ci: re-trigger CI (transient SSH tunnel failure)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/website.yml

@@ -12,10 +12,116 @@ on:
   workflow_dispatch:
 
 jobs:
+  check-changes:
+    name: Detect Website Changes
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      has_changes: ${{ steps.diff.outputs.has_changes }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect website changes since last deploy
+        id: diff
+        shell: bash
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+        run: |
+          # On push or workflow_dispatch always deploy
+          if [ "$GITHUB_EVENT_NAME" != "schedule" ]; then
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          HEAD_SHA=$(git rev-parse HEAD)
+
+          # Find the most recent successful website.yml run where the deploy job
+          # actually ran (not merely skipped). Uses head_sha (not commit_sha which
+          # is always None in Forgejo's API).
+          LAST_DEPLOYED_SHA=$(python3 - << 'PYEOF'
+          import json, os, sys, urllib.request
+          token = os.environ.get("FORGEJO_TOKEN", "")
+          server = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
+          repo = os.environ.get("GITHUB_REPOSITORY", "")
+          base_api = f"{server}/api/v1/repos/{repo}/actions"
+          url = f"{base_api}/runs?workflow_id=website.yml&status=success&limit=10"
+          req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+          try:
+              with urllib.request.urlopen(req) as r:
+                  data = json.loads(r.read())
+              runs = [
+                  r for r in data.get("workflow_runs", [])
+                  if r.get("status") == "success"
+              ]
+              for run in runs:
+                  run_id = run.get("id")
+                  jobs_url = f"{base_api}/runs/{run_id}/jobs"
+                  jobs_req = urllib.request.Request(jobs_url, headers={"Authorization": f"token {token}"})
+                  try:
+                      with urllib.request.urlopen(jobs_req) as jr:
+                          jobs_data = json.loads(jr.read())
+                      for job in jobs_data.get("workflow_jobs", []):
+                          if "Build & Update Website" in job.get("name", "") and (
+                              job.get("conclusion") == "success" or
+                              job.get("status") == "success"
+                          ):
+                              print(run.get("head_sha") or "")
+                              sys.exit(0)
+                  except Exception:
+                      pass  # skip this run if jobs API fails
+              print("")
+          except Exception as e:
+              print(f"::error::LAST_DEPLOYED_SHA lookup failed ({type(e).__name__}: {e})")
+              print("")
+          PYEOF
+          )
+
+          if [ -z "$LAST_DEPLOYED_SHA" ]; then
+            echo "::warning::Could not determine last successfully deployed SHA — deploying as a precaution"
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [ "$HEAD_SHA" = "$LAST_DEPLOYED_SHA" ]; then
+            echo "::notice::Website deploy SKIPPED — HEAD $HEAD_SHA was already successfully deployed"
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Diff from last successfully deployed commit to catch all changes since
+          # that deploy, not just the most recent commit.
+          if git cat-file -e "$LAST_DEPLOYED_SHA" 2>/dev/null; then
+            echo "Diffing from last deployed SHA $LAST_DEPLOYED_SHA"
+            CHANGED=$(git diff --name-only "$LAST_DEPLOYED_SHA" HEAD 2>/dev/null \
+              || git show --name-only --format= HEAD)
+          else
+            echo "::warning::Last deployed SHA $LAST_DEPLOYED_SHA not in local history — deploying as a precaution"
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Changed files:"
+          echo "$CHANGED"
+
+          website_re='^(website/|scripts/website-verify\.sh|\.forgejo/workflows/website\.yml)'
+
+          if echo "$CHANGED" | grep -qE "$website_re"; then
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+            echo "::notice::Website deploy TRIGGERED — website-relevant files changed since $LAST_DEPLOYED_SHA"
+          else
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Website deploy SKIPPED — diff $LAST_DEPLOYED_SHA..HEAD has no website-relevant changes"
+          fi
+
   deploy:
     name: Build & Update Website
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    needs: [check-changes]
+    if: needs.check-changes.outputs.has_changes == 'true'
 
     steps:
       - name: Print runner wait time

AGENTS.md

@@ -13,23 +13,27 @@ Automation is handled by [agentloop](https://github.com/guettli/agentloop) runni
 | Label | Trigger | Outcome |
 |---|---|---|
 | `loop/plan` | Planning agent reads the issue and writes an implementation plan as a comment | Issue moves to `loop/plan-done` |
-| `loop/code` | Coding agent implements the change, creates a branch + PR | Issue moves to `loop/code-done` |
+| `loop/code` | Coding agent implements the change, creates a branch + PR | Issue routes to `loop/merge` |
+| `loop/merge` | Merge agent rebases, waits for CI, and merges the PR | Issue moves to `loop/merge-done` |
 
 **State machine:**
 
 ```
-loop/plan  →  loop/plan-in-progress  →  loop/plan-done
-                                      ↘  NeedSupervisor  (on failure)
+loop/plan  →  loop/plan-in-process  →  loop/plan-done
+                                     ↘  NeedSupervisor  (on failure)
 
-loop/code  →  loop/code-in-progress  →  loop/code-done
-                                      ↘  NeedSupervisor  (on failure)
+loop/code  →  loop/code-in-process  →  loop/merge (via route)
+                                     ↘  NeedSupervisor  (on failure)
+
+loop/merge →  loop/merge-in-process →  loop/merge-done
+                                     ↘  NeedSupervisor  (on failure)
 ```
 
 **Rules:**
 
 - Only issues authored by allowed users are picked up (guettli, guettlibot, guettlibot2, forgejo-actions).
 - An issue with `NeedSupervisor` needs human attention — investigate, fix, then re-label.
-- The coding agent opens a PR but does NOT close the issue. A human reviews the PR and closes the issue after merging.
+- The merge agent merges the PR automatically once CI is green. A human still reviews the PR before it merges if branch protection requires a review.
 - Planning agents only post a comment — they do NOT write code or open PRs.
 - `loop/*` labels are managed by agentloop — do not set them manually while an agent is active.
 
@@ -39,9 +43,9 @@ loop/code  →  loop/code-in-progress  →  loop/code-done
 1. Create issue
 2. Add label loop/plan   → agent writes plan as comment
 3. Review plan, request changes or approve
-4. Add label loop/code   → agent implements + opens PR
-5. Review PR, merge
-6. Close issue
+4. Add label loop/code   → agent implements + opens PR + hands off to merge
+5. (Optional) Review PR before it merges
+6. Merge agent waits for CI and merges the PR automatically
 ```
 
 ## Code conventions

ci/main.go

@@ -388,7 +388,7 @@ func (m *Ci) Stalwart() *dagger.Service {
 	return dag.Container().
 		From("stalwartlabs/stalwart:v0.14.1").
 		WithFile("/etc/stalwart/config.toml.orig", config).
-		WithExec([]string{"/bin/sh", "-c", "sed -e 's/hostname = \"localhost\"/hostname = \"stalwart\"/' -e 's/bind     = \\[\"0.0.0.0:\\([0-9]*\\)\"\\]/bind     = [\"0.0.0.0:\\1\", \"[::]:\\1\"]/g' /etc/stalwart/config.toml.orig > /etc/stalwart/config.toml"}).
+		WithExec([]string{"/bin/sh", "-c", "sed -e 's/hostname = \"localhost\"/hostname = \"stalwart\"/' /etc/stalwart/config.toml.orig > /etc/stalwart/config.toml"}).
 		WithDirectory("/tmp/stalwart", dataDir).
 		WithExposedPort(8080). // JMAP
 		WithExposedPort(1430). // IMAP
@@ -594,25 +594,33 @@ func (m *Ci) Check(ctx context.Context) (string, error) {
 		return "", err
 	}
 
-	checkSetup := m.setup(m.checkSrc())
-
-	if _, err := checkSetup.WithExec([]string{"dart", "format", "--output=none", "--set-exit-if-changed", "lib", "test"}).Stdout(ctx); err != nil {
-		return "Format check failed", err
-	}
-
-	analyze, err := checkSetup.WithExec([]string{"dart", "analyze", "--fatal-infos"}).Stdout(ctx)
-	if err != nil {
-		return analyze, err
-	}
-
-	mocks, err := m.CheckGenerated(ctx)
-	if err != nil {
-		return mocks, err
-	}
-
-	coverage, err := m.Coverage(ctx)
-	if err != nil {
-		return coverage, err
+	// Run format, analyze, generated-code check, and coverage in parallel —
+	// they all share the same setup base and have no dependencies on each other.
+	var analyze, mocks, coverage string
+	var checkEg errgroup.Group
+	checkEg.Go(func() error {
+		setup := m.setup(m.checkSrc())
+		_, err := setup.WithExec([]string{"dart", "format", "--output=none", "--set-exit-if-changed", "lib", "test"}).Stdout(ctx)
+		return err
+	})
+	checkEg.Go(func() error {
+		setup := m.setup(m.checkSrc())
+		var err error
+		analyze, err = setup.WithExec([]string{"dart", "analyze", "--fatal-infos"}).Stdout(ctx)
+		return err
+	})
+	checkEg.Go(func() error {
+		var err error
+		mocks, err = m.CheckGenerated(ctx)
+		return err
+	})
+	checkEg.Go(func() error {
+		var err error
+		coverage, err = m.Coverage(ctx)
+		return err
+	})
+	if err := checkEg.Wait(); err != nil {
+		return "", err
 	}
 
 	// Use errgroup.Group (not WithContext) so a failing test does not cancel its

lib/core/db_schema_version.dart

@@ -1 +1 @@
-const int dbSchemaVersion = 40;
+const int dbSchemaVersion = 41;

lib/core/sieve/sieve_interpreter.dart

@@ -1,6 +1,7 @@
 import 'package:sharedinbox/core/sieve/sieve_actions.dart';
 import 'package:sharedinbox/core/sieve/sieve_conditions.dart';
 import 'package:sharedinbox/core/sieve/sieve_rule.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
 
 /// A lightweight email representation used by [SieveInterpreter].
 /// Header names are lower-cased.
@@ -102,18 +103,11 @@ class SieveInterpreter {
     return switch (matchType) {
       ':contains' => k.isEmpty || v.contains(k),
       ':is' => v == k,
-      ':matches' => _globMatch(v, k),
+      ':matches' => globMatch(v, k),
       _ => false,
     };
   }
 
-  bool _globMatch(String value, String pattern) {
-    final regexStr = RegExp.escape(
-      pattern,
-    ).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
-    return RegExp('^$regexStr\$').hasMatch(value);
-  }
-
   void _applyActions(List<SieveAction> actions, SieveExecutionContext ctx) {
     for (final action in actions) {
       switch (action) {

lib/core/utils/glob_match.dart

@@ -0,0 +1,9 @@
+/// Returns true if [value] matches the glob [pattern].
+///
+/// Supports `*` (any number of characters) and `?` (exactly one character).
+/// The comparison is case-insensitive, which is appropriate for email addresses.
+bool globMatch(String value, String pattern) {
+  final regexStr =
+      RegExp.escape(pattern).replaceAll(r'\*', '.*').replaceAll(r'\?', '.');
+  return RegExp('^$regexStr\$', caseSensitive: false).hasMatch(value);
+}

lib/data/db/database.dart

@@ -679,6 +679,116 @@ class AppDatabase extends _$AppDatabase {
           if (from < 40) {
             await m.createTable(installedVersions);
           }
+          if (from < 41) {
+            // Fix IMAP email IDs to include mailboxPath, preventing UID
+            // collisions across mailboxes (IMAP UIDs are mailbox-scoped).
+            // New format: "accountId:mailboxPath:uid" (was "accountId:uid").
+            //
+            // defer_foreign_keys defers the email_bodies→emails FK check
+            // to COMMIT so the two tables can be updated sequentially inside
+            // the migration transaction without a transient FK violation.
+            await customStatement('PRAGMA defer_foreign_keys = ON');
+
+            // 1. Remap email_bodies.email_id before emails.id changes.
+            await customStatement('''
+              UPDATE email_bodies
+              SET email_id = (
+                SELECT e.account_id || ':' || e.mailbox_path || ':' || CAST(e.uid AS TEXT)
+                FROM emails e
+                JOIN accounts a ON a.id = e.account_id
+                WHERE e.id = email_bodies.email_id
+                  AND a.account_type = 'imap'
+              )
+              WHERE EXISTS (
+                SELECT 1 FROM emails e
+                JOIN accounts a ON a.id = e.account_id
+                WHERE e.id = email_bodies.email_id
+                  AND a.account_type = 'imap'
+              )
+            ''');
+
+            // 2. Update emails.thread_id where it was set to the email's own
+            //    id (fallback for messages with no Message-ID header).
+            await customStatement('''
+              UPDATE emails
+              SET thread_id = account_id || ':' || mailbox_path || ':' || CAST(uid AS TEXT)
+              WHERE account_id IN (SELECT id FROM accounts WHERE account_type = 'imap')
+                AND thread_id = id
+            ''');
+
+            // 3. Update the primary key on emails.
+            await customStatement('''
+              UPDATE emails
+              SET id = account_id || ':' || mailbox_path || ':' || CAST(uid AS TEXT)
+              WHERE account_id IN (
+                SELECT id FROM accounts WHERE account_type = 'imap'
+              )
+            ''');
+
+            // 5. Rebuild threads for IMAP accounts from the updated email rows.
+            //    The threads table stores denormalised data (latest_email_id,
+            //    email_ids_json) that references email IDs, so it is simpler to
+            //    delete and reconstruct than to patch the JSON in SQL.
+            await customStatement('''
+              DELETE FROM threads
+              WHERE account_id IN (SELECT id FROM accounts WHERE account_type = 'imap')
+            ''');
+
+            final imapAccounts = await (select(accounts)
+                  ..where((t) => t.accountType.equals('imap')))
+                .get();
+            for (final acct in imapAccounts) {
+              final emailRows = await (select(emails)
+                    ..where((t) => t.accountId.equals(acct.id)))
+                  .get();
+
+              final groups = <String, List<Email>>{};
+              for (final row in emailRows) {
+                final key = '${row.mailboxPath}:${row.threadId ?? row.id}';
+                groups.putIfAbsent(key, () => []).add(row);
+              }
+
+              for (final threadEmails in groups.values) {
+                threadEmails.sort((a, b) {
+                  final da = a.sentAt ?? a.receivedAt;
+                  final db = b.sentAt ?? b.receivedAt;
+                  return da.compareTo(db);
+                });
+                final latest = threadEmails.last;
+
+                final seen = <String>{};
+                final participants = <Map<String, dynamic>>[];
+                for (final e in threadEmails) {
+                  final from = jsonDecode(e.fromJson) as List<dynamic>;
+                  for (final a in from.cast<Map<String, dynamic>>()) {
+                    final email = a['email'] as String;
+                    if (seen.add(email)) {
+                      participants.add({'name': a['name'], 'email': email});
+                    }
+                  }
+                }
+
+                await into(threads).insert(
+                  ThreadsCompanion.insert(
+                    id: latest.threadId ?? latest.id,
+                    accountId: latest.accountId,
+                    mailboxPath: latest.mailboxPath,
+                    subject: Value(latest.subject),
+                    latestDate: latest.sentAt ?? latest.receivedAt,
+                    messageCount: Value(threadEmails.length),
+                    hasUnread: Value(threadEmails.any((e) => !e.isSeen)),
+                    isFlagged: Value(threadEmails.any((e) => e.isFlagged)),
+                    participantsJson: Value(jsonEncode(participants)),
+                    preview: Value(latest.preview),
+                    latestEmailId: latest.id,
+                    emailIdsJson: Value(
+                      jsonEncode(threadEmails.map((e) => e.id).toList()),
+                    ),
+                  ),
+                );
+              }
+            }
+          }
         },
       );
 

lib/data/repositories/email_repository_impl.dart

@@ -561,7 +561,7 @@ class EmailRepositoryImpl implements EmailRepository {
     for (final msg in result.messages) {
       final uid = msg.uid;
       if (uid == null) continue;
-      final emailId = '${account.id}:$uid';
+      final emailId = '${account.id}:$mailboxPath:$uid';
       await (_db.update(_db.emails)..where((t) => t.id.equals(emailId))).write(
         EmailsCompanion(
           isSeen: Value(msg.flags?.contains(r'\Seen') ?? false),
@@ -616,7 +616,7 @@ class EmailRepositoryImpl implements EmailRepository {
           continue;
         }
         bytes += msg.size ?? 0;
-        final emailId = '${account.id}:$uid';
+        final emailId = '${account.id}:$mailboxPath:$uid';
         final msgId = envelope.messageId?.trim();
         final inReplyTo = envelope.inReplyTo?.trim();
         final refs = msg.getHeaderValue('References')?.trim();

lib/ui/screens/email_detail_screen.dart

@@ -16,6 +16,7 @@ import 'package:sharedinbox/core/models/note.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
 import 'package:sharedinbox/core/utils/format_utils.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/screens/email_action_helpers.dart';
@@ -208,8 +209,8 @@ class _EmailDetailScreenState extends ConsumerState<EmailDetailScreen> {
     final senderEmail = header?.from.isNotEmpty == true
         ? header!.from.first.email.toLowerCase()
         : null;
-    final isTrusted =
-        senderEmail != null && trustedSenders.contains(senderEmail);
+    final isTrusted = senderEmail != null &&
+        trustedSenders.any((p) => globMatch(senderEmail, p));
     final effectiveLoadImages = _loadRemoteImages || isTrusted;
 
     return ListView(

lib/ui/screens/email_list_screen.dart

@@ -278,7 +278,14 @@ class _EmailListScreenState extends ConsumerState<EmailListScreen> {
                 ),
             ],
             onChanged: _onSearchChanged,
-            onSubmitted: _runSearch,
+            onSubmitted: (value) {
+              // Only run the search if results haven't settled yet via
+              // onChanged — prevents a second IMAP round-trip from reordering
+              // the already-visible results when the user presses Enter.
+              if (_searchResults == null && !_searchLoading) {
+                unawaited(_runSearch(value));
+              }
+            },
             textInputAction: TextInputAction.search,
           ),
         ),

lib/ui/screens/thread_detail_screen.dart

@@ -8,6 +8,7 @@ import 'package:intl/intl.dart';
 import 'package:sharedinbox/core/models/email.dart';
 import 'package:sharedinbox/core/models/undo_action.dart';
 import 'package:sharedinbox/core/models/user_preferences.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
 import 'package:sharedinbox/core/utils/html_utils.dart';
 import 'package:sharedinbox/di.dart';
 import 'package:sharedinbox/ui/widgets/secure_email_webview.dart';
@@ -118,8 +119,8 @@ class _EmailMessageCardState extends ConsumerState<_EmailMessageCard> {
     final senderEmail = widget.email.from.isNotEmpty
         ? widget.email.from.first.email.toLowerCase()
         : null;
-    final isTrusted =
-        senderEmail != null && trustedSenders.contains(senderEmail);
+    final isTrusted = senderEmail != null &&
+        trustedSenders.any((p) => globMatch(senderEmail, p));
 
     return Card(
       margin: const EdgeInsets.symmetric(vertical: 4),

lib/ui/screens/trusted_image_senders_screen.dart

@@ -16,6 +16,11 @@ class TrustedImageSendersScreen extends ConsumerWidget {
 
     return Scaffold(
       appBar: AppBar(title: const Text('Allowed addresses for images')),
+      floatingActionButton: FloatingActionButton(
+        tooltip: 'Add address',
+        onPressed: () => _showAddDialog(context, ref),
+        child: const Icon(Icons.add),
+      ),
       body: trustedSendersAsync.when(
         loading: () => const Center(child: CircularProgressIndicator()),
         error: (_, __) =>
@@ -26,7 +31,8 @@ class TrustedImageSendersScreen extends ConsumerWidget {
               padding: EdgeInsets.all(16),
               child: Text(
                 'No addresses added yet. '
-                'Tap "Load remote images" in an email to add the sender.',
+                'Tap + to add an address or pattern (e.g. *@example.com), '
+                'or tap "Load remote images" in an email to add the sender automatically.',
               ),
             );
           }
@@ -60,4 +66,61 @@ class TrustedImageSendersScreen extends ConsumerWidget {
       ),
     );
   }
+
+  Future<void> _showAddDialog(BuildContext context, WidgetRef ref) async {
+    final controller = TextEditingController();
+
+    await showDialog<void>(
+      context: context,
+      builder: (ctx) {
+        return StatefulBuilder(
+          builder: (ctx, setState) {
+            return AlertDialog(
+              title: const Text('Add allowed address'),
+              content: TextField(
+                controller: controller,
+                autofocus: true,
+                keyboardType: TextInputType.emailAddress,
+                decoration: const InputDecoration(
+                  labelText: 'Email address or pattern',
+                  hintText: '*@example.com',
+                  helperText: '* matches any characters, e.g. *@example.com',
+                ),
+                onChanged: (_) => setState(() {}),
+                onSubmitted: (value) {
+                  if (value.trim().isNotEmpty) {
+                    _addSender(ref, value);
+                    Navigator.of(ctx).pop();
+                  }
+                },
+              ),
+              actions: [
+                TextButton(
+                  onPressed: () => Navigator.of(ctx).pop(),
+                  child: const Text('Cancel'),
+                ),
+                TextButton(
+                  onPressed: controller.text.trim().isEmpty
+                      ? null
+                      : () {
+                          _addSender(ref, controller.text);
+                          Navigator.of(ctx).pop();
+                        },
+                  child: const Text('Add'),
+                ),
+              ],
+            );
+          },
+        );
+      },
+    );
+  }
+
+  void _addSender(WidgetRef ref, String value) {
+    unawaited(
+      ref
+          .read(userPreferencesRepositoryProvider)
+          .addTrustedImageSender(value.trim()),
+    );
+  }
 }

test/unit/email_repository_impl_test.dart

@@ -262,6 +262,50 @@ void main() {
       expect(emails.map((e) => e.uid).toList(), [3, 2, 1]);
     });
 
+    test('same UID in different mailboxes yields independent emails', () async {
+      // Regression test for the UID collision bug: IMAP UIDs are mailbox-scoped,
+      // so UID 50 in INBOX and UID 50 in Archive must get distinct local IDs.
+      final r = _makeRepos();
+      await r.accounts.addAccount(_account, 'pw');
+
+      // New ID format: accountId:mailboxPath:uid
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:INBOX:50',
+              accountId: 'acc-1',
+              mailboxPath: 'INBOX',
+              uid: 50,
+              receivedAt: DateTime(2024),
+            ),
+          );
+      await r.db.into(r.db.emails).insert(
+            EmailsCompanion.insert(
+              id: 'acc-1:Archive:50',
+              accountId: 'acc-1',
+              mailboxPath: 'Archive',
+              uid: 50,
+              receivedAt: DateTime(2024, 1, 2),
+            ),
+          );
+
+      final inboxEmail = await r.emails.getEmail('acc-1:INBOX:50');
+      expect(inboxEmail, isNotNull);
+      expect(inboxEmail!.mailboxPath, 'INBOX');
+
+      final archiveEmail = await r.emails.getEmail('acc-1:Archive:50');
+      expect(archiveEmail, isNotNull);
+      expect(archiveEmail!.mailboxPath, 'Archive');
+
+      final inboxEmails = await r.emails.observeEmails('acc-1', 'INBOX').first;
+      expect(inboxEmails, hasLength(1));
+      expect(inboxEmails.first.id, 'acc-1:INBOX:50');
+
+      final archiveEmails =
+          await r.emails.observeEmails('acc-1', 'Archive').first;
+      expect(archiveEmails, hasLength(1));
+      expect(archiveEmails.first.id, 'acc-1:Archive:50');
+    });
+
     test('syncEmails propagates IMAP error', () async {
       final r = _makeRepos();
       await r.accounts.addAccount(_account, 'pw');

test/unit/glob_match_test.dart

@@ -0,0 +1,50 @@
+import 'package:flutter_test/flutter_test.dart';
+import 'package:sharedinbox/core/utils/glob_match.dart';
+
+void main() {
+  group('globMatch', () {
+    test('exact match (no wildcards)', () {
+      expect(globMatch('alice@example.com', 'alice@example.com'), isTrue);
+      expect(globMatch('alice@example.com', 'bob@example.com'), isFalse);
+    });
+
+    test('* matches any domain wildcard', () {
+      expect(globMatch('alice@example.com', '*@example.com'), isTrue);
+      expect(globMatch('bob@example.com', '*@example.com'), isTrue);
+      expect(globMatch('alice@other.com', '*@example.com'), isFalse);
+    });
+
+    test('* matches zero or more characters', () {
+      expect(
+        globMatch('newsletter@news.example.com', '*@*.example.com'),
+        isTrue,
+      );
+      expect(globMatch('alice@example.com', 'alice*'), isTrue);
+      expect(globMatch('alice@example.com', '*example*'), isTrue);
+    });
+
+    test('? matches exactly one character', () {
+      expect(globMatch('alice@example.com', 'alice@exampl?.com'), isTrue);
+      expect(globMatch('alice@example.com', 'alice@exampl??.com'), isFalse);
+    });
+
+    test('case-insensitive comparison', () {
+      expect(globMatch('Alice@Example.COM', '*@example.com'), isTrue);
+      expect(globMatch('alice@example.com', '*@EXAMPLE.COM'), isTrue);
+    });
+
+    test('no wildcards — mismatch is false', () {
+      expect(globMatch('alice@example.com', 'alice@other.com'), isFalse);
+    });
+
+    test('bare * matches everything', () {
+      expect(globMatch('alice@example.com', '*'), isTrue);
+      expect(globMatch('', '*'), isTrue);
+    });
+
+    test('empty pattern only matches empty string', () {
+      expect(globMatch('', ''), isTrue);
+      expect(globMatch('alice@example.com', ''), isFalse);
+    });
+  });
+}

test/unit/migration_test.dart

@@ -14,7 +14,7 @@ void main() {
   group('Migration', () {
     test('schemaVersion matches expected value', () async {
       final db = AppDatabase(NativeDatabase.memory());
-      expect(db.schemaVersion, 40);
+      expect(db.schemaVersion, 41);
       await db.close();
     });
 
@@ -435,7 +435,184 @@ void main() {
       },
     );
 
-    test('fresh install creates all tables at schemaVersion 40', () async {
+    test('v40→v41: IMAP email IDs gain mailboxPath segment', () async {
+      final dbFile = File('test_migration_v40.db');
+      if (dbFile.existsSync()) dbFile.deleteSync();
+
+      final rawDb = sqlite.sqlite3.open(dbFile.path);
+      rawDb.execute('''
+        CREATE TABLE accounts (
+          id TEXT NOT NULL PRIMARY KEY,
+          display_name TEXT NOT NULL,
+          email TEXT NOT NULL,
+          imap_host TEXT NOT NULL DEFAULT '',
+          imap_port INTEGER NOT NULL DEFAULT 993,
+          imap_ssl INTEGER NOT NULL DEFAULT 1,
+          smtp_host TEXT NOT NULL DEFAULT '',
+          smtp_port INTEGER NOT NULL DEFAULT 465,
+          smtp_ssl INTEGER NOT NULL DEFAULT 1,
+          account_type TEXT NOT NULL DEFAULT 'imap',
+          jmap_url TEXT NULL,
+          username TEXT NOT NULL DEFAULT '',
+          verbose INTEGER NOT NULL DEFAULT 0,
+          manage_sieve_host TEXT NOT NULL DEFAULT '',
+          manage_sieve_port INTEGER NOT NULL DEFAULT 4190,
+          manage_sieve_ssl INTEGER NOT NULL DEFAULT 1,
+          manage_sieve_available INTEGER NULL
+        )
+      ''');
+      rawDb.execute('''
+        CREATE TABLE emails (
+          id TEXT NOT NULL PRIMARY KEY,
+          account_id TEXT NOT NULL REFERENCES accounts (id) ON DELETE CASCADE,
+          mailbox_path TEXT NOT NULL,
+          uid INTEGER NOT NULL,
+          subject TEXT NULL,
+          sent_at INTEGER NULL,
+          received_at INTEGER NOT NULL,
+          from_json TEXT NOT NULL DEFAULT '[]',
+          to_addresses TEXT NOT NULL DEFAULT '[]',
+          cc_json TEXT NOT NULL DEFAULT '[]',
+          preview TEXT NULL,
+          is_seen INTEGER NOT NULL DEFAULT 0,
+          is_flagged INTEGER NOT NULL DEFAULT 0,
+          has_attachment INTEGER NOT NULL DEFAULT 0,
+          thread_id TEXT NULL,
+          message_id TEXT NULL,
+          in_reply_to TEXT NULL,
+          "references" TEXT NULL,
+          snoozed_until INTEGER NULL,
+          snoozed_from_mailbox_path TEXT NULL,
+          list_unsubscribe_header TEXT NULL
+        )
+      ''');
+      rawDb.execute('''
+        CREATE TABLE email_bodies (
+          email_id TEXT NOT NULL PRIMARY KEY REFERENCES emails (id) ON DELETE CASCADE,
+          text_body TEXT NULL,
+          html_body TEXT NULL,
+          attachments_json TEXT NOT NULL DEFAULT '[]',
+          cached_at INTEGER NULL,
+          headers_json TEXT NULL,
+          mime_tree_json TEXT NULL
+        )
+      ''');
+      rawDb.execute('''
+        CREATE TABLE threads (
+          account_id TEXT NOT NULL REFERENCES accounts (id) ON DELETE CASCADE,
+          mailbox_path TEXT NOT NULL,
+          id TEXT NOT NULL,
+          subject TEXT NULL,
+          latest_date INTEGER NOT NULL,
+          message_count INTEGER NOT NULL DEFAULT 1,
+          has_unread INTEGER NOT NULL DEFAULT 0,
+          is_flagged INTEGER NOT NULL DEFAULT 0,
+          participants_json TEXT NOT NULL DEFAULT '[]',
+          preview TEXT NULL,
+          latest_email_id TEXT NOT NULL,
+          email_ids_json TEXT NOT NULL DEFAULT '[]',
+          PRIMARY KEY (account_id, mailbox_path, id)
+        )
+      ''');
+      rawDb.execute('''
+        CREATE TABLE pending_changes (
+          id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+          account_id TEXT NOT NULL REFERENCES accounts (id) ON DELETE CASCADE,
+          resource_type TEXT NOT NULL,
+          resource_id TEXT NOT NULL,
+          change_type TEXT NOT NULL,
+          payload TEXT NOT NULL,
+          created_at INTEGER NOT NULL,
+          attempts INTEGER NOT NULL DEFAULT 0,
+          last_error TEXT NULL
+        )
+      ''');
+
+      // Insert an IMAP account.
+      rawDb.execute(
+        "INSERT INTO accounts (id, display_name, email) VALUES ('acc-1', 'Alice', 'alice@example.com')",
+      );
+
+      // Two emails with the same UID but in different mailboxes — old format.
+      final now = DateTime.now().millisecondsSinceEpoch ~/ 1000;
+      rawDb.execute(
+        'INSERT INTO emails (id, account_id, mailbox_path, uid, received_at, thread_id) '
+        "VALUES ('acc-1:50', 'acc-1', 'INBOX', 50, $now, 'acc-1:50')",
+      );
+      rawDb.execute(
+        'INSERT INTO emails (id, account_id, mailbox_path, uid, received_at) '
+        "VALUES ('acc-1:50-arch', 'acc-1', 'Archive', 50, $now)",
+      );
+      // A third email with a Message-ID-based thread_id (should not be changed).
+      rawDb.execute(
+        'INSERT INTO emails (id, account_id, mailbox_path, uid, received_at, thread_id) '
+        "VALUES ('acc-1:99', 'acc-1', 'INBOX', 99, $now, '<original@example.com>')",
+      );
+
+      // Email body for the first email.
+      rawDb.execute(
+        "INSERT INTO email_bodies (email_id, text_body) VALUES ('acc-1:50', 'body text')",
+      );
+
+      // Thread for the first email (old-format IDs).
+      rawDb.execute(
+        'INSERT INTO threads (account_id, mailbox_path, id, latest_date, latest_email_id, email_ids_json) '
+        "VALUES ('acc-1', 'INBOX', 'acc-1:50', $now, 'acc-1:50', '[\"acc-1:50\"]')",
+      );
+
+      // A pending change referencing the first email's old ID.
+      rawDb.execute(
+        'INSERT INTO pending_changes (account_id, resource_type, resource_id, change_type, payload, created_at) '
+        "VALUES ('acc-1', 'Email', 'acc-1:50', 'flag_seen', '{\"seen\":true}', $now)",
+      );
+
+      rawDb.execute('PRAGMA user_version = 40');
+      rawDb.close();
+
+      // Open with Drift to trigger the migration.
+      final db = AppDatabase(NativeDatabase(dbFile));
+      await db.select(db.accounts).get();
+
+      // emails.id should now use the accountId:mailboxPath:uid format.
+      final emailRows = await db.select(db.emails).get();
+      final emailIds = emailRows.map((r) => r.id).toSet();
+      expect(emailIds, contains('acc-1:INBOX:50'));
+      expect(emailIds, contains('acc-1:Archive:50'));
+      expect(emailIds, contains('acc-1:INBOX:99'));
+      // Old-format IDs must be gone.
+      expect(emailIds, isNot(contains('acc-1:50')));
+      expect(emailIds, isNot(contains('acc-1:99')));
+
+      // email_bodies.email_id must be updated.
+      final bodyRows = await db.select(db.emailBodies).get();
+      expect(bodyRows, hasLength(1));
+      expect(bodyRows.first.emailId, 'acc-1:INBOX:50');
+
+      // thread_id where it was the email's own ID should be updated.
+      final inboxEmail = emailRows.firstWhere((r) => r.id == 'acc-1:INBOX:50');
+      expect(inboxEmail.threadId, 'acc-1:INBOX:50');
+
+      // thread_id based on a real Message-ID must be left unchanged.
+      final inboxEmail99 =
+          emailRows.firstWhere((r) => r.id == 'acc-1:INBOX:99');
+      expect(inboxEmail99.threadId, '<original@example.com>');
+
+      // threads must be rebuilt with new-format IDs.
+      final threadRows = await db.select(db.threads).get();
+      final thread = threadRows.firstWhere((t) => t.mailboxPath == 'INBOX');
+      expect(thread.latestEmailId, 'acc-1:INBOX:50');
+      expect(thread.emailIdsJson, contains('acc-1:INBOX:50'));
+
+      // pending_changes.resource_id is not updated by the migration
+      // (IMAP operations use payload uid/mailboxPath, so this is safe).
+      final changeRows = await db.select(db.pendingChanges).get();
+      expect(changeRows, hasLength(1));
+
+      await db.close();
+      if (dbFile.existsSync()) dbFile.deleteSync();
+    });
+
+    test('fresh install creates all tables at schemaVersion 41', () async {
       final db = AppDatabase(NativeDatabase.memory());
       await db.select(db.accounts).get();
 

test/widget/email_list_screen_test.dart

@@ -798,6 +798,67 @@ void main() {
       },
     );
 
+    testWidgets(
+      'pressing Enter after search settles does not reorder results',
+      (tester) async {
+        // Reproduces: user types a query → onChanged fires → results settle.
+        // Then user presses Enter → onSubmitted fires a second search → the
+        // second IMAP response may return results in a different order, so the
+        // tile the user is about to tap is no longer the email they expect.
+        final email1 = testEmail(id: 'acc-1:1', subject: 'Alpha Foo');
+        final email2 = testEmail(id: 'acc-1:2', subject: 'Beta Foo');
+        var callCount = 0;
+        await tester.pumpWidget(
+          buildApp(
+            initialLocation: '/accounts/acc-1/mailboxes/INBOX/emails',
+            overrides: [
+              accountRepositoryProvider.overrideWithValue(
+                FakeAccountRepository([kTestAccount]),
+              ),
+              mailboxRepositoryProvider.overrideWithValue(
+                FakeMailboxRepository(),
+              ),
+              emailRepositoryProvider.overrideWithValue(
+                FakeEmailRepository(
+                  onSearch: (_) async {
+                    callCount++;
+                    // First call: [Alpha, Beta]. Second call: reversed.
+                    return callCount == 1 ? [email1, email2] : [email2, email1];
+                  },
+                  emailBody: const EmailBody(emailId: '', attachments: []),
+                ),
+              ),
+            ],
+          ),
+        );
+        await tester.pumpAndSettle();
+
+        // Typing triggers onChanged → first search → results settle.
+        await tester.enterText(find.byType(TextField), 'foo');
+        await tester.pumpAndSettle();
+
+        expect(find.text('Alpha Foo'), findsOneWidget);
+        expect(find.text('Beta Foo'), findsOneWidget);
+        // Alpha must appear above Beta (it is first in the list).
+        expect(
+          tester.getTopLeft(find.text('Alpha Foo')).dy,
+          lessThan(tester.getTopLeft(find.text('Beta Foo')).dy),
+        );
+
+        // Pressing Enter triggers onSubmitted — must NOT re-run the search.
+        await tester.testTextInput.receiveAction(TextInputAction.search);
+        await tester.pumpAndSettle();
+
+        // Order must be unchanged: pressing Enter must not reorder results.
+        expect(find.text('Alpha Foo'), findsOneWidget);
+        expect(find.text('Beta Foo'), findsOneWidget);
+        expect(
+          tester.getTopLeft(find.text('Alpha Foo')).dy,
+          lessThan(tester.getTopLeft(find.text('Beta Foo')).dy),
+        );
+      },
+    );
+
     testWidgets('shows preview snippet when email has preview', (tester) async {
       final email = Email(
         id: 'acc-1:99',

test/widget/helpers.dart

@@ -44,6 +44,7 @@ import 'package:sharedinbox/ui/screens/email_list_screen.dart';
 import 'package:sharedinbox/ui/screens/mailbox_list_screen.dart';
 import 'package:sharedinbox/ui/screens/search_screen.dart';
 import 'package:sharedinbox/ui/screens/thread_detail_screen.dart';
+import 'package:sharedinbox/ui/screens/trusted_image_senders_screen.dart';
 import 'package:sharedinbox/ui/screens/user_preferences_screen.dart';
 
 // ---------------------------------------------------------------------------
@@ -484,6 +485,12 @@ Widget buildApp({
             path: 'preferences',
             builder: (ctx, state) => const UserPreferencesScreen(),
           ),
+          GoRoute(
+            path: 'trusted-senders',
+            builder: (ctx, state) => TrustedImageSendersScreen(
+              highlightedSender: state.extra as String?,
+            ),
+          ),
           GoRoute(
             path: ':accountId/edit',
             builder: (ctx, state) => EditAccountScreen(
@@ -696,6 +703,9 @@ class FakeUserPreferencesRepository implements UserPreferencesRepository {
   AfterMailViewAction afterMailViewAction;
   final List<String> _trustedImageSenders;
 
+  List<String> get trustedImageSendersForTest =>
+      List.unmodifiable(_trustedImageSenders);
+
   @override
   Stream<UserPreferences> observePreferences() => Stream.value(
         UserPreferences(

test/widget/trusted_image_senders_screen_test.dart

@@ -0,0 +1,163 @@
+import 'package:flutter/material.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+import 'helpers.dart';
+
+void main() {
+  group('TrustedImageSendersScreen', () {
+    testWidgets('shows empty state with glob hint when no senders', (
+      tester,
+    ) async {
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      expect(find.textContaining('*@example.com'), findsOneWidget);
+      expect(find.byIcon(Icons.add), findsOneWidget);
+    });
+
+    testWidgets('lists existing senders', (tester) async {
+      final repo = FakeUserPreferencesRepository(
+        trustedImageSenders: ['alice@example.com', '*@work.com'],
+      );
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      expect(find.text('alice@example.com'), findsOneWidget);
+      expect(find.text('*@work.com'), findsOneWidget);
+    });
+
+    testWidgets('add dialog shows glob hint text', (tester) async {
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      expect(find.text('Add allowed address'), findsOneWidget);
+      expect(find.textContaining('*@example.com'), findsWidgets);
+      expect(find.textContaining('* matches any characters'), findsOneWidget);
+    });
+
+    testWidgets('Add button is disabled when input is empty', (tester) async {
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      final addButton = find.widgetWithText(TextButton, 'Add');
+      final button = tester.widget<TextButton>(addButton);
+      expect(button.onPressed, isNull);
+    });
+
+    testWidgets('typing in dialog enables Add button and adds sender', (
+      tester,
+    ) async {
+      final repo = FakeUserPreferencesRepository();
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      await tester.enterText(find.byType(TextField), '*@example.com');
+      await tester.pumpAndSettle();
+
+      final addButton = find.widgetWithText(TextButton, 'Add');
+      final button = tester.widget<TextButton>(addButton);
+      expect(button.onPressed, isNotNull);
+
+      await tester.tap(addButton);
+      await tester.pumpAndSettle();
+
+      expect(repo.trustedImageSendersForTest, contains('*@example.com'));
+    });
+
+    testWidgets('cancel closes dialog without adding', (tester) async {
+      final repo = FakeUserPreferencesRepository();
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.add));
+      await tester.pumpAndSettle();
+
+      await tester.enterText(find.byType(TextField), 'someone@test.com');
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.widgetWithText(TextButton, 'Cancel'));
+      await tester.pumpAndSettle();
+
+      expect(find.byType(AlertDialog), findsNothing);
+      expect(repo.trustedImageSendersForTest, isEmpty);
+    });
+
+    testWidgets('delete button removes a sender', (tester) async {
+      final repo = FakeUserPreferencesRepository(
+        trustedImageSenders: ['alice@example.com'],
+      );
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      await tester.tap(find.byIcon(Icons.delete_outline));
+      await tester.pumpAndSettle();
+
+      expect(repo.trustedImageSendersForTest, isEmpty);
+    });
+
+    testWidgets('lists existing glob patterns', (tester) async {
+      final repo = FakeUserPreferencesRepository(
+        trustedImageSenders: ['*@example.com', 'alice@other.com'],
+      );
+      await tester.pumpWidget(
+        buildApp(
+          initialLocation: '/accounts/trusted-senders',
+          overrides: baseOverrides(),
+          userPreferences: repo,
+        ),
+      );
+      await tester.pumpAndSettle();
+
+      expect(find.text('*@example.com'), findsOneWidget);
+      expect(find.text('alice@other.com'), findsOneWidget);
+    });
+  });
+}