Merge branch 'main' into issue-475-allowed-addresses-glob

- sqlite3 is now imported in lib/ (production code), so it must be a
  regular dependency, not a dev_dependency
- Replace deprecated conn.dispose() with conn.close() in the test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/chaos-monkey.yml

@@ -0,0 +1,20 @@
+name: Chaos Monkey
+
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+
+jobs:
+  chaos-monkey-backend:
+    name: Chaos Monkey (backend)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Dagger Remote Engine
+        env:
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+        run: scripts/setup_dagger_remote.sh
+      - name: Run backend chaos monkey
+        run: task chaos-monkey-backend

.forgejo/workflows/ci.yml

@@ -1,11 +1,35 @@
 name: CI
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   check:
     name: Full Project Check
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
       - name: Setup Dagger Remote Engine
         env:

.forgejo/workflows/deploy.yml

@@ -15,6 +15,23 @@ jobs:
       linux: ${{ steps.diff.outputs.linux }}
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -141,6 +158,23 @@ jobs:
     if: needs.check-changes.outputs.android == 'true'
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 100
@@ -175,6 +209,23 @@ jobs:
     if: needs.check-changes.outputs.android == 'true'
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 100
@@ -203,6 +254,23 @@ jobs:
     if: needs.check-changes.outputs.linux == 'true'
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 100
@@ -236,6 +304,23 @@ jobs:
     timeout-minutes: 5
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - name: Set CI/Full-Pass or CI/Full-Fail label on tracking issue
         env:
           FORGEJO_TOKEN: ${{ github.token }}

.forgejo/workflows/firebase-tests.yml

@@ -14,6 +14,23 @@ jobs:
       has_changes: ${{ steps.diff.outputs.has_changes }}
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -50,6 +67,23 @@ jobs:
     if: needs.check-changes.outputs.has_changes == 'true'
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1

.forgejo/workflows/website.yml

@@ -18,6 +18,23 @@ jobs:
     timeout-minutes: 60
 
     steps:
+      - name: Print runner wait time
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          RUN_NUMBER: ${{ github.run_number }}
+        run: |
+          runner_start=$(date +%s)
+          created_at=$(curl -sf \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks?limit=100" \
+            | python3 -c "import sys,json;data=json.load(sys.stdin);rs=[r for r in data.get('workflow_runs',[]) if r.get('run_number')==$RUN_NUMBER];print(rs[0]['created_at'] if rs else '')" 2>/dev/null)
+          if [ -n "$created_at" ]; then
+            queued_epoch=$(date -d "$created_at" +%s)
+            wait_seconds=$((runner_start - queued_epoch))
+            echo "Runner wait time: ${wait_seconds}s (queued at $created_at)"
+          else
+            echo "Runner wait time: unknown (API lookup failed)"
+          fi
       - uses: actions/checkout@v4
         with:
           submodules: recursive

Taskfile.yml

@@ -37,6 +37,8 @@ tasks:
     run: once
     deps: [_nix-check]
     preconditions:
+      - sh: '[ "$(id -u)" != "0" ]'
+        msg: "Do not run as root. Use the dedicated dev user (see DEVELOPMENT.md)."
       - sh: test -n "${IN_NIX_SHELL}"
         msg: "Not in nix dev shell. Run: nix develop"
     cmds:
@@ -56,6 +58,14 @@ tasks:
     cmds:
       - echo "Setup complete."
 
+  generate-icons:
+    desc: Rasterise icon.svg → icon.png and regenerate all platform launcher icons
+    deps: [_pub-get]
+    cmds:
+      - rsvg-convert -w 1024 -h 1024 icon.svg -o icon.png
+      - rsvg-convert -w 512  -h 512  icon.svg -o playstore/icon.png
+      - fvm flutter pub run flutter_launcher_icons
+
   generate-changelog:
     desc: Generate assets/changelog.txt from git history
     cmds:
@@ -519,13 +529,6 @@ tasks:
     cmds:
       - ANDROID_HOME=${ANDROID_HOME:-$HOME/Android/Sdk} fvm flutter build apk --release --no-pub --dart-define=GIT_HASH=$(git rev-parse --short HEAD) | grep -Ev "was tree-shaken|Tree-shaking can be disabled"
 
-  deploy-android-bundle:
-    desc: Build release AAB and upload to Play Store internal track (local/fvm)
-    deps: [build-android-bundle-local]
-    dotenv: [".env"]
-    cmds:
-      - sops exec-env secrets.enc.yaml 'python3 scripts/deploy_playstore.py'
-
   build-android-bundle-local:
     desc: Build a release App Bundle (AAB) locally via fvm (not Dagger)
     deps: [_preflight, _android-sdk-check, _codegen, generate-changelog]
@@ -540,6 +543,13 @@ tasks:
     cmds:
       - sops exec-env secrets.enc.yaml 'bash scripts/build_android_bundle_local.sh'
 
+  deploy-android-bundle:
+    desc: Build release AAB and upload to Play Store internal track (local/fvm)
+    deps: [build-android-bundle-local]
+    dotenv: [".env"]
+    cmds:
+      - sops exec-env secrets.enc.yaml 'python3 scripts/deploy_playstore.py'
+
   deploy-android:
     desc: Build release APK and upload via scp to $ANDROID_APK_SCP_USER@$ANDROID_APK_SCP_HOST:$ANDROID_APK_SCP_PATH
     deps: [check, build-android]
@@ -720,6 +730,11 @@ tasks:
     cmds:
       - fvm flutter test test/screenshot_automation_test.dart --update-goldens
 
+  chaos-monkey-backend:
+    desc: Chaos monkey — random IMAP/SMTP ops against Stalwart (via Dagger, headless)
+    cmds:
+      - timeout --kill-after=10 600 dagger call --progress=plain -q -m ci --source=. chaos-monkey-backend
+
   check:
     desc: Full check suite — unit tests first, then integration (merges coverage), then gate
     deps: [analyze, build-linux, test]

android/settings.gradle.kts

@@ -19,7 +19,7 @@ pluginManagement {
 
 plugins {
     id("dev.flutter.flutter-plugin-loader") version "1.0.0"
-    id("com.android.application") version "8.13.2" apply false
+    id("com.android.application") version "9.2.1" apply false
     id("org.jetbrains.kotlin.android") version "2.4.0" apply false
 }
 

ci/main.go

@@ -539,7 +539,7 @@ func (m *Ci) TestBackend(ctx context.Context) (string, error) {
 	return m.WithStalwart(m.setup(m.backendSrc())).
 		WithExec([]string{"/bin/bash", "-c",
 			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
-				`flutter test --concurrency=1 --reporter expanded --no-pub test/backend >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
+				`flutter test --concurrency=1 --reporter expanded --no-pub --exclude-tags=nightly test/backend >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
 				`grep -E '^All [0-9]+ tests passed' "$tmp" || tail -1 "$tmp"`}).
 		Stdout(ctx)
 }
@@ -565,6 +565,16 @@ func (m *Ci) TestSyncReliability(ctx context.Context) (string, error) {
 		Stdout(ctx)
 }
 
+// ChaosMonkeyBackend runs random IMAP/SMTP operations against Stalwart to surface crashes.
+func (m *Ci) ChaosMonkeyBackend(ctx context.Context) (string, error) {
+	return m.WithStalwart(m.setup(m.backendSrc())).
+		WithExec([]string{"/bin/bash", "-c",
+			`tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT; ` +
+				`flutter test test/backend/chaos_monkey_test.dart --reporter expanded --concurrency=1 --no-pub --tags=nightly >"$tmp" 2>&1 || { cat "$tmp"; exit 1; }; ` +
+				`grep -E '^All [0-9]+ tests passed' "$tmp" || tail -1 "$tmp"`}).
+		Stdout(ctx)
+}
+
 // Check runs the full check suite.
 func (m *Ci) Check(ctx context.Context) (string, error) {
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Minute)

deploy.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
 
 # Load .env into environment

flake.nix

@@ -48,11 +48,28 @@
             chmod +x $out/bin/fgj
           '';
         };
+
+        # The dagger/nix flake pins 0.20.8, whose Nix wrapper is a broken self-exec
+        # loop.  Fetch 0.21.4 directly so the pre-commit dart-check hook can run.
+        dagger021 = pkgs.stdenv.mkDerivation {
+          pname = "dagger";
+          version = "0.21.4";
+          src = pkgs.fetchurl {
+            url = "https://dl.dagger.io/dagger/releases/0.21.4/dagger_v0.21.4_linux_amd64.tar.gz";
+            sha256 = "0wlnbr4g5069755131yjp2a6alacn64f1c8b27xn0cbynq3zicjd";
+          };
+          sourceRoot = ".";
+          installPhase = ''
+            mkdir -p $out/bin
+            cp dagger $out/bin/dagger
+            chmod +x $out/bin/dagger
+          '';
+        };
       in {
         devShells.default = pkgs.mkShell {
           buildInputs = with pkgs; [
             # Dagger CLI
-            dagger.packages.${system}.dagger
+            dagger021
 
             # Go compiler — for Dagger development
             go
@@ -100,12 +117,16 @@
             ]))  # used by stalwart-dev/start and deploy_playstore.py
             fgj      # Codeberg/Forgejo CLI (like gh for GitHub)
             skopeo   # inspect OCI image manifests without pulling layers (used by check-ci-images)
+            librsvg  # rsvg-convert — SVG→PNG for generate-icons task
           ]);
 
           shellHook = ''
             # nix develop --command does not set IN_NIX_SHELL; set it so _preflight passes in CI
             export IN_NIX_SHELL=1
 
+            # Point Dagger client at the running engine socket
+            export DAGGER_HOST=unix:///run/dagger/engine.sock
+
             # Disable Flutter telemetry inside dev shell
             export FLUTTER_SUPPRESS_ANALYTICS=true
 

lib/core/db_schema_version.dart

@@ -1 +1 @@
-const int dbSchemaVersion = 38;
+const int dbSchemaVersion = 40;

lib/core/models/email.dart

@@ -192,6 +192,22 @@ class EmailThread {
     required this.accountId,
     required this.mailboxPath,
   });
+
+  /// Wraps a single [Email] as a one-message thread for uniform rendering.
+  factory EmailThread.fromEmail(Email e) => EmailThread(
+        threadId: e.threadId ?? e.id,
+        subject: e.subject,
+        participants: e.from,
+        latestDate: e.sentAt ?? e.receivedAt,
+        messageCount: 1,
+        hasUnread: !e.isSeen,
+        isFlagged: e.isFlagged,
+        latestEmailId: e.id,
+        preview: e.preview,
+        emailIds: [e.id],
+        accountId: e.accountId,
+        mailboxPath: e.mailboxPath,
+      );
 }
 
 class EmailAddress {

lib/core/models/note.dart

@@ -0,0 +1,17 @@
+class EmailNote {
+  final String id; // UUID (X-SharedInbox-Note-Id)
+  final String accountId;
+  final String messageId; // RFC 2822 Message-ID (X-SharedInbox-Note-For)
+  final String noteText;
+  final String serverId; // IMAP UID (as string) or JMAP email ID
+  final DateTime createdAt;
+
+  const EmailNote({
+    required this.id,
+    required this.accountId,
+    required this.messageId,
+    required this.noteText,
+    required this.serverId,
+    required this.createdAt,
+  });
+}

lib/core/repositories/email_repository.dart

@@ -58,7 +58,7 @@ abstract class EmailRepository {
   );
 
   /// Searches the local DB across all mailboxes of [accountId] (or all accounts
-  /// if null) by subject and preview. Fast, works offline.
+  /// if null) by subject, preview, and notes. Fast, works offline.
   Future<List<Email>> searchEmailsGlobal(String? accountId, String query);
 
   /// Returns all locally cached emails in any mailbox of [accountId] (or all

lib/core/repositories/mailbox_repository.dart

@@ -20,4 +20,8 @@ abstract class MailboxRepository {
     String name,
     String role,
   );
+
+  /// Creates a new mailbox named [name] for [accountId] without a special role.
+  /// Returns the newly created [Mailbox].
+  Future<Mailbox> createMailbox(String accountId, String name);
 }

lib/core/repositories/note_repository.dart

@@ -0,0 +1,15 @@
+import 'package:sharedinbox/core/models/note.dart';
+
+abstract class NoteRepository {
+  /// Stream of notes for an email, keyed by [messageId] (stable across moves).
+  Stream<List<EmailNote>> observeNotes(String accountId, String messageId);
+
+  /// Fetches notes from the server into the local cache.
+  Future<void> syncNotes(String accountId, String messageId);
+
+  /// Creates a new note on the server and caches it locally.
+  Future<void> addNote(String accountId, String messageId, String text);
+
+  /// Deletes a note from the server and removes it from the local cache.
+  Future<void> deleteNote(String noteId);
+}

lib/core/sieve/sieve_interpreter.dart

@@ -1,6 +1,7 @@
 import 'package:sharedinbox/core/sieve/sieve_actions.dart';
 import 'package:sharedinbox/core/sieve/sieve_conditions.dart';
 import 'package:sharedinbox/core/sieve/sieve_rule.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
 
 /// A lightweight email representation used by [SieveInterpreter].
 /// Header names are lower-cased.
@@ -102,18 +103,11 @@ class SieveInterpreter {
     return switch (matchType) {
       ':contains' => k.isEmpty || v.contains(k),
       ':is' => v == k,
-      ':matches' => _globMatch(v, k),
+      ':matches' => globMatch(v, k),
       _ => false,
     };
   }
 
-  bool _globMatch(String value, String pattern) {
-    final regexStr = RegExp.escape(
-      pattern,
-    ).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
-    return RegExp('^$regexStr\$').hasMatch(value);
-  }
-
   void _applyActions(List<SieveAction> actions, SieveExecutionContext ctx) {
     for (final action in actions) {
       switch (action) {

lib/core/utils/glob_match.dart

@@ -0,0 +1,9 @@
+/// Returns true if [value] matches the glob [pattern].
+///
+/// Supports `*` (any number of characters) and `?` (exactly one character).
+/// The comparison is case-insensitive, which is appropriate for email addresses.
+bool globMatch(String value, String pattern) {
+  final regexStr =
+      RegExp.escape(pattern).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
+  return RegExp('^$regexStr\$', caseSensitive: false).hasMatch(value);
+}

lib/data/db/database.dart

@@ -7,6 +7,7 @@ import 'package:flutter/services.dart';
 import 'package:path/path.dart' as p;
 import 'package:path_provider/path_provider.dart';
 import 'package:sharedinbox/core/db_schema_version.dart';
+import 'package:sqlite3/sqlite3.dart' show Database;
 
 part 'database.g.dart';
 
@@ -318,6 +319,37 @@ class ImageTrustedSenders extends Table {
   Set<Column> get primaryKey => {senderEmail};
 }
 
+/// Per-email notes stored server-side (IMAP Notes folder / JMAP Notes mailbox).
+/// Keyed by the RFC 2822 Message-ID header so notes survive folder moves.
+// Added in schema v39.
+@DataClassName('EmailNoteRow')
+class EmailNotes extends Table {
+  // UUID matching the X-SharedInbox-Note-Id custom header on the server.
+  TextColumn get id => text()();
+  TextColumn get accountId =>
+      text().references(Accounts, #id, onDelete: KeyAction.cascade)();
+  // X-SharedInbox-Note-For value — stable across IMAP folder moves.
+  TextColumn get messageId => text()();
+  TextColumn get noteText => text()();
+  // IMAP UID (as string) or JMAP email ID of the note message on the server.
+  TextColumn get serverId => text()();
+  DateTimeColumn get createdAt => dateTime()();
+
+  @override
+  Set<Column> get primaryKey => {id};
+}
+
+/// Records the first time the user ran each app version (identified by GIT_HASH).
+/// Added in schema v40.
+@DataClassName('InstalledVersionRow')
+class InstalledVersions extends Table {
+  TextColumn get gitHash => text()();
+  DateTimeColumn get installedAt => dateTime()();
+
+  @override
+  Set<Column> get primaryKey => {gitHash};
+}
+
 /// App-wide user preferences, stored as a singleton row (id always 1).
 @DataClassName('UserPreferencesRow')
 class UserPreferences extends Table {
@@ -363,6 +395,8 @@ class UserPreferences extends Table {
     ShareKeys,
     UserPreferences,
     ImageTrustedSenders,
+    EmailNotes,
+    InstalledVersions,
   ],
 )
 class AppDatabase extends _$AppDatabase {
@@ -639,8 +673,33 @@ class AppDatabase extends _$AppDatabase {
               userPreferences.bodyCacheLimitMb,
             );
           }
+          if (from < 39) {
+            await m.createTable(emailNotes);
+          }
+          if (from < 40) {
+            await m.createTable(installedVersions);
+          }
         },
       );
+
+  /// Inserts a row for [gitHash] the first time that version is seen.
+  /// Subsequent calls for the same hash are silently ignored so the original
+  /// install timestamp is preserved.
+  Future<void> recordInstalledVersionIfNew(String gitHash) async {
+    if (gitHash.isEmpty) return;
+    await into(installedVersions).insert(
+      InstalledVersionsCompanion.insert(
+        gitHash: gitHash,
+        installedAt: DateTime.now(),
+      ),
+      mode: InsertMode.insertOrIgnore,
+    );
+  }
+
+  Future<Map<String, DateTime>> loadInstalledVersions() async {
+    final rows = await select(installedVersions).get();
+    return {for (final r in rows) r.gitHash: r.installedAt};
+  }
 }
 
 // Resolved once in main() via initDatabasePath() before runApp().
@@ -735,18 +794,34 @@ Future<String> resolveDatabasePathForTesting() => _resolveDatabasePath();
 void resetDatabasePathForTesting() => _dbPath = null;
 Future<String?> androidFallbackPathForTesting() => _androidFallbackPath();
 
+/// Configures PRAGMAs on a newly opened SQLite connection.
+///
+/// busy_timeout must come first so subsequent statements retry on SQLITE_BUSY
+/// instead of immediately failing.
+///
+/// journal_mode = WAL is wrapped in a try/catch because a concurrent
+/// WorkManager background task may already have the DB open when the app
+/// starts.  SQLITE_BUSY_SNAPSHOT (extended code 261, primary code 5) is
+/// returned in that situation; it only occurs when the DB is already in WAL
+/// mode, so the pragma would be a no-op anyway and it is safe to continue.
+void _setupPragmas(Database db) {
+  db.execute('PRAGMA busy_timeout = 5000;');
+  try {
+    db.execute('PRAGMA journal_mode = WAL;');
+  } on SqliteException catch (e) {
+    // resultCode strips the extended bits: both SQLITE_BUSY (5) and
+    // SQLITE_BUSY_SNAPSHOT (261) reduce to 5.  Re-throw anything else.
+    if (e.resultCode != 5) rethrow;
+  }
+}
+
 LazyDatabase _openConnection() {
   return LazyDatabase(() async {
     final file = File(await _resolveDatabasePath());
-    return NativeDatabase.createInBackground(
-      file,
-      setup: (db) {
-        // WAL lets readers and writers proceed concurrently (different account
-        // sync loops share the same DB).  busy_timeout makes SQLite retry for
-        // up to 5 s instead of immediately returning SQLITE_BUSY.
-        db.execute('PRAGMA journal_mode = WAL;');
-        db.execute('PRAGMA busy_timeout = 5000;');
-      },
-    );
+    return NativeDatabase.createInBackground(file, setup: _setupPragmas);
   });
 }
+
+// Exposed so tests can run the exact production setup logic on a raw
+// sqlite3 connection (same pattern as resolveDatabasePathForTesting).
+void setupPragmasForTesting(Database db) => _setupPragmas(db);

lib/data/repositories/email_repository_impl.dart

@@ -2922,9 +2922,9 @@ class EmailRepositoryImpl implements EmailRepository {
 
     final sql = accountId != null
         ? 'SELECT e.* FROM email_fts f JOIN emails e ON e.rowid = f.rowid'
-            ' WHERE email_fts MATCH ? AND e.account_id = ? ORDER BY rank LIMIT 50'
+            ' WHERE email_fts MATCH ? AND e.account_id = ? ORDER BY e.received_at DESC LIMIT 50'
         : 'SELECT e.* FROM email_fts f JOIN emails e ON e.rowid = f.rowid'
-            ' WHERE email_fts MATCH ? ORDER BY rank LIMIT 50';
+            ' WHERE email_fts MATCH ? ORDER BY e.received_at DESC LIMIT 50';
     final variables = accountId != null
         ? [Variable<String>(ftsQuery), Variable<String>(accountId)]
         : [Variable<String>(ftsQuery)];
@@ -2934,6 +2934,56 @@ class EmailRepositoryImpl implements EmailRepository {
     final emailRows = await Future.wait(
       queryRows.map((r) => _db.emails.mapFromRow(r)),
     );
+
+    final noteRows = await _searchEmailsByNotes(accountId, null, query);
+
+    final seen = <String>{};
+    final merged = <model.Email>[];
+    for (final e in [...emailRows.map(_toModel), ...noteRows]) {
+      if (seen.add(e.id)) merged.add(e);
+    }
+    merged.sort((a, b) => b.receivedAt.compareTo(a.receivedAt));
+    return merged;
+  }
+
+  /// Returns emails whose associated notes contain all words from [query].
+  /// Optionally filtered by [accountId] and [mailboxPath].
+  Future<List<model.Email>> _searchEmailsByNotes(
+    String? accountId,
+    String? mailboxPath,
+    String query,
+  ) async {
+    final words =
+        query.trim().split(RegExp(r'\s+')).where((w) => w.isNotEmpty).toList();
+    if (words.isEmpty) return [];
+
+    final noteConditions = words.map((_) => 'n.note_text LIKE ?').join(' AND ');
+    final likeVars = words.map((w) => Variable<String>('%$w%')).toList();
+
+    final extraConditions = StringBuffer();
+    final extraVars = <Variable<String>>[];
+    if (accountId != null) {
+      extraConditions.write(' AND e.account_id = ?');
+      extraVars.add(Variable<String>(accountId));
+    }
+    if (mailboxPath != null) {
+      extraConditions.write(' AND e.mailbox_path = ?');
+      extraVars.add(Variable<String>(mailboxPath));
+    }
+
+    final sql = 'SELECT DISTINCT e.* FROM emails e'
+        ' JOIN email_notes n ON n.message_id = e.message_id'
+        ' AND n.account_id = e.account_id'
+        ' WHERE $noteConditions$extraConditions'
+        ' ORDER BY e.received_at DESC LIMIT 50';
+
+    final rows = await _db.customSelect(
+      sql,
+      variables: [...likeVars, ...extraVars],
+      readsFrom: {_db.emails, _db.emailNotes},
+    ).get();
+    final emailRows =
+        await Future.wait(rows.map((r) => _db.emails.mapFromRow(r)));
     return emailRows.map(_toModel).toList();
   }
 
@@ -2943,9 +2993,7 @@ class EmailRepositoryImpl implements EmailRepository {
   static String _toFtsQuery(String query) {
     final words = query
         .trim()
-        .split(RegExp(r'\s+'))
-        .where((w) => w.isNotEmpty)
-        .map((w) => w.replaceAll(RegExp(r'[^\w]'), ''))
+        .split(RegExp(r'[^\w]+'))
         .where((w) => w.isNotEmpty)
         .toList();
     if (words.isEmpty) return '';
@@ -3047,68 +3095,42 @@ class EmailRepositoryImpl implements EmailRepository {
   }
 
   @override
+  // Results are limited to emails already synced into the local SQLite FTS5
+  // index; call syncEmails first to ensure the index is up-to-date.
   Future<List<model.Email>> searchEmails(
     String accountId,
     String mailboxPath,
     String query,
   ) async {
-    final account = (await _accounts.getAccount(accountId))!;
-    final password = await _accounts.getPassword(accountId);
-    final client = await _imapConnect(
-      account,
-      _effectiveUsername(account),
-      password,
+    final ftsQuery = _toFtsQuery(query);
+    if (ftsQuery.isEmpty) return [];
+
+    const sql = 'SELECT e.* FROM email_fts f JOIN emails e ON e.rowid = f.rowid'
+        ' WHERE email_fts MATCH ? AND e.account_id = ? AND e.mailbox_path = ?'
+        ' ORDER BY e.received_at DESC LIMIT 50';
+    final variables = [
+      Variable<String>(ftsQuery),
+      Variable<String>(accountId),
+      Variable<String>(mailboxPath),
+    ];
+
+    final queryRows = await _db
+        .customSelect(sql, variables: variables, readsFrom: {_db.emails}).get();
+    final emailRows = await Future.wait(
+      queryRows.map((r) => _db.emails.mapFromRow(r)),
     );
-    try {
-      await client.selectMailboxByPath(mailboxPath);
-      final terms =
-          query.split(RegExp(r'\s+')).where((t) => t.isNotEmpty).toList();
-      final searchCriteria = terms.map((term) {
-        final escaped = term.replaceAll('"', '\\"');
-        return 'OR SUBJECT "$escaped" TEXT "$escaped"';
-      }).join(' ');
-      final result = await client.uidSearchMessages(
-        searchCriteria: searchCriteria,
-      );
-      final uids = result.matchingSequence?.toList() ?? [];
-      if (uids.isEmpty) return [];
 
-      final fetch = await client.uidFetchMessages(
-        imap.MessageSequence.fromIds(uids, isUid: true),
-        '(UID FLAGS ENVELOPE)',
-      );
-      return fetch.messages
-          .where((msg) => msg.uid != null && msg.envelope != null)
-          .map((msg) {
-        final envelope = msg.envelope!;
-        final uid = msg.uid!;
-        final emailId = '$accountId:$uid';
-        return model.Email(
-          id: emailId,
-          accountId: accountId,
-          mailboxPath: mailboxPath,
-          uid: uid,
-          subject: envelope.subject,
-          sentAt: envelope.date,
-          receivedAt: envelope.date ?? DateTime.now(),
-          from: _toAddressList(envelope.from),
-          to: _toAddressList(envelope.to),
-          cc: _toAddressList(envelope.cc),
-          isSeen: msg.flags?.contains(r'\Seen') ?? false,
-          isFlagged: msg.flags?.contains(r'\Flagged') ?? false,
-          hasAttachment: msg.hasAttachments(),
-        );
-      }).toList();
-    } finally {
-      await client.logout();
+    final noteRows = await _searchEmailsByNotes(accountId, mailboxPath, query);
+
+    final seen = <String>{};
+    final merged = <model.Email>[];
+    for (final e in [...emailRows.map(_toModel), ...noteRows]) {
+      if (seen.add(e.id)) merged.add(e);
     }
+    merged.sort((a, b) => b.receivedAt.compareTo(a.receivedAt));
+    return merged;
   }
 
-  List<model.EmailAddress> _toAddressList(List<imap.MailAddress>? addresses) =>
-      (addresses ?? const [])
-          .map((a) => model.EmailAddress(name: a.personalName, email: a.email))
-          .toList();
-
   // ── Helpers ────────────────────────────────────────────────────────────────
 
   /// Computes a stable threadId from RFC 2822 headers.

lib/data/repositories/mailbox_repository_impl.dart

@@ -343,11 +343,23 @@ class MailboxRepositoryImpl implements MailboxRepository {
     }
   }
 
+  @override
+  Future<model.Mailbox> createMailbox(String accountId, String name) async {
+    final account = (await _accounts.getAccount(accountId))!;
+    final password = await _accounts.getPassword(accountId);
+    switch (account.type) {
+      case account_model.AccountType.imap:
+        return _createMailboxWithRoleImap(account, password, name, null);
+      case account_model.AccountType.jmap:
+        return _createMailboxWithRoleJmap(account, password, name, null);
+    }
+  }
+
   Future<model.Mailbox> _createMailboxWithRoleImap(
     account_model.Account account,
     String password,
     String name,
-    String role,
+    String? role,
   ) async {
     final client = await _imapConnect(
       account,
@@ -380,7 +392,7 @@ class MailboxRepositoryImpl implements MailboxRepository {
     account_model.Account account,
     String password,
     String name,
-    String role,
+    String? role,
   ) async {
     final jmapUrl = account.jmapUrl;
     if (jmapUrl == null || jmapUrl.isEmpty) {
@@ -398,7 +410,10 @@ class MailboxRepositoryImpl implements MailboxRepository {
         {
           'accountId': jmap.accountId,
           'create': {
-            'new-mailbox': {'name': name, 'role': role},
+            'new-mailbox': {
+              'name': name,
+              if (role != null) 'role': role,
+            },
           },
         },
         '0',

lib/data/repositories/note_repository_impl.dart

@@ -0,0 +1,570 @@
+import 'dart:math' as math;
+
+import 'package:drift/drift.dart';
+import 'package:enough_mail/enough_mail.dart' as imap;
+import 'package:http/http.dart' as http;
+
+import 'package:sharedinbox/core/models/account.dart' as account_model;
+import 'package:sharedinbox/core/models/note.dart';
+import 'package:sharedinbox/core/repositories/account_repository.dart';
+import 'package:sharedinbox/core/repositories/note_repository.dart';
+import 'package:sharedinbox/data/db/database.dart';
+import 'package:sharedinbox/data/imap/imap_client_factory.dart';
+import 'package:sharedinbox/data/jmap/jmap_client.dart';
+
+const _notesFolder = 'Notes';
+const _headerNoteFor = 'X-SharedInbox-Note-For';
+const _headerNoteId = 'X-SharedInbox-Note-Id';
+
+class NoteRepositoryImpl implements NoteRepository {
+  NoteRepositoryImpl(
+    this._db,
+    this._accounts, {
+    ImapConnectFn imapConnect = connectImap,
+    http.Client? httpClient,
+  })  : _imapConnect = imapConnect,
+        _httpClient = httpClient ?? http.Client();
+
+  final AppDatabase _db;
+  final AccountRepository _accounts;
+  final ImapConnectFn _imapConnect;
+  final http.Client _httpClient;
+
+  String _effectiveUsername(account_model.Account account) =>
+      account.username.isNotEmpty ? account.username : account.email;
+
+  // ── Observe (local cache) ─────────────────────────────────────────────────
+
+  @override
+  Stream<List<EmailNote>> observeNotes(String accountId, String messageId) {
+    return (_db.select(_db.emailNotes)
+          ..where(
+            (t) =>
+                t.accountId.equals(accountId) & t.messageId.equals(messageId),
+          )
+          ..orderBy([(t) => OrderingTerm.asc(t.createdAt)]))
+        .watch()
+        .map((rows) => rows.map(_toModel).toList());
+  }
+
+  // ── Sync (server → local cache) ──────────────────────────────────────────
+
+  @override
+  Future<void> syncNotes(String accountId, String messageId) async {
+    final account = await _accounts.getAccount(accountId);
+    if (account == null) return;
+    final password = await _accounts.getPassword(accountId);
+
+    switch (account.type) {
+      case account_model.AccountType.imap:
+        await _syncNotesImap(account, password, messageId);
+      case account_model.AccountType.jmap:
+        await _syncNotesJmap(account, password, messageId);
+    }
+  }
+
+  Future<void> _syncNotesImap(
+    account_model.Account account,
+    String password,
+    String messageId,
+  ) async {
+    final client = await _imapConnect(
+      account,
+      _effectiveUsername(account),
+      password,
+    );
+    try {
+      try {
+        await client.selectMailboxByPath(_notesFolder);
+      } catch (_) {
+        // Notes folder doesn't exist — nothing to sync.
+        return;
+      }
+
+      final escaped = messageId.replaceAll('\\', '\\\\').replaceAll('"', '\\"');
+      final searchResult = await client.uidSearchMessages(
+        searchCriteria: 'HEADER $_headerNoteFor "$escaped"',
+      );
+      final uids = searchResult.matchingSequence?.toList() ?? [];
+
+      if (uids.isEmpty) {
+        await (_db.delete(_db.emailNotes)
+              ..where(
+                (t) =>
+                    t.accountId.equals(account.id) &
+                    t.messageId.equals(messageId),
+              ))
+            .go();
+        return;
+      }
+
+      final seq = imap.MessageSequence.fromIds(uids, isUid: true);
+      final fetch = await client.uidFetchMessages(seq, '(UID BODY.PEEK[])');
+
+      final fetchedIds = <String>{};
+      for (final msg in fetch.messages) {
+        final uid = msg.uid;
+        if (uid == null) continue;
+        final noteId = msg.getHeaderValue(_headerNoteId)?.trim();
+        if (noteId == null || noteId.isEmpty) continue;
+        fetchedIds.add(noteId);
+        await _db.into(_db.emailNotes).insertOnConflictUpdate(
+              EmailNotesCompanion.insert(
+                id: noteId,
+                accountId: account.id,
+                messageId: messageId,
+                noteText: msg.decodeTextPlainPart() ?? '',
+                serverId: uid.toString(),
+                createdAt: msg.decodeDate() ?? DateTime.now(),
+              ),
+            );
+      }
+
+      // Remove stale local notes (deleted on the server).
+      final local = await (_db.select(_db.emailNotes)
+            ..where(
+              (t) =>
+                  t.accountId.equals(account.id) &
+                  t.messageId.equals(messageId),
+            ))
+          .get();
+      for (final note in local) {
+        if (!fetchedIds.contains(note.id)) {
+          await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(note.id)))
+              .go();
+        }
+      }
+    } finally {
+      await client.logout();
+    }
+  }
+
+  Future<void> _syncNotesJmap(
+    account_model.Account account,
+    String password,
+    String messageId,
+  ) async {
+    final jmapUrl = account.jmapUrl;
+    if (jmapUrl == null || jmapUrl.isEmpty) return;
+
+    final jmap = await JmapClient.connect(
+      httpClient: _httpClient,
+      jmapUrl: Uri.parse(jmapUrl),
+      username: _effectiveUsername(account),
+      password: password,
+    );
+
+    final mailboxId = await _findNotesMailboxJmap(jmap);
+    if (mailboxId == null) {
+      await (_db.delete(_db.emailNotes)
+            ..where(
+              (t) =>
+                  t.accountId.equals(account.id) &
+                  t.messageId.equals(messageId),
+            ))
+          .go();
+      return;
+    }
+
+    final queryResp = await jmap.call([
+      [
+        'Email/query',
+        {
+          'accountId': jmap.accountId,
+          'filter': {'inMailbox': mailboxId},
+        },
+        '0',
+      ],
+    ]);
+    final ids = List<String>.from(
+      (_responseArgs(queryResp, 0, 'Email/query')['ids'] as List? ?? []),
+    );
+
+    if (ids.isEmpty) {
+      await (_db.delete(_db.emailNotes)
+            ..where(
+              (t) =>
+                  t.accountId.equals(account.id) &
+                  t.messageId.equals(messageId),
+            ))
+          .go();
+      return;
+    }
+
+    final getResp = await jmap.call([
+      [
+        'Email/get',
+        {
+          'accountId': jmap.accountId,
+          'ids': ids,
+          'properties': [
+            'id',
+            'receivedAt',
+            'textBody',
+            'bodyValues',
+            'header:$_headerNoteFor:asText',
+            'header:$_headerNoteId:asText',
+          ],
+          'fetchTextBodyValues': true,
+        },
+        '0',
+      ],
+    ]);
+    final list =
+        _responseArgs(getResp, 0, 'Email/get')['list'] as List<dynamic>;
+
+    final fetchedIds = <String>{};
+    for (final e in list) {
+      final m = e as Map<String, dynamic>;
+      final noteFor = (m['header:$_headerNoteFor:asText'] as String?)?.trim();
+      if (noteFor != messageId) continue;
+      final noteId = (m['header:$_headerNoteId:asText'] as String?)?.trim();
+      if (noteId == null || noteId.isEmpty) continue;
+      final jmapEmailId = m['id'] as String;
+
+      final bodyValues = m['bodyValues'] as Map<String, dynamic>? ?? {};
+      final textBodyParts = m['textBody'] as List<dynamic>? ?? [];
+      var noteText = '';
+      if (textBodyParts.isNotEmpty) {
+        final partId =
+            (textBodyParts.first as Map<String, dynamic>)['partId'] as String?;
+        if (partId != null) {
+          noteText = (bodyValues[partId] as Map<String, dynamic>?)?['value']
+                  as String? ??
+              '';
+        }
+      }
+
+      final createdAt =
+          DateTime.tryParse(m['receivedAt'] as String? ?? '') ?? DateTime.now();
+      fetchedIds.add(noteId);
+      await _db.into(_db.emailNotes).insertOnConflictUpdate(
+            EmailNotesCompanion.insert(
+              id: noteId,
+              accountId: account.id,
+              messageId: messageId,
+              noteText: noteText,
+              serverId: jmapEmailId,
+              createdAt: createdAt,
+            ),
+          );
+    }
+
+    // Remove stale local notes.
+    final local = await (_db.select(_db.emailNotes)
+          ..where(
+            (t) =>
+                t.accountId.equals(account.id) & t.messageId.equals(messageId),
+          ))
+        .get();
+    for (final note in local) {
+      if (!fetchedIds.contains(note.id)) {
+        await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(note.id)))
+            .go();
+      }
+    }
+  }
+
+  // ── Add ───────────────────────────────────────────────────────────────────
+
+  @override
+  Future<void> addNote(
+    String accountId,
+    String messageId,
+    String text,
+  ) async {
+    final account = await _accounts.getAccount(accountId);
+    if (account == null) return;
+    final password = await _accounts.getPassword(accountId);
+    final noteId = _generateId();
+
+    switch (account.type) {
+      case account_model.AccountType.imap:
+        await _addNoteImap(account, password, messageId, noteId, text);
+      case account_model.AccountType.jmap:
+        await _addNoteJmap(account, password, messageId, noteId, text);
+    }
+  }
+
+  Future<void> _addNoteImap(
+    account_model.Account account,
+    String password,
+    String messageId,
+    String noteId,
+    String text,
+  ) async {
+    final client = await _imapConnect(
+      account,
+      _effectiveUsername(account),
+      password,
+    );
+    try {
+      try {
+        await client.createMailbox(_notesFolder);
+      } catch (_) {
+        // Already exists.
+      }
+
+      final builder = imap.MessageBuilder()
+        ..subject = 'Note'
+        ..text = text;
+      builder.addHeader(_headerNoteFor, messageId);
+      builder.addHeader(_headerNoteId, noteId);
+      final mime = builder.buildMimeMessage();
+
+      final appendResult = await client.appendMessage(
+        mime,
+        targetMailboxPath: _notesFolder,
+      );
+      final uidList =
+          appendResult.responseCodeAppendUid?.targetSequence.toList();
+      final serverId = (uidList != null && uidList.isNotEmpty)
+          ? uidList.first.toString()
+          : '';
+
+      await _db.into(_db.emailNotes).insertOnConflictUpdate(
+            EmailNotesCompanion.insert(
+              id: noteId,
+              accountId: account.id,
+              messageId: messageId,
+              noteText: text,
+              serverId: serverId,
+              createdAt: DateTime.now(),
+            ),
+          );
+    } finally {
+      await client.logout();
+    }
+  }
+
+  Future<void> _addNoteJmap(
+    account_model.Account account,
+    String password,
+    String messageId,
+    String noteId,
+    String text,
+  ) async {
+    final jmapUrl = account.jmapUrl;
+    if (jmapUrl == null || jmapUrl.isEmpty) {
+      throw Exception('JMAP account ${account.id} has no jmapUrl');
+    }
+
+    final jmap = await JmapClient.connect(
+      httpClient: _httpClient,
+      jmapUrl: Uri.parse(jmapUrl),
+      username: _effectiveUsername(account),
+      password: password,
+    );
+
+    final mailboxId = await _findOrCreateNotesMailboxJmap(jmap);
+
+    const bodyPartId = '1';
+    final setResp = await jmap.call([
+      [
+        'Email/set',
+        {
+          'accountId': jmap.accountId,
+          'create': {
+            'new-note': {
+              'mailboxIds': {mailboxId: true},
+              'subject': 'Note',
+              'keywords': {r'$seen': true},
+              'headers': [
+                {'name': _headerNoteFor, 'value': ' $messageId'},
+                {'name': _headerNoteId, 'value': ' $noteId'},
+              ],
+              'bodyValues': {
+                bodyPartId: {
+                  'value': text,
+                  'isEncodingProblem': false,
+                  'isTruncated': false,
+                },
+              },
+              'textBody': [
+                {'partId': bodyPartId, 'type': 'text/plain'},
+              ],
+            },
+          },
+        },
+        '0',
+      ],
+    ]);
+
+    final result = _responseArgs(setResp, 0, 'Email/set');
+    final created = result['created'] as Map<String, dynamic>?;
+    final newEmail = created?['new-note'] as Map<String, dynamic>?;
+    final jmapEmailId = newEmail?['id'] as String? ?? '';
+
+    await _db.into(_db.emailNotes).insertOnConflictUpdate(
+          EmailNotesCompanion.insert(
+            id: noteId,
+            accountId: account.id,
+            messageId: messageId,
+            noteText: text,
+            serverId: jmapEmailId,
+            createdAt: DateTime.now(),
+          ),
+        );
+  }
+
+  // ── Delete ────────────────────────────────────────────────────────────────
+
+  @override
+  Future<void> deleteNote(String noteId) async {
+    final noteRow = await (_db.select(_db.emailNotes)
+          ..where((t) => t.id.equals(noteId)))
+        .getSingleOrNull();
+    if (noteRow == null) return;
+
+    final account = await _accounts.getAccount(noteRow.accountId);
+    if (account == null) {
+      await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(noteId)))
+          .go();
+      return;
+    }
+    final password = await _accounts.getPassword(account.id);
+
+    switch (account.type) {
+      case account_model.AccountType.imap:
+        await _deleteNoteImap(account, password, noteRow);
+      case account_model.AccountType.jmap:
+        await _deleteNoteJmap(account, password, noteRow);
+    }
+  }
+
+  Future<void> _deleteNoteImap(
+    account_model.Account account,
+    String password,
+    EmailNoteRow noteRow,
+  ) async {
+    final client = await _imapConnect(
+      account,
+      _effectiveUsername(account),
+      password,
+    );
+    try {
+      try {
+        await client.selectMailboxByPath(_notesFolder);
+        final uid = int.tryParse(noteRow.serverId);
+        if (uid != null) {
+          final seq = imap.MessageSequence.fromId(uid, isUid: true);
+          await client.uidMarkDeleted(seq);
+          await client.uidExpunge(seq);
+        }
+      } catch (_) {
+        // Notes folder gone or message already deleted — clean up locally.
+      }
+    } finally {
+      await client.logout();
+    }
+    await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(noteRow.id)))
+        .go();
+  }
+
+  Future<void> _deleteNoteJmap(
+    account_model.Account account,
+    String password,
+    EmailNoteRow noteRow,
+  ) async {
+    final jmapUrl = account.jmapUrl;
+    if (jmapUrl == null || jmapUrl.isEmpty) return;
+
+    final jmap = await JmapClient.connect(
+      httpClient: _httpClient,
+      jmapUrl: Uri.parse(jmapUrl),
+      username: _effectiveUsername(account),
+      password: password,
+    );
+
+    if (noteRow.serverId.isNotEmpty) {
+      await jmap.call([
+        [
+          'Email/set',
+          {
+            'accountId': jmap.accountId,
+            'destroy': [noteRow.serverId],
+          },
+          '0',
+        ],
+      ]);
+    }
+
+    await (_db.delete(_db.emailNotes)..where((t) => t.id.equals(noteRow.id)))
+        .go();
+  }
+
+  // ── JMAP helpers ──────────────────────────────────────────────────────────
+
+  Future<String?> _findNotesMailboxJmap(JmapClient jmap) async {
+    final resp = await jmap.call([
+      [
+        'Mailbox/get',
+        {'accountId': jmap.accountId, 'ids': null},
+        '0',
+      ],
+    ]);
+    final list = _responseArgs(resp, 0, 'Mailbox/get')['list'] as List<dynamic>;
+    for (final m in list) {
+      final map = m as Map<String, dynamic>;
+      if (map['name'] == _notesFolder) return map['id'] as String?;
+    }
+    return null;
+  }
+
+  Future<String> _findOrCreateNotesMailboxJmap(JmapClient jmap) async {
+    final existing = await _findNotesMailboxJmap(jmap);
+    if (existing != null) return existing;
+
+    final resp = await jmap.call([
+      [
+        'Mailbox/set',
+        {
+          'accountId': jmap.accountId,
+          'create': {
+            'new-notes': {'name': _notesFolder},
+          },
+        },
+        '0',
+      ],
+    ]);
+    final result = _responseArgs(resp, 0, 'Mailbox/set');
+    final created = result['created'] as Map<String, dynamic>?;
+    final newMailbox = created?['new-notes'] as Map<String, dynamic>?;
+    return newMailbox?['id'] as String? ?? _notesFolder;
+  }
+
+  Map<String, dynamic> _responseArgs(
+    List<dynamic> responses,
+    int index,
+    String expectedMethod,
+  ) {
+    final triple = responses[index] as List<dynamic>;
+    final method = triple[0] as String;
+    if (method == 'error') {
+      final err = triple[1] as Map<String, dynamic>;
+      throw JmapException('$expectedMethod error: ${err['type']}');
+    }
+    return triple[1] as Map<String, dynamic>;
+  }
+
+  EmailNote _toModel(EmailNoteRow row) => EmailNote(
+        id: row.id,
+        accountId: row.accountId,
+        messageId: row.messageId,
+        noteText: row.noteText,
+        serverId: row.serverId,
+        createdAt: row.createdAt,
+      );
+
+  // Generates a random UUID v4.
+  static String _generateId() {
+    final rng = math.Random.secure();
+    final bytes = List<int>.generate(16, (_) => rng.nextInt(256));
+    bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
+    bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant 1
+    final hex = bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();
+    return '${hex.substring(0, 8)}-${hex.substring(8, 12)}'
+        '-${hex.substring(12, 16)}-${hex.substring(16, 20)}'
+        '-${hex.substring(20)}';
+  }
+}

lib/di.dart

@@ -4,12 +4,14 @@ import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:http/http.dart' as http;
 import 'package:sharedinbox/core/models/account.dart' as model;
 import 'package:sharedinbox/core/models/email.dart';
+import 'package:sharedinbox/core/models/note.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/repositories/account_repository.dart';
 import 'package:sharedinbox/core/repositories/draft_repository.dart';
 import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/core/repositories/mailbox_repository.dart';
+import 'package:sharedinbox/core/repositories/note_repository.dart';
 import 'package:sharedinbox/core/repositories/search_history_repository.dart';
 import 'package:sharedinbox/core/repositories/share_key_repository.dart';
 import 'package:sharedinbox/core/repositories/sync_log_repository.dart';
@@ -32,6 +34,7 @@ import 'package:sharedinbox/data/repositories/account_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/draft_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/email_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/mailbox_repository_impl.dart';
+import 'package:sharedinbox/data/repositories/note_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/search_history_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/share_key_repository_impl.dart';
 import 'package:sharedinbox/data/repositories/sync_log_repository_impl.dart';
@@ -282,3 +285,22 @@ final trustedImageSendersProvider =
       .watch(userPreferencesRepositoryProvider)
       .observeTrustedImageSenders();
 });
+
+final noteRepositoryProvider = Provider<NoteRepository>((ref) {
+  return NoteRepositoryImpl(
+    ref.watch(dbProvider),
+    ref.watch(accountRepositoryProvider),
+    imapConnect: ref.watch(imapConnectProvider),
+  );
+});
+
+final installedVersionsProvider = FutureProvider<Map<String, DateTime>>((ref) {
+  return ref.watch(dbProvider).loadInstalledVersions();
+});
+
+/// Stream of notes for a specific email, identified by (accountId, messageId).
+final notesProvider =
+    StreamProvider.autoDispose.family<List<EmailNote>, (String, String)>(
+  (ref, params) =>
+      ref.watch(noteRepositoryProvider).observeNotes(params.$1, params.$2),
+);

lib/main.dart

@@ -86,6 +86,8 @@ class SharedInboxApp extends ConsumerStatefulWidget {
   ConsumerState<SharedInboxApp> createState() => _SharedInboxAppState();
 }
 
+const _kGitHash = String.fromEnvironment('GIT_HASH');
+
 class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
   @override
   void initState() {
@@ -93,6 +95,11 @@ class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
     // Start background IMAP sync once — runs for the lifetime of the app.
     ref.read(syncManagerProvider).start();
     ref.read(reliabilityRunnerProvider).start();
+    if (_kGitHash.isNotEmpty) {
+      unawaited(
+        ref.read(dbProvider).recordInstalledVersionIfNew(_kGitHash),
+      );
+    }
   }
 
   @override
@@ -102,6 +109,7 @@ class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
       theme: ThemeData(
         colorScheme: ColorScheme.fromSeed(seedColor: Colors.indigo),
         useMaterial3: true,
+        splashFactory: NoSplash.splashFactory,
       ),
       darkTheme: ThemeData(
         colorScheme: ColorScheme.fromSeed(
@@ -109,6 +117,7 @@ class _SharedInboxAppState extends ConsumerState<SharedInboxApp> {
           brightness: Brightness.dark,
         ),
         useMaterial3: true,
+        splashFactory: NoSplash.splashFactory,
       ),
       routerConfig: router,
     );

lib/ui/router.dart

@@ -1,6 +1,7 @@
 import 'package:go_router/go_router.dart';
 
 import 'package:sharedinbox/core/models/sieve_script.dart';
+import 'package:sharedinbox/core/models/undo_action.dart';
 
 import 'package:sharedinbox/ui/screens/about_screen.dart';
 import 'package:sharedinbox/ui/screens/account_list_screen.dart';
@@ -22,6 +23,7 @@ import 'package:sharedinbox/ui/screens/sieve_scripts_screen.dart';
 import 'package:sharedinbox/ui/screens/sync_log_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
 import 'package:sharedinbox/ui/screens/trusted_image_senders_screen.dart';
+import 'package:sharedinbox/ui/screens/undo_log_detail_screen.dart';
 import 'package:sharedinbox/ui/screens/undo_log_screen.dart';
 import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
 import 'package:sharedinbox/ui/widgets/undo_shell.dart';
@@ -55,6 +57,14 @@ final router = GoRouter(
             GoRoute(
               path: 'undo-log',
               builder: (ctx, state) => const UndoLogScreen(),
+              routes: [
+                GoRoute(
+                  path: ':actionId',
+                  builder: (ctx, state) => UndoLogDetailScreen(
+                    action: state.extra as UndoAction,
+                  ),
+                ),
+              ],
             ),
             GoRoute(
               path: 'changelog',

lib/ui/screens/changelog_screen.dart

@@ -2,21 +2,90 @@ import 'dart:async';
 
 import 'package:flutter/material.dart';
 import 'package:flutter_markdown_plus/flutter_markdown_plus.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:sharedinbox/di.dart';
 import 'package:url_launcher/url_launcher.dart';
 
-class ChangeLogScreen extends StatelessWidget {
+class ChangeLogScreen extends ConsumerWidget {
   const ChangeLogScreen({super.key});
 
+  static const _months = [
+    'Jan',
+    'Feb',
+    'Mar',
+    'Apr',
+    'May',
+    'Jun',
+    'Jul',
+    'Aug',
+    'Sep',
+    'Oct',
+    'Nov',
+    'Dec',
+  ];
+
+  static String _formatInstallDate(DateTime dt) {
+    final h = dt.hour.toString().padLeft(2, '0');
+    final m = dt.minute.toString().padLeft(2, '0');
+    final month = _months[dt.month - 1];
+    return '$h:$m, ${dt.day} $month ${dt.year}';
+  }
+
+  static const _repoUrl = 'https://codeberg.org/guettli/sharedinbox';
+
+  static final _issueRefPattern = RegExp(r'#(\d+)');
+
+  static String _linkifyIssueRefs(String text) {
+    return text.replaceAllMapped(
+      _issueRefPattern,
+      (m) => '[#${m[1]}]($_repoUrl/issues/${m[1]})',
+    );
+  }
+
+  // Changelog lines have the form:
+  //   * 2026-06-05 [abc1234](https://...): subject
+  // This pattern captures the short hash inside the markdown link.
+  static final _hashPattern = RegExp(r'\[([0-9a-f]{6,12})\]\(');
+
+  static String _injectInstallMarkers(
+    String changelog,
+    Map<String, DateTime> versions,
+  ) {
+    if (versions.isEmpty) return changelog;
+    final lines = changelog.split('\n');
+    final buf = StringBuffer();
+    for (final line in lines) {
+      final match = _hashPattern.firstMatch(line);
+      if (match != null) {
+        final lineHash = match.group(1)!;
+        for (final entry in versions.entries) {
+          final stored = entry.key;
+          final matches = stored == lineHash ||
+              stored.startsWith(lineHash) ||
+              lineHash.startsWith(stored);
+          if (!matches) continue;
+          buf.write(
+            '\n---\n\n**Installed: ${_formatInstallDate(entry.value)}**\n\n',
+          );
+          break;
+        }
+      }
+      buf.writeln(line);
+    }
+    return buf.toString();
+  }
+
   @override
-  Widget build(BuildContext context) {
+  Widget build(BuildContext context, WidgetRef ref) {
+    final installedVersions = ref.watch(installedVersionsProvider);
     return Scaffold(
       appBar: AppBar(title: const Text('ChangeLog')),
       body: FutureBuilder<String>(
-        future: DefaultAssetBundle.of(
-          context,
-        ).loadString('assets/changelog.txt'),
+        future:
+            DefaultAssetBundle.of(context).loadString('assets/changelog.txt'),
         builder: (context, snapshot) {
-          if (snapshot.connectionState == ConnectionState.waiting) {
+          if (snapshot.connectionState == ConnectionState.waiting ||
+              installedVersions.isLoading) {
             return const Center(child: CircularProgressIndicator());
           }
           if (snapshot.hasError) {
@@ -24,9 +93,12 @@ class ChangeLogScreen extends StatelessWidget {
               child: Text('Error loading changelog: ${snapshot.error}'),
             );
           }
-          final content = snapshot.data ?? 'No changelog entries found.';
+          final raw = snapshot.data ?? 'No changelog entries found.';
+          final content = _linkifyIssueRefs(raw);
+          final versions = installedVersions.value ?? {};
+          final annotated = _injectInstallMarkers(content, versions);
           return Markdown(
-            data: content,
+            data: annotated,
             onTapLink: (text, href, title) {
               if (href != null) {
                 unawaited(

lib/ui/screens/crash_screen.dart

@@ -57,6 +57,7 @@ class CrashScreen extends StatelessWidget {
   @override
   Widget build(BuildContext context) {
     return MaterialApp(
+      theme: ThemeData(splashFactory: NoSplash.splashFactory),
       home: Scaffold(
         appBar: AppBar(
           title: const Text('Something went wrong'),

lib/ui/screens/email_detail_screen.dart

@@ -12,9 +12,11 @@ import 'package:path_provider/path_provider.dart';
 import 'package:share_plus/share_plus.dart';
 
 import 'package:sharedinbox/core/models/email.dart';
+import 'package:sharedinbox/core/models/note.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/format_utils.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
@@ -37,6 +39,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
   bool _isFlagged = false;
   bool _loadRemoteImages = false;
   final Set<String> _downloading = {};
+  bool _notesSynced = false;
 
   @override
   Widget build(BuildContext context) {
@@ -50,6 +53,15 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
         if (email != null && mounted) {
           setState(() => _isFlagged = email.isFlagged);
         }
+        if (!_notesSynced && email?.messageId != null) {
+          _notesSynced = true;
+          unawaited(
+            ref.read(noteRepositoryProvider).syncNotes(
+                  email!.accountId,
+                  email.messageId!,
+                ),
+          );
+        }
       },
     );
 
@@ -197,8 +209,8 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     final senderEmail = header?.from.isNotEmpty == true
         ? header!.from.first.email.toLowerCase()
         : null;
-    final isTrusted =
-        senderEmail != null && trustedSenders.contains(senderEmail);
+    final isTrusted = senderEmail != null &&
+        trustedSenders.any((p) => globMatch(senderEmail, p));
     final effectiveLoadImages = _loadRemoteImages || isTrusted;
 
     return ListView(
@@ -257,6 +269,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
             body.textBody ?? '',
             style: Theme.of(ctx).textTheme.bodyMedium,
           ),
+        if (header?.messageId != null) _buildNotesSection(ctx, header!),
         if (body.attachments.isNotEmpty) ...[
           const Divider(),
           Padding(
@@ -340,6 +353,114 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     }
   }
 
+  Widget _buildNotesSection(BuildContext ctx, Email header) {
+    final messageId = header.messageId!;
+    final notes = ref.watch(notesProvider((header.accountId, messageId)));
+
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.start,
+      children: [
+        const Divider(),
+        Row(
+          children: [
+            Padding(
+              padding: const EdgeInsets.symmetric(vertical: 4),
+              child: Text(
+                'Notes',
+                style: Theme.of(ctx).textTheme.titleSmall,
+              ),
+            ),
+            const Spacer(),
+            TextButton.icon(
+              icon: const Icon(Icons.add, size: 16),
+              label: const Text('Add'),
+              onPressed: () => unawaited(_addNoteDialog(ctx, header)),
+            ),
+          ],
+        ),
+        notes.when(
+          loading: () => const SizedBox.shrink(),
+          error: (e, _) => Text('Error loading notes: $e'),
+          data: (list) {
+            if (list.isEmpty) {
+              return const Padding(
+                padding: EdgeInsets.only(bottom: 4),
+                child: Text(
+                  'No notes yet.',
+                  style: TextStyle(color: Colors.grey),
+                ),
+              );
+            }
+            return Column(
+              children: [
+                for (final note in list) _buildNoteRow(ctx, note),
+              ],
+            );
+          },
+        ),
+      ],
+    );
+  }
+
+  Widget _buildNoteRow(BuildContext ctx, EmailNote note) {
+    return ListTile(
+      dense: true,
+      contentPadding: EdgeInsets.zero,
+      title: Text(note.noteText),
+      subtitle: Text(
+        DateFormat('MMM d, HH:mm').format(note.createdAt),
+        style: Theme.of(ctx).textTheme.bodySmall,
+      ),
+      trailing: IconButton(
+        icon: const Icon(Icons.delete_outline, size: 20),
+        tooltip: 'Delete note',
+        onPressed: () {
+          unawaited(ref.read(noteRepositoryProvider).deleteNote(note.id));
+        },
+      ),
+    );
+  }
+
+  Future<void> _addNoteDialog(BuildContext context, Email header) async {
+    final messageId = header.messageId;
+    if (messageId == null) return;
+
+    final ctrl = TextEditingController();
+    final confirmed = await showDialog<bool>(
+      context: context,
+      builder: (ctx) => AlertDialog(
+        title: const Text('Add note'),
+        content: TextField(
+          controller: ctrl,
+          autofocus: true,
+          maxLines: 4,
+          decoration: const InputDecoration(hintText: 'Type a note…'),
+        ),
+        actions: [
+          TextButton(
+            onPressed: () => Navigator.pop(ctx, false),
+            child: const Text('Cancel'),
+          ),
+          FilledButton(
+            onPressed: () => Navigator.pop(ctx, true),
+            child: const Text('Save'),
+          ),
+        ],
+      ),
+    );
+
+    final text = ctrl.text.trim();
+    ctrl.dispose();
+    if (confirmed != true || text.isEmpty) return;
+    if (!context.mounted) return;
+
+    await ref.read(noteRepositoryProvider).addNote(
+          header.accountId,
+          messageId,
+          text,
+        );
+  }
+
   Widget _buildHeader(BuildContext ctx, Email email) {
     return Column(
       crossAxisAlignment: CrossAxisAlignment.start,
@@ -563,6 +684,42 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     );
   }
 
+  Future<String?> _promptNewFolderName(BuildContext context) async {
+    final controller = TextEditingController();
+    try {
+      return await showDialog<String>(
+        context: context,
+        builder: (ctx) => AlertDialog(
+          title: const Text('Create new folder'),
+          content: TextField(
+            controller: controller,
+            autofocus: true,
+            decoration: const InputDecoration(hintText: 'Folder name'),
+            textCapitalization: TextCapitalization.words,
+            onSubmitted: (value) {
+              if (value.trim().isNotEmpty) Navigator.pop(ctx, value.trim());
+            },
+          ),
+          actions: [
+            TextButton(
+              onPressed: () => Navigator.pop(ctx),
+              child: const Text('Cancel'),
+            ),
+            FilledButton(
+              onPressed: () {
+                final name = controller.text.trim();
+                if (name.isNotEmpty) Navigator.pop(ctx, name);
+              },
+              child: const Text('Create'),
+            ),
+          ],
+        ),
+      );
+    } finally {
+      controller.dispose();
+    }
+  }
+
   Future<void> _moveTo(BuildContext context, Email header) async {
     final nextEmailId = await _getNextEmailIdIfNeeded(header);
 
@@ -576,6 +733,8 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
 
     if (!context.mounted) return;
 
+    const createNewSentinel = '__create_new__';
+
     final chosen = await showModalBottomSheet<String>(
       context: context,
       builder: (ctx) => ListView(
@@ -593,13 +752,28 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               title: Text(m.name),
               onTap: () => Navigator.pop(ctx, m.path),
             ),
+          ListTile(
+            leading: const Icon(Icons.create_new_folder_outlined),
+            title: const Text('Create new folder…'),
+            onTap: () => Navigator.pop(ctx, createNewSentinel),
+          ),
         ],
       ),
     );
 
     if (chosen == null || !context.mounted) return;
 
-    await ref.read(emailRepositoryProvider).moveEmail(widget.emailId, chosen);
+    String destination = chosen;
+    if (chosen == createNewSentinel) {
+      final name = await _promptNewFolderName(context);
+      if (name == null || !context.mounted) return;
+      final mailbox = await mailboxRepo.createMailbox(header.accountId, name);
+      destination = mailbox.path;
+    }
+
+    await ref
+        .read(emailRepositoryProvider)
+        .moveEmail(widget.emailId, destination);
 
     unawaited(
       ref.read(undoServiceProvider.notifier).pushAction(
@@ -609,7 +783,7 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
               type: UndoType.move,
               emailIds: [widget.emailId],
               sourceMailboxPath: header.mailboxPath,
-              destinationMailboxPath: chosen,
+              destinationMailboxPath: destination,
             ),
           ),
     );

lib/ui/screens/email_list_screen.dart

@@ -13,9 +13,9 @@ import 'package:sharedinbox/core/repositories/email_repository.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
 import 'package:sharedinbox/ui/widgets/email_thread_tile.dart';
-import 'package:sharedinbox/ui/widgets/email_tile.dart';
 import 'package:sharedinbox/ui/widgets/folder_drawer.dart';
 import 'package:sharedinbox/ui/widgets/snooze_picker.dart';
+import 'package:sharedinbox/ui/widgets/thread_tile.dart';
 
 class EmailListScreen extends ConsumerStatefulWidget {
   const EmailListScreen({
@@ -50,6 +50,15 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
   // Pagination: number of threads currently requested from the DB.
   static const _pageSize = 50;
   int _limit = _pageSize;
+
+  // Incremented on every search start; stale completions are ignored when the
+  // generation has advanced (prevents out-of-order IMAP responses from
+  // overwriting fresh results with results for an older query).
+  int _searchGeneration = 0;
+  // The query whose results are currently settled in _searchResults.
+  // Used to skip redundant re-runs when the user presses Enter on an
+  // already-settled search (issue #473).
+  String? _lastSettledQuery;
   bool get _selecting =>
       _selectedThreadIds.isNotEmpty || _selectedSearchIds.isNotEmpty;
 
@@ -61,6 +70,7 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
         setState(() {
           _searchResults = null;
           _searchLoading = false;
+          _lastSettledQuery = null;
         });
       }
     });
@@ -117,18 +127,35 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
   }
 
   Future<void> _runSearch(String query) async {
-    if (query.trim().isEmpty) {
-      setState(() => _searchResults = null);
+    final q = query.trim();
+    if (q.isEmpty) {
+      setState(() {
+        _searchResults = null;
+        _lastSettledQuery = null;
+      });
       return;
     }
+    // Skip if results are already settled for this exact query — prevents the
+    // Enter key from re-triggering a search that already completed.
+    if (_searchResults != null && !_searchLoading && q == _lastSettledQuery) {
+      return;
+    }
+    final generation = ++_searchGeneration;
     setState(() => _searchLoading = true);
     try {
       final results = await ref
           .read(emailRepositoryProvider)
-          .searchEmails(widget.accountId, widget.mailboxPath, query.trim());
-      if (mounted) setState(() => _searchResults = results);
+          .searchEmails(widget.accountId, widget.mailboxPath, q);
+      if (mounted && generation == _searchGeneration) {
+        setState(() {
+          _searchResults = results;
+          _lastSettledQuery = q;
+        });
+      }
     } finally {
-      if (mounted) setState(() => _searchLoading = false);
+      if (mounted && generation == _searchGeneration) {
+        setState(() => _searchLoading = false);
+      }
     }
   }
 
@@ -541,8 +568,8 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
 
     if (wasSearching && mounted) {
       // Filter deleted emails out of the local results immediately.
-      // Calling searchEmails here would hit the IMAP server, which still has
-      // the emails because the delete is only enqueued — not yet applied.
+      // Calling searchEmails here would still return deleted rows because the
+      // delete is only enqueued — not yet applied to the local DB.
       final deletedIds = ids.toSet();
       final remaining = (_searchResults ?? [])
           .where((e) => !deletedIds.contains(e.id))
@@ -762,9 +789,10 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
       itemCount: emails.length,
       itemBuilder: (ctx, i) {
         final e = emails[i];
+        final t = EmailThread.fromEmail(e);
         final isSelected = _selectedSearchIds.contains(e.id);
-        return EmailTile(
-          email: e,
+        return ThreadTile(
+          thread: t,
           selected: isSelected,
           leading: SizedBox(
             width: 40,

lib/ui/screens/search_screen.dart

@@ -8,7 +8,7 @@ import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/mailbox.dart';
 import 'package:sharedinbox/core/utils/logger.dart';
 import 'package:sharedinbox/di.dart';
-import 'package:sharedinbox/ui/widgets/email_tile.dart';
+import 'package:sharedinbox/ui/widgets/thread_tile.dart';
 
 final _searchHistoryProvider = FutureProvider.autoDispose<List<String>>((
   ref,
@@ -189,9 +189,9 @@ class _SearchScreenState extends ConsumerState<SearchScreen> {
         if (r.emails.isNotEmpty) ...[
           const _SectionHeader('Messages'),
           for (final e in r.emails)
-            EmailTile(
-              email: e,
-              showLocation: true,
+            ThreadTile(
+              thread: EmailThread.fromEmail(e),
+              locationLabel: '${e.accountId} • ${e.mailboxPath}',
               onTap: () => context.push(
                 '/accounts/${e.accountId}/mailboxes'
                 '/${Uri.encodeComponent(e.mailboxPath)}'

lib/ui/screens/thread_detail_screen.dart

@@ -8,6 +8,7 @@ import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
@@ -118,8 +119,8 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
     final senderEmail = widget.email.from.isNotEmpty
         ? widget.email.from.first.email.toLowerCase()
         : null;
-    final isTrusted =
-        senderEmail != null && trustedSenders.contains(senderEmail);
+    final isTrusted = senderEmail != null &&
+        trustedSenders.any((p) => globMatch(senderEmail, p));
 
     return Card(
       margin: const EdgeInsets.symmetric(vertical: 4),

lib/ui/screens/trusted_image_senders_screen.dart

@@ -16,6 +16,11 @@ class TrustedImageSendersScreen extends ConsumerWidget {
 
     return Scaffold(
       appBar: AppBar(title: const Text('Allowed addresses for images')),
+      floatingActionButton: FloatingActionButton(
+        tooltip: 'Add address',
+        onPressed: () => _showAddDialog(context, ref),
+        child: const Icon(Icons.add),
+      ),
       body: trustedSendersAsync.when(
         loading: () => const Center(child: CircularProgressIndicator()),
         error: (_, __) =>
@@ -26,7 +31,8 @@ class TrustedImageSendersScreen extends ConsumerWidget {
               padding: EdgeInsets.all(16),
               child: Text(
                 'No addresses added yet. '
-                'Tap "Load remote images" in an email to add the sender.',
+                'Tap + to add an address or pattern (e.g. *@example.com), '
+                'or tap "Load remote images" in an email to add the sender automatically.',
               ),
             );
           }
@@ -60,4 +66,61 @@ class TrustedImageSendersScreen extends ConsumerWidget {
       ),
     );
   }
+
+  Future<void> _showAddDialog(BuildContext context, WidgetRef ref) async {
+    final controller = TextEditingController();
+
+    await showDialog<void>(
+      context: context,
+      builder: (ctx) {
+        return StatefulBuilder(
+          builder: (ctx, setState) {
+            return AlertDialog(
+              title: const Text('Add allowed address'),
+              content: TextField(
+                controller: controller,
+                autofocus: true,
+                keyboardType: TextInputType.emailAddress,
+                decoration: const InputDecoration(
+                  labelText: 'Email address or pattern',
+                  hintText: '*@example.com',
+                  helperText: '* matches any characters, e.g. *@example.com',
+                ),
+                onChanged: (_) => setState(() {}),
+                onSubmitted: (value) {
+                  if (value.trim().isNotEmpty) {
+                    _addSender(ref, value);
+                    Navigator.of(ctx).pop();
+                  }
+                },
+              ),
+              actions: [
+                TextButton(
+                  onPressed: () => Navigator.of(ctx).pop(),
+                  child: const Text('Cancel'),
+                ),
+                TextButton(
+                  onPressed: controller.text.trim().isEmpty
+                      ? null
+                      : () {
+                          _addSender(ref, controller.text);
+                          Navigator.of(ctx).pop();
+                        },
+                  child: const Text('Add'),
+                ),
+              ],
+            );
+          },
+        );
+      },
+    );
+  }
+
+  void _addSender(WidgetRef ref, String value) {
+    unawaited(
+      ref
+          .read(userPreferencesRepositoryProvider)
+          .addTrustedImageSender(value.trim()),
+    );
+  }
 }

lib/ui/screens/undo_log_detail_screen.dart

@@ -0,0 +1,139 @@
+import 'package:flutter/material.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:intl/intl.dart';
+import 'package:sharedinbox/core/models/email.dart';
+import 'package:sharedinbox/core/models/undo_action.dart';
+import 'package:sharedinbox/di.dart';
+
+final _dateTimeFmt = DateFormat('yyyy-MM-dd HH:mm:ss');
+
+class UndoLogDetailScreen extends ConsumerWidget {
+  const UndoLogDetailScreen({super.key, required this.action});
+
+  final UndoAction action;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final theme = Theme.of(context);
+
+    return Scaffold(
+      appBar: AppBar(
+        title: const Text('Undo Log Detail'),
+        actions: [
+          TextButton(
+            onPressed: () async {
+              await ref
+                  .read(undoServiceProvider.notifier)
+                  .undo(actionId: action.id);
+              if (context.mounted) {
+                Navigator.of(context).pop();
+                ScaffoldMessenger.of(context).showSnackBar(
+                  const SnackBar(
+                    duration: Duration(seconds: 5),
+                    content: Text('Action undone.'),
+                  ),
+                );
+              }
+            },
+            child: const Text('Undo'),
+          ),
+        ],
+      ),
+      body: ListView(
+        children: [
+          _SectionHeader(text: 'Transaction', theme: theme),
+          ListTile(
+            leading: const Icon(Icons.account_circle),
+            title: const Text('Account'),
+            subtitle: Text(action.accountId),
+          ),
+          ListTile(
+            leading: Icon(
+              action.type == UndoType.delete
+                  ? Icons.delete_outline
+                  : (action.type == UndoType.snooze
+                      ? Icons.access_time
+                      : Icons.move_to_inbox),
+              color: action.type == UndoType.delete
+                  ? Colors.redAccent
+                  : (action.type == UndoType.snooze
+                      ? Colors.orangeAccent
+                      : Colors.blueAccent),
+            ),
+            title: const Text('Action'),
+            subtitle: Text(action.type.name.toUpperCase()),
+          ),
+          ListTile(
+            leading: const Icon(Icons.schedule),
+            title: const Text('Timestamp'),
+            subtitle: Text(_dateTimeFmt.format(action.timestamp.toLocal())),
+          ),
+          _SectionHeader(text: 'Folders', theme: theme),
+          ListTile(
+            leading: const Icon(Icons.folder_open),
+            title: const Text('Source'),
+            subtitle: Text(action.sourceMailboxPath),
+          ),
+          if (action.type == UndoType.move &&
+              action.destinationMailboxPath != null)
+            ListTile(
+              leading: const Icon(Icons.drive_file_move),
+              title: const Text('Destination'),
+              subtitle: Text(action.destinationMailboxPath!),
+            ),
+          _SectionHeader(
+            text: 'Emails (${action.emailIds.length})',
+            theme: theme,
+          ),
+          if (action.originalEmails.isEmpty)
+            Padding(
+              padding: const EdgeInsets.symmetric(horizontal: 16, vertical: 8),
+              child: Text(
+                '${action.emailIds.length} email(s) — details not available',
+                style: theme.textTheme.bodySmall,
+              ),
+            ),
+          ...action.originalEmails.map((email) => _EmailTile(email: email)),
+        ],
+      ),
+    );
+  }
+}
+
+class _SectionHeader extends StatelessWidget {
+  const _SectionHeader({required this.text, required this.theme});
+
+  final String text;
+  final ThemeData theme;
+
+  @override
+  Widget build(BuildContext context) {
+    return Padding(
+      padding: const EdgeInsets.fromLTRB(16, 16, 16, 4),
+      child: Text(
+        text,
+        style: theme.textTheme.labelLarge?.copyWith(
+          color: theme.colorScheme.primary,
+        ),
+      ),
+    );
+  }
+}
+
+class _EmailTile extends StatelessWidget {
+  const _EmailTile({required this.email});
+
+  final Email email;
+
+  @override
+  Widget build(BuildContext context) {
+    final sender = email.from.isNotEmpty
+        ? (email.from.first.name ?? email.from.first.email)
+        : '(Unknown Sender)';
+    return ListTile(
+      leading: const Icon(Icons.email_outlined),
+      title: Text(email.subject ?? '(No Subject)'),
+      subtitle: Text(sender, maxLines: 1, overflow: TextOverflow.ellipsis),
+    );
+  }
+}

lib/ui/screens/undo_log_screen.dart

@@ -2,6 +2,7 @@ import 'dart:async';
 
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:go_router/go_router.dart';
 import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/di.dart';
@@ -55,6 +56,10 @@ class _UndoActionTile extends ConsumerWidget {
     final extraCount = count > 1 ? ' (+${count - 1} more)' : '';
 
     return ListTile(
+      onTap: () => context.go(
+        '/accounts/undo-log/${action.id}',
+        extra: action,
+      ),
       leading: Icon(
         action.type == UndoType.delete
             ? Icons.delete_outline

lib/ui/widgets/thread_tile.dart

@@ -0,0 +1,121 @@
+import 'package:flutter/material.dart';
+import 'package:intl/intl.dart';
+
+import 'package:sharedinbox/core/models/email.dart';
+
+final _dateFmt = DateFormat('MMM d');
+// Cache formatted dates by local calendar day to avoid repeated DateFormat.format calls.
+final _formattedDates = <int, String>{};
+
+int _dayKey(DateTime dt) => dt.year * 10000 + dt.month * 100 + dt.day;
+
+String _fmtDate(DateTime dt) =>
+    _formattedDates[_dayKey(dt)] ??= _dateFmt.format(dt);
+
+/// A list tile for an [EmailThread].
+///
+/// Used in inbox lists, combined inbox, and search result lists.
+/// Pass a custom [leading] widget to support selection-mode checkboxes.
+/// Pass [locationLabel] to show an extra subtitle line (e.g. account name or
+/// "accountId • mailboxPath") — useful in cross-mailbox views.
+class ThreadTile extends StatelessWidget {
+  const ThreadTile({
+    super.key,
+    required this.thread,
+    required this.onTap,
+    this.leading,
+    this.selected = false,
+    this.onLongPress,
+    this.locationLabel,
+  });
+
+  final EmailThread thread;
+  final VoidCallback onTap;
+  final Widget? leading;
+  final bool selected;
+  final VoidCallback? onLongPress;
+
+  /// When non-null, appended as an extra subtitle line in primary colour.
+  final String? locationLabel;
+
+  @override
+  Widget build(BuildContext context) {
+    final senderNames = thread.participants.isEmpty
+        ? '(unknown)'
+        : thread.participants.map((a) => a.name ?? a.email).take(3).join(', ');
+
+    return ListTile(
+      leading: leading ??
+          Icon(
+            thread.hasUnread ? Icons.mail : Icons.mail_outline,
+            color:
+                thread.hasUnread ? Theme.of(context).colorScheme.primary : null,
+          ),
+      title: Row(
+        children: [
+          Expanded(
+            child: Text(
+              senderNames,
+              style: thread.hasUnread
+                  ? const TextStyle(fontWeight: FontWeight.bold)
+                  : null,
+              overflow: TextOverflow.ellipsis,
+            ),
+          ),
+          if (thread.messageCount > 1)
+            Padding(
+              padding: const EdgeInsets.only(left: 4),
+              child: Text(
+                '[${thread.messageCount}]',
+                style: Theme.of(context).textTheme.bodySmall,
+              ),
+            ),
+        ],
+      ),
+      subtitle: Column(
+        crossAxisAlignment: CrossAxisAlignment.start,
+        children: [
+          Text(
+            thread.subject ?? '(no subject)',
+            maxLines: 1,
+            overflow: TextOverflow.ellipsis,
+            style: thread.hasUnread
+                ? const TextStyle(fontWeight: FontWeight.bold)
+                : null,
+          ),
+          if (thread.preview != null && thread.preview!.isNotEmpty)
+            Text(
+              thread.preview!,
+              maxLines: 1,
+              overflow: TextOverflow.ellipsis,
+              style: Theme.of(context).textTheme.bodySmall,
+            ),
+          if (locationLabel != null)
+            Text(
+              locationLabel!,
+              maxLines: 1,
+              overflow: TextOverflow.ellipsis,
+              style: Theme.of(context).textTheme.bodySmall?.copyWith(
+                    color: Theme.of(context).colorScheme.primary,
+                  ),
+            ),
+        ],
+      ),
+      trailing: Row(
+        mainAxisSize: MainAxisSize.min,
+        children: [
+          if (thread.isFlagged)
+            const Icon(Icons.star, color: Colors.amber, size: 16),
+          const SizedBox(width: 4),
+          Text(
+            _fmtDate(thread.latestDate),
+            style: Theme.of(context).textTheme.bodySmall,
+          ),
+        ],
+      ),
+      selected: selected,
+      onTap: onTap,
+      onLongPress: onLongPress,
+    );
+  }
+}

linux/CMakeLists.txt

@@ -102,3 +102,7 @@ if(NOT CMAKE_BUILD_TYPE MATCHES "Debug")
   install(FILES "${AOT_LIBRARY}" DESTINATION "${INSTALL_BUNDLE_LIB_DIR}"
     COMPONENT Runtime)
 endif()
+
+install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/sharedinbox.png"
+  DESTINATION "${CMAKE_INSTALL_PREFIX}"
+  COMPONENT Runtime)

linux/my_application.cc

@@ -31,6 +31,8 @@ static void my_application_activate(GApplication* application) {
 
   fl_register_plugins(FL_PLUGIN_REGISTRY(view));
 
+  gtk_window_set_icon_from_file(window, "sharedinbox.png", nullptr);
+
   // Show AFTER adding FlView so GTK's first layout pass allocates the full
   // window content area (1280×800) to FlView, not the default 1×1.
   gtk_widget_show_all(GTK_WIDGET(window));

pubspec.lock

@@ -371,6 +371,14 @@ packages:
     description: flutter
     source: sdk
     version: "0.0.0"
+  flutter_launcher_icons:
+    dependency: "direct dev"
+    description:
+      name: flutter_launcher_icons
+      sha256: "10f13781741a2e3972126fae08393d3c4e01fa4cd7473326b94b72cf594195e7"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.14.4"
   flutter_lints:
     dependency: "direct dev"
     description:
@@ -562,6 +570,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "4.1.2"
+  image:
+    dependency: transitive
+    description:
+      name: image
+      sha256: f9881ff4998044947ec38d098bc7c8316ae1186fa786eddffdb867b9bc94dfce
+      url: "https://pub.dev"
+    source: hosted
+    version: "4.8.0"
   integration_test:
     dependency: "direct dev"
     description: flutter

pubspec.yaml

@@ -19,6 +19,7 @@ dependencies:
 
   # Local persistence (offline-first)
   drift: ^2.20.3
+  sqlite3: ^3.1.5  # used directly in lib/data/db/database.dart (_setupPragmas)
   sqlite3_flutter_libs: ^0.6.0+eol
   path_provider: ^2.1.5
   path: ^1.9.1
@@ -78,9 +79,17 @@ dev_dependencies:
   mockito: ^5.4.4
   fake_async: ^1.3.1
   path_provider_platform_interface: ^2.1.2
-  sqlite3: ^3.1.5  # used directly in test/unit/db_test_helper.dart; 3.x required for Database.close()
   url_launcher_platform_interface: ^2.3.2
   plugin_platform_interface: ^2.1.8
+  flutter_launcher_icons: ^0.14.0
+
+flutter_icons:
+  android: "ic_launcher"
+  ios: false
+  image_path: "icon.png"
+  linux:
+    generate: true
+    image_path: "icon.png"
 
 flutter:
   uses-material-design: true

renovate.json

@@ -19,6 +19,14 @@
     }
   ],
   "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": ["^\\.fvmrc$"],
+      "matchStrings": ["\"flutter\":\\s*\"(?<currentValue>[^\"]+)\""],
+      "depNameTemplate": "ghcr.io/cirruslabs/flutter",
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "semver"
+    },
     {
       "customType": "regex",
       "fileMatch": ["^\\.forgejo/Dockerfile$"],

scripts/check_coverage.dart

@@ -23,6 +23,8 @@ const _noCode = {
   'lib/core/repositories/user_preferences_repository.dart',
   'lib/core/models/undo_action.dart',
   'lib/core/models/user_preferences.dart',
+  'lib/core/models/note.dart',
+  'lib/core/repositories/note_repository.dart',
   'lib/core/storage/secure_storage.dart',
 };
 
@@ -55,6 +57,7 @@ const _excluded = {
   'lib/ui/screens/sieve_scripts_screen.dart',
   'lib/ui/screens/sync_log_screen.dart',
   'lib/ui/screens/thread_detail_screen.dart',
+  'lib/ui/screens/undo_log_detail_screen.dart',
   'lib/ui/screens/undo_log_screen.dart',
   'lib/ui/widgets/folder_drawer.dart',
   'lib/ui/widgets/secure_email_webview.dart',
@@ -83,6 +86,8 @@ const _excluded = {
   'lib/core/services/update_service.dart',
   'lib/ui/widgets/email_thread_tile.dart',
   'lib/ui/screens/trusted_image_senders_screen.dart',
+  'lib/data/repositories/note_repository_impl.dart',
+  'lib/ui/widgets/thread_tile.dart',
 };
 
 void main() {

scripts/setup_dagger_remote.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+[ "${CI:-}" = "true" ] || [ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 
 if [ -z "${SOPS_AGE_KEY:-}" ]; then
     echo "Error: SOPS_AGE_KEY must be set."
@@ -16,12 +17,25 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
 DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
 
+# Register inline secrets for log redaction. Multiline values (e.g. SSH keys)
+# must be masked line-by-line because ::add-mask:: covers one line at a time.
+printf '::add-mask::%s\n' "$DAGGER_ENGINE_HOST"
+while IFS= read -r line; do
+    [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
+done <<< "$DAGGER_SSH_KEY"
+
 # Export all CI secrets to the GitHub Actions environment so subsequent steps
 # can use them without referencing Forgejo secrets directly.
 export_secret() {
     local name="$1"
     local value
     value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
+    # Register each non-empty line for log redaction in the Actions runner.
+    if [ -n "$value" ] && [ -n "${GITHUB_ENV:-}" ]; then
+        while IFS= read -r line; do
+            [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
+        done <<< "$value"
+    fi
     if [ -n "${GITHUB_ENV:-}" ]; then
         # Use heredoc syntax for multiline-safe export.
         # Avoid adding a second trailing newline for values that already end with one
@@ -50,6 +64,7 @@ export_secret "RENOVATE_FORGEJO_TOKEN"
 # Setup SSH directory and keys
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
+rm -f ~/.ssh/dagger_key
 echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
 chmod 600 ~/.ssh/dagger_key
 
@@ -61,11 +76,12 @@ if [ "$_elapsed" -gt 10 ]; then
     echo "::warning::ssh-keyscan took ${_elapsed}s — Dagger engine host may be slow to respond"
 fi
 
-# Create a background SSH tunnel to the Dagger engine.
-# We map local port 8080 to remote port 1774 (where our socat bridge is listening).
+# Create a background SSH tunnel to the Dagger engine Unix socket.
+# Forwards local TCP port 8080 directly to /run/dagger/engine.sock on the remote host,
+# eliminating the need for a socat bridge on the server side.
 echo "Establishing SSH tunnel to $DAGGER_ENGINE_HOST..."
 _t0=$SECONDS
-timeout 30 ssh -i ~/.ssh/dagger_key -o StrictHostKeyChecking=no -f -N -L 8080:localhost:1774 "dagger@$DAGGER_ENGINE_HOST"
+timeout 30 ssh -i ~/.ssh/dagger_key -o StrictHostKeyChecking=no -f -N -L 8080:/run/dagger/engine.sock "dagger@$DAGGER_ENGINE_HOST"
 _elapsed=$(( SECONDS - _t0 ))
 if [ "$_elapsed" -gt 10 ]; then
     echo "::warning::SSH tunnel setup took ${_elapsed}s"

stalwart-dev/integration_android_test.sh

@@ -7,6 +7,7 @@
 # Run inside nix develop:
 #   stalwart-dev/integration_android_test.sh
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 
 _SCRIPT_START=$(date +%s%3N)
 ts() { echo "[$(( $(date +%s%3N) - _SCRIPT_START ))ms] $*"; }

stalwart-dev/integration_ui_test.sh

@@ -5,6 +5,7 @@
 #
 # Run inside nix develop: stalwart-dev/integration_ui_test.sh
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 
 # Timing helper: prints elapsed seconds since script start with a label.
 _SCRIPT_START=$(date +%s%3N)

stalwart-dev/test.sh

@@ -2,6 +2,7 @@
 # Starts Stalwart in the background on fresh random ports, runs Flutter
 # integration tests, then stops it.
 set -Eeuo pipefail
+[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
 trap 'echo "Warning: A command failed ($0:$LINENO)"; exit 3' ERR
 
 export STALWART_USER_B="${STALWART_USER_B:-alice@example.com}"

test/backend/account_sync_manager_test.dart

@@ -169,6 +169,15 @@ class _FakeMailboxes implements MailboxRepository {
         unreadCount: 0,
         totalCount: 0,
       );
+  @override
+  Future<Mailbox> createMailbox(String accountId, String name) async => Mailbox(
+        id: '$accountId:$name',
+        accountId: accountId,
+        path: name,
+        name: name,
+        unreadCount: 0,
+        totalCount: 0,
+      );
 }
 
 class _FakeEmails implements EmailRepository {

test/backend/chaos_monkey_test.dart

@@ -0,0 +1,224 @@
+// Chaos monkey test — drives the email repository through random operations
+// against a live Stalwart instance to surface crashes and data-corruption bugs.
+//
+// Run via: stalwart-dev/test.sh
+//
+// Environment variables:
+//   STALWART_IMAP_HOST, STALWART_IMAP_PORT
+//   STALWART_SMTP_HOST, STALWART_SMTP_PORT
+//   STALWART_USER_B / STALWART_PASS_B  (alice@example.com)
+//   CHAOS_ROUNDS  (default: 30) — number of random operations to perform
+//   CHAOS_SEED    (default: current epoch ms) — seed for reproducibility
+
+@Tags(['nightly'])
+library;
+
+import 'dart:io';
+import 'dart:math';
+
+import 'package:enough_mail/enough_mail.dart';
+import 'package:sharedinbox/core/models/account.dart';
+import 'package:sharedinbox/core/models/email.dart' as email_model;
+import 'package:sharedinbox/data/db/database.dart' hide Account;
+import 'package:sharedinbox/data/repositories/account_repository_impl.dart';
+import 'package:sharedinbox/data/repositories/email_repository_impl.dart';
+import 'package:test/test.dart';
+
+import '../unit/account_repository_impl_test.dart' show MapSecureStorage;
+import '../unit/db_test_helper.dart';
+
+String _env(String key, [String fallback = '']) =>
+    Platform.environment[key] ?? fallback;
+
+Future<ImapClient> _imapConnectPlain(
+  Account account,
+  String username,
+  String password,
+) async {
+  final client =
+      ImapClient(defaultResponseTimeout: const Duration(seconds: 20));
+  await client.connectToServer(
+    account.imapHost,
+    account.imapPort,
+    isSecure: false,
+  );
+  await client.login(username, password);
+  return client;
+}
+
+Future<SmtpClient> _smtpConnectPlain(
+  Account account,
+  String username,
+  String password,
+) async {
+  final atIndex = account.email.lastIndexOf('@');
+  final domain =
+      atIndex != -1 ? account.email.substring(atIndex + 1) : account.smtpHost;
+  final client = SmtpClient(domain);
+  await client.connectToServer(
+    account.smtpHost,
+    account.smtpPort,
+    isSecure: false,
+  );
+  await client.ehlo();
+  await client.authenticate(username, password);
+  return client;
+}
+
+Future<void> _clearMailbox(
+  Account account,
+  String userEmail,
+  String userPass,
+  String mailboxPath,
+) async {
+  final client = await _imapConnectPlain(account, userEmail, userPass);
+  try {
+    final box = await client.selectMailboxByPath(mailboxPath);
+    if (box.messagesExists == 0) return;
+    final result = await client.uidSearchMessages(searchCriteria: 'ALL');
+    final uids = result.matchingSequence?.toList() ?? [];
+    if (uids.isEmpty) return;
+    final seq = MessageSequence.fromIds(uids, isUid: true);
+    await client.uidMarkDeleted(seq);
+    await client.uidExpunge(seq);
+  } finally {
+    await client.logout();
+  }
+}
+
+void main() {
+  late String imapHost;
+  late int imapPort;
+  late String smtpHost;
+  late int smtpPort;
+  late String userEmail;
+  late String userPass;
+  late Account account;
+  late AppDatabase db;
+  late EmailRepositoryImpl emails;
+
+  setUpAll(configureSqliteForTests);
+
+  setUp(() async {
+    imapHost = _env('STALWART_IMAP_HOST', '127.0.0.1');
+    imapPort = int.parse(_env('STALWART_IMAP_PORT', '1430'));
+    smtpHost = _env('STALWART_SMTP_HOST', '127.0.0.1');
+    smtpPort = int.parse(_env('STALWART_SMTP_PORT', '1025'));
+    userEmail = _env('STALWART_USER_B', 'alice@example.com');
+    userPass = _env('STALWART_PASS_B', 'secret');
+
+    account = Account(
+      id: 'chaos',
+      displayName: 'Chaos',
+      email: userEmail,
+      imapHost: imapHost,
+      imapPort: imapPort,
+      imapSsl: false,
+      smtpHost: smtpHost,
+      smtpPort: smtpPort,
+    );
+
+    db = openTestDatabase();
+    final secureStorage = MapSecureStorage();
+    final accounts = AccountRepositoryImpl(db, secureStorage);
+    await accounts.addAccount(account, userPass);
+    emails = EmailRepositoryImpl(
+      db,
+      accounts,
+      imapConnect: _imapConnectPlain,
+      smtpConnect: _smtpConnectPlain,
+    );
+
+    await _clearMailbox(account, userEmail, userPass, 'INBOX');
+  });
+
+  tearDown(() => db.close());
+
+  test('chaos monkey — random operations do not crash the repository',
+      timeout: Timeout.none, () async {
+    final seedStr = _env('CHAOS_SEED');
+    final seed = seedStr.isEmpty
+        ? DateTime.now().millisecondsSinceEpoch
+        : int.parse(seedStr);
+    final rounds = int.parse(_env('CHAOS_ROUNDS', '30'));
+    final rng = Random(seed);
+
+    stdout.writeln('chaos-monkey: seed=$seed rounds=$rounds');
+
+    // Seed INBOX with a few messages so early rounds have something to act on.
+    for (var i = 0; i < 3; i++) {
+      await emails.sendEmail(
+        account.id,
+        email_model.EmailDraft(
+          from: email_model.EmailAddress(name: 'Chaos', email: userEmail),
+          to: [email_model.EmailAddress(email: userEmail)],
+          cc: [],
+          subject: 'seed-$i',
+          body: 'Seed email $i.',
+        ),
+      );
+    }
+    await emails.syncEmails(account.id, 'INBOX');
+
+    for (var round = 0; round < rounds; round++) {
+      final action = rng.nextInt(8);
+      stdout.writeln('chaos-monkey: round=$round action=$action');
+
+      switch (action) {
+        case 0: // sync INBOX
+          await emails.syncEmails(account.id, 'INBOX');
+
+        case 1: // sync Sent
+          await emails.syncEmails(account.id, 'Sent');
+
+        case 2: // send email to self
+          final subject = 'chaos-$round-${rng.nextInt(9999)}';
+          await emails.sendEmail(
+            account.id,
+            email_model.EmailDraft(
+              from: email_model.EmailAddress(name: 'Chaos', email: userEmail),
+              to: [email_model.EmailAddress(email: userEmail)],
+              cc: [],
+              subject: subject,
+              body: 'Round $round. Value: ${rng.nextInt(1000000)}.',
+            ),
+          );
+
+        case 3: // mark random email seen
+          final inbox = await emails.observeEmails(account.id, 'INBOX').first;
+          if (inbox.isEmpty) break;
+          final e = inbox[rng.nextInt(inbox.length)];
+          await emails.setFlag(e.id, seen: true);
+
+        case 4: // mark random email unseen
+          final inbox = await emails.observeEmails(account.id, 'INBOX').first;
+          if (inbox.isEmpty) break;
+          final e = inbox[rng.nextInt(inbox.length)];
+          await emails.setFlag(e.id, seen: false);
+
+        case 5: // toggle flagged on random email
+          final inbox = await emails.observeEmails(account.id, 'INBOX').first;
+          if (inbox.isEmpty) break;
+          final e = inbox[rng.nextInt(inbox.length)];
+          await emails.setFlag(e.id, flagged: !e.isFlagged);
+
+        case 6: // flush pending changes to server
+          final flushed =
+              await emails.flushPendingChanges(account.id, userPass);
+          stdout.writeln('chaos-monkey: flushed $flushed pending changes');
+
+        case 7: // delete random email
+          final inbox = await emails.observeEmails(account.id, 'INBOX').first;
+          if (inbox.isEmpty) break;
+          final e = inbox[rng.nextInt(inbox.length)];
+          await emails.deleteEmail(e.id);
+      }
+    }
+
+    // Final flush and sync to confirm the server is in a consistent state.
+    final flushed = await emails.flushPendingChanges(account.id, userPass);
+    stdout.writeln('chaos-monkey: final flush flushed=$flushed');
+    final result = await emails.syncEmails(account.id, 'INBOX');
+    stdout.writeln('chaos-monkey: final sync fetched=${result.fetched}');
+  });
+}

test/backend/email_repository_imap_test.dart

@@ -421,6 +421,7 @@ void main() {
 
     final r = makeRepo();
     await r.accounts.addAccount(account, userPass);
+    await r.emails.syncEmails('test', 'INBOX');
 
     final results = await r.emails.searchEmails('test', 'INBOX', uniqueWord);
     expect(results, hasLength(1));
@@ -432,6 +433,7 @@ void main() {
 
     final r = makeRepo();
     await r.accounts.addAccount(account, userPass);
+    await r.emails.syncEmails('test', 'INBOX');
 
     final results = await r.emails.searchEmails(
       'test',

test/unit/account_sync_manager_test.dart

@@ -239,6 +239,15 @@ class FakeMailboxRepositoryWithInbox implements MailboxRepository {
         unreadCount: 0,
         totalCount: 0,
       );
+  @override
+  Future<Mailbox> createMailbox(String accountId, String name) async => Mailbox(
+        id: '$accountId:$name',
+        accountId: accountId,
+        path: name,
+        name: name,
+        unreadCount: 0,
+        totalCount: 0,
+      );
 }
 
 class _AccountRepositoryWithMissingPlugin implements AccountRepository {

test/unit/account_sync_manager_test.mocks.dart

@@ -235,6 +235,31 @@ class MockMailboxRepository extends _i1.Mock implements _i8.MailboxRepository {
           ),
         )),
       ) as _i5.Future<_i2.Mailbox>);
+
+  @override
+  _i5.Future<_i2.Mailbox> createMailbox(
+    String? accountId,
+    String? name,
+  ) =>
+      (super.noSuchMethod(
+        Invocation.method(
+          #createMailbox,
+          [
+            accountId,
+            name,
+          ],
+        ),
+        returnValue: _i5.Future<_i2.Mailbox>.value(_FakeMailbox_0(
+          this,
+          Invocation.method(
+            #createMailbox,
+            [
+              accountId,
+              name,
+            ],
+          ),
+        )),
+      ) as _i5.Future<_i2.Mailbox>);
 }
 
 /// A class which mocks [EmailRepository].

test/unit/email_repository_impl_test.dart

@@ -453,6 +453,191 @@ void main() {
       expect(results.first.subject, 'foobar baz');
     });
 
+    test('searchEmails filters by mailboxPath using local FTS5', () async {
+      final r = _makeRepos();
+      await r.accounts.addAccount(_account, 'pw');
+
+      // Insert matching email in INBOX.
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:1',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 1,
+              subject: const Value('Meeting agenda'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+      // Insert matching email in a different mailbox — must not appear.
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:2',
+              accountId: 'acc-1',
+              mailboxPath: 'Sent',
+              uid: 2,
+              subject: const Value('Meeting follow-up'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+
+      final results = await r.emails.searchEmails('acc-1', 'INBOX', 'meeting');
+      expect(results, hasLength(1));
+      expect(results.first.subject, 'Meeting agenda');
+      expect(results.first.mailboxPath, 'INBOX');
+    });
+
+    test('searchEmailsGlobal includes emails matched by note text', () async {
+      final r = _makeRepos();
+      await r.accounts.addAccount(_account, 'pw');
+
+      // Email whose subject does NOT match — but its note does.
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:1',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 1,
+              messageId: const Value('<msg1@example.com>'),
+              subject: const Value('Weekly report'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+      // Add a note referencing the email's messageId.
+      await r.db.into(r.db.emailNotes).insert(
+            EmailNotesCompanion.insert(
+              id: 'note-1',
+              accountId: 'acc-1',
+              messageId: '<msg1@example.com>',
+              noteText: 'Urgent follow-up needed',
+              serverId: '42',
+              createdAt: DateTime(2024),
+            ),
+          );
+
+      final results = await r.emails.searchEmailsGlobal(null, 'urgent');
+      expect(results, hasLength(1));
+      expect(results.first.subject, 'Weekly report');
+    });
+
+    test('searchEmails includes emails matched by note text in mailbox',
+        () async {
+      final r = _makeRepos();
+      await r.accounts.addAccount(_account, 'pw');
+
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:1',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 1,
+              messageId: const Value('<msg1@example.com>'),
+              subject: const Value('Project update'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+      // Email in a different mailbox — its note must not appear in INBOX search.
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:2',
+              accountId: 'acc-1',
+              mailboxPath: 'Sent',
+              uid: 2,
+              messageId: const Value('<msg2@example.com>'),
+              subject: const Value('Other email'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+      await r.db.into(r.db.emailNotes).insert(
+            EmailNotesCompanion.insert(
+              id: 'note-1',
+              accountId: 'acc-1',
+              messageId: '<msg1@example.com>',
+              noteText: 'remember to call client',
+              serverId: '42',
+              createdAt: DateTime(2024),
+            ),
+          );
+      await r.db.into(r.db.emailNotes).insert(
+            EmailNotesCompanion.insert(
+              id: 'note-2',
+              accountId: 'acc-1',
+              messageId: '<msg2@example.com>',
+              noteText: 'remember to call client',
+              serverId: '43',
+              createdAt: DateTime(2024),
+            ),
+          );
+
+      final results = await r.emails.searchEmails('acc-1', 'INBOX', 'client');
+      expect(results, hasLength(1));
+      expect(results.first.subject, 'Project update');
+      expect(results.first.mailboxPath, 'INBOX');
+    });
+
+    test('searchEmailsGlobal returns results sorted by receivedAt descending',
+        () async {
+      final r = _makeRepos();
+      await r.accounts.addAccount(_account, 'pw');
+
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:1',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 1,
+              subject: const Value('Older report'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:2',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 2,
+              subject: const Value('Newer report'),
+              receivedAt: DateTime(2024, 6),
+            ),
+          );
+
+      final results = await r.emails.searchEmailsGlobal(null, 'report');
+      expect(results, hasLength(2));
+      expect(results[0].subject, 'Newer report');
+      expect(results[1].subject, 'Older report');
+    });
+
+    test('searchEmails returns results sorted by receivedAt descending',
+        () async {
+      final r = _makeRepos();
+      await r.accounts.addAccount(_account, 'pw');
+
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:1',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 1,
+              subject: const Value('Older meeting'),
+              receivedAt: DateTime(2024),
+            ),
+          );
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:2',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 2,
+              subject: const Value('Newer meeting'),
+              receivedAt: DateTime(2024, 6),
+            ),
+          );
+
+      final results = await r.emails.searchEmails('acc-1', 'INBOX', 'meeting');
+      expect(results, hasLength(2));
+      expect(results[0].subject, 'Newer meeting');
+      expect(results[1].subject, 'Older meeting');
+    });
+
     test(
       'searchAddresses returns results sorted by most recently used',
       () async {

test/unit/glob_match_test.dart

@@ -0,0 +1,50 @@
+import 'package:flutter_test/flutter_test.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
+
+void main() {
+  group('globMatch', () {
+    test('exact match (no wildcards)', () {
+      expect(globMatch('alice@example.com', 'alice@example.com'), isTrue);
+      expect(globMatch('alice@example.com', 'bob@example.com'), isFalse);
+    });
+
+    test('* matches any domain wildcard', () {
+      expect(globMatch('alice@example.com', '*@example.com'), isTrue);
+      expect(globMatch('bob@example.com', '*@example.com'), isTrue);
+      expect(globMatch('alice@other.com', '*@example.com'), isFalse);
+    });
+
+    test('* matches zero or more characters', () {
+      expect(
+        globMatch('newsletter@news.example.com', '*@*.example.com'),
+        isTrue,
+      );
+      expect(globMatch('alice@example.com', 'alice*'), isTrue);
+      expect(globMatch('alice@example.com', '*example*'), isTrue);
+    });
+
+    test('? matches exactly one character', () {
+      expect(globMatch('alice@example.com', 'alice@exampl?.com'), isTrue);
+      expect(globMatch('alice@example.com', 'alice@exampl??.com'), isFalse);
+    });
+
+    test('case-insensitive comparison', () {
+      expect(globMatch('Alice@Example.COM', '*@example.com'), isTrue);
+      expect(globMatch('alice@example.com', '*@EXAMPLE.COM'), isTrue);
+    });
+
+    test('no wildcards — mismatch is false', () {
+      expect(globMatch('alice@example.com', 'alice@other.com'), isFalse);
+    });
+
+    test('bare * matches everything', () {
+      expect(globMatch('alice@example.com', '*'), isTrue);
+      expect(globMatch('', '*'), isTrue);
+    });
+
+    test('empty pattern only matches empty string', () {
+      expect(globMatch('', ''), isTrue);
+      expect(globMatch('alice@example.com', ''), isFalse);
+    });
+  });
+}

test/unit/migration_test.dart

@@ -14,7 +14,7 @@ void main() {
   group('Migration', () {
     test('schemaVersion matches expected value', () async {
       final db = AppDatabase(NativeDatabase.memory());
-      expect(db.schemaVersion, 38);
+      expect(db.schemaVersion, 40);
       await db.close();
     });
 
@@ -424,12 +424,18 @@ void main() {
         expect(userPrefsColumns, contains('prefetch_mode'));
         expect(userPrefsColumns, contains('body_cache_limit_mb'));
 
+        // v39: email_notes table.
+        await db.customSelect('SELECT count(*) FROM email_notes').get();
+
+        // v40: installed_versions table.
+        await db.customSelect('SELECT count(*) FROM installed_versions').get();
+
         await db.close();
         if (dbFile.existsSync()) dbFile.deleteSync();
       },
     );
 
-    test('fresh install creates all tables at schemaVersion 38', () async {
+    test('fresh install creates all tables at schemaVersion 40', () async {
       final db = AppDatabase(NativeDatabase.memory());
       await db.select(db.accounts).get();
 
@@ -458,6 +464,8 @@ void main() {
           'local_sieve_applied', // v32
           'user_preferences', // v34
           'image_trusted_senders', // v37
+          'email_notes', // v39
+          'installed_versions', // v40
         ]),
       );
 
@@ -493,7 +501,49 @@ void main() {
       expect(userPrefsColumns, contains('prefetch_mode'));
       expect(userPrefsColumns, contains('body_cache_limit_mb'));
 
+      // v39: email_notes table.
+      await db.customSelect('SELECT count(*) FROM email_notes').get();
+
+      // v40: installed_versions table.
+      await db.customSelect('SELECT count(*) FROM installed_versions').get();
+
       await db.close();
     });
   });
+
+  // Regression test for https://codeberg.org/guettli/sharedinbox/issues/508:
+  // _openConnection's setup callback must not crash when PRAGMA journal_mode =
+  // WAL fails with SQLITE_BUSY_SNAPSHOT (extended code 261, primary code 5)
+  // because a WorkManager background task already has the DB open in WAL mode.
+  group('WAL setup (#508)', () {
+    test(
+      'setupPragmasForTesting does not throw when WAL is already active and '
+      'another connection holds an open read transaction',
+      () {
+        final dbFile = File('test_wal_busy_508.db');
+        if (dbFile.existsSync()) dbFile.deleteSync();
+        addTearDown(() {
+          if (dbFile.existsSync()) dbFile.deleteSync();
+        });
+
+        // conn1: enable WAL and keep a read transaction open — simulates a
+        // WorkManager background task that opened the DB before the foreground
+        // app starts.
+        final conn1 = sqlite.sqlite3.open(dbFile.path);
+        conn1.execute('PRAGMA journal_mode = WAL;');
+        conn1.execute('BEGIN;');
+        conn1.select('SELECT 1;');
+
+        // conn2: run the exact production setup through setupPragmasForTesting.
+        // This must not throw even though conn1 holds an open transaction and
+        // the DB is already in WAL mode.
+        final conn2 = sqlite.sqlite3.open(dbFile.path);
+        expect(() => setupPragmasForTesting(conn2), returnsNormally);
+
+        conn1.execute('ROLLBACK;');
+        conn1.close();
+        conn2.close();
+      },
+    );
+  });
 }

test/unit/reliability_runner_check_now_test.dart

@@ -77,6 +77,15 @@ class _FakeMailboxes implements MailboxRepository {
         unreadCount: 0,
         totalCount: 0,
       );
+  @override
+  Future<Mailbox> createMailbox(String accountId, String name) async => Mailbox(
+        id: '$accountId:$name',
+        accountId: accountId,
+        path: name,
+        name: name,
+        unreadCount: 0,
+        totalCount: 0,
+      );
 }
 
 class _FakeEmails implements EmailRepository {

test/unit/reliability_runner_test.dart

@@ -67,6 +67,15 @@ class _FakeMailboxes implements MailboxRepository {
         unreadCount: 0,
         totalCount: 0,
       );
+  @override
+  Future<Mailbox> createMailbox(String accountId, String name) async => Mailbox(
+        id: '$accountId:$name',
+        accountId: accountId,
+        path: name,
+        name: name,
+        unreadCount: 0,
+        totalCount: 0,
+      );
 }
 
 class _CountingEmails implements EmailRepository {

test/widget/about_screen_test.dart

@@ -50,7 +50,10 @@ Widget _buildScreen({List<Account> accounts = const []}) {
         FakeAccountRepository(accounts),
       ),
     ],
-    child: const MaterialApp(home: AboutScreen()),
+    child: MaterialApp(
+      theme: ThemeData(splashFactory: NoSplash.splashFactory),
+      home: const AboutScreen(),
+    ),
   );
 }
 

test/widget/changelog_screen_test.dart

@@ -1,8 +1,12 @@
 import 'dart:convert';
 
+import 'package:drift/native.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_test/flutter_test.dart';
+import 'package:sharedinbox/data/db/database.dart';
+import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/changelog_screen.dart';
 
 class _FakeAssetBundle extends CachingAssetBundle {
@@ -19,16 +23,33 @@ class _FakeAssetBundle extends CachingAssetBundle {
   }
 }
 
+Widget _buildScreen({
+  required Map<String, String> assets,
+  Map<String, DateTime> installedVersions = const {},
+}) {
+  return ProviderScope(
+    overrides: [
+      dbProvider.overrideWith((ref) {
+        final db = AppDatabase(NativeDatabase.memory());
+        ref.onDispose(db.close);
+        return db;
+      }),
+      installedVersionsProvider.overrideWith((ref) async => installedVersions),
+    ],
+    child: DefaultAssetBundle(
+      bundle: _FakeAssetBundle(assets),
+      child: const MaterialApp(home: ChangeLogScreen()),
+    ),
+  );
+}
+
 const _fakeChangelog =
     '* 2024-01-01 feat: initial release\n* 2024-01-02 fix: resolve crash\n';
 
 void main() {
   testWidgets('ChangeLogScreen shows changelog content', (tester) async {
     await tester.pumpWidget(
-      DefaultAssetBundle(
-        bundle: _FakeAssetBundle({'assets/changelog.txt': _fakeChangelog}),
-        child: const MaterialApp(home: ChangeLogScreen()),
-      ),
+      _buildScreen(assets: {'assets/changelog.txt': _fakeChangelog}),
     );
     await tester.pumpAndSettle();
 
@@ -41,14 +62,58 @@ void main() {
   testWidgets('ChangeLogScreen shows error when asset is missing', (
     tester,
   ) async {
-    await tester.pumpWidget(
-      DefaultAssetBundle(
-        bundle: _FakeAssetBundle({}),
-        child: const MaterialApp(home: ChangeLogScreen()),
-      ),
-    );
+    await tester.pumpWidget(_buildScreen(assets: {}));
     await tester.pumpAndSettle();
 
     expect(find.textContaining('Error loading changelog'), findsOneWidget);
   });
+
+  testWidgets('ChangeLogScreen injects install marker for a known hash', (
+    tester,
+  ) async {
+    const changelog =
+        '* 2024-01-01 [abc1234](https://example.com/abc1234): feat: initial release\n';
+    final installedAt = DateTime(2024, 6, 15, 14, 32);
+
+    await tester.pumpWidget(
+      _buildScreen(
+        assets: {'assets/changelog.txt': changelog},
+        installedVersions: {'abc1234': installedAt},
+      ),
+    );
+    await tester.pumpAndSettle();
+
+    expect(find.textContaining('Installed: 14:32'), findsOneWidget);
+    expect(find.textContaining('15 Jun 2024'), findsOneWidget);
+    expect(find.textContaining('initial release'), findsOneWidget);
+  });
+
+  testWidgets('ChangeLogScreen shows no markers when no version recorded', (
+    tester,
+  ) async {
+    const changelog =
+        '* 2024-01-01 [abc1234](https://example.com/abc1234): feat: initial release\n';
+
+    await tester.pumpWidget(
+      _buildScreen(assets: {'assets/changelog.txt': changelog}),
+    );
+    await tester.pumpAndSettle();
+
+    expect(find.textContaining('Installed:'), findsNothing);
+    expect(find.textContaining('initial release'), findsOneWidget);
+  });
+
+  testWidgets('ChangeLogScreen renders #NNN as a tappable link', (
+    tester,
+  ) async {
+    const changelog = '* 2024-03-01 fix: resolve crash, see #42\n';
+
+    await tester.pumpWidget(
+      _buildScreen(assets: {'assets/changelog.txt': changelog}),
+    );
+    await tester.pumpAndSettle();
+
+    // The link text "#42" must be visible in the rendered output.
+    expect(find.textContaining('#42'), findsOneWidget);
+  });
 }

test/widget/email_list_screen_test.dart

@@ -1,3 +1,5 @@
+import 'dart:async';
+
 import 'package:flutter/material.dart';
 import 'package:flutter_test/flutter_test.dart';
 
@@ -102,30 +104,6 @@ void main() {
       expect(find.byIcon(Icons.star), findsOneWidget);
     });
 
-    testWidgets('tapping search icon shows search bar', (tester) async {
-      await tester.pumpWidget(
-        buildApp(
-          initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
-          overrides: [
-            accountRepositoryProvider.overrideWithValue(
-              FakeAccountRepository([kTestAccount]),
-            ),
-            mailboxRepositoryProvider.overrideWithValue(
-              FakeMailboxRepository(),
-            ),
-            emailRepositoryProvider.overrideWithValue(FakeEmailRepository()),
-          ],
-        ),
-      );
-      await tester.pumpAndSettle();
-
-      await tester.tap(find.byIcon(Icons.search));
-      await tester.pumpAndSettle();
-
-      expect(find.byType(TextField), findsOneWidget);
-      expect(find.text('Search…'), findsOneWidget);
-    });
-
     testWidgets('submitting a search query shows "No results" when empty', (
       tester,
     ) async {
@@ -430,6 +408,230 @@ void main() {
       expect(find.text('Result email'), findsWidgets);
     });
 
+    testWidgets(
+      'tapping first of multiple search results opens the first email',
+      (tester) async {
+        final email1 = testEmail(id: 'acc-1:1', subject: 'Alpha Match');
+        final email2 = testEmail(id: 'acc-1:2', subject: 'Beta Match');
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
+            overrides: [
+              accountRepositoryProvider.overrideWithValue(
+                FakeAccountRepository([kTestAccount]),
+              ),
+              mailboxRepositoryProvider.overrideWithValue(
+                FakeMailboxRepository(),
+              ),
+              emailRepositoryProvider.overrideWithValue(
+                FakeEmailRepository(
+                  searchResults: [email1, email2],
+                  emailBody: const EmailBody(emailId: '', attachments: []),
+                ),
+              ),
+            ],
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        await tester.enterText(find.byType(TextField), 'Match');
+        await tester.testTextInput.receiveAction(TextInputAction.search);
+        await tester.pumpAndSettle();
+
+        expect(find.text('Alpha Match'), findsOneWidget);
+        expect(find.text('Beta Match'), findsOneWidget);
+
+        // Tap the first result.
+        await tester.tap(find.text('Alpha Match'));
+        await tester.pumpAndSettle();
+
+        expect(find.byType(EmailDetailScreen), findsOneWidget);
+        // The detail AppBar title shows the first email's subject.
+        expect(
+          find.descendant(
+            of: find.byType(AppBar),
+            matching: find.text('Alpha Match'),
+          ),
+          findsOneWidget,
+        );
+        // The second email's subject must not appear in the detail view.
+        expect(
+          find.descendant(
+            of: find.byType(EmailDetailScreen),
+            matching: find.text('Beta Match'),
+          ),
+          findsNothing,
+        );
+      },
+    );
+
+    testWidgets(
+      'stale search results from a slower concurrent search are discarded',
+      (tester) async {
+        // Reproduces: user types quickly, triggering multiple concurrent IMAP
+        // searches. An older, slower search must not overwrite the results for
+        // the user's current query (issue #467).
+        final staleEmail = testEmail(id: 'acc-1:1', subject: 'Stale Result');
+        final freshEmail = testEmail(id: 'acc-1:2', subject: 'Fresh Result');
+
+        // The first search call is held open by a Completer; all subsequent
+        // calls resolve immediately with freshEmail.
+        final staleCompleter = Completer<List<Email>>();
+        var firstCall = true;
+
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
+            overrides: [
+              accountRepositoryProvider.overrideWithValue(
+                FakeAccountRepository([kTestAccount]),
+              ),
+              mailboxRepositoryProvider.overrideWithValue(
+                FakeMailboxRepository(),
+              ),
+              emailRepositoryProvider.overrideWithValue(
+                FakeEmailRepository(
+                  onSearch: (_) {
+                    if (firstCall) {
+                      firstCall = false;
+                      return staleCompleter.future;
+                    }
+                    return Future.value([freshEmail]);
+                  },
+                  emailBody: const EmailBody(emailId: '', attachments: []),
+                ),
+              ),
+            ],
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        // Trigger the first (slow) search.
+        await tester.enterText(find.byType(TextField), 'slow');
+        await tester.testTextInput.receiveAction(TextInputAction.search);
+        // Do not pumpAndSettle yet — the slow search is still in flight.
+
+        // Trigger the second (fast) search by changing the query.
+        await tester.enterText(find.byType(TextField), 'fast');
+        await tester.testTextInput.receiveAction(TextInputAction.search);
+        await tester.pumpAndSettle(); // fast searches settle immediately
+
+        // The fresh results must be shown.
+        expect(find.text('Fresh Result'), findsOneWidget);
+        expect(find.text('Stale Result'), findsNothing);
+
+        // Now let the stale search complete.
+        staleCompleter.complete([staleEmail]);
+        await tester.pumpAndSettle();
+
+        // The stale results must NOT replace the fresh ones.
+        expect(find.text('Fresh Result'), findsOneWidget);
+        expect(find.text('Stale Result'), findsNothing);
+      },
+    );
+
+    testWidgets(
+      'pressing Enter on already-settled search does not re-run search (issue #473)',
+      (tester) async {
+        final email1 = testEmail(id: 'acc-1:1', subject: 'Alpha Match');
+        final email2 = testEmail(id: 'acc-1:2', subject: 'Beta Match');
+
+        var searchCallCount = 0;
+
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
+            overrides: [
+              accountRepositoryProvider.overrideWithValue(
+                FakeAccountRepository([kTestAccount]),
+              ),
+              mailboxRepositoryProvider.overrideWithValue(
+                FakeMailboxRepository(),
+              ),
+              emailRepositoryProvider.overrideWithValue(
+                FakeEmailRepository(
+                  onSearch: (_) async {
+                    searchCallCount++;
+                    return [email1, email2];
+                  },
+                  emailBody: const EmailBody(emailId: '', attachments: []),
+                ),
+              ),
+            ],
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        // Run the initial search.
+        await tester.enterText(find.byType(TextField), 'Match');
+        await tester.testTextInput.receiveAction(TextInputAction.search);
+        await tester.pumpAndSettle();
+
+        expect(find.text('Alpha Match'), findsOneWidget);
+        expect(find.text('Beta Match'), findsOneWidget);
+
+        final countAfterFirstSearch = searchCallCount;
+
+        // Re-focus the search bar (simulates user tapping back into the field
+        // with the keyboard still visible) and press Enter again on the same,
+        // already-settled query.
+        await tester.tap(find.byType(TextField));
+        await tester.pump();
+        await tester.testTextInput.receiveAction(TextInputAction.search);
+        await tester.pumpAndSettle();
+
+        // The search must NOT re-run; call count must not increase.
+        expect(
+          searchCallCount,
+          countAfterFirstSearch,
+          reason:
+              'Enter on settled results must not re-run the search (issue #473)',
+        );
+        // Results must still be visible — no loading spinner.
+        expect(find.byType(CircularProgressIndicator), findsNothing);
+        expect(find.text('Alpha Match'), findsOneWidget);
+      },
+    );
+
+    testWidgets(
+      'folder search returns results from local cache without any network call',
+      (tester) async {
+        // Verifies that searchEmails is backed by local SQLite (not IMAP).
+        // The repository throws if a network call is attempted, yet search
+        // must still return results.
+        final email = testEmail(subject: 'Cached subject');
+
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
+            overrides: [
+              accountRepositoryProvider.overrideWithValue(
+                FakeAccountRepository([kTestAccount]),
+              ),
+              mailboxRepositoryProvider.overrideWithValue(
+                FakeMailboxRepository(),
+              ),
+              emailRepositoryProvider.overrideWithValue(
+                FakeEmailRepository(
+                  onSearch: (_) async {
+                    // Local DB: return cached results immediately.
+                    return [email];
+                  },
+                  emailBody: const EmailBody(emailId: '', attachments: []),
+                ),
+              ),
+            ],
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        await tester.enterText(find.byType(TextField), 'Cached');
+        await tester.pumpAndSettle();
+
+        expect(find.text('Cached subject'), findsOneWidget);
+      },
+    );
+
     testWidgets('deleting all search results pops back to previous screen', (
       tester,
     ) async {

test/widget/helpers.dart

@@ -43,6 +43,7 @@ import 'package:sharedinbox/ui/screens/email_list_screen.dart';
 import 'package:sharedinbox/ui/screens/mailbox_list_screen.dart';
 import 'package:sharedinbox/ui/screens/search_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
+import 'package:sharedinbox/ui/screens/trusted_image_senders_screen.dart';
 import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
 
 // ---------------------------------------------------------------------------
@@ -192,6 +193,20 @@ class FakeMailboxRepository implements MailboxRepository {
     _mailboxes.add(mailbox);
     return mailbox;
   }
+
+  @override
+  Future<Mailbox> createMailbox(String accountId, String name) async {
+    final mailbox = Mailbox(
+      id: '$accountId:$name',
+      accountId: accountId,
+      path: name,
+      name: name,
+      unreadCount: 0,
+      totalCount: 0,
+    );
+    _mailboxes.add(mailbox);
+    return mailbox;
+  }
 }
 
 class FakeEmailRepository implements EmailRepository {
@@ -202,12 +217,17 @@ class FakeEmailRepository implements EmailRepository {
 
   final List<Email> _searchResults;
 
+  /// Optional override: when set, [searchEmails] calls this instead of
+  /// returning [_searchResults]. Useful for testing race-condition fixes.
+  final Future<List<Email>> Function(String query)? onSearch;
+
   FakeEmailRepository({
     List<Email>? emails,
     Email? emailDetail,
     EmailBody? emailBody,
     List<Email>? searchResults,
     String rawRfc822 = '',
+    this.onSearch,
   })  : _emails = emails ?? [],
         _emailDetail = emailDetail,
         _searchResults = searchResults ?? [],
@@ -260,7 +280,15 @@ class FakeEmailRepository implements EmailRepository {
       Stream.value(_emails.where((e) => e.threadId == threadId).toList());
 
   @override
-  Future<Email?> getEmail(String emailId) async => _emailDetail;
+  Future<Email?> getEmail(String emailId) async {
+    for (final e in _searchResults) {
+      if (e.id == emailId) return e;
+    }
+    for (final e in _emails) {
+      if (e.id == emailId) return e;
+    }
+    return _emailDetail;
+  }
 
   @override
   Future<EmailBody> getEmailBody(String emailId) async => _emailBody;
@@ -326,8 +354,10 @@ class FakeEmailRepository implements EmailRepository {
     String accountId,
     String mailboxPath,
     String query,
-  ) async =>
-      _searchResults;
+  ) async {
+    if (onSearch != null) return onSearch!(query);
+    return _searchResults;
+  }
 
   @override
   Future<List<Email>> searchEmailsGlobal(
@@ -447,6 +477,12 @@ Widget buildApp({
             path: 'preferences',
             builder: (ctx, state) => const UserPreferencesScreen(),
           ),
+          GoRoute(
+            path: 'trusted-senders',
+            builder: (ctx, state) => TrustedImageSendersScreen(
+              highlightedSender: state.extra as String?,
+            ),
+          ),
           GoRoute(
             path: ':accountId/edit',
             builder: (ctx, state) => EditAccountScreen(
@@ -551,6 +587,7 @@ Widget buildApp({
       theme: ThemeData(
         colorScheme: ColorScheme.fromSeed(seedColor: Colors.indigo),
         useMaterial3: true,
+        splashFactory: NoSplash.splashFactory,
       ),
       darkTheme: ThemeData(
         colorScheme: ColorScheme.fromSeed(
@@ -558,6 +595,7 @@ Widget buildApp({
           brightness: Brightness.dark,
         ),
         useMaterial3: true,
+        splashFactory: NoSplash.splashFactory,
       ),
     ),
   );
@@ -657,6 +695,9 @@ class FakeUserPreferencesRepository implements UserPreferencesRepository {
   AfterMailViewAction afterMailViewAction;
   final List<String> _trustedImageSenders;
 
+  List<String> get trustedImageSendersForTest =>
+      List.unmodifiable(_trustedImageSenders);
+
   @override
   Stream<UserPreferences> observePreferences() => Stream.value(
         UserPreferences(

test/widget/trusted_image_senders_screen_test.dart

@@ -0,0 +1,163 @@
+import 'package:flutter/material.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+import 'helpers.dart';
+
+void main() {
+  group('TrustedImageSendersScreen', () {
+    testWidgets('shows empty state with glob hint when no senders', (
+      tester,
+    ) async {
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      expect(find.textContaining('*@example.com'), findsOneWidget);
+      expect(find.byIcon(Icons.add), findsOneWidget);
+    });
+
+    testWidgets('lists existing senders', (tester) async {
+      final repo = FakeUserPreferencesRepository(
+        trustedImageSenders: ['alice@example.com', '*@work.com'],
+      );
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      expect(find.text('alice@example.com'), findsOneWidget);
+      expect(find.text('*@work.com'), findsOneWidget);
+    });
+
+    testWidgets('add dialog shows glob hint text', (tester) async {
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      expect(find.text('Add allowed address'), findsOneWidget);
+      expect(find.textContaining('*@example.com'), findsWidgets);
+      expect(find.textContaining('* matches any characters'), findsOneWidget);
+    });
+
+    testWidgets('Add button is disabled when input is empty', (tester) async {
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      final addButton = find.widgetWithText(TextButton, 'Add');
+      final button = tester.widget<TextButton>(addButton);
+      expect(button.onPressed, isNull);
+    });
+
+    testWidgets('typing in dialog enables Add button and adds sender', (
+      tester,
+    ) async {
+      final repo = FakeUserPreferencesRepository();
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      await tester.enterText(find.byType(TextField), '*@example.com');
+      await tester.pumpAndSettle();
+
+      final addButton = find.widgetWithText(TextButton, 'Add');
+      final button = tester.widget<TextButton>(addButton);
+      expect(button.onPressed, isNotNull);
+
+      await tester.tap(addButton);
+      await tester.pumpAndSettle();
+
+      expect(repo.trustedImageSendersForTest, contains('*@example.com'));
+    });
+
+    testWidgets('cancel closes dialog without adding', (tester) async {
+      final repo = FakeUserPreferencesRepository();
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      await tester.enterText(find.byType(TextField), 'someone@test.com');
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.widgetWithText(TextButton, 'Cancel'));
+      await tester.pumpAndSettle();
+
+      expect(find.byType(AlertDialog), findsNothing);
+      expect(repo.trustedImageSendersForTest, isEmpty);
+    });
+
+    testWidgets('delete button removes a sender', (tester) async {
+      final repo = FakeUserPreferencesRepository(
+        trustedImageSenders: ['alice@example.com'],
+      );
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.delete_outline));
+      await tester.pumpAndSettle();
+
+      expect(repo.trustedImageSendersForTest, isEmpty);
+    });
+
+    testWidgets('lists existing glob patterns', (tester) async {
+      final repo = FakeUserPreferencesRepository(
+        trustedImageSenders: ['*@example.com', 'alice@other.com'],
+      );
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      expect(find.text('*@example.com'), findsOneWidget);
+      expect(find.text('alice@other.com'), findsOneWidget);
+    });
+  });
+}