await tester.pumpAndSettle();
@@ -1 +0,0 @@
-const int dbSchemaVersion = 36;
@@ -1,14 +0,0 @@
-enum MenuPosition { bottom, top }
-
-enum AfterMailViewAction { nextMessage, showMailbox }
-
-class UserPreferences {
-  const UserPreferences({
-    this.menuPosition = MenuPosition.bottom,
-    this.mailViewButtonPosition = MenuPosition.bottom,
-    this.afterMailViewAction = AfterMailViewAction.nextMessage,
-  });
-  final MenuPosition menuPosition;
-  final MenuPosition mailViewButtonPosition;
-  final AfterMailViewAction afterMailViewAction;
-}
@@ -11,13 +11,4 @@ abstract class MailboxRepository {

  /// Deletes all locally-cached mailbox rows for [accountId].
  Future<void> clearForResync(String accountId);
-
-  /// Creates a new mailbox named [name] for [accountId] and tags it with
-  /// [role] in the local database. For JMAP accounts the role is also sent
-  /// to the server. Returns the newly created [Mailbox].
-  Future<Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  );
 }
@@ -19,8 +19,6 @@ class SyncLogEntry {
    required this.id,
    required this.result,
    this.errorMessage,
-    this.stackTrace,
-    this.isPermanent = false,
    required this.protocol,
    required this.emailsFetched,
    required this.emailsSkipped,
@@ -36,8 +34,6 @@ class SyncLogEntry {
  final int id;
  final String result; // 'ok' or 'error'
  final String? errorMessage;
-  final String? stackTrace;
-  final bool isPermanent;
  final String protocol; // 'imap' or 'jmap'
  final int emailsFetched;
  final int emailsSkipped;
@@ -58,8 +54,6 @@ abstract class SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -87,8 +81,6 @@ class NoOpSyncLogRepository implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -1,8 +0,0 @@
-import 'package:sharedinbox/core/models/user_preferences.dart';
-
-abstract class UserPreferencesRepository {
-  Stream<UserPreferences> observePreferences();
-  Future<void> updateMenuPosition(MenuPosition position);
-  Future<void> updateMailViewButtonPosition(MenuPosition position);
-  Future<void> updateAfterMailViewAction(AfterMailViewAction action);
-}
@@ -260,8 +260,6 @@ class _AccountSync implements _SyncLoop {
            accountId: account.id,
            success: false,
            errorMessage: e.toString(),
-            stackTrace: st.toString(),
-            isPermanent: isPermanent,
            protocol: 'imap',
            emailsFetched: 0,
            emailsSkipped: 0,
@@ -515,8 +513,6 @@ class _JmapAccountSync implements _SyncLoop {
            accountId: account.id,
            success: false,
            errorMessage: e.toString(),
-            stackTrace: st.toString(),
-            isPermanent: isPermanent,
            protocol: 'jmap',
            emailsFetched: 0,
            emailsSkipped: 0,
@@ -6,7 +6,6 @@ import 'package:drift/native.dart';
 import 'package:flutter/services.dart';
 import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
-import 'package:sharedinbox/core/db_schema_version.dart';

 part 'database.g.dart';

@@ -193,9 +192,6 @@ class SyncLogs extends Table {
  DateTimeColumn get finishedAt => dateTime()();
  // Added in schema v13: raw protocol log when account.verbose == true.
  TextColumn get protocolLog => text().nullable()();
-  // Added in schema v33: stack trace and permanent flag for error entries.
-  TextColumn get errorStackTrace => text().nullable()();
-  BoolColumn get isPermanent => boolean().withDefault(const Constant(false))();
 }

 /// Per-mailbox breakdown for a single sync cycle.
@@ -307,23 +303,6 @@ class LocalSieveApplied extends Table {
  Set<Column> get primaryKey => {accountId, messageId};
 }

-/// App-wide user preferences, stored as a singleton row (id always 1).
-@DataClassName('UserPreferencesRow')
-class UserPreferences extends Table {
-  IntColumn get id => integer()();
-  // 'bottom' (default) | 'top'
-  TextColumn get menuPosition => text().withDefault(const Constant('bottom'))();
-  // Added in schema v35: 'bottom' (default) | 'top'
-  TextColumn get mailViewButtonPosition =>
-      text().withDefault(const Constant('bottom'))();
-  // Added in schema v36: 'nextMessage' (default) | 'showMailbox'
-  TextColumn get afterMailViewAction =>
-      text().withDefault(const Constant('nextMessage'))();
-
-  @override
-  Set<Column> get primaryKey => {id};
-}
-
 // ── Database ──────────────────────────────────────────────────────────────────

@DriftDatabase(
@@ -344,14 +323,13 @@ class UserPreferences extends Table {
    LocalSieveScripts,
    LocalSieveApplied,
    ShareKeys,
-    UserPreferences,
  ],
 )
 class AppDatabase extends _$AppDatabase {
  AppDatabase([QueryExecutor? executor]) : super(executor ?? _openConnection());

  @override
-  int get schemaVersion => dbSchemaVersion;
+  int get schemaVersion => 32;

  Future<void> _createEmailFts() async {
    await customStatement('''
@@ -592,25 +570,6 @@ class AppDatabase extends _$AppDatabase {
          if (from < 32) {
            await m.createTable(localSieveApplied);
          }
-          if (from >= 7 && from < 33) {
-            await m.addColumn(syncLogs, syncLogs.errorStackTrace);
-            await m.addColumn(syncLogs, syncLogs.isPermanent);
-          }
-          if (from < 34) {
-            await m.createTable(userPreferences);
-          }
-          if (from >= 34 && from < 35) {
-            await m.addColumn(
-              userPreferences,
-              userPreferences.mailViewButtonPosition,
-            );
-          }
-          if (from >= 34 && from < 36) {
-            await m.addColumn(
-              userPreferences,
-              userPreferences.afterMailViewAction,
-            );
-          }
        },
      );
 }
@@ -79,14 +79,6 @@ class MailboxRepositoryImpl implements MailboxRepository {
    );
    try {
      final mailboxes = await client.listMailboxes(recursive: true);
-
-      // Pre-load existing DB roles so we can preserve manually-set roles for
-      // folders the server doesn't tag with a special-use attribute.
-      final existingRows = await (_db.select(_db.mailboxes)
-            ..where((t) => t.accountId.equals(account.id)))
-          .get();
-      final existingRoles = {for (final r in existingRows) r.id: r.role};
-
      for (final mb in mailboxes) {
        final path = mb.path;
        final id = '${account.id}:$path';
@@ -104,12 +96,6 @@ class MailboxRepositoryImpl implements MailboxRepository {
          log('STATUS skipped for $path: $e');
        }

-        // Use the server-assigned role when available; fall back to the
-        // existing DB role so that manually-created folders (e.g. a user
-        // who just created their Archive folder) keep their role across syncs
-        // when the IMAP server does not expose a special-use attribute.
-        final role = _imapRole(mb) ?? existingRoles[id];
-
        await _db.into(_db.mailboxes).insertOnConflictUpdate(
              MailboxesCompanion.insert(
                id: id,
@@ -118,7 +104,7 @@ class MailboxRepositoryImpl implements MailboxRepository {
                name: mb.name,
                unreadCount: Value(unread),
                totalCount: Value(total),
-                role: Value(role),
+                role: Value(_imapRole(mb)),
              ),
            );
      }
@@ -324,104 +310,4 @@ class MailboxRepositoryImpl implements MailboxRepository {
          ..where((t) => t.accountId.equals(accountId)))
        .go();
  }
-
-  @override
-  Future<model.Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  ) async {
-    final account = (await _accounts.getAccount(accountId))!;
-    final password = await _accounts.getPassword(accountId);
-    switch (account.type) {
-      case account_model.AccountType.imap:
-        return _createMailboxWithRoleImap(account, password, name, role);
-      case account_model.AccountType.jmap:
-        return _createMailboxWithRoleJmap(account, password, name, role);
-    }
-  }
-
-  Future<model.Mailbox> _createMailboxWithRoleImap(
-    account_model.Account account,
-    String password,
-    String name,
-    String role,
-  ) async {
-    final client = await _imapConnect(
-      account,
-      _effectiveUsername(account),
-      password,
-    );
-    try {
-      await client.createMailbox(name);
-    } finally {
-      await client.logout();
-    }
-    final id = '${account.id}:$name';
-    await _db.into(_db.mailboxes).insertOnConflictUpdate(
-          MailboxesCompanion.insert(
-            id: id,
-            accountId: account.id,
-            path: name,
-            name: name,
-            role: Value(role),
-          ),
-        );
-    final row = await (_db.select(_db.mailboxes)..where((t) => t.id.equals(id)))
-        .getSingle();
-    return _toModel(row);
-  }
-
-  Future<model.Mailbox> _createMailboxWithRoleJmap(
-    account_model.Account account,
-    String password,
-    String name,
-    String role,
-  ) async {
-    final jmapUrl = account.jmapUrl;
-    if (jmapUrl == null || jmapUrl.isEmpty) {
-      throw Exception('JMAP account ${account.id} has no jmapUrl');
-    }
-    final jmap = await JmapClient.connect(
-      httpClient: _httpClient,
-      jmapUrl: Uri.parse(jmapUrl),
-      username: _effectiveUsername(account),
-      password: password,
-    );
-    final responses = await jmap.call([
-      [
-        'Mailbox/set',
-        {
-          'accountId': jmap.accountId,
-          'create': {
-            'new-mailbox': {'name': name, 'role': role},
-          },
-        },
-        '0',
-      ],
-    ]);
-    final result = _responseArgs(responses, 0, 'Mailbox/set');
-    final created = result['created'] as Map<String, dynamic>?;
-    final newId =
-        (created?['new-mailbox'] as Map<String, dynamic>?)?['id'] as String?;
-    if (newId == null) {
-      throw Exception(
-        'Failed to create mailbox "$name": server returned no ID',
-      );
-    }
-    final dbId = '${account.id}:$newId';
-    await _db.into(_db.mailboxes).insertOnConflictUpdate(
-          MailboxesCompanion.insert(
-            id: dbId,
-            accountId: account.id,
-            path: newId,
-            name: name,
-            role: Value(role),
-          ),
-        );
-    final row = await (_db.select(_db.mailboxes)
-          ..where((t) => t.id.equals(dbId)))
-        .getSingle();
-    return _toModel(row);
-  }
 }
@@ -13,8 +13,6 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -32,8 +30,6 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
              accountId: accountId,
              result: success ? 'ok' : 'error',
              errorMessage: Value(errorMessage),
-              errorStackTrace: Value(stackTrace),
-              isPermanent: Value(isPermanent),
              protocol: Value(protocol),
              itemsSynced: Value(emailsFetched),
              emailsSkipped: Value(emailsSkipped),
@@ -79,8 +75,6 @@ class SyncLogRepositoryImpl implements SyncLogRepository {
            id: r.id,
            result: r.result,
            errorMessage: r.errorMessage,
-            stackTrace: r.errorStackTrace,
-            isPermanent: r.isPermanent,
            protocol: r.protocol,
            emailsFetched: r.itemsSynced,
            emailsSkipped: r.emailsSkipped,
@@ -1,68 +0,0 @@
-import 'package:drift/drift.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart' as pref;
-import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
-import 'package:sharedinbox/data/db/database.dart';
-
-class UserPreferencesRepositoryImpl implements UserPreferencesRepository {
-  UserPreferencesRepositoryImpl(this._db);
-
-  final AppDatabase _db;
-  static const _rowId = 1;
-
-  @override
-  Stream<pref.UserPreferences> observePreferences() {
-    return (_db.select(_db.userPreferences)..where((t) => t.id.equals(_rowId)))
-        .watchSingleOrNull()
-        .map(_rowToModel);
-  }
-
-  @override
-  Future<void> updateMenuPosition(pref.MenuPosition position) async {
-    await _db.into(_db.userPreferences).insertOnConflictUpdate(
-          UserPreferencesCompanion(
-            id: const Value(_rowId),
-            menuPosition: Value(position.name),
-          ),
-        );
-  }
-
-  @override
-  Future<void> updateMailViewButtonPosition(pref.MenuPosition position) async {
-    await _db.into(_db.userPreferences).insertOnConflictUpdate(
-          UserPreferencesCompanion(
-            id: const Value(_rowId),
-            mailViewButtonPosition: Value(position.name),
-          ),
-        );
-  }
-
-  @override
-  Future<void> updateAfterMailViewAction(
-    pref.AfterMailViewAction action,
-  ) async {
-    await _db.into(_db.userPreferences).insertOnConflictUpdate(
-          UserPreferencesCompanion(
-            id: const Value(_rowId),
-            afterMailViewAction: Value(action.name),
-          ),
-        );
-  }
-
-  static pref.UserPreferences _rowToModel(UserPreferencesRow? row) {
-    if (row == null) return const pref.UserPreferences();
-    return pref.UserPreferences(
-      menuPosition: pref.MenuPosition.values.firstWhere(
-        (e) => e.name == row.menuPosition,
-        orElse: () => pref.MenuPosition.bottom,
-      ),
-      mailViewButtonPosition: pref.MenuPosition.values.firstWhere(
-        (e) => e.name == row.mailViewButtonPosition,
-        orElse: () => pref.MenuPosition.bottom,
-      ),
-      afterMailViewAction: pref.AfterMailViewAction.values.firstWhere(
-        (e) => e.name == row.afterMailViewAction,
-        orElse: () => pref.AfterMailViewAction.nextMessage,
-      ),
-    );
-  }
-}
@@ -5,7 +5,6 @@ import 'package:http/http.dart' as http;
 import 'package:sharedinbox/core/models/account.dart' as model;
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/repositories/draft_repository.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
@@ -14,7 +13,6 @@ import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/core/repositories/undo_repository.dart';
-import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
 import 'package:sharedinbox/core/services/account_discovery_service.dart';
 import 'package:sharedinbox/core/services/connection_test_service.dart';
 import 'package:sharedinbox/core/services/managesieve_probe_service.dart';
@@ -23,8 +21,7 @@ import 'package:sharedinbox/core/services/undo_service.dart';
 import 'package:sharedinbox/core/storage/secure_storage.dart';
 import 'package:sharedinbox/core/sync/account_sync_manager.dart';
 import 'package:sharedinbox/core/sync/reliability_runner.dart';
-import 'package:sharedinbox/data/db/database.dart'
-    hide Email, EmailBody, UserPreferences;
+import 'package:sharedinbox/data/db/database.dart' hide Email, EmailBody;
 import 'package:sharedinbox/data/db/local_sieve_repository.dart';
 import 'package:sharedinbox/data/imap/imap_client_factory.dart';
 import 'package:sharedinbox/data/jmap/sieve_repository.dart';
@@ -36,7 +33,6 @@ import 'package:sharedinbox/data/repositories/search_history_repository_impl.dar
 import 'package:sharedinbox/data/repositories/share_key_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/sync_log_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/undo_repository_impl.dart';
-import 'package:sharedinbox/data/repositories/user_preferences_repository_impl.dart';
 import 'package:sharedinbox/data/storage/flutter_secure_storage_impl.dart';

 /// Swappable IMAP connection factory — override in tests to use plaintext.
@@ -231,13 +227,3 @@ final accountConnectionStatusProvider =
      .read(connectionTestServiceProvider)
      .testConnection(account, password);
 });
-
-final userPreferencesRepositoryProvider =
-    Provider<UserPreferencesRepository>((ref) {
-  return UserPreferencesRepositoryImpl(ref.watch(dbProvider));
-});
-
-final userPreferencesProvider =
-    StreamProvider.autoDispose<UserPreferences>((ref) {
-  return ref.watch(userPreferencesRepositoryProvider).observePreferences();
-});
@@ -20,7 +20,6 @@ import 'package:sharedinbox/ui/screens/sieve_scripts_screen.dart';
 import 'package:sharedinbox/ui/screens/sync_log_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
 import 'package:sharedinbox/ui/screens/undo_log_screen.dart';
-import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
 import 'package:sharedinbox/ui/widgets/undo_shell.dart';

 final router = GoRouter(
@@ -57,10 +56,6 @@ final router = GoRouter(
              path: 'about',
              builder: (ctx, state) => const AboutScreen(),
            ),
-            GoRoute(
-              path: 'preferences',
-              builder: (ctx, state) => const UserPreferencesScreen(),
-            ),
            GoRoute(
              path: ':accountId/edit',
              builder: (ctx, state) => EditAccountScreen(
@@ -1,4 +1,5 @@
 import 'dart:async';
+import 'dart:io';

 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
@@ -7,7 +8,6 @@ import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/utils/about_markdown.dart';
 import 'package:url_launcher/url_launcher.dart';

 class AboutScreen extends ConsumerStatefulWidget {
@@ -19,22 +19,57 @@ class AboutScreen extends ConsumerStatefulWidget {

 class _AboutScreenState extends ConsumerState<AboutScreen> {
  final Future<PackageInfo> _packageInfoFuture = PackageInfo.fromPlatform();
-  late final Future<String?> _deviceModelFuture;
  late final Stream<List<Account>> _accountsStream;
-  String? _deviceModel;
+
+  static const _gitHash = String.fromEnvironment('GIT_HASH');

  @override
  void initState() {
    super.initState();
    _accountsStream = ref.read(accountRepositoryProvider).observeAccounts();
-    _deviceModelFuture = getDeviceModel();
-    unawaited(
-      _deviceModelFuture.then((model) {
-        if (mounted) setState(() => _deviceModel = model);
-      }),
-    );
  }

+  String _buildMarkdown(
+    BuildContext context,
+    PackageInfo? pkg,
+    int imapCount,
+    int jmapCount,
+  ) {
+    final size = MediaQuery.of(context).size;
+    final pixelRatio = MediaQuery.of(context).devicePixelRatio;
+    final physW = (size.width * pixelRatio).toInt();
+    final physH = (size.height * pixelRatio).toInt();
+    final version =
+        pkg != null ? '${pkg.version}+${pkg.buildNumber}' : 'unknown';
+    final versionDisplay = _gitHash.isNotEmpty
+        ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)'
+        : version;
+    final osName = _capitalize(Platform.operatingSystem);
+    final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
+
+    final gitCommitLine = _gitHash.isNotEmpty
+        ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
+        : '';
+    return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
+        '| Property | Value |\n'
+        '|----------|-------|\n'
+        '| App Version | $versionDisplay |\n'
+        '$gitCommitLine'
+        '| Platform | ${Platform.operatingSystem} |\n'
+        '| $osName Version | ${Platform.operatingSystemVersion} |\n'
+        '| Resolution | ${physW}x$physH px'
+        ' (logical: ${size.width.toInt()}x${size.height.toInt()} pt,'
+        ' ratio: ${pixelRatio.toStringAsFixed(1)}x) |\n'
+        '| Dart Version | ${Platform.version.split(' ').first} |\n'
+        '| Processors | ${Platform.numberOfProcessors} |\n'
+        '| Dark Mode | ${isDark ? 'yes' : 'no'} |\n'
+        '| IMAP Accounts | $imapCount |\n'
+        '| JMAP Accounts | $jmapCount |\n';
+  }
+
+  static String _capitalize(String s) =>
+      s.isEmpty ? s : '${s[0].toUpperCase()}${s.substring(1)}';
+
  Future<void> _copyToClipboard(
    BuildContext context,
    int imapCount,
@@ -44,20 +79,10 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    try {
      pkg = await _packageInfoFuture;
    } catch (_) {}
-    String? deviceModel;
-    try {
-      deviceModel = await _deviceModelFuture;
-    } catch (_) {}
    if (!context.mounted) return;
    await Clipboard.setData(
      ClipboardData(
-        text: buildAboutMarkdown(
-          context: context,
-          pkg: pkg,
-          imapCount: imapCount,
-          jmapCount: jmapCount,
-          deviceModel: deviceModel,
-        ),
+        text: _buildMarkdown(context, pkg, imapCount, jmapCount),
      ),
    );
    if (context.mounted) {
@@ -70,30 +95,6 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    }
  }

-  Future<void> _launchUrl(BuildContext context, Uri url) async {
-    try {
-      final launched =
-          await launchUrl(url, mode: LaunchMode.externalApplication);
-      if (!launched && context.mounted) {
-        ScaffoldMessenger.of(context).showSnackBar(
-          const SnackBar(
-            duration: Duration(seconds: 5),
-            content: Text('Could not open browser.'),
-          ),
-        );
-      }
-    } catch (e) {
-      if (context.mounted) {
-        ScaffoldMessenger.of(context).showSnackBar(
-          SnackBar(
-            duration: const Duration(seconds: 5),
-            content: Text('Error: $e'),
-          ),
-        );
-      }
-    }
-  }
-
  Future<void> _createIssue(
    BuildContext context,
    int imapCount,
@@ -103,19 +104,9 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
    try {
      pkg = await _packageInfoFuture;
    } catch (_) {}
-    String? deviceModel;
-    try {
-      deviceModel = await _deviceModelFuture;
-    } catch (_) {}
    if (!context.mounted) return;
    final body = Uri.encodeComponent(
-      buildAboutMarkdown(
-        context: context,
-        pkg: pkg,
-        imapCount: imapCount,
-        jmapCount: jmapCount,
-        deviceModel: deviceModel,
-      ),
+      _buildMarkdown(context, pkg, imapCount, jmapCount),
    );
    final url = Uri.parse(
      'https://codeberg.org/guettli/sharedinbox/issues/new?body=$body',
@@ -166,18 +157,20 @@ class _AboutScreenState extends ConsumerState<AboutScreen> {
                      return const Center(child: CircularProgressIndicator());
                    }
                    return Markdown(
-                      data: buildAboutMarkdown(
-                        context: context,
-                        pkg: snapshot.data,
-                        imapCount: imapCount,
-                        jmapCount: jmapCount,
-                        deviceModel: _deviceModel,
+                      data: _buildMarkdown(
+                        context,
+                        snapshot.data,
+                        imapCount,
+                        jmapCount,
                      ),
                      selectable: true,
                      onTapLink: (text, href, title) {
                        if (href != null) {
                          unawaited(
-                            _launchUrl(context, Uri.parse(href)),
+                            launchUrl(
+                              Uri.parse(href),
+                              mode: LaunchMode.externalApplication,
+                            ),
                          );
                        }
                      },
@@ -1,5 +1,4 @@
 import 'dart:async';
-import 'dart:convert';

 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
@@ -67,14 +66,6 @@ class AccountListScreen extends ConsumerWidget {
                unawaited(context.push('/accounts/about'));
              },
            ),
-            ListTile(
-              leading: const Icon(Icons.settings),
-              title: const Text('Preferences'),
-              onTap: () {
-                Navigator.pop(context); // Close drawer
-                unawaited(context.push('/accounts/preferences'));
-              },
-            ),
          ],
        ),
      ),
@@ -133,6 +124,7 @@ class _AccountTile extends ConsumerWidget {
              if (h == null) return const Text('Sync health: Not verified yet');
              final date = h.lastVerifiedAt.toLocal().toString().split('.')[0];
              return Row(
+                mainAxisSize: MainAxisSize.min,
                children: [
                  const Text('Sync health: '),
                  Icon(
@@ -141,13 +133,7 @@ class _AccountTile extends ConsumerWidget {
                    color: h.isHealthy ? Colors.green : Colors.orange,
                  ),
                  const SizedBox(width: 4),
-                  Flexible(
-                    child: Text(
-                      h.isHealthy
-                          ? 'Healthy'
-                          : _formatDiscrepancies(h.discrepancySummary),
-                    ),
-                  ),
+                  Text(h.isHealthy ? 'Healthy' : 'Discrepancies found'),
                  Text(' ($date)', style: const TextStyle(fontSize: 10)),
                ],
              );
@@ -307,30 +293,6 @@ class _AccountTile extends ConsumerWidget {
  }
 }

-String _formatDiscrepancies(String? summary) {
-  if (summary == null) return 'Discrepancies found';
-  try {
-    final decoded = jsonDecode(summary) as Map<String, dynamic>;
-    var missingLocally = 0;
-    var missingOnServer = 0;
-    var flagMismatches = 0;
-    for (final v in decoded.values) {
-      final m = v as Map<String, dynamic>;
-      missingLocally += (m['missingLocally'] as int? ?? 0);
-      missingOnServer += (m['missingOnServer'] as int? ?? 0);
-      flagMismatches += (m['flagMismatches'] as int? ?? 0);
-    }
-    final parts = <String>[];
-    if (missingLocally > 0) parts.add('missing locally: $missingLocally');
-    if (missingOnServer > 0) parts.add('missing on server: $missingOnServer');
-    if (flagMismatches > 0) parts.add('flag mismatches: $flagMismatches');
-    if (parts.isEmpty) return 'Discrepancies found';
-    return 'Discrepancies found (${parts.join(', ')})';
-  } catch (_) {
-    return 'Discrepancies found';
-  }
-}
-
 class _OnboardingView extends StatelessWidget {
  const _OnboardingView();

@@ -1,6 +1,7 @@
 import 'dart:async';

 import 'package:flutter/material.dart';
+import 'package:flutter/services.dart' show rootBundle;
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
 import 'package:url_launcher/url_launcher.dart';

@@ -12,8 +13,7 @@ class ChangeLogScreen extends StatelessWidget {
    return Scaffold(
      appBar: AppBar(title: const Text('ChangeLog')),
      body: FutureBuilder<String>(
-        future:
-            DefaultAssetBundle.of(context).loadString('assets/changelog.txt'),
+        future: rootBundle.loadString('assets/changelog.txt'),
        builder: (context, snapshot) {
          if (snapshot.connectionState == ConnectionState.waiting) {
            return const Center(child: CircularProgressIndicator());
@@ -37,14 +37,11 @@ class CrashScreen extends StatelessWidget {
    final version = await _fetchVersion();
    final platform =
        '${Platform.operatingSystem} ${Platform.operatingSystemVersion}';
-    final versionDisplay = gitHash.isNotEmpty
-        ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$gitHash)'
-        : version;
    final gitLine = gitHash.isNotEmpty
        ? 'Git Commit: [$gitHash](https://codeberg.org/guettli/sharedinbox/commit/$gitHash)\n'
        : '';
    final timestamp = DateTime.now().toUtc().toIso8601String();
-    return 'App Version: $versionDisplay\n'
+    return 'App Version: $version\n'
        'Build Mode: $_buildMode\n'
        '$gitLine'
        'Platform: $platform\n'
@@ -89,35 +86,6 @@ class CrashScreen extends StatelessWidget {
                ),
                if (gitHash.isNotEmpty) ...[
                  const SizedBox(height: 8),
-                  FutureBuilder<PackageInfo>(
-                    future: PackageInfo.fromPlatform(),
-                    builder: (_, snapshot) {
-                      if (!snapshot.hasData) return const SizedBox.shrink();
-                      final version =
-                          '${snapshot.data!.version}+${snapshot.data!.buildNumber}';
-                      return GestureDetector(
-                        onTap: () async {
-                          final url = Uri.parse(
-                            'https://codeberg.org/guettli/sharedinbox/commit/$gitHash',
-                          );
-                          await launchUrl(
-                            url,
-                            mode: LaunchMode.externalApplication,
-                          );
-                        },
-                        child: Text(
-                          'App Version: $version',
-                          style: const TextStyle(
-                            fontSize: 12,
-                            color: Colors.blue,
-                            decoration: TextDecoration.underline,
-                          ),
-                          textAlign: TextAlign.center,
-                        ),
-                      );
-                    },
-                  ),
-                  const SizedBox(height: 4),
                  GestureDetector(
                    onTap: () async {
                      final url = Uri.parse(
@@ -38,7 +38,6 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
  var _sieveSsl = true;
  var _verbose = false;
  final _jmapUrlCtrl = TextEditingController();
-  bool _hasStoredPassword = false;

  // -- "Try connection" state ------------------------------------------------
  bool _tryTesting = false;
@@ -51,7 +50,6 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
    _smtpHostCtrl.addListener(_rebuild);
    _sieveHostCtrl.addListener(_rebuild);
    _imapHostCtrl.addListener(_rebuild);
-    _passwordCtrl.addListener(_rebuild);
    unawaited(_load());
  }

@@ -65,11 +63,6 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
      context.pop();
      return;
    }
-    try {
-      await repo.getPassword(account.id);
-      _hasStoredPassword = true;
-    } catch (_) {}
-    if (!mounted) return;
    _account = account;
    _displayNameCtrl.text = account.displayName;
    _usernameCtrl.text = account.username;
@@ -91,7 +84,6 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
    _smtpHostCtrl.removeListener(_rebuild);
    _sieveHostCtrl.removeListener(_rebuild);
    _imapHostCtrl.removeListener(_rebuild);
-    _passwordCtrl.removeListener(_rebuild);
    for (final c in [
      _displayNameCtrl,
      _usernameCtrl,
@@ -275,12 +267,10 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
            ),
            _field(
              _passwordCtrl,
-              _hasStoredPassword
-                  ? 'New password (leave blank to keep)'
-                  : 'Password',
+              'New password (leave blank to keep)',
              key: const Key('editPasswordField'),
              obscure: true,
-              required: !_hasStoredPassword,
+              required: false,
            ),
            if (account.type == AccountType.jmap) ...[
              const Divider(height: 32),
@@ -355,17 +345,10 @@ class _EditAccountScreenState extends ConsumerState<EditAccountScreen> {
              testing: _tryTesting,
              okMessage: _tryOk,
              errorMessage: _tryErr,
-              onPressed: _hasStoredPassword || _passwordCtrl.text.isNotEmpty
-                  ? _tryConnection
-                  : null,
+              onPressed: _tryConnection,
            ),
            const SizedBox(height: 8),
-            FilledButton(
-              onPressed: _hasStoredPassword || _passwordCtrl.text.isNotEmpty
-                  ? _save
-                  : null,
-              child: const Text('Save'),
-            ),
+            FilledButton(onPressed: _save, child: const Text('Save')),
          ],
        ),
      ),
@@ -1,79 +0,0 @@
-import 'package:flutter/material.dart';
-
-import 'package:sharedinbox/core/models/mailbox.dart';
-import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
-
-enum _MissingFolderChoice { chooseExisting, createNew }
-
-/// Resolves a mailbox by role, prompting the user to choose or create one when
-/// the role is not found.  Returns the target [Mailbox], or null if cancelled.
-Future<Mailbox?> resolveMailboxByRole(
-  BuildContext context,
-  MailboxRepository mailboxRepo,
-  String accountId,
-  String currentMailboxPath,
-  String role, {
-  required String dialogTitle,
-  required String createFolderName,
-}) async {
-  Mailbox? mailbox = await mailboxRepo.findMailboxByRole(accountId, role);
-  if (!context.mounted) return null;
-  if (mailbox != null) return mailbox;
-
-  final choice = await showDialog<_MissingFolderChoice>(
-    context: context,
-    builder: (ctx) => AlertDialog(
-      title: Text(dialogTitle),
-      actions: [
-        TextButton(
-          onPressed: () =>
-              Navigator.pop(ctx, _MissingFolderChoice.chooseExisting),
-          child: const Text('Choose existing folder'),
-        ),
-        FilledButton(
-          onPressed: () => Navigator.pop(ctx, _MissingFolderChoice.createNew),
-          child: Text('Create "$createFolderName"'),
-        ),
-      ],
-    ),
-  );
-  if (!context.mounted || choice == null) return null;
-
-  switch (choice) {
-    case _MissingFolderChoice.chooseExisting:
-      final mailboxes = await mailboxRepo.observeMailboxes(accountId).first;
-      if (!context.mounted) return null;
-      final chosen = await showModalBottomSheet<String>(
-        context: context,
-        builder: (ctx) => ListView(
-          shrinkWrap: true,
-          children: [
-            const ListTile(
-              title: Text(
-                'Move to…',
-                style: TextStyle(fontWeight: FontWeight.bold),
-              ),
-            ),
-            for (final m
-                in mailboxes.where((m) => m.path != currentMailboxPath))
-              ListTile(
-                leading: const Icon(Icons.folder_outlined),
-                title: Text(m.name),
-                onTap: () => Navigator.pop(ctx, m.path),
-              ),
-          ],
-        ),
-      );
-      if (chosen == null || !context.mounted) return null;
-      mailbox = mailboxes.firstWhere((m) => m.path == chosen);
-    case _MissingFolderChoice.createNew:
-      mailbox = await mailboxRepo.createMailboxWithRole(
-        accountId,
-        createFolderName,
-        role,
-      );
-      if (!context.mounted) return null;
-  }
-
-  return mailbox;
-}
@@ -13,11 +13,9 @@ import 'package:share_plus/share_plus.dart';

 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/format_utils.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
 import 'package:url_launcher/url_launcher.dart';
@@ -72,9 +70,16 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
            onPressed: header == null
                ? null
                : () {
-                    unawaited(
-                      _replyWithRecipientDialog(context, header, body),
-                    );
+                    unawaited(_reply(context, header, body, replyAll: false));
+                  },
+          ),
+          IconButton(
+            icon: const Icon(Icons.reply_all),
+            tooltip: 'Reply all',
+            onPressed: header == null
+                ? null
+                : () {
+                    unawaited(_reply(context, header, body, replyAll: true));
                  },
          ),
          IconButton(
@@ -87,19 +92,39 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                  },
          ),
          IconButton(
-            icon: const Icon(Icons.archive),
-            tooltip: 'Archive',
-            onPressed: header == null
-                ? null
-                : () {
-                    unawaited(_archive(context, header));
-                  },
+            icon: const Icon(Icons.mark_email_unread_outlined),
+            tooltip: 'Mark as unread',
+            onPressed: () async {
+              await repo.setFlag(widget.emailId, seen: false);
+              if (context.mounted) context.pop();
+            },
+          ),
+          IconButton(
+            icon: Icon(
+              _isFlagged ? Icons.star : Icons.star_border,
+              color: _isFlagged ? Colors.amber : null,
+            ),
+            tooltip: _isFlagged ? 'Unflag' : 'Flag',
+            onPressed: () async {
+              final next = !_isFlagged;
+              await repo.setFlag(widget.emailId, flagged: next);
+              if (mounted) setState(() => _isFlagged = next);
+            },
+          ),
+          IconButton(
+            icon: const Icon(Icons.drive_file_move_outline),
+            tooltip: 'Move to folder',
+            onPressed: header == null ? null : () => _moveTo(context, header),
+          ),
+          IconButton(
+            icon: const Icon(Icons.access_time),
+            tooltip: 'Snooze',
+            onPressed: header == null ? null : () => _snooze(context, header),
          ),
          IconButton(
            icon: const Icon(Icons.delete),
            tooltip: 'Delete',
            onPressed: () async {
-              final nextEmailId = await _getNextEmailIdIfNeeded(header);
              final destPath = await repo.deleteEmail(widget.emailId);

              if (header != null) {
@@ -118,46 +143,11 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                );
              }

-              if (context.mounted) _navigateTo(context, header, nextEmailId);
-            },
-          ),
-          IconButton(
-            icon: const Icon(Icons.report_outlined),
-            tooltip: 'Mark as spam',
-            onPressed: header == null
-                ? null
-                : () {
-                    unawaited(_markAsSpam(context, header));
-                  },
-          ),
-          IconButton(
-            icon: const Icon(Icons.drive_file_move_outline),
-            tooltip: 'Move to folder',
-            onPressed: header == null ? null : () => _moveTo(context, header),
-          ),
-          IconButton(
-            icon: const Icon(Icons.access_time),
-            tooltip: 'Snooze',
-            onPressed: header == null ? null : () => _snooze(context, header),
-          ),
-          IconButton(
-            icon: Icon(
-              _isFlagged ? Icons.star : Icons.star_border,
-              color: _isFlagged ? Colors.amber : null,
-            ),
-            tooltip: _isFlagged ? 'Unflag' : 'Flag',
-            onPressed: () async {
-              final next = !_isFlagged;
-              await repo.setFlag(widget.emailId, flagged: next);
-              if (mounted) setState(() => _isFlagged = next);
+              if (context.mounted) context.pop();
            },
          ),
          PopupMenuButton<String>(
            itemBuilder: (ctx) => [
-              const PopupMenuItem(
-                value: 'mark_unread',
-                child: Text('Mark as unread'),
-              ),
              const PopupMenuItem(
                value: 'headers',
                child: Text('Show Mail Headers'),
@@ -171,12 +161,8 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
                child: Text('Show Raw Email'),
              ),
            ],
-            onSelected: (value) async {
-              if (value == 'mark_unread') {
-                final nextEmailId = await _getNextEmailIdIfNeeded(header);
-                await repo.setFlag(widget.emailId, seen: false);
-                if (context.mounted) _navigateTo(context, header, nextEmailId);
-              } else if (value == 'headers' && body != null) {
+            onSelected: (value) {
+              if (value == 'headers' && body != null) {
                _showHeaders(context, body);
              } else if (value == 'structure' && body != null) {
                _showStructure(context, body);
@@ -255,39 +241,6 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    );
  }

-  Future<String?> _getNextEmailIdIfNeeded(Email? header) async {
-    if (header == null) return null;
-    final prefs = ref.read(userPreferencesProvider).value;
-    final action =
-        prefs?.afterMailViewAction ?? AfterMailViewAction.nextMessage;
-    if (action != AfterMailViewAction.nextMessage) return null;
-
-    final threads = await ref
-        .read(emailRepositoryProvider)
-        .observeThreads(header.accountId, header.mailboxPath)
-        .first;
-
-    final currentIndex =
-        threads.indexWhere((t) => t.emailIds.contains(widget.emailId));
-    if (currentIndex >= 0 && currentIndex + 1 < threads.length) {
-      return threads[currentIndex + 1].latestEmailId;
-    }
-    return null;
-  }
-
-  void _navigateTo(BuildContext context, Email? header, String? nextEmailId) {
-    if (!context.mounted) return;
-    if (nextEmailId != null && header != null) {
-      context.go(
-        '/accounts/${header.accountId}'
-        '/mailboxes/${Uri.encodeComponent(header.mailboxPath)}'
-        '/emails/${Uri.encodeComponent(nextEmailId)}',
-      );
-    } else {
-      context.pop();
-    }
-  }
-
  Future<void> _downloadAndOpen(EmailAttachment att) async {
    setState(() => _downloading.add(att.filename));
    try {
@@ -350,78 +303,17 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    return '\n\n— On $date, $from wrote:\n$quoted';
  }

-  Future<void> _replyWithRecipientDialog(
-    BuildContext context,
-    Email header,
-    EmailBody? body,
-  ) async {
-    final account =
-        await ref.read(accountRepositoryProvider).getAccount(header.accountId);
-    final ownEmail = account?.email.toLowerCase() ?? '';
-
-    final seen = <String>{};
-    final candidates = <_Candidate>[];
-
-    void addIfNew(EmailAddress addr, _Placement defaultPlacement) {
-      final key = addr.email.toLowerCase();
-      if (key == ownEmail || seen.contains(key)) return;
-      seen.add(key);
-      candidates.add(_Candidate(addr, defaultPlacement));
-    }
-
-    for (final addr in header.from) {
-      addIfNew(addr, _Placement.to);
-    }
-    for (final addr in header.to) {
-      addIfNew(addr, _Placement.to);
-    }
-    for (final addr in header.cc) {
-      addIfNew(addr, _Placement.cc);
-    }
-
-    if (!context.mounted) return;
-
-    if (candidates.length <= 1) {
-      final to = candidates
-          .where((c) => c.placement == _Placement.to)
-          .map((c) => c.address.email)
-          .join(', ');
-      final cc = candidates
-          .where((c) => c.placement == _Placement.cc)
-          .map((c) => c.address.email)
-          .join(', ');
-      await _composeReply(context, header, body, to: to, cc: cc);
-      return;
-    }
-
-    final confirmed = await showDialog<List<_Candidate>>(
-      context: context,
-      builder: (ctx) => _ReplyAllDialog(candidates: candidates),
-    );
-
-    if (confirmed == null || !context.mounted) return;
-
-    final to = confirmed
-        .where((c) => c.placement == _Placement.to)
-        .map((c) => c.address.email)
-        .join(', ');
-    final cc = confirmed
-        .where((c) => c.placement == _Placement.cc)
-        .map((c) => c.address.email)
-        .join(', ');
-    await _composeReply(context, header, body, to: to, cc: cc);
-  }
-
-  Future<void> _composeReply(
+  Future<void> _reply(
    BuildContext context,
    Email header,
    EmailBody? body, {
-    required String to,
-    required String cc,
+    required bool replyAll,
  }) async {
+    final to = header.from.isNotEmpty ? header.from.first.email : '';
    final subject = (header.subject?.startsWith('Re:') ?? false)
        ? header.subject!
        : 'Re: ${header.subject ?? ''}';
+    final cc = replyAll ? header.to.map((a) => a.email).join(', ') : '';
    final quoted = await _quotedBody(header, body);
    if (!context.mounted) return;
    unawaited(
@@ -438,78 +330,6 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
    );
  }

-  Future<void> _archive(BuildContext context, Email header) async {
-    final nextEmailId = await _getNextEmailIdIfNeeded(header);
-    if (!context.mounted) return;
-
-    final mailbox = await resolveMailboxByRole(
-      context,
-      ref.read(mailboxRepositoryProvider),
-      header.accountId,
-      header.mailboxPath,
-      'archive',
-      dialogTitle: 'No archive folder found',
-      createFolderName: 'Archive',
-    );
-
-    if (mailbox == null || !context.mounted) return;
-
-    await ref
-        .read(emailRepositoryProvider)
-        .moveEmail(widget.emailId, mailbox.path);
-
-    unawaited(
-      ref.read(undoServiceProvider.notifier).pushAction(
-            UndoAction(
-              id: DateTime.now().toIso8601String(),
-              accountId: header.accountId,
-              type: UndoType.move,
-              emailIds: [widget.emailId],
-              sourceMailboxPath: header.mailboxPath,
-              destinationMailboxPath: mailbox.path,
-            ),
-          ),
-    );
-
-    if (context.mounted) _navigateTo(context, header, nextEmailId);
-  }
-
-  Future<void> _markAsSpam(BuildContext context, Email header) async {
-    final nextEmailId = await _getNextEmailIdIfNeeded(header);
-    if (!context.mounted) return;
-
-    final mailbox = await resolveMailboxByRole(
-      context,
-      ref.read(mailboxRepositoryProvider),
-      header.accountId,
-      header.mailboxPath,
-      'junk',
-      dialogTitle: 'No spam folder found',
-      createFolderName: 'Junk',
-    );
-
-    if (mailbox == null || !context.mounted) return;
-
-    await ref
-        .read(emailRepositoryProvider)
-        .moveEmail(widget.emailId, mailbox.path);
-
-    unawaited(
-      ref.read(undoServiceProvider.notifier).pushAction(
-            UndoAction(
-              id: DateTime.now().toIso8601String(),
-              accountId: header.accountId,
-              type: UndoType.move,
-              emailIds: [widget.emailId],
-              sourceMailboxPath: header.mailboxPath,
-              destinationMailboxPath: mailbox.path,
-            ),
-          ),
-    );
-
-    if (context.mounted) _navigateTo(context, header, nextEmailId);
-  }
-
  Future<void> _forward(
    BuildContext context,
    Email header,
@@ -532,8 +352,6 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
  }

  Future<void> _moveTo(BuildContext context, Email header) async {
-    final nextEmailId = await _getNextEmailIdIfNeeded(header);
-
    final mailboxRepo = ref.read(mailboxRepositoryProvider);
    final mailboxes =
        await mailboxRepo.observeMailboxes(header.accountId).first;
@@ -582,13 +400,10 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
          ),
    );

-    if (context.mounted) _navigateTo(context, header, nextEmailId);
+    if (context.mounted) context.pop();
  }

  Future<void> _snooze(BuildContext context, Email header) async {
-    final nextEmailId = await _getNextEmailIdIfNeeded(header);
-    if (!context.mounted) return;
-
    final until = await showModalBottomSheet<DateTime>(
      context: context,
      builder: (ctx) => const SnoozePicker(),
@@ -616,7 +431,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
          ),
        ),
      );
-      _navigateTo(context, header, nextEmailId);
+      context.pop();
    }
  }

@@ -855,94 +670,6 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
  }
 }

-enum _Placement { to, cc, skip }
-
-class _Candidate {
-  _Candidate(this.address, this.placement);
-  final EmailAddress address;
-  _Placement placement;
-}
-
-class _ReplyAllDialog extends StatefulWidget {
-  const _ReplyAllDialog({required this.candidates});
-  final List<_Candidate> candidates;
-
-  @override
-  State<_ReplyAllDialog> createState() => _ReplyAllDialogState();
-}
-
-class _ReplyAllDialogState extends State<_ReplyAllDialog> {
-  late final List<_Candidate> _candidates;
-
-  @override
-  void initState() {
-    super.initState();
-    _candidates = [
-      for (final c in widget.candidates) _Candidate(c.address, c.placement),
-    ];
-  }
-
-  @override
-  Widget build(BuildContext context) {
-    return AlertDialog(
-      title: const Text('Reply All'),
-      content: SizedBox(
-        width: double.maxFinite,
-        child: ListView(
-          shrinkWrap: true,
-          children: [
-            for (final c in _candidates)
-              Padding(
-                padding: const EdgeInsets.symmetric(vertical: 4),
-                child: Row(
-                  children: [
-                    Expanded(
-                      child: Text(
-                        c.address.toString(),
-                        overflow: TextOverflow.ellipsis,
-                      ),
-                    ),
-                    const SizedBox(width: 8),
-                    SegmentedButton<_Placement>(
-                      showSelectedIcon: false,
-                      segments: const [
-                        ButtonSegment(
-                          value: _Placement.to,
-                          label: Text('To'),
-                        ),
-                        ButtonSegment(
-                          value: _Placement.cc,
-                          label: Text('Cc'),
-                        ),
-                        ButtonSegment(
-                          value: _Placement.skip,
-                          label: Text('Skip'),
-                        ),
-                      ],
-                      selected: {c.placement},
-                      onSelectionChanged: (s) =>
-                          setState(() => c.placement = s.first),
-                    ),
-                  ],
-                ),
-              ),
-          ],
-        ),
-      ),
-      actions: [
-        TextButton(
-          onPressed: () => Navigator.pop(context),
-          child: const Text('Cancel'),
-        ),
-        TextButton(
-          onPressed: () => Navigator.pop(context, _candidates),
-          child: const Text('Reply'),
-        ),
-      ],
-    );
-  }
-}
-
 class _MimeRow {
  const _MimeRow(this.depth, this.label);
  final int depth;
@@ -985,13 +712,10 @@ class _UnsubscribeChip extends StatelessWidget {
  Widget build(BuildContext context) {
    final uri = _parseUnsubscribeUri(header);
    if (uri == null) return const SizedBox.shrink();
-    return Tooltip(
-      message: uri.toString(),
-      child: ActionChip(
-        avatar: const Icon(Icons.unsubscribe_outlined, size: 16),
-        label: const Text('Unsubscribe'),
-        onPressed: () => launchUrl(uri, mode: LaunchMode.externalApplication),
-      ),
+    return ActionChip(
+      avatar: const Icon(Icons.unsubscribe_outlined, size: 16),
+      label: const Text('Unsubscribe'),
+      onPressed: () => launchUrl(uri, mode: LaunchMode.externalApplication),
    );
  }
 }
@@ -8,10 +8,8 @@ import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
 import 'package:sharedinbox/ui/widgets/email_tile.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
@@ -149,21 +147,16 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
  Widget build(BuildContext context) {
    final repo = ref.watch(emailRepositoryProvider);
    final accountAsync = ref.watch(accountByIdProvider(widget.accountId));
-    final prefs =
-        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
-    final menuAtBottom = prefs.menuPosition == MenuPosition.bottom;

    return Scaffold(
-      appBar: _buildAppBar(repo, accountAsync, menuAtBottom: menuAtBottom),
+      appBar: _buildAppBar(repo, accountAsync),
      drawer: _selecting
          ? null
          : FolderDrawer(
              accountId: widget.accountId,
              currentMailboxPath: widget.mailboxPath,
            ),
-      bottomNavigationBar: _selecting
-          ? _selectionBottomBar()
-          : (menuAtBottom ? _folderNavBottomBar() : null),
+      bottomNavigationBar: _selecting ? _selectionBottomBar() : null,
      body: Column(
        children: [
          _buildSyncErrorBanner(),
@@ -179,14 +172,12 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {

  PreferredSizeWidget _buildAppBar(
    EmailRepository emailRepo,
-    AsyncValue<Account?> accountAsync, {
-    required bool menuAtBottom,
-  }) {
+    AsyncValue<Account?> accountAsync,
+  ) {
    final selectionCount =
        _searching ? _selectedSearchIds.length : _selectedThreadIds.length;

    return AppBar(
-      automaticallyImplyLeading: !menuAtBottom,
      leading: _selecting
          ? IconButton(
              icon: const Icon(Icons.close),
@@ -309,22 +300,6 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    );
  }

-  Widget _folderNavBottomBar() {
-    return BottomAppBar(
-      child: Row(
-        children: [
-          Builder(
-            builder: (context) => IconButton(
-              icon: const Icon(Icons.menu),
-              tooltip: 'Open folders',
-              onPressed: () => Scaffold.of(context).openDrawer(),
-            ),
-          ),
-        ],
-      ),
-    );
-  }
-
  Widget _selectionBottomBar() {
    return BottomAppBar(
      child: Row(
@@ -445,26 +420,24 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    );
  }

-  Future<void> _batchMoveToRole(
-    String role, {
-    required String dialogTitle,
-    required String createFolderName,
-  }) async {
+  Future<void> _batchMoveToRole(String role, String notFoundMessage) async {
    final ids = _selectedEmailIds;
    _clearSelection();
-
-    final mailbox = await resolveMailboxByRole(
-      context,
-      ref.read(mailboxRepositoryProvider),
-      widget.accountId,
-      widget.mailboxPath,
-      role,
-      dialogTitle: dialogTitle,
-      createFolderName: createFolderName,
-    );
-
-    if (!mounted || mailbox == null) return;
-
+    final mailbox = await ref
+        .read(mailboxRepositoryProvider)
+        .findMailboxByRole(widget.accountId, role);
+    if (!mounted) return;
+    if (mailbox == null) {
+      ScaffoldMessenger.of(
+        context,
+      ).showSnackBar(
+        SnackBar(
+          duration: const Duration(seconds: 5),
+          content: Text(notFoundMessage),
+        ),
+      );
+      return;
+    }
    final repo = ref.read(emailRepositoryProvider);

    // Fetch full email data before moving so we can restore them if user clicks Undo.
@@ -490,11 +463,8 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    unawaited(ref.read(undoServiceProvider.notifier).pushAction(action));
  }

-  Future<void> _batchArchive() => _batchMoveToRole(
-        'archive',
-        dialogTitle: 'No archive folder found',
-        createFolderName: 'Archive',
-      );
+  Future<void> _batchArchive() =>
+      _batchMoveToRole('archive', 'No archive folder found');

  Future<void> _refreshSearchAndPopIfEmpty() async {
    if (!mounted || !_searching) return;
@@ -573,11 +543,8 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
    }
  }

-  Future<void> _batchMarkSpam() => _batchMoveToRole(
-        'junk',
-        dialogTitle: 'No spam folder found',
-        createFolderName: 'Junk',
-      );
+  Future<void> _batchMarkSpam() =>
+      _batchMoveToRole('junk', 'No spam folder found');

  Future<void> _batchMove() async {
    final ids = _selectedEmailIds;
@@ -4,7 +4,6 @@ import 'package:go_router/go_router.dart';

 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
@@ -18,12 +17,8 @@ class MailboxListScreen extends ConsumerWidget {
    final mailboxRepo = ref.watch(mailboxRepositoryProvider);
    final emailRepo = ref.watch(emailRepositoryProvider);
    final accountAsync = ref.watch(accountByIdProvider(accountId));
-    final prefs =
-        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
-    final menuAtBottom = prefs.menuPosition == MenuPosition.bottom;
    return Scaffold(
      appBar: AppBar(
-        automaticallyImplyLeading: !menuAtBottom,
        title: const Text('Folders'),
        actions: [
          IconButton(
@@ -47,19 +42,6 @@ class MailboxListScreen extends ConsumerWidget {
        ],
      ),
      drawer: FolderDrawer(accountId: accountId),
-      bottomNavigationBar: menuAtBottom
-          ? BottomAppBar(
-              child: Row(
-                children: [
-                  IconButton(
-                    icon: const Icon(Icons.menu),
-                    tooltip: 'Open folders',
-                    onPressed: () => Scaffold.of(context).openDrawer(),
-                  ),
-                ],
-              ),
-            )
-          : null,
      body: Column(
        children: [
          // ── Failed-mutation banner ───────────────────────────────────────
@@ -1,15 +1,11 @@
 import 'dart:async';

 import 'package:flutter/material.dart';
-import 'package:flutter/services.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:intl/intl.dart';
-import 'package:package_info_plus/package_info_plus.dart';

-import 'package:sharedinbox/core/models/account.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/utils/about_markdown.dart';

 final _timeFmt = DateFormat('MMM d, HH:mm:ss');

@@ -25,57 +21,6 @@ String _fmtBytes(int bytes) {
  return '${(bytes / (1024 * 1024)).toStringAsFixed(1)} MB';
 }

-String _buildSyncEntryMarkdown(SyncLogEntry entry) {
-  final buf = StringBuffer();
-  buf.writeln('## Sync Entry');
-  buf.writeln();
-  buf.writeln('| Property | Value |');
-  buf.writeln('|----------|-------|');
-  buf.writeln('| Started | ${_timeFmt.format(entry.startedAt)} |');
-  buf.writeln('| Finished | ${_timeFmt.format(entry.finishedAt)} |');
-  buf.writeln('| Duration | ${_fmtDuration(entry.duration)} |');
-  if (entry.protocol.isNotEmpty) {
-    buf.writeln('| Protocol | ${entry.protocol.toUpperCase()} |');
-  }
-  final statusLabel = entry.isOk
-      ? 'OK'
-      : entry.isPermanent
-          ? 'Error (permanent)'
-          : 'Error';
-  buf.writeln('| Status | $statusLabel |');
-  buf.writeln('| Emails fetched | ${entry.emailsFetched} |');
-  buf.writeln('| Emails up-to-date | ${entry.emailsSkipped} |');
-  buf.writeln('| Mailboxes synced | ${entry.mailboxesSynced} |');
-  buf.writeln('| Pending changes flushed | ${entry.pendingFlushed} |');
-  buf.writeln('| Data transferred | ${_fmtBytes(entry.bytesTransferred)} |');
-  if (entry.mailboxStats.isNotEmpty) {
-    buf.writeln();
-    buf.writeln('### Per mailbox');
-    buf.writeln();
-    buf.writeln('| Mailbox | Fetched | Up-to-date | Duration |');
-    buf.writeln('|---------|---------|------------|----------|');
-    for (final m in entry.mailboxStats) {
-      final dur = m.duration != null ? _fmtDuration(m.duration!) : '-';
-      buf.writeln('| ${m.mailboxPath} | ${m.fetched} | ${m.skipped} | $dur |');
-    }
-  }
-  if (entry.errorMessage != null) {
-    buf.writeln();
-    buf.writeln('**Error:**');
-    buf.writeln();
-    buf.writeln(entry.errorMessage);
-  }
-  if (entry.stackTrace != null) {
-    buf.writeln();
-    buf.writeln('**Stack trace:**');
-    buf.writeln();
-    buf.writeln('```');
-    buf.write(entry.stackTrace);
-    buf.writeln('```');
-  }
-  return buf.toString();
-}
-
 class SyncLogScreen extends ConsumerStatefulWidget {
  const SyncLogScreen({super.key, required this.accountId});

@@ -124,41 +69,6 @@ class _SyncLogScreenState extends ConsumerState<SyncLogScreen> {
    ref.read(syncManagerProvider).syncNow(widget.accountId);
  }

-  Future<void> _copyEntry(SyncLogEntry entry, BuildContext context) async {
-    final accounts =
-        await ref.read(accountRepositoryProvider).observeAccounts().first;
-    final imapCount = accounts.where((a) => a.type == AccountType.imap).length;
-    final jmapCount = accounts.where((a) => a.type == AccountType.jmap).length;
-
-    PackageInfo? pkg;
-    try {
-      pkg = await PackageInfo.fromPlatform();
-    } catch (_) {}
-
-    final deviceModel = await getDeviceModel();
-
-    if (!context.mounted) return;
-
-    final syncMd = _buildSyncEntryMarkdown(entry);
-    final aboutMd = buildAboutMarkdown(
-      context: context,
-      pkg: pkg,
-      imapCount: imapCount,
-      jmapCount: jmapCount,
-      deviceModel: deviceModel,
-    );
-    await Clipboard.setData(ClipboardData(text: '$syncMd\n$aboutMd'));
-
-    if (context.mounted) {
-      ScaffoldMessenger.of(context).showSnackBar(
-        const SnackBar(
-          duration: Duration(seconds: 3),
-          content: Text('Copied to clipboard'),
-        ),
-      );
-    }
-  }
-
  @override
  Widget build(BuildContext context) {
    return Scaffold(
@@ -186,20 +96,16 @@ class _SyncLogScreenState extends ConsumerState<SyncLogScreen> {
          ? const Center(child: Text('No sync entries yet'))
          : ListView.builder(
              itemCount: _entries.length,
-              itemBuilder: (ctx, i) => _SyncLogTile(
-                entry: _entries[i],
-                onCopy: () => _copyEntry(_entries[i], ctx),
-              ),
+              itemBuilder: (ctx, i) => _SyncLogTile(entry: _entries[i]),
            ),
    );
  }
 }

 class _SyncLogTile extends StatelessWidget {
-  const _SyncLogTile({required this.entry, required this.onCopy});
+  const _SyncLogTile({required this.entry});

  final SyncLogEntry entry;
-  final VoidCallback onCopy;

  @override
  Widget build(BuildContext context) {
@@ -209,12 +115,6 @@ class _SyncLogTile extends StatelessWidget {
    final theme = Theme.of(context);
    final errorColor = theme.colorScheme.error;

-    final subtitleText = entry.isOk
-        ? '${entry.emailsFetched} new · ${entry.emailsSkipped} up-to-date · took $durationLabel'
-        : entry.isPermanent
-            ? 'Error (permanent) · took $durationLabel'
-            : 'Error · took $durationLabel';
-
    return ExpansionTile(
      leading: Icon(
        entry.isOk ? Icons.check_circle : Icons.error_outline,
@@ -225,20 +125,11 @@ class _SyncLogTile extends StatelessWidget {
        style: entry.isOk ? null : TextStyle(color: errorColor),
      ),
      subtitle: Text(
-        subtitleText,
+        entry.isOk
+            ? '${entry.emailsFetched} new · ${entry.emailsSkipped} up-to-date · took $durationLabel'
+            : 'Error · took $durationLabel',
        style: TextStyle(fontSize: 12, color: entry.isOk ? null : errorColor),
      ),
-      trailing: Row(
-        mainAxisSize: MainAxisSize.min,
-        children: [
-          IconButton(
-            icon: const Icon(Icons.copy, size: 18),
-            tooltip: 'Copy as markdown',
-            onPressed: onCopy,
-          ),
-          const Icon(Icons.expand_more),
-        ],
-      ),
      children: [
        Padding(
          padding: const EdgeInsets.fromLTRB(72, 0, 16, 12),
@@ -280,31 +171,6 @@ class _SyncLogTile extends StatelessWidget {
                    style: TextStyle(color: errorColor, fontSize: 12),
                  ),
                ),
-              if (entry.stackTrace != null) ...[
-                const Padding(
-                  padding: EdgeInsets.only(top: 6, bottom: 2),
-                  child: Text(
-                    'Stack trace',
-                    style: TextStyle(fontSize: 12, color: Colors.grey),
-                  ),
-                ),
-                Container(
-                  width: double.infinity,
-                  padding: const EdgeInsets.all(8),
-                  decoration: BoxDecoration(
-                    color: Colors.black87,
-                    borderRadius: BorderRadius.circular(4),
-                  ),
-                  child: Text(
-                    entry.stackTrace!,
-                    style: TextStyle(
-                      fontSize: 10,
-                      fontFamily: 'monospace',
-                      color: Colors.red[300],
-                    ),
-                  ),
-                ),
-              ],
              if (entry.protocolLog != null) ...[
                const Padding(
                  padding: EdgeInsets.only(top: 6, bottom: 2),
@@ -7,7 +7,6 @@ import 'package:intl/intl.dart';

 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
@@ -29,16 +28,9 @@ class ThreadDetailScreen extends ConsumerWidget {
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    final repo = ref.watch(emailRepositoryProvider);
-    final prefs =
-        ref.watch(userPreferencesProvider).value ?? const UserPreferences();
-    final buttonAtBottom = prefs.mailViewButtonPosition == MenuPosition.bottom;

    return Scaffold(
-      appBar: AppBar(
-        title: const Text('Thread'),
-        automaticallyImplyLeading: !buttonAtBottom,
-      ),
-      bottomNavigationBar: buttonAtBottom ? _buildBackButtonBar(context) : null,
+      appBar: AppBar(title: const Text('Thread')),
      body: StreamBuilder<List<Email>>(
        stream: repo.observeEmailsInThread(accountId, mailboxPath, threadId),
        builder: (context, snapshot) {
@@ -68,20 +60,6 @@ class ThreadDetailScreen extends ConsumerWidget {
      ),
    );
  }
-
-  Widget _buildBackButtonBar(BuildContext context) {
-    return BottomAppBar(
-      child: Row(
-        children: [
-          IconButton(
-            icon: const Icon(Icons.arrow_back),
-            tooltip: 'Back',
-            onPressed: () => context.pop(),
-          ),
-        ],
-      ),
-    );
-  }
 }

 class _EmailMessageCard extends ConsumerStatefulWidget {
@@ -1,145 +0,0 @@
-import 'dart:async';
-
-import 'package:flutter/material.dart';
-import 'package:flutter_riverpod/flutter_riverpod.dart';
-
-import 'package:sharedinbox/core/models/user_preferences.dart';
-import 'package:sharedinbox/di.dart';
-
-class UserPreferencesScreen extends ConsumerWidget {
-  const UserPreferencesScreen({super.key});
-
-  @override
-  Widget build(BuildContext context, WidgetRef ref) {
-    final prefsAsync = ref.watch(userPreferencesProvider);
-
-    return Scaffold(
-      appBar: AppBar(title: const Text('Preferences')),
-      body: prefsAsync.when(
-        loading: () => const Center(child: CircularProgressIndicator()),
-        error: (_, __) =>
-            const Center(child: Text('Error loading preferences')),
-        data: (prefs) => ListView(
-          children: [
-            ListTile(
-              title: Text(
-                'Menu bar position',
-                style: Theme.of(context).textTheme.titleSmall,
-              ),
-              subtitle: const Text(
-                'Where the folder navigation menu is shown in the mailbox view.',
-              ),
-            ),
-            RadioGroup<MenuPosition>(
-              groupValue: prefs.menuPosition,
-              onChanged: (value) {
-                if (value == null) return;
-                unawaited(
-                  ref
-                      .read(userPreferencesRepositoryProvider)
-                      .updateMenuPosition(value),
-                );
-              },
-              child: const Column(
-                children: [
-                  RadioListTile<MenuPosition>(
-                    title: Text('Bottom (default)'),
-                    subtitle: Text(
-                      'Open folder navigation from a button at the bottom of the screen.',
-                    ),
-                    value: MenuPosition.bottom,
-                  ),
-                  RadioListTile<MenuPosition>(
-                    title: Text('Top'),
-                    subtitle: Text(
-                      'Open folder navigation from the hamburger icon in the top bar.',
-                    ),
-                    value: MenuPosition.top,
-                  ),
-                ],
-              ),
-            ),
-            const Divider(),
-            ListTile(
-              title: Text(
-                'Single mail view button position',
-                style: Theme.of(context).textTheme.titleSmall,
-              ),
-              subtitle: const Text(
-                'Where the back button is shown in the single mail view.',
-              ),
-            ),
-            RadioGroup<MenuPosition>(
-              groupValue: prefs.mailViewButtonPosition,
-              onChanged: (value) {
-                if (value == null) return;
-                unawaited(
-                  ref
-                      .read(userPreferencesRepositoryProvider)
-                      .updateMailViewButtonPosition(value),
-                );
-              },
-              child: const Column(
-                children: [
-                  RadioListTile<MenuPosition>(
-                    title: Text('Bottom (default)'),
-                    subtitle: Text(
-                      'Show the back button at the bottom of the screen.',
-                    ),
-                    value: MenuPosition.bottom,
-                  ),
-                  RadioListTile<MenuPosition>(
-                    title: Text('Top'),
-                    subtitle: Text(
-                      'Show the back button in the top bar.',
-                    ),
-                    value: MenuPosition.top,
-                  ),
-                ],
-              ),
-            ),
-            const Divider(),
-            ListTile(
-              title: Text(
-                'After mail action',
-                style: Theme.of(context).textTheme.titleSmall,
-              ),
-              subtitle: const Text(
-                'What to show after deleting, archiving, or otherwise handling a message.',
-              ),
-            ),
-            RadioGroup<AfterMailViewAction>(
-              groupValue: prefs.afterMailViewAction,
-              onChanged: (value) {
-                if (value == null) return;
-                unawaited(
-                  ref
-                      .read(userPreferencesRepositoryProvider)
-                      .updateAfterMailViewAction(value),
-                );
-              },
-              child: const Column(
-                children: [
-                  RadioListTile<AfterMailViewAction>(
-                    title: Text('Next message (default)'),
-                    subtitle: Text(
-                      'Show the next message in the mailbox.',
-                    ),
-                    value: AfterMailViewAction.nextMessage,
-                  ),
-                  RadioListTile<AfterMailViewAction>(
-                    title: Text('Return to mailbox'),
-                    subtitle: Text(
-                      'Return to the message list.',
-                    ),
-                    value: AfterMailViewAction.showMailbox,
-                  ),
-                ],
-              ),
-            ),
-          ],
-        ),
-      ),
-    );
-  }
-}
@@ -1,75 +0,0 @@
-import 'dart:io';
-
-import 'package:device_info_plus/device_info_plus.dart';
-import 'package:flutter/material.dart';
-import 'package:package_info_plus/package_info_plus.dart';
-import 'package:sharedinbox/core/db_schema_version.dart';
-
-const _gitHash = String.fromEnvironment('GIT_HASH');
-
-/// Builds the About markdown table used in [AboutScreen] and sync log copies.
-String buildAboutMarkdown({
-  required BuildContext context,
-  PackageInfo? pkg,
-  required int imapCount,
-  required int jmapCount,
-  String? deviceModel,
-}) {
-  final size = MediaQuery.of(context).size;
-  final pixelRatio = MediaQuery.of(context).devicePixelRatio;
-  final physW = (size.width * pixelRatio).toInt();
-  final physH = (size.height * pixelRatio).toInt();
-  final version = pkg != null ? '${pkg.version}+${pkg.buildNumber}' : 'unknown';
-  final versionDisplay = _gitHash.isNotEmpty
-      ? '[$version](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash)'
-      : version;
-  final osName = _capitalize(Platform.operatingSystem);
-  final isDark = MediaQuery.of(context).platformBrightness == Brightness.dark;
-  final locale = Localizations.localeOf(context).toString();
-  final textScale =
-      MediaQuery.of(context).textScaler.scale(1.0).toStringAsFixed(1);
-
-  final gitCommitLine = _gitHash.isNotEmpty
-      ? '| Git Commit | [$_gitHash](https://codeberg.org/guettli/sharedinbox/commit/$_gitHash) |\n'
-      : '';
-  final deviceModelLine =
-      deviceModel != null ? '| Device Model | $deviceModel |\n' : '';
-
-  return '## [sharedinbox.de](https://sharedinbox.de)\n\n'
-      '| Property | Value |\n'
-      '|----------|-------|\n'
-      '| App Version | $versionDisplay |\n'
-      '$gitCommitLine'
-      '| Platform | ${Platform.operatingSystem} |\n'
-      '| $osName Version | ${Platform.operatingSystemVersion} |\n'
-      '$deviceModelLine'
-      '| Resolution | ${physW}x$physH px'
-      ' (logical: ${size.width.toInt()}x${size.height.toInt()} pt,'
-      ' ratio: ${pixelRatio.toStringAsFixed(1)}x) |\n'
-      '| Dart Version | ${Platform.version.split(' ').first} |\n'
-      '| Processors | ${Platform.numberOfProcessors} |\n'
-      '| Dark Mode | ${isDark ? 'yes' : 'no'} |\n'
-      '| Locale | $locale |\n'
-      '| Text Scale | $textScale× |\n'
-      '| DB Schema Version | $dbSchemaVersion |\n'
-      '| IMAP Accounts | $imapCount |\n'
-      '| JMAP Accounts | $jmapCount |\n';
-}
-
-/// Fetches device model string, or null when unavailable.
-Future<String?> getDeviceModel() async {
-  try {
-    final info = DeviceInfoPlugin();
-    if (Platform.isAndroid) {
-      final android = await info.androidInfo;
-      return '${android.manufacturer} / ${android.model}';
-    } else if (Platform.isIOS) {
-      final ios = await info.iosInfo;
-      return ios.utsname.machine;
-    }
-  } catch (_) {}
-  return null;
-}
-
-String _capitalize(String s) =>
-    s.isEmpty ? s : '${s[0].toUpperCase()}${s.substring(1)}';
@@ -31,13 +31,10 @@ String buildEmailHtml(String htmlBody, {bool loadRemoteImages = false}) {
 <meta name="color-scheme" content="light">
 <meta http-equiv="Content-Security-Policy" content="$csp">
 <style>
-body { margin: 0; padding: 0; font-family: sans-serif; word-break: break-word; overflow-x: hidden; color-scheme: light; background-color: #ffffff; color: #000000; }
+body { margin: 0; padding: 0; font-family: sans-serif; word-break: break-word; color-scheme: light; background-color: #ffffff; color: #000000; }
 img { max-width: 100%; height: auto; }
 a { color: #1976D2; }
-* { box-sizing: border-box; max-width: 100%; }
-table { width: 100%; border-collapse: collapse; }
-td, th { overflow-wrap: break-word; word-break: break-word; }
-pre { white-space: pre-wrap; word-break: break-word; overflow-x: auto; }
+* { box-sizing: border-box; }
 </style>
 </head>
 <body>
@@ -249,22 +249,6 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "0.7.12"
-  device_info_plus:
-    dependency: "direct main"
-    description:
-      name: device_info_plus
-      sha256: "6a642e1daa10190af89ba6cb6386c0df7d071a3592080bfe1e44faa63ae1df65"
-      url: "https://pub.dev"
-    source: hosted
-    version: "13.1.0"
-  device_info_plus_platform_interface:
-    dependency: transitive
-    description:
-      name: device_info_plus_platform_interface
-      sha256: "04b173a92e2d9161dfead145667037c8d834db725ce2e7b942bfe18fd2f45a46"
-      url: "https://pub.dev"
-    source: hosted
-    version: "8.1.0"
  drift:
    dependency: "direct main"
    description:
@@ -659,10 +643,10 @@ packages:
    dependency: transitive
    description:
      name: meta
-      sha256: "1741988757a65eb6b36abe716829688cf01910bbf91c34354ff7ec1c3de2b349"
+      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
      url: "https://pub.dev"
    source: hosted
-    version: "1.18.0"
+    version: "1.17.0"
  mime:
    dependency: "direct main"
    description:
@@ -1088,26 +1072,26 @@ packages:
    dependency: "direct dev"
    description:
      name: test
-      sha256: "8d9ceddbab833f180fbefed08afa76d7c03513dfdba87ffcec2718b02bbcbf20"
+      sha256: "280d6d890011ca966ad08df7e8a4ddfab0fb3aa49f96ed6de56e3521347a9ae7"
      url: "https://pub.dev"
    source: hosted
-    version: "1.31.0"
+    version: "1.30.0"
  test_api:
    dependency: transitive
    description:
      name: test_api
-      sha256: "949a932224383300f01be9221c39180316445ecb8e7547f70a41a35bf421fb9e"
+      sha256: "8161c84903fd860b26bfdefb7963b3f0b68fee7adea0f59ef805ecca346f0c7a"
      url: "https://pub.dev"
    source: hosted
-    version: "0.7.11"
+    version: "0.7.10"
  test_core:
    dependency: transitive
    description:
      name: test_core
-      sha256: "1991d4cfe85d5043241acac92962c3977c8d2f2add1ee73130c7b286417d1d34"
+      sha256: "0381bd1585d1a924763c308100f2138205252fb90c9d4eeaf28489ee65ccde51"
      url: "https://pub.dev"
    source: hosted
-    version: "0.6.17"
+    version: "0.6.16"
  timezone:
    dependency: transitive
    description:
@@ -1133,13 +1117,13 @@ packages:
    source: hosted
    version: "6.3.2"
  url_launcher_android:
-    dependency: "direct overridden"
+    dependency: transitive
    description:
      name: url_launcher_android
-      sha256: "5c8b6c2d89a78f5a1cca70a73d9d5f86c701b36b42f9c9dac7bad592113c28e9"
+      sha256: "17bc677f0b301615530dd1d67e0a9828cafa2d0b6b6eae4cd3679b7eac4a273c"
      url: "https://pub.dev"
    source: hosted
-    version: "6.3.24"
+    version: "6.3.30"
  url_launcher_ios:
    dependency: transitive
    description:
@@ -1300,14 +1284,6 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "6.3.0"
-  win32_registry:
-    dependency: transitive
-    description:
-      name: win32_registry
-      sha256: "73b1d78920a9d6e03f8b4e43e612b87bf3152a0e5c5e5150267762b7c4116904"
-      url: "https://pub.dev"
-    source: hosted
-    version: "3.0.3"
  workmanager:
    dependency: "direct main"
    description:
@@ -61,7 +61,6 @@ dependencies:
  # App version metadata for crash reports
  package_info_plus: ^10.1.0
  share_plus: ^13.1.0
-  device_info_plus: ^13.1.0

 dev_dependencies:
  flutter_test:
@@ -90,7 +89,3 @@ dependency_overrides:
  # (SIGSEGV in libdartjni.so FindClassUnchecked). Pin to 2.2.20 which uses
  # stable Pigeon and is known to work reliably.
  path_provider_android: ">=2.2.0 <2.2.21"
-  # url_launcher_android 6.3.25 updated to Pigeon 26, which causes a
-  # channel-error on launchUrl on some Android devices (same root cause as
-  # path_provider_android). Pin to <6.3.25 which uses stable Pigeon.
-  url_launcher_android: ">=6.3.0 <6.3.25"
@@ -1,16 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ],
-  "labels": ["dependencies"],
-  "github-actions": {
-    "fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"]
-  },
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["minor", "patch", "pin", "digest", "lockFileMaintenance"],
-      "addLabels": ["automerge"]
-    }
-  ]
-}
@@ -8,31 +8,27 @@ Flow
   a. Age > 1 h  → kill it, set its issue to State/Question, exit 1
   b. Age ≤ 1 h  → print status, exit 0  (let it keep working)
 2. No agent running → extract pending_issue from state (if any), then check CI
-   a. pending_issue type=="plan" → post resume comment, set State/Planned, exit 0
-   b. pending_issue + open PR → check PR branch CI, merge/fix/wait as needed
-   c. Catch-up: orphaned issue-N-fix PRs with passing CI → merge them
-   d. Main CI running         → save pending-ci state, exit 0
-   e. Main CI failed          → start fix-CI agent (pushes fix to main), exit 0
-   f. Main CI ok + pending_issue → close the issue, exit 0  (dead code path —
-                                   section 2b always returns first)
-   g. Main CI ok (or no run yet) → find oldest ToPlan issue, start plan agent,
+   a. pending_issue + open PR → check PR branch CI, merge/fix/wait as needed
+   b. Catch-up: orphaned issue-N-fix PRs with passing CI → merge them
+   c. Main CI running         → save pending-ci state, exit 0
+   d. Main CI failed          → start fix-CI agent (pushes fix to main), exit 0
+   e. Main CI ok + pending_issue → close the issue, exit 0  (dead code path —
+                                   section 2a always returns first)
+   f. Main CI ok (or no run yet) → find oldest Ready issue, start issue agent,
                                   save state, exit 0
-   h. No ToPlan issues        → find oldest Ready issue, start issue agent,
-                                   save state, exit 0
-   i. No Ready issues         → print "nothing to do", exit 0
+   g. No Ready issues         → print "nothing to do", exit 0

 Issue agents must NOT close the issue themselves; the loop closes it after CI passes.
-Plan agents must NOT write any code or create PRs; they only post a plan comment.

 State file: ~/.sharedinbox-agent-state.json
  { "pid": 12345, "issue": 91,
-    "started_at": "2026-05-15T12:00:00+00:00", "type": "issue|plan|ci-fix|pending-ci" }
+    "started_at": "2026-05-15T12:00:00+00:00", "type": "issue" }

 Output is written to ~/.sharedinbox-agent-logs/<session>-<timestamp>.log.
 To resume the Claude conversation, look up the session UUID first:

  scripts/agent_loop.py list          # shows NAME and UUID columns
-  claude --resume <uuid> --dangerously-skip-permissions   # use the UUID, NOT the session name
+  claude --resume <uuid>              # use the UUID, NOT the session name
 """

 import argparse
@@ -42,11 +38,10 @@ import re
 import shlex
 import subprocess
 import sys
-import time
 from datetime import datetime, timezone
 from pathlib import Path

-# Cron runs with a minimal PATH; ensure Nix profile binaries (claude) and ~/go/bin (fgj) are found.
+# Cron runs with a minimal PATH; ensure Nix profile binaries (tea, claude) and ~/go/bin (fgj) are found.
 os.environ["PATH"] = (
    f"{Path.home()}/.nix-profile/bin"
    f":{Path.home()}/go/bin"
@@ -58,9 +53,7 @@ os.environ["PATH"] = (
 REPO = "guettli/sharedinbox"
 REPO_URL = f"https://codeberg.org/{REPO}"
 STATE_FILE = Path.home() / ".sharedinbox-agent-state.json"
-HEARTBEAT_FILE = Path.home() / ".sharedinbox-agent-heartbeat"
 MAX_AGENT_AGE_SECONDS = 3600  # 1 hour
-MAX_HEARTBEAT_AGE_SECONDS = 7200  # 2 hours
 CLAUDE_PROJECTS_DIR = Path.home() / ".claude" / "projects" / (
    "-" + str(Path.home())[1:].replace("/", "-")
 )
@@ -70,8 +63,6 @@ LABEL_READY = "State/Ready"
 LABEL_IN_PROGRESS = "State/InProgress"
 LABEL_QUESTION = "State/Question"
 LABEL_PRIO_HIGH = "Prio/High"
-LABEL_TO_PLAN = "State/ToPlan"
-LABEL_PLANNED = "State/Planned"

 # Only pick up issues filed by these accounts.
 ALLOWED_ISSUE_AUTHORS = {"guettli", "guettlibot", "guettlibot2"}
@@ -97,27 +88,22 @@ def _fgj(*args: str) -> None:
        )


-def _fgj_run_list(limit: int = 20) -> list[dict]:
-    """Return workflow runs via fgj actions run list."""
-    result = subprocess.run(
-        ["fgj", "--hostname", "codeberg.org", "actions", "run", "list",
-         "--repo", REPO, "--json", "-L", str(limit)],
-        capture_output=True, text=True,
-    )
+def _tea_get(path: str) -> dict | list | None:
+    """Run a tea api GET and return parsed JSON. Only use for reads — tea PATCH/PUT
+    silently fails (exits 0) when unauthenticated, so writes must go via fgj."""
+    cmd = ["tea", "api", path]
+    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(
-            f"fgj actions run list failed:\n{result.stderr or result.stdout}"
+            f"tea api {path} failed:\n{result.stderr or result.stdout}"
        )
    out = result.stdout.strip()
    if not out:
-        return []
-    try:
-        data = json.loads(out)
-    except json.JSONDecodeError as exc:
-        raise RuntimeError(
-            f"fgj actions run list returned non-JSON:\n{out[:500]}"
-        ) from exc
-    return data if isinstance(data, list) else []
+        return None
+    data = json.loads(out)
+    if isinstance(data, dict) and "message" in data and "url" in data:
+        raise RuntimeError(f"tea api {path} returned error: {data['message']}")
+    return data


 def _set_labels(issue: int, add: list[str], remove: list[str]) -> None:
@@ -159,26 +145,6 @@ def _ready_issues() -> list[dict]:
    return ready


-def _to_plan_issues() -> list[dict]:
-    """Return open issues with State/ToPlan, Prio/High first, then oldest."""
-    result = subprocess.run(
-        ["fgj", "--hostname", "codeberg.org", "issue", "list",
-         "--repo", REPO, "--state", "open", "--json"],
-        capture_output=True, text=True, check=True,
-    )
-    data = json.loads(result.stdout) if result.stdout.strip() else []
-    to_plan = [
-        i for i in data
-        if any(lbl["name"] == LABEL_TO_PLAN for lbl in i.get("labels", []))
-        and i.get("user", {}).get("login", "") in ALLOWED_ISSUE_AUTHORS
-    ]
-    to_plan.sort(key=lambda i: (
-        0 if any(lbl["name"] == LABEL_PRIO_HIGH for lbl in i.get("labels", [])) else 1,
-        i["number"],
-    ))
-    return to_plan
-
-
 def _latest_main_ci_run() -> dict | None:
    """Return the latest ci.yml run on the main branch.

@@ -186,7 +152,9 @@ def _latest_main_ci_run() -> dict | None:
    event=push and prettyref=main, so filtering by event alone is not enough.
    We also require workflow_id == "ci.yml".
    """
-    for run in _fgj_run_list(limit=20):
+    data = _tea_get(f"repos/{REPO}/actions/runs?limit=20")
+    runs = (data or {}).get("workflow_runs", [])
+    for run in runs:
        if (run.get("event") == "push"
                and run.get("prettyref") == "main"
                and run.get("workflow_id") == "ci.yml"):
@@ -197,16 +165,20 @@ def _latest_main_ci_run() -> dict | None:
 def _latest_ci_run_for_branch(branch: str) -> dict | None:
    """Return the latest CI run for a specific branch, or None.

-    For push events fgj reports the branch in ``prettyref``; for pull_request
-    events ``prettyref`` is ``#N``, so we resolve the PR number first.
+    Forgejo's workflow_runs API has no top-level head_branch field.
+    For push events the branch is in ``prettyref``; for pull_request
+    events it lives inside ``event_payload["pull_request"]["head"]["ref"]``.
    """
-    runs = _fgj_run_list(limit=20)
-    pr_data = _find_pr_for_branch(branch)
-    pr_ref = f"#{pr_data['number']}" if pr_data else None
+    data = _tea_get(f"repos/{REPO}/actions/runs?limit=20")
+    runs = (data or {}).get("workflow_runs", [])
    for run in runs:
        if run.get("event") == "pull_request":
-            if pr_ref and run.get("prettyref") == pr_ref:
-                return run
+            try:
+                payload = json.loads(run.get("event_payload", "{}"))
+                if payload.get("pull_request", {}).get("head", {}).get("ref") == branch:
+                    return run
+            except (json.JSONDecodeError, AttributeError):
+                pass
        elif run.get("event") == "push":
            if run.get("prettyref") == branch:
                return run
@@ -251,99 +223,25 @@ def _open_issue_prs() -> list[dict]:
    return issue_prs


-def _open_renovate_prs() -> list[dict]:
-    """Return all open PRs from Renovate (renovate/* branches), oldest-first."""
-    result = subprocess.run(
-        ["fgj", "--hostname", "codeberg.org", "pr", "list",
-         "--repo", REPO, "--state", "open", "--json"],
-        capture_output=True, text=True,
-    )
-    if result.returncode != 0 or not result.stdout.strip():
-        return []
-    prs = json.loads(result.stdout)
-    renovate_prs = [
-        pr for pr in prs
-        if (pr.get("head", {}).get("ref") or "").startswith("renovate/")
-    ]
-    renovate_prs.sort(key=lambda p: p["number"])
-    return renovate_prs
-
-
 def _latest_ci_run_for_pr(pr_number: int) -> dict | None:
    """Return the latest CI run triggered by a pull_request event for the given PR number."""
-    pr_ref = f"#{pr_number}"
-    for run in _fgj_run_list(limit=50):
-        if run.get("event") == "pull_request" and run.get("prettyref") == pr_ref:
-            return run
+    data = _tea_get(f"repos/{REPO}/actions/runs?event=pull_request&limit=50")
+    runs = (data or {}).get("workflow_runs", [])
+    for run in runs:
+        try:
+            payload = json.loads(run.get("event_payload", "{}"))
+            if payload.get("pull_request", {}).get("number") == pr_number:
+                return run
+        except (json.JSONDecodeError, AttributeError):
+            pass
    return None


-def _get_issue_labels(issue: int) -> list[str]:
-    """Return label names for an issue."""
-    result = subprocess.run(
-        ["fgj", "--hostname", "codeberg.org", "issue", "view", str(issue),
-         "--repo", REPO, "--json"],
-        capture_output=True, text=True,
-    )
-    if result.returncode != 0 or not result.stdout.strip():
-        return []
-    try:
-        data = json.loads(result.stdout)
-    except json.JSONDecodeError:
-        return []
-    return [lbl["name"] for lbl in data.get("issue", {}).get("labels", [])]
-
-
 def _merge_pr(pr_number: int) -> None:
    """Squash-merge a PR via fgj."""
    _fgj("pr", "merge", str(pr_number), "--repo", REPO, "--merge-method", "squash")


-def _handle_pr_still_open_after_merge(pr_number: int, branch: str, issue_num: int | None) -> str:
-    """Handle a PR that is still open after a successful _merge_pr() call.
-
-    Returns one of:
-      "rebase-spawned" — merge conflict detected; rebase agent started, state written
-      "merged"         — PR closed after a retry
-      "fallback"       — all options exhausted; caller should set State/Question
-    """
-    result = subprocess.run(
-        ["fgj", "--hostname", "codeberg.org", "pr", "view", str(pr_number),
-         "--repo", REPO, "--json"],
-        capture_output=True, text=True,
-    )
-    pr_data: dict = {}
-    if result.returncode == 0 and result.stdout.strip():
-        try:
-            pr_data = json.loads(result.stdout)
-        except json.JSONDecodeError:
-            pass
-    mergeable = pr_data.get("mergeable")
-
-    if mergeable is False:
-        prompt = (
-            f"Rebase branch `{branch}` onto main to resolve merge conflicts, then push. "
-            "Do not change any logic — only resolve conflicts and push."
-        )
-        session_name = f"rebase-pr-{pr_number}"
-        pid = _start_agent(prompt, session_name)
-        _write_state(pid, issue_num, "pending-ci", session_name=session_name)
-        print(f"PR #{pr_number} has merge conflicts — spawned rebase agent (pid={pid}).")
-        return "rebase-spawned"
-
-    for attempt in range(1, 3):
-        time.sleep(5)
-        try:
-            _merge_pr(pr_number)
-        except RuntimeError as e:
-            print(f"PR #{pr_number} merge retry {attempt} failed: {e}")
-        if not _find_pr_for_branch(branch):
-            print(f"PR #{pr_number} merged on retry {attempt}.")
-            return "merged"
-
-    return "fallback"
-
-
 # ── state file ────────────────────────────────────────────────────────────────


@@ -377,12 +275,6 @@ def _clear_state() -> None:
    STATE_FILE.unlink(missing_ok=True)


-def _update_heartbeat() -> None:
-    """Record that the agent loop ran right now."""
-    HEARTBEAT_FILE.write_text(datetime.now(timezone.utc).isoformat())
-    HEARTBEAT_FILE.chmod(0o600)
-
-
 def _find_session_uuid(session_name: str) -> str | None:
    """Return the Claude session UUID for *session_name*, or None if not found.

@@ -542,7 +434,7 @@ def cmd_list() -> int:

    sessions.sort(reverse=True)
    total = len(sessions)
-    print(f"  {'DATE':<16}  {'NAME':<20}  UUID  (use with: claude --resume <uuid> --dangerously-skip-permissions)")
+    print(f"  {'DATE':<16}  {'NAME':<20}  UUID  (use with: claude --resume <uuid>)")
    print(f"  {'-'*16}  {'-'*20}  {'-'*36}")
    for mtime, name, sid in sessions[:20]:
        ts = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M")
@@ -552,44 +444,12 @@ def cmd_list() -> int:
    return 0


-# ── monitor subcommand ────────────────────────────────────────────────────────
-
-
-def cmd_monitor() -> int:
-    """Check that the agent loop has run within the last 2 hours.
-
-    Exits 0 if healthy, 1 if the heartbeat is missing or stale.
-    Intended to be called from a scheduled CI job or cron every 2 hours.
-    """
-    if not HEARTBEAT_FILE.exists():
-        print(
-            f"WARNING: Agent loop heartbeat file missing — "
-            f"the loop may not have run yet or the file was deleted ({HEARTBEAT_FILE})."
-        )
-        return 1
-    try:
-        last_run = datetime.fromisoformat(HEARTBEAT_FILE.read_text().strip())
-    except ValueError:
-        print(f"WARNING: Agent loop heartbeat file is corrupted: {HEARTBEAT_FILE}")
-        return 1
-    age = (datetime.now(timezone.utc) - last_run).total_seconds()
-    if age > MAX_HEARTBEAT_AGE_SECONDS:
-        print(
-            f"WARNING: Agent loop last ran {age / 3600:.1f}h ago "
-            f"(limit: {MAX_HEARTBEAT_AGE_SECONDS // 3600}h) — the loop may be stalled."
-        )
-        return 1
-    print(f"Agent loop is healthy. Last run: {age / 60:.0f} min ago.")
-    return 0
-
-
 # ── main flow ─────────────────────────────────────────────────────────────────


 def _run_loop() -> int:
    now = datetime.now(timezone.utc)
    print(f"---------------------- Starting {now.strftime('%Y-%m-%d %H:%MZ')}")
-    _update_heartbeat()

    state = _read_state()

@@ -626,9 +486,9 @@ def _run_loop() -> int:
        session_name = state.get("session_name")
        uuid = _find_session_uuid(session_name) if session_name else None
        if uuid:
-            resume_cmd = f"claude --resume {shlex.quote(uuid)} --dangerously-skip-permissions"
+            resume_cmd = f"claude --resume {shlex.quote(uuid)}"
        elif session_name:
-            resume_cmd = f"claude --resume <uuid> --dangerously-skip-permissions  # run: scripts/agent_loop.py list"
+            resume_cmd = f"claude --resume <uuid>  # run: scripts/agent_loop.py list"
        else:
            resume_cmd = ""
        git_info = _git_summary()
@@ -644,29 +504,13 @@ def _run_loop() -> int:

    # Agent not running (or no state) — extract any pending issue, then clean up.
    pending_issue: int | None = None
-    pending_type: str | None = None
    ci_run_id_at_start: int | None = None
    if state:
        pending_issue = state.get("issue")
-        pending_type = state.get("type")
        ci_run_id_at_start = state.get("ci_run_id_at_start")
        _clear_state()

-    # ── 2a. Finished planning agent ───────────────────────────────────────────
-    if pending_issue and pending_type == "plan":
-        session_name = f"plan-issue-{pending_issue}"
-        uuid = _find_session_uuid(session_name)
-        if uuid:
-            resume_cmd = f"claude --resume {shlex.quote(uuid)} --dangerously-skip-permissions"
-            _comment_issue(
-                pending_issue,
-                f"Planning complete. To resume this session:\n\n```\n{resume_cmd}\n```",
-            )
-        _set_labels(pending_issue, add=[LABEL_PLANNED], remove=[LABEL_IN_PROGRESS])
-        print(f"Planning done for {_issue_url(pending_issue)} — set State/Planned.")
-        return 0
-
-    # ── 2b. Check for a PR opened by the agent ───────────────────────────────
+    # ── 2. Check for a PR opened by the agent ────────────────────────────────
    if pending_issue:
        branch = f"issue-{pending_issue}-fix"
        pr = _find_pr_for_branch(branch)
@@ -742,13 +586,6 @@ def _run_loop() -> int:
                )
                return 0
            if _find_pr_for_branch(branch):
-                merge_result = _handle_pr_still_open_after_merge(pr_number, branch, pending_issue)
-                if merge_result == "rebase-spawned":
-                    return 0
-                if merge_result == "merged":
-                    _close_issue(pending_issue)
-                    print(f"Merged PR #{pr_number} and closed {_issue_url(pending_issue)}.")
-                    return 0
                print(f"PR #{pr_number} is still open after merge attempt — setting to State/Question.")
                _set_labels(pending_issue, add=[LABEL_QUESTION], remove=[LABEL_IN_PROGRESS])
                _comment_issue(
@@ -805,9 +642,6 @@ def _run_loop() -> int:
            continue

        if pr_run and pr_run.get("status") == "success":
-            if issue_num and LABEL_QUESTION in _get_issue_labels(issue_num):
-                print(f"Catch-up: PR #{pr_number} — issue #{issue_num} is State/Question, skipping.")
-                continue
            print(f"Catch-up: CI passed on PR #{pr_number} ({pr_url}) — merging.")
            try:
                _merge_pr(pr_number)
@@ -817,16 +651,6 @@ def _run_loop() -> int:
            # Verify the merge actually happened; fgj can exit 0 without merging
            # (e.g. branch-protection rules not satisfied).
            if _find_pr_for_branch(branch):
-                merge_result = _handle_pr_still_open_after_merge(pr_number, branch, issue_num)
-                if merge_result == "rebase-spawned":
-                    return 0
-                if merge_result == "merged":
-                    if issue_num:
-                        _close_issue(issue_num)
-                        print(f"Catch-up: merged PR #{pr_number} and closed issue #{issue_num} after retry.")
-                    else:
-                        print(f"Catch-up: merged PR #{pr_number} after retry.")
-                    return 0
                print(
                    f"Catch-up: PR #{pr_number} is still open after merge attempt "
                    "— skipping to avoid infinite retry."
@@ -846,40 +670,6 @@ def _run_loop() -> int:
                print(f"Merged PR #{pr_number}.")
            return 0

-    # ── 2c. Catch-up: merge Renovate PRs with passing CI ─────────────────────
-    # The merge-renovate CI job only fires on pull_request events. If a Renovate
-    # PR had CI run before that job was added (or the automerge label was absent),
-    # it stays open forever. Detect and merge those here.
-    for pr in _open_renovate_prs():
-        pr_number = pr["number"]
-        pr_url = f"{REPO_URL}/pulls/{pr_number}"
-        pr_run = _latest_ci_run_for_pr(pr_number)
-
-        if pr_run and pr_run.get("status") == "running":
-            print(f"Catch-up (Renovate): CI {_ci_run_url(pr_run['id'])} on PR #{pr_number} still running. Waiting.")
-            return 0
-
-        if pr_run and pr_run.get("status") in ("failure", "error"):
-            print(f"Catch-up (Renovate): CI {_ci_run_url(pr_run['id'])} on PR #{pr_number} failed — skipping.")
-            continue
-
-        if pr_run and pr_run.get("status") == "success":
-            print(f"Catch-up (Renovate): CI passed on PR #{pr_number} ({pr_url}) — merging.")
-            try:
-                _merge_pr(pr_number)
-            except RuntimeError as e:
-                print(f"Catch-up (Renovate): merge of PR #{pr_number} failed: {e} — skipping.")
-                continue
-            branch = pr.get("head", {}).get("ref", "")
-            if _find_pr_for_branch(branch):
-                print(f"Catch-up (Renovate): PR #{pr_number} still open after merge — skipping.")
-                continue
-            print(f"Catch-up (Renovate): merged PR #{pr_number}.")
-            return 0
-
-        if pr_run is None:
-            print(f"Catch-up (Renovate): no CI run for PR #{pr_number} ({pr_url}) — skipping (needs manual review).")
-
    # ── 3. Global CI check (main branch only) ────────────────────────────────
    run = _latest_main_ci_run()

@@ -895,8 +685,9 @@ def _run_loop() -> int:
        # spawning another agent, check whether any CI run is currently in
        # progress (the branch run) and wait if so.
        if ci_run_id_at_start is not None and run["id"] == ci_run_id_at_start:
+            check = _tea_get(f"repos/{REPO}/actions/runs?limit=5")
            in_flight = [
-                r for r in _fgj_run_list(limit=5)
+                r for r in (check or {}).get("workflow_runs", [])
                if r.get("status") == "running"
            ]
            if in_flight:
@@ -947,44 +738,10 @@ def _run_loop() -> int:
        print(f"CI passed{ci_run_part} — closed {_issue_url(pending_issue)}.")
        return 0

-    # Find a ToPlan issue — planning takes priority over implementation.
-    to_plan = _to_plan_issues()
-    if to_plan:
-        issue = to_plan[0]
-        issue_number = issue["number"]
-        issue_title = issue["title"]
-        issue_body = issue.get("body", "")
-
-        print(f"Starting planning agent for {_issue_url(issue_number)} {issue_title}")
-        _set_labels(issue_number, add=[LABEL_IN_PROGRESS], remove=[LABEL_TO_PLAN])
-
-        plan_prompt = f"""Analyze Codeberg issue #{issue_number} in the guettli/sharedinbox repository and write a detailed implementation plan.
-
-Issue title: {issue_title}
-
-Issue body:
-{issue_body}
-
-Instructions:
- Read and understand the issue thoroughly.
- Explore the relevant parts of the codebase to understand the current structure.
- Write a detailed implementation plan as a comment on the issue using:
-      fgj issue comment {issue_number} --repo {REPO} --body "..."
-  The plan should cover: which files to change, what approach to take, and any risks or open questions.
- Do NOT write any code, do NOT create any branches or PRs, do NOT modify any files.
- If the issue is unclear or you need more information, set the label to State/Question
-  and stop (do NOT close the issue).
- When you have posted the plan as an issue comment, stop.
-"""
-        session_name = f"plan-issue-{issue_number}"
-        pid = _start_agent(plan_prompt, session_name)
-        _write_state(pid, issue_number, "plan", issue_title, session_name=session_name)
-        return 0
-
    # Find a Ready issue.
    issues = _ready_issues()
    if not issues:
-        print("No issues with State/ToPlan or State/Ready. Nothing to do.")
+        print("No issues with State/Ready. Nothing to do.")
        return 0

    issue = issues[0]
@@ -1040,13 +797,10 @@ def main() -> int:
    parser = argparse.ArgumentParser(prog="agent_loop")
    sub = parser.add_subparsers(dest="cmd")
    sub.add_parser("list", help="List recent agent sessions")
-    sub.add_parser("monitor", help="Check that the loop ran within the last 2 hours")
    args = parser.parse_args()

    if args.cmd == "list":
        return cmd_list()
-    if args.cmd == "monitor":
-        return cmd_monitor()
    return _run_loop()


@@ -11,7 +11,6 @@ const _minCoveragePercent = 80;

 // Pure-abstract interfaces: no executable code, Dart VM never instruments them.
 const _noCode = {
-  'lib/core/db_schema_version.dart',
  'lib/core/repositories/account_repository.dart',
  'lib/core/repositories/draft_repository.dart',
  'lib/core/repositories/email_repository.dart',
@@ -20,9 +19,7 @@ const _noCode = {
  'lib/core/repositories/sync_log_repository.dart',
  'lib/core/repositories/undo_repository.dart',
  'lib/core/repositories/search_history_repository.dart',
-  'lib/core/repositories/user_preferences_repository.dart',
  'lib/core/models/undo_action.dart',
-  'lib/core/models/user_preferences.dart',
  'lib/core/storage/secure_storage.dart',
 };

@@ -60,8 +57,6 @@ const _excluded = {
  'lib/ui/widgets/try_connection_button.dart',
  'lib/ui/widgets/undo_shell.dart',
  'lib/ui/screens/about_screen.dart',
-  'lib/ui/screens/email_action_helpers.dart',
-  'lib/ui/utils/about_markdown.dart',
  'lib/ui/widgets/email_tile.dart',
  'lib/core/sync/account_sync_manager.dart',
  'lib/core/sync/background_sync.dart',
@@ -75,8 +70,6 @@ const _excluded = {
  'lib/data/repositories/sync_log_repository_impl.dart',
  'lib/data/repositories/undo_repository_impl.dart',
  'lib/data/repositories/search_history_repository_impl.dart',
-  'lib/data/repositories/user_preferences_repository_impl.dart',
-  'lib/ui/screens/user_preferences_screen.dart',
  'lib/core/services/update_service.dart',
 };

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Decrypts secrets.age and exports all KEY=VALUE pairs as environment variables.
+#
+# In CI (GITHUB_ENV set): writes to $GITHUB_ENV so subsequent job steps can
+# read the variables. Multi-line values use the heredoc syntax required by
+# Forgejo/GitHub Actions.
+#
+# Locally: prints an eval-safe export block to stdout. Source it with:
+#   eval "$(SECRETS_AGE_KEY=$(cat ~/.config/age/sharedinbox.key) scripts/secrets-decrypt.sh)"
+#   or pass a key file:
+#   eval "$(scripts/secrets-decrypt.sh ~/.config/age/sharedinbox.key)"
+#
+# Private key sources (first match wins):
+#   1. Path to a key file passed as $1
+#   2. SECRETS_AGE_KEY env var (the raw private key content — used in CI)
+set -euo pipefail
+
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
+    || REPO_ROOT=$(cd "$(dirname "$0")/.." && pwd)
+SECRETS_AGE="${SECRETS_AGE:-${REPO_ROOT}/secrets.age}"
+
+if [ ! -f "$SECRETS_AGE" ]; then
+    echo "ERROR: secrets.age not found at $SECRETS_AGE" >&2
+    echo "  Run: scripts/secrets-encrypt.sh to create it." >&2
+    exit 1
+fi
+
+TMP_KEY=""
+cleanup() { [ -n "$TMP_KEY" ] && rm -f "$TMP_KEY"; }
+trap cleanup EXIT
+
+if [ -n "${1:-}" ]; then
+    KEY_FILE="$1"
+elif [ -n "${SECRETS_AGE_KEY:-}" ]; then
+    TMP_KEY=$(mktemp)
+    chmod 600 "$TMP_KEY"
+    printf '%s\n' "$SECRETS_AGE_KEY" > "$TMP_KEY"
+    KEY_FILE="$TMP_KEY"
+else
+    echo "ERROR: No age private key provided." >&2
+    echo "  Pass a key file: scripts/secrets-decrypt.sh ~/.config/age/sharedinbox.key" >&2
+    echo "  Or set SECRETS_AGE_KEY env var (CI: store as SECRETS_AGE_KEY secret)." >&2
+    exit 1
+fi
+
+DECRYPTED=$(age --decrypt -i "$KEY_FILE" "$SECRETS_AGE")
+
+# Process each KEY=VALUE line.
+# Double-quoted values have \n escape sequences converted to real newlines.
+process_secrets() {
+    local line key raw_value value
+    while IFS= read -r line; do
+        [[ -z "$line" || "$line" == \#* ]] && continue
+        [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || continue
+
+        key="${line%%=*}"
+        raw_value="${line#*=}"
+
+        # Double-quoted: strip quotes and expand \n → newline
+        if [[ "$raw_value" == '"'*'"' ]]; then
+            raw_value="${raw_value:1:${#raw_value}-2}"
+            value=$(printf '%b' "$raw_value")
+        # Single-quoted: strip quotes, no expansion
+        elif [[ "$raw_value" == "'"*"'" ]]; then
+            value="${raw_value:1:${#raw_value}-2}"
+        else
+            value="$raw_value"
+        fi
+
+        if [ -n "${GITHUB_ENV:-}" ]; then
+            # Heredoc syntax handles multi-line values safely
+            local delim="EOF_${key}_$$"
+            printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
+        else
+            # Print as export statements for eval
+            printf "export %s=%q\n" "$key" "$value"
+        fi
+    done <<< "$DECRYPTED"
+}
+
+process_secrets
+
+if [ -n "${GITHUB_ENV:-}" ]; then
+    echo "Secrets written to \$GITHUB_ENV." >&2
+fi
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Encrypts secrets.env → secrets.age using an age public key.
+#
+# Usage:
+#   scripts/secrets-encrypt.sh [AGE1...]   public key as positional argument
+#   AGE_PUBLIC_KEY=AGE1... scripts/secrets-encrypt.sh
+#   scripts/secrets-encrypt.sh             reads public key from .age-public-key
+#
+# The private key never touches this script. Only the public key is needed to
+# encrypt. Store the private key in CI as SECRETS_AGE_KEY and keep a local
+# copy at ~/.config/age/sharedinbox.key (or wherever you prefer).
+set -euo pipefail
+
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
+    || REPO_ROOT=$(cd "$(dirname "$0")/.." && pwd)
+SECRETS_ENV="${SECRETS_ENV:-${REPO_ROOT}/secrets.env}"
+SECRETS_AGE="${SECRETS_AGE:-${REPO_ROOT}/secrets.age}"
+KEY_FILE="${REPO_ROOT}/.age-public-key"
+
+if [ -n "${1:-}" ]; then
+    PUBLIC_KEY="$1"
+elif [ -n "${AGE_PUBLIC_KEY:-}" ]; then
+    PUBLIC_KEY="$AGE_PUBLIC_KEY"
+elif [ -f "$KEY_FILE" ]; then
+    PUBLIC_KEY=$(cat "$KEY_FILE")
+    PUBLIC_KEY="${PUBLIC_KEY%%$'\n'*}"  # take only the first line
+else
+    echo "ERROR: No age public key provided." >&2
+    echo "  Pass it as an argument: scripts/secrets-encrypt.sh AGE1..." >&2
+    echo "  Or store it in .age-public-key: age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key" >&2
+    exit 1
+fi
+
+if [ ! -f "$SECRETS_ENV" ]; then
+    echo "ERROR: secrets.env not found at $SECRETS_ENV" >&2
+    echo "  Copy secrets.env.example to secrets.env and fill in values." >&2
+    exit 1
+fi
+
+age --encrypt --recipient "$PUBLIC_KEY" --output "$SECRETS_AGE" "$SECRETS_ENV"
+echo "Encrypted $SECRETS_ENV → $SECRETS_AGE"
+echo "Commit secrets.age to keep CI in sync."
@@ -6,7 +6,6 @@ import json
 import os
 import tempfile
 import unittest
-from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from unittest.mock import MagicMock, patch

@@ -714,7 +713,7 @@ class TestRunLoopResumeCommand(unittest.TestCase):
             contextlib.redirect_stdout(buf):
            agent_loop._run_loop()
        output = buf.getvalue()
-        self.assertIn(f"claude --resume {fake_uuid} --dangerously-skip-permissions", output)
+        self.assertIn(f"claude --resume {fake_uuid}", output)

    def test_resume_shows_list_hint_when_uuid_not_found(self):
        buf = io.StringIO()
@@ -745,194 +744,5 @@ class TestRunLoopResumeCommand(unittest.TestCase):
        self.assertNotIn("Resume:", output)


-
-class TestCatchupSkipsQuestionIssues(unittest.TestCase):
-    """Catch-up must not retry merging a PR whose issue is already State/Question."""
-
-    def _make_pr(self, pr_number=50, branch="issue-10-fix"):
-        return {"number": pr_number, "head": {"ref": branch}}
-
-    def test_skips_merge_when_issue_has_question_label(self):
-        pr = self._make_pr()
-        ci_run = {"id": 999, "status": "success"}
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[pr]), \
-             patch("agent_loop._latest_ci_run_for_pr", return_value=ci_run), \
-             patch("agent_loop._get_issue_labels", return_value=[agent_loop.LABEL_QUESTION]), \
-             patch("agent_loop._merge_pr") as mock_merge, \
-             patch("agent_loop._comment_issue") as mock_comment, \
-             patch("agent_loop._set_labels") as mock_labels, \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]):
-            result = agent_loop._run_loop()
-        self.assertEqual(result, 0)
-        mock_merge.assert_not_called()
-        mock_comment.assert_not_called()
-        mock_labels.assert_not_called()
-
-    def test_proceeds_with_merge_when_issue_lacks_question_label(self):
-        pr = self._make_pr()
-        ci_run = {"id": 999, "status": "success"}
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[pr]), \
-             patch("agent_loop._latest_ci_run_for_pr", return_value=ci_run), \
-             patch("agent_loop._get_issue_labels", return_value=[agent_loop.LABEL_IN_PROGRESS]), \
-             patch("agent_loop._merge_pr") as mock_merge, \
-             patch("agent_loop._find_pr_for_branch", return_value=None), \
-             patch("agent_loop._close_issue"):
-            result = agent_loop._run_loop()
-        self.assertEqual(result, 0)
-        mock_merge.assert_called_once_with(50)
-
-
-class TestMergeFailsOpen(unittest.TestCase):
-    """Tests for auto-resolution when a PR is still open after the merge command."""
-
-    def _dead_state(self, issue: int, kind: str = "issue") -> dict:
-        return {
-            "pid": 999999999,
-            "issue": issue,
-            "started_at": "2026-01-01T00:00:00+00:00",
-            "type": kind,
-        }
-
-    def _open_pr(self, branch: str = "issue-10-fix") -> dict:
-        return {"number": 5, "head": {"ref": branch}, "created_at": "2026-01-01T00:00:00+00:00"}
-
-    def test_merge_fails_open_with_conflicts_spawns_rebase_agent(self):
-        """mergeable=false → rebase agent spawned, state written as pending-ci."""
-        written_state = {}
-
-        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
-            written_state["pid"] = pid
-            written_state["issue"] = issue
-            written_state["kind"] = kind
-            written_state["session_name"] = session_name
-
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch", side_effect=[self._open_pr(), self._open_pr()]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._tea_get", return_value={"mergeable": False}), \
-             patch("agent_loop._start_agent", return_value=77) as mock_start, \
-             patch("agent_loop._write_state", side_effect=fake_write_state), \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_start.assert_called_once()
-        prompt = mock_start.call_args[0][0]
-        self.assertIn("Rebase branch", prompt)
-        self.assertIn("issue-10-fix", prompt)
-        self.assertEqual(written_state.get("kind"), "pending-ci")
-        self.assertEqual(written_state.get("issue"), 10)
-
-    def test_merge_fails_open_no_conflicts_retries_and_succeeds(self):
-        """mergeable=true, second attempt succeeds → issue closed."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch",
-                   side_effect=[self._open_pr(), self._open_pr(), None]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._tea_get", return_value={"mergeable": True}), \
-             patch("agent_loop.time.sleep"), \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_called_once_with(10)
-
-    def test_merge_fails_open_no_conflicts_all_retries_exhausted(self):
-        """All retries exhausted with PR still open → falls through to State/Question."""
-        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
-             patch("agent_loop._find_pr_for_branch",
-                   side_effect=[self._open_pr(), self._open_pr(),
-                                 self._open_pr(), self._open_pr()]), \
-             patch("agent_loop._latest_ci_run_for_branch", return_value={"id": 1, "status": "success"}), \
-             patch("agent_loop._merge_pr"), \
-             patch("agent_loop._tea_get", return_value={"mergeable": True}), \
-             patch("agent_loop.time.sleep"), \
-             patch("agent_loop._set_labels") as mock_labels, \
-             patch("agent_loop._comment_issue") as mock_comment, \
-             patch("agent_loop._close_issue") as mock_close, \
-             patch("agent_loop._clear_state"):
-            result = agent_loop._run_loop()
-
-        self.assertEqual(result, 0)
-        mock_close.assert_not_called()
-        mock_labels.assert_called_once_with(
-            10,
-            add=[agent_loop.LABEL_QUESTION],
-            remove=[agent_loop.LABEL_IN_PROGRESS],
-        )
-        mock_comment.assert_called_once()
-
-
-class TestHeartbeat(unittest.TestCase):
-    """Tests for _update_heartbeat() and cmd_monitor()."""
-
-    def setUp(self):
-        self._tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".heartbeat")
-        self._tmp.close()
-        self._orig = agent_loop.HEARTBEAT_FILE
-        agent_loop.HEARTBEAT_FILE = Path(self._tmp.name)
-        Path(self._tmp.name).unlink()  # Start with no heartbeat file.
-
-    def tearDown(self):
-        agent_loop.HEARTBEAT_FILE = self._orig
-        Path(self._tmp.name).unlink(missing_ok=True)
-
-    def test_update_heartbeat_writes_timestamp(self):
-        agent_loop._update_heartbeat()
-        content = Path(self._tmp.name).read_text().strip()
-        dt = datetime.fromisoformat(content)
-        age = (datetime.now(timezone.utc) - dt).total_seconds()
-        self.assertLess(age, 5)
-
-    def test_update_heartbeat_creates_file(self):
-        self.assertFalse(Path(self._tmp.name).exists())
-        agent_loop._update_heartbeat()
-        self.assertTrue(Path(self._tmp.name).exists())
-
-    def test_monitor_healthy_when_recent(self):
-        agent_loop._update_heartbeat()
-        result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 0)
-
-    def test_monitor_warns_when_heartbeat_missing(self):
-        buf = io.StringIO()
-        with contextlib.redirect_stdout(buf):
-            result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 1)
-        self.assertIn("WARNING", buf.getvalue())
-
-    def test_monitor_warns_when_stale(self):
-        stale = (datetime.now(timezone.utc) - timedelta(hours=3)).isoformat()
-        Path(self._tmp.name).write_text(stale)
-        buf = io.StringIO()
-        with contextlib.redirect_stdout(buf):
-            result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 1)
-        self.assertIn("WARNING", buf.getvalue())
-
-    def test_monitor_warns_when_corrupted(self):
-        Path(self._tmp.name).write_text("not-a-timestamp")
-        buf = io.StringIO()
-        with contextlib.redirect_stdout(buf):
-            result = agent_loop.cmd_monitor()
-        self.assertEqual(result, 1)
-        self.assertIn("WARNING", buf.getvalue())
-
-    def test_run_loop_updates_heartbeat(self):
-        self.assertFalse(Path(self._tmp.name).exists())
-        with patch("agent_loop._read_state", return_value=None), \
-             patch("agent_loop._open_issue_prs", return_value=[]), \
-             patch("agent_loop._latest_main_ci_run", return_value=None), \
-             patch("agent_loop._ready_issues", return_value=[]):
-            agent_loop._run_loop()
-        self.assertTrue(Path(self._tmp.name).exists())
-
-
 if __name__ == "__main__":
    unittest.main()
@@ -0,0 +1,153 @@
+#!/usr/bin/env bash
+# Tests for scripts/secrets-encrypt.sh and scripts/secrets-decrypt.sh.
+# Run directly: bash scripts/test_secrets.sh
+# Requires: age, age-keygen
+set -euo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+PASS=0
+FAIL=0
+
+_assert() {
+    local name="$1" expected="$2" actual="$3"
+    if [ "$actual" = "$expected" ]; then
+        PASS=$((PASS + 1))
+    else
+        echo "FAIL: $name"
+        echo "  expected: $(printf '%s' "$expected" | head -c 80)"
+        echo "  actual:   $(printf '%s' "$actual"   | head -c 80)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+_assert_contains() {
+    local name="$1" needle="$2" haystack="$3"
+    if printf '%s' "$haystack" | grep -qF -- "$needle"; then
+        PASS=$((PASS + 1))
+    else
+        echo "FAIL: $name"
+        echo "  expected to contain: $needle"
+        echo "  actual: $(printf '%s' "$haystack" | head -c 200)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+if ! command -v age >/dev/null 2>&1 || ! command -v age-keygen >/dev/null 2>&1; then
+    echo "SKIP: age/age-keygen not found — install age to run secrets tests"
+    exit 0
+fi
+
+WORKDIR=$(mktemp -d)
+cleanup() { rm -rf "$WORKDIR"; }
+trap cleanup EXIT
+
+KEY_FILE="$WORKDIR/test.key"
+SECRETS_ENV="$WORKDIR/secrets.env"
+SECRETS_AGE="$WORKDIR/secrets.age"
+GITHUB_ENV_FILE="$WORKDIR/github.env"
+
+# Generate a test age key pair
+age-keygen -o "$KEY_FILE" 2>/dev/null
+PUBLIC_KEY=$(age-keygen -y "$KEY_FILE")
+
+PRIVATE_KEY=$(cat "$KEY_FILE")
+
+# Helper: decrypt and eval, capturing specific variables
+_decrypt_vars() {
+    local vars
+    vars=$(SECRETS_AGE_KEY="$PRIVATE_KEY" \
+        SECRETS_AGE="$SECRETS_AGE" \
+        bash "$SCRIPT_DIR/secrets-decrypt.sh")
+    eval "$vars"
+}
+
+# --- simple values ---
+cat > "$SECRETS_ENV" << 'EOF'
+SIMPLE_VAR=hello
+QUOTED_DOUBLE="world"
+QUOTED_SINGLE='literal'
+EMPTY_VAR=
+# comment line — should be ignored
+NUMERIC=42
+EOF
+
+AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$SECRETS_ENV" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh"
+
+_decrypt_vars
+_assert "simple value"         "hello"   "${SIMPLE_VAR:-}"
+_assert "double-quoted value"  "world"   "${QUOTED_DOUBLE:-}"
+_assert "single-quoted value"  "literal" "${QUOTED_SINGLE:-}"
+_assert "empty value"          ""        "${EMPTY_VAR:-}"
+_assert "numeric value"        "42"      "${NUMERIC:-}"
+unset SIMPLE_VAR QUOTED_DOUBLE QUOTED_SINGLE EMPTY_VAR NUMERIC
+
+# --- multi-line value with \n escape sequences ---
+# Use a made-up key format to avoid triggering the detect-private-key pre-commit hook.
+printf '%s\n' \
+    'SSH_KEY="FAKE-KEY-HEADER\nfakekey\nFAKE-KEY-FOOTER"' \
+    'SIDE=plain' \
+    > "$SECRETS_ENV"
+
+rm -f "$SECRETS_AGE"
+AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$SECRETS_ENV" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh"
+
+_decrypt_vars
+_assert_contains "multi-line: header present" "FAKE-KEY-HEADER" "${SSH_KEY:-}"
+_assert_contains "multi-line: body present"   "fakekey"         "${SSH_KEY:-}"
+_assert_contains "multi-line: footer present" "FAKE-KEY-FOOTER" "${SSH_KEY:-}"
+_assert "variable alongside multi-line" "plain" "${SIDE:-}"
+unset SSH_KEY SIDE
+
+# --- GITHUB_ENV output uses heredoc syntax ---
+printf '%s\n' 'CI_SECRET=supersecret' > "$SECRETS_ENV"
+rm -f "$SECRETS_AGE" "$GITHUB_ENV_FILE"
+AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$SECRETS_ENV" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh"
+
+GITHUB_ENV="$GITHUB_ENV_FILE" \
+    SECRETS_AGE_KEY="$PRIVATE_KEY" \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh"
+
+_assert_contains "GITHUB_ENV contains key"   "CI_SECRET"   "$(cat "$GITHUB_ENV_FILE")"
+_assert_contains "GITHUB_ENV contains value" "supersecret" "$(cat "$GITHUB_ENV_FILE")"
+
+# --- missing secrets.age exits non-zero with a helpful message ---
+ERR=$(SECRETS_AGE="$WORKDIR/nonexistent.age" \
+    SECRETS_AGE_KEY="$PRIVATE_KEY" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "missing secrets.age: exits non-zero" "1" "$GOT"
+_assert_contains "missing secrets.age: error mentions file" "secrets.age" "$ERR"
+
+# --- missing key exits non-zero ---
+ERR=$(SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "missing key: exits non-zero" "1" "$GOT"
+
+# --- wrong key fails decryption ---
+OTHER_KEY="$WORKDIR/other.key"
+age-keygen -o "$OTHER_KEY" 2>/dev/null
+ERR=$(SECRETS_AGE_KEY=$(cat "$OTHER_KEY") \
+    SECRETS_AGE="$SECRETS_AGE" \
+    bash "$SCRIPT_DIR/secrets-decrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "wrong key: exits non-zero" "1" "$GOT"
+
+# --- encrypt without secrets.env exits non-zero ---
+ERR=$(AGE_PUBLIC_KEY="$PUBLIC_KEY" \
+    SECRETS_ENV="$WORKDIR/missing_secrets.env" \
+    SECRETS_AGE="$WORKDIR/out.age" \
+    bash "$SCRIPT_DIR/secrets-encrypt.sh" 2>&1) && GOT=0 || GOT=$?
+_assert "encrypt without secrets.env: exits non-zero" "1" "$GOT"
+_assert_contains "encrypt without secrets.env: error mentions file" "secrets.env" "$ERR"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] || exit 1
@@ -0,0 +1,28 @@
+# Copy this file to secrets.env and fill in real values.
+# Then encrypt to secrets.age: scripts/secrets-encrypt.sh
+#
+# secrets.env  — plaintext, git-ignored
+# secrets.age  — encrypted, committed to the repository
+# .age-public-key — age public key, committed (not secret)
+#
+# Multi-line values (SSH keys, certificates) must be stored as a single line
+# with literal \n for newlines, wrapped in double quotes. Example:
+#   SSH_PRIVATE_KEY="<header line>\n<base64 body lines>\n<footer line>"
+#
+# One-time setup:
+#   age-keygen -o ~/.config/age/sharedinbox.key
+#   age-keygen -y ~/.config/age/sharedinbox.key > .age-public-key
+#   # Store the private key content in CI as SECRETS_AGE_KEY secret.
+
+ANDROID_KEYSTORE_BASE64=
+ANDROID_KEYSTORE_PASSWORD=
+PLAY_STORE_CONFIG_JSON=
+SSH_PRIVATE_KEY=
+SSH_KNOWN_HOSTS=
+SSH_USER=
+SSH_HOST=
+ANDROID_APK_SCP_HOST=
+ANDROID_APK_SCP_USER=
+ANDROID_APK_SCP_PATH=
+FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY=
+FIREBASE_PROJECT_ID=
@@ -149,22 +149,6 @@ class _FakeMailboxes implements MailboxRepository {

  @override
  Future<void> clearForResync(String accountId) async {}
-
-  @override
-  Future<Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  ) async =>
-      Mailbox(
-        id: '$accountId:$name',
-        accountId: accountId,
-        path: name,
-        name: name,
-        role: role,
-        unreadCount: 0,
-        totalCount: 0,
-      );
 }

 class _FakeEmails implements EmailRepository {
@@ -304,8 +288,6 @@ class _FakeLogs implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -181,8 +181,6 @@ class FakeSyncLogRepository implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -224,21 +222,6 @@ class FakeMailboxRepositoryWithInbox implements MailboxRepository {
  Future<Mailbox?> findMailboxByRole(String id, String role) async => null;
  @override
  Future<void> clearForResync(String accountId) async {}
-  @override
-  Future<Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  ) async =>
-      Mailbox(
-        id: '$accountId:$name',
-        accountId: accountId,
-        path: name,
-        name: name,
-        role: role,
-        unreadCount: 0,
-        totalCount: 0,
-      );
 }

 class _AccountRepositoryWithMissingPlugin implements AccountRepository {
@@ -3,16 +3,16 @@
 // Do not manually edit this file.

 // ignore_for_file: no_leading_underscores_for_library_prefixes
-import 'dart:async' as _i5;
+import 'dart:async' as _i4;

 import 'package:mockito/mockito.dart' as _i1;
-import 'package:mockito/src/dummies.dart' as _i7;
-import 'package:sharedinbox/core/models/account.dart' as _i6;
-import 'package:sharedinbox/core/models/email.dart' as _i3;
-import 'package:sharedinbox/core/models/mailbox.dart' as _i2;
-import 'package:sharedinbox/core/repositories/account_repository.dart' as _i4;
+import 'package:mockito/src/dummies.dart' as _i6;
+import 'package:sharedinbox/core/models/account.dart' as _i5;
+import 'package:sharedinbox/core/models/email.dart' as _i2;
+import 'package:sharedinbox/core/models/mailbox.dart' as _i8;
+import 'package:sharedinbox/core/repositories/account_repository.dart' as _i3;
 import 'package:sharedinbox/core/repositories/email_repository.dart' as _i9;
-import 'package:sharedinbox/core/repositories/mailbox_repository.dart' as _i8;
+import 'package:sharedinbox/core/repositories/mailbox_repository.dart' as _i7;

 // ignore_for_file: type=lint
 // ignore_for_file: avoid_redundant_argument_values
@@ -29,8 +29,8 @@ import 'package:sharedinbox/core/repositories/mailbox_repository.dart' as _i8;
 // ignore_for_file: subtype_of_sealed_class
 // ignore_for_file: invalid_use_of_internal_member

-class _FakeMailbox_0 extends _i1.SmartFake implements _i2.Mailbox {
-  _FakeMailbox_0(
+class _FakeEmailBody_0 extends _i1.SmartFake implements _i2.EmailBody {
+  _FakeEmailBody_0(
    Object parent,
    Invocation parentInvocation,
  ) : super(
@@ -39,8 +39,9 @@ class _FakeMailbox_0 extends _i1.SmartFake implements _i2.Mailbox {
        );
 }

-class _FakeEmailBody_1 extends _i1.SmartFake implements _i3.EmailBody {
-  _FakeEmailBody_1(
+class _FakeSyncEmailsResult_1 extends _i1.SmartFake
+    implements _i2.SyncEmailsResult {
+  _FakeSyncEmailsResult_1(
    Object parent,
    Invocation parentInvocation,
  ) : super(
@@ -49,20 +50,9 @@ class _FakeEmailBody_1 extends _i1.SmartFake implements _i3.EmailBody {
        );
 }

-class _FakeSyncEmailsResult_2 extends _i1.SmartFake
-    implements _i3.SyncEmailsResult {
-  _FakeSyncEmailsResult_2(
-    Object parent,
-    Invocation parentInvocation,
-  ) : super(
-          parent,
-          parentInvocation,
-        );
-}
-
-class _FakeReliabilityResult_3 extends _i1.SmartFake
-    implements _i3.ReliabilityResult {
-  _FakeReliabilityResult_3(
+class _FakeReliabilityResult_2 extends _i1.SmartFake
+    implements _i2.ReliabilityResult {
+  _FakeReliabilityResult_2(
    Object parent,
    Invocation parentInvocation,
  ) : super(
@@ -74,32 +64,32 @@ class _FakeReliabilityResult_3 extends _i1.SmartFake
 /// A class which mocks [AccountRepository].
 ///
 /// See the documentation for Mockito's code generation for more information.
-class MockAccountRepository extends _i1.Mock implements _i4.AccountRepository {
+class MockAccountRepository extends _i1.Mock implements _i3.AccountRepository {
  MockAccountRepository() {
    _i1.throwOnMissingStub(this);
  }

  @override
-  _i5.Stream<List<_i6.Account>> observeAccounts() => (super.noSuchMethod(
+  _i4.Stream<List<_i5.Account>> observeAccounts() => (super.noSuchMethod(
        Invocation.method(
          #observeAccounts,
          [],
        ),
-        returnValue: _i5.Stream<List<_i6.Account>>.empty(),
-      ) as _i5.Stream<List<_i6.Account>>);
+        returnValue: _i4.Stream<List<_i5.Account>>.empty(),
+      ) as _i4.Stream<List<_i5.Account>>);

  @override
-  _i5.Future<_i6.Account?> getAccount(String? id) => (super.noSuchMethod(
+  _i4.Future<_i5.Account?> getAccount(String? id) => (super.noSuchMethod(
        Invocation.method(
          #getAccount,
          [id],
        ),
-        returnValue: _i5.Future<_i6.Account?>.value(),
-      ) as _i5.Future<_i6.Account?>);
+        returnValue: _i4.Future<_i5.Account?>.value(),
+      ) as _i4.Future<_i5.Account?>);

  @override
-  _i5.Future<void> addAccount(
-    _i6.Account? account,
+  _i4.Future<void> addAccount(
+    _i5.Account? account,
    String? password,
  ) =>
      (super.noSuchMethod(
@@ -110,13 +100,13 @@ class MockAccountRepository extends _i1.Mock implements _i4.AccountRepository {
            password,
          ],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<void> updateAccount(
-    _i6.Account? account, {
+  _i4.Future<void> updateAccount(
+    _i5.Account? account, {
    String? password,
  }) =>
      (super.noSuchMethod(
@@ -125,65 +115,65 @@ class MockAccountRepository extends _i1.Mock implements _i4.AccountRepository {
          [account],
          {#password: password},
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<void> removeAccount(String? id) => (super.noSuchMethod(
+  _i4.Future<void> removeAccount(String? id) => (super.noSuchMethod(
        Invocation.method(
          #removeAccount,
          [id],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<String> getPassword(String? accountId) => (super.noSuchMethod(
+  _i4.Future<String> getPassword(String? accountId) => (super.noSuchMethod(
        Invocation.method(
          #getPassword,
          [accountId],
        ),
-        returnValue: _i5.Future<String>.value(_i7.dummyValue<String>(
+        returnValue: _i4.Future<String>.value(_i6.dummyValue<String>(
          this,
          Invocation.method(
            #getPassword,
            [accountId],
          ),
        )),
-      ) as _i5.Future<String>);
+      ) as _i4.Future<String>);
 }

 /// A class which mocks [MailboxRepository].
 ///
 /// See the documentation for Mockito's code generation for more information.
-class MockMailboxRepository extends _i1.Mock implements _i8.MailboxRepository {
+class MockMailboxRepository extends _i1.Mock implements _i7.MailboxRepository {
  MockMailboxRepository() {
    _i1.throwOnMissingStub(this);
  }

  @override
-  _i5.Stream<List<_i2.Mailbox>> observeMailboxes(String? accountId) =>
+  _i4.Stream<List<_i8.Mailbox>> observeMailboxes(String? accountId) =>
      (super.noSuchMethod(
        Invocation.method(
          #observeMailboxes,
          [accountId],
        ),
-        returnValue: _i5.Stream<List<_i2.Mailbox>>.empty(),
-      ) as _i5.Stream<List<_i2.Mailbox>>);
+        returnValue: _i4.Stream<List<_i8.Mailbox>>.empty(),
+      ) as _i4.Stream<List<_i8.Mailbox>>);

  @override
-  _i5.Future<int> syncMailboxes(String? accountId) => (super.noSuchMethod(
+  _i4.Future<int> syncMailboxes(String? accountId) => (super.noSuchMethod(
        Invocation.method(
          #syncMailboxes,
          [accountId],
        ),
-        returnValue: _i5.Future<int>.value(0),
-      ) as _i5.Future<int>);
+        returnValue: _i4.Future<int>.value(0),
+      ) as _i4.Future<int>);

  @override
-  _i5.Future<_i2.Mailbox?> findMailboxByRole(
+  _i4.Future<_i8.Mailbox?> findMailboxByRole(
    String? accountId,
    String? role,
  ) =>
@@ -195,46 +185,18 @@ class MockMailboxRepository extends _i1.Mock implements _i8.MailboxRepository {
            role,
          ],
        ),
-        returnValue: _i5.Future<_i2.Mailbox?>.value(),
-      ) as _i5.Future<_i2.Mailbox?>);
+        returnValue: _i4.Future<_i8.Mailbox?>.value(),
+      ) as _i4.Future<_i8.Mailbox?>);

  @override
-  _i5.Future<void> clearForResync(String? accountId) => (super.noSuchMethod(
+  _i4.Future<void> clearForResync(String? accountId) => (super.noSuchMethod(
        Invocation.method(
          #clearForResync,
          [accountId],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
-
-  @override
-  _i5.Future<_i2.Mailbox> createMailboxWithRole(
-    String? accountId,
-    String? name,
-    String? role,
-  ) =>
-      (super.noSuchMethod(
-        Invocation.method(
-          #createMailboxWithRole,
-          [
-            accountId,
-            name,
-            role,
-          ],
-        ),
-        returnValue: _i5.Future<_i2.Mailbox>.value(_FakeMailbox_0(
-          this,
-          Invocation.method(
-            #createMailboxWithRole,
-            [
-              accountId,
-              name,
-              role,
-            ],
-          ),
-        )),
-      ) as _i5.Future<_i2.Mailbox>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);
 }

 /// A class which mocks [EmailRepository].
@@ -246,13 +208,13 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
  }

  @override
-  _i5.Stream<String> get onChangesQueued => (super.noSuchMethod(
+  _i4.Stream<String> get onChangesQueued => (super.noSuchMethod(
        Invocation.getter(#onChangesQueued),
-        returnValue: _i5.Stream<String>.empty(),
-      ) as _i5.Stream<String>);
+        returnValue: _i4.Stream<String>.empty(),
+      ) as _i4.Stream<String>);

  @override
-  _i5.Stream<List<_i3.Email>> observeEmails(
+  _i4.Stream<List<_i2.Email>> observeEmails(
    String? accountId,
    String? mailboxPath, {
    int? limit = 50,
@@ -266,11 +228,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
          ],
          {#limit: limit},
        ),
-        returnValue: _i5.Stream<List<_i3.Email>>.empty(),
-      ) as _i5.Stream<List<_i3.Email>>);
+        returnValue: _i4.Stream<List<_i2.Email>>.empty(),
+      ) as _i4.Stream<List<_i2.Email>>);

  @override
-  _i5.Stream<List<_i3.EmailThread>> observeThreads(
+  _i4.Stream<List<_i2.EmailThread>> observeThreads(
    String? accountId,
    String? mailboxPath, {
    int? limit = 50,
@@ -284,11 +246,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
          ],
          {#limit: limit},
        ),
-        returnValue: _i5.Stream<List<_i3.EmailThread>>.empty(),
-      ) as _i5.Stream<List<_i3.EmailThread>>);
+        returnValue: _i4.Stream<List<_i2.EmailThread>>.empty(),
+      ) as _i4.Stream<List<_i2.EmailThread>>);

  @override
-  _i5.Stream<List<_i3.Email>> observeEmailsInThread(
+  _i4.Stream<List<_i2.Email>> observeEmailsInThread(
    String? accountId,
    String? mailboxPath,
    String? threadId,
@@ -302,36 +264,36 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            threadId,
          ],
        ),
-        returnValue: _i5.Stream<List<_i3.Email>>.empty(),
-      ) as _i5.Stream<List<_i3.Email>>);
+        returnValue: _i4.Stream<List<_i2.Email>>.empty(),
+      ) as _i4.Stream<List<_i2.Email>>);

  @override
-  _i5.Future<_i3.Email?> getEmail(String? emailId) => (super.noSuchMethod(
+  _i4.Future<_i2.Email?> getEmail(String? emailId) => (super.noSuchMethod(
        Invocation.method(
          #getEmail,
          [emailId],
        ),
-        returnValue: _i5.Future<_i3.Email?>.value(),
-      ) as _i5.Future<_i3.Email?>);
+        returnValue: _i4.Future<_i2.Email?>.value(),
+      ) as _i4.Future<_i2.Email?>);

  @override
-  _i5.Future<_i3.EmailBody> getEmailBody(String? emailId) =>
+  _i4.Future<_i2.EmailBody> getEmailBody(String? emailId) =>
      (super.noSuchMethod(
        Invocation.method(
          #getEmailBody,
          [emailId],
        ),
-        returnValue: _i5.Future<_i3.EmailBody>.value(_FakeEmailBody_1(
+        returnValue: _i4.Future<_i2.EmailBody>.value(_FakeEmailBody_0(
          this,
          Invocation.method(
            #getEmailBody,
            [emailId],
          ),
        )),
-      ) as _i5.Future<_i3.EmailBody>);
+      ) as _i4.Future<_i2.EmailBody>);

  @override
-  _i5.Future<_i3.SyncEmailsResult> syncEmails(
+  _i4.Future<_i2.SyncEmailsResult> syncEmails(
    String? accountId,
    String? mailboxPath,
  ) =>
@@ -344,7 +306,7 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
          ],
        ),
        returnValue:
-            _i5.Future<_i3.SyncEmailsResult>.value(_FakeSyncEmailsResult_2(
+            _i4.Future<_i2.SyncEmailsResult>.value(_FakeSyncEmailsResult_1(
          this,
          Invocation.method(
            #syncEmails,
@@ -354,10 +316,10 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            ],
          ),
        )),
-      ) as _i5.Future<_i3.SyncEmailsResult>);
+      ) as _i4.Future<_i2.SyncEmailsResult>);

  @override
-  _i5.Future<void> setFlag(
+  _i4.Future<void> setFlag(
    String? emailId, {
    bool? seen,
    bool? flagged,
@@ -371,12 +333,12 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            #flagged: flagged,
          },
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<void> markAllAsRead(
+  _i4.Future<void> markAllAsRead(
    String? accountId,
    String? mailboxPath,
  ) =>
@@ -388,12 +350,12 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            mailboxPath,
          ],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<void> moveEmail(
+  _i4.Future<void> moveEmail(
    String? emailId,
    String? destMailboxPath,
  ) =>
@@ -405,23 +367,23 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            destMailboxPath,
          ],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<String?> deleteEmail(String? emailId) => (super.noSuchMethod(
+  _i4.Future<String?> deleteEmail(String? emailId) => (super.noSuchMethod(
        Invocation.method(
          #deleteEmail,
          [emailId],
        ),
-        returnValue: _i5.Future<String?>.value(),
-      ) as _i5.Future<String?>);
+        returnValue: _i4.Future<String?>.value(),
+      ) as _i4.Future<String?>);

  @override
-  _i5.Future<void> sendEmail(
+  _i4.Future<void> sendEmail(
    String? accountId,
-    _i3.EmailDraft? draft,
+    _i2.EmailDraft? draft,
  ) =>
      (super.noSuchMethod(
        Invocation.method(
@@ -431,14 +393,14 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            draft,
          ],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<String> downloadAttachment(
+  _i4.Future<String> downloadAttachment(
    String? emailId,
-    _i3.EmailAttachment? attachment,
+    _i2.EmailAttachment? attachment,
  ) =>
      (super.noSuchMethod(
        Invocation.method(
@@ -448,7 +410,7 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            attachment,
          ],
        ),
-        returnValue: _i5.Future<String>.value(_i7.dummyValue<String>(
+        returnValue: _i4.Future<String>.value(_i6.dummyValue<String>(
          this,
          Invocation.method(
            #downloadAttachment,
@@ -458,25 +420,25 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            ],
          ),
        )),
-      ) as _i5.Future<String>);
+      ) as _i4.Future<String>);

  @override
-  _i5.Future<String> fetchRawRfc822(String? emailId) => (super.noSuchMethod(
+  _i4.Future<String> fetchRawRfc822(String? emailId) => (super.noSuchMethod(
        Invocation.method(
          #fetchRawRfc822,
          [emailId],
        ),
-        returnValue: _i5.Future<String>.value(_i7.dummyValue<String>(
+        returnValue: _i4.Future<String>.value(_i6.dummyValue<String>(
          this,
          Invocation.method(
            #fetchRawRfc822,
            [emailId],
          ),
        )),
-      ) as _i5.Future<String>);
+      ) as _i4.Future<String>);

  @override
-  _i5.Future<List<_i3.Email>> searchEmails(
+  _i4.Future<List<_i2.Email>> searchEmails(
    String? accountId,
    String? mailboxPath,
    String? query,
@@ -490,11 +452,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            query,
          ],
        ),
-        returnValue: _i5.Future<List<_i3.Email>>.value(<_i3.Email>[]),
-      ) as _i5.Future<List<_i3.Email>>);
+        returnValue: _i4.Future<List<_i2.Email>>.value(<_i2.Email>[]),
+      ) as _i4.Future<List<_i2.Email>>);

  @override
-  _i5.Future<List<_i3.Email>> searchEmailsGlobal(
+  _i4.Future<List<_i2.Email>> searchEmailsGlobal(
    String? accountId,
    String? query,
  ) =>
@@ -506,11 +468,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            query,
          ],
        ),
-        returnValue: _i5.Future<List<_i3.Email>>.value(<_i3.Email>[]),
-      ) as _i5.Future<List<_i3.Email>>);
+        returnValue: _i4.Future<List<_i2.Email>>.value(<_i2.Email>[]),
+      ) as _i4.Future<List<_i2.Email>>);

  @override
-  _i5.Future<List<_i3.Email>> getEmailsByAddress(
+  _i4.Future<List<_i2.Email>> getEmailsByAddress(
    String? accountId,
    String? address,
  ) =>
@@ -522,11 +484,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            address,
          ],
        ),
-        returnValue: _i5.Future<List<_i3.Email>>.value(<_i3.Email>[]),
-      ) as _i5.Future<List<_i3.Email>>);
+        returnValue: _i4.Future<List<_i2.Email>>.value(<_i2.Email>[]),
+      ) as _i4.Future<List<_i2.Email>>);

  @override
-  _i5.Future<List<_i3.EmailAddress>> searchAddresses(
+  _i4.Future<List<_i2.EmailAddress>> searchAddresses(
    String? accountId,
    String? query, {
    int? limit = 10,
@@ -541,11 +503,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
          {#limit: limit},
        ),
        returnValue:
-            _i5.Future<List<_i3.EmailAddress>>.value(<_i3.EmailAddress>[]),
-      ) as _i5.Future<List<_i3.EmailAddress>>);
+            _i4.Future<List<_i2.EmailAddress>>.value(<_i2.EmailAddress>[]),
+      ) as _i4.Future<List<_i2.EmailAddress>>);

  @override
-  _i5.Future<int> flushPendingChanges(
+  _i4.Future<int> flushPendingChanges(
    String? accountId,
    String? password,
  ) =>
@@ -557,42 +519,42 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            password,
          ],
        ),
-        returnValue: _i5.Future<int>.value(0),
-      ) as _i5.Future<int>);
+        returnValue: _i4.Future<int>.value(0),
+      ) as _i4.Future<int>);

  @override
-  _i5.Stream<List<_i3.FailedMutation>> observeFailedMutations(
+  _i4.Stream<List<_i2.FailedMutation>> observeFailedMutations(
          String? accountId) =>
      (super.noSuchMethod(
        Invocation.method(
          #observeFailedMutations,
          [accountId],
        ),
-        returnValue: _i5.Stream<List<_i3.FailedMutation>>.empty(),
-      ) as _i5.Stream<List<_i3.FailedMutation>>);
+        returnValue: _i4.Stream<List<_i2.FailedMutation>>.empty(),
+      ) as _i4.Stream<List<_i2.FailedMutation>>);

  @override
-  _i5.Future<void> discardMutation(int? id) => (super.noSuchMethod(
+  _i4.Future<void> discardMutation(int? id) => (super.noSuchMethod(
        Invocation.method(
          #discardMutation,
          [id],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<void> retryMutation(int? id) => (super.noSuchMethod(
+  _i4.Future<void> retryMutation(int? id) => (super.noSuchMethod(
        Invocation.method(
          #retryMutation,
          [id],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<bool> cancelPendingChange(
+  _i4.Future<bool> cancelPendingChange(
    String? emailId,
    String? changeType,
  ) =>
@@ -604,11 +566,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            changeType,
          ],
        ),
-        returnValue: _i5.Future<bool>.value(false),
-      ) as _i5.Future<bool>);
+        returnValue: _i4.Future<bool>.value(false),
+      ) as _i4.Future<bool>);

  @override
-  _i5.Future<void> snoozeEmail(
+  _i4.Future<void> snoozeEmail(
    String? emailId,
    DateTime? until,
  ) =>
@@ -620,32 +582,32 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            until,
          ],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<int> wakeUpEmails(String? accountId) => (super.noSuchMethod(
+  _i4.Future<int> wakeUpEmails(String? accountId) => (super.noSuchMethod(
        Invocation.method(
          #wakeUpEmails,
          [accountId],
        ),
-        returnValue: _i5.Future<int>.value(0),
-      ) as _i5.Future<int>);
+        returnValue: _i4.Future<int>.value(0),
+      ) as _i4.Future<int>);

  @override
-  _i5.Future<void> restoreEmails(List<_i3.Email>? emails) =>
+  _i4.Future<void> restoreEmails(List<_i2.Email>? emails) =>
      (super.noSuchMethod(
        Invocation.method(
          #restoreEmails,
          [emails],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);

  @override
-  _i5.Future<_i3.Email?> findEmailByMessageId(
+  _i4.Future<_i2.Email?> findEmailByMessageId(
    String? accountId,
    String? messageId,
  ) =>
@@ -657,20 +619,20 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            messageId,
          ],
        ),
-        returnValue: _i5.Future<_i3.Email?>.value(),
-      ) as _i5.Future<_i3.Email?>);
+        returnValue: _i4.Future<_i2.Email?>.value(),
+      ) as _i4.Future<_i2.Email?>);

  @override
-  _i5.Future<int> applySieveRules(String? accountId) => (super.noSuchMethod(
+  _i4.Future<int> applySieveRules(String? accountId) => (super.noSuchMethod(
        Invocation.method(
          #applySieveRules,
          [accountId],
        ),
-        returnValue: _i5.Future<int>.value(0),
-      ) as _i5.Future<int>);
+        returnValue: _i4.Future<int>.value(0),
+      ) as _i4.Future<int>);

  @override
-  _i5.Stream<void> watchJmapPush(
+  _i4.Stream<void> watchJmapPush(
    String? accountId,
    String? password,
  ) =>
@@ -682,11 +644,11 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            password,
          ],
        ),
-        returnValue: _i5.Stream<void>.empty(),
-      ) as _i5.Stream<void>);
+        returnValue: _i4.Stream<void>.empty(),
+      ) as _i4.Stream<void>);

  @override
-  _i5.Future<_i3.ReliabilityResult> verifySyncReliability(
+  _i4.Future<_i2.ReliabilityResult> verifySyncReliability(
    String? accountId,
    String? mailboxPath,
  ) =>
@@ -699,7 +661,7 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
          ],
        ),
        returnValue:
-            _i5.Future<_i3.ReliabilityResult>.value(_FakeReliabilityResult_3(
+            _i4.Future<_i2.ReliabilityResult>.value(_FakeReliabilityResult_2(
          this,
          Invocation.method(
            #verifySyncReliability,
@@ -709,15 +671,15 @@ class MockEmailRepository extends _i1.Mock implements _i9.EmailRepository {
            ],
          ),
        )),
-      ) as _i5.Future<_i3.ReliabilityResult>);
+      ) as _i4.Future<_i2.ReliabilityResult>);

  @override
-  _i5.Future<void> clearForResync(String? accountId) => (super.noSuchMethod(
+  _i4.Future<void> clearForResync(String? accountId) => (super.noSuchMethod(
        Invocation.method(
          #clearForResync,
          [accountId],
        ),
-        returnValue: _i5.Future<void>.value(),
-        returnValueForMissingStub: _i5.Future<void>.value(),
-      ) as _i5.Future<void>);
+        returnValue: _i4.Future<void>.value(),
+        returnValueForMissingStub: _i4.Future<void>.value(),
+      ) as _i4.Future<void>);
 }
@@ -14,7 +14,6 @@ import 'package:sharedinbox/data/repositories/mailbox_repository_impl.dart';

 import 'account_repository_impl_test.dart' show MapSecureStorage;
 import 'db_test_helper.dart';
-import 'fake_imap.dart' show SnoozeSpyImapClient;
 // ── Helpers ───────────────────────────────────────────────────────────────────

 const _account = Account(
@@ -433,177 +432,5 @@ void main() {
      expect(result, isNotNull);
      expect(result!.role, 'inbox');
    });
-
-    group('createMailboxWithRole', () {
-      test('IMAP: creates mailbox on server and persists with role', () async {
-        final spy = SnoozeSpyImapClient();
-        final db = openTestDatabase();
-        final accounts = AccountRepositoryImpl(db, MapSecureStorage());
-        final mailboxes = MailboxRepositoryImpl(
-          db,
-          accounts,
-          imapConnect: (_, __, ___) async => spy,
-        );
-        await accounts.addAccount(_account, 'pw');
-
-        final result = await mailboxes.createMailboxWithRole(
-          'acc-1',
-          'Archive',
-          'archive',
-        );
-
-        expect(spy.createdMailbox, 'Archive');
-        expect(result.name, 'Archive');
-        expect(result.role, 'archive');
-        expect(result.path, 'Archive');
-
-        final found = await mailboxes.findMailboxByRole('acc-1', 'archive');
-        expect(found, isNotNull);
-        expect(found!.name, 'Archive');
-      });
-
-      test('JMAP: creates mailbox on server and persists with role', () async {
-        final r = _makeRepos(
-          httpClient: _mockJmap(
-            apiResponses: [
-              {
-                'sessionState': 'sess1',
-                'methodResponses': [
-                  [
-                    'Mailbox/set',
-                    {
-                      'accountId': 'acct1',
-                      'created': {
-                        'new-mailbox': {'id': 'mbx-archive'},
-                      },
-                    },
-                    '0',
-                  ],
-                ],
-              },
-            ],
-          ),
-        );
-        await r.accounts.addAccount(_jmapAccount, 'pw');
-
-        final result = await r.mailboxes
-            .createMailboxWithRole('jmap-1', 'Archive', 'archive');
-
-        expect(result.name, 'Archive');
-        expect(result.role, 'archive');
-        expect(result.path, 'mbx-archive');
-
-        final found = await r.mailboxes.findMailboxByRole('jmap-1', 'archive');
-        expect(found, isNotNull);
-        expect(found!.name, 'Archive');
-      });
-
-      test(
-        'JMAP: throws when server returns no created ID',
-        () async {
-          final r = _makeRepos(
-            httpClient: _mockJmap(
-              apiResponses: [
-                {
-                  'sessionState': 'sess1',
-                  'methodResponses': [
-                    [
-                      'Mailbox/set',
-                      {
-                        'accountId': 'acct1',
-                        'created': null,
-                        'notCreated': {
-                          'new-mailbox': {'type': 'serverFail'},
-                        },
-                      },
-                      '0',
-                    ],
-                  ],
-                },
-              ],
-            ),
-          );
-          await r.accounts.addAccount(_jmapAccount, 'pw');
-
-          await expectLater(
-            r.mailboxes.createMailboxWithRole('jmap-1', 'Archive', 'archive'),
-            throwsA(isA<Exception>()),
-          );
-        },
-      );
-    });
-
-    group('syncMailboxes IMAP preserves manually-set role', () {
-      test('existing role is kept when server returns no special-use flag',
-          () async {
-        final spy = SnoozeSpyImapClient();
-        // Make listMailboxes return a plain folder without \Archive.
-        final db = openTestDatabase();
-        final accounts = AccountRepositoryImpl(db, MapSecureStorage());
-
-        // Override listMailboxes to return one plain folder.
-        final fakeClient = _PlainArchiveImapClient();
-        final mailboxes = MailboxRepositoryImpl(
-          db,
-          accounts,
-          imapConnect: (_, __, ___) async => fakeClient,
-        );
-        await accounts.addAccount(_account, 'pw');
-
-        // Pre-seed the DB with role='archive' (as if user created the folder).
-        await db.into(db.mailboxes).insert(
-              MailboxesCompanion.insert(
-                id: 'acc-1:Archive',
-                accountId: 'acc-1',
-                path: 'Archive',
-                name: 'Archive',
-                role: const Value('archive'),
-              ),
-            );
-
-        await mailboxes.syncMailboxes('acc-1');
-
-        final found = await mailboxes.findMailboxByRole('acc-1', 'archive');
-        expect(
-          found,
-          isNotNull,
-          reason: 'Manually-set role should be preserved after sync',
-        );
-        expect(found!.path, 'Archive');
-        // Suppress unused warning on spy.
-        expect(spy, isNotNull);
-      });
-    });
  });
 }
-
-/// Fake IMAP client that lists one mailbox named 'Archive' without any
-/// special-use flags, and logs out cleanly.
-class _PlainArchiveImapClient extends SnoozeSpyImapClient {
-  @override
-  Future<List<imap.Mailbox>> listMailboxes({
-    String path = '""',
-    bool recursive = false,
-    List<String>? mailboxPatterns,
-    List<String>? selectionOptions,
-    List<imap.ReturnOption>? returnOptions,
-  }) async =>
-      [
-        imap.Mailbox(
-          encodedName: 'Archive',
-          encodedPath: 'Archive',
-          pathSeparator: '/',
-          flags: [], // No \Archive special-use flag
-        ),
-      ];
-
-  @override
-  Future<imap.Mailbox> statusMailbox(
-    imap.Mailbox mailbox,
-    List<imap.StatusFlags> flags,
-  ) async =>
-      mailbox;
-
-  @override
-  Future<dynamic> logout() async {}
-}
@@ -14,7 +14,7 @@ void main() {
  group('Migration', () {
    test('schemaVersion matches expected value', () async {
      final db = AppDatabase(NativeDatabase.memory());
-      expect(db.schemaVersion, 36);
+      expect(db.schemaVersion, 32);
      await db.close();
    });

@@ -194,21 +194,6 @@ void main() {
      // v32: local_sieve_applied table.
      await db.customSelect('SELECT count(*) FROM local_sieve_applied').get();

-      // v33: error_stack_trace and is_permanent columns on sync_logs.
-      final syncLogColumns = await _tableColumns(db, 'sync_logs');
-      expect(syncLogColumns, contains('error_stack_trace'));
-      expect(syncLogColumns, contains('is_permanent'));
-
-      // v34: user_preferences table.
-      await db.customSelect('SELECT count(*) FROM user_preferences').get();
-
-      // v35: mail_view_button_position column on user_preferences.
-      final userPrefsColumns = await _tableColumns(db, 'user_preferences');
-      expect(userPrefsColumns, contains('mail_view_button_position'));
-
-      // v36: after_mail_view_action column on user_preferences.
-      expect(userPrefsColumns, contains('after_mail_view_action'));
-
      await db.close();
      if (dbFile.existsSync()) dbFile.deleteSync();
    });
@@ -396,26 +381,11 @@ void main() {
          await _tableColumns(db, 'sync_log_mailboxes');
      expect(syncLogMailboxColumns, contains('duration_ms'));

-      // v33: error_stack_trace and is_permanent columns on sync_logs.
-      final syncLogColumns = await _tableColumns(db, 'sync_logs');
-      expect(syncLogColumns, contains('error_stack_trace'));
-      expect(syncLogColumns, contains('is_permanent'));
-
-      // v34: user_preferences table.
-      await db.customSelect('SELECT count(*) FROM user_preferences').get();
-
-      // v35: mail_view_button_position column on user_preferences.
-      final userPrefsColumns = await _tableColumns(db, 'user_preferences');
-      expect(userPrefsColumns, contains('mail_view_button_position'));
-
-      // v36: after_mail_view_action column on user_preferences.
-      expect(userPrefsColumns, contains('after_mail_view_action'));
-
      await db.close();
      if (dbFile.existsSync()) dbFile.deleteSync();
    });

-    test('fresh install creates all tables at schemaVersion 36', () async {
+    test('fresh install creates all tables at schemaVersion 32', () async {
      final db = AppDatabase(NativeDatabase.memory());
      await db.select(db.accounts).get();

@@ -442,7 +412,6 @@ void main() {
          'local_sieve_scripts', // v29
          'share_keys', // v31
          'local_sieve_applied', // v32
-          'user_preferences', // v34
        ]),
      );

@@ -457,18 +426,6 @@ void main() {
          await _tableColumns(db, 'sync_log_mailboxes');
      expect(syncLogMailboxColumns, contains('duration_ms'));

-      // v33: error_stack_trace and is_permanent columns on sync_logs.
-      final syncLogColumns = await _tableColumns(db, 'sync_logs');
-      expect(syncLogColumns, contains('error_stack_trace'));
-      expect(syncLogColumns, contains('is_permanent'));
-
-      // v35: mail_view_button_position column on user_preferences.
-      final userPrefsColumns = await _tableColumns(db, 'user_preferences');
-      expect(userPrefsColumns, contains('mail_view_button_position'));
-
-      // v36: after_mail_view_action column on user_preferences.
-      expect(userPrefsColumns, contains('after_mail_view_action'));
-
      await db.close();
    });
  });
@@ -62,21 +62,6 @@ class _FakeMailboxes implements MailboxRepository {
      null;
  @override
  Future<void> clearForResync(String accountId) async {}
-  @override
-  Future<Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  ) async =>
-      Mailbox(
-        id: '$accountId:$name',
-        accountId: accountId,
-        path: name,
-        name: name,
-        role: role,
-        unreadCount: 0,
-        totalCount: 0,
-      );
 }

 class _FakeEmails implements EmailRepository {
@@ -54,21 +54,6 @@ class _FakeMailboxes implements MailboxRepository {
      null;
  @override
  Future<void> clearForResync(String accountId) async {}
-  @override
-  Future<Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  ) async =>
-      Mailbox(
-        id: '$accountId:$name',
-        accountId: accountId,
-        path: name,
-        name: name,
-        role: role,
-        unreadCount: 0,
-        totalCount: 0,
-      );
 }

 class _CountingEmails implements EmailRepository {
@@ -185,8 +170,6 @@ class _FakeSyncLog implements SyncLogRepository {
    required String accountId,
    required bool success,
    String? errorMessage,
-    String? stackTrace,
-    bool isPermanent = false,
    required String protocol,
    required int emailsFetched,
    required int emailsSkipped,
@@ -126,34 +126,4 @@ void main() {
    expect(rows.first.result, 'error');
    expect(rows.first.errorMessage, 'Connection refused');
  });
-
-  test('stores and retrieves stackTrace and isPermanent on error entries',
-      () async {
-    final repo = SyncLogRepositoryImpl(db);
-    final start = DateTime(2024, 3, 1, 9);
-    final end = DateTime(2024, 3, 1, 9, 0, 1);
-    const fakeTrace = '#0 main (file:///app/lib/main.dart:10:5)';
-
-    await repo.log(
-      accountId: 'acc1',
-      success: false,
-      errorMessage: 'MissingPluginException',
-      stackTrace: fakeTrace,
-      isPermanent: true,
-      protocol: 'imap',
-      emailsFetched: 0,
-      emailsSkipped: 0,
-      mailboxesSynced: 0,
-      pendingFlushed: 0,
-      bytesTransferred: 0,
-      startedAt: start,
-      finishedAt: end,
-    );
-
-    final entries = await repo.observeSyncLogs('acc1').first;
-    final entry = entries.firstWhere((e) => e.startedAt == start);
-    expect(entry.stackTrace, fakeTrace);
-    expect(entry.isPermanent, true);
-    expect(entry.errorMessage, 'MissingPluginException');
-  });
 }
@@ -27,22 +27,6 @@ class MockUrlLauncher extends Mock
  }
 }

-class ThrowingUrlLauncher extends Mock
-    with MockPlatformInterfaceMixin
-    implements UrlLauncherPlatform {
-  @override
-  Future<bool> canLaunch(String? url) async => true;
-
-  @override
-  Future<bool> launchUrl(String? url, LaunchOptions? options) async {
-    throw PlatformException(
-      code: 'channel-error',
-      message: 'Unable to establish connection on channel: '
-          '"dev.flutter.pigeon.url_launcher_android.UrlLauncherApi.launchUrl".',
-    );
-  }
-}
-
 Widget _buildScreen({List<Account> accounts = const []}) {
  return ProviderScope(
    overrides: [
@@ -80,9 +64,6 @@ void main() {
    expect(find.textContaining('Dark Mode'), findsWidgets);
    expect(find.textContaining('IMAP Accounts'), findsWidgets);
    expect(find.textContaining('JMAP Accounts'), findsWidgets);
-    expect(find.textContaining('Locale'), findsWidgets);
-    expect(find.textContaining('Text Scale'), findsWidgets);
-    expect(find.textContaining('DB Schema Version'), findsWidgets);
    // Buttons are in the body, not in the AppBar actions
    expect(find.byIcon(Icons.copy), findsOneWidget);
    expect(find.byIcon(Icons.bug_report), findsOneWidget);
@@ -170,9 +151,6 @@ void main() {
    expect(clipboardText, contains('Dark Mode'));
    expect(clipboardText, contains('IMAP Accounts'));
    expect(clipboardText, contains('JMAP Accounts'));
-    expect(clipboardText, contains('Locale'));
-    expect(clipboardText, contains('Text Scale'));
-    expect(clipboardText, contains('DB Schema Version'));
    expect(
      clipboardText,
      contains('[sharedinbox.de](https://sharedinbox.de)'),
@@ -202,24 +180,4 @@ void main() {
    );
    expect(mock.launchedUrl, contains('1.2.3%2B99'));
  });
-
-  testWidgets(
-    'AboutScreen link tap with failed url_launcher shows error snackbar',
-    (tester) async {
-      tester.view.physicalSize = const Size(800, 1200);
-      tester.view.devicePixelRatio = 1.0;
-      addTearDown(tester.view.resetPhysicalSize);
-      addTearDown(tester.view.resetDevicePixelRatio);
-
-      UrlLauncherPlatform.instance = ThrowingUrlLauncher();
-
-      await tester.pumpWidget(_buildScreen());
-      await tester.pumpAndSettle();
-
-      await tester.tap(find.textContaining('sharedinbox.de').first);
-      await tester.pumpAndSettle();
-
-      expect(find.textContaining('Error:'), findsOneWidget);
-    },
-  );
 }
@@ -1,6 +1,5 @@
 import 'package:flutter/material.dart';
 import 'package:flutter_test/flutter_test.dart';
-import 'package:sharedinbox/data/db/database.dart' show SyncHealthRow;

 import 'helpers.dart';

@@ -207,50 +206,5 @@ void main() {
      expect(tester.takeException(), isNull);
      expect(find.text('sharedinbox.de'), findsOneWidget);
    });
-
-    testWidgets('shows Healthy when sync health is healthy', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts',
-          overrides: baseOverrides(
-            accounts: [kTestAccount],
-            syncHealth: SyncHealthRow(
-              accountId: kTestAccount.id,
-              lastVerifiedAt: DateTime(2024, 6),
-              isHealthy: true,
-            ),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(find.textContaining('Healthy'), findsOneWidget);
-    });
-
-    testWidgets(
-      'shows discrepancy details when sync health has discrepancies',
-      (tester) async {
-        const summary =
-            '{"INBOX":{"missingLocally":3,"missingOnServer":0,"flagMismatches":1}}';
-        await tester.pumpWidget(
-          buildApp(
-            initialLocation: '/accounts',
-            overrides: baseOverrides(
-              accounts: [kTestAccount],
-              syncHealth: SyncHealthRow(
-                accountId: kTestAccount.id,
-                lastVerifiedAt: DateTime(2024, 6),
-                isHealthy: false,
-                discrepancySummary: summary,
-              ),
-            ),
-          ),
-        );
-        await tester.pumpAndSettle();
-
-        expect(find.textContaining('missing locally: 3'), findsOneWidget);
-        expect(find.textContaining('flag mismatches: 1'), findsOneWidget);
-      },
-    );
  });
 }
@@ -1,54 +0,0 @@
-import 'dart:convert';
-
-import 'package:flutter/material.dart';
-import 'package:flutter/services.dart';
-import 'package:flutter_test/flutter_test.dart';
-import 'package:sharedinbox/ui/screens/changelog_screen.dart';
-
-class _FakeAssetBundle extends CachingAssetBundle {
-  final Map<String, String> _assets;
-  _FakeAssetBundle(this._assets);
-
-  @override
-  Future<ByteData> load(String key) async {
-    if (_assets.containsKey(key)) {
-      final encoded = utf8.encode(_assets[key]!);
-      return ByteData.view(Uint8List.fromList(encoded).buffer);
-    }
-    throw FlutterError('Asset not found: "$key"');
-  }
-}
-
-const _fakeChangelog =
-    '* 2024-01-01 feat: initial release\n* 2024-01-02 fix: resolve crash\n';
-
-void main() {
-  testWidgets('ChangeLogScreen shows changelog content', (tester) async {
-    await tester.pumpWidget(
-      DefaultAssetBundle(
-        bundle: _FakeAssetBundle({'assets/changelog.txt': _fakeChangelog}),
-        child: const MaterialApp(home: ChangeLogScreen()),
-      ),
-    );
-    await tester.pumpAndSettle();
-
-    expect(find.text('ChangeLog'), findsOneWidget);
-    expect(find.textContaining('initial release'), findsOneWidget);
-    expect(find.textContaining('resolve crash'), findsOneWidget);
-    expect(find.textContaining('Error loading changelog'), findsNothing);
-  });
-
-  testWidgets('ChangeLogScreen shows error when asset is missing', (
-    tester,
-  ) async {
-    await tester.pumpWidget(
-      DefaultAssetBundle(
-        bundle: _FakeAssetBundle({}),
-        child: const MaterialApp(home: ChangeLogScreen()),
-      ),
-    );
-    await tester.pumpAndSettle();
-
-    expect(find.textContaining('Error loading changelog'), findsOneWidget);
-  });
-}
@@ -147,7 +147,6 @@ void main() {
          gitHash: testHash,
        ),
      );
-      await tester.pumpAndSettle();

      // Git hash link should be present
      final gitLinkFinder = find.textContaining('Git Commit: abc1234');
@@ -200,109 +199,6 @@ void main() {
    },
  );

-  testWidgets(
-    'CrashScreen shows app version as clickable link when git hash is set',
-    (tester) async {
-      tester.view.physicalSize = const Size(800, 1200);
-      tester.view.devicePixelRatio = 1.0;
-      addTearDown(() => tester.view.resetPhysicalSize());
-
-      final mock = MockUrlLauncher();
-      UrlLauncherPlatform.instance = mock;
-
-      const exception = 'TestException: version link test';
-      final stackTrace = StackTrace.current;
-      const testHash = 'abc1234';
-
-      await tester.pumpWidget(
-        CrashScreen(
-          exception: exception,
-          stackTrace: stackTrace,
-          gitHash: testHash,
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      // App version link should be present (mocked as 1.0.0+42)
-      final versionLinkFinder = find.textContaining('App Version: 1.0.0+42');
-      expect(versionLinkFinder, findsOneWidget);
-
-      // It must appear above the git hash link
-      final gitLinkFinder = find.textContaining('Git Commit: abc1234');
-      expect(
-        tester.getTopLeft(versionLinkFinder).dy,
-        lessThan(tester.getTopLeft(gitLinkFinder).dy),
-      );
-
-      // Tapping it should open the Codeberg commit URL
-      await tester.tap(versionLinkFinder);
-      await tester.pumpAndSettle();
-
-      expect(
-        mock.launchedUrl,
-        equals('https://codeberg.org/guettli/sharedinbox/commit/abc1234'),
-      );
-    },
-  );
-
-  testWidgets(
-    'CrashScreen copy-to-clipboard includes app version as markdown link when git hash is set',
-    (tester) async {
-      tester.view.physicalSize = const Size(800, 1200);
-      tester.view.devicePixelRatio = 1.0;
-      addTearDown(() => tester.view.resetPhysicalSize());
-
-      String? clipboardText;
-      tester.binding.defaultBinaryMessenger.setMockMethodCallHandler(
-        SystemChannels.platform,
-        (MethodCall call) async {
-          if (call.method == 'Clipboard.setData') {
-            clipboardText =
-                (call.arguments as Map<dynamic, dynamic>)['text'] as String?;
-          }
-          return null;
-        },
-      );
-      addTearDown(
-        () => tester.binding.defaultBinaryMessenger
-            .setMockMethodCallHandler(SystemChannels.platform, null),
-      );
-
-      const exception = 'TestException: version link clipboard test';
-      final stackTrace = StackTrace.current;
-      const testHash = 'abc1234';
-
-      await tester.pumpWidget(
-        CrashScreen(
-          exception: exception,
-          stackTrace: stackTrace,
-          gitHash: testHash,
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(find.text('Copy to Clipboard'));
-      await tester.pump();
-      await tester.pump();
-      await tester.pumpAndSettle();
-
-      expect(clipboardText, isNotNull);
-      // App Version must be a markdown link pointing to the commit
-      expect(
-        clipboardText,
-        contains(
-          'App Version: [1.0.0+42](https://codeberg.org/guettli/sharedinbox/commit/abc1234)',
-        ),
-      );
-      expect(
-        clipboardText,
-        contains(
-          'Git Commit: [abc1234](https://codeberg.org/guettli/sharedinbox/commit/abc1234)',
-        ),
-      );
-    },
-  );
-
  testWidgets(
    'CrashScreen used as root widget — buttons work without ScaffoldMessenger crash',
    (tester) async {
@@ -105,88 +105,6 @@ void main() {
      expect(find.text('Edit account'), findsNothing);
    });

-    testWidgets(
-        'try connection button is disabled when no password stored or entered',
-        (
-      tester,
-    ) async {
-      tester.view.physicalSize = const Size(800, 1400);
-      tester.view.devicePixelRatio = 1.0;
-      addTearDown(tester.view.resetPhysicalSize);
-      addTearDown(tester.view.resetDevicePixelRatio);
-
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/edit',
-          overrides: baseOverrides(
-            accounts: [kTestAccount],
-            hasStoredPassword: false,
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      final button = tester.widget<OutlinedButton>(
-        find.byKey(const Key('editTryConnectionButton')),
-      );
-      expect(button.onPressed, isNull);
-    });
-
-    testWidgets(
-        'try connection button is enabled after typing password with no stored password',
-        (tester) async {
-      tester.view.physicalSize = const Size(800, 1400);
-      tester.view.devicePixelRatio = 1.0;
-      addTearDown(tester.view.resetPhysicalSize);
-      addTearDown(tester.view.resetDevicePixelRatio);
-
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/edit',
-          overrides: baseOverrides(
-            accounts: [kTestAccount],
-            hasStoredPassword: false,
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.enterText(
-        find.byKey(const Key('editPasswordField')),
-        'mypassword',
-      );
-      await tester.pump();
-
-      final button = tester.widget<OutlinedButton>(
-        find.byKey(const Key('editTryConnectionButton')),
-      );
-      expect(button.onPressed, isNotNull);
-    });
-
-    testWidgets('save button is disabled when no password stored or entered', (
-      tester,
-    ) async {
-      tester.view.physicalSize = const Size(800, 1400);
-      tester.view.devicePixelRatio = 1.0;
-      addTearDown(tester.view.resetPhysicalSize);
-      addTearDown(tester.view.resetDevicePixelRatio);
-
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/edit',
-          overrides: baseOverrides(
-            accounts: [kTestAccount],
-            hasStoredPassword: false,
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      final button = tester
-          .widget<FilledButton>(find.widgetWithText(FilledButton, 'Save'));
-      expect(button.onPressed, isNull);
-    });
-
    testWidgets('connection error shows error message', (tester) async {
      tester.view.physicalSize = const Size(800, 1400);
      tester.view.devicePixelRatio = 1.0;
@@ -179,210 +179,6 @@ void main() {
      expect(find.text('report.pdf'), findsOneWidget);
    });

-    testWidgets('Reply All button is not present in app bar', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Reply all',
-        ),
-        findsNothing,
-      );
-    });
-
-    testWidgets('Reply on single-recipient email navigates directly to compose',
-        (tester) async {
-      // testEmail has from=[bob], to=[alice]. After removing alice (own),
-      // only bob remains → no dialog, navigate straight to compose.
-      final email = testEmail();
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: [
-            ..._overrides(
-              body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-              email: email,
-            ),
-            draftRepositoryProvider.overrideWithValue(FakeDraftRepository()),
-          ],
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Reply',
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      // No dialog shown — straight navigation to compose.
-      expect(find.text('Reply All'), findsNothing);
-    });
-
-    testWidgets('Reply on multi-recipient email shows Reply All dialog',
-        (tester) async {
-      // Email with an extra Cc recipient so the dialog is triggered.
-      final email = Email(
-        id: 'acc-1:42',
-        accountId: 'acc-1',
-        mailboxPath: 'INBOX',
-        uid: 42,
-        subject: 'Hello world',
-        receivedAt: DateTime(2024, 6),
-        sentAt: DateTime(2024, 6),
-        from: const [EmailAddress(name: 'Bob', email: 'bob@example.com')],
-        to: const [EmailAddress(email: 'alice@example.com')],
-        cc: const [EmailAddress(name: 'Carol', email: 'carol@example.com')],
-        isSeen: false,
-        isFlagged: false,
-        hasAttachment: false,
-      );
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-            email: email,
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Reply',
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      // Dialog must appear with title 'Reply All'.
-      expect(find.text('Reply All'), findsOneWidget);
-      // Both non-own addresses should be listed in the dialog.
-      expect(find.textContaining('bob@example.com'), findsAtLeastNWidgets(1));
-      expect(find.textContaining('carol@example.com'), findsAtLeastNWidgets(1));
-    });
-
-    testWidgets('Mark as spam button is present in app bar', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Mark as spam',
-        ),
-        findsOneWidget,
-      );
-    });
-
-    testWidgets('Mark as spam shows dialog when no junk folder',
-        (tester) async {
-      // FakeMailboxRepository has no mailboxes by default → findMailboxByRole
-      // returns null → dialog shown.
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Mark as spam',
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(find.text('No spam folder found'), findsOneWidget);
-    });
-
-    testWidgets('Archive button is present in app bar', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Archive',
-        ),
-        findsOneWidget,
-      );
-    });
-
-    testWidgets('Archive shows dialog when no archive folder', (tester) async {
-      // FakeMailboxRepository has no mailboxes by default → findMailboxByRole
-      // returns null → dialog shown.
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Archive',
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(find.text('No archive folder found'), findsOneWidget);
-    });
-
-    testWidgets('Mark as unread is in popup menu, not a standalone button',
-        (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-          overrides: _overrides(
-            body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-          ),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      // No standalone icon button for mark as unread.
-      expect(
-        find.byWidgetPredicate(
-          (w) => w is Tooltip && w.message == 'Mark as unread',
-        ),
-        findsNothing,
-      );
-
-      // It appears in the popup menu.
-      await tester.tap(find.byType(PopupMenuButton<String>));
-      await tester.pumpAndSettle();
-
-      expect(find.text('Mark as unread'), findsOneWidget);
-    });
-
    testWidgets('Show Raw Email dialog shows size of email', (tester) async {
      // 'A' * 2048 → fmtSize(2048) == '2.0 KB'
      final rawContent = 'A' * 2048;
@@ -475,44 +271,6 @@ void main() {
      expect(find.text('Share'), findsOneWidget);
    });

-    testWidgets(
-      'long-press on unsubscribe chip shows URL tooltip',
-      (tester) async {
-        final email = testEmail(
-          listUnsubscribeHeader: '<https://example.com/unsubscribe>',
-        );
-        await tester.pumpWidget(
-          buildApp(
-            initialLocation:
-                '/accounts/acc-1/mailboxes/INBOX/emails/acc-1%3A42',
-            overrides: _overrides(
-              body: const EmailBody(emailId: 'acc-1:42', attachments: []),
-              email: email,
-            ),
-          ),
-        );
-        await tester.pumpAndSettle();
-
-        expect(find.text('Unsubscribe'), findsOneWidget);
-
-        expect(
-          find.byWidgetPredicate(
-            (w) =>
-                w is Tooltip && w.message == 'https://example.com/unsubscribe',
-          ),
-          findsOneWidget,
-        );
-
-        await tester.longPress(find.text('Unsubscribe'));
-        await tester.pumpAndSettle();
-
-        expect(
-          find.text('https://example.com/unsubscribe'),
-          findsOneWidget,
-        );
-      },
-    );
-
    testWidgets('Show Mail Structure opens dialog with MIME parts', (
      tester,
    ) async {
@@ -2,7 +2,6 @@ import 'package:flutter/material.dart';
 import 'package:flutter_test/flutter_test.dart';

 import 'package:sharedinbox/core/models/email.dart';
-import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/email_detail_screen.dart';
 import 'package:sharedinbox/ui/screens/email_list_screen.dart';
@@ -316,7 +315,7 @@ void main() {
      await tester.pumpAndSettle();

      expect(find.text('INBOX'), findsOneWidget);
-      expect(find.byIcon(Icons.close), findsNothing);
+      expect(find.byType(BottomAppBar), findsNothing);
    });

    testWidgets('tapping clear icon in search bar clears results', (
@@ -632,150 +631,5 @@ void main() {

      expect(find.text('This is the preview text'), findsOneWidget);
    });
-
-    group('archive with missing folder', () {
-      testWidgets('shows dialog when archive folder is not found', (
-        tester,
-      ) async {
-        final email = testEmail(subject: 'To archive');
-        await tester.pumpWidget(
-          buildApp(
-            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
-            overrides: [
-              accountRepositoryProvider.overrideWithValue(
-                FakeAccountRepository([kTestAccount]),
-              ),
-              // No archive folder in the repo.
-              mailboxRepositoryProvider.overrideWithValue(
-                FakeMailboxRepository(),
-              ),
-              emailRepositoryProvider.overrideWithValue(
-                FakeEmailRepository(emails: [email]),
-              ),
-            ],
-          ),
-        );
-        await tester.pumpAndSettle();
-
-        // Enter selection mode and tap archive.
-        await tester.longPress(find.text('To archive'));
-        await tester.pumpAndSettle();
-        await tester.tap(find.byIcon(Icons.archive));
-        await tester.pumpAndSettle();
-
-        expect(find.text('No archive folder found'), findsOneWidget);
-        expect(find.text('Choose existing folder'), findsOneWidget);
-        expect(find.text('Create "Archive"'), findsOneWidget);
-      });
-
-      testWidgets('tapping Create creates the folder and moves emails', (
-        tester,
-      ) async {
-        final email = testEmail(subject: 'To archive');
-        final movedTo = <String>[];
-
-        final fakeEmailRepo = _SpyEmailRepository(
-          emails: [email],
-          onMove: (id, path) => movedTo.add(path),
-        );
-
-        await tester.pumpWidget(
-          buildApp(
-            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
-            overrides: [
-              accountRepositoryProvider.overrideWithValue(
-                FakeAccountRepository([kTestAccount]),
-              ),
-              mailboxRepositoryProvider.overrideWithValue(
-                FakeMailboxRepository(),
-              ),
-              emailRepositoryProvider.overrideWithValue(fakeEmailRepo),
-            ],
-          ),
-        );
-        await tester.pumpAndSettle();
-
-        await tester.longPress(find.text('To archive'));
-        await tester.pumpAndSettle();
-        await tester.tap(find.byIcon(Icons.archive));
-        await tester.pumpAndSettle();
-
-        // Tap "Create Archive".
-        await tester.tap(find.text('Create "Archive"'));
-        await tester.pumpAndSettle();
-
-        expect(movedTo, contains('Archive'));
-      });
-
-      testWidgets(
-        'tapping Choose existing opens folder picker and moves emails',
-        (tester) async {
-          final email = testEmail(subject: 'To archive');
-          final movedTo = <String>[];
-
-          final fakeEmailRepo = _SpyEmailRepository(
-            emails: [email],
-            onMove: (id, path) => movedTo.add(path),
-          );
-          const archiveFolder = Mailbox(
-            id: 'acc-1:OldArchive',
-            accountId: 'acc-1',
-            path: 'OldArchive',
-            name: 'OldArchive',
-            unreadCount: 0,
-            totalCount: 0,
-          );
-
-          await tester.pumpWidget(
-            buildApp(
-              initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
-              overrides: [
-                accountRepositoryProvider.overrideWithValue(
-                  FakeAccountRepository([kTestAccount]),
-                ),
-                // Repo has a folder but it has no 'archive' role.
-                mailboxRepositoryProvider.overrideWithValue(
-                  FakeMailboxRepository([archiveFolder]),
-                ),
-                emailRepositoryProvider.overrideWithValue(fakeEmailRepo),
-              ],
-            ),
-          );
-          await tester.pumpAndSettle();
-
-          await tester.longPress(find.text('To archive'));
-          await tester.pumpAndSettle();
-          await tester.tap(find.byIcon(Icons.archive));
-          await tester.pumpAndSettle();
-
-          // Tap "Choose existing folder".
-          await tester.tap(find.text('Choose existing folder'));
-          await tester.pumpAndSettle();
-
-          // Bottom sheet with folder list appears.
-          expect(find.text('OldArchive'), findsOneWidget);
-
-          await tester.tap(find.text('OldArchive'));
-          await tester.pumpAndSettle();
-
-          expect(movedTo, contains('OldArchive'));
-        },
-      );
-    });
  });
 }
-
-/// Email repository spy that records [moveEmail] calls.
-class _SpyEmailRepository extends FakeEmailRepository {
-  _SpyEmailRepository({
-    super.emails,
-    required void Function(String emailId, String path) onMove,
-  }) : _onMove = onMove;
-
-  final void Function(String emailId, String path) _onMove;
-
-  @override
-  Future<void> moveEmail(String emailId, String destMailboxPath) async {
-    _onMove(emailId, destMailboxPath);
-  }
-}
@@ -14,7 +14,6 @@ import 'package:sharedinbox/core/models/discovery_result.dart';
 import 'package:sharedinbox/core/models/draft.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/repositories/draft_repository.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
@@ -22,12 +21,10 @@ import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
 import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
-import 'package:sharedinbox/core/repositories/user_preferences_repository.dart';
 import 'package:sharedinbox/core/services/account_discovery_service.dart';
 import 'package:sharedinbox/core/services/connection_test_service.dart';
 import 'package:sharedinbox/core/services/managesieve_probe_service.dart';
 import 'package:sharedinbox/core/services/share_encryption_service.dart';
-import 'package:sharedinbox/data/db/database.dart' show SyncHealthRow;
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/account_list_screen.dart';
 import 'package:sharedinbox/ui/screens/account_receive_screen.dart';
@@ -41,19 +38,17 @@ import 'package:sharedinbox/ui/screens/email_list_screen.dart';
 import 'package:sharedinbox/ui/screens/mailbox_list_screen.dart';
 import 'package:sharedinbox/ui/screens/search_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
-import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';

 // ---------------------------------------------------------------------------
 // Fake repositories
 // ---------------------------------------------------------------------------

 class FakeAccountRepository implements AccountRepository {
+  final List<Account> _accounts;
+
  FakeAccountRepository([List<Account>? accounts])
      : _accounts = List.of(accounts ?? []);

-  final List<Account> _accounts;
-  bool hasPassword = true;
-
  @override
  Stream<List<Account>> observeAccounts() => Stream.value(List.of(_accounts));

@@ -80,12 +75,7 @@ class FakeAccountRepository implements AccountRepository {
      _accounts.removeWhere((a) => a.id == id);

  @override
-  Future<String> getPassword(String accountId) async {
-    if (!hasPassword) {
-      throw StateError('No password stored for account $accountId');
-    }
-    return 'test-password';
-  }
+  Future<String> getPassword(String accountId) async => 'test-password';
 }

 class FakeShareKeyRepository implements ShareKeyRepository {
@@ -168,28 +158,8 @@ class FakeMailboxRepository implements MailboxRepository {
  @override
  Future<Mailbox?> findMailboxByRole(String accountId, String role) async =>
      _mailboxes.where((m) => m.role == role).firstOrNull;
-
  @override
  Future<void> clearForResync(String accountId) async {}
-
-  @override
-  Future<Mailbox> createMailboxWithRole(
-    String accountId,
-    String name,
-    String role,
-  ) async {
-    final mailbox = Mailbox(
-      id: '$accountId:$name',
-      accountId: accountId,
-      path: name,
-      name: name,
-      role: role,
-      unreadCount: 0,
-      totalCount: 0,
-    );
-    _mailboxes.add(mailbox);
-    return mailbox;
-  }
 }

 class FakeEmailRepository implements EmailRepository {
@@ -414,7 +384,6 @@ class _NoOpManageSieveProbeService implements ManageSieveProbeService {
 Widget buildApp({
  required String initialLocation,
  required List<Override> overrides,
-  UserPreferencesRepository? userPreferences,
 }) {
  final testRouter = GoRouter(
    initialLocation: initialLocation,
@@ -435,10 +404,6 @@ Widget buildApp({
            path: 'send',
            builder: (ctx, state) => const AccountSendScreen(),
          ),
-          GoRoute(
-            path: 'preferences',
-            builder: (ctx, state) => const UserPreferencesScreen(),
-          ),
          GoRoute(
            path: ':accountId/edit',
            builder: (ctx, state) => EditAccountScreen(
@@ -514,18 +479,16 @@ Widget buildApp({
  return ProviderScope(
    // Defaults come first so tests can override them via [overrides].
    //
-    // syncLogRepositoryProvider is backed by a Drift StreamQuery. When the
-    // provider is disposed, Drift schedules a Timer.run() for cache
-    // debouncing. Flutter's test framework then fails the test with "A Timer
-    // is still pending". Replacing it with a synchronous stream avoids this.
-    // syncHealthProvider has the same issue and is overridden in baseOverrides.
+    // syncHealthProvider and syncLogRepositoryProvider are backed by Drift
+    // StreamQueries. When a StreamProvider that wraps a Drift query is disposed,
+    // Drift schedules a Timer.run() for cache debouncing. Flutter's test
+    // framework then fails the test with "A Timer is still pending". Replacing
+    // these with simple synchronous streams avoids the pending-timer assertion.
    overrides: [
+      syncHealthProvider.overrideWith((ref, _) => Stream.value(null)),
      syncLogRepositoryProvider.overrideWithValue(
        const NoOpSyncLogRepository(),
      ),
-      userPreferencesRepositoryProvider.overrideWithValue(
-        userPreferences ?? FakeUserPreferencesRepository(),
-      ),
      ...overrides,
      manageSieveProbeServiceProvider.overrideWith(
        (ref) => _NoOpManageSieveProbeService(),
@@ -551,13 +514,10 @@ List<Override> baseOverrides({
  DiscoveryResult? discovery,
  Exception? connectionError,
  ShareKeyRepository? shareKeyRepository,
-  bool hasStoredPassword = true,
-  SyncHealthRow? syncHealth,
 }) =>
    [
-      accountRepositoryProvider.overrideWithValue(
-        FakeAccountRepository(accounts)..hasPassword = hasStoredPassword,
-      ),
+      accountRepositoryProvider
+          .overrideWithValue(FakeAccountRepository(accounts)),
      mailboxRepositoryProvider
          .overrideWithValue(FakeMailboxRepository(mailboxes)),
      emailRepositoryProvider.overrideWithValue(FakeEmailRepository()),
@@ -571,9 +531,6 @@ List<Override> baseOverrides({
      shareKeyRepositoryProvider.overrideWithValue(
        shareKeyRepository ?? FakeShareKeyRepository(),
      ),
-      // syncHealthProvider is backed by a Drift StreamQuery; override with a
-      // plain stream to avoid "A Timer is still pending" in tests.
-      syncHealthProvider.overrideWith((ref, _) => Stream.value(syncHealth)),
    ];

 // ---------------------------------------------------------------------------
@@ -603,7 +560,6 @@ Email testEmail({
  bool isSeen = false,
  bool isFlagged = false,
  bool hasAttachment = false,
-  String? listUnsubscribeHeader,
 }) =>
    Email(
      id: id,
@@ -619,45 +575,8 @@ Email testEmail({
      isSeen: isSeen,
      isFlagged: isFlagged,
      hasAttachment: hasAttachment,
-      listUnsubscribeHeader: listUnsubscribeHeader,
    );

-class FakeUserPreferencesRepository implements UserPreferencesRepository {
-  FakeUserPreferencesRepository({
-    this.menuPosition = MenuPosition.bottom,
-    this.mailViewButtonPosition = MenuPosition.bottom,
-    this.afterMailViewAction = AfterMailViewAction.nextMessage,
-  });
-
-  MenuPosition menuPosition;
-  MenuPosition mailViewButtonPosition;
-  AfterMailViewAction afterMailViewAction;
-
-  @override
-  Stream<UserPreferences> observePreferences() => Stream.value(
-        UserPreferences(
-          menuPosition: menuPosition,
-          mailViewButtonPosition: mailViewButtonPosition,
-          afterMailViewAction: afterMailViewAction,
-        ),
-      );
-
-  @override
-  Future<void> updateMenuPosition(MenuPosition position) async {
-    menuPosition = position;
-  }
-
-  @override
-  Future<void> updateMailViewButtonPosition(MenuPosition position) async {
-    mailViewButtonPosition = position;
-  }
-
-  @override
-  Future<void> updateAfterMailViewAction(AfterMailViewAction action) async {
-    afterMailViewAction = action;
-  }
-}
-
 class FakeSearchHistoryRepository implements SearchHistoryRepository {
  final List<String> _history = [];

@@ -41,20 +41,6 @@ void main() {
      expect(html, contains('https: http: data: blob:'));
      _expectLightMode(html);
    });
-
-    test('prevents horizontal overflow so wide HTML emails are not cut off',
-        () {
-      final html =
-          buildEmailHtml('<table width="600"><tr><td>x</td></tr></table>');
-      // Body clips overflow so fixed-width email tables don't escape the viewport.
-      expect(html, contains('overflow-x: hidden'));
-      // Tables are forced to full viewport width so fixed pixel widths don't overflow.
-      expect(html, contains('table { width: 100%'));
-      // All elements are capped at viewport width via max-width.
-      expect(html, contains('max-width: 100%'));
-      // Pre-formatted text wraps instead of stretching the page.
-      expect(html, contains('white-space: pre-wrap'));
-    });
  });

  // On Linux (the test host) the widget falls back to plain text extracted via
@@ -2,7 +2,6 @@ import 'package:flutter/material.dart';
 import 'package:flutter_test/flutter_test.dart';

 import 'package:sharedinbox/core/models/email.dart';
-import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/di.dart';

 import 'helpers.dart';
@@ -143,60 +142,6 @@ void main() {
      expect(find.byIcon(Icons.expand_more), findsOneWidget);
    });

-    testWidgets('shows bottom app bar with back button by default', (
-      tester,
-    ) async {
-      final email = _threadEmail();
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/threads/thread-1',
-          overrides: [
-            accountRepositoryProvider.overrideWithValue(
-              FakeAccountRepository([kTestAccount]),
-            ),
-            mailboxRepositoryProvider.overrideWithValue(
-              FakeMailboxRepository(),
-            ),
-            emailRepositoryProvider.overrideWithValue(
-              FakeEmailRepository(emails: [email]),
-            ),
-          ],
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(find.byType(BottomAppBar), findsOneWidget);
-      expect(find.byIcon(Icons.arrow_back), findsOneWidget);
-    });
-
-    testWidgets('hides bottom app bar when button position is top', (
-      tester,
-    ) async {
-      final email = _threadEmail();
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/threads/thread-1',
-          userPreferences: FakeUserPreferencesRepository(
-            mailViewButtonPosition: MenuPosition.top,
-          ),
-          overrides: [
-            accountRepositoryProvider.overrideWithValue(
-              FakeAccountRepository([kTestAccount]),
-            ),
-            mailboxRepositoryProvider.overrideWithValue(
-              FakeMailboxRepository(),
-            ),
-            emailRepositoryProvider.overrideWithValue(
-              FakeEmailRepository(emails: [email]),
-            ),
-          ],
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(find.byType(BottomAppBar), findsNothing);
-    });
-
    testWidgets('flagged email shows star icon', (tester) async {
      final email = _threadEmail(isFlagged: true);
      await tester.pumpWidget(
@@ -1,186 +0,0 @@
-import 'package:flutter/material.dart';
-import 'package:flutter_riverpod/flutter_riverpod.dart';
-import 'package:flutter_test/flutter_test.dart';
-
-import 'package:sharedinbox/core/models/user_preferences.dart';
-import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
-
-import 'helpers.dart';
-
-void main() {
-  group('UserPreferencesScreen', () {
-    testWidgets('shows both menu position options', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(find.text('Menu bar position'), findsOneWidget);
-      expect(find.text('Bottom (default)'), findsNWidgets(2));
-      expect(find.text('Top'), findsNWidgets(2));
-    });
-
-    testWidgets('shows single mail view button position section', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      expect(
-        find.text('Single mail view button position'),
-        findsOneWidget,
-      );
-    });
-
-    testWidgets('menu position bottom option is selected by default', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      final radioGroups = find.byType(RadioGroup<MenuPosition>);
-      final menuGroup =
-          tester.widget<RadioGroup<MenuPosition>>(radioGroups.first);
-      expect(menuGroup.groupValue, MenuPosition.bottom);
-    });
-
-    testWidgets('mail view button position bottom is selected by default', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      final radioGroups = find.byType(RadioGroup<MenuPosition>);
-      final mailViewGroup =
-          tester.widget<RadioGroup<MenuPosition>>(radioGroups.last);
-      expect(mailViewGroup.groupValue, MenuPosition.bottom);
-    });
-
-    testWidgets('tapping Top in menu position section updates the repo', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(find.text('Top').first);
-      await tester.pumpAndSettle();
-
-      final repo = ProviderScope.containerOf(
-        tester.element(find.byType(UserPreferencesScreen)),
-      ).read(userPreferencesRepositoryProvider)
-          as FakeUserPreferencesRepository;
-
-      expect(repo.menuPosition, MenuPosition.top);
-    });
-
-    testWidgets(
-        'tapping Top in mail view button position section updates the repo', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(find.text('Top').last);
-      await tester.pumpAndSettle();
-
-      final repo = ProviderScope.containerOf(
-        tester.element(find.byType(UserPreferencesScreen)),
-      ).read(userPreferencesRepositoryProvider)
-          as FakeUserPreferencesRepository;
-
-      expect(repo.mailViewButtonPosition, MenuPosition.top);
-    });
-
-    testWidgets('shows after mail action section', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      // Scroll down to reveal the new section below the fold.
-      await tester.drag(find.byType(ListView), const Offset(0, -500));
-      await tester.pumpAndSettle();
-
-      expect(find.text('After mail action'), findsOneWidget);
-      expect(find.text('Next message (default)'), findsOneWidget);
-      expect(find.text('Return to mailbox'), findsOneWidget);
-    });
-
-    testWidgets('after mail action next message is selected by default', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.drag(find.byType(ListView), const Offset(0, -500));
-      await tester.pumpAndSettle();
-
-      final radioGroups = find.byType(RadioGroup<AfterMailViewAction>);
-      final group =
-          tester.widget<RadioGroup<AfterMailViewAction>>(radioGroups.first);
-      expect(group.groupValue, AfterMailViewAction.nextMessage);
-    });
-
-    testWidgets('tapping Return to mailbox updates the repo', (
-      tester,
-    ) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/preferences',
-          overrides: baseOverrides(),
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.drag(find.byType(ListView), const Offset(0, -500));
-      await tester.pumpAndSettle();
-
-      await tester.tap(find.text('Return to mailbox'));
-      await tester.pumpAndSettle();
-
-      final repo = ProviderScope.containerOf(
-        tester.element(find.byType(UserPreferencesScreen)),
-      ).read(userPreferencesRepositoryProvider)
-          as FakeUserPreferencesRepository;
-
-      expect(repo.afterMailViewAction, AfterMailViewAction.showMailbox);
-    });
-  });
-}
@@ -25,8 +25,7 @@ The app processes the following data **exclusively on your device**:
  device's secure storage and never transmitted to us.
 - **Email messages and attachments** — fetched directly from your email provider's IMAP server and
  displayed in the app. We never receive, store, or process your emails.
- **App settings and configuration** — stored locally on your device. The app will never upload
-  this data to sharedinbox.de or any third-party service.
+- **App settings and configuration** — stored locally on your device.

 ### Network connections
Author	SHA1	Message	Date
Thomas SharedInboxandClaude Sonnet 4.6	839a3c63f9	feat: keep secrets in sync via age-encrypted master key (#208 ) Store all production secrets encrypted in secrets.age (committed to the repo) using age. Only one secret needs to be in CI: SECRETS_AGE_KEY. When a secret changes locally, update secrets.env and re-run scripts/secrets-encrypt.sh to commit a new secrets.age. CI picks up the updated secrets automatically on the next push — no manual CI variable updates required. Changes: - scripts/secrets-encrypt.sh: encrypt secrets.env → secrets.age - scripts/secrets-decrypt.sh: decrypt secrets.age → GITHUB_ENV (CI) or eval-safe export block (local) - scripts/test_secrets.sh: encrypt/decrypt round-trip tests - secrets.env.example: template documenting all production secret keys - ci/main.go: add CheckSecrets function (runs test_secrets.sh via Dagger), wire into Check(), update Graph(); add age to toolchain apt packages - .forgejo/Dockerfile: add age package - .forgejo/workflows/deploy.yml: replace per-secret CI references with a single "Decrypt production secrets" step using SECRETS_AGE_KEY - flake.nix: add age to dev shell - Taskfile.yml: add check-secrets task, include in check-fast - .gitignore: ignore plaintext secrets.env - DAGGER.md: document Option 5 (encrypted secrets file) as active approach Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 16:32:27 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	a167ebd0a3	feat: add build mode, Dart version, timestamp to crash report (#205 ) Show app version, build mode, and platform OS in the crash screen UI so users can report bugs without needing to copy first. The clipboard report now also includes Build Mode (debug/release/profile), Dart runtime version, and a UTC timestamp to aid post-crash diagnosis. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 16:06:32 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	881a240155	fix: probe scanner method channel to detect MissingPluginException (#204 ) The previous pre-flight check called ctrl.start() without ctrl.attach(), causing MobileScannerController to time out after 500 ms with controllerNotAttached on every device — the scanner never worked even when the plugin was present. Replace with a direct invokeMethod('state') probe on the scanner channel. MissingPluginException (thrown when the plugin is not registered) is the exact error from the crash report; all other errors are surfaced by the MobileScanner widget's own error builder. Also add widget tests for the AccountReceiveScreen step-2 import flow (text fallback, successful import, invalid-QR error) which were previously untested. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-24 15:47:21 +02:00
Thomas SharedInbox	117b546b2c	feat: show live countdown with seconds on receive account screen (#203 ) Replace the static "expires in 20 minutes" label with a StatefulWidget that ticks every second and displays the remaining time as MM:SS.	2026-05-24 15:11:56 +02:00