test: remove https tests

refactor: socks5 chaining
chore: exclude nightly tag
2026-06-12 09:47:51 +02:00 · 2026-03-16 18:21:01 +04:00 · 2026-03-16 17:48:02 +04:00 · 2026-03-16 15:55:29 +04:00 · 2026-03-16 15:50:06 +04:00 · 2026-03-16 15:49:25 +04:00
213 changed files with 50120 additions and 10692 deletions
@@ -0,0 +1,5 @@
+
+APPLE_TEAM_ID=
+APPLE_ID=
+APPLE_PASSWORD=
+APPLE_SIGNING_IDENTITY=
@@ -27,7 +27,7 @@ Hi there! To expedite issue processing please search open and closed issues befo

 ## Your Environment

-<!-- Please provide as much information as you feel comfortable to help us understand the issue better -->
+<!-- Please provide as much information as you feel comfortable to help the maintainers understand the issue better -->

 ## Exception or Error or Screenshot

@@ -0,0 +1,33 @@
+messages:
+  - role: system
+    content: |-
+      You are an expert technical writer tasked with generating comprehensive release notes for Donut Browser, a powerful anti-detect browser desktop app built with Tauri + Next.js that helps users manage multiple browser profiles with proxy support.
+
+      Guidelines:
+      - Use clear, user-friendly language
+      - Group related commits logically
+      - Omit minor commits like formatting, typos unless significant
+      - Focus on user-facing changes
+      - Use emojis sparingly and consistently
+      - Keep descriptions concise but informative
+      - If commits are unclear, infer the purpose from the context
+      - Only include sections that have relevant changes
+  - role: user
+    content: |-
+      Generate release notes for version {{version}} based on these commits:
+
+      {{commits}}
+
+      Use this format:
+
+      ## What's New in {{version}}
+
+      [Brief 1-2 sentence overview]
+
+      ### New Features
+      ### Bug Fixes
+      ### Improvements
+      ### Documentation
+      ### Dependencies
+      ### Developer Experience
+model: openai/gpt-4.1
@@ -32,7 +32,7 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -13,7 +13,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: ${{ github.actor == 'dependabot[bot]' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
    with:
      scan-args: |-
        -r
@@ -3,7 +3,7 @@ name: Issue & PR Automation
 on:
  issues:
    types: [opened]
-  pull_request:
+  pull_request_target:
    types: [opened]
  issue_comment:
    types: [created]
@@ -18,90 +18,13 @@ permissions:
  id-token: write

 jobs:
-  validate-issue:
+  analyze-issue:
    if: github.event_name == 'issues'
    runs-on: ubuntu-latest
-
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

-      - name: Get issue templates
-        id: get-templates
-        run: |
-          if [ -f ".github/ISSUE_TEMPLATE/01-bug-report.md" ]; then
-            echo "bug-template-exists=true" >> $GITHUB_OUTPUT
-          fi
-
-          if [ -f ".github/ISSUE_TEMPLATE/02-feature-request.md" ]; then
-            echo "feature-template-exists=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Create issue analysis prompt
-        id: create-prompt
-        env:
-          ISSUE_TITLE: ${{ github.event.issue.title }}
-          ISSUE_BODY: ${{ github.event.issue.body }}
-          ISSUE_LABELS: ${{ join(github.event.issue.labels.*.name, ', ') }}
-        run: |
-          cat > issue_analysis.txt << EOF
-          ## Issue Content to Analyze:
-
-          **Title:** $ISSUE_TITLE
-
-          **Body:**
-          $ISSUE_BODY
-
-          **Labels:** $ISSUE_LABELS
-          EOF
-
-      - name: Validate issue with AI
-        id: validate
-        uses: actions/ai-inference@334892bb203895caaed82ec52d23c1ed9385151e # v2.0.4
-        with:
-          prompt-file: issue_analysis.txt
-          system-prompt: |
-            You are an issue validation assistant for Donut Browser, an anti-detect browser.
-
-            Analyze the provided issue content and determine if it contains sufficient information based on these requirements:
-
-            **For Bug Reports, the issue should include:**
-            1. Clear description of the problem
-            2. Steps to reproduce the issue (numbered list preferred)
-            3. Expected vs actual behavior
-            4. Environment information (OS, browser version, etc.)
-            5. Error messages, stack traces, or screenshots if applicable
-
-            **For Feature Requests, the issue should include:**
-            1. Clear description of the requested feature
-            2. Use case or problem it solves
-            3. Proposed solution or how it should work
-            4. Priority level or importance
-
-            **General Requirements for all issues:**
-            1. Descriptive title
-            2. Sufficient detail to understand and act upon
-            3. Professional tone and clear communication
-
-            Respond ONLY with valid JSON (no markdown fences). Keep responses concise.
-
-            JSON structure:
-            {
-              "is_valid": true|false,
-              "issue_type": "bug_report"|"feature_request"|"other",
-              "missing_info": ["item1", "item2"],
-              "suggestions": ["suggestion1", "suggestion2"],
-              "overall_assessment": "One sentence assessment"
-            }
-
-            IMPORTANT CONSTRAINTS:
-            - Maximum 3 items in missing_info array
-            - Maximum 3 items in suggestions array
-            - Each array item must be under 80 characters
-            - overall_assessment must be under 100 characters
-            - Output ONLY the JSON object, nothing else
-          model: gpt-5
-
      - name: Check if first-time contributor
        id: check-first-time
        env:
@@ -118,102 +41,33 @@ jobs:
            echo "is_first_time=false" >> $GITHUB_OUTPUT
          fi

-      - name: Parse validation result and take action
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RESPONSE_FILE: ${{ steps.validate.outputs.response-file }}
-        run: |
-          if [ -n "$RESPONSE_FILE" ] && [ -f "$RESPONSE_FILE" ]; then
-            RAW_OUTPUT=$(cat "$RESPONSE_FILE")
-          else
-            echo "::error::Response file not found: $RESPONSE_FILE"
-            exit 1
-          fi
-
-          JSON_RESULT=$(printf "%s" "$RAW_OUTPUT" | sed -n '/```json/,/```/p' | sed '1d;$d')
-          if [ -z "$JSON_RESULT" ]; then
-            JSON_RESULT="$RAW_OUTPUT"
-          fi
-
-          if ! echo "$JSON_RESULT" | jq empty 2>/dev/null; then
-            echo "::warning::Invalid JSON in AI response, using fallback"
-            JSON_RESULT='{"is_valid":true,"issue_type":"other","missing_info":[],"suggestions":[],"overall_assessment":"Unable to validate automatically"}'
-          fi
-
-          IS_VALID=$(echo "$JSON_RESULT" | jq -r '.is_valid // false')
-          ISSUE_TYPE=$(echo "$JSON_RESULT" | jq -r '.issue_type // "other"')
-          MISSING_INFO=$(echo "$JSON_RESULT" | jq -r '.missing_info[]? // empty' | sed 's/^/- /')
-          SUGGESTIONS=$(echo "$JSON_RESULT" | jq -r '.suggestions[]? // empty' | sed 's/^/- /')
-          ASSESSMENT=$(echo "$JSON_RESULT" | jq -r '.overall_assessment // "No assessment provided"')
-
-          IS_FIRST_TIME="${{ steps.check-first-time.outputs.is_first_time }}"
-          GREETING_SECTION=""
-          if [ "$IS_FIRST_TIME" = "true" ]; then
-            GREETING_SECTION="## 👋 Welcome!\n\nThank you for your first issue ❤️ If this is a feature request, please make sure it is clear what you want, why you want it, and how important it is to you. If you posted a bug report, please make sure it includes as much detail as possible.\n\n---\n\n"
-          fi
-
-          if [ "$IS_VALID" = "false" ]; then
-            {
-              printf "%b" "$GREETING_SECTION"
-              printf "## 🤖 Issue Validation\n\n"
-              printf "Thank you for submitting this issue! However, it appears that some required information might be missing to help us better understand and address your concern.\n\n"
-              printf "**Issue Type Detected:** \`%s\`\n\n" "$ISSUE_TYPE"
-              printf "**Assessment:** %s\n\n" "$ASSESSMENT"
-              printf "### 📋 Missing Information:\n%s\n\n" "$MISSING_INFO"
-              printf "### 💡 Suggestions for Improvement:\n%s\n\n" "$SUGGESTIONS"
-              printf "### 📝 How to Provide Additional Information:\n\n"
-              printf "Please edit your original issue description to include the missing information. Here are our issue templates for reference:\n\n"
-              printf -- "- **Bug Report Template:** [View Template](.github/ISSUE_TEMPLATE/01-bug-report.md)\n"
-              printf -- "- **Feature Request Template:** [View Template](.github/ISSUE_TEMPLATE/02-feature-request.md)\n\n"
-              printf "### 🔧 Quick Tips:\n"
-              printf -- "- For **bug reports**: Include step-by-step reproduction instructions, your environment details, and any error messages\n"
-              printf -- "- For **feature requests**: Describe the use case, expected behavior, and why this feature would be valuable\n"
-              printf -- "- Add **screenshots** or **logs** when applicable\n\n"
-              printf "Once you have updated the issue with the missing information, feel free to remove this comment or reply to let us know you have made the updates.\n\n"
-              printf -- "---\n*This validation was performed automatically to ensure we have all the information needed to help you effectively.*\n"
-            } > comment.md
-
-            gh issue comment ${{ github.event.issue.number }} --body-file comment.md
-            gh issue edit ${{ github.event.issue.number }} --add-label "needs-info"
-          else
-            SUGGESTIONS_SECTION=""
-            if [ -n "$SUGGESTIONS" ]; then
-              SUGGESTIONS_SECTION=$(printf "### 💡 Suggestions:\n%s\n\n" "$SUGGESTIONS")
-            fi
-
-            {
-              printf "%b" "$GREETING_SECTION"
-              printf "## 🤖 Issue Validation\n\n"
-              printf "**Issue Type Detected:** \`%s\`\n\n" "$ISSUE_TYPE"
-              printf "**Assessment:** %s\n\n" "$ASSESSMENT"
-              printf "%b" "$SUGGESTIONS_SECTION"
-              printf -- "---\n*This validation was performed automatically to help triage issues.*\n"
-            } > comment.md
-
-            gh issue comment ${{ github.event.issue.number }} --body-file comment.md
-
-            case "$ISSUE_TYPE" in
-              "bug_report")
-                gh issue edit ${{ github.event.issue.number }} --add-label "bug"
-                ;;
-              "feature_request")
-                gh issue edit ${{ github.event.issue.number }} --add-label "enhancement"
-                ;;
-            esac
-          fi
-
-      - name: Run opencode analysis
-        uses: anomalyco/opencode/github@latest
+      - name: Analyze issue
+        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          model: zai-coding-plan/glm-4.7
+          prompt: |
+            You are a triage bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).

-      - name: Cleanup
-        run: rm -f issue_analysis.txt comment.md
+            ${{ steps.check-first-time.outputs.is_first_time == 'true' && 'This is a first-time contributor. Start your comment with: "Thanks for opening your first issue!"' || '' }}

-  handle-pr:
-    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+            Analyze this issue and post a single concise comment. Format:
+
+            1. One sentence acknowledging what the user wants.
+            2. A short **Action items** list — what specific info is missing or what the user should do next. Only include items that are actually missing. If the issue is complete, say so and skip this section.
+            3. Label the issue: add "bug" label for bug reports, "enhancement" label for feature requests.
+
+            Rules:
+            - Be brief. No filler, no generic tips, no templates.
+            - If it's a bug report, check for: reproduction steps, OS/version, error messages. Only ask for what's actually missing.
+            - If it's a feature request, check for: clear description of desired behavior, use case. Only ask for what's actually missing.
+            - If the issue already has everything needed, just acknowledge it and label it.
+            - Never exceed 6 items total.
+
+  analyze-pr:
+    if: github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
@@ -237,141 +91,30 @@ jobs:
            echo "is_first_time=false" >> $GITHUB_OUTPUT
          fi

-      - name: Get PR diff
-        id: get-diff
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh pr diff ${{ github.event.pull_request.number }} > pr_diff.txt
-          head -c 10000 pr_diff.txt > pr_diff_truncated.txt
-
-      - name: Create PR analysis prompt
-        env:
-          PR_TITLE: ${{ github.event.pull_request.title }}
-          PR_BODY: ${{ github.event.pull_request.body }}
-        run: |
-          {
-            printf "## Pull Request to Review:\n\n"
-            printf "**Title:** %s\n\n" "$PR_TITLE"
-            printf "**Description:**\n%s\n\n" "$PR_BODY"
-            printf "**Diff:**\n"
-            cat pr_diff_truncated.txt
-          } > pr_analysis.txt
-
-      - name: Analyze PR with AI
-        id: analyze
-        uses: actions/ai-inference@334892bb203895caaed82ec52d23c1ed9385151e # v2.0.4
-        with:
-          prompt-file: pr_analysis.txt
-          system-prompt: |
-            You are a code review assistant for Donut Browser, an open-source anti-detect browser built with Tauri, Next.js, and Rust.
-
-            Review the provided pull request and provide constructive feedback. Focus on:
-            1. Code quality and best practices
-            2. Potential bugs or issues
-            3. Security concerns (especially important for an anti-detect browser)
-            4. Performance implications
-            5. Consistency with the project's patterns
-
-            Respond ONLY with valid JSON (no markdown fences).
-
-            JSON structure:
-            {
-              "summary": "Brief 1-2 sentence summary of what this PR does",
-              "quality_score": "good"|"needs_work"|"critical_issues",
-              "feedback": ["feedback point 1", "feedback point 2"],
-              "suggestions": ["suggestion 1", "suggestion 2"],
-              "security_notes": ["security note if any"] or []
-            }
-
-            IMPORTANT CONSTRAINTS:
-            - Maximum 4 items in feedback array
-            - Maximum 3 items in suggestions array
-            - Maximum 2 items in security_notes array
-            - Each array item must be under 150 characters
-            - summary must be under 200 characters
-            - Be constructive and helpful, not harsh
-            - Output ONLY the JSON object, nothing else
-          model: gpt-5
-
-      - name: Post PR feedback comment
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RESPONSE_FILE: ${{ steps.analyze.outputs.response-file }}
-        run: |
-          if [ -n "$RESPONSE_FILE" ] && [ -f "$RESPONSE_FILE" ]; then
-            RAW_OUTPUT=$(cat "$RESPONSE_FILE")
-          else
-            echo "::error::Response file not found"
-            exit 1
-          fi
-
-          JSON_RESULT=$(printf "%s" "$RAW_OUTPUT" | sed -n '/```json/,/```/p' | sed '1d;$d')
-          if [ -z "$JSON_RESULT" ]; then
-            JSON_RESULT="$RAW_OUTPUT"
-          fi
-
-          if ! echo "$JSON_RESULT" | jq empty 2>/dev/null; then
-            echo "::warning::Invalid JSON in AI response, using fallback"
-            JSON_RESULT='{"summary":"Unable to analyze automatically","quality_score":"good","feedback":[],"suggestions":[],"security_notes":[]}'
-          fi
-
-          SUMMARY=$(echo "$JSON_RESULT" | jq -r '.summary // "No summary"')
-          QUALITY=$(echo "$JSON_RESULT" | jq -r '.quality_score // "good"')
-          FEEDBACK=$(echo "$JSON_RESULT" | jq -r '.feedback[]? // empty' | sed 's/^/- /')
-          SUGGESTIONS=$(echo "$JSON_RESULT" | jq -r '.suggestions[]? // empty' | sed 's/^/- /')
-          SECURITY=$(echo "$JSON_RESULT" | jq -r '.security_notes[]? // empty' | sed 's/^/- ⚠️ /')
-
-          IS_FIRST_TIME="${{ steps.check-first-time.outputs.is_first_time }}"
-
-          {
-            if [ "$IS_FIRST_TIME" = "true" ]; then
-              printf "## 👋 Welcome!\n\n"
-              printf "Thank you for your first contribution ❤️ A human will review your PR shortly. Make sure that the pipelines are green, so that the PR is considered ready for review and could be merged.\n\n"
-              printf -- "---\n\n"
-            fi
-
-            printf "## 🤖 PR Review\n\n"
-            printf "**Summary:** %s\n\n" "$SUMMARY"
-
-            case "$QUALITY" in
-              "good")
-                printf "**Status:** ✅ Looking good!\n\n"
-                ;;
-              "needs_work")
-                printf "**Status:** 🔧 Some improvements suggested\n\n"
-                ;;
-              "critical_issues")
-                printf "**Status:** ⚠️ Please address the issues below\n\n"
-                ;;
-            esac
-
-            if [ -n "$FEEDBACK" ]; then
-              printf "### 📝 Feedback:\n%s\n\n" "$FEEDBACK"
-            fi
-
-            if [ -n "$SUGGESTIONS" ]; then
-              printf "### 💡 Suggestions:\n%s\n\n" "$SUGGESTIONS"
-            fi
-
-            if [ -n "$SECURITY" ]; then
-              printf "### 🔒 Security Notes:\n%s\n\n" "$SECURITY"
-            fi
-
-            printf -- "---\n*This review was performed automatically. A human maintainer will also review your changes.*\n"
-          } > comment.md
-
-          gh pr comment ${{ github.event.pull_request.number }} --body-file comment.md
-
-      - name: Run opencode analysis
-        uses: anomalyco/opencode/github@latest
+      - name: Analyze PR
+        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          model: zai-coding-plan/glm-4.7
+          prompt: |
+            You are a review bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).

-      - name: Cleanup
-        run: rm -f pr_diff.txt pr_diff_truncated.txt pr_analysis.txt comment.md
+            ${{ steps.check-first-time.outputs.is_first_time == 'true' && 'This is a first-time contributor. Start your comment with: "Thanks for your first PR!"' || '' }}
+
+            Review this PR and post a single concise comment. Format:
+
+            1. One sentence summarizing what this PR does.
+            2. **Action items** — only list things that actually need to be fixed or addressed. If the PR looks good, say so and skip this section.
+
+            Rules:
+            - Be brief. No filler, no praise padding.
+            - Focus on: bugs, security issues, missing edge cases, breaking changes.
+            - If the PR touches UI text or adds new strings, remind to update translation files in src/i18n/locales/.
+            - If the PR modifies Tauri commands, remind to check the unused-commands test.
+            - Do not nitpick style or formatting — the project has automated linting.
+            - Never exceed 8 lines total.

  opencode-command:
    if: |
@@ -386,8 +129,9 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Run opencode
-        uses: anomalyco/opencode/github@latest
+        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          model: zai-coding-plan/glm-4.7
@@ -37,7 +37,7 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -29,8 +29,9 @@ permissions:
 jobs:
  build:
    strategy:
+      fail-fast: false
      matrix:
-        os: [macos-latest, ubuntu-22.04]
+        os: [macos-latest, ubuntu-22.04, windows-latest]

    runs-on: ${{ matrix.os }}

@@ -43,7 +44,7 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -113,7 +114,7 @@ jobs:
        working-directory: src-tauri

      - name: Run Rust unit tests
-        run: cargo test --lib && cargo test --test donut_proxy_integration
+        run: cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration
        working-directory: src-tauri

      - name: Run Rust sync e2e tests
@@ -46,7 +46,7 @@ jobs:
  scan-scheduled:
    name: Scheduled Security Scan
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
    with:
      scan-args: |-
        -r
@@ -58,7 +58,7 @@ jobs:
  scan-pr:
    name: PR Security Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
    with:
      scan-args: |-
        -r
@@ -29,7 +29,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
    with:
      scan-args: |-
        -r
@@ -82,47 +82,14 @@ jobs:
      - name: Generate release notes with AI
        id: generate-notes
        if: steps.get-release.outputs.is-prerelease == 'false'
-        uses: actions/ai-inference@334892bb203895caaed82ec52d23c1ed9385151e # v2.0.4
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
-          prompt-file: commits.txt
-          system-prompt: |
-            You are an expert technical writer tasked with generating comprehensive release notes for Donut Browser, a powerful anti-detect browser.
-
-            Analyze the provided commit messages and generate well-structured release notes following this format:
-
-            ## What's New in ${{ steps.get-previous-tag.outputs.current-tag }}
-
-            [Brief 1-2 sentence overview of the release]
-
-            ### ✨ New Features
-            [List new features with brief descriptions]
-
-            ### 🐛 Bug Fixes  
-            [List bug fixes]
-
-            ### 🔧 Improvements
-            [List improvements and enhancements]
-
-            ### 📚 Documentation
-            [List documentation updates if any]
-
-            ### 🔄 Dependencies
-            [List dependency updates if any]
-
-            ### 🛠️ Developer Experience
-            [List development-related changes if any]
-
-            Guidelines:
-            - Use clear, user-friendly language
-            - Group related commits logically
-            - Omit minor commits like formatting, typos unless significant
-            - Focus on user-facing changes
-            - Use emojis sparingly and consistently
-            - Keep descriptions concise but informative
-            - If commits are unclear, infer the purpose from the context
-
-            The application is a desktop app built with Tauri + Next.js that helps users manage multiple browser profiles with proxy support.
-          model: gpt-5
+          prompt-file: .github/prompts/release-notes.prompt.yml
+          input: |
+            version: ${{ steps.get-previous-tag.outputs.current-tag }}
+          file_input: |
+            commits: ./commits.txt
+          max-tokens: 4096

      - name: Update release with generated notes
        if: steps.get-release.outputs.is-prerelease == 'false'
@@ -5,6 +5,12 @@ on:
    tags:
      - "v*"

+permissions:
+  contents: write
+  security-events: write
+  packages: read
+  actions: read
+
 env:
  TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
  TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
@@ -13,7 +19,7 @@ env:
 jobs:
  security-scan:
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
    with:
      scan-args: |-
        -r
@@ -85,13 +91,18 @@ jobs:
            arch: "aarch64"
            target: "aarch64-unknown-linux-gnu"
            pkg_target: "latest-linux-arm64"
+          - platform: "windows-latest"
+            args: "--target x86_64-pc-windows-msvc --verbose"
+            arch: "x86_64"
+            target: "x86_64-pc-windows-msvc"
+            pkg_target: "latest-win-x64"

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -114,7 +125,7 @@ jobs:
          sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils

      - name: Rust cache
-        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
+        uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1
        with:
          workdir: ./src-tauri

@@ -157,11 +168,48 @@ jobs:
            chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }}
          fi

+      - name: Import Apple certificate
+        if: matrix.platform == 'macos-latest'
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_KEY: ${{ secrets.APPLE_CERTIFICATE_KEY }}
+        run: |
+          CERT_PATH=$RUNNER_TEMP/cert.cer
+          KEY_PATH=$RUNNER_TEMP/cert.key
+          PEM_PATH=$RUNNER_TEMP/cert.pem
+          P12_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          P12_PASSWORD=$(openssl rand -base64 32)
+
+          echo "$APPLE_CERTIFICATE" | base64 --decode > $CERT_PATH
+          echo "$APPLE_CERTIFICATE_KEY" | base64 --decode > $KEY_PATH
+
+          openssl x509 -inform DER -in $CERT_PATH -out $PEM_PATH
+          openssl pkcs12 -export -out $P12_PATH -inkey $KEY_PATH -in $PEM_PATH -passout pass:$P12_PASSWORD
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          security import $P12_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db
+
+          echo "Available signing identities:"
+          security find-identity -v -p codesigning $KEYCHAIN_PATH
+
+          rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH
+
      - name: Build Tauri app
        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REF_NAME: ${{ github.ref_name }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          projectPath: ./src-tauri
          tagName: ${{ github.ref_name }}
@@ -171,8 +219,104 @@ jobs:
          prerelease: false
          args: ${{ matrix.args }}

+      - name: Clean up Apple certificate
+        if: matrix.platform == 'macos-latest' && always()
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+          rm -f $RUNNER_TEMP/build_certificate.p12 || true
+
 #      - name: Commit CHANGELOG.md
 #        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 #v6.0.1
 #        with:
 #          branch: main
 #          commit_message: "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]"
+
+  publish-repos:
+    needs: [release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Download Linux packages from release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p /tmp/packages
+          gh release download "$GITHUB_REF_NAME" \
+            --repo "$GITHUB_REPOSITORY" \
+            --pattern "*.deb" \
+            --dir /tmp/packages
+          gh release download "$GITHUB_REF_NAME" \
+            --repo "$GITHUB_REPOSITORY" \
+            --pattern "*.rpm" \
+            --dir /tmp/packages
+          echo "Downloaded packages:"
+          ls -la /tmp/packages/
+
+      - name: Setup Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
+        with:
+          go-version: "1.23"
+          cache: false
+
+      - name: Install repogen
+        run: |
+          go install github.com/ralt/repogen/cmd/repogen@latest
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
+      - name: Sync existing repo metadata from R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          mkdir -p /tmp/repo
+          aws s3 cp "s3://${R2_BUCKET}/dists" /tmp/repo/dists \
+            --endpoint-url "${R2_ENDPOINT}" --recursive 2>/dev/null || true
+          aws s3 cp "s3://${R2_BUCKET}/repodata" /tmp/repo/repodata \
+            --endpoint-url "${R2_ENDPOINT}" --recursive 2>/dev/null || true
+
+      - name: Generate repository with repogen
+        run: |
+          repogen generate \
+            --input-dir /tmp/packages \
+            --output-dir /tmp/repo \
+            --incremental \
+            --arch amd64,arm64 \
+            --origin "Donut Browser" \
+            --label "Donut Browser" \
+            --codename stable \
+            --components main \
+            --verbose
+
+      - name: Upload repository to R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          aws s3 cp /tmp/repo/dists "s3://${R2_BUCKET}/dists" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+          aws s3 cp /tmp/repo/pool "s3://${R2_BUCKET}/pool" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+          aws s3 cp /tmp/repo/repodata "s3://${R2_BUCKET}/repodata" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+          aws s3 cp /tmp/repo/Packages "s3://${R2_BUCKET}/Packages" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+
+      - name: Verify upload
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          echo "DEB repo:"
+          aws s3 ls "s3://${R2_BUCKET}/dists/stable/" --endpoint-url "${R2_ENDPOINT}" || echo "  (listing not available)"
+          echo "RPM repo:"
+          aws s3 ls "s3://${R2_BUCKET}/repodata/" --endpoint-url "${R2_ENDPOINT}" || echo "  (listing not available)"
@@ -5,6 +5,12 @@ on:
    branches:
      - main

+permissions:
+  contents: write
+  security-events: write
+  packages: read
+  actions: read
+
 env:
  TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
  TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
@@ -12,7 +18,7 @@ env:
 jobs:
  security-scan:
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@2a387edfbe02a11d856b89172f6e978100177eb4" # v2.3.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
    with:
      scan-args: |-
        -r
@@ -95,7 +101,7 @@ jobs:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -118,7 +124,7 @@ jobs:
          sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils

      - name: Rust cache
-        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
+        uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1
        with:
          workdir: ./src-tauri

@@ -161,6 +167,39 @@ jobs:
            chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }}
          fi

+      - name: Import Apple certificate
+        if: matrix.platform == 'macos-latest'
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_KEY: ${{ secrets.APPLE_CERTIFICATE_KEY }}
+        run: |
+          CERT_PATH=$RUNNER_TEMP/cert.cer
+          KEY_PATH=$RUNNER_TEMP/cert.key
+          PEM_PATH=$RUNNER_TEMP/cert.pem
+          P12_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          P12_PASSWORD=$(openssl rand -base64 32)
+
+          echo "$APPLE_CERTIFICATE" | base64 --decode > $CERT_PATH
+          echo "$APPLE_CERTIFICATE_KEY" | base64 --decode > $KEY_PATH
+
+          openssl x509 -inform DER -in $CERT_PATH -out $PEM_PATH
+          openssl pkcs12 -export -out $P12_PATH -inkey $KEY_PATH -in $PEM_PATH -passout pass:$P12_PASSWORD
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          security import $P12_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db
+
+          echo "Available signing identities:"
+          security find-identity -v -p codesigning $KEYCHAIN_PATH
+
+          rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH
+
      - name: Generate nightly timestamp
        id: timestamp
        shell: bash
@@ -177,6 +216,10 @@ jobs:
          BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
          GITHUB_REF_NAME: "nightly-${{ steps.timestamp.outputs.timestamp }}"
          GITHUB_SHA: ${{ github.sha }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          projectPath: ./src-tauri
          tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -185,3 +228,61 @@ jobs:
          releaseDraft: false
          prerelease: true
          args: ${{ matrix.args }}
+
+      - name: Clean up Apple certificate
+        if: matrix.platform == 'macos-latest' && always()
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+          rm -f $RUNNER_TEMP/build_certificate.p12 || true
+
+  update-nightly-release:
+    needs: [rolling-release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+
+      - name: Generate nightly tag
+        id: tag
+        run: |
+          TIMESTAMP=$(date -u +"%Y-%m-%d")
+          COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          echo "nightly_tag=nightly-${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT
+
+      - name: Update rolling nightly release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          NIGHTLY_TAG="${{ steps.tag.outputs.nightly_tag }}"
+          ASSETS_DIR="/tmp/nightly-assets"
+
+          # Download all assets from the per-commit nightly release
+          mkdir -p "$ASSETS_DIR"
+          gh release download "$NIGHTLY_TAG" --dir "$ASSETS_DIR" --clobber
+
+          # Rename versioned filenames to stable nightly names
+          cd "$ASSETS_DIR"
+          for f in Donut_*_aarch64.dmg; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.dmg; done
+          for f in Donut_*_x64.dmg; do [ -f "$f" ] && mv "$f" Donut_nightly_x64.dmg; done
+          for f in Donut_*_x64-setup.exe; do [ -f "$f" ] && mv "$f" Donut_nightly_x64-setup.exe; done
+          for f in Donut_*_aarch64.AppImage; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.AppImage; done
+          for f in Donut_*_amd64.AppImage; do [ -f "$f" ] && mv "$f" Donut_nightly_amd64.AppImage; done
+          for f in Donut_*_amd64.deb; do [ -f "$f" ] && mv "$f" Donut_nightly_amd64.deb; done
+          for f in Donut_*_arm64.deb; do [ -f "$f" ] && mv "$f" Donut_nightly_arm64.deb; done
+          for f in Donut-*.x86_64.rpm; do [ -f "$f" ] && mv "$f" Donut_nightly_x86_64.rpm; done
+          for f in Donut-*.aarch64.rpm; do [ -f "$f" ] && mv "$f" Donut_nightly_aarch64.rpm; done
+          cd "$GITHUB_WORKSPACE"
+
+          # Delete existing rolling nightly release and tag
+          gh release delete nightly --yes 2>/dev/null || true
+          git push --delete origin nightly 2>/dev/null || true
+
+          # Create new rolling nightly release with all assets
+          gh release create nightly \
+            "$ASSETS_DIR"/Donut_nightly_* \
+            "$ASSETS_DIR"/Donut_aarch64.app.tar.gz \
+            "$ASSETS_DIR"/Donut_x64.app.tar.gz \
+            --title "Donut Browser Nightly" \
+            --notes "Automatically updated nightly build from the latest main branch.\n\nCommit: ${GITHUB_SHA}" \
+            --prerelease
@@ -23,4 +23,4 @@ jobs:
      - name: Checkout Actions Repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
      - name: Spell Check Repo
-        uses: crate-ci/typos@bb4666ad77b539a6b4ce4eda7ebb6de553704021 #v1.42.0
+        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d #v1.44.0
@@ -12,7 +12,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: "This issue has been inactive for 60 days. Please respond to keep it open."
@@ -24,6 +24,7 @@ jobs:
  rust-sync-e2e:
    name: Rust Sync E2E Tests
    strategy:
+      fail-fast: false
      matrix:
        os: [macos-latest, ubuntu-22.04]

@@ -34,7 +35,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -50,7 +51,7 @@ jobs:
          toolchain: stable

      - name: Cache Rust dependencies
-        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
+        uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1
        with:
          workspaces: "src-tauri"

@@ -93,7 +94,7 @@ jobs:
          done

      - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
        with:
          run_install: false

@@ -52,4 +52,10 @@ yarn-error.log*
 nodecar/nodecar-bin

 # sync test harness cache
-.cache/
+.cache/
+
+# env
+.env
+
+# next
+next-env.d.ts
@@ -0,0 +1,10 @@
+# Prevent pushing the 'nightly' tag — it is managed by CI
+if git rev-parse nightly >/dev/null 2>&1; then
+  LOCAL_NIGHTLY=$(git rev-parse nightly)
+  REMOTE_NIGHTLY=$(git ls-remote --tags origin refs/tags/nightly 2>/dev/null | awk '{print $1}')
+  if [ -n "$REMOTE_NIGHTLY" ] && [ "$LOCAL_NIGHTLY" != "$REMOTE_NIGHTLY" ]; then
+    echo "⚠ Skipping push of 'nightly' tag (managed by CI)"
+    # Delete the local nightly tag so --tags won't try to push it
+    git tag -d nightly >/dev/null 2>&1 || true
+  fi
+fi
@@ -13,6 +13,7 @@
    "autoconfig",
    "autologin",
    "biomejs",
+    "boringtun",
    "breezedark",
    "browserforge",
    "busctl",
@@ -31,6 +32,7 @@
    "cmdk",
    "codegen",
    "codesign",
+    "codesigning",
    "commitish",
    "Crashpad",
    "CTYPE",
@@ -41,9 +43,12 @@
    "DBAPI",
    "dconf",
    "debuginfo",
+    "desynced",
    "devedition",
    "direnv",
    "distro",
+    "dists",
+    "DMABUF",
    "doctest",
    "doesn",
    "domcontentloaded",
@@ -65,6 +70,7 @@
    "gettimezone",
    "gifs",
    "globset",
+    "GOPATH",
    "gsettings",
    "healthreport",
    "hiddenimports",
@@ -77,7 +83,9 @@
    "idletime",
    "idna",
    "infobars",
+    "inkey",
    "Inno",
+    "isps",
    "kdeglobals",
    "keras",
    "KHTML",
@@ -92,6 +100,7 @@
    "libayatana",
    "libc",
    "libcairo",
+    "libfuse",
    "libgdk",
    "libglib",
    "libpango",
@@ -125,16 +134,20 @@
    "ntlm",
    "numpy",
    "objc",
+    "oneshot",
    "opencode",
    "orhun",
    "orjson",
    "osascript",
    "oscpu",
    "outpath",
+    "OVPN",
+    "passout",
    "patchelf",
    "pathex",
    "pathlib",
    "peerconnection",
+    "PHANDLER",
    "pids",
    "pixbuf",
    "pkexec",
@@ -153,10 +166,17 @@
    "pytest",
    "pyyaml",
    "quic",
+    "ralt",
+    "ramdisk",
+    "repodata",
+    "repogen",
    "reportingpolicy",
    "reqwest",
+    "resvg",
    "ridedott",
    "rlib",
+    "rsplit",
+    "rusqlite",
    "rustc",
    "rwxr",
    "SARIF",
@@ -172,9 +192,11 @@
    "shadcn",
    "showcursor",
    "shutil",
+    "sighandler",
    "signon",
    "signum",
    "sklearn",
+    "smoltcp",
    "SMTO",
    "sonner",
    "splitn",
@@ -183,6 +205,7 @@
    "stefanzweifel",
    "subdirs",
    "subkey",
+    "subsec",
    "SUPPRESSMSGBOXES",
    "swatinem",
    "sysinfo",
@@ -194,14 +217,18 @@
    "TERX",
    "testpass",
    "testuser",
+    "thiserror",
    "timedatectl",
    "titlebar",
    "tkinter",
+    "tmpfs",
    "tqdm",
    "trackingprotection",
    "trailhead",
+    "tungstenite",
    "turbopack",
    "turtledemo",
+    "typer",
    "udeps",
    "unlisten",
    "unminimize",
@@ -212,6 +239,7 @@
    "venv",
    "vercel",
    "VERYSILENT",
+    "vpns",
    "wayfern",
    "webgl",
    "webrtc",
@@ -1,9 +1,39 @@
-# Instructions for AI Agents
+# Project Guidelines

- After your changes, instead of running specific tests or linting specific files, run "pnpm format && pnpm lint && pnpm test". It means that you first format the code, then lint it, then test it, so that no part is broken after your changes.
- Don't leave comments that don't add value.
- Do not duplicate code unless you have a very good reason to do so. It is important that the same logic is not duplicated multiple times.
- Before finishing the task and showing summary, always run "pnpm format && pnpm lint && pnpm test" at the root of the project to ensure that you don't finish with broken application.
- Anytime you change nodecar's code and try to test, recompile it with "cd nodecar && pnpm build".
- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless I have explicitly specified in the request otherwise.
- If you are modifying the UI, do not add random colors that are not controlled by src/lib/themes.ts file.
+## Testing and Quality
+
+- After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
+- Always run this command before finishing a task to ensure the application isn't broken
+- `pnpm lint` includes spellcheck via [typos](https://github.com/crate-ci/typos). False positives can be allowlisted in `_typos.toml`
+
+## Code Quality
+
+- Don't leave comments that don't add value
+- Don't duplicate code unless there's a very good reason; keep the same logic in one place
+- Anytime you make changes that affect copy or add new text, it has to be reflected in all translation files
+
+## Singletons
+
+- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless explicitly specified otherwise
+
+## UI Theming
+
+- Never use hardcoded Tailwind color classes (e.g., `text-red-500`, `bg-green-600`, `border-yellow-400`). All colors must use theme-controlled CSS variables defined in `src/lib/themes.ts`
+- Available semantic color classes:
+  - `background`, `foreground` — page/container background and text
+  - `card`, `card-foreground` — card surfaces
+  - `popover`, `popover-foreground` — dropdown/popover surfaces
+  - `primary`, `primary-foreground` — primary actions
+  - `secondary`, `secondary-foreground` — secondary actions
+  - `muted`, `muted-foreground` — muted/disabled elements
+  - `accent`, `accent-foreground` — accent highlights
+  - `destructive`, `destructive-foreground` — errors, danger, delete actions
+  - `success`, `success-foreground` — success states, valid indicators
+  - `warning`, `warning-foreground` — warnings, caution messages
+  - `border` — borders
+  - `chart-1` through `chart-5` — data visualization
+- Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
+- For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`
+
+## Proprietary Changes
+This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -4,15 +4,13 @@

 - After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
 - Always run this command before finishing a task to ensure the application isn't broken
+- `pnpm lint` includes spellcheck via [typos](https://github.com/crate-ci/typos). False positives can be allowlisted in `_typos.toml`

 ## Code Quality

 - Don't leave comments that don't add value
 - Don't duplicate code unless there's a very good reason; keep the same logic in one place
-
-## Nodecar
-
- After changing nodecar's code, recompile it with `cd nodecar && pnpm build` before testing
+- Anytime you make changes that affect copy or add new text, it has to be reflected in all translation files

 ## Singletons

@@ -20,4 +18,22 @@

 ## UI Theming

- When modifying the UI, don't add random colors that are not controlled by `src/lib/themes.ts`
+- Never use hardcoded Tailwind color classes (e.g., `text-red-500`, `bg-green-600`, `border-yellow-400`). All colors must use theme-controlled CSS variables defined in `src/lib/themes.ts`
+- Available semantic color classes:
+  - `background`, `foreground` — page/container background and text
+  - `card`, `card-foreground` — card surfaces
+  - `popover`, `popover-foreground` — dropdown/popover surfaces
+  - `primary`, `primary-foreground` — primary actions
+  - `secondary`, `secondary-foreground` — secondary actions
+  - `muted`, `muted-foreground` — muted/disabled elements
+  - `accent`, `accent-foreground` — accent highlights
+  - `destructive`, `destructive-foreground` — errors, danger, delete actions
+  - `success`, `success-foreground` — success states, valid indicators
+  - `warning`, `warning-foreground` — warnings, caution messages
+  - `border` — borders
+  - `chart-1` through `chart-5` — data visualization
+- Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
+- For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`
+
+## Proprietary Changes
+This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -1,10 +1,10 @@
 # Code of Conduct

-All participants of the Donut Browser project (referred to as "the project") are expected to abide by our Code of Conduct, both online and during in-person events that are hosted and/or associated with the project.
+All participants of the Donut Browser project (referred to as "the project") are expected to abide by this Code of Conduct, both online and during in-person events that are hosted and/or associated with the project.

 ## The Pledge

-In the interest of fostering an open and welcoming environment, we pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, the maintainers pledge to make participation in the project and the community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

 ## The Standards

@@ -23,6 +23,6 @@ Examples of unacceptable behavior by participants include:

 ## Enforcement

-Violations of the Code of Conduct may be reported to contact at donutbrowser dot com. All reports will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Further details of specific enforcement policies may be posted separately.
+Violations of the Code of Conduct may be reported to [contact@donutbrowser.com](mailto:contact@donutbrowser.com). All reports will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Further details of specific enforcement policies may be posted separately.

-We hold the right and responsibility to remove comments or other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any members for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+The maintainers hold the right and responsibility to remove comments or other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any members for other behaviors that are deemed inappropriate, threatening, offensive, or harmful.
@@ -10,11 +10,11 @@ Do keep in mind before you start working on an issue / posting a PR:

 - Search existing PRs related to that issue which might close them
 - Confirm if other contributors are working on the same issue
- Check if the feature aligns with our roadmap and project goals
+- Check if the feature aligns with the project's roadmap and goals

 ## Contributor License Agreement

-By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to our [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:
+By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to the [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:

 - Your contributions can be used in the open source version of Donut Browser (licensed under AGPL-3.0)
 - Donut Browser can offer commercial licenses for the software, including your contributions
@@ -27,7 +27,7 @@ When you submit your first pull request, you acknowledge that you agree to the t
 - PRs with tests are highly appreciated
 - Avoid adding third party libraries, whenever possible
 - Unless you are helping out by updating dependencies, you should not be uploading your lock files or updating any dependencies in your PR
- If you are unsure where to start, open a discussion and we will point you to a good first issue
+- If you are unsure where to start, open a discussion to get pointed to a good first issue

 ## Development Setup

@@ -80,7 +80,7 @@ This will start the app for local development with live reloading.

 ## Code Style & Quality

-We use several tools to maintain code quality:
+The project uses several tools to maintain code quality:

 - **Biome** for JavaScript/TypeScript linting and formatting
 - **Clippy** for Rust linting
@@ -88,7 +88,7 @@ We use several tools to maintain code quality:

 ### Before Committing

-Run these commands to ensure your code meets our standards:
+Run these commands to ensure your code meets the project's standards:

 ```bash
 # Format and lint frontend code
@@ -151,7 +151,7 @@ Refs #00000

 ### PR Checklist

- [ ] Code follows our style guidelines
+- [ ] Code follows the project's style guidelines
 - [ ] I have performed a self-review of my code
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation
@@ -187,7 +187,7 @@ Please note that this project is released with a [Contributor Code of Conduct](C

 ## Recognition

-All contributors will be recognized! We use the all-contributors specification to acknowledge everyone who contributes to the project.
+All contributors will be recognized! The project uses the all-contributors specification to acknowledge everyone who contributes.

 ---

@@ -25,11 +25,7 @@
  </a>
 </p>

-<picture>
- <source media="(prefers-color-scheme: dark)" srcset="assets/preview-dark.png" />
- <source media="(prefers-color-scheme: light)" srcset="assets/preview.png" />
- <img alt="Preview" src="assets/preview.png" />
-</picture>
+<img alt="Donut Browser Preview" src="assets/donut-preview.png" />

 ## Features

@@ -42,16 +38,28 @@

 ## Download

-> As of right now, the app is not signed by Apple. You need to have Gatekeeper disabled to run it. The app automatically checks for updates on each launch.
 > For Linux, .deb and .rpm packages are available as well as standalone .AppImage files.

 The app can be downloaded from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).

-## Supported Platforms
+<details>
+<summary>Troubleshooting AppImage on Linux</summary>

- ✅ **macOS** (Intel & Apple Silicon)
- ✅ **Linux** (x64 & arm64)
- 🔄 **Windows** (Planned)
+If the AppImage segfaults on launch, install **libfuse2** (`sudo apt install libfuse2` / `yay -S libfuse2` / `sudo dnf install fuse-libs`), or bypass FUSE entirely:
+
+```bash
+APPIMAGE_EXTRACT_AND_RUN=1 ./Donut.Browser_x.x.x_amd64.AppImage
+```
+
+If that gives an EGL display error, try adding `WEBKIT_DISABLE_DMABUF_RENDERER=1` or `GDK_BACKEND=x11` to the command above. If issues persist, the **.deb** / **.rpm** packages are a more reliable alternative.
+
+</details>
+
+<!-- ## Supported Platforms
+
+- ✅ **macOS** (Apple Silicon)
+- ✅ **Linux** (x64)
+- ✅ **Windows** (x64) -->

 ## Development

@@ -63,9 +71,13 @@ See [CONTRIBUTING.md](CONTRIBUTING.md).

 If you face any problems while using the application, please [open an issue](https://github.com/zhom/donutbrowser/issues).

+## Self-Hosting Sync
+
+Donut Browser supports syncing profiles, proxies, and groups across devices via a self-hosted sync server. See the [Self-Hosting Guide](docs/self-hosting-donut-sync.md) for Docker-based setup instructions.
+
 ## Community

-Have questions or want to contribute? We'd love to hear from you!
+Have questions or want to contribute? The team would love to hear from you!

 - **Issues**: [GitHub Issues](https://github.com/zhom/donutbrowser/issues)
 - **Discussions**: [GitHub Discussions](https://github.com/zhom/donutbrowser/discussions)
@@ -114,7 +126,7 @@ Have questions or want to contribute? We'd love to hear from you!

 ## Contact

-Have an urgent question or want to report a security vulnerability? Send an email to contact at donutbrowser dot com and we'll get back to you as fast as possible.
+Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and the team will get back to you as fast as possible.

 ## License

@@ -8,7 +8,7 @@ We take the security of Donut Browser seriously. If you believe you have found a

 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

-Instead, please send an email to **contact at donutbrowser dot com** with the subject line "Security Vulnerability Report".
+Instead, please send an email to **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)** with the subject line "Security Vulnerability Report".

 Please include as much of the information listed below as you can to help us better understand and resolve the issue:

@@ -32,7 +32,7 @@ This information will help us triage your report more quickly.

 ## Contact

-For urgent security matters, please contact us at **contact at donutbrowser dot com**.
+For urgent security matters, please contact us at **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)**.

 For general questions about this security policy, you can also reach out through:

@@ -2,4 +2,11 @@
 extend-exclude = [
    "src-tauri/src/camoufox/data/*.json",
    "src-tauri/src/camoufox/data/*.xml",
+    "src/i18n/locales/*.json",
+    "src-tauri/build.rs",
+    "src-tauri/tests/fixtures/test.ovpn",
 ]
+
+[default.extend-words]
+DBE = "DBE"
+nd = "nd"
@@ -0,0 +1,177 @@
+# Self-Hosting Donut Sync
+
+Donut Sync is the synchronization server for Donut Browser. It allows you to sync your profiles, proxies, and groups across multiple devices. This guide covers how to self-host it using Docker.
+
+## Prerequisites
+
+- [Docker](https://docs.docker.com/get-docker/) and [Docker Compose](https://docs.docker.com/compose/install/)
+- An S3-compatible object storage (MinIO included by default, or use AWS S3, Cloudflare R2, etc.)
+
+## Quick Start
+
+### 1. Create a `docker-compose.yml`
+
+```yaml
+services:
+  donut-sync:
+    image: donutbrowser/donut-sync:latest
+    ports:
+      - "3929:3929"
+    environment:
+      - SYNC_TOKEN=your-secret-token-here
+      - PORT=3929
+      - S3_ENDPOINT=http://minio:9000
+      - S3_REGION=us-east-1
+      - S3_ACCESS_KEY_ID=minioadmin
+      - S3_SECRET_ACCESS_KEY=minioadmin
+      - S3_BUCKET=donut-sync
+      - S3_FORCE_PATH_STYLE=true
+    depends_on:
+      minio:
+        condition: service_healthy
+
+  minio:
+    image: minio/minio:latest
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+    command: server /data --console-address ":9001"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    volumes:
+      - minio_data:/data
+
+volumes:
+  minio_data:
+```
+
+### 2. Start the services
+
+```bash
+docker compose up -d
+```
+
+### 3. Verify the server is running
+
+```bash
+# Health check
+curl http://localhost:3929/health
+# Expected: {"status":"ok"}
+
+# Readiness check (verifies S3 connectivity)
+curl http://localhost:3929/readyz
+# Expected: {"status":"ready","s3":true}
+```
+
+## Environment Variables
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `SYNC_TOKEN` | Yes | - | Bearer token used to authenticate requests from Donut Browser clients |
+| `PORT` | No | `3929` | Port the sync server listens on |
+| `S3_ENDPOINT` | No | - | S3-compatible endpoint URL (e.g., `http://minio:9000` or `https://s3.amazonaws.com`) |
+| `S3_REGION` | No | `us-east-1` | S3 region |
+| `S3_ACCESS_KEY_ID` | Yes | - | S3 access key |
+| `S3_SECRET_ACCESS_KEY` | Yes | - | S3 secret key |
+| `S3_BUCKET` | No | `donut-sync` | S3 bucket name for storing sync data |
+| `S3_FORCE_PATH_STYLE` | No | `false` | Set to `true` for MinIO and other S3-compatible services that use path-style URLs |
+
+## Using External S3 Storage
+
+Instead of running MinIO, you can use any S3-compatible storage service. Remove the `minio` service from `docker-compose.yml` and update the environment variables:
+
+### AWS S3
+
+```yaml
+services:
+  donut-sync:
+    image: donutbrowser/donut-sync:latest
+    ports:
+      - "3929:3929"
+    environment:
+      - SYNC_TOKEN=your-secret-token-here
+      - S3_REGION=us-east-1
+      - S3_ACCESS_KEY_ID=your-aws-access-key
+      - S3_SECRET_ACCESS_KEY=your-aws-secret-key
+      - S3_BUCKET=your-bucket-name
+```
+
+### Cloudflare R2
+
+```yaml
+services:
+  donut-sync:
+    image: donutbrowser/donut-sync:latest
+    ports:
+      - "3929:3929"
+    environment:
+      - SYNC_TOKEN=your-secret-token-here
+      - S3_ENDPOINT=https://<account-id>.r2.cloudflarestorage.com
+      - S3_REGION=auto
+      - S3_ACCESS_KEY_ID=your-r2-access-key
+      - S3_SECRET_ACCESS_KEY=your-r2-secret-key
+      - S3_BUCKET=your-bucket-name
+      - S3_FORCE_PATH_STYLE=true
+```
+
+### Other S3-Compatible Services
+
+Any service that implements the S3 API (e.g., Backblaze B2, DigitalOcean Spaces, Wasabi) can be used. Set `S3_ENDPOINT` to the service's endpoint URL and `S3_FORCE_PATH_STYLE=true` if required by the provider.
+
+## Configuring the Donut Browser Client
+
+1. Open Donut Browser
+2. Click the sync icon in the header to open the Sync Configuration dialog
+3. Enter the **Server URL** (e.g., `http://your-server:3929`)
+4. Enter the **Sync Token** (the value you set for `SYNC_TOKEN`)
+5. Click **Save**
+
+Once configured, you can enable sync on individual profiles, proxies, and groups.
+
+## Health Check Endpoints
+
+| Endpoint | Description |
+|---|---|
+| `GET /health` | Basic health check. Returns `{"status":"ok"}` if the server is running. |
+| `GET /readyz` | Readiness check. Verifies S3 connectivity. Returns `{"status":"ready","s3":true}` or HTTP 503 if S3 is unreachable. |
+
+## Security Considerations
+
+- **Use a strong `SYNC_TOKEN`**: Generate a random token (e.g., `openssl rand -hex 32`) and keep it secret.
+- **HTTPS**: In production, place a reverse proxy (e.g., Nginx, Caddy, Traefik) in front of Donut Sync to terminate TLS. The sync token is sent as a Bearer token in the `Authorization` header and should not be transmitted over plain HTTP.
+- **Network isolation**: If running on a VPS, consider restricting access to the sync port using firewall rules or binding only to localhost behind a reverse proxy.
+- **S3 credentials**: Use dedicated IAM credentials with minimal permissions (read/write to the sync bucket only).
+
+### Example: Caddy Reverse Proxy
+
+```
+sync.yourdomain.com {
+    reverse_proxy localhost:3929
+}
+```
+
+### Example: Nginx Reverse Proxy
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name sync.yourdomain.com;
+
+    ssl_certificate /path/to/cert.pem;
+    ssl_certificate_key /path/to/key.pem;
+
+    location / {
+        proxy_pass http://localhost:3929;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
@@ -0,0 +1,10 @@
+.env
+.env.*
+!.env.example
+coverage
+.nyc_output
+.temp
+.tmp
+.git
+*.log
+test
@@ -0,0 +1,12 @@
+FROM node:22-alpine
+
+WORKDIR /app
+
+COPY package.json .
+COPY dist/ dist/
+COPY node_modules/ node_modules/
+
+ENV NODE_ENV=production
+EXPOSE 12342
+
+CMD ["node", "dist/main"]
@@ -0,0 +1,11 @@
+[phases.setup]
+nixPkgs = ["nodejs_22"]
+
+[phases.install]
+cmds = ["npm install --include=dev"]
+
+[phases.build]
+cmds = ["npm run build", "npm prune --omit=dev"]
+
+[start]
+cmd = "npm run start:prod"
@@ -18,24 +18,26 @@
    "test:e2e": "jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
-    "@aws-sdk/client-s3": "^3.971.0",
-    "@aws-sdk/s3-request-presigner": "^3.971.0",
-    "@nestjs/common": "^11.1.12",
-    "@nestjs/config": "^4.0.2",
-    "@nestjs/core": "^11.1.12",
-    "@nestjs/platform-express": "^11.1.12",
+    "@aws-sdk/client-s3": "^3.1009.0",
+    "@aws-sdk/s3-request-presigner": "^3.1009.0",
+    "@nestjs/common": "^11.1.16",
+    "@nestjs/config": "^4.0.3",
+    "@nestjs/core": "^11.1.16",
+    "@nestjs/platform-express": "^11.1.16",
+    "jsonwebtoken": "^9.0.3",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2"
  },
  "devDependencies": {
    "@nestjs/cli": "^11.0.16",
    "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.12",
+    "@nestjs/testing": "^11.1.16",
    "@types/express": "^5.0.6",
    "@types/jest": "^30.0.0",
-    "@types/node": "^25.0.9",
-    "@types/supertest": "^6.0.3",
-    "jest": "^30.2.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^25.5.0",
+    "@types/supertest": "^7.2.0",
+    "jest": "^30.3.0",
    "source-map-support": "^0.5.21",
    "supertest": "^7.2.2",
    "ts-jest": "^29.4.6",
@@ -2,14 +2,26 @@ import {
  type CanActivate,
  type ExecutionContext,
  Injectable,
+  Logger,
  UnauthorizedException,
 } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import type { Request } from "express";
+import * as jwt from "jsonwebtoken";
+import type { UserContext } from "./user-context.interface.js";

@Injectable()
 export class AuthGuard implements CanActivate {
-  constructor(private configService: ConfigService) {}
+  private readonly logger = new Logger(AuthGuard.name);
+  private jwtPublicKey: string | null = null;
+
+  constructor(private configService: ConfigService) {
+    const publicKey = this.configService.get<string>("SYNC_JWT_PUBLIC_KEY");
+    if (publicKey) {
+      this.jwtPublicKey = publicKey.replace(/\\n/g, "\n");
+      this.logger.log("JWT public key configured — cloud auth enabled");
+    }
+  }

  canActivate(context: ExecutionContext): boolean {
    const request = context.switchToHttp().getRequest<Request>();
@@ -22,16 +34,49 @@ export class AuthGuard implements CanActivate {
    }

    const token = authHeader.substring(7);
+
+    // Try SYNC_TOKEN first (self-hosted mode)
    const expectedToken = this.configService.get<string>("SYNC_TOKEN");
-
-    if (!expectedToken) {
-      throw new UnauthorizedException("Sync token not configured on server");
+    if (expectedToken && token === expectedToken) {
+      (request as any).user = {
+        mode: "self-hosted",
+        prefix: "",
+        teamPrefix: null,
+        profileLimit: 0,
+        teamProfileLimit: 0,
+      } satisfies UserContext;
+      return true;
    }

-    if (token !== expectedToken) {
-      throw new UnauthorizedException("Invalid sync token");
+    // Try JWT verification (cloud mode)
+    if (this.jwtPublicKey) {
+      try {
+        const decoded = jwt.verify(token, this.jwtPublicKey, {
+          algorithms: ["RS256"],
+        }) as jwt.JwtPayload;
+
+        (request as any).user = {
+          mode: "cloud",
+          prefix: decoded.prefix || `users/${decoded.sub}/`,
+          teamPrefix: decoded.teamPrefix || null,
+          profileLimit: decoded.profileLimit || 0,
+          teamProfileLimit: decoded.teamProfileLimit || 0,
+        } satisfies UserContext;
+        return true;
+      } catch (err) {
+        this.logger.warn(
+          `JWT verification failed: ${err instanceof Error ? err.message : err}`,
+        );
+      }
    }

-    return true;
+    // If SYNC_TOKEN is configured but didn't match, or JWT failed
+    if (!expectedToken && !this.jwtPublicKey) {
+      throw new UnauthorizedException(
+        "No auth method configured on server (set SYNC_TOKEN or SYNC_JWT_PUBLIC_KEY)",
+      );
+    }
+
+    throw new UnauthorizedException("Invalid sync token or JWT");
  }
 }
@@ -0,0 +1,7 @@
+export interface UserContext {
+  mode: "self-hosted" | "cloud";
+  prefix: string; // '' for self-hosted, 'users/{id}/' for cloud
+  teamPrefix: string | null; // 'teams/{id}/' or null
+  profileLimit: number; // 0 for unlimited (self-hosted)
+  teamProfileLimit: number; // 0 for unlimited or non-team users
+}
@@ -1,13 +1,10 @@
 import { NestFactory } from "@nestjs/core";
+import type { NestExpressApplication } from "@nestjs/platform-express";
 import { AppModule } from "./app.module.js";

 function validateEnv() {
-  const required = ["SYNC_TOKEN"];
-  const missing = required.filter((key) => !process.env[key]);
-  if (missing.length > 0) {
-    console.error(
-      `Missing required environment variables: ${missing.join(", ")}`,
-    );
+  if (!process.env.SYNC_TOKEN && !process.env.SYNC_JWT_PUBLIC_KEY) {
+    console.error("Either SYNC_TOKEN or SYNC_JWT_PUBLIC_KEY must be set");
    process.exit(1);
  }
 }
@@ -15,7 +12,10 @@ function validateEnv() {
 async function bootstrap() {
  validateEnv();

-  const app = await NestFactory.create(AppModule);
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);
+
+  // biome-ignore lint/correctness/useHookAtTopLevel: NestJS method, not a React hook
+  app.useBodyParser("json", { limit: "50mb" });

  app.enableCors({
    origin: "*",
@@ -0,0 +1,38 @@
+import {
+  Body,
+  Controller,
+  Headers,
+  HttpCode,
+  Post,
+  UnauthorizedException,
+} from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { SyncService } from "./sync.service.js";
+
+@Controller("v1/internal")
+export class InternalController {
+  private readonly internalKey: string | undefined;
+
+  constructor(
+    private readonly syncService: SyncService,
+    private readonly configService: ConfigService,
+  ) {
+    this.internalKey = this.configService.get<string>("INTERNAL_KEY");
+  }
+
+  @Post("cleanup-excess-profiles")
+  @HttpCode(200)
+  async cleanupExcessProfiles(
+    @Headers("x-internal-key") key: string,
+    @Body() body: { userId: string; maxProfiles: number },
+  ) {
+    if (!this.internalKey || key !== this.internalKey) {
+      throw new UnauthorizedException("Invalid internal key");
+    }
+
+    return this.syncService.cleanupExcessProfiles(
+      body.userId,
+      body.maxProfiles,
+    );
+  }
+}
@@ -5,11 +5,14 @@ import {
  HttpCode,
  type MessageEvent,
  Post,
+  Req,
  Sse,
  UseGuards,
 } from "@nestjs/common";
+import type { Request } from "express";
 import { map, type Observable } from "rxjs";
 import { AuthGuard } from "../auth/auth.guard.js";
+import type { UserContext } from "../auth/user-context.interface.js";
 import type {
  DeletePrefixRequestDto,
  DeletePrefixResponseDto,
@@ -35,68 +38,86 @@ import { SyncService } from "./sync.service.js";
 export class SyncController {
  constructor(private readonly syncService: SyncService) {}

+  private getUserContext(req: Request): UserContext {
+    return (req as any).user as UserContext;
+  }
+
  @Post("stat")
  @HttpCode(200)
-  async stat(@Body() dto: StatRequestDto): Promise<StatResponseDto> {
-    return this.syncService.stat(dto);
+  async stat(
+    @Body() dto: StatRequestDto,
+    @Req() req: Request,
+  ): Promise<StatResponseDto> {
+    return this.syncService.stat(dto, this.getUserContext(req));
  }

  @Post("presign-upload")
  @HttpCode(200)
  async presignUpload(
    @Body() dto: PresignUploadRequestDto,
+    @Req() req: Request,
  ): Promise<PresignUploadResponseDto> {
-    return this.syncService.presignUpload(dto);
+    return this.syncService.presignUpload(dto, this.getUserContext(req));
  }

  @Post("presign-download")
  @HttpCode(200)
  async presignDownload(
    @Body() dto: PresignDownloadRequestDto,
+    @Req() req: Request,
  ): Promise<PresignDownloadResponseDto> {
-    return this.syncService.presignDownload(dto);
+    return this.syncService.presignDownload(dto, this.getUserContext(req));
  }

  @Post("delete")
  @HttpCode(200)
-  async delete(@Body() dto: DeleteRequestDto): Promise<DeleteResponseDto> {
-    return this.syncService.delete(dto);
+  async delete(
+    @Body() dto: DeleteRequestDto,
+    @Req() req: Request,
+  ): Promise<DeleteResponseDto> {
+    return this.syncService.delete(dto, this.getUserContext(req));
  }

  @Post("list")
  @HttpCode(200)
-  async list(@Body() dto: ListRequestDto): Promise<ListResponseDto> {
-    return this.syncService.list(dto);
+  async list(
+    @Body() dto: ListRequestDto,
+    @Req() req: Request,
+  ): Promise<ListResponseDto> {
+    return this.syncService.list(dto, this.getUserContext(req));
  }

  @Post("presign-upload-batch")
  @HttpCode(200)
  async presignUploadBatch(
    @Body() dto: PresignUploadBatchRequestDto,
+    @Req() req: Request,
  ): Promise<PresignUploadBatchResponseDto> {
-    return this.syncService.presignUploadBatch(dto);
+    return this.syncService.presignUploadBatch(dto, this.getUserContext(req));
  }

  @Post("presign-download-batch")
  @HttpCode(200)
  async presignDownloadBatch(
    @Body() dto: PresignDownloadBatchRequestDto,
+    @Req() req: Request,
  ): Promise<PresignDownloadBatchResponseDto> {
-    return this.syncService.presignDownloadBatch(dto);
+    return this.syncService.presignDownloadBatch(dto, this.getUserContext(req));
  }

  @Post("delete-prefix")
  @HttpCode(200)
  async deletePrefix(
    @Body() dto: DeletePrefixRequestDto,
+    @Req() req: Request,
  ): Promise<DeletePrefixResponseDto> {
-    return this.syncService.deletePrefix(dto);
+    return this.syncService.deletePrefix(dto, this.getUserContext(req));
  }

  @Get("subscribe")
  @Sse()
-  subscribe(): Observable<MessageEvent> {
-    return this.syncService.subscribe(2000).pipe(
+  subscribe(@Req() req: Request): Observable<MessageEvent> {
+    return this.syncService.subscribe(this.getUserContext(req), 2000).pipe(
      map((event) => ({
        data: event,
      })),
@@ -1,10 +1,11 @@
 import { Module } from "@nestjs/common";
 import { AuthGuard } from "../auth/auth.guard.js";
+import { InternalController } from "./internal.controller.js";
 import { SyncController } from "./sync.controller.js";
 import { SyncService } from "./sync.service.js";

@Module({
-  controllers: [SyncController],
+  controllers: [SyncController, InternalController],
  providers: [SyncService, AuthGuard],
  exports: [SyncService],
 })
@@ -11,10 +11,16 @@ import {
  S3Client,
 } from "@aws-sdk/client-s3";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
-import { Injectable, type OnModuleInit } from "@nestjs/common";
+import {
+  ForbiddenException,
+  Injectable,
+  Logger,
+  type OnModuleInit,
+} from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { interval, merge, type Observable, of, Subject } from "rxjs";
 import { catchError, filter, map, startWith, switchMap } from "rxjs/operators";
+import type { UserContext } from "../auth/user-context.interface.js";
 import type {
  DeletePrefixRequestDto,
  DeletePrefixResponseDto,
@@ -37,11 +43,13 @@ import type {

@Injectable()
 export class SyncService implements OnModuleInit {
+  private readonly logger = new Logger(SyncService.name);
  private s3Client: S3Client;
  private bucket: string;
-  private lastKnownState: Map<string, string> = new Map();
  private changeSubject = new Subject<SubscribeEventDto>();
  private s3Ready = false;
+  private backendInternalUrl: string | undefined;
+  private backendInternalKey: string | undefined;

  constructor(private configService: ConfigService) {
    const endpoint =
@@ -65,6 +73,13 @@ export class SyncService implements OnModuleInit {
      },
      forcePathStyle,
    });
+
+    this.backendInternalUrl = this.configService.get<string>(
+      "BACKEND_INTERNAL_URL",
+    );
+    this.backendInternalKey = this.configService.get<string>(
+      "BACKEND_INTERNAL_KEY",
+    );
  }

  async onModuleInit() {
@@ -124,12 +139,38 @@ export class SyncService implements OnModuleInit {
    }
  }

-  async stat(dto: StatRequestDto): Promise<StatResponseDto> {
+  /**
+   * Scope a key to the user's prefix for cloud mode.
+   * Self-hosted mode passes through unchanged.
+   */
+  private scopeKey(ctx: UserContext, key: string): string {
+    if (ctx.mode === "self-hosted") return key;
+    if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return key;
+    return `${ctx.prefix}${key}`;
+  }
+
+  /**
+   * Validate that a key is accessible by the user.
+   * For cloud mode, key must start with user's prefix or team prefix.
+   */
+  private validateKeyAccess(ctx: UserContext, key: string): void {
+    if (ctx.mode === "self-hosted") return;
+
+    if (key.startsWith(ctx.prefix)) return;
+    if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return;
+
+    throw new ForbiddenException("Access denied to this key");
+  }
+
+  async stat(dto: StatRequestDto, ctx: UserContext): Promise<StatResponseDto> {
+    const key = this.scopeKey(ctx, dto.key);
+    this.validateKeyAccess(ctx, key);
+
    try {
      const response = await this.s3Client.send(
        new HeadObjectCommand({
          Bucket: this.bucket,
-          Key: dto.key,
+          Key: key,
        }),
      );

@@ -153,18 +194,32 @@ export class SyncService implements OnModuleInit {

  async presignUpload(
    dto: PresignUploadRequestDto,
+    ctx: UserContext,
  ): Promise<PresignUploadResponseDto> {
+    const key = this.scopeKey(ctx, dto.key);
+    this.validateKeyAccess(ctx, key);
+
+    // Check profile limit for cloud users
+    if (ctx.mode === "cloud" && ctx.profileLimit > 0) {
+      await this.checkProfileLimit(ctx);
+    }
+
    const expiresIn = dto.expiresIn || 3600;
    const expiresAt = new Date(Date.now() + expiresIn * 1000);

    const command = new PutCmd({
      Bucket: this.bucket,
-      Key: dto.key,
+      Key: key,
      ContentType: dto.contentType || "application/octet-stream",
    });

    const url = await getSignedUrl(this.s3Client, command, { expiresIn });

+    // Report profile usage after upload presign if key is under profiles/
+    if (ctx.mode === "cloud" && dto.key.startsWith("profiles/")) {
+      this.reportProfileUsageAsync(ctx);
+    }
+
    return {
      url,
      expiresAt: expiresAt.toISOString(),
@@ -173,13 +228,17 @@ export class SyncService implements OnModuleInit {

  async presignDownload(
    dto: PresignDownloadRequestDto,
+    ctx: UserContext,
  ): Promise<PresignDownloadResponseDto> {
+    const key = this.scopeKey(ctx, dto.key);
+    this.validateKeyAccess(ctx, key);
+
    const expiresIn = dto.expiresIn || 3600;
    const expiresAt = new Date(Date.now() + expiresIn * 1000);

    const command = new GetObjectCommand({
      Bucket: this.bucket,
-      Key: dto.key,
+      Key: key,
    });

    const url = await getSignedUrl(this.s3Client, command, { expiresIn });
@@ -190,7 +249,13 @@ export class SyncService implements OnModuleInit {
    };
  }

-  async delete(dto: DeleteRequestDto): Promise<DeleteResponseDto> {
+  async delete(
+    dto: DeleteRequestDto,
+    ctx: UserContext,
+  ): Promise<DeleteResponseDto> {
+    const key = this.scopeKey(ctx, dto.key);
+    this.validateKeyAccess(ctx, key);
+
    let deleted = false;
    let tombstoneCreated = false;

@@ -198,7 +263,7 @@ export class SyncService implements OnModuleInit {
      await this.s3Client.send(
        new DeleteObjectCommand({
          Bucket: this.bucket,
-          Key: dto.key,
+          Key: key,
        }),
      );
      deleted = true;
@@ -207,15 +272,16 @@ export class SyncService implements OnModuleInit {
    }

    if (dto.tombstoneKey) {
+      const scopedTombstoneKey = this.scopeKey(ctx, dto.tombstoneKey);
      const tombstoneData = JSON.stringify({
-        id: dto.key,
+        id: key,
        deleted_at: dto.deletedAt || new Date().toISOString(),
      });

      await this.s3Client.send(
        new PutObjectCommand({
          Bucket: this.bucket,
-          Key: dto.tombstoneKey,
+          Key: scopedTombstoneKey,
          Body: tombstoneData,
          ContentType: "application/json",
        }),
@@ -223,24 +289,41 @@ export class SyncService implements OnModuleInit {
      tombstoneCreated = true;
    }

+    // Report profile usage after delete if key is under profiles/
+    if (ctx.mode === "cloud" && dto.key.startsWith("profiles/")) {
+      this.reportProfileUsageAsync(ctx);
+    }
+
    return { deleted, tombstoneCreated };
  }

-  async list(dto: ListRequestDto): Promise<ListResponseDto> {
+  async list(dto: ListRequestDto, ctx?: UserContext): Promise<ListResponseDto> {
+    const prefix = ctx ? this.scopeKey(ctx, dto.prefix) : dto.prefix;
+
    const response = await this.s3Client.send(
      new ListObjectsV2Command({
        Bucket: this.bucket,
-        Prefix: dto.prefix,
+        Prefix: prefix,
        MaxKeys: dto.maxKeys || 1000,
        ContinuationToken: dto.continuationToken,
      }),
    );

-    const objects = (response.Contents || []).map((obj) => ({
-      key: obj.Key || "",
-      lastModified: obj.LastModified?.toISOString() || "",
-      size: obj.Size || 0,
-    }));
+    const userPrefix = ctx?.prefix || "";
+    const teamPrefix = ctx?.teamPrefix || "";
+    const objects = (response.Contents || []).map((obj) => {
+      let key = obj.Key || "";
+      if (teamPrefix && key.startsWith(teamPrefix)) {
+        key = key.substring(teamPrefix.length);
+      } else if (userPrefix && key.startsWith(userPrefix)) {
+        key = key.substring(userPrefix.length);
+      }
+      return {
+        key,
+        lastModified: obj.LastModified?.toISOString() || "",
+        size: obj.Size || 0,
+      };
+    });

    return {
      objects,
@@ -251,15 +334,24 @@ export class SyncService implements OnModuleInit {

  async presignUploadBatch(
    dto: PresignUploadBatchRequestDto,
+    ctx: UserContext,
  ): Promise<PresignUploadBatchResponseDto> {
+    // Check profile limit for cloud users
+    if (ctx.mode === "cloud" && ctx.profileLimit > 0) {
+      await this.checkProfileLimit(ctx);
+    }
+
    const expiresIn = dto.expiresIn || 3600;
    const expiresAt = new Date(Date.now() + expiresIn * 1000);

    const items = await Promise.all(
      dto.items.map(async (item) => {
+        const key = this.scopeKey(ctx, item.key);
+        this.validateKeyAccess(ctx, key);
+
        const command = new PutCmd({
          Bucket: this.bucket,
-          Key: item.key,
+          Key: key,
          ContentType: item.contentType || "application/octet-stream",
        });

@@ -273,17 +365,29 @@ export class SyncService implements OnModuleInit {
      }),
    );

+    // Report profile usage if any key is under profiles/
+    if (
+      ctx.mode === "cloud" &&
+      dto.items.some((item) => item.key.startsWith("profiles/"))
+    ) {
+      this.reportProfileUsageAsync(ctx);
+    }
+
    return { items };
  }

  async presignDownloadBatch(
    dto: PresignDownloadBatchRequestDto,
+    ctx: UserContext,
  ): Promise<PresignDownloadBatchResponseDto> {
    const expiresIn = dto.expiresIn || 3600;
    const expiresAt = new Date(Date.now() + expiresIn * 1000);

    const items = await Promise.all(
-      dto.keys.map(async (key) => {
+      dto.keys.map(async (rawKey) => {
+        const key = this.scopeKey(ctx, rawKey);
+        this.validateKeyAccess(ctx, key);
+
        const command = new GetObjectCommand({
          Bucket: this.bucket,
          Key: key,
@@ -292,7 +396,7 @@ export class SyncService implements OnModuleInit {
        const url = await getSignedUrl(this.s3Client, command, { expiresIn });

        return {
-          key,
+          key: rawKey,
          url,
          expiresAt: expiresAt.toISOString(),
        };
@@ -304,7 +408,9 @@ export class SyncService implements OnModuleInit {

  async deletePrefix(
    dto: DeletePrefixRequestDto,
+    ctx: UserContext,
  ): Promise<DeletePrefixResponseDto> {
+    const prefix = this.scopeKey(ctx, dto.prefix);
    let deletedCount = 0;
    let tombstoneCreated = false;
    let continuationToken: string | undefined;
@@ -314,7 +420,7 @@ export class SyncService implements OnModuleInit {
      const listResponse = await this.s3Client.send(
        new ListObjectsV2Command({
          Bucket: this.bucket,
-          Prefix: dto.prefix,
+          Prefix: prefix,
          MaxKeys: 1000,
          ContinuationToken: continuationToken,
        }),
@@ -346,6 +452,7 @@ export class SyncService implements OnModuleInit {

    // Create tombstone if requested
    if (dto.tombstoneKey && deletedCount > 0) {
+      const scopedTombstoneKey = this.scopeKey(ctx, dto.tombstoneKey);
      const tombstoneData = JSON.stringify({
        prefix: dto.prefix,
        deleted_at: dto.deletedAt || new Date().toISOString(),
@@ -355,7 +462,7 @@ export class SyncService implements OnModuleInit {
      await this.s3Client.send(
        new PutObjectCommand({
          Bucket: this.bucket,
-          Key: dto.tombstoneKey,
+          Key: scopedTombstoneKey,
          Body: tombstoneData,
          ContentType: "application/json",
        }),
@@ -363,11 +470,32 @@ export class SyncService implements OnModuleInit {
      tombstoneCreated = true;
    }

+    // Report profile usage after prefix delete if prefix is under profiles/
+    if (ctx.mode === "cloud" && dto.prefix.startsWith("profiles/")) {
+      this.reportProfileUsageAsync(ctx);
+    }
+
    return { deletedCount, tombstoneCreated };
  }

-  subscribe(pollIntervalMs = 2000): Observable<SubscribeEventDto> {
-    const prefixes = ["profiles/", "proxies/", "groups/", "tombstones/"];
+  subscribe(
+    ctx: UserContext,
+    pollIntervalMs = 2000,
+  ): Observable<SubscribeEventDto> {
+    const basePrefixes = ["profiles/", "proxies/", "groups/", "tombstones/"];
+
+    let prefixes: string[];
+    if (ctx.mode === "self-hosted") {
+      prefixes = basePrefixes;
+    } else {
+      prefixes = basePrefixes.map((p) => `${ctx.prefix}${p}`);
+      if (ctx.teamPrefix) {
+        prefixes.push(...basePrefixes.map((p) => `${ctx.teamPrefix}${p}`));
+      }
+    }
+
+    // Per-connection state (not shared across subscribers)
+    let lastKnownState = new Map<string, string>();

    const pollChanges$ = interval(pollIntervalMs).pipe(
      startWith(0),
@@ -382,7 +510,7 @@ export class SyncService implements OnModuleInit {
              const stateKey = `${obj.key}:${obj.lastModified}`;
              currentState.set(obj.key, stateKey);

-              const previousStateKey = this.lastKnownState.get(obj.key);
+              const previousStateKey = lastKnownState.get(obj.key);
              if (previousStateKey !== stateKey) {
                events.push({
                  type: "change",
@@ -397,7 +525,7 @@ export class SyncService implements OnModuleInit {
          }
        }

-        for (const [key] of this.lastKnownState) {
+        for (const [key] of lastKnownState) {
          if (!currentState.has(key)) {
            events.push({
              type: "delete",
@@ -406,7 +534,7 @@ export class SyncService implements OnModuleInit {
          }
        }

-        this.lastKnownState = currentState;
+        lastKnownState = currentState;
        return events;
      }),
      switchMap((events) => of(...events)),
@@ -425,4 +553,283 @@ export class SyncService implements OnModuleInit {
  emitChange(event: SubscribeEventDto) {
    this.changeSubject.next(event);
  }
+
+  async cleanupExcessProfiles(
+    userId: string,
+    maxProfiles: number,
+  ): Promise<{ deletedProfiles: string[]; remaining: number }> {
+    const userPrefix = `users/${userId}/`;
+    const profilePrefix = `${userPrefix}profiles/`;
+
+    // List all profile directories
+    const profiles: { id: string; lastModified: Date }[] = [];
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+
+      if (result.CommonPrefixes) {
+        for (const cp of result.CommonPrefixes) {
+          if (!cp.Prefix) continue;
+          const profileId = cp.Prefix.replace(profilePrefix, "").replace(
+            /\/$/,
+            "",
+          );
+
+          // Get creation time from first object in the profile directory
+          const objects = await this.s3Client.send(
+            new ListObjectsV2Command({
+              Bucket: this.bucket,
+              Prefix: cp.Prefix,
+              MaxKeys: 1,
+            }),
+          );
+
+          const firstObj = objects.Contents?.[0];
+          profiles.push({
+            id: profileId,
+            lastModified: firstObj?.LastModified || new Date(0),
+          });
+        }
+      }
+
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    if (profiles.length <= maxProfiles) {
+      return { deletedProfiles: [], remaining: profiles.length };
+    }
+
+    // Sort newest first — delete newest excess profiles
+    profiles.sort(
+      (a, b) => b.lastModified.getTime() - a.lastModified.getTime(),
+    );
+
+    const excessCount = profiles.length - maxProfiles;
+    const toDelete = profiles.slice(0, excessCount);
+    const deletedProfiles: string[] = [];
+
+    for (const profile of toDelete) {
+      const prefix = `${profilePrefix}${profile.id}/`;
+
+      // Delete all objects under this profile
+      let delToken: string | undefined;
+      do {
+        const listResult = await this.s3Client.send(
+          new ListObjectsV2Command({
+            Bucket: this.bucket,
+            Prefix: prefix,
+            MaxKeys: 1000,
+            ContinuationToken: delToken,
+          }),
+        );
+
+        const objects = listResult.Contents || [];
+        if (objects.length > 0) {
+          const deleteObjects = objects
+            .filter((obj): obj is typeof obj & { Key: string } => !!obj.Key)
+            .map((obj) => ({ Key: obj.Key }));
+
+          if (deleteObjects.length > 0) {
+            await this.s3Client.send(
+              new DeleteObjectsCommand({
+                Bucket: this.bucket,
+                Delete: { Objects: deleteObjects, Quiet: true },
+              }),
+            );
+          }
+        }
+
+        delToken = listResult.NextContinuationToken;
+      } while (delToken);
+
+      // Create tombstone
+      const tombstoneKey = `${userPrefix}tombstones/profiles/${profile.id}`;
+      const tombstoneData = JSON.stringify({
+        prefix: `profiles/${profile.id}/`,
+        deleted_at: new Date().toISOString(),
+        reason: "excess_profile_cleanup",
+      });
+
+      await this.s3Client.send(
+        new PutObjectCommand({
+          Bucket: this.bucket,
+          Key: tombstoneKey,
+          Body: tombstoneData,
+          ContentType: "application/json",
+        }),
+      );
+
+      deletedProfiles.push(profile.id);
+      this.logger.log(
+        `Cleaned up excess profile ${profile.id} for user ${userId}`,
+      );
+    }
+
+    // Report updated profile usage to backend
+    const remaining = profiles.length - deletedProfiles.length;
+    await this.reportProfileUsage(userId, remaining).catch((err) =>
+      this.logger.warn(`Failed to report usage after cleanup: ${err.message}`),
+    );
+
+    return { deletedProfiles, remaining };
+  }
+
+  /**
+   * Check if the user has reached their profile limit.
+   * Counts objects in the profiles/ prefix.
+   */
+  private async checkProfileLimit(ctx: UserContext): Promise<void> {
+    if (ctx.profileLimit <= 0) return; // 0 = unlimited
+
+    let count = 0;
+
+    const userResult = await this.s3Client.send(
+      new ListObjectsV2Command({
+        Bucket: this.bucket,
+        Prefix: `${ctx.prefix}profiles/`,
+        Delimiter: "/",
+      }),
+    );
+    count += userResult.CommonPrefixes?.length || 0;
+
+    if (ctx.teamPrefix && ctx.teamProfileLimit && ctx.teamProfileLimit > 0) {
+      const teamResult = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: `${ctx.teamPrefix}profiles/`,
+          Delimiter: "/",
+        }),
+      );
+      const teamCount = teamResult.CommonPrefixes?.length || 0;
+      if (teamCount >= ctx.teamProfileLimit) {
+        throw new ForbiddenException(
+          `Team profile limit reached (${ctx.teamProfileLimit}). Ask the team owner to upgrade.`,
+        );
+      }
+    }
+
+    if (count >= ctx.profileLimit) {
+      throw new ForbiddenException(
+        `Profile limit reached (${ctx.profileLimit}). Upgrade your plan for more profiles.`,
+      );
+    }
+  }
+
+  /**
+   * Count the number of distinct profile directories for a user.
+   */
+  private async countProfiles(ctx: UserContext): Promise<number> {
+    const profilePrefix = `${ctx.prefix}profiles/`;
+    let count = 0;
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+      count += result.CommonPrefixes?.length || 0;
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    return count;
+  }
+
+  /**
+   * Extract user ID from context prefix (e.g. "users/abc-123/" → "abc-123").
+   */
+  private extractUserId(ctx: UserContext): string | null {
+    const match = ctx.prefix.match(/^users\/([^/]+)\/$/);
+    return match ? match[1] : null;
+  }
+
+  private async countTeamProfiles(ctx: UserContext): Promise<number> {
+    if (!ctx.teamPrefix) return 0;
+    const profilePrefix = `${ctx.teamPrefix}profiles/`;
+    let count = 0;
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+      count += result.CommonPrefixes?.length || 0;
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    return count;
+  }
+
+  private extractTeamId(ctx: UserContext): string | null {
+    if (!ctx.teamPrefix) return null;
+    const match = ctx.teamPrefix.match(/^teams\/([^/]+)\/$/);
+    return match ? match[1] : null;
+  }
+
+  /**
+   * Fire-and-forget: count profiles and report to backend.
+   */
+  private reportProfileUsageAsync(ctx: UserContext): void {
+    if (!this.backendInternalUrl || !this.backendInternalKey) return;
+
+    const userId = this.extractUserId(ctx);
+    if (!userId) return;
+
+    this.countProfiles(ctx)
+      .then(async (count) => {
+        await this.reportProfileUsage(userId, count);
+
+        if (ctx.teamPrefix) {
+          const teamCount = await this.countTeamProfiles(ctx);
+          const teamId = this.extractTeamId(ctx);
+          if (teamId) {
+            await this.reportProfileUsage(teamId, teamCount);
+          }
+        }
+      })
+      .catch((err) =>
+        this.logger.warn(`Failed to report profile usage: ${err.message}`),
+      );
+  }
+
+  private async reportProfileUsage(
+    userId: string,
+    count: number,
+  ): Promise<void> {
+    const url = `${this.backendInternalUrl}/api/auth/internal/profile-usage`;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-internal-key": this.backendInternalKey ?? "undefined",
+      },
+      body: JSON.stringify({ userId, count }),
+    });
+
+    if (!response.ok) {
+      this.logger.warn(
+        `Profile usage report failed: ${response.status} ${response.statusText}`,
+      );
+    }
+  }
 }
@@ -2,7 +2,7 @@
  "name": "donutbrowser",
  "private": true,
  "license": "AGPL-3.0",
-  "version": "0.13.9",
+  "version": "0.17.1",
  "type": "module",
  "scripts": {
    "dev": "next dev --turbopack -p 12341",
@@ -12,9 +12,10 @@
    "test:rust": "cd src-tauri && cargo test",
    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration",
    "test:sync-e2e": "node scripts/sync-test-harness.mjs",
-    "lint": "pnpm lint:js && pnpm lint:rust",
+    "lint": "pnpm lint:js && pnpm lint:rust && pnpm lint:spell",
    "lint:js": "biome check src/ && tsc --noEmit && cd donut-sync && biome check src/ && tsc --noEmit",
    "lint:rust": "cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all && cargo fmt --all",
+    "lint:spell": "typos .",
    "tauri": "tauri",
    "shadcn:add": "pnpm dlx shadcn@latest add",
    "prepare": "husky && husky install",
@@ -25,7 +26,7 @@
    "cargo": "cd src-tauri && cargo",
    "unused-exports:js": "ts-unused-exports tsconfig.json",
    "check-unused-commands": "cd src-tauri && cargo test test_no_unused_tauri_commands",
-    "copy-proxy-binary": "cd src-tauri && bash copy-proxy-binary.sh",
+    "copy-proxy-binary": "node src-tauri/copy-proxy-binary.mjs",
    "prebuild": "pnpm copy-proxy-binary",
    "pretauri:dev": "pnpm copy-proxy-binary",
    "precargo": "pnpm copy-proxy-binary"
@@ -44,8 +45,8 @@
    "@radix-ui/react-tabs": "^1.1.13",
    "@radix-ui/react-tooltip": "^1.2.8",
    "@tanstack/react-table": "^8.21.3",
-    "@tauri-apps/api": "^2.9.1",
-    "@tauri-apps/plugin-deep-link": "^2.4.6",
+    "@tauri-apps/api": "~2.10.1",
+    "@tauri-apps/plugin-deep-link": "^2.4.7",
    "@tauri-apps/plugin-dialog": "^2.6.0",
    "@tauri-apps/plugin-fs": "~2.4.5",
    "@tauri-apps/plugin-log": "^2.8.0",
@@ -56,44 +57,49 @@
    "cmdk": "^1.1.1",
    "color": "^5.0.3",
    "flag-icons": "^7.5.0",
-    "lucide-react": "^0.562.0",
-    "motion": "^12.26.2",
-    "next": "^16.1.3",
+    "i18next": "^25.8.18",
+    "lucide-react": "^0.577.0",
+    "motion": "^12.36.0",
+    "next": "^16.1.6",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
-    "react": "^19.2.3",
-    "react-dom": "^19.2.3",
-    "react-icons": "^5.5.0",
-    "recharts": "3.6.0",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "react-i18next": "^16.5.8",
+    "react-icons": "^5.6.0",
+    "recharts": "3.8.0",
    "sonner": "^2.0.7",
-    "tailwind-merge": "^3.4.0",
+    "tailwind-merge": "^3.5.0",
    "tauri-plugin-macos-permissions-api": "^2.3.0"
  },
  "devDependencies": {
-    "@biomejs/biome": "2.3.11",
-    "@tailwindcss/postcss": "^4.1.18",
-    "@tauri-apps/cli": "^2.9.6",
+    "@biomejs/biome": "2.4.7",
+    "@tailwindcss/postcss": "^4.2.1",
+    "@tauri-apps/cli": "~2.10.1",
    "@types/color": "^4.2.0",
-    "@types/node": "^25.0.9",
-    "@types/react": "^19.2.8",
+    "@types/node": "^25.5.0",
+    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.2",
+    "@vitejs/plugin-react": "^6.0.1",
    "husky": "^9.1.7",
-    "lint-staged": "^16.2.7",
-    "tailwindcss": "^4.1.18",
+    "lint-staged": "^16.3.4",
+    "tailwindcss": "^4.2.1",
    "ts-unused-exports": "^11.0.1",
    "tw-animate-css": "^1.4.0",
    "typescript": "~5.9.3"
  },
-  "packageManager": "pnpm@10.14.0+sha512.ad27a79641b49c3e481a16a805baa71817a04bbe06a38d17e60e2eaee83f6a146c6a688125f5792e48dd5ba30e7da52a5cda4c3992b9ccf333f9ce223af84748",
+  "packageManager": "pnpm@10.30.1",
  "lint-staged": {
    "**/*.{js,jsx,ts,tsx,json,css}": [
      "biome check --fix"
    ],
    "src-tauri/**/*.rs": [
-      "cd src-tauri && cargo fmt --all",
-      "cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all",
-      "cd src-tauri && cargo test"
+      "bash -c 'cd src-tauri && cargo fmt --all'",
+      "bash -c 'cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all'",
+      "bash -c 'cd src-tauri && cargo test --lib'"
+    ],
+    "**/*.{rs,ts,tsx,js,jsx,md}": [
+      "typos"
    ]
  }
 }
@@ -79,13 +79,16 @@ function getMinioUrl() {
      return "https://dl.min.io/server/minio/release/linux-arm64/minio";
    }
    return "https://dl.min.io/server/minio/release/linux-amd64/minio";
+  } else if (platform === "win32") {
+    return "https://dl.min.io/server/minio/release/windows-amd64/minio.exe";
  }

  throw new Error(`Unsupported platform: ${platform}-${arch}`);
 }

 async function ensureMinioBinary() {
-  const minioBin = path.join(CACHE_DIR, "minio");
+  const isWindows = os.platform() === "win32";
+  const minioBin = path.join(CACHE_DIR, isWindows ? "minio.exe" : "minio");

  if (existsSync(minioBin)) {
    log("MinIO binary already cached");
@@ -97,7 +100,9 @@ async function ensureMinioBinary() {

  const url = getMinioUrl();
  await downloadFile(url, minioBin);
-  chmodSync(minioBin, 0o755);
+  if (!isWindows) {
+    chmodSync(minioBin, 0o755);
+  }

  log("MinIO binary downloaded");
  return minioBin;
@@ -247,7 +252,16 @@ function cleanup() {

  for (const proc of processes) {
    try {
-      proc.kill("SIGTERM");
+      if (os.platform() === "win32") {
+        // On Windows, SIGTERM is not supported; use taskkill for reliable cleanup
+        try {
+          execSync(`taskkill /F /T /PID ${proc.pid}`, { stdio: "ignore" });
+        } catch {
+          // Process may already be dead
+        }
+      } else {
+        proc.kill("SIGTERM");
+      }
    } catch {
      // Already dead
    }
@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.13.9"
+version = "0.17.1"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"
@@ -30,6 +30,7 @@ path = "src/bin/donut_daemon.rs"

 [build-dependencies]
 tauri-build = { version = "2", features = [] }
+resvg = "0.47"

 [dependencies]
 serde_json = "1"
@@ -39,6 +40,7 @@ tauri-plugin-opener = "2"
 tauri-plugin-fs = "2"
 tauri-plugin-shell = "2"
 tauri-plugin-deep-link = "2"
+tauri-plugin-single-instance = "2"
 tauri-plugin-dialog = "2"
 tauri-plugin-macos-permissions = "2"
 tauri-plugin-log = "2"
@@ -46,22 +48,23 @@ log = "0.4"
 env_logger = "0.11"

 directories = "6"
-reqwest = { version = "0.13", features = ["json", "stream", "socks"] }
+reqwest = { version = "0.13", default-features = false, features = ["native-tls", "json", "stream", "socks", "charset", "http2", "system-proxy"] }
 tokio = { version = "1", features = ["full", "sync"] }
-sysinfo = "0.37"
-lazy_static = "1.4"
+tokio-util = "0.7"
+sysinfo = "0.38"
+lazy_static = "1.5"
 base64 = "0.22"
 libc = "0.2"
 async-trait = "0.1"
 futures-util = "0.3"
-zip = "7"
+zip = { version = "8", default-features = false, features = ["deflate-flate2"] }
 tar = "0"
 bzip2 = "0"
 flate2 = "1"
 lzma-rs = "0"
 msi-extract = "0"

-uuid = { version = "1.19", features = ["v4", "serde"] }
+uuid = { version = "1.20", features = ["v4", "serde"] }
 url = "2.5"
 blake3 = "1"
 globset = "0.4"
@@ -69,14 +72,19 @@ mime_guess = "2"
 once_cell = "1"
 urlencoding = "2.1"
 chrono = { version = "0.4", features = ["serde"] }
+chrono-tz = "0.10"
 axum = { version = "0.8.8", features = ["ws"] }
 tower = "0.5"
 tower-http = { version = "0.6", features = ["cors"] }
-rand = "0.9.2"
+rand = "0.10.0"
 utoipa = { version = "5", features = ["axum_extras", "chrono"] }
 utoipa-axum = "0.2"
 argon2 = "0.5"
 aes-gcm = "0.10"
+aes = "0.8"
+cbc = "0.1"
+pbkdf2 = "0.12"
+sha1 = "0.10"
 hyper = { version = "1.8", features = ["full"] }
 hyper-util = { version = "0.1", features = ["full"] }
 http-body-util = "0.1"
@@ -88,36 +96,37 @@ playwright = { git = "https://github.com/sctg-development/playwright-rust", bran

 # Wayfern CDP integration
 tokio-tungstenite = { version = "0.28", features = ["native-tls"] }
-rusqlite = { version = "0.38", features = ["bundled"] }
+rusqlite = { version = "0.39", features = ["bundled"] }
 serde_yaml = "0.9"
 thiserror = "2.0"
 regex-lite = "0.1"
 tempfile = "3"
 maxminddb = "0.27"
-quick-xml = { version = "0.38", features = ["serialize"] }
+quick-xml = { version = "0.39", features = ["serialize"] }
+
+# VPN support
+boringtun = "0.7"
+smoltcp = { version = "0.12", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }

 # Daemon dependencies (tray icon)
 tray-icon = "0.21"
 muda = "0.17"
 tao = "0.34"
-single-instance = "0.3"
 image = "0.25"
 dirs = "6"
 crossbeam-channel = "0.5"
-
-[target."cfg(any(target_os = \"macos\", windows, target_os = \"linux\"))".dependencies]
-tauri-plugin-single-instance = { version = "2", features = ["deep-link"] }
+sys-locale = "0.3"

 [target.'cfg(unix)'.dependencies]
-nix = { version = "0.30", features = ["signal", "process"] }
+nix = { version = "0.31", features = ["signal", "process"] }

 [target.'cfg(target_os = "macos")'.dependencies]
 core-foundation = "0.10"
-objc2 = "0.6.1"
-objc2-app-kit = { version = "0.3.1", features = ["NSWindow", "NSApplication", "NSRunningApplication"] }
+objc2 = "0.6.3"
+objc2-app-kit = { version = "0.3.2", features = ["NSWindow", "NSApplication", "NSRunningApplication"] }

 [target.'cfg(target_os = "windows")'.dependencies]
-winreg = "0.55"
+winreg = "0.56"
 windows = { version = "0.62", features = [
  "Win32_Foundation",
  "Win32_System_ProcessStatus",
@@ -151,6 +160,10 @@ path = "tests/donut_proxy_integration.rs"
 name = "sync_e2e"
 path = "tests/sync_e2e.rs"

+[[test]]
+name = "vpn_integration"
+path = "tests/vpn_integration.rs"
+
 [profile.dev]
 codegen-units = 256
 incremental = true
@@ -14,6 +14,8 @@
 	<string>Donut</string>
 	<key>CFBundleIdentifier</key>
 	<string>com.donutbrowser</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
    <key>CFBundleURLName</key>
    <string>com.donutbrowser</string>
 	<key>CFBundleExecutable</key>
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+  <dependency>
+    <dependentAssembly>
+      <assemblyIdentity
+        type="win32"
+        name="Microsoft.Windows.Common-Controls"
+        version="6.0.0.0"
+        processorArchitecture="*"
+        publicKeyToken="6595b64144ccf1df"
+        language="*"
+      />
+    </dependentAssembly>
+  </dependency>
+</assembly>
@@ -0,0 +1,2 @@
+#include <winuser.h>
+1 RT_MANIFEST "app.manifest"
@@ -5,6 +5,9 @@ fn main() {
  // This allows running cargo test without building the frontend first
  ensure_dist_folder_exists();

+  // Generate tray icon PNGs from SVG (macOS template icon format)
+  generate_tray_icons();
+
  #[cfg(target_os = "macos")]
  {
    println!("cargo:rustc-link-lib=framework=CoreFoundation");
@@ -53,9 +56,23 @@ fn main() {
  // Only run tauri_build if all external binaries exist
  // This allows building donut-proxy sidecar without the other binaries present
  if external_binaries_exist() {
-    tauri_build::build()
+    tauri_build::build();
+
+    // tauri_build embeds the manifest for bin targets only (cargo:rustc-link-arg-bins).
+    // Test binaries (including `cargo test --lib`) also need the comctl32 v6 manifest
+    // or they crash with STATUS_ENTRYPOINT_NOT_FOUND (0xc0000139). We embed the
+    // manifest for all targets, then suppress the duplicate for bins with /MANIFEST:NO
+    // (tauri_build's resource-embedded manifest still takes effect for bins).
+    #[cfg(target_os = "windows")]
+    {
+      embed_windows_manifest();
+      println!("cargo:rustc-link-arg-bins=/MANIFEST:NO");
+    }
  } else {
    println!("cargo:warning=Skipping tauri_build: external binaries not found. This is expected when building sidecar binaries.");
+
+    #[cfg(target_os = "windows")]
+    embed_windows_manifest();
  }
 }

@@ -113,3 +130,92 @@ fn ensure_dist_folder_exists() {

  println!("cargo:rerun-if-changed=../dist");
 }
+
+#[cfg(target_os = "windows")]
+fn embed_windows_manifest() {
+  use std::path::PathBuf;
+
+  let manifest_dir = std::env::var("CARGO_MANIFEST_DIR").unwrap();
+  let manifest_path = PathBuf::from(&manifest_dir).join("app.manifest");
+
+  if !manifest_path.exists() {
+    println!("cargo:warning=app.manifest not found, skipping manifest embedding");
+    return;
+  }
+
+  // Use the path directly (avoid canonicalize which adds \\?\ prefix that mt.exe rejects)
+  let manifest_str = manifest_path.to_str().unwrap().replace('/', "\\");
+  println!("cargo:rustc-link-arg=/MANIFEST:EMBED");
+  println!("cargo:rustc-link-arg=/MANIFESTINPUT:{manifest_str}");
+  println!("cargo:rerun-if-changed=app.manifest");
+}
+
+fn generate_tray_icons() {
+  use resvg::tiny_skia::{Pixmap, Transform};
+  use resvg::usvg::{Options, Tree};
+  use std::fs;
+  use std::path::PathBuf;
+
+  let manifest_dir = std::env::var("CARGO_MANIFEST_DIR").unwrap();
+  let icons_dir = PathBuf::from(&manifest_dir).join("icons");
+  let svg_path = icons_dir.join("tray-icon.svg");
+
+  println!("cargo:rerun-if-changed=icons/tray-icon.svg");
+
+  if !svg_path.exists() {
+    println!("cargo:warning=tray-icon.svg not found, skipping tray icon generation");
+    return;
+  }
+
+  let svg_data = fs::read(&svg_path).expect("Failed to read tray-icon.svg");
+  let tree = Tree::from_data(&svg_data, &Options::default()).expect("Failed to parse SVG");
+
+  // Generate template icons at different sizes for macOS menu bar
+  // 22x22 is standard, 44x44 is retina (@2x)
+  let sizes = [(22, "tray-icon-22.png"), (44, "tray-icon-44.png")];
+
+  for (size, filename) in sizes {
+    let mut pixmap = Pixmap::new(size, size).expect("Failed to create pixmap");
+
+    let svg_size = tree.size();
+    let scale = size as f32 / svg_size.width().max(svg_size.height());
+    let transform = Transform::from_scale(scale, scale);
+
+    resvg::render(&tree, transform, &mut pixmap.as_mut());
+
+    // Convert to template icon format: black silhouette with alpha channel
+    // macOS will automatically handle light/dark mode by inverting the icon
+    // For template icons: RGB should be 0,0,0 (black) and alpha controls visibility
+    let data = pixmap.data_mut();
+    for pixel in data.chunks_exact_mut(4) {
+      // Keep the original alpha (shows where icon content is)
+      // but make the color black for template icon format
+      pixel[0] = 0; // R
+      pixel[1] = 0; // G
+      pixel[2] = 0; // B
+                    // pixel[3] (alpha) stays as-is
+    }
+
+    let output_path = icons_dir.join(filename);
+    pixmap
+      .save_png(&output_path)
+      .expect("Failed to save tray icon PNG");
+  }
+
+  // Generate a full-color icon for Windows tray (no template conversion)
+  {
+    let size = 44u32;
+    let mut pixmap = Pixmap::new(size, size).expect("Failed to create pixmap");
+
+    let svg_size = tree.size();
+    let scale = size as f32 / svg_size.width().max(svg_size.height());
+    let transform = Transform::from_scale(scale, scale);
+
+    resvg::render(&tree, transform, &mut pixmap.as_mut());
+
+    let output_path = icons_dir.join("tray-icon-win-44.png");
+    pixmap
+      .save_png(&output_path)
+      .expect("Failed to save Windows tray icon PNG");
+  }
+}
@@ -34,6 +34,8 @@
    "deep-link:allow-get-current",
    "dialog:default",
    "dialog:allow-open",
+    "dialog:allow-save",
+    "fs:allow-write-text-file",
    "macos-permissions:default",
    "macos-permissions:allow-request-microphone-permission",
    "macos-permissions:allow-request-camera-permission",
@@ -0,0 +1,80 @@
+import { execSync, execFileSync } from "node:child_process";
+import { copyFileSync, existsSync, mkdirSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const MANIFEST_DIR = dirname(fileURLToPath(import.meta.url));
+const PROFILE = process.env.PROFILE || "debug";
+
+function getTarget() {
+  if (process.env.TARGET) return process.env.TARGET;
+  try {
+    const output = execSync("rustc -vV", { encoding: "utf-8" });
+    const match = output.match(/host:\s*(.+)/);
+    if (match) return match[1].trim();
+  } catch {}
+  return "unknown";
+}
+
+function getHostTarget() {
+  try {
+    const output = execSync("rustc -vV", { encoding: "utf-8" });
+    const match = output.match(/host:\s*(.+)/);
+    if (match) return match[1].trim();
+  } catch {}
+  return "unknown";
+}
+
+const TARGET = getTarget();
+const HOST_TARGET = getHostTarget();
+const isWindows = TARGET.includes("windows");
+
+// Determine source directory
+let srcDir;
+if (TARGET === HOST_TARGET || TARGET === "unknown") {
+  srcDir = join(MANIFEST_DIR, "target", PROFILE === "release" ? "release" : "debug");
+} else {
+  srcDir = join(MANIFEST_DIR, "target", TARGET, PROFILE === "release" ? "release" : "debug");
+}
+
+const destDir = join(MANIFEST_DIR, "binaries");
+mkdirSync(destDir, { recursive: true });
+
+function copyBinary(baseName) {
+  const binName = isWindows ? `${baseName}.exe` : baseName;
+  const source = join(srcDir, binName);
+
+  let destName = `${baseName}-${TARGET}`;
+  if (isWindows) destName += ".exe";
+  const dest = join(destDir, destName);
+
+  if (existsSync(source)) {
+    copyFileSync(source, dest);
+    console.log(`Copied ${binName} to ${dest}`);
+  } else {
+    console.log(`Warning: Binary not found at ${source}`);
+    console.log(`Building ${baseName} binary...`);
+
+    const buildArgs = ["build", "--bin", baseName];
+    if (PROFILE === "release") buildArgs.push("--release");
+    if (TARGET !== "unknown" && TARGET !== HOST_TARGET) {
+      buildArgs.push("--target", TARGET);
+    }
+
+    execFileSync("cargo", buildArgs, {
+      cwd: MANIFEST_DIR,
+      stdio: "inherit",
+    });
+
+    if (existsSync(source)) {
+      copyFileSync(source, dest);
+      console.log(`Built and copied ${binName} to ${dest}`);
+    } else {
+      console.error(`Error: Failed to build ${baseName} binary`);
+      process.exit(1);
+    }
+  }
+}
+
+copyBinary("donut-proxy");
+copyBinary("donut-daemon");
@@ -1,6 +1,32 @@
 #!/bin/bash
 set -e

+# Ensure cargo/rustc are on PATH (pnpm's bash on Windows may not inherit it)
+if ! command -v cargo &>/dev/null; then
+  # Try standard cargo locations
+  for cargo_dir in \
+    "$HOME/.cargo/bin" \
+    "/c/Users/$USER/.cargo/bin" \
+    "/mnt/c/Users/$USER/.cargo/bin"; do
+    if [[ -d "$cargo_dir" ]] && [[ -e "$cargo_dir/cargo" || -e "$cargo_dir/cargo.exe" ]]; then
+      export PATH="$cargo_dir:$PATH"
+      break
+    fi
+  done
+  # Try USERPROFILE (Windows env var with backslashes)
+  if ! command -v cargo &>/dev/null && [[ -n "$USERPROFILE" ]]; then
+    CARGO_DIR="$(cd "$USERPROFILE/.cargo/bin" 2>/dev/null && pwd)"
+    if [[ -n "$CARGO_DIR" ]]; then
+      export PATH="$CARGO_DIR:$PATH"
+    fi
+  fi
+  if ! command -v cargo &>/dev/null; then
+    echo "Error: cargo not found. Please ensure Rust is installed and cargo is on your PATH."
+    echo "  Install Rust: https://rustup.rs"
+    exit 1
+  fi
+fi
+
 # Get the target triple from environment or use default
 TARGET="${TARGET:-$(rustc -vV 2>/dev/null | sed -n 's|host: ||p' || echo "unknown")}"
 MANIFEST_DIR="$(dirname "$0")"
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
@@ -13,6 +12,7 @@ pub struct VersionComponent {
  pub major: u32,
  pub minor: u32,
  pub patch: u32,
+  pub build: u32,
  pub pre_release: Option<PreRelease>,
 }

@@ -48,6 +48,7 @@ impl VersionComponent {
        major: 999, // High major version to indicate it's a rolling release
        minor: 0,
        patch: 0,
+        build: 0,
        pre_release: Some(PreRelease {
          kind: PreReleaseKind::Alpha,
          number: Some(999), // High number to indicate it's a rolling release
@@ -67,6 +68,7 @@ impl VersionComponent {
    let major = parts.first().copied().unwrap_or(0);
    let minor = parts.get(1).copied().unwrap_or(0);
    let patch = parts.get(2).copied().unwrap_or(0);
+    let build = parts.get(3).copied().unwrap_or(0);

    // Parse pre-release part
    let pre_release = pre_release_part
@@ -77,6 +79,7 @@ impl VersionComponent {
      major,
      minor,
      patch,
+      build,
      pre_release,
    }
  }
@@ -174,7 +177,12 @@ impl Ord for VersionComponent {
    match (self_is_twilight, other_is_twilight) {
      (true, true) => {
        // Both are twilight, compare by base version
-        return (self.major, self.minor, self.patch).cmp(&(other.major, other.minor, other.patch));
+        return (self.major, self.minor, self.patch, self.build).cmp(&(
+          other.major,
+          other.minor,
+          other.patch,
+          other.build,
+        ));
      }
      (false, false) => {
        // Neither is twilight, continue with normal comparison
@@ -182,8 +190,13 @@ impl Ord for VersionComponent {
      _ => unreachable!(), // Already handled above
    }

-    // Compare major.minor.patch first
-    match (self.major, self.minor, self.patch).cmp(&(other.major, other.minor, other.patch)) {
+    // Compare major.minor.patch.build first
+    match (self.major, self.minor, self.patch, self.build).cmp(&(
+      other.major,
+      other.minor,
+      other.patch,
+      other.build,
+    )) {
      Ordering::Equal => {
        // If numeric parts are equal, compare pre-release
        match (&self.pre_release, &other.pre_release) {
@@ -334,7 +347,7 @@ pub struct BrowserRelease {
  pub is_prerelease: bool,
 }

-/// Wayfern version info from https://download.wayfern.com/version.json
+/// Wayfern version info from https://donutbrowser.com/wayfern.json
 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct WayfernVersionInfo {
  pub version: String,
@@ -464,13 +477,7 @@ impl ApiClient {
  }

  fn get_cache_dir() -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    let base_dirs = BaseDirs::new().ok_or("Failed to get base directories")?;
-    let app_name = if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    };
-    let cache_dir = base_dirs.cache_dir().join(app_name).join("version_cache");
+    let cache_dir = crate::app_dirs::cache_dir().join("version_cache");
    fs::create_dir_all(&cache_dir)?;
    Ok(cache_dir)
  }
@@ -1115,7 +1122,7 @@ impl ApiClient {
    Ok(())
  }

-  /// Fetch Wayfern version info from https://download.wayfern.com/version.json
+  /// Fetch Wayfern version info from https://donutbrowser.com/wayfern.json
  pub async fn fetch_wayfern_version_with_caching(
    &self,
    no_caching: bool,
@@ -1128,21 +1135,50 @@ impl ApiClient {
      }
    }

-    log::info!("Fetching Wayfern version from https://download.wayfern.com/version.json");
-    let url = "https://download.wayfern.com/version.json";
+    log::info!("Fetching Wayfern version from https://donutbrowser.com/wayfern.json");
+    let url = "https://donutbrowser.com/wayfern.json";

-    let response = self
-      .client
-      .get(url)
-      .header("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36")
-      .send()
-      .await?;
+    let mut last_err = None;
+    let mut version_info: Option<WayfernVersionInfo> = None;

-    if !response.status().is_success() {
-      return Err(format!("Failed to fetch Wayfern version: {}", response.status()).into());
+    for attempt in 1..=3 {
+      match self
+        .client
+        .get(url)
+        .header("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36")
+        .send()
+        .await
+      {
+        Ok(response) => {
+          if !response.status().is_success() {
+            last_err = Some(format!("HTTP {}", response.status()));
+          } else {
+            match response.json::<WayfernVersionInfo>().await {
+              Ok(info) => {
+                version_info = Some(info);
+                break;
+              }
+              Err(e) => last_err = Some(format!("Failed to parse response: {e}")),
+            }
+          }
+        }
+        Err(e) => {
+          log::warn!("Wayfern fetch attempt {attempt}/3 failed: {e}");
+          last_err = Some(e.to_string());
+        }
+      }
+
+      if attempt < 3 {
+        tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
+      }
    }

-    let version_info: WayfernVersionInfo = response.json().await?;
+    let version_info = version_info.ok_or_else(|| {
+      format!(
+        "Failed to fetch Wayfern version after 3 attempts: {}",
+        last_err.unwrap_or_default()
+      )
+    })?;
    log::info!("Fetched Wayfern version: {}", version_info.version);

    // Cache the results (unless bypassing cache)
@@ -39,6 +39,7 @@ pub struct ApiProfile {
  pub group_id: Option<String>,
  pub tags: Vec<String>,
  pub is_running: bool,
+  pub proxy_bypass_rules: Vec<String>,
 }

 #[derive(Debug, Serialize, Deserialize, ToSchema)]
@@ -78,6 +79,8 @@ pub struct UpdateProfileRequest {
  pub camoufox_config: Option<serde_json::Value>,
  pub group_id: Option<String>,
  pub tags: Option<Vec<String>>,
+  pub extension_group_id: Option<String>,
+  pub proxy_bypass_rules: Option<Vec<String>>,
 }

 #[derive(Clone)]
@@ -108,13 +111,17 @@ struct ApiProxyResponse {
  name: String,
  #[schema(value_type = Object)]
  proxy_settings: ProxySettings,
+  dynamic_proxy_url: Option<String>,
+  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
 struct CreateProxyRequest {
  name: String,
  #[schema(value_type = Object)]
-  proxy_settings: ProxySettings,
+  proxy_settings: Option<ProxySettings>,
+  dynamic_proxy_url: Option<String>,
+  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
@@ -122,6 +129,8 @@ struct UpdateProxyRequest {
  name: Option<String>,
  #[schema(value_type = Object)]
  proxy_settings: Option<ProxySettings>,
+  dynamic_proxy_url: Option<String>,
+  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
@@ -295,30 +304,24 @@ impl ApiServer {

    // Create router with OpenAPI documentation
    let (v1_routes, _) = OpenApiRouter::new()
-      .routes(routes!(
-        get_profiles,
-        create_profile,
-        get_profile,
-        update_profile,
-        delete_profile,
-        run_profile,
-        open_url_in_profile,
-        kill_profile,
-        get_groups,
-        create_group,
-        get_group,
-        update_group,
-        delete_group,
-        get_tags,
-        get_proxies,
-        create_proxy,
-        get_proxy,
-        update_proxy,
-        delete_proxy,
-        download_browser_api,
-        get_browser_versions,
-        check_browser_downloaded,
-      ))
+      .routes(routes!(get_profiles, create_profile))
+      .routes(routes!(get_profile, update_profile, delete_profile))
+      .routes(routes!(run_profile))
+      .routes(routes!(open_url_in_profile))
+      .routes(routes!(kill_profile))
+      .routes(routes!(get_groups, create_group))
+      .routes(routes!(get_group, update_group, delete_group))
+      .routes(routes!(get_tags))
+      .routes(routes!(get_proxies, create_proxy))
+      .routes(routes!(get_proxy, update_proxy, delete_proxy))
+      .routes(routes!(get_extensions))
+      .routes(routes!(delete_extension_api))
+      .routes(routes!(get_extension_groups))
+      .routes(routes!(delete_extension_group_api))
+      .routes(routes!(download_browser_api))
+      .routes(routes!(get_browser_versions))
+      .routes(routes!(check_browser_downloaded))
+      .routes(routes!(get_wayfern_token, refresh_wayfern_token))
      .split_for_parts();

    let api = ApiDoc::openapi();
@@ -337,7 +340,7 @@ impl ApiServer {
      .with_state(ws_state);

    let app = Router::new()
-      .nest("/v1", v1_routes)
+      .merge(v1_routes)
      .nest("/ws", ws_routes)
      .route("/openapi.json", get(move || async move { Json(api) }))
      .layer(CorsLayer::permissive())
@@ -493,6 +496,7 @@ async fn get_profiles() -> Result<Json<ApiProfilesResponse>, StatusCode> {
          group_id: profile.group_id.clone(),
          tags: profile.tags.clone(),
          is_running: profile.process_id.is_some(), // Simple check based on process_id
+          proxy_bypass_rules: profile.proxy_bypass_rules.clone(),
        })
        .collect();

@@ -547,6 +551,7 @@ async fn get_profile(
            group_id: profile.group_id.clone(),
            tags: profile.tags.clone(),
            is_running: profile.process_id.is_some(), // Simple check based on process_id
+            proxy_bypass_rules: profile.proxy_bypass_rules.clone(),
          },
        }))
      } else {
@@ -601,9 +606,11 @@ async fn create_profile(
      &request.version,
      request.release_type.as_deref().unwrap_or("stable"),
      request.proxy_id.clone(),
+      None, // vpn_id
      camoufox_config,
      wayfern_config,
      request.group_id.clone(),
+      false,
    )
    .await
  {
@@ -643,6 +650,7 @@ async fn create_profile(
          group_id: profile.group_id,
          tags: profile.tags,
          is_running: false,
+          proxy_bypass_rules: profile.proxy_bypass_rules,
        },
      }))
    }
@@ -746,6 +754,29 @@ async fn update_profile(
    }
  }

+  if let Some(extension_group_id) = request.extension_group_id {
+    let ext_group = if extension_group_id.is_empty() {
+      None
+    } else {
+      Some(extension_group_id)
+    };
+    if profile_manager
+      .update_profile_extension_group(&id, ext_group)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
+  if let Some(proxy_bypass_rules) = request.proxy_bypass_rules {
+    if profile_manager
+      .update_profile_proxy_bypass_rules(&state.app_handle, &id, proxy_bypass_rules)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
  // Return updated profile
  get_profile(Path(id), State(state)).await
 }
@@ -1003,6 +1034,8 @@ async fn get_proxies(
      .map(|p| ApiProxyResponse {
        id: p.id,
        name: p.name,
+        dynamic_proxy_url: p.dynamic_proxy_url,
+        dynamic_proxy_format: p.dynamic_proxy_format,
        proxy_settings: p.proxy_settings,
      })
      .collect(),
@@ -1036,6 +1069,8 @@ async fn get_proxy(
      id: proxy.id,
      name: proxy.name,
      proxy_settings: proxy.proxy_settings,
+      dynamic_proxy_url: proxy.dynamic_proxy_url,
+      dynamic_proxy_format: proxy.dynamic_proxy_format,
    }))
  } else {
    Err(StatusCode::NOT_FOUND)
@@ -1061,14 +1096,27 @@ async fn create_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<CreateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  match PROXY_MANAGER.create_stored_proxy(
-    &state.app_handle,
-    request.name.clone(),
-    request.proxy_settings,
-  ) {
+  let result = if let (Some(url), Some(format)) =
+    (&request.dynamic_proxy_url, &request.dynamic_proxy_format)
+  {
+    PROXY_MANAGER.create_dynamic_proxy(
+      &state.app_handle,
+      request.name.clone(),
+      url.clone(),
+      format.clone(),
+    )
+  } else if let Some(settings) = request.proxy_settings {
+    PROXY_MANAGER.create_stored_proxy(&state.app_handle, request.name.clone(), settings)
+  } else {
+    return Err(StatusCode::BAD_REQUEST);
+  };
+
+  match result {
    Ok(proxy) => Ok(Json(ApiProxyResponse {
      id: proxy.id,
      name: proxy.name,
+      dynamic_proxy_url: proxy.dynamic_proxy_url,
+      dynamic_proxy_format: proxy.dynamic_proxy_format,
      proxy_settings: proxy.proxy_settings,
    })),
    Err(_) => Err(StatusCode::BAD_REQUEST),
@@ -1099,28 +1147,29 @@ async fn update_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<UpdateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  let proxies = PROXY_MANAGER.get_stored_proxies();
-  if let Some(proxy) = proxies.into_iter().find(|p| p.id == id) {
-    let new_name = request.name.unwrap_or(proxy.name.clone());
-    let new_proxy_settings = request
-      .proxy_settings
-      .unwrap_or(proxy.proxy_settings.clone());
+  let is_dynamic = PROXY_MANAGER.is_dynamic_proxy(&id) || request.dynamic_proxy_url.is_some();

-    match PROXY_MANAGER.update_stored_proxy(
+  let result = if is_dynamic {
+    PROXY_MANAGER.update_dynamic_proxy(
      &state.app_handle,
      &id,
-      Some(new_name.clone()),
-      Some(new_proxy_settings.clone()),
-    ) {
-      Ok(_) => Ok(Json(ApiProxyResponse {
-        id,
-        name: new_name,
-        proxy_settings: new_proxy_settings,
-      })),
-      Err(_) => Err(StatusCode::BAD_REQUEST),
-    }
+      request.name,
+      request.dynamic_proxy_url,
+      request.dynamic_proxy_format,
+    )
  } else {
-    Err(StatusCode::NOT_FOUND)
+    PROXY_MANAGER.update_stored_proxy(&state.app_handle, &id, request.name, request.proxy_settings)
+  };
+
+  match result {
+    Ok(proxy) => Ok(Json(ApiProxyResponse {
+      id: proxy.id,
+      name: proxy.name,
+      dynamic_proxy_url: proxy.dynamic_proxy_url,
+      dynamic_proxy_format: proxy.dynamic_proxy_format,
+      proxy_settings: proxy.proxy_settings,
+    })),
+    Err(_) => Err(StatusCode::NOT_FOUND),
  }
 }

@@ -1151,6 +1200,94 @@ async fn delete_proxy(
  }
 }

+// Extension API endpoints
+
+#[utoipa::path(
+  get,
+  path = "/v1/extensions",
+  responses(
+    (status = 200, description = "List of extensions"),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn get_extensions(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<Vec<crate::extension_manager::Extension>>, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .list_extensions()
+    .map(Json)
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
+}
+
+#[utoipa::path(
+  get,
+  path = "/v1/extension-groups",
+  responses(
+    (status = 200, description = "List of extension groups"),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn get_extension_groups(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<Vec<crate::extension_manager::ExtensionGroup>>, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .list_groups()
+    .map(Json)
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
+}
+
+#[utoipa::path(
+  delete,
+  path = "/v1/extensions/{id}",
+  params(("id" = String, Path, description = "Extension ID")),
+  responses(
+    (status = 204, description = "Extension deleted"),
+    (status = 401, description = "Unauthorized"),
+    (status = 404, description = "Extension not found"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn delete_extension_api(
+  Path(id): Path<String>,
+  State(state): State<ApiServerState>,
+) -> Result<StatusCode, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .delete_extension(&state.app_handle, &id)
+    .map(|_| StatusCode::NO_CONTENT)
+    .map_err(|_| StatusCode::NOT_FOUND)
+}
+
+#[utoipa::path(
+  delete,
+  path = "/v1/extension-groups/{id}",
+  params(("id" = String, Path, description = "Extension Group ID")),
+  responses(
+    (status = 204, description = "Extension group deleted"),
+    (status = 401, description = "Unauthorized"),
+    (status = 404, description = "Extension group not found"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn delete_extension_group_api(
+  Path(id): Path<String>,
+  State(state): State<ApiServerState>,
+) -> Result<StatusCode, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .delete_group(&state.app_handle, &id)
+    .map(|_| StatusCode::NO_CONTENT)
+    .map_err(|_| StatusCode::NOT_FOUND)
+}
+
 // API Handler - Run Profile with Remote Debugging
 #[utoipa::path(
  post,
@@ -1161,6 +1298,7 @@ async fn delete_proxy(
  request_body = RunProfileRequest,
  responses(
    (status = 200, description = "Profile launched successfully", body = RunProfileResponse),
+    (status = 400, description = "Cannot launch cross-OS profile"),
    (status = 401, description = "Unauthorized"),
    (status = 404, description = "Profile not found"),
    (status = 500, description = "Internal server error")
@@ -1175,6 +1313,13 @@ async fn run_profile(
  State(state): State<ApiServerState>,
  Json(request): Json<RunProfileRequest>,
 ) -> Result<Json<RunProfileResponse>, StatusCode> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err(StatusCode::PAYMENT_REQUIRED);
+  }
+
  let headless = request.headless.unwrap_or(false);
  let url = request.url;

@@ -1188,6 +1333,15 @@ async fn run_profile(
    .find(|p| p.id.to_string() == id)
    .ok_or(StatusCode::NOT_FOUND)?;

+  if profile.is_cross_os() {
+    return Err(StatusCode::BAD_REQUEST);
+  }
+
+  // Team lock check
+  crate::team_lock::acquire_team_lock_if_needed(profile)
+    .await
+    .map_err(|_| StatusCode::CONFLICT)?;
+
  // Generate a random port for remote debugging
  let remote_debugging_port = rand::random::<u16>().saturating_add(9000).max(9000);

@@ -1234,6 +1388,13 @@ async fn open_url_in_profile(
  State(state): State<ApiServerState>,
  Json(request): Json<OpenUrlRequest>,
 ) -> Result<StatusCode, StatusCode> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err(StatusCode::PAYMENT_REQUIRED);
+  }
+
  let browser_runner = crate::browser_runner::BrowserRunner::instance();

  browser_runner
@@ -1282,6 +1443,8 @@ async fn kill_profile(
    .await
    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;

+  crate::team_lock::release_team_lock_if_needed(profile).await;
+
  Ok(StatusCode::NO_CONTENT)
 }

@@ -1377,3 +1540,54 @@ async fn check_browser_downloaded(
  let is_downloaded = crate::downloaded_browsers_registry::is_browser_downloaded(browser, version);
  Ok(Json(is_downloaded))
 }
+
+// API Handlers - Wayfern Token
+
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct WayfernTokenResponse {
+  pub token: Option<String>,
+}
+
+#[utoipa::path(
+  get,
+  path = "/v1/wayfern-token",
+  responses(
+    (status = 200, description = "Current wayfern token", body = WayfernTokenResponse),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(
+    ("bearer_auth" = [])
+  ),
+  tag = "wayfern"
+)]
+async fn get_wayfern_token(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<WayfernTokenResponse>, StatusCode> {
+  let token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+  Ok(Json(WayfernTokenResponse { token }))
+}
+
+#[utoipa::path(
+  post,
+  path = "/v1/wayfern-token/refresh",
+  responses(
+    (status = 200, description = "Refreshed wayfern token", body = WayfernTokenResponse),
+    (status = 401, description = "Unauthorized"),
+    (status = 500, description = "Failed to refresh token"),
+  ),
+  security(
+    ("bearer_auth" = [])
+  ),
+  tag = "wayfern"
+)]
+async fn refresh_wayfern_token(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<WayfernTokenResponse>, (StatusCode, String)> {
+  crate::cloud_auth::CLOUD_AUTH
+    .request_wayfern_token()
+    .await
+    .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e))?;
+
+  let token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+  Ok(Json(WayfernTokenResponse { token }))
+}
@@ -506,7 +506,8 @@ impl AppAutoUpdater {
        && (asset.name.contains(&format!("_{arch}.dmg"))
          || asset.name.contains(&format!("-{arch}.dmg"))
          || asset.name.contains(&format!("_{arch}_"))
-          || asset.name.contains(&format!("-{arch}-")))
+          || asset.name.contains(&format!("-{arch}-"))
+          || asset.name.contains(&format!("_{arch}-")))
      {
        log::info!("Found exact architecture match: {}", asset.name);
        return Some(asset.browser_download_url.clone());
@@ -564,7 +565,8 @@ impl AppAutoUpdater {
          && (asset.name.contains(&format!("_{arch}.{ext}"))
            || asset.name.contains(&format!("-{arch}.{ext}"))
            || asset.name.contains(&format!("_{arch}_"))
-            || asset.name.contains(&format!("-{arch}-")))
+            || asset.name.contains(&format!("-{arch}-"))
+            || asset.name.contains(&format!("_{arch}-")))
        {
          log::info!("Found Windows {ext} with exact arch match: {}", asset.name);
          return Some(asset.browser_download_url.clone());
@@ -627,7 +629,8 @@ impl AppAutoUpdater {
          && (asset.name.contains(&format!("_{arch}.{ext}"))
            || asset.name.contains(&format!("-{arch}.{ext}"))
            || asset.name.contains(&format!("_{arch}_"))
-            || asset.name.contains(&format!("-{arch}-")))
+            || asset.name.contains(&format!("-{arch}-"))
+            || asset.name.contains(&format!("_{arch}-")))
        {
          log::info!("Found Linux {ext} with exact arch match: {}", asset.name);
          return Some(asset.browser_download_url.clone());
@@ -741,13 +744,36 @@ impl AppAutoUpdater {
    log::info!("Extracting update...");
    let extracted_app_path = self.extract_update(&download_path, &temp_dir).await?;

-    log::info!("Installing update (overwriting binary)...");
-    self.install_update(&extracted_app_path).await?;
+    // On Windows, MSI/EXE installers close the running app, so running them now
+    // would kill the process before the "Update ready" toast can appear. Instead,
+    // defer execution to restart_application() when the user clicks "Restart Now".
+    #[cfg(target_os = "windows")]
+    {
+      let ext = extracted_app_path
+        .extension()
+        .and_then(|e| e.to_str())
+        .unwrap_or("")
+        .to_lowercase();
+      if ext == "msi" || ext == "exe" {
+        log::info!("Deferring Windows installer execution until user-initiated restart");
+        *PENDING_INSTALLER_PATH.lock().unwrap() = Some(extracted_app_path);
+      } else {
+        log::info!("Installing update (overwriting binary)...");
+        self.install_update(&extracted_app_path).await?;
+        log::info!("Cleaning up temporary files...");
+        let _ = fs::remove_dir_all(&temp_dir);
+      }
+    }

-    log::info!("Cleaning up temporary files...");
-    let _ = fs::remove_dir_all(&temp_dir);
+    #[cfg(not(target_os = "windows"))]
+    {
+      log::info!("Installing update (overwriting binary)...");
+      self.install_update(&extracted_app_path).await?;
+      log::info!("Cleaning up temporary files...");
+      let _ = fs::remove_dir_all(&temp_dir);
+    }

-    log::info!("Update installed successfully, emitting app-update-ready event");
+    log::info!("Update ready, emitting app-update-ready event");

    let _ = events::emit("app-update-ready", update_info.new_version.clone());

@@ -1418,14 +1444,63 @@ rm "{}"
    {
      let app_path = self.get_current_app_path()?;
      let current_pid = std::process::id();
+      let pending = PENDING_INSTALLER_PATH.lock().unwrap().take();

-      // Create a temporary restart batch script
      let temp_dir = std::env::temp_dir();
      let script_path = temp_dir.join("donut_restart.bat");
+      let update_temp_dir = temp_dir.join("donut_app_update");

-      // Create the restart script content
-      let script_content = format!(
-        r#"@echo off
+      let script_content = if let Some(installer_path) = pending {
+        let ext = installer_path
+          .extension()
+          .and_then(|e| e.to_str())
+          .unwrap_or("")
+          .to_lowercase();
+        let install_cmd = match ext.as_str() {
+          "msi" => format!(
+            "msiexec /i \"{}\" /quiet /norestart REBOOT=ReallySuppress",
+            installer_path.to_str().unwrap()
+          ),
+          "exe" => format!("\"{}\" /S", installer_path.to_str().unwrap()),
+          _ => String::new(),
+        };
+
+        format!(
+          r#"@echo off
+rem Wait for the current process to exit
+:wait_loop
+tasklist /fi "PID eq {pid}" >nul 2>&1
+if %errorlevel% equ 0 (
+    timeout /t 1 /nobreak >nul
+    goto wait_loop
+)
+
+rem Wait a bit more to ensure clean exit
+timeout /t 2 /nobreak >nul
+
+rem Run the installer
+{install_cmd}
+
+rem Wait for installation to complete
+timeout /t 3 /nobreak >nul
+
+rem Start the new application
+start "" "{app_path}"
+
+rem Clean up installer temp files
+rmdir /s /q "{update_temp}"
+
+rem Clean up this script
+del "%~f0"
+"#,
+          pid = current_pid,
+          install_cmd = install_cmd,
+          app_path = app_path.to_str().unwrap(),
+          update_temp = update_temp_dir.to_str().unwrap(),
+        )
+      } else {
+        format!(
+          r#"@echo off
 rem Wait for the current process to exit
 :wait_loop
 tasklist /fi "PID eq {}" >nul 2>&1
@@ -1443,24 +1518,20 @@ start "" "{}"
 rem Clean up this script
 del "%~f0"
 "#,
-        current_pid,
-        app_path.to_str().unwrap()
-      );
+          current_pid,
+          app_path.to_str().unwrap()
+        )
+      };

-      // Write the script to file
      fs::write(&script_path, script_content)?;

-      // Execute the restart script in the background
      let mut cmd = Command::new("cmd");
      cmd.args(["/C", script_path.to_str().unwrap()]);

-      // Start the process detached
      let _child = cmd.spawn()?;

-      // Give the script a moment to start
      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;

-      // Exit the current process
      std::process::exit(0);
    }

@@ -1531,6 +1602,16 @@ rm "{}"

 #[tauri::command]
 pub async fn check_for_app_updates() -> Result<Option<AppUpdateInfo>, String> {
+  // The disable_auto_updates setting controls app self-updates only
+  let disabled = crate::settings_manager::SettingsManager::instance()
+    .load_settings()
+    .map(|s| s.disable_auto_updates)
+    .unwrap_or(false);
+  if disabled {
+    log::info!("App auto-updates disabled by user setting");
+    return Ok(None);
+  }
+
  let updater = AppAutoUpdater::instance();
  updater
    .check_for_updates()
@@ -1698,15 +1779,10 @@ mod tests {
        browser_download_url: "https://example.com/x64.dmg".to_string(),
        size: 12345,
      },
-      // Windows assets
+      // Windows assets (NSIS naming: _ARCH-setup.exe)
      AppReleaseAsset {
-        name: "Donut.Browser_0.1.0_x64.msi".to_string(),
-        browser_download_url: "https://example.com/x64.msi".to_string(),
-        size: 12345,
-      },
-      AppReleaseAsset {
-        name: "Donut.Browser_0.1.0_x64.exe".to_string(),
-        browser_download_url: "https://example.com/x64.exe".to_string(),
+        name: "Donut_0.1.0_x64-setup.exe".to_string(),
+        browser_download_url: "https://example.com/x64-setup.exe".to_string(),
        size: 12345,
      },
      // Linux assets
@@ -1928,4 +2004,5 @@ mod tests {
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref APP_AUTO_UPDATER: AppAutoUpdater = AppAutoUpdater::new();
+  static ref PENDING_INSTALLER_PATH: std::sync::Mutex<Option<PathBuf>> = std::sync::Mutex::new(None);
 }
@@ -0,0 +1,200 @@
+use directories::BaseDirs;
+use std::path::PathBuf;
+use std::sync::OnceLock;
+
+static BASE_DIRS: OnceLock<BaseDirs> = OnceLock::new();
+
+fn base_dirs() -> &'static BaseDirs {
+  BASE_DIRS.get_or_init(|| BaseDirs::new().expect("Failed to get base directories"))
+}
+
+pub fn app_name() -> &'static str {
+  if cfg!(debug_assertions) {
+    "DonutBrowserDev"
+  } else {
+    "DonutBrowser"
+  }
+}
+
+pub fn data_dir() -> PathBuf {
+  #[cfg(test)]
+  {
+    if let Some(dir) = TEST_DATA_DIR.with(|cell| cell.borrow().clone()) {
+      return dir;
+    }
+  }
+
+  if let Ok(dir) = std::env::var("DONUTBROWSER_DATA_DIR") {
+    return PathBuf::from(dir);
+  }
+
+  base_dirs().data_local_dir().join(app_name())
+}
+
+pub fn cache_dir() -> PathBuf {
+  #[cfg(test)]
+  {
+    if let Some(dir) = TEST_CACHE_DIR.with(|cell| cell.borrow().clone()) {
+      return dir;
+    }
+  }
+
+  if let Ok(dir) = std::env::var("DONUTBROWSER_CACHE_DIR") {
+    return PathBuf::from(dir);
+  }
+
+  base_dirs().cache_dir().join(app_name())
+}
+
+pub fn profiles_dir() -> PathBuf {
+  data_dir().join("profiles")
+}
+
+pub fn binaries_dir() -> PathBuf {
+  data_dir().join("binaries")
+}
+
+pub fn data_subdir() -> PathBuf {
+  data_dir().join("data")
+}
+
+pub fn settings_dir() -> PathBuf {
+  data_dir().join("settings")
+}
+
+pub fn proxies_dir() -> PathBuf {
+  data_dir().join("proxies")
+}
+
+pub fn proxy_workers_dir() -> PathBuf {
+  cache_dir().join("proxy_workers")
+}
+
+pub fn vpn_dir() -> PathBuf {
+  data_dir().join("vpn")
+}
+
+pub fn extensions_dir() -> PathBuf {
+  data_dir().join("extensions")
+}
+
+#[cfg(test)]
+thread_local! {
+  static TEST_DATA_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
+  static TEST_CACHE_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
+}
+
+#[cfg(test)]
+pub struct TestDirGuard {
+  kind: TestDirKind,
+}
+
+#[cfg(test)]
+enum TestDirKind {
+  Data,
+  Cache,
+}
+
+#[cfg(test)]
+impl Drop for TestDirGuard {
+  fn drop(&mut self) {
+    match self.kind {
+      TestDirKind::Data => TEST_DATA_DIR.with(|cell| *cell.borrow_mut() = None),
+      TestDirKind::Cache => TEST_CACHE_DIR.with(|cell| *cell.borrow_mut() = None),
+    }
+  }
+}
+
+#[cfg(test)]
+pub fn set_test_data_dir(dir: PathBuf) -> TestDirGuard {
+  TEST_DATA_DIR.with(|cell| *cell.borrow_mut() = Some(dir));
+  TestDirGuard {
+    kind: TestDirKind::Data,
+  }
+}
+
+#[cfg(test)]
+pub fn set_test_cache_dir(dir: PathBuf) -> TestDirGuard {
+  TEST_CACHE_DIR.with(|cell| *cell.borrow_mut() = Some(dir));
+  TestDirGuard {
+    kind: TestDirKind::Cache,
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_app_name() {
+    let name = app_name();
+    assert!(
+      name == "DonutBrowser" || name == "DonutBrowserDev",
+      "app_name should be DonutBrowser or DonutBrowserDev, got: {name}"
+    );
+  }
+
+  #[test]
+  fn test_data_dir_returns_path() {
+    let dir = data_dir();
+    assert!(
+      dir.to_string_lossy().contains(app_name()),
+      "data_dir should contain app_name"
+    );
+  }
+
+  #[test]
+  fn test_cache_dir_returns_path() {
+    let dir = cache_dir();
+    assert!(
+      dir.to_string_lossy().contains(app_name()),
+      "cache_dir should contain app_name"
+    );
+  }
+
+  #[test]
+  fn test_subdirectory_helpers() {
+    assert!(profiles_dir().ends_with("profiles"));
+    assert!(binaries_dir().ends_with("binaries"));
+    assert!(data_subdir().ends_with("data"));
+    assert!(settings_dir().ends_with("settings"));
+    assert!(proxies_dir().ends_with("proxies"));
+    assert!(proxy_workers_dir().ends_with("proxy_workers"));
+    assert!(vpn_dir().ends_with("vpn"));
+    assert!(extensions_dir().ends_with("extensions"));
+  }
+
+  #[test]
+  fn test_set_test_data_dir() {
+    let tmp = PathBuf::from("/tmp/test-donut-data");
+    let _guard = set_test_data_dir(tmp.clone());
+    assert_eq!(data_dir(), tmp);
+    assert_eq!(profiles_dir(), tmp.join("profiles"));
+    assert_eq!(binaries_dir(), tmp.join("binaries"));
+  }
+
+  #[test]
+  fn test_set_test_cache_dir() {
+    let tmp = PathBuf::from("/tmp/test-donut-cache");
+    let _guard = set_test_cache_dir(tmp.clone());
+    assert_eq!(cache_dir(), tmp);
+  }
+
+  #[test]
+  fn test_guard_cleanup() {
+    let original_data = data_dir();
+    let original_cache = cache_dir();
+
+    {
+      let _guard = set_test_data_dir(PathBuf::from("/tmp/test-cleanup-data"));
+      assert_eq!(data_dir(), PathBuf::from("/tmp/test-cleanup-data"));
+    }
+    assert_eq!(data_dir(), original_data);
+
+    {
+      let _guard = set_test_cache_dir(PathBuf::from("/tmp/test-cleanup-cache"));
+      assert_eq!(cache_dir(), PathBuf::from("/tmp/test-cleanup-cache"));
+    }
+    assert_eq!(cache_dir(), original_cache);
+  }
+}
@@ -1,5 +1,4 @@
 use crate::browser_version_manager::{BrowserVersionInfo, BrowserVersionManager};
-use crate::events;
 use crate::profile::{BrowserProfile, ProfileManager};
 use crate::settings_manager::SettingsManager;
 use serde::{Deserialize, Serialize};
@@ -61,6 +60,10 @@ impl AutoUpdater {
    let mut browser_profiles: HashMap<String, Vec<BrowserProfile>> = HashMap::new();

    for profile in profiles {
+      if profile.is_cross_os() {
+        continue;
+      }
+
      // Only check supported browsers
      if !self
        .browser_version_manager
@@ -77,24 +80,25 @@ impl AutoUpdater {
    }

    for (browser, profiles) in browser_profiles {
-      // Get cached versions first, then try to fetch if needed
-      let versions = if let Some(cached) = self
+      // Always fetch fresh versions for update checks — stale cache would miss new releases
+      let versions = match self
        .browser_version_manager
-        .get_cached_browser_versions_detailed(&browser)
+        .fetch_browser_versions_detailed(&browser, false)
+        .await
      {
-        cached
-      } else if self.browser_version_manager.should_update_cache(&browser) {
-        // Try to fetch fresh versions
-        match self
-          .browser_version_manager
-          .fetch_browser_versions_detailed(&browser, false)
-          .await
-        {
-          Ok(versions) => versions,
-          Err(_) => continue, // Skip this browser if fetch fails
+        Ok(versions) => versions,
+        Err(e) => {
+          log::warn!("Failed to fetch versions for {browser}: {e}, trying cache");
+          // Fall back to cache if network fails
+          if let Some(cached) = self
+            .browser_version_manager
+            .get_cached_browser_versions_detailed(&browser)
+          {
+            cached
+          } else {
+            continue;
+          }
        }
-      } else {
-        continue; // No cached versions and cache doesn't need update
      };

      browser_versions.insert(browser.clone(), versions.clone());
@@ -102,26 +106,7 @@ impl AutoUpdater {
      // Check each profile for updates
      for profile in profiles {
        if let Some(update) = self.check_profile_update(&profile, &versions)? {
-          // Apply chromium threshold logic
-          if browser == "chromium" {
-            // For chromium, only show notifications if there are 400+ new versions
-            let current_version = &profile.version.parse::<u32>().unwrap();
-            let new_version = &update.new_version.parse::<u32>().unwrap();
-
-            let result = new_version - current_version;
-            log::info!(
-              "Current version: {current_version}, New version: {new_version}, Result: {result}"
-            );
-            if result > 400 {
-              notifications.push(update);
-            } else {
-              log::info!(
-                "Skipping chromium update notification: only {result} new versions (need 400+)"
-              );
-            }
-          } else {
-            notifications.push(update);
-          }
+          notifications.push(update);
        }
      }
    }
@@ -132,78 +117,72 @@ impl AutoUpdater {
  pub async fn check_for_updates_with_progress(&self, app_handle: &tauri::AppHandle) {
    log::info!("Starting auto-update check with progress...");

+    // Browser auto-updates are always enabled — the disable_auto_updates setting
+    // only controls app self-updates, not browser version updates.
+
    // Check for browser updates and trigger auto-downloads
    match self.check_for_updates().await {
      Ok(update_notifications) => {
-        if !update_notifications.is_empty() {
-          log::info!(
-            "Found {} browser updates to auto-download",
-            update_notifications.len()
-          );
+        // Group by browser+version to avoid duplicate downloads
+        let grouped = self.group_update_notifications(update_notifications);
+        if !grouped.is_empty() {
+          log::info!("Found {} browser updates", grouped.len());

-          // Trigger automatic downloads for each update
-          for notification in update_notifications {
+          for notification in grouped {
            log::info!(
-              "Auto-downloading {} version {}",
+              "Auto-updating {} to version {} ({} profiles)",
              notification.browser,
-              notification.new_version
+              notification.new_version,
+              notification.affected_profiles.len()
            );

-            // Clone app_handle for the async task
            let browser = notification.browser.clone();
            let new_version = notification.new_version.clone();
-            let notification_id = notification.id.clone();
-            let affected_profiles = notification.affected_profiles.clone();
            let app_handle_clone = app_handle.clone();

            // Spawn async task to handle the download and auto-update
            tokio::spawn(async move {
-              // TODO: update the logic to use the downloaded browsers registry instance instead of the static method
-              // First, check if browser already exists
-              match crate::downloaded_browsers_registry::is_browser_downloaded(
-                browser.clone(),
-                new_version.clone(),
-              ) {
-                true => {
-                  log::info!("Browser {browser} {new_version} already downloaded, proceeding to auto-update profiles");
+              let registry =
+                crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();

-                  // Browser already exists, go straight to profile update
-                  match AutoUpdater::instance()
-                    .complete_browser_update_with_auto_update(
-                      &app_handle_clone,
-                      &browser.clone(),
-                      &new_version.clone(),
-                    )
-                    .await
-                  {
-                    Ok(updated_profiles) => {
+              if registry.is_browser_downloaded(&browser, &new_version) {
+                log::info!("Browser {browser} {new_version} already downloaded, proceeding to auto-update profiles");
+
+                // Browser already exists, go straight to profile update
+                match AutoUpdater::instance()
+                  .auto_update_profile_versions(&app_handle_clone, &browser, &new_version)
+                  .await
+                {
+                  Ok(updated_profiles) => {
+                    if !updated_profiles.is_empty() {
                      log::info!(
-                        "Auto-update completed for {} profiles: {:?}",
+                        "Auto-updated {} profiles to {browser} {new_version}: {:?}",
                        updated_profiles.len(),
                        updated_profiles
                      );
                    }
-                    Err(e) => {
-                      log::error!("Failed to complete auto-update for {browser}: {e}");
-                    }
+                  }
+                  Err(e) => {
+                    log::error!("Failed to auto-update profiles for {browser}: {e}");
                  }
                }
-                false => {
-                  log::info!("Downloading browser {browser} version {new_version}...");
+              } else {
+                log::info!("Downloading browser {browser} version {new_version}...");

-                  // Emit the auto-update event to trigger frontend handling
-                  let auto_update_event = serde_json::json!({
-                    "browser": browser,
-                    "new_version": new_version,
-                    "notification_id": notification_id,
-                    "affected_profiles": affected_profiles
-                  });
-
-                  if let Err(e) = events::emit("browser-auto-update-available", &auto_update_event)
-                  {
-                    log::error!("Failed to emit auto-update event for {browser}: {e}");
-                  } else {
-                    log::info!("Emitted auto-update event for {browser}");
+                // Download directly from Rust — download_browser_full already
+                // auto-updates non-running profiles after successful download.
+                match crate::downloader::download_browser(
+                  app_handle_clone,
+                  browser.clone(),
+                  new_version.clone(),
+                )
+                .await
+                {
+                  Ok(actual_version) => {
+                    log::info!("Auto-download completed for {browser} {actual_version}");
+                  }
+                  Err(e) => {
+                    log::error!("Failed to auto-download {browser} {new_version}: {e}");
                  }
                }
              }
@@ -217,6 +196,24 @@ impl AutoUpdater {
        log::error!("Failed to check for browser updates: {e}");
      }
    }
+
+    // Also update any profiles that can be bumped to an already-installed newer version.
+    // This handles cases where a version was downloaded but profiles weren't updated
+    // (e.g., they were running at the time, or the update was missed).
+    match self.update_profiles_to_latest_installed(app_handle) {
+      Ok(updated) => {
+        if !updated.is_empty() {
+          log::info!(
+            "Updated {} profiles to latest installed versions: {:?}",
+            updated.len(),
+            updated
+          );
+        }
+      }
+      Err(e) => {
+        log::error!("Failed to update profiles to latest installed versions: {e}");
+      }
+    }
  }

  /// Check if a specific profile has an available update
@@ -313,9 +310,42 @@ impl AutoUpdater {
    // Find all profiles for this browser that should be updated
    for profile in profiles {
      if profile.browser == browser {
+        if profile.is_cross_os() {
+          continue;
+        }
+
        // Check if profile is currently running
        if profile.process_id.is_some() {
-          continue; // Skip running profiles
+          // Store as pending update so it gets applied when browser closes
+          log::info!(
+            "Profile {} is running, storing pending update {} -> {}",
+            profile.name,
+            profile.version,
+            new_version
+          );
+          let mut state = self.load_auto_update_state().unwrap_or_default();
+          let notification = UpdateNotification {
+            id: format!("{}_{}_to_{}", browser, profile.version, new_version),
+            browser: browser.to_string(),
+            current_version: profile.version.clone(),
+            new_version: new_version.to_string(),
+            affected_profiles: vec![profile.name.clone()],
+            is_stable_update: true,
+            timestamp: std::time::SystemTime::now()
+              .duration_since(std::time::UNIX_EPOCH)
+              .unwrap_or_default()
+              .as_secs(),
+          };
+          // Add if not already pending
+          if !state
+            .pending_updates
+            .iter()
+            .any(|u| u.id == notification.id)
+          {
+            state.pending_updates.push(notification);
+            let _ = self.save_auto_update_state(&state);
+          }
+          continue;
        }

        // Check if this is an update (newer version)
@@ -362,15 +392,6 @@ impl AutoUpdater {
    Ok(updated_profiles)
  }

-  /// Check if browser is disabled due to ongoing update
-  pub fn is_browser_disabled(
-    &self,
-    browser: &str,
-  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
-    let state = self.load_auto_update_state()?;
-    Ok(state.disabled_browsers.contains(browser))
-  }
-
  /// Dismiss update notification
  pub fn dismiss_update_notification(
    &self,
@@ -457,6 +478,148 @@ impl AutoUpdater {

    Ok(None)
  }
+
+  /// Get the latest installed version for a browser from the downloaded browsers registry
+  pub fn get_latest_installed_version(&self, browser: &str) -> Option<String> {
+    let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+    let versions = registry.get_downloaded_versions(browser);
+    versions
+      .into_iter()
+      .filter(|v| registry.is_browser_downloaded(browser, v))
+      .max_by(|a, b| self.compare_versions(a, b))
+  }
+
+  /// Update a single profile to the latest installed version for its browser.
+  /// Used when a browser closes to ensure it's on the latest version.
+  pub fn update_profile_to_latest_installed(
+    &self,
+    app_handle: &tauri::AppHandle,
+    profile: &crate::profile::BrowserProfile,
+  ) -> Option<crate::profile::BrowserProfile> {
+    let latest = self.get_latest_installed_version(&profile.browser)?;
+
+    if !self.is_version_newer(&latest, &profile.version) {
+      return None;
+    }
+
+    // Only update stable->stable and nightly->nightly
+    let is_profile_nightly =
+      crate::api_client::is_browser_version_nightly(&profile.browser, &profile.version, None);
+    let is_latest_nightly =
+      crate::api_client::is_browser_version_nightly(&profile.browser, &latest, None);
+    if is_profile_nightly != is_latest_nightly {
+      return None;
+    }
+
+    match self
+      .profile_manager
+      .update_profile_version(app_handle, &profile.id.to_string(), &latest)
+    {
+      Ok(updated) => {
+        log::info!(
+          "Updated profile {} from {} {} to latest installed version {}",
+          profile.name,
+          profile.browser,
+          profile.version,
+          latest
+        );
+        Some(updated)
+      }
+      Err(e) => {
+        log::error!(
+          "Failed to update profile {} to latest installed version: {e}",
+          profile.name
+        );
+        None
+      }
+    }
+  }
+
+  /// Update all non-running profiles to the latest installed version for each browser.
+  /// Handles the case where a newer version was downloaded but profiles weren't updated.
+  pub fn update_profiles_to_latest_installed(
+    &self,
+    app_handle: &tauri::AppHandle,
+  ) -> Result<Vec<String>, Box<dyn std::error::Error + Send + Sync>> {
+    let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+    let profiles = self
+      .profile_manager
+      .list_profiles()
+      .map_err(|e| format!("Failed to list profiles: {e}"))?;
+
+    let mut all_updated = Vec::new();
+
+    // Group profiles by browser
+    let mut browser_profiles: HashMap<String, Vec<BrowserProfile>> = HashMap::new();
+    for profile in profiles {
+      if profile.is_cross_os() {
+        continue;
+      }
+      browser_profiles
+        .entry(profile.browser.clone())
+        .or_default()
+        .push(profile);
+    }
+
+    for (browser, profiles) in browser_profiles {
+      let installed_versions = registry.get_downloaded_versions(&browser);
+      if installed_versions.is_empty() {
+        continue;
+      }
+
+      // Find the latest installed version that actually exists on disk
+      let latest_installed = installed_versions
+        .iter()
+        .filter(|v| registry.is_browser_downloaded(&browser, v))
+        .max_by(|a, b| self.compare_versions(a, b));
+
+      let latest_version = match latest_installed {
+        Some(v) => v.clone(),
+        None => continue,
+      };
+
+      for profile in profiles {
+        if profile.process_id.is_some() {
+          continue;
+        }
+
+        if !self.is_version_newer(&latest_version, &profile.version) {
+          continue;
+        }
+
+        // Only update stable->stable and nightly->nightly
+        let is_profile_nightly =
+          crate::api_client::is_browser_version_nightly(&browser, &profile.version, None);
+        let is_latest_nightly =
+          crate::api_client::is_browser_version_nightly(&browser, &latest_version, None);
+        if is_profile_nightly != is_latest_nightly {
+          continue;
+        }
+
+        match self.profile_manager.update_profile_version(
+          app_handle,
+          &profile.id.to_string(),
+          &latest_version,
+        ) {
+          Ok(_) => {
+            log::info!(
+              "Updated profile {} from {} {} to latest installed version {}",
+              profile.name,
+              browser,
+              profile.version,
+              latest_version
+            );
+            all_updated.push(profile.name);
+          }
+          Err(e) => {
+            log::error!("Failed to update profile {}: {e}", profile.name);
+          }
+        }
+      }
+    }
+
+    Ok(all_updated)
+  }
 }

 // Tauri commands
@@ -511,6 +674,7 @@ mod tests {
      version: version.to_string(),
      process_id: None,
      proxy_id: None,
+      vpn_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
      camoufox_config: None,
@@ -518,8 +682,15 @@ mod tests {
      group_id: None,
      tags: Vec::new(),
      note: None,
-      sync_enabled: false,
+      sync_mode: crate::profile::types::SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: None,
+      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    }
  }

@@ -9,19 +9,39 @@ use std::path::PathBuf;
 use std::process;
 use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::mpsc;
+use std::time::{Duration, Instant};

 use muda::MenuEvent;
 use serde::{Deserialize, Serialize};
-use single_instance::SingleInstance;
 use tao::event::{Event, StartCause};
 use tao::event_loop::{ControlFlow, EventLoopBuilder};
 use tokio::runtime::Runtime;
 use tray_icon::TrayIcon;
+#[cfg(not(target_os = "macos"))]
+use tray_icon::{MouseButton, TrayIconEvent};

 use donutbrowser_lib::daemon::{autostart, services, tray};

 static SHOULD_QUIT: AtomicBool = AtomicBool::new(false);

+#[cfg(windows)]
+fn win_process_exists(pid: u32) -> bool {
+  const PROCESS_QUERY_LIMITED_INFORMATION: u32 = 0x1000;
+
+  extern "system" {
+    fn OpenProcess(dwDesiredAccess: u32, bInheritHandles: i32, dwProcessId: u32) -> *mut ();
+    fn CloseHandle(hObject: *mut ()) -> i32;
+  }
+
+  let handle = unsafe { OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid) };
+  if handle.is_null() {
+    false
+  } else {
+    unsafe { CloseHandle(handle) };
+    true
+  }
+}
+
 enum ServiceStatus {
  Ready {
    api_port: Option<u16>,
@@ -69,52 +89,6 @@ fn write_state(state: &DaemonState) -> std::io::Result<()> {
  fs::write(path, content)
 }

-fn detach_from_parent() {
-  #[cfg(unix)]
-  {
-    unsafe {
-      libc::setsid();
-    }
-  }
-}
-
-fn spawn_detached() {
-  #[cfg(unix)]
-  {
-    match unsafe { libc::fork() } {
-      -1 => {
-        eprintln!("Fork failed");
-        process::exit(1);
-      }
-      0 => {
-        detach_from_parent();
-      }
-      _ => {
-        process::exit(0);
-      }
-    }
-  }
-
-  #[cfg(windows)]
-  {
-    use std::os::windows::process::CommandExt;
-    use std::process::{Command, Stdio};
-    const DETACHED_PROCESS: u32 = 0x00000008;
-    const CREATE_NEW_PROCESS_GROUP: u32 = 0x00000200;
-    let current_exe = env::current_exe().expect("Failed to get current exe path");
-
-    let _ = Command::new(current_exe)
-      .arg("--daemon-internal")
-      .stdin(Stdio::null())
-      .stdout(Stdio::null())
-      .stderr(Stdio::null())
-      .creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP)
-      .spawn();
-
-    process::exit(0);
-  }
-}
-
 fn set_high_priority() {
  #[cfg(unix)]
  {
@@ -174,13 +148,6 @@ fn run_daemon() {
    process::exit(1);
  }

-  let instance =
-    SingleInstance::new("donut-browser-daemon").expect("Failed to create single instance lock");
-  if !instance.is_single() {
-    eprintln!("Daemon is already running");
-    process::exit(1);
-  }
-
  log::info!("[daemon] Starting with PID {}", process::id());

  // Create tokio runtime for async operations
@@ -215,10 +182,7 @@ fn run_daemon() {
  }

  // Prepare tray menu and icon (but don't create the tray icon yet)
-  // Show "Starting..." state initially
  let tray_menu = tray::TrayMenu::new();
-  tray_menu.update_api_status(None);
-  tray_menu.update_mcp_status(false);

  let icon = tray::load_icon();
  let menu_channel = MenuEvent::receiver();
@@ -229,9 +193,45 @@ fn run_daemon() {
  // Store tray icon in Option - created after event loop starts
  let mut tray_icon: Option<TrayIcon> = None;

+  // Install signal handlers so SIGTERM/SIGINT trigger graceful shutdown
+  #[cfg(unix)]
+  unsafe {
+    extern "C" fn signal_handler(_sig: libc::c_int) {
+      SHOULD_QUIT.store(true, std::sync::atomic::Ordering::SeqCst);
+    }
+    libc::signal(
+      libc::SIGTERM,
+      signal_handler as *const () as libc::sighandler_t,
+    );
+    libc::signal(
+      libc::SIGINT,
+      signal_handler as *const () as libc::sighandler_t,
+    );
+  }
+
+  #[cfg(windows)]
+  {
+    extern "system" {
+      fn SetConsoleCtrlHandler(
+        handler: Option<unsafe extern "system" fn(u32) -> i32>,
+        add: i32,
+      ) -> i32;
+    }
+
+    unsafe extern "system" fn ctrl_handler(_ctrl_type: u32) -> i32 {
+      SHOULD_QUIT.store(true, std::sync::atomic::Ordering::SeqCst);
+      1 // TRUE
+    }
+
+    unsafe {
+      SetConsoleCtrlHandler(Some(ctrl_handler), 1);
+    }
+  }
+
  // Run the event loop
  event_loop.run(move |event, _, control_flow| {
-    *control_flow = ControlFlow::Poll;
+    // Use WaitUntil to check for menu events periodically while staying low on CPU
+    *control_flow = ControlFlow::WaitUntil(Instant::now() + Duration::from_millis(100));

    match event {
      Event::NewEvents(StartCause::Init) => {
@@ -260,8 +260,6 @@ fn run_daemon() {
              mcp_running,
            } => {
              log::info!("[daemon] Services started successfully");
-              tray_menu.update_api_status(api_port);
-              tray_menu.update_mcp_status(mcp_running);

              // Update state file
              let mut state = read_state();
@@ -273,30 +271,64 @@ fn run_daemon() {
            }
            ServiceStatus::Failed(e) => {
              log::error!("Failed to start services: {}", e);
-              // Keep tray icon running, show error state
-              tray_menu.update_api_status(None);
-              tray_menu.update_mcp_status(false);
            }
          }
        }

        // Process menu events
        while let Ok(event) = menu_channel.try_recv() {
-          if event.id == tray_menu.open_item.id() || event.id == tray_menu.preferences_item.id() {
-            tray::open_gui();
-          } else if event.id == tray_menu.quit_item.id() {
+          if event.id == tray_menu.quit_item.id() {
            log::info!("[daemon] Quit requested");
            SHOULD_QUIT.store(true, Ordering::SeqCst);
          }
        }

-        if SHOULD_QUIT.load(Ordering::SeqCst) {
-          // Cleanup
+        // Handle tray icon click (left-click opens the app)
+        // On macOS, left-click already shows the menu, so don't also launch the GUI.
+        #[cfg(not(target_os = "macos"))]
+        while let Ok(event) = TrayIconEvent::receiver().try_recv() {
+          if let TrayIconEvent::Click {
+            button: MouseButton::Left,
+            ..
+          } = event
+          {
+            tray::open_gui();
+          }
+        }
+
+        // Use swap to only run cleanup once
+        if SHOULD_QUIT.swap(false, Ordering::SeqCst) {
+          // Remove tray icon from status bar immediately so the UI feels responsive
+          tray_icon = None;
+
+          tray::quit_gui();
+
          let mut state = read_state();
          state.daemon_pid = None;
          let _ = write_state(&state);
          log::info!("[daemon] Exiting");
-          *control_flow = ControlFlow::Exit;
+
+          // Use process::exit for immediate termination instead of ControlFlow::Exit.
+          // ControlFlow::Exit can delay because tao's macOS event loop defers exit,
+          // and dropping the tokio runtime blocks until all spawned tasks finish.
+          process::exit(0);
+        }
+      }
+      Event::Reopen { .. } => {
+        tray::open_gui();
+
+        // Re-hide daemon from Dock. macOS activates the daemon (making it
+        // visible) when the user clicks the Dock icon, overriding the
+        // Accessory policy set at init.
+        #[cfg(target_os = "macos")]
+        {
+          use objc2::MainThreadMarker;
+          use objc2_app_kit::{NSApplication, NSApplicationActivationPolicy};
+
+          if let Some(mtm) = MainThreadMarker::new() {
+            let app = NSApplication::sharedApplication(mtm);
+            app.setActivationPolicy(NSApplicationActivationPolicy::Accessory);
+          }
        }
      }
      _ => {}
@@ -314,6 +346,32 @@ fn stop_daemon() {
  let state = read_state();

  if let Some(pid) = state.daemon_pid {
+    // On Windows, taskkill /F kills instantly with no handler, so kill GUI first
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      use std::process::Command;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+
+      let state_path = get_state_path();
+      if let Ok(content) = fs::read_to_string(&state_path) {
+        if let Ok(val) = serde_json::from_str::<serde_json::Value>(&content) {
+          if let Some(gui_pid) = val.get("gui_pid").and_then(|v| v.as_u64()) {
+            let _ = Command::new("taskkill")
+              .args(["/PID", &gui_pid.to_string(), "/F"])
+              .creation_flags(CREATE_NO_WINDOW)
+              .output();
+          }
+        }
+      }
+
+      let _ = Command::new("taskkill")
+        .args(["/PID", &pid.to_string(), "/F"])
+        .creation_flags(CREATE_NO_WINDOW)
+        .output();
+      eprintln!("Sent stop signal to daemon (PID {})", pid);
+    }
+
    #[cfg(unix)]
    {
      unsafe {
@@ -321,15 +379,6 @@ fn stop_daemon() {
      }
      eprintln!("Sent stop signal to daemon (PID {})", pid);
    }
-
-    #[cfg(windows)]
-    {
-      use std::process::Command;
-      let _ = Command::new("taskkill")
-        .args(["/PID", &pid.to_string(), "/F"])
-        .output();
-      eprintln!("Sent stop signal to daemon (PID {})", pid);
-    }
  } else {
    eprintln!("Daemon is not running");
  }
@@ -343,15 +392,7 @@ fn show_status() {
    let is_running = unsafe { libc::kill(pid as i32, 0) == 0 };

    #[cfg(windows)]
-    let is_running = {
-      use std::process::Command;
-      let output = Command::new("tasklist")
-        .args(["/FI", &format!("PID eq {}", pid)])
-        .output();
-      output
-        .map(|o| String::from_utf8_lossy(&o.stdout).contains(&pid.to_string()))
-        .unwrap_or(false)
-    };
+    let is_running = win_process_exists(pid);

    #[cfg(not(any(unix, windows)))]
    let is_running = false;
@@ -405,8 +446,6 @@ fn main() {

  match args[1].as_str() {
    "start" => {
-      eprintln!("Starting daemon...");
-      spawn_detached();
      run_daemon();
    }
    "stop" => {
@@ -418,9 +457,6 @@ fn main() {
    "run" => {
      run_daemon();
    }
-    "--daemon-internal" => {
-      run_daemon();
-    }
    "autostart" => {
      if args.len() < 3 {
        eprintln!("Usage: donut-daemon autostart <enable|disable|status>");
@@ -147,6 +147,11 @@ async fn main() {
              Arg::new("profile-id")
                .long("profile-id")
                .help("ID of the profile this proxy is associated with"),
+            )
+            .arg(
+              Arg::new("bypass-rules")
+                .long("bypass-rules")
+                .help("JSON array of bypass rules (hostnames, IPs, or regex patterns)"),
            ),
        )
        .subcommand(
@@ -172,6 +177,24 @@ async fn main() {
        )
        .arg(Arg::new("action").required(true).help("Action (start)")),
    )
+    .subcommand(
+      Command::new("vpn-worker")
+        .about("Run a VPN worker process (internal use)")
+        .arg(
+          Arg::new("id")
+            .long("id")
+            .required(true)
+            .help("VPN worker configuration ID"),
+        )
+        .arg(
+          Arg::new("port")
+            .long("port")
+            .value_parser(clap::value_parser!(u16))
+            .required(true)
+            .help("Local SOCKS5 port"),
+        )
+        .arg(Arg::new("action").required(true).help("Action (start)")),
+    )
    .get_matches();

  if let Some(proxy_matches) = matches.subcommand_matches("proxy") {
@@ -199,8 +222,12 @@ async fn main() {

      let port = start_matches.get_one::<u16>("port").copied();
      let profile_id = start_matches.get_one::<String>("profile-id").cloned();
+      let bypass_rules: Vec<String> = start_matches
+        .get_one::<String>("bypass-rules")
+        .and_then(|s| serde_json::from_str(s).ok())
+        .unwrap_or_default();

-      match start_proxy_process_with_profile(upstream_url, port, profile_id).await {
+      match start_proxy_process_with_profile(upstream_url, port, profile_id, bypass_rules).await {
        Ok(config) => {
          // Output the configuration as JSON for the Rust side to parse
          // Use println! here because this needs to go to stdout for parsing
@@ -291,19 +318,31 @@ async fn main() {
      log::error!("Proxy worker starting, looking for config id: {}", id);
      log::error!("Process PID: {}", std::process::id());

-      let config = match get_proxy_config(id) {
-        Some(config) => {
-          log::error!(
-            "Found config: id={}, port={:?}, upstream={}",
-            config.id,
-            config.local_port,
-            config.upstream_url
-          );
-          config
-        }
-        None => {
-          log::error!("Proxy configuration {} not found", id);
-          process::exit(1);
+      // Retry config loading to handle file system race condition on Windows
+      // where the config file may not be immediately visible after being written
+      let config = {
+        let mut attempts = 0;
+        loop {
+          if let Some(config) = get_proxy_config(id) {
+            log::error!(
+              "Found config: id={}, port={:?}, upstream={}",
+              config.id,
+              config.local_port,
+              config.upstream_url
+            );
+            break config;
+          }
+          attempts += 1;
+          if attempts >= 10 {
+            log::error!(
+              "Proxy configuration {} not found after {} attempts",
+              id,
+              attempts
+            );
+            process::exit(1);
+          }
+          log::error!("Config {} not found yet, retrying ({}/10)...", id, attempts);
+          std::thread::sleep(std::time::Duration::from_millis(50));
        }
      };

@@ -321,6 +360,107 @@ async fn main() {
      log::error!("Invalid action for proxy-worker. Use 'start'");
      process::exit(1);
    }
+  } else if let Some(vpn_matches) = matches.subcommand_matches("vpn-worker") {
+    let id = vpn_matches.get_one::<String>("id").expect("id is required");
+    let action = vpn_matches
+      .get_one::<String>("action")
+      .expect("action is required");
+    let port = *vpn_matches
+      .get_one::<u16>("port")
+      .expect("port is required");
+
+    if action == "start" {
+      set_high_priority();
+
+      log::info!("VPN worker starting, config id: {}", id);
+      log::info!("Process PID: {}", std::process::id());
+
+      // Retry config loading to handle file system race condition
+      let config = {
+        let mut attempts = 0;
+        loop {
+          if let Some(config) = donutbrowser_lib::vpn_worker_storage::get_vpn_worker_config(id) {
+            log::info!(
+              "Found VPN worker config: id={}, vpn_type={}, vpn_id={}",
+              config.id,
+              config.vpn_type,
+              config.vpn_id
+            );
+            break config;
+          }
+          attempts += 1;
+          if attempts >= 10 {
+            log::error!(
+              "VPN worker configuration {} not found after {} attempts",
+              id,
+              attempts
+            );
+            process::exit(1);
+          }
+          log::info!(
+            "VPN worker config {} not found yet, retrying ({}/10)...",
+            id,
+            attempts
+          );
+          std::thread::sleep(std::time::Duration::from_millis(50));
+        }
+      };
+
+      // Read the decrypted VPN config from the temp file
+      let vpn_config_data = match std::fs::read_to_string(&config.config_file_path) {
+        Ok(data) => data,
+        Err(e) => {
+          log::error!(
+            "Failed to read VPN config file {}: {}",
+            config.config_file_path,
+            e
+          );
+          process::exit(1);
+        }
+      };
+
+      match config.vpn_type.as_str() {
+        "wireguard" => {
+          let wg_config = match donutbrowser_lib::vpn::parse_wireguard_config(&vpn_config_data) {
+            Ok(c) => c,
+            Err(e) => {
+              log::error!("Failed to parse WireGuard config: {}", e);
+              process::exit(1);
+            }
+          };
+
+          let server =
+            donutbrowser_lib::vpn::socks5_server::WireGuardSocks5Server::new(wg_config, port);
+          if let Err(e) = server.run(id.clone()).await {
+            log::error!("VPN worker failed: {}", e);
+            process::exit(1);
+          }
+        }
+        "openvpn" => {
+          let ovpn_config = match donutbrowser_lib::vpn::parse_openvpn_config(&vpn_config_data) {
+            Ok(c) => c,
+            Err(e) => {
+              log::error!("Failed to parse OpenVPN config: {}", e);
+              process::exit(1);
+            }
+          };
+
+          let server =
+            donutbrowser_lib::vpn::openvpn_socks5::OpenVpnSocks5Server::new(ovpn_config, port);
+          if let Err(e) = server.run(id.clone()).await {
+            log::error!("VPN worker failed: {}", e);
+            process::exit(1);
+          }
+        }
+        other => {
+          log::error!("Unknown VPN type: {}", other);
+          process::exit(1);
+        }
+      }
+    } else {
+      log::error!("Invalid action for vpn-worker. Use 'start'");
+      process::exit(1);
+    }
  } else {
    log::error!("No command specified");
    process::exit(1);
@@ -13,11 +13,6 @@ pub struct ProxySettings {

 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub enum BrowserType {
-  Chromium,
-  Firefox,
-  FirefoxDeveloper,
-  Brave,
-  Zen,
  Camoufox,
  Wayfern,
 }
@@ -25,11 +20,6 @@ pub enum BrowserType {
 impl BrowserType {
  pub fn as_str(&self) -> &'static str {
    match self {
-      BrowserType::Chromium => "chromium",
-      BrowserType::Firefox => "firefox",
-      BrowserType::FirefoxDeveloper => "firefox-developer",
-      BrowserType::Brave => "brave",
-      BrowserType::Zen => "zen",
      BrowserType::Camoufox => "camoufox",
      BrowserType::Wayfern => "wayfern",
    }
@@ -37,11 +27,6 @@ impl BrowserType {

  pub fn from_str(s: &str) -> Result<Self, String> {
    match s {
-      "chromium" => Ok(BrowserType::Chromium),
-      "firefox" => Ok(BrowserType::Firefox),
-      "firefox-developer" => Ok(BrowserType::FirefoxDeveloper),
-      "brave" => Ok(BrowserType::Brave),
-      "zen" => Ok(BrowserType::Zen),
      "camoufox" => Ok(BrowserType::Camoufox),
      "wayfern" => Ok(BrowserType::Wayfern),
      _ => Err(format!("Unknown browser type: {s}")),
@@ -49,6 +34,7 @@ impl BrowserType {
  }
 }

+#[allow(dead_code)]
 pub trait Browser: Send + Sync {
  fn get_executable_path(&self, install_dir: &Path) -> Result<PathBuf, Box<dyn std::error::Error>>;
  fn create_launch_args(
@@ -88,10 +74,7 @@ mod macos {
      .filter(|entry| {
        let binding = entry.file_name();
        let name = binding.to_string_lossy();
-        name.starts_with("firefox")
-          || name.starts_with("zen")
-          || name.starts_with("camoufox")
-          || name.contains("Browser")
+        name.starts_with("firefox") || name.starts_with("camoufox") || name.contains("Browser")
      })
      .map(|entry| entry.path())
      .collect();
@@ -200,34 +183,6 @@ mod macos {
    Ok(executable_path)
  }

-  pub fn get_chromium_executable_path(
-    install_dir: &Path,
-  ) -> Result<PathBuf, Box<dyn std::error::Error>> {
-    // Find the .app directory
-    let app_path = std::fs::read_dir(install_dir)?
-      .filter_map(Result::ok)
-      .find(|entry| entry.path().extension().is_some_and(|ext| ext == "app"))
-      .ok_or("Browser app not found")?;
-
-    // Construct the browser executable path
-    let mut executable_dir = app_path.path();
-    executable_dir.push("Contents");
-    executable_dir.push("MacOS");
-
-    // Find the first executable in the MacOS directory
-    let executable_path = std::fs::read_dir(&executable_dir)?
-      .filter_map(Result::ok)
-      .find(|entry| {
-        let binding = entry.file_name();
-        let name = binding.to_string_lossy();
-        name.contains("Chromium") || name.contains("Brave") || name.contains("Google Chrome")
-      })
-      .map(|entry| entry.path())
-      .ok_or("No executable found in MacOS directory")?;
-
-    Ok(executable_path)
-  }
-
  pub fn get_wayfern_executable_path(
    install_dir: &Path,
  ) -> Result<PathBuf, Box<dyn std::error::Error>> {
@@ -281,18 +236,7 @@ mod macos {
    false
  }

-  pub fn is_chromium_version_downloaded(install_dir: &Path) -> bool {
-    // On macOS, check for .app files
-    if let Ok(entries) = std::fs::read_dir(install_dir) {
-      for entry in entries.flatten() {
-        if entry.path().extension().is_some_and(|ext| ext == "app") {
-          return true;
-        }
-      }
-    }
-    false
-  }
-
+  #[allow(dead_code)]
  pub fn prepare_executable(_executable_path: &Path) -> Result<(), Box<dyn std::error::Error>> {
    // On macOS, no special preparation needed
    Ok(())
@@ -312,24 +256,10 @@ mod linux {
    // - Firefox/Firefox Developer on Linux often extract to: install_dir/firefox/firefox
    // - Some archives may extract directly under: install_dir/firefox or install_dir/firefox-bin
    // - For some flavors we may have: install_dir/<browser_type>/<binary>
-    let browser_subdir = install_dir.join(browser_type.as_str());
+    let _browser_subdir = install_dir.join(browser_type.as_str());

    // Try common firefox executable locations (nested and flat)
    let possible_executables = match browser_type {
-      BrowserType::Firefox | BrowserType::FirefoxDeveloper => vec![
-        // Nested "firefox/firefox" or "firefox/firefox-bin"
-        install_dir.join("firefox").join("firefox"),
-        install_dir.join("firefox").join("firefox-bin"),
-        // Flat under version directory
-        install_dir.join("firefox"),
-        install_dir.join("firefox-bin"),
-        // Under a subdirectory matching the browser type
-        browser_subdir.join("firefox"),
-        browser_subdir.join("firefox-bin"),
-      ],
-      BrowserType::Zen => {
-        vec![browser_subdir.join("zen"), browser_subdir.join("zen-bin")]
-      }
      BrowserType::Camoufox => {
        vec![
          install_dir.join("camoufox-bin"),
@@ -360,36 +290,10 @@ mod linux {
    browser_type: &BrowserType,
  ) -> Result<PathBuf, Box<dyn std::error::Error>> {
    let possible_executables = match browser_type {
-      BrowserType::Chromium => vec![
-        // Direct paths (for manual installations)
-        install_dir.join("chromium"),
-        install_dir.join("chrome"),
-        install_dir.join("chromium-browser"),
-        // Subdirectory paths (for downloaded archives)
-        install_dir.join("chrome-linux").join("chrome"),
-        install_dir.join("chrome-linux").join("chromium"),
-        install_dir.join("chromium").join("chromium"),
-        install_dir.join("chromium").join("chrome"),
-        // Binary subdirectory
-        install_dir.join("bin").join("chromium"),
-        install_dir.join("bin").join("chrome"),
-      ],
-      BrowserType::Brave => vec![
-        install_dir.join("brave"),
-        install_dir.join("brave-browser"),
-        install_dir.join("brave-browser-nightly"),
-        install_dir.join("brave-browser-beta"),
-        // Subdirectory paths
-        install_dir.join("brave").join("brave"),
-        install_dir.join("brave-browser").join("brave"),
-        install_dir.join("bin").join("brave"),
-      ],
      BrowserType::Wayfern => vec![
-        // Wayfern extracts to a directory with chromium executable
        install_dir.join("chromium"),
        install_dir.join("chrome"),
        install_dir.join("wayfern"),
-        // Subdirectory paths (tar.xz may extract to a subdirectory)
        install_dir.join("wayfern").join("chromium"),
        install_dir.join("wayfern").join("chrome"),
        install_dir.join("chrome-linux").join("chrome"),
@@ -418,22 +322,9 @@ mod linux {
    //   install_dir/<browser>/<binary>
    // However, Firefox Developer tarballs often extract to a "firefox" subfolder
    // rather than "firefox-developer". Support both layouts.
-    let browser_subdir = install_dir.join(browser_type.as_str());
+    let _browser_subdir = install_dir.join(browser_type.as_str());

    let possible_executables = match browser_type {
-      BrowserType::Firefox | BrowserType::FirefoxDeveloper => {
-        vec![
-          // Preferred: executable inside a subdirectory named after the browser type
-          browser_subdir.join("firefox-bin"),
-          browser_subdir.join("firefox"),
-          // Fallback: executable inside a generic "firefox" subdirectory
-          install_dir.join("firefox").join("firefox-bin"),
-          install_dir.join("firefox").join("firefox"),
-        ]
-      }
-      BrowserType::Zen => {
-        vec![browser_subdir.join("zen"), browser_subdir.join("zen-bin")]
-      }
      BrowserType::Camoufox => {
        vec![
          install_dir.join("camoufox-bin"),
@@ -454,36 +345,10 @@ mod linux {

  pub fn is_chromium_version_downloaded(install_dir: &Path, browser_type: &BrowserType) -> bool {
    let possible_executables = match browser_type {
-      BrowserType::Chromium => vec![
-        // Direct paths (for manual installations)
-        install_dir.join("chromium"),
-        install_dir.join("chrome"),
-        install_dir.join("chromium-browser"),
-        // Subdirectory paths (for downloaded archives)
-        install_dir.join("chrome-linux").join("chrome"),
-        install_dir.join("chrome-linux").join("chromium"),
-        install_dir.join("chromium").join("chromium"),
-        install_dir.join("chromium").join("chrome"),
-        // Binary subdirectory
-        install_dir.join("bin").join("chromium"),
-        install_dir.join("bin").join("chrome"),
-      ],
-      BrowserType::Brave => vec![
-        install_dir.join("brave"),
-        install_dir.join("brave-browser"),
-        install_dir.join("brave-browser-nightly"),
-        install_dir.join("brave-browser-beta"),
-        // Subdirectory paths
-        install_dir.join("brave").join("brave"),
-        install_dir.join("brave-browser").join("brave"),
-        install_dir.join("bin").join("brave"),
-      ],
      BrowserType::Wayfern => vec![
-        // Wayfern extracts to a directory with chromium executable
        install_dir.join("chromium"),
        install_dir.join("chrome"),
        install_dir.join("wayfern"),
-        // Subdirectory paths
        install_dir.join("wayfern").join("chromium"),
        install_dir.join("wayfern").join("chrome"),
        install_dir.join("chrome-linux").join("chrome"),
@@ -500,6 +365,7 @@ mod linux {
    false
  }

+  #[allow(dead_code)]
  pub fn prepare_executable(executable_path: &Path) -> Result<(), Box<dyn std::error::Error>> {
    // On Linux, ensure the executable has proper permissions
    log::info!("Setting execute permissions for: {:?}", executable_path);
@@ -546,11 +412,12 @@ mod windows {
      for entry in entries.flatten() {
        let path = entry.path();
        if path.extension().is_some_and(|ext| ext == "exe") {
-          let name = path.file_stem().unwrap_or_default().to_string_lossy();
-          if name.starts_with("firefox")
-            || name.starts_with("zen")
-            || name.starts_with("camoufox")
-            || name.contains("browser")
+          let name = path
+            .file_stem()
+            .unwrap_or_default()
+            .to_string_lossy()
+            .to_lowercase();
+          if name.starts_with("firefox") || name.starts_with("camoufox") || name.contains("browser")
          {
            return Ok(path);
          }
@@ -567,30 +434,11 @@ mod windows {
  ) -> Result<PathBuf, Box<dyn std::error::Error>> {
    // On Windows, look for .exe files
    let possible_paths = match browser_type {
-      BrowserType::Chromium => vec![
-        install_dir.join("chromium.exe"),
-        install_dir.join("chrome.exe"),
-        install_dir.join("chromium-browser.exe"),
-        install_dir.join("bin").join("chromium.exe"),
-        // Common archive extraction patterns
-        install_dir.join("chrome-win").join("chrome.exe"),
-        install_dir.join("chromium").join("chromium.exe"),
-        install_dir.join("chromium").join("chrome.exe"),
-      ],
-      BrowserType::Brave => vec![
-        install_dir.join("brave.exe"),
-        install_dir.join("brave-browser.exe"),
-        install_dir.join("bin").join("brave.exe"),
-        // Subdirectory patterns
-        install_dir.join("brave").join("brave.exe"),
-        install_dir.join("brave-browser").join("brave.exe"),
-      ],
      BrowserType::Wayfern => vec![
        install_dir.join("chromium.exe"),
        install_dir.join("chrome.exe"),
        install_dir.join("wayfern.exe"),
        install_dir.join("bin").join("chromium.exe"),
-        // Subdirectory patterns
        install_dir.join("wayfern").join("chromium.exe"),
        install_dir.join("wayfern").join("chrome.exe"),
        install_dir.join("chrome-win").join("chrome.exe"),
@@ -608,20 +456,20 @@ mod windows {
    if let Ok(entries) = std::fs::read_dir(install_dir) {
      for entry in entries.flatten() {
        let path = entry.path();
-        if path.extension().is_some_and(|ext| ext == "exe") {
-          let name = path.file_stem().unwrap_or_default().to_string_lossy();
-          if name.contains("chromium")
-            || name.contains("brave")
-            || name.contains("chrome")
-            || name.contains("wayfern")
-          {
+        if path.extension().is_some_and(|ext| ext == "exe") && is_pe_executable(&path) {
+          let name = path
+            .file_stem()
+            .unwrap_or_default()
+            .to_string_lossy()
+            .to_lowercase();
+          if name.contains("chromium") || name.contains("chrome") || name.contains("wayfern") {
            return Ok(path);
          }
        }
      }
    }

-    Err("Chromium/Brave/Wayfern executable not found in Windows installation directory".into())
+    Err("Chromium/Wayfern executable not found in Windows installation directory".into())
  }

  pub fn is_firefox_version_downloaded(install_dir: &Path) -> bool {
@@ -644,11 +492,12 @@ mod windows {
        let path = entry.path();

        if path.extension().is_some_and(|ext| ext == "exe") {
-          let name = path.file_stem().unwrap_or_default().to_string_lossy();
-          if name.starts_with("firefox")
-            || name.starts_with("zen")
-            || name.starts_with("camoufox")
-            || name.contains("browser")
+          let name = path
+            .file_stem()
+            .unwrap_or_default()
+            .to_string_lossy()
+            .to_lowercase();
+          if name.starts_with("firefox") || name.starts_with("camoufox") || name.contains("browser")
          {
            return true;
          }
@@ -662,30 +511,11 @@ mod windows {
  pub fn is_chromium_version_downloaded(install_dir: &Path, browser_type: &BrowserType) -> bool {
    // On Windows, check for .exe files
    let possible_executables = match browser_type {
-      BrowserType::Chromium => vec![
-        install_dir.join("chromium.exe"),
-        install_dir.join("chrome.exe"),
-        install_dir.join("chromium-browser.exe"),
-        install_dir.join("bin").join("chromium.exe"),
-        // Common archive extraction patterns
-        install_dir.join("chrome-win").join("chrome.exe"),
-        install_dir.join("chromium").join("chromium.exe"),
-        install_dir.join("chromium").join("chrome.exe"),
-      ],
-      BrowserType::Brave => vec![
-        install_dir.join("brave.exe"),
-        install_dir.join("brave-browser.exe"),
-        install_dir.join("bin").join("brave.exe"),
-        // Subdirectory patterns
-        install_dir.join("brave").join("brave.exe"),
-        install_dir.join("brave-browser").join("brave.exe"),
-      ],
      BrowserType::Wayfern => vec![
        install_dir.join("chromium.exe"),
        install_dir.join("chrome.exe"),
        install_dir.join("wayfern.exe"),
        install_dir.join("bin").join("chromium.exe"),
-        // Subdirectory patterns
        install_dir.join("wayfern").join("chromium.exe"),
        install_dir.join("wayfern").join("chrome.exe"),
        install_dir.join("chrome-win").join("chrome.exe"),
@@ -704,13 +534,13 @@ mod windows {
      for entry in entries.flatten() {
        let path = entry.path();

-        if path.extension().is_some_and(|ext| ext == "exe") {
-          let name = path.file_stem().unwrap_or_default().to_string_lossy();
-          if name.contains("chromium")
-            || name.contains("brave")
-            || name.contains("chrome")
-            || name.contains("wayfern")
-          {
+        if path.extension().is_some_and(|ext| ext == "exe") && is_pe_executable(&path) {
+          let name = path
+            .file_stem()
+            .unwrap_or_default()
+            .to_string_lossy()
+            .to_lowercase();
+          if name.contains("chromium") || name.contains("chrome") || name.contains("wayfern") {
            return true;
          }
        }
@@ -720,236 +550,13 @@ mod windows {
    false
  }

+  #[allow(dead_code)]
  pub fn prepare_executable(_executable_path: &Path) -> Result<(), Box<dyn std::error::Error>> {
    // On Windows, no special preparation needed
    Ok(())
  }
 }

-pub struct FirefoxBrowser {
-  browser_type: BrowserType,
-}
-
-impl FirefoxBrowser {
-  pub fn new(browser_type: BrowserType) -> Self {
-    Self { browser_type }
-  }
-}
-
-impl Browser for FirefoxBrowser {
-  fn get_executable_path(&self, install_dir: &Path) -> Result<PathBuf, Box<dyn std::error::Error>> {
-    #[cfg(target_os = "macos")]
-    return macos::get_firefox_executable_path(install_dir);
-
-    #[cfg(target_os = "linux")]
-    return linux::get_firefox_executable_path(install_dir, &self.browser_type);
-
-    #[cfg(target_os = "windows")]
-    return windows::get_firefox_executable_path(install_dir);
-
-    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
-    Err("Unsupported platform".into())
-  }
-
-  fn create_launch_args(
-    &self,
-    profile_path: &str,
-    _proxy_settings: Option<&ProxySettings>,
-    url: Option<String>,
-    remote_debugging_port: Option<u16>,
-    headless: bool,
-  ) -> Result<Vec<String>, Box<dyn std::error::Error>> {
-    let mut args = vec!["-profile".to_string(), profile_path.to_string()];
-
-    // Add remote debugging if requested
-    if let Some(port) = remote_debugging_port {
-      args.push("--start-debugger-server".to_string());
-      args.push(port.to_string());
-    }
-
-    // Add headless mode if requested
-    if headless {
-      args.push("--headless".to_string());
-    }
-
-    // Use -no-remote when remote debugging to avoid conflicts with existing instances
-    if remote_debugging_port.is_some() {
-      args.push("-no-remote".to_string());
-    }
-
-    // Firefox-based browsers use profile directory and user.js for proxy configuration
-    if let Some(url) = url {
-      args.push(url);
-    }
-
-    Ok(args)
-  }
-
-  fn is_version_downloaded(&self, version: &str, binaries_dir: &Path) -> bool {
-    // Expected structure: binaries/<browser>/<version>
-    let browser_dir = binaries_dir.join(self.browser_type.as_str()).join(version);
-
-    log::info!("Firefox browser checking version {version} in directory: {browser_dir:?}");
-
-    if !browser_dir.exists() {
-      log::info!("Directory does not exist: {browser_dir:?}");
-      return false;
-    }
-
-    log::info!("Directory exists, checking for browser files...");
-
-    #[cfg(target_os = "macos")]
-    return macos::is_firefox_version_downloaded(&browser_dir);
-
-    #[cfg(target_os = "linux")]
-    return linux::is_firefox_version_downloaded(&browser_dir, &self.browser_type);
-
-    #[cfg(target_os = "windows")]
-    return windows::is_firefox_version_downloaded(&browser_dir);
-
-    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
-    {
-      log::info!("Unsupported platform for browser verification");
-      false
-    }
-  }
-
-  fn prepare_executable(&self, executable_path: &Path) -> Result<(), Box<dyn std::error::Error>> {
-    #[cfg(target_os = "macos")]
-    return macos::prepare_executable(executable_path);
-
-    #[cfg(target_os = "linux")]
-    return linux::prepare_executable(executable_path);
-
-    #[cfg(target_os = "windows")]
-    return windows::prepare_executable(executable_path);
-
-    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
-    Err("Unsupported platform".into())
-  }
-}
-
-// Chromium-based browsers (Chromium, Brave)
-pub struct ChromiumBrowser {
-  #[allow(dead_code)]
-  browser_type: BrowserType,
-}
-
-impl ChromiumBrowser {
-  pub fn new(browser_type: BrowserType) -> Self {
-    Self { browser_type }
-  }
-}
-
-impl Browser for ChromiumBrowser {
-  fn get_executable_path(&self, install_dir: &Path) -> Result<PathBuf, Box<dyn std::error::Error>> {
-    #[cfg(target_os = "macos")]
-    return macos::get_chromium_executable_path(install_dir);
-
-    #[cfg(target_os = "linux")]
-    return linux::get_chromium_executable_path(install_dir, &self.browser_type);
-
-    #[cfg(target_os = "windows")]
-    return windows::get_chromium_executable_path(install_dir, &self.browser_type);
-
-    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
-    Err("Unsupported platform".into())
-  }
-
-  fn create_launch_args(
-    &self,
-    profile_path: &str,
-    proxy_settings: Option<&ProxySettings>,
-    url: Option<String>,
-    remote_debugging_port: Option<u16>,
-    headless: bool,
-  ) -> Result<Vec<String>, Box<dyn std::error::Error>> {
-    let mut args = vec![
-      format!("--user-data-dir={}", profile_path),
-      "--no-default-browser-check".to_string(),
-      "--disable-background-mode".to_string(),
-      "--disable-component-update".to_string(),
-      "--disable-background-timer-throttling".to_string(),
-      "--crash-server-url=".to_string(),
-      "--disable-updater".to_string(),
-      // Disable quit confirmation and session restore prompts
-      "--disable-session-crashed-bubble".to_string(),
-      "--hide-crash-restore-bubble".to_string(),
-      "--disable-infobars".to_string(),
-      // Disable QUIC/HTTP3 to ensure traffic goes through HTTP proxy
-      "--disable-quic".to_string(),
-    ];
-
-    // Add remote debugging if requested
-    if let Some(port) = remote_debugging_port {
-      args.push("--remote-debugging-address=0.0.0.0".to_string());
-      args.push(format!("--remote-debugging-port={port}"));
-    }
-
-    // Add headless mode if requested
-    if headless {
-      args.push("--headless".to_string());
-    }
-
-    // Add proxy configuration if provided
-    if let Some(proxy) = proxy_settings {
-      args.push(format!(
-        "--proxy-server=http://{}:{}",
-        proxy.host, proxy.port
-      ));
-    }
-
-    if let Some(url) = url {
-      args.push(url);
-    }
-
-    Ok(args)
-  }
-
-  fn is_version_downloaded(&self, version: &str, binaries_dir: &Path) -> bool {
-    // Expected structure: binaries/<browser>/<version>
-    let browser_dir = binaries_dir.join(self.browser_type.as_str()).join(version);
-
-    log::info!("Chromium browser checking version {version} in directory: {browser_dir:?}");
-
-    if !browser_dir.exists() {
-      log::info!("Directory does not exist: {browser_dir:?}");
-      return false;
-    }
-
-    log::info!("Directory exists, checking for browser files...");
-
-    #[cfg(target_os = "macos")]
-    return macos::is_chromium_version_downloaded(&browser_dir);
-
-    #[cfg(target_os = "linux")]
-    return linux::is_chromium_version_downloaded(&browser_dir, &self.browser_type);
-
-    #[cfg(target_os = "windows")]
-    return windows::is_chromium_version_downloaded(&browser_dir, &self.browser_type);
-
-    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
-    {
-      log::info!("Unsupported platform for browser verification");
-      false
-    }
-  }
-
-  fn prepare_executable(&self, executable_path: &Path) -> Result<(), Box<dyn std::error::Error>> {
-    #[cfg(target_os = "macos")]
-    return macos::prepare_executable(executable_path);
-
-    #[cfg(target_os = "linux")]
-    return linux::prepare_executable(executable_path);
-
-    #[cfg(target_os = "windows")]
-    return windows::prepare_executable(executable_path);
-
-    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
-    Err("Unsupported platform".into())
-  }
-}
-
 pub struct CamoufoxBrowser;

 impl CamoufoxBrowser {
@@ -1159,16 +766,28 @@ impl BrowserFactory {

  pub fn create_browser(&self, browser_type: BrowserType) -> Box<dyn Browser> {
    match browser_type {
-      BrowserType::Firefox | BrowserType::FirefoxDeveloper | BrowserType::Zen => {
-        Box::new(FirefoxBrowser::new(browser_type))
-      }
-      BrowserType::Chromium | BrowserType::Brave => Box::new(ChromiumBrowser::new(browser_type)),
      BrowserType::Camoufox => Box::new(CamoufoxBrowser::new()),
      BrowserType::Wayfern => Box::new(WayfernBrowser::new()),
    }
  }
 }

+/// Check if a file is a valid PE executable by reading its magic bytes (MZ).
+/// Returns false for archive files (.zip starts with PK, etc.) that were
+/// incorrectly named with a .exe extension.
+#[cfg(target_os = "windows")]
+fn is_pe_executable(path: &Path) -> bool {
+  use std::io::Read;
+  let Ok(mut file) = std::fs::File::open(path) else {
+    return false;
+  };
+  let mut magic = [0u8; 2];
+  if file.read_exact(&mut magic).is_err() {
+    return false;
+  }
+  magic == [0x4D, 0x5A] // MZ
+}
+
 // Factory function to create browser instances (kept for backward compatibility)
 pub fn create_browser(browser_type: BrowserType) -> Box<dyn Browser> {
  BrowserFactory::instance().create_browser(browser_type)
@@ -1240,35 +859,10 @@ mod tests {
  #[test]
  fn test_browser_type_conversions() {
    // Test as_str
-    assert_eq!(BrowserType::Firefox.as_str(), "firefox");
-    assert_eq!(BrowserType::FirefoxDeveloper.as_str(), "firefox-developer");
-    assert_eq!(BrowserType::Chromium.as_str(), "chromium");
-    assert_eq!(BrowserType::Brave.as_str(), "brave");
-    assert_eq!(BrowserType::Zen.as_str(), "zen");
    assert_eq!(BrowserType::Camoufox.as_str(), "camoufox");
    assert_eq!(BrowserType::Wayfern.as_str(), "wayfern");

-    // Test from_str - use expect with descriptive messages instead of unwrap
-    assert_eq!(
-      BrowserType::from_str("firefox").expect("firefox should be valid"),
-      BrowserType::Firefox
-    );
-    assert_eq!(
-      BrowserType::from_str("firefox-developer").expect("firefox-developer should be valid"),
-      BrowserType::FirefoxDeveloper
-    );
-    assert_eq!(
-      BrowserType::from_str("chromium").expect("chromium should be valid"),
-      BrowserType::Chromium
-    );
-    assert_eq!(
-      BrowserType::from_str("brave").expect("brave should be valid"),
-      BrowserType::Brave
-    );
-    assert_eq!(
-      BrowserType::from_str("zen").expect("zen should be valid"),
-      BrowserType::Zen
-    );
+    // Test from_str
    assert_eq!(
      BrowserType::from_str("camoufox").expect("camoufox should be valid"),
      BrowserType::Camoufox
@@ -1288,25 +882,25 @@ mod tests {
    let empty_result = BrowserType::from_str("");
    assert!(empty_result.is_err(), "Empty string should return error");

-    let case_sensitive_result = BrowserType::from_str("Firefox");
    assert!(
-      case_sensitive_result.is_err(),
-      "Case sensitive check should fail"
+      BrowserType::from_str("firefox").is_err(),
+      "Removed browser types should return error"
+    );
+    assert!(
+      BrowserType::from_str("chromium").is_err(),
+      "Removed browser types should return error"
    );
  }

  #[test]
-  fn test_firefox_launch_args() {
-    // Test regular Firefox (should not use -no-remote for normal launch)
-    let browser = FirefoxBrowser::new(BrowserType::Firefox);
+  fn test_camoufox_launch_args() {
+    let browser = CamoufoxBrowser::new();
    let args = browser
      .create_launch_args("/path/to/profile", None, None, None, false)
-      .expect("Failed to create launch args for Firefox");
-    assert_eq!(args, vec!["-profile", "/path/to/profile"]);
-    assert!(
-      !args.contains(&"-no-remote".to_string()),
-      "Firefox should not use -no-remote for normal launch"
-    );
+      .expect("Failed to create launch args for Camoufox");
+    assert!(args.contains(&"-profile".to_string()));
+    assert!(args.contains(&"/path/to/profile".to_string()));
+    assert!(args.contains(&"-no-remote".to_string()));

    let args = browser
      .create_launch_args(
@@ -1316,40 +910,20 @@ mod tests {
        None,
        false,
      )
-      .expect("Failed to create launch args for Firefox with URL");
-    assert_eq!(
-      args,
-      vec!["-profile", "/path/to/profile", "https://example.com"]
-    );
+      .expect("Failed to create launch args for Camoufox with URL");
+    assert!(args.contains(&"https://example.com".to_string()));

-    // Test Firefox with remote debugging (should use -no-remote)
+    // Test with remote debugging
    let args = browser
      .create_launch_args("/path/to/profile", None, None, Some(9222), false)
-      .expect("Failed to create launch args for Firefox with remote debugging");
-    assert!(
-      args.contains(&"-no-remote".to_string()),
-      "Firefox should use -no-remote for remote debugging"
-    );
-    assert!(
-      args.contains(&"--start-debugger-server".to_string()),
-      "Firefox should include debugger server arg"
-    );
-    assert!(
-      args.contains(&"9222".to_string()),
-      "Firefox should include debugging port"
-    );
-
-    // Test Zen Browser (no special flags without remote debugging)
-    let browser = FirefoxBrowser::new(BrowserType::Zen);
-    let args = browser
-      .create_launch_args("/path/to/profile", None, None, None, false)
-      .expect("Failed to create launch args for Zen Browser");
-    assert_eq!(args, vec!["-profile", "/path/to/profile"]);
+      .expect("Failed to create launch args for Camoufox with remote debugging");
+    assert!(args.contains(&"--start-debugger-server".to_string()));
+    assert!(args.contains(&"9222".to_string()));

    // Test headless mode
    let args = browser
      .create_launch_args("/path/to/profile", None, None, None, true)
-      .expect("Failed to create launch args for Zen Browser headless");
+      .expect("Failed to create launch args for Camoufox headless");
    assert!(
      args.contains(&"--headless".to_string()),
      "Browser should include headless flag when requested"
@@ -1357,30 +931,27 @@ mod tests {
  }

  #[test]
-  fn test_chromium_launch_args() {
-    let browser = ChromiumBrowser::new(BrowserType::Chromium);
+  fn test_wayfern_launch_args() {
+    let browser = WayfernBrowser::new();
    let args = browser
      .create_launch_args("/path/to/profile", None, None, None, false)
-      .expect("Failed to create launch args for Chromium");
+      .expect("Failed to create launch args for Wayfern");

-    // Test that basic required arguments are present
    assert!(
      args.contains(&"--user-data-dir=/path/to/profile".to_string()),
-      "Chromium args should contain user-data-dir"
+      "Wayfern args should contain user-data-dir"
    );
    assert!(
      args.contains(&"--no-default-browser-check".to_string()),
-      "Chromium args should contain no-default-browser-check"
+      "Wayfern args should contain no-default-browser-check"
    );
-
-    // Test that automatic update disabling arguments are present
    assert!(
      args.contains(&"--disable-background-mode".to_string()),
-      "Chromium args should contain disable-background-mode"
+      "Wayfern args should contain disable-background-mode"
    );
    assert!(
      args.contains(&"--disable-component-update".to_string()),
-      "Chromium args should contain disable-component-update"
+      "Wayfern args should contain disable-component-update"
    );

    let args_with_url = browser
@@ -1391,13 +962,11 @@ mod tests {
        None,
        false,
      )
-      .expect("Failed to create launch args for Chromium with URL");
+      .expect("Failed to create launch args for Wayfern with URL");
    assert!(
      args_with_url.contains(&"https://example.com".to_string()),
-      "Chromium args should contain the URL"
+      "Wayfern args should contain the URL"
    );
-
-    // Verify URL is at the end
    assert_eq!(
      args_with_url.last().expect("Args should not be empty"),
      "https://example.com"
@@ -1406,23 +975,19 @@ mod tests {
    // Test remote debugging
    let args_with_debug = browser
      .create_launch_args("/path/to/profile", None, None, Some(9222), false)
-      .expect("Failed to create launch args for Chromium with remote debugging");
+      .expect("Failed to create launch args for Wayfern with remote debugging");
    assert!(
      args_with_debug.contains(&"--remote-debugging-port=9222".to_string()),
-      "Chromium args should contain remote debugging port"
-    );
-    assert!(
-      args_with_debug.contains(&"--remote-debugging-address=0.0.0.0".to_string()),
-      "Chromium args should contain remote debugging address"
+      "Wayfern args should contain remote debugging port"
    );

    // Test headless mode
    let args_headless = browser
      .create_launch_args("/path/to/profile", None, None, None, true)
-      .expect("Failed to create launch args for Chromium headless");
+      .expect("Failed to create launch args for Wayfern headless");
    assert!(
-      args_headless.contains(&"--headless".to_string()),
-      "Chromium args should contain headless flag when requested"
+      args_headless.contains(&"--headless=new".to_string()),
+      "Wayfern args should contain headless flag when requested"
    );
  }

@@ -1459,26 +1024,21 @@ mod tests {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");
    let binaries_dir = temp_dir.path();

-    // Create a mock Firefox browser installation with new path structure: binaries/<browser>/<version>/
-    let browser_dir = binaries_dir.join("firefox").join("139.0");
+    // Create a mock Camoufox browser installation
+    let browser_dir = binaries_dir.join("camoufox").join("135.0.1");
    fs::create_dir_all(&browser_dir).expect("Failed to create browser directory");

    #[cfg(target_os = "macos")]
    {
-      // Create a mock .app directory for macOS
-      let app_dir = browser_dir.join("Firefox.app");
-      fs::create_dir_all(&app_dir).expect("Failed to create Firefox.app directory");
+      let app_dir = browser_dir.join("Camoufox.app");
+      fs::create_dir_all(&app_dir).expect("Failed to create Camoufox.app directory");
    }

    #[cfg(target_os = "linux")]
    {
-      // Create a mock firefox subdirectory and executable for Linux
-      let firefox_subdir = browser_dir.join("firefox");
-      fs::create_dir_all(&firefox_subdir).expect("Failed to create firefox subdirectory");
-      let executable_path = firefox_subdir.join("firefox");
+      let executable_path = browser_dir.join("camoufox");
      fs::write(&executable_path, "mock executable").expect("Failed to write mock executable");

-      // Set executable permissions on Linux
      use std::os::unix::fs::PermissionsExt;
      let mut permissions = executable_path
        .metadata()
@@ -1491,67 +1051,62 @@ mod tests {

    #[cfg(target_os = "windows")]
    {
-      // Create a mock firefox.exe for Windows
      let executable_path = browser_dir.join("firefox.exe");
      fs::write(&executable_path, "mock executable").expect("Failed to write mock executable");
    }

-    let browser = FirefoxBrowser::new(BrowserType::Firefox);
-    assert!(browser.is_version_downloaded("139.0", binaries_dir));
-    assert!(!browser.is_version_downloaded("140.0", binaries_dir));
+    let browser = CamoufoxBrowser::new();
+    assert!(browser.is_version_downloaded("135.0.1", binaries_dir));
+    assert!(!browser.is_version_downloaded("999.0", binaries_dir));

-    // Test with Chromium browser with new path structure
-    let chromium_dir = binaries_dir.join("chromium").join("1465660");
-    fs::create_dir_all(&chromium_dir).expect("Failed to create chromium directory");
+    // Test with Wayfern browser
+    let wayfern_dir = binaries_dir.join("wayfern").join("1.0.0");
+    fs::create_dir_all(&wayfern_dir).expect("Failed to create wayfern directory");

    #[cfg(target_os = "macos")]
    {
-      let chromium_app_dir = chromium_dir.join("Chromium.app");
-      fs::create_dir_all(chromium_app_dir.join("Contents").join("MacOS"))
+      let wayfern_app_dir = wayfern_dir.join("Chromium.app");
+      fs::create_dir_all(wayfern_app_dir.join("Contents").join("MacOS"))
        .expect("Failed to create Chromium.app structure");

-      // Create a mock executable
-      let executable_path = chromium_app_dir
+      let executable_path = wayfern_app_dir
        .join("Contents")
        .join("MacOS")
        .join("Chromium");
      fs::write(&executable_path, "mock executable")
-        .expect("Failed to write mock Chromium executable");
+        .expect("Failed to write mock Wayfern executable");
    }

    #[cfg(target_os = "linux")]
    {
-      // Create a mock chromium executable for Linux
-      let executable_path = chromium_dir.join("chromium");
+      let executable_path = wayfern_dir.join("chromium");
      fs::write(&executable_path, "mock executable")
-        .expect("Failed to write mock chromium executable");
+        .expect("Failed to write mock wayfern executable");

-      // Set executable permissions on Linux
      use std::os::unix::fs::PermissionsExt;
      let mut permissions = executable_path
        .metadata()
-        .expect("Failed to get chromium metadata")
+        .expect("Failed to get wayfern metadata")
        .permissions();
      permissions.set_mode(0o755);
      fs::set_permissions(&executable_path, permissions)
-        .expect("Failed to set chromium permissions");
+        .expect("Failed to set wayfern permissions");
    }

    #[cfg(target_os = "windows")]
    {
-      // Create a mock chromium.exe for Windows
-      let executable_path = chromium_dir.join("chromium.exe");
+      let executable_path = wayfern_dir.join("chromium.exe");
      fs::write(&executable_path, "mock executable").expect("Failed to write mock chromium.exe");
    }

-    let chromium_browser = ChromiumBrowser::new(BrowserType::Chromium);
+    let wayfern_browser = WayfernBrowser::new();
    assert!(
-      chromium_browser.is_version_downloaded("1465660", binaries_dir),
-      "Chromium version should be detected as downloaded"
+      wayfern_browser.is_version_downloaded("1.0.0", binaries_dir),
+      "Wayfern version should be detected as downloaded"
    );
    assert!(
-      !chromium_browser.is_version_downloaded("1465661", binaries_dir),
-      "Non-existent Chromium version should not be detected as downloaded"
+      !wayfern_browser.is_version_downloaded("9.9.9", binaries_dir),
+      "Non-existent Wayfern version should not be detected as downloaded"
    );
  }

@@ -1561,28 +1116,28 @@ mod tests {
    let binaries_dir = temp_dir.path();

    // Create browser directory but no proper executable structure
-    let browser_dir = binaries_dir.join("firefox").join("139.0");
+    let browser_dir = binaries_dir.join("camoufox").join("135.0.1");
    fs::create_dir_all(&browser_dir).expect("Failed to create browser directory");

    // Create some other files but no proper executable structure
    fs::write(browser_dir.join("readme.txt"), "Some content").expect("Failed to write readme file");

-    let browser = FirefoxBrowser::new(BrowserType::Firefox);
+    let browser = CamoufoxBrowser::new();
    assert!(
-      !browser.is_version_downloaded("139.0", binaries_dir),
-      "Firefox version should not be detected without proper executable structure"
+      !browser.is_version_downloaded("135.0.1", binaries_dir),
+      "Camoufox version should not be detected without proper executable structure"
    );
  }

  #[test]
  fn test_browser_type_clone_and_debug() {
-    let browser_type = BrowserType::Firefox;
+    let browser_type = BrowserType::Camoufox;
    let cloned = browser_type.clone();
    assert_eq!(browser_type, cloned);

    // Test Debug trait
    let debug_str = format!("{browser_type:?}");
-    assert!(debug_str.contains("Firefox"));
+    assert!(debug_str.contains("Camoufox"));
  }

  #[test]
@@ -685,7 +685,7 @@ impl BrowserVersionManager {
          "macos-arm64" | "macos-x64" => (format!("wayfern-{version}-{platform_key}.dmg"), true),
          "linux-x64" | "linux-arm64" => (format!("wayfern-{version}-{platform_key}.tar.xz"), true),
          "windows-x64" | "windows-arm64" => {
-            (format!("wayfern-{version}-{platform_key}.exe"), false)
+            (format!("wayfern-{version}-{platform_key}.zip"), true)
          }
          _ => {
            return Err(
@@ -2,7 +2,7 @@
 //!
 //! Converts fingerprints to Camoufox configuration format and builds launch options.

-use rand::Rng;
+use rand::RngExt;
 use serde_yaml;
 use std::collections::HashMap;
 use std::path::Path;
@@ -425,8 +425,28 @@ impl CamoufoxConfigBuilder {
  /// Build the complete Camoufox launch configuration with async geolocation support.
  /// This method should be used when geoip option is set to Auto.
  pub async fn build_async(self) -> Result<CamoufoxLaunchConfig, ConfigError> {
-    // Get proxy URL for IP detection if set
-    let proxy_url = self.proxy.as_ref().map(|p| p.server.clone());
+    // Get full proxy URL (with credentials) for IP detection
+    let proxy_url = self.proxy.as_ref().map(|p| {
+      if let (Some(user), Some(pass)) = (&p.username, &p.password) {
+        // Reconstruct URL with credentials: scheme://user:pass@host:port
+        if let Ok(mut parsed) = url::Url::parse(&p.server) {
+          let _ = parsed.set_username(user);
+          let _ = parsed.set_password(Some(pass));
+          parsed.to_string()
+        } else {
+          p.server.clone()
+        }
+      } else if let Some(user) = &p.username {
+        if let Ok(mut parsed) = url::Url::parse(&p.server) {
+          let _ = parsed.set_username(user);
+          parsed.to_string()
+        } else {
+          p.server.clone()
+        }
+      } else {
+        p.server.clone()
+      }
+    });
    let geoip_option = self.geoip.clone();
    let block_webrtc = self.block_webrtc;

@@ -2,7 +2,7 @@
 //!
 //! Implements weighted random sampling from conditional probability distributions.

-use rand::Rng;
+use rand::RngExt;
 use serde::Deserialize;
 use std::collections::HashMap;

@@ -9,7 +9,7 @@ use directories::BaseDirs;
 use maxminddb::{geoip2, Reader};
 use quick_xml::events::Event;
 use quick_xml::Reader as XmlReader;
-use rand::Rng;
+use rand::RngExt;
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::path::PathBuf;
@@ -267,6 +267,7 @@ impl Default for LocaleSelector {
 }

 /// Normalize a locale string to standard format.
+/// Handles formats like "en-US", "zh-Hant-US", "zh-Hans-CN".
 fn normalize_locale(locale: &str) -> Locale {
  let parts: Vec<&str> = locale.split('-').collect();

@@ -275,23 +276,33 @@ fn normalize_locale(locale: &str) -> Locale {
    .map(|s| s.to_lowercase())
    .unwrap_or_else(|| "en".to_string());

-  let region = parts.get(1).map(|s| s.to_uppercase());
+  // A 4-letter part is a script subtag (e.g. "Hant", "Hans", "Cyrl").
+  // A 2-letter or 3-digit part is a region subtag (e.g. "US", "CN").
+  let mut explicit_script: Option<String> = None;
+  let mut region: Option<String> = None;

-  // Determine script based on language if needed
-  let script = match language.as_str() {
-    "zh" => {
-      // Chinese - Traditional for TW/HK, Simplified otherwise
-      if region.as_deref() == Some("TW") || region.as_deref() == Some("HK") {
-        Some("Hant".to_string())
-      } else {
-        Some("Hans".to_string())
+  for part in parts.iter().skip(1) {
+    if part.len() == 4 && part.chars().all(|c| c.is_ascii_alphabetic()) {
+      explicit_script = Some(part[..1].to_uppercase() + &part[1..].to_lowercase());
+    } else {
+      region = Some(part.to_uppercase());
+    }
+  }
+
+  let script = if explicit_script.is_some() {
+    explicit_script
+  } else {
+    match language.as_str() {
+      "zh" => {
+        if region.as_deref() == Some("TW") || region.as_deref() == Some("HK") {
+          Some("Hant".to_string())
+        } else {
+          Some("Hans".to_string())
+        }
      }
+      "sr" => Some("Cyrl".to_string()),
+      _ => None,
    }
-    "sr" => {
-      // Serbian - can be Cyrillic or Latin
-      Some("Cyrl".to_string())
-    }
-    _ => None,
  };

  Locale {
@@ -442,5 +453,16 @@ mod tests {

    let zh_cn = normalize_locale("zh-CN");
    assert_eq!(zh_cn.script, Some("Hans".to_string()));
+
+    // 3-part locale: language-script-region
+    let zh_hant_us = normalize_locale("zh-Hant-US");
+    assert_eq!(zh_hant_us.language, "zh");
+    assert_eq!(zh_hant_us.region, Some("US".to_string()));
+    assert_eq!(zh_hant_us.script, Some("Hant".to_string()));
+
+    let zh_hans_us = normalize_locale("zh-Hans-US");
+    assert_eq!(zh_hans_us.language, "zh");
+    assert_eq!(zh_hans_us.region, Some("US".to_string()));
+    assert_eq!(zh_hans_us.script, Some("Hans".to_string()));
  }
 }
@@ -2,7 +2,7 @@
 //!
 //! Samples realistic WebGL configurations based on OS-specific probability distributions.

-use rand::Rng;
+use rand::RngExt;
 use rusqlite::{Connection, Result as SqliteResult};
 use std::collections::HashMap;
 use std::io::Write;
@@ -1,7 +1,6 @@
 use crate::browser_runner::BrowserRunner;
 use crate::camoufox::{CamoufoxConfigBuilder, GeoIPOption, ScreenConstraints};
 use crate::profile::BrowserProfile;
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::path::PathBuf;
@@ -57,6 +56,7 @@ pub struct CamoufoxLaunchResult {
  #[serde(alias = "profile_path")]
  pub profilePath: Option<String>,
  pub url: Option<String>,
+  pub cdp_port: Option<u16>,
 }

 #[derive(Debug)]
@@ -66,6 +66,7 @@ struct CamoufoxInstance {
  process_id: Option<u32>,
  profile_path: Option<String>,
  url: Option<String>,
+  cdp_port: Option<u16>,
 }

 struct CamoufoxManagerInner {
@@ -74,7 +75,6 @@ struct CamoufoxManagerInner {

 pub struct CamoufoxManager {
  inner: Arc<AsyncMutex<CamoufoxManagerInner>>,
-  base_dirs: BaseDirs,
 }

 impl CamoufoxManager {
@@ -83,7 +83,6 @@ impl CamoufoxManager {
      inner: Arc::new(AsyncMutex::new(CamoufoxManagerInner {
        instances: HashMap::new(),
      })),
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
    }
  }

@@ -91,15 +90,35 @@ impl CamoufoxManager {
    &CAMOUFOX_LAUNCHER
  }

+  async fn find_free_port() -> Result<u16, Box<dyn std::error::Error + Send + Sync>> {
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
+    let port = listener.local_addr()?.port();
+    drop(listener);
+    Ok(port)
+  }
+
+  #[allow(dead_code)]
+  pub async fn get_cdp_port(&self, profile_path: &str) -> Option<u16> {
+    let inner = self.inner.lock().await;
+    let target_path = std::path::Path::new(profile_path)
+      .canonicalize()
+      .unwrap_or_else(|_| std::path::Path::new(profile_path).to_path_buf());
+
+    for instance in inner.instances.values() {
+      if let Some(path) = &instance.profile_path {
+        let instance_path = std::path::Path::new(path)
+          .canonicalize()
+          .unwrap_or_else(|_| std::path::Path::new(path).to_path_buf());
+        if instance_path == target_path {
+          return instance.cdp_port;
+        }
+      }
+    }
+    None
+  }
+
  pub fn get_profiles_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("profiles");
-    path
+    crate::app_dirs::profiles_dir()
  }

  /// Generate Camoufox fingerprint configuration during profile creation
@@ -111,7 +130,15 @@ impl CamoufoxManager {
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    // Get executable path
    let executable_path = if let Some(path) = &config.executable_path {
-      PathBuf::from(path)
+      let p = PathBuf::from(path);
+      if p.exists() {
+        p
+      } else {
+        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
+        BrowserRunner::instance()
+          .get_browser_executable_path(profile)
+          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
+      }
    } else {
      BrowserRunner::instance()
        .get_browser_executable_path(profile)
@@ -204,7 +231,15 @@ impl CamoufoxManager {

    // Get executable path
    let executable_path = if let Some(path) = &config.executable_path {
-      PathBuf::from(path)
+      let p = PathBuf::from(path);
+      if p.exists() {
+        p
+      } else {
+        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
+        BrowserRunner::instance()
+          .get_browser_executable_path(profile)
+          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
+      }
    } else {
      BrowserRunner::instance()
        .get_browser_executable_path(profile)
@@ -233,6 +268,9 @@ impl CamoufoxManager {
        .to_string(),
    ];

+    let cdp_port = Self::find_free_port().await?;
+    args.push(format!("--remote-debugging-port={cdp_port}"));
+
    // Add URL if provided
    if let Some(url) = url {
      args.push("-new-tab".to_string());
@@ -288,6 +326,7 @@ impl CamoufoxManager {
      process_id,
      profile_path: Some(profile_path.to_string()),
      url: url.map(String::from),
+      cdp_port: Some(cdp_port),
    };

    let launch_result = CamoufoxLaunchResult {
@@ -295,6 +334,7 @@ impl CamoufoxManager {
      processId: process_id,
      profilePath: Some(profile_path.to_string()),
      url: url.map(String::from),
+      cdp_port: Some(cdp_port),
    };

    {
@@ -360,8 +400,11 @@ impl CamoufoxManager {

    #[cfg(windows)]
    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
      let result = std::process::Command::new("taskkill")
        .args(["/PID", &pid.to_string(), "/T"])
+        .creation_flags(CREATE_NO_WINDOW)
        .status();

      match result {
@@ -409,6 +452,7 @@ impl CamoufoxManager {
                  processId: instance.process_id,
                  profilePath: instance.profile_path.clone(),
                  url: instance.url.clone(),
+                  cdp_port: instance.cdp_port,
                }));
              }
            }
@@ -419,7 +463,9 @@ impl CamoufoxManager {

    // If not found in in-memory instances, scan system processes
    // This handles the case where the app was restarted but Camoufox is still running
-    if let Some((pid, found_profile_path)) = self.find_camoufox_process_by_profile(&target_path) {
+    if let Some((pid, found_profile_path, cdp_port)) =
+      self.find_camoufox_process_by_profile(&target_path)
+    {
      log::info!(
        "Found running Camoufox process (PID: {}) for profile path via system scan",
        pid
@@ -435,6 +481,7 @@ impl CamoufoxManager {
          process_id: Some(pid),
          profile_path: Some(found_profile_path.clone()),
          url: None,
+          cdp_port,
        },
      );

@@ -443,6 +490,7 @@ impl CamoufoxManager {
        processId: Some(pid),
        profilePath: Some(found_profile_path),
        url: None,
+        cdp_port,
      }));
    }

@@ -453,7 +501,7 @@ impl CamoufoxManager {
  fn find_camoufox_process_by_profile(
    &self,
    target_path: &std::path::Path,
-  ) -> Option<(u32, String)> {
+  ) -> Option<(u32, String, Option<u16>)> {
    use sysinfo::{ProcessRefreshKind, RefreshKind, System};

    let system = System::new_with_specifics(
@@ -478,6 +526,10 @@ impl CamoufoxManager {
        continue;
      }

+      let mut matched = false;
+      let mut found_profile_path = None;
+      let mut cdp_port: Option<u16> = None;
+
      // Check if the command line contains our profile path
      for (i, arg) in cmd.iter().enumerate() {
        if let Some(arg_str) = arg.to_str() {
@@ -489,15 +541,27 @@ impl CamoufoxManager {
                .unwrap_or_else(|_| std::path::Path::new(next_arg).to_path_buf());

              if cmd_path == target_path {
-                return Some((pid.as_u32(), next_arg.to_string()));
+                matched = true;
+                found_profile_path = Some(next_arg.to_string());
              }
            }
          }

          // Also check if the argument contains the profile path directly
-          if arg_str.contains(&*target_path_str) {
-            return Some((pid.as_u32(), target_path_str.to_string()));
+          if !matched && arg_str.contains(&*target_path_str) {
+            matched = true;
+            found_profile_path = Some(target_path_str.to_string());
          }
+
+          if let Some(port_val) = arg_str.strip_prefix("--remote-debugging-port=") {
+            cdp_port = port_val.parse().ok();
+          }
+        }
+      }
+
+      if matched {
+        if let Some(profile_path) = found_profile_path {
+          return Some((pid.as_u32(), profile_path, cdp_port));
        }
      }
    }
@@ -548,9 +612,11 @@ impl CamoufoxManager {
  /// Check if a Camoufox server is running with the given process ID
  async fn is_server_running(&self, process_id: u32) -> bool {
    // Check if the process is still running
-    use sysinfo::{Pid, System};
+    use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};

-    let system = System::new_all();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
    if let Some(process) = system.process(Pid::from(process_id as usize)) {
      // Check if this is actually a Camoufox process by looking at the command line
      let cmd = process.cmd();
@@ -576,10 +642,15 @@ impl CamoufoxManager {
    profile: BrowserProfile,
    config: CamoufoxConfig,
    url: Option<String>,
+    override_profile_path: Option<std::path::PathBuf>,
  ) -> Result<CamoufoxLaunchResult, String> {
    // Get profile path
-    let profiles_dir = self.get_profiles_dir();
-    let profile_path = profile.get_profile_data_path(&profiles_dir);
+    let profile_path = if let Some(ref override_path) = override_profile_path {
+      override_path.clone()
+    } else {
+      let profiles_dir = self.get_profiles_dir();
+      profile.get_profile_data_path(&profiles_dir)
+    };
    let profile_path_str = profile_path.to_string_lossy();

    // Check if there's already a running instance for this profile
@@ -591,6 +662,29 @@ impl CamoufoxManager {
    // Clean up any dead instances before launching
    let _ = self.cleanup_dead_instances().await;

+    // For ephemeral profiles, write Firefox prefs to minimize disk writes
+    if override_profile_path.is_some() {
+      let user_js_path = profile_path.join("user.js");
+      let prefs = concat!(
+        "user_pref(\"browser.cache.disk.enable\", false);\n",
+        "user_pref(\"browser.cache.memory.enable\", true);\n",
+        "user_pref(\"browser.sessionstore.resume_from_crash\", false);\n",
+        "user_pref(\"browser.sessionstore.max_tabs_undo\", 0);\n",
+        "user_pref(\"browser.sessionstore.max_windows_undo\", 0);\n",
+        "user_pref(\"places.history.enabled\", false);\n",
+        "user_pref(\"browser.formfill.enable\", false);\n",
+        "user_pref(\"signon.rememberSignons\", false);\n",
+        "user_pref(\"browser.bookmarks.max_backups\", 0);\n",
+        "user_pref(\"browser.shell.checkDefaultBrowser\", false);\n",
+        "user_pref(\"toolkit.crashreporter.enabled\", false);\n",
+        "user_pref(\"browser.pagethumbnails.capturing_disabled\", true);\n",
+        "user_pref(\"browser.download.manager.addToRecentDocs\", false);\n",
+      );
+      if let Err(e) = std::fs::write(&user_js_path, prefs) {
+        log::warn!("Failed to write ephemeral user.js: {e}");
+      }
+    }
+
    self
      .launch_camoufox(
        &app_handle,
@@ -2,10 +2,117 @@ use crate::profile::manager::ProfileManager;
 use crate::profile::BrowserProfile;
 use rusqlite::{params, Connection};
 use serde::{Deserialize, Serialize};
+use serde_json::Value;
 use std::collections::HashMap;
 use std::path::{Path, PathBuf};
 use tauri::AppHandle;

+/// Chromium cookie encryption/decryption support.
+/// On macOS: uses "Chromium Safe Storage" key from Keychain with PBKDF2 + AES-128-CBC.
+/// On Linux: uses os_crypt_key file from profile directory with PBKDF2 + AES-128-CBC.
+mod chrome_decrypt {
+  use aes::cipher::{block_padding::Pkcs7, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+  use std::path::Path;
+
+  type Aes128CbcDec = cbc::Decryptor<aes::Aes128>;
+  type Aes128CbcEnc = cbc::Encryptor<aes::Aes128>;
+
+  const PBKDF2_ITERATIONS: u32 = 1;
+  const KEY_LEN: usize = 16; // AES-128
+  const SALT: &[u8] = b"saltysalt";
+  const IV: [u8; 16] = [b' '; 16]; // 16 spaces
+
+  fn derive_key(password: &[u8]) -> [u8; KEY_LEN] {
+    let mut key = [0u8; KEY_LEN];
+    pbkdf2::pbkdf2_hmac::<sha1::Sha1>(password, SALT, PBKDF2_ITERATIONS, &mut key);
+    key
+  }
+
+  /// Get the encryption key for Chrome cookies.
+  /// Wayfern stores os_crypt_key as a file inside the profile's user-data-dir on all platforms.
+  /// On macOS/Linux the key is a base64 string used as PBKDF2 password.
+  /// On Windows the key is raw bytes (32 bytes) used directly.
+  pub fn get_encryption_key(profile_data_path: &Path) -> Option<[u8; KEY_LEN]> {
+    let key_file = profile_data_path.join("os_crypt_key");
+    if let Ok(contents) = std::fs::read_to_string(&key_file) {
+      let contents = contents.trim();
+      if !contents.is_empty() {
+        return Some(derive_key(contents.as_bytes()));
+      }
+    }
+
+    // Fallback for macOS: try system Keychain (for profiles created before file-based keys)
+    #[cfg(target_os = "macos")]
+    {
+      let output = std::process::Command::new("security")
+        .args([
+          "find-generic-password",
+          "-w",
+          "-s",
+          "Chromium Safe Storage",
+          "-a",
+          "Chromium",
+        ])
+        .output()
+        .ok()?;
+      if output.status.success() {
+        let password = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !password.is_empty() {
+          return Some(derive_key(password.as_bytes()));
+        }
+      }
+    }
+
+    None
+  }
+
+  /// Decrypt a Chrome encrypted cookie value.
+  /// Chromium prefixes encrypted values with "v10" (macOS) or "v11" (Linux).
+  pub fn decrypt(encrypted: &[u8], key: &[u8; KEY_LEN]) -> Option<String> {
+    if encrypted.len() < 3 {
+      return None;
+    }
+    // Check for v10/v11 prefix
+    let prefix = &encrypted[..3];
+    if prefix != b"v10" && prefix != b"v11" {
+      return None;
+    }
+    let ciphertext = &encrypted[3..];
+    if ciphertext.is_empty() {
+      return Some(String::new());
+    }
+
+    let mut buf = ciphertext.to_vec();
+    let decrypted = Aes128CbcDec::new(key.into(), &IV.into())
+      .decrypt_padded_mut::<Pkcs7>(&mut buf)
+      .ok()?;
+
+    String::from_utf8(decrypted.to_vec()).ok()
+  }
+
+  /// Encrypt a cookie value in Chrome format (v10/v11 prefix + AES-128-CBC).
+  pub fn encrypt(plaintext: &str, key: &[u8; KEY_LEN]) -> Vec<u8> {
+    let pt = plaintext.as_bytes();
+    let block_size = 16usize;
+    // Allocate buffer with space for PKCS7 padding (up to one extra block)
+    let padded_len = pt.len() + (block_size - pt.len() % block_size);
+    let mut buf = vec![0u8; padded_len];
+    buf[..pt.len()].copy_from_slice(pt);
+
+    let encrypted = Aes128CbcEnc::new(key.into(), &IV.into())
+      .encrypt_padded_mut::<Pkcs7>(&mut buf, pt.len())
+      .expect("encryption buffer too small");
+
+    let mut result = Vec::with_capacity(3 + encrypted.len());
+    #[cfg(target_os = "macos")]
+    result.extend_from_slice(b"v10");
+    #[cfg(not(target_os = "macos"))]
+    result.extend_from_slice(b"v11");
+    result.extend_from_slice(encrypted);
+    result
+  }
+}
+
 /// Unified cookie representation that works across both browser types
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct UnifiedCookie {
@@ -62,12 +169,26 @@ pub struct CookieCopyResult {
  pub errors: Vec<String>,
 }

+/// Result of a cookie import operation
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct CookieImportResult {
+  pub cookies_imported: usize,
+  pub cookies_replaced: usize,
+  pub errors: Vec<String>,
+}
+
 pub struct CookieManager;

 impl CookieManager {
  /// Windows epoch offset: seconds between 1601-01-01 and 1970-01-01
  const WINDOWS_EPOCH_DIFF: i64 = 11644473600;

+  /// Get the Chrome cookie encryption key for a Wayfern profile
+  fn get_chrome_encryption_key(profile: &BrowserProfile, profiles_dir: &Path) -> Option<[u8; 16]> {
+    let profile_data_path = profile.get_profile_data_path(profiles_dir);
+    chrome_decrypt::get_encryption_key(&profile_data_path)
+  }
+
  /// Get the cookie database path for a profile
  fn get_cookie_db_path(profile: &BrowserProfile, profiles_dir: &Path) -> Result<PathBuf, String> {
    let profile_data_path = profile.get_profile_data_path(profiles_dir);
@@ -146,31 +267,58 @@ impl CookieManager {
    Ok(cookies)
  }

-  /// Read cookies from a Chrome/Wayfern profile
-  fn read_chrome_cookies(db_path: &Path) -> Result<Vec<UnifiedCookie>, String> {
+  /// Read cookies from a Chrome/Wayfern profile.
+  /// Handles encrypted cookies by decrypting encrypted_value using the profile's encryption key.
+  fn read_chrome_cookies(
+    db_path: &Path,
+    encryption_key: Option<&[u8; 16]>,
+  ) -> Result<Vec<UnifiedCookie>, String> {
    let conn = Connection::open(db_path).map_err(|e| format!("Failed to open database: {e}"))?;

    let mut stmt = conn
      .prepare(
        "SELECT name, value, host_key, path, expires_utc, is_secure,
-                        is_httponly, samesite, creation_utc, last_access_utc
-                 FROM cookies",
+                is_httponly, samesite, creation_utc, last_access_utc, encrypted_value
+         FROM cookies",
      )
      .map_err(|e| format!("Failed to prepare statement: {e}"))?;

    let cookies = stmt
      .query_map([], |row| {
+        let name: String = row.get(0)?;
+        let plaintext_value: String = row.get(1)?;
+        let domain: String = row.get(2)?;
+        let path: String = row.get(3)?;
+        let expires_utc: i64 = row.get(4)?;
+        let is_secure: i32 = row.get(5)?;
+        let is_httponly: i32 = row.get(6)?;
+        let samesite: i32 = row.get(7)?;
+        let creation_utc: i64 = row.get(8)?;
+        let last_access_utc: i64 = row.get(9)?;
+        let encrypted_value: Vec<u8> = row.get(10)?;
+
+        // Use plaintext value if available, otherwise decrypt encrypted_value
+        let value = if !plaintext_value.is_empty() {
+          plaintext_value
+        } else if !encrypted_value.is_empty() {
+          encryption_key
+            .and_then(|key| chrome_decrypt::decrypt(&encrypted_value, key))
+            .unwrap_or_default()
+        } else {
+          String::new()
+        };
+
        Ok(UnifiedCookie {
-          name: row.get(0)?,
-          value: row.get(1)?,
-          domain: row.get(2)?,
-          path: row.get(3)?,
-          expires: Self::chrome_time_to_unix(row.get(4)?),
-          is_secure: row.get::<_, i32>(5)? != 0,
-          is_http_only: row.get::<_, i32>(6)? != 0,
-          same_site: row.get(7)?,
-          creation_time: Self::chrome_time_to_unix(row.get(8)?),
-          last_accessed: Self::chrome_time_to_unix(row.get(9)?),
+          name,
+          value,
+          domain,
+          path,
+          expires: Self::chrome_time_to_unix(expires_utc),
+          is_secure: is_secure != 0,
+          is_http_only: is_httponly != 0,
+          same_site: samesite,
+          creation_time: Self::chrome_time_to_unix(creation_utc),
+          last_accessed: Self::chrome_time_to_unix(last_access_utc),
        })
      })
      .map_err(|e| format!("Failed to query cookies: {e}"))?
@@ -247,10 +395,12 @@ impl CookieManager {
    Ok((copied, replaced))
  }

-  /// Write cookies to a Chrome/Wayfern profile
+  /// Write cookies to a Chrome/Wayfern profile.
+  /// If an encryption key is available, stores cookies encrypted in encrypted_value.
  fn write_chrome_cookies(
    db_path: &Path,
    cookies: &[UnifiedCookie],
+    encryption_key: Option<&[u8; 16]>,
  ) -> Result<(usize, usize), String> {
    let conn = Connection::open(db_path).map_err(|e| format!("Failed to open database: {e}"))?;

@@ -263,6 +413,12 @@ impl CookieManager {
      .as_secs() as i64;

    for cookie in cookies {
+      // Prepare value/encrypted_value based on whether we have an encryption key
+      let (value_str, encrypted_bytes): (&str, Vec<u8>) = match encryption_key {
+        Some(key) => ("", chrome_decrypt::encrypt(&cookie.value, key)),
+        None => (cookie.value.as_str(), Vec::new()),
+      };
+
      let existing: Option<i64> = conn
        .query_row(
          "SELECT rowid FROM cookies WHERE host_key = ?1 AND name = ?2 AND path = ?3",
@@ -274,11 +430,12 @@ impl CookieManager {
      if existing.is_some() {
        conn
          .execute(
-            "UPDATE cookies SET value = ?1, expires_utc = ?2, is_secure = ?3,
-                     is_httponly = ?4, samesite = ?5, last_access_utc = ?6, last_update_utc = ?7
-                     WHERE host_key = ?8 AND name = ?9 AND path = ?10",
+            "UPDATE cookies SET value = ?1, encrypted_value = ?2, expires_utc = ?3, is_secure = ?4,
+                     is_httponly = ?5, samesite = ?6, last_access_utc = ?7, last_update_utc = ?8
+                     WHERE host_key = ?9 AND name = ?10 AND path = ?11",
            params![
-              &cookie.value,
+              value_str,
+              encrypted_bytes,
              Self::unix_to_chrome_time(cookie.expires),
              cookie.is_secure as i32,
              cookie.is_http_only as i32,
@@ -299,12 +456,13 @@ impl CookieManager {
                      path, expires_utc, is_secure, is_httponly, last_access_utc, has_expires,
                      is_persistent, priority, samesite, source_scheme, source_port, source_type,
                      has_cross_site_ancestor, last_update_utc)
-                     VALUES (?1, ?2, '', ?3, ?4, X'', ?5, ?6, ?7, ?8, ?9, 1, 1, 1, ?10, 2, -1, 0, 0, ?11)",
+                     VALUES (?1, ?2, '', ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, 1, 1, 1, ?11, 2, -1, 0, 0, ?12)",
                    params![
                        Self::unix_to_chrome_time(cookie.creation_time),
                        &cookie.domain,
                        &cookie.name,
-                        &cookie.value,
+                        value_str,
+                        encrypted_bytes,
                        &cookie.path,
                        Self::unix_to_chrome_time(cookie.expires),
                        cookie.is_secure as i32,
@@ -339,7 +497,10 @@ impl CookieManager {

    let cookies = match profile.browser.as_str() {
      "camoufox" => Self::read_firefox_cookies(&db_path)?,
-      "wayfern" => Self::read_chrome_cookies(&db_path)?,
+      "wayfern" => {
+        let key = Self::get_chrome_encryption_key(profile, &profiles_dir);
+        Self::read_chrome_cookies(&db_path, key.as_ref())?
+      }
      _ => return Err(format!("Unsupported browser type: {}", profile.browser)),
    };

@@ -392,7 +553,10 @@ impl CookieManager {
    let source_db_path = Self::get_cookie_db_path(source, &profiles_dir)?;
    let all_cookies = match source.browser.as_str() {
      "camoufox" => Self::read_firefox_cookies(&source_db_path)?,
-      "wayfern" => Self::read_chrome_cookies(&source_db_path)?,
+      "wayfern" => {
+        let key = Self::get_chrome_encryption_key(source, &profiles_dir);
+        Self::read_chrome_cookies(&source_db_path, key.as_ref())?
+      }
      _ => return Err(format!("Unsupported browser type: {}", source.browser)),
    };

@@ -459,7 +623,10 @@ impl CookieManager {

      let write_result = match target.browser.as_str() {
        "camoufox" => Self::write_firefox_cookies(&target_db_path, &cookies_to_copy),
-        "wayfern" => Self::write_chrome_cookies(&target_db_path, &cookies_to_copy),
+        "wayfern" => {
+          let key = Self::get_chrome_encryption_key(target, &profiles_dir);
+          Self::write_chrome_cookies(&target_db_path, &cookies_to_copy, key.as_ref())
+        }
        _ => {
          results.push(CookieCopyResult {
            target_profile_id: target_id.clone(),
@@ -493,4 +660,502 @@ impl CookieManager {

    Ok(results)
  }
+
+  /// Parse Netscape format cookies from text content
+  fn parse_netscape_cookies(content: &str) -> (Vec<UnifiedCookie>, Vec<String>) {
+    let mut cookies = Vec::new();
+    let mut errors = Vec::new();
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs() as i64;
+
+    for (i, line) in content.lines().enumerate() {
+      let line = line.trim();
+      if line.is_empty() || line.starts_with('#') {
+        continue;
+      }
+
+      let fields: Vec<&str> = line.split('\t').collect();
+      if fields.len() < 7 {
+        errors.push(format!(
+          "Line {}: expected 7 tab-separated fields, got {}",
+          i + 1,
+          fields.len()
+        ));
+        continue;
+      }
+
+      let domain = fields[0].to_string();
+      let path = fields[2].to_string();
+      let is_secure = fields[3].eq_ignore_ascii_case("TRUE");
+      let expires = fields[4].parse::<i64>().unwrap_or(0);
+      let name = fields[5].to_string();
+      let value = fields[6].to_string();
+
+      cookies.push(UnifiedCookie {
+        name,
+        value,
+        domain,
+        path,
+        expires,
+        is_secure,
+        is_http_only: false,
+        same_site: 0,
+        creation_time: now,
+        last_accessed: now,
+      });
+    }
+
+    (cookies, errors)
+  }
+
+  /// Parse JSON format cookies (array of cookie objects, e.g. from browser extensions)
+  fn parse_json_cookies(content: &str) -> (Vec<UnifiedCookie>, Vec<String>) {
+    let mut cookies = Vec::new();
+    let mut errors = Vec::new();
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs() as i64;
+
+    let arr: Vec<Value> = match serde_json::from_str(content) {
+      Ok(v) => v,
+      Err(e) => {
+        errors.push(format!("Failed to parse JSON: {e}"));
+        return (cookies, errors);
+      }
+    };
+
+    for (i, obj) in arr.iter().enumerate() {
+      let name = match obj.get("name").and_then(|v| v.as_str()) {
+        Some(s) => s.to_string(),
+        None => {
+          errors.push(format!("Cookie {}: missing 'name' field", i + 1));
+          continue;
+        }
+      };
+      let value = obj
+        .get("value")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+      let domain = match obj.get("domain").and_then(|v| v.as_str()) {
+        Some(s) => s.to_string(),
+        None => {
+          errors.push(format!("Cookie {}: missing 'domain' field", i + 1));
+          continue;
+        }
+      };
+      let path = obj
+        .get("path")
+        .and_then(|v| v.as_str())
+        .unwrap_or("/")
+        .to_string();
+      let is_secure = obj.get("secure").and_then(|v| v.as_bool()).unwrap_or(false);
+      let is_http_only = obj
+        .get("httpOnly")
+        .and_then(|v| v.as_bool())
+        .unwrap_or(false);
+      let is_session = obj
+        .get("session")
+        .and_then(|v| v.as_bool())
+        .unwrap_or(false);
+      let expires = if is_session {
+        0
+      } else {
+        obj
+          .get("expirationDate")
+          .and_then(|v| v.as_f64())
+          .map(|f| f as i64)
+          .unwrap_or(0)
+      };
+      let same_site = obj
+        .get("sameSite")
+        .and_then(|v| v.as_str())
+        .map(|s| match s {
+          "lax" => 1,
+          "strict" => 2,
+          _ => 0, // "no_restriction" or unrecognized
+        })
+        .unwrap_or(0);
+
+      cookies.push(UnifiedCookie {
+        name,
+        value,
+        domain,
+        path,
+        expires,
+        is_secure,
+        is_http_only,
+        same_site,
+        creation_time: now,
+        last_accessed: now,
+      });
+    }
+
+    (cookies, errors)
+  }
+
+  /// Auto-detect cookie format and parse
+  fn parse_cookies(content: &str) -> (Vec<UnifiedCookie>, Vec<String>) {
+    let trimmed = content.trim();
+    if trimmed.starts_with('[') && serde_json::from_str::<Vec<Value>>(trimmed).is_ok() {
+      return Self::parse_json_cookies(trimmed);
+    }
+    Self::parse_netscape_cookies(content)
+  }
+
+  /// Format cookies as Netscape TXT
+  pub fn format_netscape_cookies(cookies: &[UnifiedCookie]) -> String {
+    let mut lines = Vec::new();
+    lines.push("# Netscape HTTP Cookie File".to_string());
+    for cookie in cookies {
+      let flag = if cookie.domain.starts_with('.') {
+        "TRUE"
+      } else {
+        "FALSE"
+      };
+      let secure = if cookie.is_secure { "TRUE" } else { "FALSE" };
+      lines.push(format!(
+        "{}\t{}\t{}\t{}\t{}\t{}\t{}",
+        cookie.domain, flag, cookie.path, secure, cookie.expires, cookie.name, cookie.value
+      ));
+    }
+    lines.join("\n")
+  }
+
+  /// Format cookies as JSON
+  pub fn format_json_cookies(cookies: &[UnifiedCookie]) -> String {
+    let arr: Vec<Value> = cookies
+      .iter()
+      .map(|c| {
+        let same_site_str = match c.same_site {
+          1 => "lax",
+          2 => "strict",
+          _ => "no_restriction",
+        };
+        serde_json::json!({
+          "name": c.name,
+          "value": c.value,
+          "domain": c.domain,
+          "path": c.path,
+          "secure": c.is_secure,
+          "httpOnly": c.is_http_only,
+          "sameSite": same_site_str,
+          "expirationDate": c.expires,
+          "session": c.expires == 0,
+          "hostOnly": !c.domain.starts_with('.'),
+        })
+      })
+      .collect();
+    serde_json::to_string_pretty(&arr).unwrap_or_else(|_| "[]".to_string())
+  }
+
+  /// Public API: Import cookies with auto-format detection
+  pub async fn import_cookies(
+    app_handle: &AppHandle,
+    profile_id: &str,
+    content: &str,
+  ) -> Result<CookieImportResult, String> {
+    let profile_manager = ProfileManager::instance();
+    let profiles_dir = profile_manager.get_profiles_dir();
+    let profiles = profile_manager
+      .list_profiles()
+      .map_err(|e| format!("Failed to list profiles: {e}"))?;
+
+    let profile = profiles
+      .iter()
+      .find(|p| p.id.to_string() == profile_id)
+      .ok_or_else(|| format!("Profile not found: {profile_id}"))?;
+
+    let is_running = profile_manager
+      .check_browser_status(app_handle.clone(), profile)
+      .await
+      .unwrap_or(false);
+
+    if is_running {
+      return Err(format!(
+        "Cannot import cookies while browser is running for profile: {}",
+        profile.name
+      ));
+    }
+
+    let (cookies, parse_errors) = Self::parse_cookies(content);
+
+    if cookies.is_empty() {
+      return Err("No valid cookies found in the file".to_string());
+    }
+
+    let db_path = Self::get_cookie_db_path(profile, &profiles_dir)?;
+
+    let write_result = match profile.browser.as_str() {
+      "camoufox" => Self::write_firefox_cookies(&db_path, &cookies),
+      "wayfern" => {
+        let key = Self::get_chrome_encryption_key(profile, &profiles_dir);
+        Self::write_chrome_cookies(&db_path, &cookies, key.as_ref())
+      }
+      _ => return Err(format!("Unsupported browser type: {}", profile.browser)),
+    };
+
+    match write_result {
+      Ok((imported, replaced)) => Ok(CookieImportResult {
+        cookies_imported: imported,
+        cookies_replaced: replaced,
+        errors: parse_errors,
+      }),
+      Err(e) => Err(format!("Failed to write cookies: {e}")),
+    }
+  }
+
+  /// Public API: Export cookies from a profile in the specified format
+  pub fn export_cookies(profile_id: &str, format: &str) -> Result<String, String> {
+    let result = Self::read_cookies(profile_id)?;
+    let all_cookies: Vec<UnifiedCookie> =
+      result.domains.into_iter().flat_map(|d| d.cookies).collect();
+
+    match format {
+      "json" => Ok(Self::format_json_cookies(&all_cookies)),
+      "netscape" => Ok(Self::format_netscape_cookies(&all_cookies)),
+      _ => Err(format!("Unsupported export format: {format}")),
+    }
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_parse_netscape_cookies_valid() {
+    let content = "# Netscape HTTP Cookie File\n\
+      .example.com\tTRUE\t/\tTRUE\t1700000000\tsession_id\tabc123\n\
+      example.com\tFALSE\t/path\tFALSE\t0\ttoken\txyz";
+    let (cookies, errors) = CookieManager::parse_netscape_cookies(content);
+    assert_eq!(cookies.len(), 2);
+    assert!(errors.is_empty());
+
+    assert_eq!(cookies[0].domain, ".example.com");
+    assert_eq!(cookies[0].name, "session_id");
+    assert_eq!(cookies[0].value, "abc123");
+    assert_eq!(cookies[0].path, "/");
+    assert!(cookies[0].is_secure);
+    assert_eq!(cookies[0].expires, 1700000000);
+
+    assert_eq!(cookies[1].domain, "example.com");
+    assert!(!cookies[1].is_secure);
+    assert_eq!(cookies[1].expires, 0);
+  }
+
+  #[test]
+  fn test_parse_netscape_cookies_skips_comments_and_blanks() {
+    let content = "# Comment line\n\n  \n# Another comment\n\
+      .test.com\tTRUE\t/\tFALSE\t0\tname\tvalue\n";
+    let (cookies, errors) = CookieManager::parse_netscape_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert!(errors.is_empty());
+  }
+
+  #[test]
+  fn test_parse_netscape_cookies_malformed_lines() {
+    let content = "not\tenough\tfields\n\
+      .ok.com\tTRUE\t/\tFALSE\t0\tname\tvalue\n";
+    let (cookies, errors) = CookieManager::parse_netscape_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert_eq!(errors.len(), 1);
+    assert!(errors[0].contains("expected 7 tab-separated fields"));
+  }
+
+  #[test]
+  fn test_parse_json_cookies_valid() {
+    let content = r#"[
+      {
+        "name": "sid",
+        "value": "abc",
+        "domain": ".example.com",
+        "path": "/",
+        "secure": true,
+        "httpOnly": true,
+        "sameSite": "lax",
+        "expirationDate": 1700000000,
+        "session": false
+      }
+    ]"#;
+    let (cookies, errors) = CookieManager::parse_json_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert!(errors.is_empty());
+    assert_eq!(cookies[0].name, "sid");
+    assert_eq!(cookies[0].domain, ".example.com");
+    assert!(cookies[0].is_secure);
+    assert!(cookies[0].is_http_only);
+    assert_eq!(cookies[0].same_site, 1);
+    assert_eq!(cookies[0].expires, 1700000000);
+  }
+
+  #[test]
+  fn test_parse_json_cookies_session() {
+    let content = r#"[{"name": "s", "value": "v", "domain": ".d.com", "session": true, "expirationDate": 9999}]"#;
+    let (cookies, errors) = CookieManager::parse_json_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert!(errors.is_empty());
+    assert_eq!(cookies[0].expires, 0);
+  }
+
+  #[test]
+  fn test_parse_json_cookies_same_site_mapping() {
+    let content = r#"[
+      {"name": "a", "value": "", "domain": ".d.com", "sameSite": "no_restriction"},
+      {"name": "b", "value": "", "domain": ".d.com", "sameSite": "lax"},
+      {"name": "c", "value": "", "domain": ".d.com", "sameSite": "strict"}
+    ]"#;
+    let (cookies, _) = CookieManager::parse_json_cookies(content);
+    assert_eq!(cookies[0].same_site, 0);
+    assert_eq!(cookies[1].same_site, 1);
+    assert_eq!(cookies[2].same_site, 2);
+  }
+
+  #[test]
+  fn test_parse_cookies_auto_detect_json() {
+    let content = r#"[{"name": "x", "value": "y", "domain": ".test.com"}]"#;
+    let (cookies, _) = CookieManager::parse_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert_eq!(cookies[0].name, "x");
+  }
+
+  #[test]
+  fn test_parse_cookies_auto_detect_netscape() {
+    let content = ".test.com\tTRUE\t/\tFALSE\t0\tname\tvalue";
+    let (cookies, _) = CookieManager::parse_cookies(content);
+    assert_eq!(cookies.len(), 1);
+    assert_eq!(cookies[0].name, "name");
+  }
+
+  #[test]
+  fn test_format_netscape_cookies() {
+    let cookies = vec![UnifiedCookie {
+      name: "sid".to_string(),
+      value: "abc".to_string(),
+      domain: ".example.com".to_string(),
+      path: "/".to_string(),
+      expires: 1700000000,
+      is_secure: true,
+      is_http_only: false,
+      same_site: 0,
+      creation_time: 0,
+      last_accessed: 0,
+    }];
+    let output = CookieManager::format_netscape_cookies(&cookies);
+    assert!(output.contains("# Netscape HTTP Cookie File"));
+    assert!(output.contains(".example.com\tTRUE\t/\tTRUE\t1700000000\tsid\tabc"));
+  }
+
+  #[test]
+  fn test_format_json_cookies() {
+    let cookies = vec![UnifiedCookie {
+      name: "sid".to_string(),
+      value: "abc".to_string(),
+      domain: ".example.com".to_string(),
+      path: "/".to_string(),
+      expires: 1700000000,
+      is_secure: true,
+      is_http_only: true,
+      same_site: 1,
+      creation_time: 0,
+      last_accessed: 0,
+    }];
+    let output = CookieManager::format_json_cookies(&cookies);
+    let parsed: Vec<Value> = serde_json::from_str(&output).unwrap();
+    assert_eq!(parsed.len(), 1);
+    assert_eq!(parsed[0]["name"], "sid");
+    assert_eq!(parsed[0]["sameSite"], "lax");
+    assert_eq!(parsed[0]["session"], false);
+    assert_eq!(parsed[0]["hostOnly"], false);
+  }
+
+  #[test]
+  fn test_netscape_roundtrip() {
+    let cookies = vec![
+      UnifiedCookie {
+        name: "a".to_string(),
+        value: "1".to_string(),
+        domain: ".d.com".to_string(),
+        path: "/".to_string(),
+        expires: 1700000000,
+        is_secure: true,
+        is_http_only: false,
+        same_site: 0,
+        creation_time: 0,
+        last_accessed: 0,
+      },
+      UnifiedCookie {
+        name: "b".to_string(),
+        value: "2".to_string(),
+        domain: "d.com".to_string(),
+        path: "/p".to_string(),
+        expires: 0,
+        is_secure: false,
+        is_http_only: false,
+        same_site: 0,
+        creation_time: 0,
+        last_accessed: 0,
+      },
+    ];
+    let formatted = CookieManager::format_netscape_cookies(&cookies);
+    let (parsed, errors) = CookieManager::parse_netscape_cookies(&formatted);
+    assert!(errors.is_empty());
+    assert_eq!(parsed.len(), 2);
+    assert_eq!(parsed[0].name, "a");
+    assert_eq!(parsed[0].domain, ".d.com");
+    assert!(parsed[0].is_secure);
+    assert_eq!(parsed[1].name, "b");
+    assert_eq!(parsed[1].domain, "d.com");
+  }
+
+  #[test]
+  fn test_json_roundtrip() {
+    let cookies = vec![UnifiedCookie {
+      name: "tok".to_string(),
+      value: "xyz".to_string(),
+      domain: ".site.org".to_string(),
+      path: "/app".to_string(),
+      expires: 1700000000,
+      is_secure: false,
+      is_http_only: true,
+      same_site: 2,
+      creation_time: 0,
+      last_accessed: 0,
+    }];
+    let formatted = CookieManager::format_json_cookies(&cookies);
+    let (parsed, errors) = CookieManager::parse_json_cookies(&formatted);
+    assert!(errors.is_empty());
+    assert_eq!(parsed.len(), 1);
+    assert_eq!(parsed[0].name, "tok");
+    assert_eq!(parsed[0].domain, ".site.org");
+    assert_eq!(parsed[0].path, "/app");
+    assert!(!parsed[0].is_secure);
+    assert!(parsed[0].is_http_only);
+    assert_eq!(parsed[0].same_site, 2);
+    assert_eq!(parsed[0].expires, 1700000000);
+  }
+
+  #[test]
+  fn test_chrome_time_to_unix() {
+    assert_eq!(CookieManager::chrome_time_to_unix(0), 0);
+    let chrome_time: i64 = (1700000000 + CookieManager::WINDOWS_EPOCH_DIFF) * 1_000_000;
+    assert_eq!(CookieManager::chrome_time_to_unix(chrome_time), 1700000000);
+  }
+
+  #[test]
+  fn test_unix_to_chrome_time() {
+    assert_eq!(CookieManager::unix_to_chrome_time(0), 0);
+    let expected = (1700000000 + CookieManager::WINDOWS_EPOCH_DIFF) * 1_000_000;
+    assert_eq!(CookieManager::unix_to_chrome_time(1700000000), expected);
+  }
+
+  #[test]
+  fn test_chrome_time_roundtrip() {
+    let unix = 1700000000_i64;
+    let chrome = CookieManager::unix_to_chrome_time(unix);
+    assert_eq!(CookieManager::chrome_time_to_unix(chrome), unix);
+  }
 }
@@ -1,4 +1,5 @@
 use directories::ProjectDirs;
+#[cfg(any(target_os = "macos", target_os = "linux"))]
 use std::fs;
 use std::io;
 use std::path::PathBuf;
@@ -80,6 +81,12 @@ pub fn enable_autostart() -> io::Result<()> {

  let plist_path = plist_dir.join("com.donutbrowser.daemon.plist");

+  // Get log directory (use data directory instead of /tmp)
+  let log_dir = get_data_dir()
+    .unwrap_or_else(|| PathBuf::from("/tmp"))
+    .join("logs");
+  fs::create_dir_all(&log_dir)?;
+
  let plist_content = format!(
    r#"<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -89,21 +96,24 @@ pub fn enable_autostart() -> io::Result<()> {
    <string>com.donutbrowser.daemon</string>
    <key>ProgramArguments</key>
    <array>
-        <string>{}</string>
-        <string>start</string>
+        <string>{daemon_path}</string>
+        <string>run</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
-    <key>KeepAlive</key>
-    <false/>
+    <key>LimitLoadToSessionType</key>
+    <string>Aqua</string>
+    <key>ProcessType</key>
+    <string>Interactive</string>
    <key>StandardOutPath</key>
-    <string>/tmp/donut-daemon.out.log</string>
+    <string>{log_dir}/daemon.out.log</string>
    <key>StandardErrorPath</key>
-    <string>/tmp/donut-daemon.err.log</string>
+    <string>{log_dir}/daemon.err.log</string>
 </dict>
 </plist>
 "#,
-    daemon_path.display()
+    daemon_path = daemon_path.display(),
+    log_dir = log_dir.display()
  );

  fs::write(&plist_path, plist_content)?;
@@ -112,13 +122,19 @@ pub fn enable_autostart() -> io::Result<()> {
  Ok(())
 }

+#[cfg(target_os = "macos")]
+pub fn get_plist_path() -> Option<PathBuf> {
+  dirs::home_dir().map(|h| h.join("Library/LaunchAgents/com.donutbrowser.daemon.plist"))
+}
+
 #[cfg(target_os = "macos")]
 pub fn disable_autostart() -> io::Result<()> {
-  let plist_path = dirs::home_dir()
-    .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "Home directory not found"))?
-    .join("Library/LaunchAgents/com.donutbrowser.daemon.plist");
+  let plist_path = get_plist_path()
+    .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "Home directory not found"))?;

  if plist_path.exists() {
+    // First unload the launch agent if it's loaded
+    let _ = unload_launch_agent();
    fs::remove_file(&plist_path)?;
    log::info!("Removed launch agent at {:?}", plist_path);
  }
@@ -128,12 +144,91 @@ pub fn disable_autostart() -> io::Result<()> {

 #[cfg(target_os = "macos")]
 pub fn is_autostart_enabled() -> bool {
-  dirs::home_dir()
-    .map(|h| {
-      h.join("Library/LaunchAgents/com.donutbrowser.daemon.plist")
-        .exists()
-    })
-    .unwrap_or(false)
+  get_plist_path().is_some_and(|p| p.exists())
+}
+
+#[cfg(target_os = "macos")]
+pub fn load_launch_agent() -> io::Result<()> {
+  use std::process::Command;
+
+  let plist_path = get_plist_path()
+    .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "Could not determine plist path"))?;
+
+  if !plist_path.exists() {
+    return Err(io::Error::new(
+      io::ErrorKind::NotFound,
+      "Launch agent plist does not exist",
+    ));
+  }
+
+  // Use launchctl load to start the daemon via launchd
+  // The -w flag writes the "disabled" key to the override plist
+  let output = Command::new("launchctl")
+    .args(["load", "-w"])
+    .arg(&plist_path)
+    .output()?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    // "already loaded" is not an error condition for us
+    if !stderr.contains("already loaded") {
+      return Err(io::Error::other(format!(
+        "launchctl load failed: {}",
+        stderr
+      )));
+    }
+  }
+
+  log::info!("Loaded launch agent via launchctl");
+  Ok(())
+}
+
+#[cfg(target_os = "macos")]
+pub fn start_launch_agent() -> io::Result<()> {
+  use std::process::Command;
+
+  let output = Command::new("launchctl")
+    .args(["start", "com.donutbrowser.daemon"])
+    .output()?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    return Err(io::Error::other(format!(
+      "launchctl start failed: {}",
+      stderr
+    )));
+  }
+
+  log::info!("Started launch agent via launchctl");
+  Ok(())
+}
+
+#[cfg(target_os = "macos")]
+pub fn unload_launch_agent() -> io::Result<()> {
+  use std::process::Command;
+
+  let plist_path = get_plist_path()
+    .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "Could not determine plist path"))?;
+
+  if !plist_path.exists() {
+    return Ok(());
+  }
+
+  let output = Command::new("launchctl")
+    .args(["unload"])
+    .arg(&plist_path)
+    .output()?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    // Not being loaded is not an error
+    if !stderr.contains("Could not find specified service") {
+      log::warn!("launchctl unload warning: {}", stderr);
+    }
+  }
+
+  log::info!("Unloaded launch agent via launchctl");
+  Ok(())
 }

 #[cfg(target_os = "linux")]
@@ -149,16 +244,22 @@ pub fn enable_autostart() -> io::Result<()> {

  let desktop_path = autostart_dir.join("donut-daemon.desktop");

+  let escaped_daemon_path = daemon_path
+    .display()
+    .to_string()
+    .replace('\\', "\\\\")
+    .replace('"', "\\\"")
+    .replace('`', "\\`")
+    .replace('$', "\\$");
  let desktop_content = format!(
    r#"[Desktop Entry]
 Type=Application
 Name=Donut Browser Daemon
-Exec={} start
+Exec="{escaped_daemon_path}" run
 Hidden=false
 NoDisplay=true
 X-GNOME-Autostart-enabled=true
 "#,
-    daemon_path.display()
  );

  fs::write(&desktop_path, desktop_content)?;
@@ -201,7 +302,7 @@ pub fn enable_autostart() -> io::Result<()> {

  key.set_value(
    "DonutBrowserDaemon",
-    &format!("\"{}\" start", daemon_path.display()),
+    &format!("\"{}\" run", daemon_path.display()),
  )?;

  log::info!("Added registry autostart entry");
@@ -1,12 +1,14 @@
-use muda::{Menu, MenuItem, PredefinedMenuItem, Submenu};
+use muda::{Menu, MenuItem};
 use std::process::Command;
-use std::sync::atomic::{AtomicBool, Ordering};
 use tray_icon::{Icon, TrayIcon, TrayIconBuilder};

-static GUI_RUNNING: AtomicBool = AtomicBool::new(false);
-
 pub fn load_icon() -> Icon {
-  let icon_bytes = include_bytes!("../../icons/32x32.png");
+  // On Windows, use the full-color icon so it renders well on dark taskbars.
+  // On macOS/Linux, use the template icon (black with alpha) for system light/dark handling.
+  #[cfg(target_os = "windows")]
+  let icon_bytes = include_bytes!("../../icons/tray-icon-win-44.png");
+  #[cfg(not(target_os = "windows"))]
+  let icon_bytes = include_bytes!("../../icons/tray-icon-44.png");

  let image = image::load_from_memory(icon_bytes)
    .expect("Failed to load icon")
@@ -20,11 +22,6 @@ pub fn load_icon() -> Icon {

 pub struct TrayMenu {
  pub menu: Menu,
-  pub open_item: MenuItem,
-  pub running_profiles_submenu: Submenu,
-  pub api_status_item: MenuItem,
-  pub mcp_status_item: MenuItem,
-  pub preferences_item: MenuItem,
  pub quit_item: MenuItem,
 }

@@ -38,83 +35,78 @@ impl TrayMenu {
  pub fn new() -> Self {
    let menu = Menu::new();

-    let open_item = MenuItem::new("Open Donut Browser", true, None);
-    let running_profiles_submenu = Submenu::new("Running Profiles", true);
-    let no_profiles_item = MenuItem::new("No running profiles", false, None);
-    running_profiles_submenu.append(&no_profiles_item).unwrap();
-
-    let separator1 = PredefinedMenuItem::separator();
-    let api_status_item = MenuItem::new("API: Starting...", false, None);
-    let mcp_status_item = MenuItem::new("MCP: Starting...", false, None);
-    let separator2 = PredefinedMenuItem::separator();
-    let preferences_item = MenuItem::new("Preferences...", true, None);
    let quit_item = MenuItem::new("Quit Donut Browser", true, None);

-    menu.append(&open_item).unwrap();
-    menu.append(&running_profiles_submenu).unwrap();
-    menu.append(&separator1).unwrap();
-    menu.append(&api_status_item).unwrap();
-    menu.append(&mcp_status_item).unwrap();
-    menu.append(&separator2).unwrap();
-    menu.append(&preferences_item).unwrap();
    menu.append(&quit_item).unwrap();

-    Self {
-      menu,
-      open_item,
-      running_profiles_submenu,
-      api_status_item,
-      mcp_status_item,
-      preferences_item,
-      quit_item,
-    }
-  }
-
-  pub fn update_api_status(&self, port: Option<u16>) {
-    let text = match port {
-      Some(p) => format!("API: Running on :{}", p),
-      None => "API: Stopped".to_string(),
-    };
-    self.api_status_item.set_text(&text);
-  }
-
-  pub fn update_mcp_status(&self, running: bool) {
-    let text = if running {
-      "MCP: Running"
-    } else {
-      "MCP: Stopped"
-    };
-    self.mcp_status_item.set_text(text);
+    Self { menu, quit_item }
  }
 }

 pub fn create_tray_icon(icon: Icon, menu: &Menu) -> TrayIcon {
-  TrayIconBuilder::new()
+  let builder = TrayIconBuilder::new()
    .with_icon(icon)
    .with_tooltip("Donut Browser")
-    .with_menu(Box::new(menu.clone()))
-    .build()
-    .expect("Failed to create tray icon")
+    .with_menu(Box::new(menu.clone()));
+
+  // On macOS, template icons are automatically colored by the system for light/dark mode
+  #[cfg(target_os = "macos")]
+  let builder = builder.with_icon_as_template(true);
+
+  builder.build().expect("Failed to create tray icon")
+}
+
+/// Resolve the .app bundle path from the current daemon executable.
+/// In production the daemon is at `Donut.app/Contents/MacOS/donut-daemon`.
+#[cfg(target_os = "macos")]
+fn get_app_bundle_path() -> Option<std::path::PathBuf> {
+  let exe = std::env::current_exe().ok()?;
+  let macos_dir = exe.parent()?;
+  let contents_dir = macos_dir.parent()?;
+  let app_dir = contents_dir.parent()?;
+  if app_dir.extension().and_then(|e| e.to_str()) == Some("app") {
+    Some(app_dir.to_path_buf())
+  } else {
+    None
+  }
 }

 pub fn open_gui() {
-  if GUI_RUNNING.load(Ordering::SeqCst) {
-    log::info!("GUI already running, activating...");
-    activate_gui();
-    return;
-  }
-
  log::info!("Opening GUI...");

  #[cfg(target_os = "macos")]
  {
-    let _ = Command::new("open").arg("-a").arg("Donut Browser").spawn();
+    // Launch the GUI binary directly. The daemon lives inside the same .app
+    // bundle, so `open` (even with `-n`) can re-activate the daemon instead
+    // of launching the GUI. Directly running the binary avoids macOS's app
+    // activation machinery. The single-instance Tauri plugin in the GUI
+    // handles deduplication if a GUI instance is already running.
+    if let Some(app_bundle) = get_app_bundle_path() {
+      let gui_binary = app_bundle.join("Contents").join("MacOS").join("Donut");
+      if gui_binary.exists() {
+        let _ = Command::new(&gui_binary).spawn();
+      } else {
+        let _ = Command::new("open").args(["-n"]).arg(&app_bundle).spawn();
+      }
+    } else {
+      let _ = Command::new("open").args(["-n", "-a", "Donut"]).spawn();
+    }
  }

  #[cfg(target_os = "windows")]
  {
    use std::path::PathBuf;

+    if let Ok(current_exe) = std::env::current_exe() {
+      if let Some(exe_dir) = current_exe.parent() {
+        let app_path = exe_dir.join("donutbrowser.exe");
+        if app_path.exists() {
+          let _ = Command::new(app_path).spawn();
+          return;
+        }
+      }
+    }
+
    let paths = [
      dirs::data_local_dir().map(|p| p.join("Donut Browser").join("Donut Browser.exe")),
      Some(PathBuf::from(
@@ -136,15 +128,77 @@ pub fn open_gui() {
  }
 }

-pub fn activate_gui() {
-  #[cfg(target_os = "macos")]
+fn read_gui_pid() -> Option<u32> {
+  let path = super::autostart::get_data_dir()?.join("daemon-state.json");
+  let content = std::fs::read_to_string(path).ok()?;
+  let val: serde_json::Value = serde_json::from_str(&content).ok()?;
+  val.get("gui_pid")?.as_u64().map(|p| p as u32)
+}
+
+fn kill_gui_by_pid() -> bool {
+  let Some(pid) = read_gui_pid() else {
+    return false;
+  };
+
+  #[cfg(unix)]
  {
-    let _ = Command::new("osascript")
-      .args(["-e", "tell application \"Donut Browser\" to activate"])
-      .spawn();
+    let ret = unsafe { libc::kill(pid as i32, libc::SIGTERM) };
+    ret == 0
+  }
+
+  #[cfg(windows)]
+  {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    Command::new("taskkill")
+      .args(["/PID", &pid.to_string(), "/F"])
+      .creation_flags(CREATE_NO_WINDOW)
+      .output()
+      .map(|o| o.status.success())
+      .unwrap_or(false)
+  }
+
+  #[cfg(not(any(unix, windows)))]
+  {
+    false
  }
 }

-pub fn set_gui_running(running: bool) {
-  GUI_RUNNING.store(running, Ordering::SeqCst);
+pub fn quit_gui() {
+  log::info!("[daemon] Quitting GUI...");
+
+  if kill_gui_by_pid() {
+    log::info!("[daemon] GUI killed by PID");
+    return;
+  }
+
+  log::info!("[daemon] PID-based kill failed, falling back to name-based kill");
+
+  #[cfg(target_os = "macos")]
+  {
+    // Use spawn() instead of output() to avoid blocking the event loop.
+    // AppleScript has a ~2 minute default timeout that would freeze the tray icon.
+    let _ = Command::new("osascript")
+      .args(["-e", "tell application \"Donut\" to quit"])
+      .spawn();
+  }
+
+  #[cfg(target_os = "windows")]
+  {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    let _ = Command::new("taskkill")
+      .args(["/IM", "Donut.exe", "/F"])
+      .creation_flags(CREATE_NO_WINDOW)
+      .spawn();
+    let _ = Command::new("taskkill")
+      .args(["/IM", "donutbrowser.exe", "/F"])
+      .creation_flags(CREATE_NO_WINDOW)
+      .spawn();
+  }
+
+  #[cfg(target_os = "linux")]
+  {
+    let _ = Command::new("pkill").args(["-x", "donutbrowser"]).spawn();
+  }
 }
@@ -9,6 +9,26 @@ use std::time::Duration;

 use crate::daemon::autostart;

+/// Check if a process with the given PID exists using the Windows API.
+/// This avoids spawning tasklist.exe which causes a visible conhost window flash.
+#[cfg(windows)]
+fn win_process_exists(pid: u32) -> bool {
+  const PROCESS_QUERY_LIMITED_INFORMATION: u32 = 0x1000;
+
+  extern "system" {
+    fn OpenProcess(dwDesiredAccess: u32, bInheritHandles: i32, dwProcessId: u32) -> *mut ();
+    fn CloseHandle(hObject: *mut ()) -> i32;
+  }
+
+  let handle = unsafe { OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid) };
+  if handle.is_null() {
+    false
+  } else {
+    unsafe { CloseHandle(handle) };
+    true
+  }
+}
+
 #[derive(Debug, Deserialize, Default)]
 struct DaemonState {
  daemon_pid: Option<u32>,
@@ -32,7 +52,7 @@ fn read_state() -> DaemonState {
  DaemonState::default()
 }

-fn is_daemon_running() -> bool {
+pub fn is_daemon_running() -> bool {
  let state = read_state();

  if let Some(pid) = state.daemon_pid {
@@ -43,12 +63,7 @@ fn is_daemon_running() -> bool {

    #[cfg(windows)]
    {
-      let output = Command::new("tasklist")
-        .args(["/FI", &format!("PID eq {}", pid)])
-        .output();
-      output
-        .map(|o| String::from_utf8_lossy(&o.stdout).contains(&pid.to_string()))
-        .unwrap_or(false)
+      win_process_exists(pid)
    }

    #[cfg(not(any(unix, windows)))]
@@ -60,6 +75,39 @@ fn is_daemon_running() -> bool {
  }
 }

+#[cfg(target_os = "macos")]
+fn is_dev_mode() -> bool {
+  if let Ok(current_exe) = std::env::current_exe() {
+    let path_str = current_exe.to_string_lossy();
+    path_str.contains("target/debug") || path_str.contains("target/release")
+  } else {
+    false
+  }
+}
+
+#[cfg(target_os = "macos")]
+fn get_daemon_path() -> Option<PathBuf> {
+  // First try to find the daemon binary next to the current executable
+  if let Ok(current_exe) = std::env::current_exe() {
+    if let Some(exe_dir) = current_exe.parent() {
+      let daemon_path = exe_dir.join("donut-daemon");
+      if daemon_path.exists() {
+        return Some(daemon_path);
+      }
+    }
+  }
+
+  // Try common installation paths
+  let paths = [
+    PathBuf::from("/Applications/Donut Browser.app/Contents/MacOS/donut-daemon"),
+    dirs::home_dir()
+      .map(|h| h.join("Applications/Donut Browser.app/Contents/MacOS/donut-daemon"))
+      .unwrap_or_default(),
+  ];
+  paths.into_iter().find(|path| path.exists())
+}
+
+#[cfg(any(target_os = "linux", windows))]
 fn get_daemon_path() -> Option<PathBuf> {
  // First, try to find it next to the current executable
  if let Ok(current_exe) = std::env::current_exe() {
@@ -68,31 +116,25 @@ fn get_daemon_path() -> Option<PathBuf> {
    // Check for daemon binary in same directory
    #[cfg(target_os = "windows")]
    let daemon_name = "donut-daemon.exe";
-    #[cfg(not(target_os = "windows"))]
+    #[cfg(target_os = "linux")]
    let daemon_name = "donut-daemon";

    let daemon_path = exe_dir.join(daemon_name);
    if daemon_path.exists() {
      return Some(daemon_path);
    }
-
-    // On macOS, check inside the app bundle
-    #[cfg(target_os = "macos")]
-    {
-      // If we're in Contents/MacOS, daemon should be there too
-      if exe_dir.ends_with("Contents/MacOS") {
-        let daemon_path = exe_dir.join(daemon_name);
-        if daemon_path.exists() {
-          return Some(daemon_path);
-        }
-      }
-    }
  }

  // Try to find it in PATH
  #[cfg(target_os = "windows")]
  {
-    if let Ok(output) = Command::new("where").arg("donut-daemon").output() {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    if let Ok(output) = Command::new("where")
+      .arg("donut-daemon")
+      .creation_flags(CREATE_NO_WINDOW)
+      .output()
+    {
      if output.status.success() {
        let path = String::from_utf8_lossy(&output.stdout);
        let path = path.lines().next()?.trim();
@@ -101,7 +143,7 @@ fn get_daemon_path() -> Option<PathBuf> {
    }
  }

-  #[cfg(unix)]
+  #[cfg(target_os = "linux")]
  {
    if let Ok(output) = Command::new("which").arg("donut-daemon").output() {
      if output.status.success() {
@@ -118,60 +160,39 @@ fn get_daemon_path() -> Option<PathBuf> {
 }

 pub fn spawn_daemon() -> Result<(), String> {
+  // Log the daemon state for debugging
+  let state = read_state();
+  log::info!("Daemon state before spawn: pid={:?}", state.daemon_pid);
+
  // Check if already running
  if is_daemon_running() {
-    log::info!("Daemon is already running");
+    log::info!("Daemon is already running (verified by PID check)");
    return Ok(());
  }

+  log::info!("Daemon is not running, attempting to start...");
+
  // Log current exe location for debugging
  let current_exe = std::env::current_exe().ok();
  log::info!("Current exe: {:?}", current_exe);

-  let daemon_path = get_daemon_path().ok_or_else(|| {
-    format!(
-      "Could not find daemon binary. Current exe: {:?}",
-      current_exe
-    )
-  })?;
-
-  log::info!("Spawning daemon from: {:?}", daemon_path);
-
-  // Use "run" instead of "start" - we handle detachment here
-  #[cfg(unix)]
+  // On macOS, use launchctl to start the daemon via launchd
+  // This ensures the daemon runs in the user's Aqua session with WindowServer access
+  // and survives app termination since it's managed by launchd, not as a child process
+  #[cfg(target_os = "macos")]
  {
-    use std::os::unix::process::CommandExt;
+    spawn_daemon_macos()?;
+  }

-    // Create a new process group so daemon survives parent exit
-    // Note: We don't call setsid() because on macOS that disconnects from the WindowServer
-    // which prevents the tray icon from appearing. Instead, we just set a new process group.
-    let mut cmd = Command::new(&daemon_path);
-    cmd
-      .arg("run")
-      .stdin(Stdio::null())
-      .stdout(Stdio::null())
-      .stderr(Stdio::null())
-      .process_group(0); // Create new process group without new session
-
-    cmd
-      .spawn()
-      .map_err(|e| format!("Failed to spawn daemon: {}", e))?;
+  // On Linux, use direct spawn
+  #[cfg(target_os = "linux")]
+  {
+    spawn_daemon_unix()?;
  }

  #[cfg(windows)]
  {
-    use std::os::windows::process::CommandExt;
-    const DETACHED_PROCESS: u32 = 0x00000008;
-    const CREATE_NEW_PROCESS_GROUP: u32 = 0x00000200;
-
-    Command::new(&daemon_path)
-      .arg("run")
-      .stdin(Stdio::null())
-      .stdout(Stdio::null())
-      .stderr(Stdio::null())
-      .creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP)
-      .spawn()
-      .map_err(|e| format!("Failed to spawn daemon: {}", e))?;
+    spawn_daemon_windows()?;
  }

  // Wait for daemon to start (max 3 seconds)
@@ -185,20 +206,154 @@ pub fn spawn_daemon() -> Result<(), String> {

  // Check if we got a state file at least
  let state = read_state();
-  if state.daemon_pid.is_some() {
-    log::info!(
-      "Daemon appears to have started (PID {} in state file)",
-      state.daemon_pid.unwrap()
-    );
+  if let Some(pid) = state.daemon_pid {
+    log::info!("Daemon appears to have started (PID {} in state file)", pid);
    return Ok(());
  }

  Err("Daemon did not start within timeout".to_string())
 }

+#[cfg(target_os = "macos")]
+fn spawn_daemon_macos() -> Result<(), String> {
+  use std::os::unix::process::CommandExt;
+
+  // In dev mode, use direct spawn instead of launchctl
+  // This avoids issues with plist paths pointing to wrong binaries
+  if is_dev_mode() {
+    log::info!("Dev mode detected, using direct spawn instead of launchctl");
+
+    let daemon_path = get_daemon_path().ok_or_else(|| {
+      format!(
+        "Could not find daemon binary. Current exe: {:?}",
+        std::env::current_exe().ok()
+      )
+    })?;
+
+    log::info!("Spawning daemon from: {:?}", daemon_path);
+
+    // Create a new process group so daemon survives parent exit
+    let mut cmd = Command::new(&daemon_path);
+    cmd
+      .arg("run")
+      .stdin(Stdio::null())
+      .stdout(Stdio::null())
+      .stderr(Stdio::null())
+      .process_group(0);
+
+    cmd
+      .spawn()
+      .map_err(|e| format!("Failed to spawn daemon: {}", e))?;
+
+    return Ok(());
+  }
+
+  // Production mode: use launchctl for proper daemon management
+  // First, ensure the LaunchAgent plist is installed
+  let autostart_enabled = autostart::is_autostart_enabled();
+  log::info!("LaunchAgent plist exists: {}", autostart_enabled);
+
+  if !autostart_enabled {
+    log::info!("Installing LaunchAgent plist for daemon management");
+    autostart::enable_autostart().map_err(|e| format!("Failed to install LaunchAgent: {}", e))?;
+    log::info!("LaunchAgent plist installed successfully");
+  }
+
+  // Load the launch agent via launchctl
+  log::info!("Loading daemon via launchctl...");
+  autostart::load_launch_agent().map_err(|e| format!("Failed to load LaunchAgent: {}", e))?;
+  log::info!("launchctl load completed");
+
+  // Also explicitly start the agent in case it was already loaded but stopped
+  if let Err(e) = autostart::start_launch_agent() {
+    log::debug!("launchctl start note (non-fatal): {}", e);
+  }
+
+  Ok(())
+}
+
+#[cfg(target_os = "linux")]
+fn spawn_daemon_unix() -> Result<(), String> {
+  use std::os::unix::process::CommandExt;
+
+  let daemon_path = get_daemon_path().ok_or_else(|| {
+    format!(
+      "Could not find daemon binary. Current exe: {:?}",
+      std::env::current_exe().ok()
+    )
+  })?;
+
+  log::info!("Spawning daemon from: {:?}", daemon_path);
+
+  // Create a new process group so daemon survives parent exit
+  let mut cmd = Command::new(&daemon_path);
+  cmd
+    .arg("run")
+    .stdin(Stdio::null())
+    .stdout(Stdio::null())
+    .stderr(Stdio::null())
+    .process_group(0);
+
+  cmd
+    .spawn()
+    .map_err(|e| format!("Failed to spawn daemon: {}", e))?;
+
+  Ok(())
+}
+
+#[cfg(windows)]
+fn spawn_daemon_windows() -> Result<(), String> {
+  use std::os::windows::process::CommandExt;
+  const DETACHED_PROCESS: u32 = 0x00000008;
+  const CREATE_NEW_PROCESS_GROUP: u32 = 0x00000200;
+
+  let daemon_path = get_daemon_path().ok_or_else(|| {
+    format!(
+      "Could not find daemon binary. Current exe: {:?}",
+      std::env::current_exe().ok()
+    )
+  })?;
+
+  log::info!("Spawning daemon from: {:?}", daemon_path);
+
+  Command::new(&daemon_path)
+    .arg("run")
+    .stdin(Stdio::null())
+    .stdout(Stdio::null())
+    .stderr(Stdio::null())
+    .creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP)
+    .spawn()
+    .map_err(|e| format!("Failed to spawn daemon: {}", e))?;
+
+  Ok(())
+}
+
 pub fn ensure_daemon_running() -> Result<(), String> {
  if !is_daemon_running() {
    spawn_daemon()?;
  }
  Ok(())
 }
+
+pub fn register_gui_pid() {
+  let path = get_state_path();
+  let mut val: serde_json::Value = if path.exists() {
+    fs::read_to_string(&path)
+      .ok()
+      .and_then(|c| serde_json::from_str(&c).ok())
+      .unwrap_or_else(|| serde_json::json!({}))
+  } else {
+    serde_json::json!({})
+  };
+
+  if let Some(obj) = val.as_object_mut() {
+    obj.insert(
+      "gui_pid".to_string(),
+      serde_json::Value::Number(std::process::id().into()),
+    );
+  }
+
+  if let Ok(content) = serde_json::to_string_pretty(&val) {
+    let _ = fs::write(&path, content);
+  }
+}
@@ -104,6 +104,7 @@ mod macos {
 }

 #[cfg(target_os = "windows")]
+#[allow(clippy::needless_borrows_for_generic_args)]
 mod windows {
  use std::path::Path;
  use winreg::enums::*;
@@ -203,7 +204,7 @@ mod windows {
      .map_err(|e| format!("Failed to set ApplicationDescription: {}", e))?;

    app_key
-      .set_value("ApplicationIcon", &format!("{},0", exe_path))
+      .set_value("ApplicationIcon", &format!("\"{}\",0", exe_path))
      .map_err(|e| format!("Failed to set ApplicationIcon: {}", e))?;

    // Create Capabilities key
@@ -272,7 +273,7 @@ mod windows {
      .map_err(|e| format!("Failed to create DefaultIcon key: {}", e))?;

    icon_key
-      .set_value("", &format!("{},0", exe_path))
+      .set_value("", &format!("\"{}\",0", exe_path))
      .map_err(|e| format!("Failed to set default icon: {}", e))?;

    // Create shell\open\command key
@@ -305,7 +306,7 @@ mod windows {
    match hkcu.create_subkey(&user_choice_path) {
      Ok((user_choice, _)) => {
        // Attempt to set the ProgId
-        if let Err(_) = user_choice.set_value("ProgId", &PROG_ID) {
+        if user_choice.set_value("ProgId", &PROG_ID).is_err() {
          // If we can't set UserChoice, that's expected on newer Windows versions
          // The registration is still valuable for the "Open with" menu
        }
@@ -345,37 +346,29 @@ mod windows {
    unsafe {
      use std::ffi::c_void;

-      // Declare the Windows API functions
-      type UINT = u32;
-      type DWORD = u32;
-      type LPARAM = isize;
-      type WPARAM = usize;
-
      const HWND_BROADCAST: *mut c_void = 0xffff as *mut c_void;
-      const WM_SETTINGCHANGE: UINT = 0x001A;
-      const SMTO_ABORTIFHUNG: UINT = 0x0002;
+      const WM_SETTINGCHANGE: u32 = 0x001A;
+      const SMTO_ABORTIFHUNG: u32 = 0x0002;

-      // Link to user32.dll functions
      extern "system" {
        fn SendMessageTimeoutA(
          hWnd: *mut c_void,
-          Msg: UINT,
-          wParam: WPARAM,
-          lParam: LPARAM,
-          fuFlags: UINT,
-          uTimeout: UINT,
-          lpdwResult: *mut DWORD,
+          Msg: u32,
+          wParam: usize,
+          lParam: isize,
+          fuFlags: u32,
+          uTimeout: u32,
+          lpdwResult: *mut u32,
        ) -> isize;
      }

-      let mut result: DWORD = 0;
+      let mut result: u32 = 0;

-      // Notify about file associations change
      SendMessageTimeoutA(
        HWND_BROADCAST,
        WM_SETTINGCHANGE,
        0,
-        "Software\\Classes\0".as_ptr() as LPARAM,
+        c"Software\\Classes".as_ptr() as isize,
        SMTO_ABORTIFHUNG,
        1000,
        &mut result,
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs;
@@ -71,16 +70,7 @@ impl DownloadedBrowsersRegistry {
  }

  fn get_registry_path() -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    let base_dirs = BaseDirs::new().ok_or("Failed to get base directories")?;
-    let mut path = base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("data");
-    path.push("downloaded_browsers.json");
-    Ok(path)
+    Ok(crate::app_dirs::data_subdir().join("downloaded_browsers.json"))
  }

  pub fn add_browser(&self, info: DownloadedBrowserInfo) {
@@ -128,19 +118,7 @@ impl DownloadedBrowsersRegistry {
    };
    let browser_instance = create_browser(browser_type.clone());

-    // Get binaries directory
-    let binaries_dir = if let Some(base_dirs) = directories::BaseDirs::new() {
-      let mut path = base_dirs.data_local_dir().to_path_buf();
-      path.push(if cfg!(debug_assertions) {
-        "DonutBrowserDev"
-      } else {
-        "DonutBrowser"
-      });
-      path.push("binaries");
-      path
-    } else {
-      return false;
-    };
+    let binaries_dir = crate::app_dirs::binaries_dir();

    let files_exist = browser_instance.is_version_downloaded(version, &binaries_dir);

@@ -312,6 +290,30 @@ impl DownloadedBrowsersRegistry {
      }
    }

+    // Filter out versions that would leave a browser with zero versions in the registry
+    {
+      let data = self.data.lock().unwrap();
+      let mut removal_counts: std::collections::HashMap<String, usize> =
+        std::collections::HashMap::new();
+      for (browser, _) in &to_remove {
+        *removal_counts.entry(browser.clone()).or_insert(0) += 1;
+      }
+      to_remove.retain(|(browser, version)| {
+        let total = data
+          .browsers
+          .get(browser.as_str())
+          .map(|v| v.len())
+          .unwrap_or(0);
+        let removing = *removal_counts.get(browser.as_str()).unwrap_or(&0);
+        if removing >= total {
+          log::info!("Keeping last available version: {browser} {version}");
+          *removal_counts.get_mut(browser.as_str()).unwrap() -= 1;
+          return false;
+        }
+        true
+      });
+    }
+
    // Remove unused binaries and their version folders
    for (browser, version) in to_remove {
      if let Err(e) = self.cleanup_failed_download(&browser, &version) {
@@ -511,15 +513,7 @@ impl DownloadedBrowsersRegistry {
    browser: &str,
    version: &str,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    // Get binaries directory path
-    let base_dirs = directories::BaseDirs::new().ok_or("Failed to get base directories")?;
-    let mut binaries_dir = base_dirs.data_local_dir().to_path_buf();
-    binaries_dir.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    binaries_dir.push("binaries");
+    let binaries_dir = crate::app_dirs::binaries_dir();

    let version_dir = binaries_dir.join(browser).join(version);

@@ -806,19 +800,7 @@ impl DownloadedBrowsersRegistry {

      let browser = create_browser(browser_type.clone());

-      // Get binaries directory
-      let binaries_dir = if let Some(base_dirs) = directories::BaseDirs::new() {
-        let mut path = base_dirs.data_local_dir().to_path_buf();
-        path.push(if cfg!(debug_assertions) {
-          "DonutBrowserDev"
-        } else {
-          "DonutBrowser"
-        });
-        path.push("binaries");
-        path
-      } else {
-        return Err("Failed to get base directories".into());
-      };
+      let binaries_dir = crate::app_dirs::binaries_dir();

      log::info!(
        "binaries_dir: {binaries_dir:?} for profile: {}",
@@ -1164,6 +1146,58 @@ mod tests {
    );
  }

+  #[test]
+  fn test_last_version_kept_during_cleanup() {
+    let registry = DownloadedBrowsersRegistry::new();
+
+    // Add a single version for "firefox"
+    registry.add_browser(DownloadedBrowserInfo {
+      browser: "firefox".to_string(),
+      version: "139.0".to_string(),
+      file_path: PathBuf::from("/test/firefox/139.0"),
+    });
+
+    // Add two versions for "chromium"
+    registry.add_browser(DownloadedBrowserInfo {
+      browser: "chromium".to_string(),
+      version: "120.0".to_string(),
+      file_path: PathBuf::from("/test/chromium/120.0"),
+    });
+    registry.add_browser(DownloadedBrowserInfo {
+      browser: "chromium".to_string(),
+      version: "121.0".to_string(),
+      file_path: PathBuf::from("/test/chromium/121.0"),
+    });
+
+    // No active or running profiles
+    let result = registry
+      .cleanup_unused_binaries_internal(&[], &[])
+      .expect("cleanup should succeed");
+
+    // firefox 139.0 should be kept (last version), chromium should lose one but keep one
+    // The exact one kept depends on iteration order, but at least one must remain
+    assert!(
+      !result.contains(&"firefox 139.0".to_string()),
+      "Last version of firefox should not be cleaned up"
+    );
+    // At most one chromium version should have been cleaned up
+    let chromium_cleaned: Vec<_> = result
+      .iter()
+      .filter(|r| r.starts_with("chromium"))
+      .collect();
+    assert!(
+      chromium_cleaned.len() <= 1,
+      "At most one chromium version should be cleaned up, got: {:?}",
+      chromium_cleaned
+    );
+
+    // Verify firefox is still registered
+    assert!(
+      registry.is_browser_registered("firefox", "139.0"),
+      "Last firefox version should still be registered"
+    );
+  }
+
  #[test]
  fn test_is_browser_registered_vs_downloaded() {
    let registry = DownloadedBrowsersRegistry::new();
@@ -1191,6 +1225,64 @@ mod tests {
  }
 }

+#[tauri::command]
+pub async fn ensure_active_browsers_downloaded(
+  app_handle: tauri::AppHandle,
+) -> Result<Vec<String>, String> {
+  let registry = DownloadedBrowsersRegistry::instance();
+  let version_manager = crate::browser_version_manager::BrowserVersionManager::instance();
+  let mut downloaded = Vec::new();
+
+  for browser in &["wayfern", "camoufox"] {
+    // Check if any version is already downloaded
+    let existing = registry.get_downloaded_versions(browser);
+    if !existing.is_empty() {
+      log::debug!(
+        "Skipping {browser}: already have {} version(s) downloaded",
+        existing.len()
+      );
+      continue;
+    }
+
+    // Get the latest release type for this browser
+    let release_types = match version_manager.get_browser_release_types(browser).await {
+      Ok(rt) => rt,
+      Err(e) => {
+        log::warn!("Failed to get release types for {browser}: {e}");
+        continue;
+      }
+    };
+
+    // Use stable version (the only release type for these browsers)
+    let version = match release_types.stable {
+      Some(v) => v,
+      None => {
+        log::debug!("No stable version available for {browser} on this platform, skipping");
+        continue;
+      }
+    };
+
+    log::info!("Auto-downloading {browser} {version} (no versions found locally)");
+    match crate::downloader::download_browser(
+      app_handle.clone(),
+      browser.to_string(),
+      version.clone(),
+    )
+    .await
+    {
+      Ok(_) => {
+        downloaded.push(format!("{browser} {version}"));
+        log::info!("Successfully auto-downloaded {browser} {version}");
+      }
+      Err(e) => {
+        log::warn!("Failed to auto-download {browser} {version}: {e}");
+      }
+    }
+  }
+
+  Ok(downloaded)
+}
+
 #[tauri::command]
 pub fn get_downloaded_browser_versions(browser_str: String) -> Result<Vec<String>, String> {
  let registry = DownloadedBrowsersRegistry::instance();
@@ -3,6 +3,7 @@ use serde::{Deserialize, Serialize};
 use std::io;
 use std::path::{Path, PathBuf};
 use std::sync::Mutex;
+use tokio_util::sync::CancellationToken;

 use crate::api_client::ApiClient;
 use crate::browser::{create_browser, BrowserType};
@@ -13,6 +14,8 @@ use crate::events;
 lazy_static::lazy_static! {
  static ref DOWNLOADING_BROWSERS: std::sync::Arc<Mutex<std::collections::HashSet<String>>> =
    std::sync::Arc::new(Mutex::new(std::collections::HashSet::new()));
+  static ref DOWNLOAD_CANCELLATION_TOKENS: std::sync::Arc<Mutex<std::collections::HashMap<String, CancellationToken>>> =
+    std::sync::Arc::new(Mutex::new(std::collections::HashMap::new()));
 }

 #[derive(Debug, Serialize, Deserialize, Clone)]
@@ -53,7 +56,7 @@ impl Downloader {
  }

  #[cfg(test)]
-  pub fn new_with_api_client(_api_client: ApiClient) -> Self {
+  pub fn new_for_test() -> Self {
    Self {
      client: Client::new(),
      api_client: ApiClient::instance(),
@@ -64,87 +67,53 @@ impl Downloader {
    }
  }

+  #[cfg(test)]
+  pub async fn download_file(
+    &self,
+    download_url: &str,
+    dest_path: &Path,
+    filename: &str,
+  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
+    let file_path = dest_path.join(filename);
+
+    let response = self
+      .client
+      .get(download_url)
+      .header(
+        "User-Agent",
+        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+      )
+      .send()
+      .await?;
+
+    if !response.status().is_success() {
+      return Err(format!("Download failed with status: {}", response.status()).into());
+    }
+
+    let mut file = std::fs::OpenOptions::new()
+      .create(true)
+      .truncate(true)
+      .write(true)
+      .open(&file_path)?;
+
+    let mut stream = response.bytes_stream();
+    use futures_util::StreamExt;
+    while let Some(chunk) = stream.next().await {
+      let chunk = chunk?;
+      io::copy(&mut chunk.as_ref(), &mut file)?;
+    }
+
+    Ok(file_path)
+  }
+
  /// Resolve the actual download URL for browsers that need dynamic asset resolution
  pub async fn resolve_download_url(
    &self,
    browser_type: BrowserType,
    version: &str,
-    download_info: &DownloadInfo,
+    _download_info: &DownloadInfo,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    match browser_type {
-      BrowserType::Brave => {
-        // For Brave, we need to find the actual platform-specific asset
-        let releases = self
-          .api_client
-          .fetch_brave_releases_with_caching(true)
-          .await?;
-
-        // Find the release with the matching version
-        let release = releases
-          .iter()
-          .find(|r| {
-            r.tag_name == version || r.tag_name == format!("v{}", version.trim_start_matches('v'))
-          })
-          .ok_or(format!("Brave version {version} not found"))?;
-
-        // Get platform and architecture info
-        let (os, arch) = Self::get_platform_info();
-
-        // Find the appropriate asset based on platform and architecture
-        let asset_url = self
-          .find_brave_asset(&release.assets, &os, &arch)
-          .ok_or(format!(
-            "No compatible asset found for Brave version {version} on {os}/{arch}"
-          ))?;
-
-        Ok(asset_url)
-      }
-      BrowserType::Zen => {
-        // For Zen, verify the asset exists and handle different naming patterns
-        let releases = match self.api_client.fetch_zen_releases_with_caching(true).await {
-          Ok(releases) => releases,
-          Err(e) => {
-            log::error!("Failed to fetch Zen releases: {e}");
-            return Err(format!("Failed to fetch Zen releases from GitHub API: {e}. This might be due to GitHub API rate limiting or network issues. Please try again later.").into());
-          }
-        };
-
-        let release = releases
-          .iter()
-          .find(|r| r.tag_name == version)
-          .ok_or_else(|| {
-            format!(
-              "Zen version {} not found. Available versions: {}",
-              version,
-              releases
-                .iter()
-                .take(5)
-                .map(|r| r.tag_name.as_str())
-                .collect::<Vec<_>>()
-                .join(", ")
-            )
-          })?;
-
-        // Get platform and architecture info
-        let (os, arch) = Self::get_platform_info();
-
-        // Find the appropriate asset
-        let asset_url = self
-          .find_zen_asset(&release.assets, &os, &arch)
-          .ok_or_else(|| {
-            let available_assets: Vec<&str> =
-              release.assets.iter().map(|a| a.name.as_str()).collect();
-            format!(
-              "No compatible asset found for Zen version {} on {}/{}. Available assets: {}",
-              version,
-              os,
-              arch,
-              available_assets.join(", ")
-            )
-          })?;
-
-        Ok(asset_url)
-      }
      BrowserType::Camoufox => {
        // For Camoufox, verify the asset exists and find the correct download URL
        let releases = self
@@ -155,7 +124,11 @@ impl Downloader {
        let release = releases
          .iter()
          .find(|r| r.tag_name == version)
-          .ok_or(format!("Camoufox version {version} not found"))?;
+          .or_else(|| {
+            log::info!("Camoufox: requested version {version} not found, using latest available");
+            releases.first()
+          })
+          .ok_or("No Camoufox releases found".to_string())?;

        // Get platform and architecture info
        let (os, arch) = Self::get_platform_info();
@@ -176,14 +149,10 @@ impl Downloader {
          .fetch_wayfern_version_with_caching(true)
          .await?;

-        // Verify requested version matches available version
        if version_info.version != version {
-          return Err(
-            format!(
-              "Wayfern version {version} not found. Available version: {}",
-              version_info.version
-            )
-            .into(),
+          log::info!(
+            "Wayfern: requested version {version}, using available version {}",
+            version_info.version
          );
        }

@@ -206,10 +175,6 @@ impl Downloader {

        Ok(download_url)
      }
-      _ => {
-        // For other browsers, use the provided URL
-        Ok(download_info.url.clone())
-      }
    }
  }

@@ -236,110 +201,6 @@ impl Downloader {
    (os.to_string(), arch.to_string())
  }

-  /// Find the appropriate Brave asset for the current platform and architecture
-  fn find_brave_asset(
-    &self,
-    assets: &[crate::browser::GithubAsset],
-    os: &str,
-    arch: &str,
-  ) -> Option<String> {
-    // Brave asset naming patterns:
-    // Windows: BraveBrowserStandaloneNightlySetup.exe, BraveBrowserStandaloneSilentNightlySetup.exe
-    // macOS: Brave-Browser-Nightly-universal.dmg, Brave-Browser-Nightly-universal.pkg
-    // Linux: brave-browser-1.79.119-linux-arm64.zip, brave-browser-1.79.119-linux-amd64.zip
-
-    let asset = match os {
-      "windows" => {
-        // For Windows, look for standalone setup EXE (not the auto-updater one)
-        assets
-          .iter()
-          .find(|asset| {
-            let name = asset.name.to_lowercase();
-            name.contains("standalone") && name.ends_with(".exe") && !name.contains("silent")
-          })
-          .or_else(|| {
-            // Fallback to any EXE if standalone not found
-            assets.iter().find(|asset| asset.name.ends_with(".exe"))
-          })
-      }
-      "macos" => {
-        // For macOS, prefer universal DMG
-        assets
-          .iter()
-          .find(|asset| {
-            let name = asset.name.to_lowercase();
-            name.contains("universal") && name.ends_with(".dmg")
-          })
-          .or_else(|| {
-            // Fallback to any DMG
-            assets.iter().find(|asset| asset.name.ends_with(".dmg"))
-          })
-      }
-      "linux" => {
-        // For Linux, be strict about architecture matching - same logic as has_compatible_brave_asset
-        let arch_pattern = if arch == "arm64" { "arm64" } else { "amd64" };
-
-        assets.iter().find(|asset| {
-          let name = asset.name.to_lowercase();
-          name.contains("linux") && name.contains(arch_pattern) && name.ends_with(".zip")
-        })
-      }
-      _ => None,
-    };
-
-    asset.map(|a| a.browser_download_url.clone())
-  }
-
-  /// Find the appropriate Zen asset for the current platform and architecture
-  fn find_zen_asset(
-    &self,
-    assets: &[crate::browser::GithubAsset],
-    os: &str,
-    arch: &str,
-  ) -> Option<String> {
-    // Zen asset naming patterns:
-    // Windows: zen.installer.exe, zen.installer-arm64.exe
-    // macOS: zen.macos-universal.dmg
-    // Linux: zen.linux-x86_64.tar.xz, zen.linux-aarch64.tar.xz, zen-x86_64.AppImage, zen-aarch64.AppImage
-
-    let asset = match (os, arch) {
-      ("windows", "x64") => assets
-        .iter()
-        .find(|asset| asset.name == "zen.installer.exe"),
-      ("windows", "arm64") => assets
-        .iter()
-        .find(|asset| asset.name == "zen.installer-arm64.exe"),
-      ("macos", _) => assets
-        .iter()
-        .find(|asset| asset.name == "zen.macos-universal.dmg"),
-      ("linux", "x64") => {
-        // Prefer tar.xz, fallback to AppImage
-        assets
-          .iter()
-          .find(|asset| asset.name == "zen.linux-x86_64.tar.xz")
-          .or_else(|| {
-            assets
-              .iter()
-              .find(|asset| asset.name == "zen-x86_64.AppImage")
-          })
-      }
-      ("linux", "arm64") => {
-        // Prefer tar.xz, fallback to AppImage
-        assets
-          .iter()
-          .find(|asset| asset.name == "zen.linux-aarch64.tar.xz")
-          .or_else(|| {
-            assets
-              .iter()
-              .find(|asset| asset.name == "zen-aarch64.AppImage")
-          })
-      }
-      _ => None,
-    };
-
-    asset.map(|a| a.browser_download_url.clone())
-  }
-
  /// Find the appropriate Camoufox asset for the current platform and architecture
  fn find_camoufox_asset(
    &self,
@@ -438,6 +299,7 @@ impl Downloader {
    version: &str,
    download_info: &DownloadInfo,
    dest_path: &Path,
+    cancel_token: Option<&CancellationToken>,
  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
    let file_path = dest_path.join(&download_info.filename);

@@ -446,16 +308,40 @@ impl Downloader {
      .resolve_download_url(browser_type.clone(), version, download_info)
      .await?;

-    // Check if this is a twilight release for special handling
-    let is_twilight =
-      browser_type == BrowserType::Zen && version.to_lowercase().contains("twilight");
-
-    // Determine if we have a partial file to resume
+    // Check existing file size — if it matches the expected size, skip download
    let mut existing_size: u64 = 0;
    if let Ok(meta) = std::fs::metadata(&file_path) {
      existing_size = meta.len();
    }

+    // Do a HEAD request to get the expected file size for skip/resume decisions
+    let head_response = self
+      .client
+      .head(&download_url)
+      .header(
+        "User-Agent",
+        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
+      )
+      .send()
+      .await
+      .ok();
+
+    let expected_size = head_response.as_ref().and_then(|r| r.content_length());
+
+    // If existing file matches expected size, skip download entirely
+    if existing_size > 0 {
+      if let Some(expected) = expected_size {
+        if existing_size == expected {
+          log::info!(
+            "Archive {} already exists with correct size ({} bytes), skipping download",
+            file_path.display(),
+            existing_size
+          );
+          return Ok(file_path);
+        }
+      }
+    }
+
    // Build request, add Range only if we have bytes. If the server responds with 416 (Range Not
    // Satisfiable), delete the partial file and retry once without the Range header.
    let response = {
@@ -544,11 +430,7 @@ impl Downloader {
      0.0
    };

-    let initial_stage = if is_twilight {
-      "downloading (twilight rolling release)".to_string()
-    } else {
-      "downloading".to_string()
-    };
+    let initial_stage = "downloading".to_string();

    let progress = DownloadProgress {
      browser: browser_type.as_str().to_string(),
@@ -573,6 +455,13 @@ impl Downloader {

    use futures_util::StreamExt;
    while let Some(chunk) = stream.next().await {
+      if let Some(token) = cancel_token {
+        if token.is_cancelled() {
+          drop(file);
+          let _ = std::fs::remove_file(&file_path);
+          return Err("Download cancelled".into());
+        }
+      }
      let chunk = chunk?;
      io::copy(&mut chunk.as_ref(), &mut file)?;
      downloaded += chunk.len() as u64;
@@ -603,11 +492,7 @@ impl Downloader {
          None
        };

-        let stage_description = if is_twilight {
-          "downloading (twilight rolling release)".to_string()
-        } else {
-          "downloading".to_string()
-        };
+        let stage_description = "downloading".to_string();

        let progress = DownloadProgress {
          browser: browser_type.as_str().to_string(),
@@ -635,21 +520,62 @@ impl Downloader {
    browser_str: String,
    version: String,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
-    // Check if Wayfern terms have been accepted before allowing any browser downloads
-    if !crate::wayfern_terms::WayfernTermsManager::instance().is_terms_accepted() {
+    // Only check Wayfern terms if Wayfern is already downloaded
+    let terms_manager = crate::wayfern_terms::WayfernTermsManager::instance();
+    if terms_manager.is_wayfern_downloaded() && !terms_manager.is_terms_accepted() {
      return Err("Please accept Wayfern Terms and Conditions before downloading browsers".into());
    }

+    // For Wayfern/Camoufox, resolve the actual available version from the API
+    let version = if browser_str == "wayfern" {
+      match self
+        .api_client
+        .fetch_wayfern_version_with_caching(true)
+        .await
+      {
+        Ok(info) if info.version != version => {
+          log::info!(
+            "Wayfern: requested {version}, using available {}",
+            info.version
+          );
+          info.version
+        }
+        _ => version,
+      }
+    } else if browser_str == "camoufox" {
+      match self
+        .api_client
+        .fetch_camoufox_releases_with_caching(true)
+        .await
+      {
+        Ok(releases) if !releases.is_empty() && releases[0].tag_name != version => {
+          log::info!(
+            "Camoufox: requested {version}, using available {}",
+            releases[0].tag_name
+          );
+          releases[0].tag_name.clone()
+        }
+        _ => version,
+      }
+    } else {
+      version
+    };
+
    // Check if this browser-version pair is already being downloaded
    let download_key = format!("{browser_str}-{version}");
-    {
+    let cancel_token = {
      let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
      if downloading.contains(&download_key) {
        return Err(format!("Browser '{browser_str}' version '{version}' is already being downloaded. Please wait for the current download to complete.").into());
      }
      // Mark this browser-version pair as being downloaded
      downloading.insert(download_key.clone());
-    }
+
+      let token = CancellationToken::new();
+      let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+      tokens.insert(download_key.clone(), token.clone());
+      token
+    };

    let browser_type =
      BrowserType::from_str(&browser_str).map_err(|e| format!("Invalid browser type: {e}"))?;
@@ -657,21 +583,7 @@ impl Downloader {

    // Use injected registry instance

-    // Get binaries directory - we need to get it from somewhere
-    // This is a bit tricky since we don't have access to BrowserRunner's get_binaries_dir
-    // We'll need to replicate this logic
-    let binaries_dir = if let Some(base_dirs) = directories::BaseDirs::new() {
-      let mut path = base_dirs.data_local_dir().to_path_buf();
-      path.push(if cfg!(debug_assertions) {
-        "DonutBrowserDev"
-      } else {
-        "DonutBrowser"
-      });
-      path.push("binaries");
-      path
-    } else {
-      return Err("Failed to get base directories".into());
-    };
+    let binaries_dir = crate::app_dirs::binaries_dir();

    // Check if registry thinks it's downloaded, but also verify files actually exist
    if self.registry.is_browser_downloaded(&browser_str, &version) {
@@ -681,6 +593,9 @@ impl Downloader {
        // Remove from downloading set since it's already downloaded
        let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
        downloading.remove(&download_key);
+        drop(downloading);
+        let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+        tokens.remove(&download_key);
        return Ok(version);
      } else {
        // Registry says it's downloaded but files don't exist - clean up registry
@@ -702,6 +617,9 @@ impl Downloader {
      // Remove from downloading set on error
      let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
      downloading.remove(&download_key);
+      drop(downloading);
+      let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+      tokens.remove(&download_key);
      return Err(
        format!(
          "Browser '{}' is not supported on your platform ({} {}). Supported browsers: {}",
@@ -741,6 +659,7 @@ impl Downloader {
        &version,
        &download_info,
        &browser_dir,
+        Some(&cancel_token),
      )
      .await
    {
@@ -752,6 +671,25 @@ impl Downloader {
        let _ = self.registry.save();
        let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
        downloading.remove(&download_key);
+        drop(downloading);
+        let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+        tokens.remove(&download_key);
+
+        // Emit cancelled stage if the download was cancelled by user
+        if cancel_token.is_cancelled() {
+          let progress = DownloadProgress {
+            browser: browser_str.clone(),
+            version: version.clone(),
+            downloaded_bytes: 0,
+            total_bytes: None,
+            percentage: 0.0,
+            speed_bytes_per_sec: 0.0,
+            eta_seconds: None,
+            stage: "cancelled".to_string(),
+          };
+          let _ = events::emit("download-progress", &progress);
+        }
+
        return Err(format!("Failed to download browser: {e}").into());
      }
    };
@@ -773,15 +711,38 @@ impl Downloader {
          // Do not remove the archive here. We keep it until verification succeeds.
        }
        Err(e) => {
-          // Do not remove the archive or extracted files. Just drop the registry entry
-          // so it won't be reported as downloaded.
+          log::error!("Extraction failed for {browser_str} {version}: {e}");
+
+          // Delete the corrupt/invalid archive so a fresh download happens next time
+          if download_path.exists() {
+            log::info!("Deleting corrupt archive: {}", download_path.display());
+            let _ = std::fs::remove_file(&download_path);
+          }
+
          let _ = self.registry.remove_browser(&browser_str, &version);
          let _ = self.registry.save();
-          // Remove browser-version pair from downloading set on error
          {
            let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
            downloading.remove(&download_key);
          }
+          {
+            let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+            tokens.remove(&download_key);
+          }
+
+          // Emit error stage so the UI shows a toast
+          let progress = DownloadProgress {
+            browser: browser_str.clone(),
+            version: version.clone(),
+            downloaded_bytes: 0,
+            total_bytes: None,
+            percentage: 0.0,
+            speed_bytes_per_sec: 0.0,
+            eta_seconds: None,
+            stage: "error".to_string(),
+          };
+          let _ = events::emit("download-progress", &progress);
+
          return Err(format!("Failed to extract browser: {e}").into());
        }
      }
@@ -869,6 +830,10 @@ impl Downloader {
        let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
        downloading.remove(&download_key);
      }
+      {
+        let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+        tokens.remove(&download_key);
+      }
      return Err(error_details.into());
    }

@@ -924,7 +889,6 @@ impl Downloader {
        .await
      {
        log::warn!("Failed to create version.json for Camoufox: {e}");
-        // Don't fail the download if version.json creation fails
      }
    }

@@ -941,11 +905,49 @@ impl Downloader {
    };
    let _ = events::emit("download-progress", &progress);

-    // Remove browser-version pair from downloading set
+    // Remove browser-version pair from downloading set and cancel token
    {
      let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
      downloading.remove(&download_key);
    }
+    {
+      let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+      tokens.remove(&download_key);
+    }
+
+    // Auto-update non-running profiles to the latest installed version and cleanup unused binaries
+    {
+      let app_handle_for_update = app_handle.clone();
+      tauri::async_runtime::spawn(async move {
+        let auto_updater = crate::auto_updater::AutoUpdater::instance();
+        match auto_updater.update_profiles_to_latest_installed(&app_handle_for_update) {
+          Ok(updated) => {
+            if !updated.is_empty() {
+              log::info!(
+                "Auto-updated {} profiles to latest installed versions: {:?}",
+                updated.len(),
+                updated
+              );
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to auto-update profile versions: {e}");
+          }
+        }
+
+        let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+        match registry.cleanup_unused_binaries() {
+          Ok(cleaned) => {
+            if !cleaned.is_empty() {
+              log::info!("Cleaned up unused binaries after download: {:?}", cleaned);
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to cleanup unused binaries: {e}");
+          }
+        }
+      });
+    }

    Ok(version)
  }
@@ -964,88 +966,42 @@ pub async fn download_browser(
    .map_err(|e| format!("Failed to download browser: {e}"))
 }

+#[tauri::command]
+pub async fn cancel_download(browser_str: String, version: String) -> Result<(), String> {
+  let download_key = format!("{browser_str}-{version}");
+  let token = {
+    let tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
+    tokens.get(&download_key).cloned()
+  };
+
+  if let Some(token) = token {
+    token.cancel();
+    Ok(())
+  } else {
+    Err(format!(
+      "No active download found for {browser_str} {version}"
+    ))
+  }
+}
+
 #[cfg(test)]
 mod tests {
  use super::*;
-  use crate::api_client::ApiClient;
-  use crate::browser::BrowserType;
-  use crate::browser_version_manager::DownloadInfo;

  use tempfile::TempDir;
  use wiremock::matchers::{method, path};
  use wiremock::{Mock, MockServer, ResponseTemplate};

-  async fn setup_mock_server() -> MockServer {
-    MockServer::start().await
-  }
-
-  fn create_test_api_client(server: &MockServer) -> ApiClient {
-    let base_url = server.uri();
-    ApiClient::new_with_base_urls(
-      base_url.clone(), // firefox_api_base
-      base_url.clone(), // firefox_dev_api_base
-      base_url.clone(), // github_api_base
-      base_url.clone(), // chromium_api_base
-    )
-  }
-
  #[tokio::test]
-  async fn test_resolve_firefox_download_url() {
-    let server = setup_mock_server().await;
+  async fn test_download_file_with_progress() {
+    let server = MockServer::start().await;
+    let downloader = Downloader::new_for_test();

-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
-
-    let download_info = DownloadInfo {
-      url: "https://download.mozilla.org/?product=firefox-139.0&os=osx&lang=en-US".to_string(),
-      filename: "firefox-test.dmg".to_string(),
-      is_archive: true,
-    };
-
-    let result = downloader
-      .resolve_download_url(BrowserType::Firefox, "139.0", &download_info)
-      .await;
-
-    assert!(result.is_ok());
-    let url = result.unwrap();
-    assert_eq!(url, download_info.url);
-  }
-
-  #[tokio::test]
-  async fn test_resolve_chromium_download_url() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
-
-    let download_info = DownloadInfo {
-      url: "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Mac/1465660/chrome-mac.zip".to_string(),
-      filename: "chromium-test.zip".to_string(),
-      is_archive: true,
-    };
-
-    let result = downloader
-      .resolve_download_url(BrowserType::Chromium, "1465660", &download_info)
-      .await;
-
-    assert!(result.is_ok());
-    let url = result.unwrap();
-    assert_eq!(url, download_info.url);
-  }
-
-  #[tokio::test]
-  async fn test_download_browser_with_progress() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
-
-    // Create a temporary directory for the test
    let temp_dir = TempDir::new().unwrap();
    let dest_path = temp_dir.path();

-    // Create test file content (simulating a small download)
    let test_content = b"This is a test file content for download simulation";

-    // Mock the download endpoint
    Mock::given(method("GET"))
      .and(path("/test-download"))
      .respond_with(
@@ -1057,83 +1013,51 @@ mod tests {
      .mount(&server)
      .await;

-    let download_info = DownloadInfo {
-      url: format!("{}/test-download", server.uri()),
-      filename: "test-file.dmg".to_string(),
-      is_archive: true,
-    };
-
-    // Create a mock app handle for testing
-    let app = tauri::test::mock_app();
-    let app_handle = app.handle().clone();
+    let download_url = format!("{}/test-download", server.uri());

    let result = downloader
-      .download_browser(
-        &app_handle,
-        BrowserType::Firefox,
-        "139.0",
-        &download_info,
-        dest_path,
-      )
+      .download_file(&download_url, dest_path, "test-file.dmg")
      .await;

    assert!(result.is_ok());
    let downloaded_file = result.unwrap();
    assert!(downloaded_file.exists());

-    // Verify file content
    let downloaded_content = std::fs::read(&downloaded_file).unwrap();
    assert_eq!(downloaded_content, test_content);
  }

  #[tokio::test]
-  async fn test_download_browser_network_error() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
+  async fn test_download_file_network_error() {
+    let server = MockServer::start().await;
+    let downloader = Downloader::new_for_test();

    let temp_dir = TempDir::new().unwrap();
    let dest_path = temp_dir.path();

-    // Mock a 404 response
    Mock::given(method("GET"))
      .and(path("/missing-file"))
      .respond_with(ResponseTemplate::new(404))
      .mount(&server)
      .await;

-    let download_info = DownloadInfo {
-      url: format!("{}/missing-file", server.uri()),
-      filename: "missing-file.dmg".to_string(),
-      is_archive: true,
-    };
-
-    let app = tauri::test::mock_app();
-    let app_handle = app.handle().clone();
+    let download_url = format!("{}/missing-file", server.uri());

    let result = downloader
-      .download_browser(
-        &app_handle,
-        BrowserType::Firefox,
-        "139.0",
-        &download_info,
-        dest_path,
-      )
+      .download_file(&download_url, dest_path, "missing-file.dmg")
      .await;

    assert!(result.is_err());
  }

  #[tokio::test]
-  async fn test_download_browser_chunked_response() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
+  async fn test_download_file_chunked_response() {
+    let server = MockServer::start().await;
+    let downloader = Downloader::new_for_test();

    let temp_dir = TempDir::new().unwrap();
    let dest_path = temp_dir.path();

-    // Create larger test content to simulate chunked transfer
    let test_content = vec![42u8; 1024]; // 1KB of data

    Mock::given(method("GET"))
@@ -1147,23 +1071,10 @@ mod tests {
      .mount(&server)
      .await;

-    let download_info = DownloadInfo {
-      url: format!("{}/chunked-download", server.uri()),
-      filename: "chunked-file.dmg".to_string(),
-      is_archive: true,
-    };
-
-    let app = tauri::test::mock_app();
-    let app_handle = app.handle().clone();
+    let download_url = format!("{}/chunked-download", server.uri());

    let result = downloader
-      .download_browser(
-        &app_handle,
-        BrowserType::Chromium,
-        "1465660",
-        &download_info,
-        dest_path,
-      )
+      .download_file(&download_url, dest_path, "chunked-file.dmg")
      .await;

    assert!(result.is_ok());
@@ -0,0 +1,329 @@
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::sync::Mutex;
+
+use crate::profile::BrowserProfile;
+
+lazy_static::lazy_static! {
+  static ref EPHEMERAL_DIRS: Mutex<HashMap<String, PathBuf>> = Mutex::new(HashMap::new());
+}
+
+/// Get or create the RAM-backed base directory for ephemeral profiles.
+/// Linux: /dev/shm (always tmpfs). macOS: RAM disk via hdiutil. Windows: imdisk RAM disk.
+fn get_ephemeral_base_dir() -> Result<PathBuf, String> {
+  #[cfg(target_os = "linux")]
+  {
+    let base = PathBuf::from("/dev/shm/donut-ephemeral");
+    std::fs::create_dir_all(&base)
+      .map_err(|e| format!("Failed to create ephemeral base in /dev/shm: {e}"))?;
+    Ok(base)
+  }
+
+  #[cfg(not(target_os = "linux"))]
+  {
+    #[cfg(target_os = "macos")]
+    {
+      if let Ok(mount) = get_or_create_macos_ramdisk() {
+        return Ok(mount);
+      }
+      log::warn!("Failed to create macOS RAM disk, ephemeral profiles may use disk");
+    }
+
+    #[cfg(target_os = "windows")]
+    {
+      if let Ok(mount) = get_or_create_windows_ramdisk() {
+        return Ok(mount);
+      }
+      log::warn!("Failed to create Windows RAM disk, ephemeral profiles may use disk");
+    }
+
+    // Fallback
+    let base = std::env::temp_dir().join("donut-ephemeral");
+    std::fs::create_dir_all(&base)
+      .map_err(|e| format!("Failed to create ephemeral base dir: {e}"))?;
+    Ok(base)
+  }
+}
+
+#[cfg(target_os = "macos")]
+fn get_or_create_macos_ramdisk() -> Result<PathBuf, String> {
+  let mount_point = PathBuf::from("/Volumes/DonutEphemeral");
+
+  // Reuse existing RAM disk from a previous session
+  if mount_point.exists() && mount_point.is_dir() {
+    return Ok(mount_point);
+  }
+
+  // 256 MB in 512-byte sectors
+  let sectors = 256 * 2048;
+  let output = std::process::Command::new("hdiutil")
+    .args(["attach", "-nomount", &format!("ram://{sectors}")])
+    .output()
+    .map_err(|e| format!("hdiutil attach failed: {e}"))?;
+
+  if !output.status.success() {
+    return Err(format!(
+      "hdiutil attach failed: {}",
+      String::from_utf8_lossy(&output.stderr)
+    ));
+  }
+
+  let dev = String::from_utf8_lossy(&output.stdout).trim().to_string();
+
+  let fmt = std::process::Command::new("diskutil")
+    .args(["erasevolume", "HFS+", "DonutEphemeral", &dev])
+    .output()
+    .map_err(|e| format!("diskutil erasevolume failed: {e}"))?;
+
+  if !fmt.status.success() {
+    let _ = std::process::Command::new("hdiutil")
+      .args(["detach", &dev])
+      .output();
+    return Err(format!(
+      "diskutil erasevolume failed: {}",
+      String::from_utf8_lossy(&fmt.stderr)
+    ));
+  }
+
+  log::info!("Created macOS RAM disk at {}", mount_point.display());
+  Ok(mount_point)
+}
+
+#[cfg(target_os = "windows")]
+fn get_or_create_windows_ramdisk() -> Result<PathBuf, String> {
+  // Check if a previous RAM disk with our directory already exists
+  for letter in ['R', 'Q', 'P', 'O'] {
+    let base = PathBuf::from(format!("{}:\\DonutEphemeral", letter));
+    if base.exists() && base.is_dir() {
+      return Ok(base);
+    }
+  }
+
+  // Try to create a RAM disk using imdisk (open-source RAM disk driver)
+  for letter in ['R', 'Q', 'P', 'O'] {
+    let drive = format!("{}:", letter);
+    if PathBuf::from(format!("{}\\", drive)).exists() {
+      continue;
+    }
+
+    let output = std::process::Command::new("imdisk")
+      .args(["-a", "-s", "256M", "-m", &drive, "-p", "/fs:ntfs /q /y"])
+      .output();
+
+    match output {
+      Ok(out) if out.status.success() => {
+        let base = PathBuf::from(format!("{}\\DonutEphemeral", drive));
+        std::fs::create_dir_all(&base)
+          .map_err(|e| format!("Failed to create dir on RAM disk: {e}"))?;
+        log::info!("Created Windows RAM disk at {}", base.display());
+        return Ok(base);
+      }
+      Ok(out) => {
+        log::debug!(
+          "imdisk failed for drive {}: {}",
+          drive,
+          String::from_utf8_lossy(&out.stderr)
+        );
+      }
+      Err(e) => {
+        return Err(format!("imdisk not available: {e}"));
+      }
+    }
+  }
+
+  Err("Could not create Windows RAM disk".to_string())
+}
+
+pub fn create_ephemeral_dir(profile_id: &str) -> Result<PathBuf, String> {
+  let base = get_ephemeral_base_dir()?;
+  let dir_path = base.join(profile_id);
+
+  std::fs::create_dir_all(&dir_path).map_err(|e| format!("Failed to create ephemeral dir: {e}"))?;
+
+  EPHEMERAL_DIRS
+    .lock()
+    .map_err(|e| format!("Failed to lock ephemeral dirs: {e}"))?
+    .insert(profile_id.to_string(), dir_path.clone());
+
+  log::info!(
+    "Created ephemeral dir for profile {}: {}",
+    profile_id,
+    dir_path.display()
+  );
+
+  Ok(dir_path)
+}
+
+pub fn get_ephemeral_dir(profile_id: &str) -> Option<PathBuf> {
+  EPHEMERAL_DIRS.lock().ok()?.get(profile_id).cloned()
+}
+
+pub fn remove_ephemeral_dir(profile_id: &str) {
+  let dir = EPHEMERAL_DIRS
+    .lock()
+    .ok()
+    .and_then(|mut map| map.remove(profile_id));
+
+  if let Some(dir_path) = dir {
+    if dir_path.exists() {
+      if let Err(e) = std::fs::remove_dir_all(&dir_path) {
+        log::warn!("Failed to remove ephemeral dir {}: {e}", dir_path.display());
+      } else {
+        log::info!(
+          "Removed ephemeral dir for profile {}: {}",
+          profile_id,
+          dir_path.display()
+        );
+      }
+    }
+  }
+}
+
+/// Recover ephemeral dir mappings on startup by scanning the RAM-backed base dir.
+/// Dir names are profile UUIDs, so we re-populate the in-memory HashMap.
+/// Also cleans up old disk-based dirs from previous versions.
+pub fn recover_ephemeral_dirs() {
+  cleanup_legacy_dirs();
+
+  let base = match get_ephemeral_base_dir() {
+    Ok(base) => base,
+    Err(e) => {
+      log::warn!("Cannot recover ephemeral dirs: {e}");
+      return;
+    }
+  };
+
+  let entries = match std::fs::read_dir(&base) {
+    Ok(entries) => entries,
+    Err(_) => return,
+  };
+
+  let mut dirs = match EPHEMERAL_DIRS.lock() {
+    Ok(dirs) => dirs,
+    Err(_) => return,
+  };
+
+  for entry in entries.flatten() {
+    if entry.path().is_dir() {
+      if let Some(name) = entry.file_name().to_str() {
+        if uuid::Uuid::parse_str(name).is_ok() {
+          dirs.insert(name.to_string(), entry.path());
+          log::info!("Recovered ephemeral dir for profile {}", name);
+        }
+      }
+    }
+  }
+}
+
+/// Remove old-format ephemeral dirs from /tmp (pre-tmpfs migration).
+fn cleanup_legacy_dirs() {
+  let temp_dir = std::env::temp_dir();
+  let entries = match std::fs::read_dir(&temp_dir) {
+    Ok(entries) => entries,
+    Err(_) => return,
+  };
+
+  for entry in entries.flatten() {
+    if let Some(name) = entry.file_name().to_str() {
+      if name.starts_with("donut-ephemeral-") && entry.path().is_dir() {
+        if let Err(e) = std::fs::remove_dir_all(entry.path()) {
+          log::warn!("Failed to clean up legacy ephemeral dir: {e}");
+        } else {
+          log::info!(
+            "Cleaned up legacy ephemeral dir: {}",
+            entry.path().display()
+          );
+        }
+      }
+    }
+  }
+}
+
+pub fn get_effective_profile_path(profile: &BrowserProfile, profiles_dir: &Path) -> PathBuf {
+  if profile.ephemeral {
+    if let Some(dir) = get_ephemeral_dir(&profile.id.to_string()) {
+      return dir;
+    }
+  }
+  profile.get_profile_data_path(profiles_dir)
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  fn make_test_profile(id: uuid::Uuid, ephemeral: bool) -> BrowserProfile {
+    BrowserProfile {
+      id,
+      name: "test".to_string(),
+      browser: "camoufox".to_string(),
+      version: "1.0".to_string(),
+      proxy_id: None,
+      vpn_id: None,
+      process_id: None,
+      last_launch: None,
+      release_type: "stable".to_string(),
+      camoufox_config: None,
+      wayfern_config: None,
+      group_id: None,
+      tags: Vec::new(),
+      note: None,
+      sync_mode: crate::profile::types::SyncMode::Disabled,
+      encryption_salt: None,
+      last_sync: None,
+      host_os: None,
+      ephemeral,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
+    }
+  }
+
+  #[test]
+  #[serial_test::serial]
+  fn test_ephemeral_dir_lifecycle() {
+    let profile_id = uuid::Uuid::new_v4();
+    let id_str = profile_id.to_string();
+
+    let dir = create_ephemeral_dir(&id_str).unwrap();
+    assert!(dir.is_dir());
+    assert_eq!(get_ephemeral_dir(&id_str), Some(dir.clone()));
+
+    let ephemeral_profile = make_test_profile(profile_id, true);
+    let profiles_dir = std::env::temp_dir().join("test_profiles_ephemeral");
+    assert_eq!(
+      get_effective_profile_path(&ephemeral_profile, &profiles_dir),
+      dir
+    );
+
+    remove_ephemeral_dir(&id_str);
+    assert!(!dir.exists());
+    assert!(get_ephemeral_dir(&id_str).is_none());
+
+    let persistent_profile = make_test_profile(uuid::Uuid::new_v4(), false);
+    let expected = persistent_profile.get_profile_data_path(&profiles_dir);
+    assert_eq!(
+      get_effective_profile_path(&persistent_profile, &profiles_dir),
+      expected
+    );
+  }
+
+  #[test]
+  fn test_recover_ephemeral_dirs() {
+    let base = get_ephemeral_base_dir().unwrap();
+    let test_id = uuid::Uuid::new_v4().to_string();
+    let test_dir = base.join(&test_id);
+    std::fs::create_dir_all(&test_dir).unwrap();
+
+    // Clear the HashMap so recovery has something to find
+    EPHEMERAL_DIRS.lock().unwrap().remove(&test_id);
+    assert!(get_ephemeral_dir(&test_id).is_none());
+
+    recover_ephemeral_dirs();
+    assert_eq!(get_ephemeral_dir(&test_id), Some(test_dir.clone()));
+
+    // Clean up
+    remove_ephemeral_dir(&test_id);
+  }
+}
@@ -6,8 +6,8 @@ use crate::browser::BrowserType;
 use crate::downloader::DownloadProgress;
 use crate::events;

-#[cfg(any(target_os = "macos", target_os = "windows"))]
-use std::process::Command;
+#[cfg(target_os = "macos")]
+use tokio::process::Command;

 #[cfg(target_os = "macos")]
 use std::fs::create_dir_all;
@@ -38,12 +38,7 @@ impl Extractor {
      "camoufox"
    } else if dest_dir.to_string_lossy().contains("wayfern") {
      "wayfern"
-    } else if dest_dir.to_string_lossy().contains("firefox") {
-      "firefox"
-    } else if dest_dir.to_string_lossy().contains("zen") {
-      "zen"
    } else {
-      // For other browsers, assume the structure is already correct
      return Ok(());
    };

@@ -237,17 +232,8 @@ impl Extractor {
    &self,
    file_path: &Path,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
-    // First check file extension for DMG files since they're common on macOS
-    // and can have misleading magic numbers
-    if let Some(ext) = file_path.extension().and_then(|ext| ext.to_str()) {
-      if ext.to_lowercase() == "dmg" {
-        return Ok("dmg".to_string());
-      }
-      if ext.to_lowercase() == "msi" {
-        return Ok("msi".to_string());
-      }
-    }
-
+    // Always check magic bytes first — the file extension may be wrong
+    // (e.g. CDN serving a ZIP with .dmg extension)
    let mut file = File::open(file_path)?;
    let mut buffer = [0u8; 12]; // Read first 12 bytes for magic number detection
    file.read_exact(&mut buffer)?;
@@ -362,16 +348,20 @@ impl Extractor {
      .args([
        "attach",
        "-nobrowse",
+        "-noverify",
+        "-noautoopen",
        "-mountpoint",
        mount_point.to_str().unwrap(),
        dmg_path.to_str().unwrap(),
      ])
-      .output()?;
+      .stdin(std::process::Stdio::null())
+      .output()
+      .await?;

    if !output.status.success() {
      let stderr = String::from_utf8_lossy(&output.stderr);
      let stdout = String::from_utf8_lossy(&output.stdout);
-      log::info!("Failed to mount DMG. stdout: {stdout}, stderr: {stderr}");
+      log::error!("Failed to mount DMG. stdout: {stdout}, stderr: {stderr}");

      // Clean up mount point before returning error
      let _ = fs::remove_dir_all(&mount_point);
@@ -387,12 +377,13 @@ impl Extractor {
    let app_entry = match app_result {
      Ok(app_path) => app_path,
      Err(e) => {
-        log::info!("Failed to find .app in mount point: {e}");
+        log::error!("Failed to find .app in mount point: {e}");

        // Try to unmount before returning error
        let _ = Command::new("hdiutil")
          .args(["detach", "-force", mount_point.to_str().unwrap()])
-          .output();
+          .output()
+          .await;
        let _ = fs::remove_dir_all(&mount_point);

        return Err("No .app found after extraction".into());
@@ -412,16 +403,18 @@ impl Extractor {
        app_entry.to_str().unwrap(),
        app_path.to_str().unwrap(),
      ])
-      .output()?;
+      .output()
+      .await?;

    if !output.status.success() {
      let stderr = String::from_utf8_lossy(&output.stderr);
-      log::info!("Failed to copy app: {stderr}");
+      log::error!("Failed to copy app: {stderr}");

      // Unmount before returning error
      let _ = Command::new("hdiutil")
        .args(["detach", "-force", mount_point.to_str().unwrap()])
-        .output();
+        .output()
+        .await;
      let _ = fs::remove_dir_all(&mount_point);

      return Err(format!("Failed to copy app: {stderr}").into());
@@ -432,18 +425,21 @@ impl Extractor {
    // Remove quarantine attributes
    let _ = Command::new("xattr")
      .args(["-dr", "com.apple.quarantine", app_path.to_str().unwrap()])
-      .output();
+      .output()
+      .await;

    let _ = Command::new("xattr")
      .args(["-cr", app_path.to_str().unwrap()])
-      .output();
+      .output()
+      .await;

    log::info!("Removed quarantine attributes");

    // Unmount the DMG
    let output = Command::new("hdiutil")
      .args(["detach", mount_point.to_str().unwrap()])
-      .output()?;
+      .output()
+      .await?;

    if !output.status.success() {
      let stderr = String::from_utf8_lossy(&output.stderr);
@@ -593,7 +589,11 @@ impl Extractor {
      }
    }

-    log::info!("ZIP extraction completed. Searching for executable...");
+    log::info!("ZIP extraction completed.");
+
+    self.flatten_single_directory_archive(dest_dir)?;
+
+    log::info!("Searching for executable...");
    self
      .find_extracted_executable(dest_dir)
      .await
@@ -617,7 +617,9 @@ impl Extractor {
    // Set executable permissions for extracted files
    self.set_executable_permissions_recursive(dest_dir).await?;

-    log::info!("tar.gz extraction completed. Searching for executable...");
+    log::info!("tar.gz extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -638,7 +640,9 @@ impl Extractor {
    // Set executable permissions for extracted files
    self.set_executable_permissions_recursive(dest_dir).await?;

-    log::info!("tar.bz2 extraction completed. Searching for executable...");
+    log::info!("tar.bz2 extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -673,7 +677,9 @@ impl Extractor {
    // Set executable permissions for extracted files
    self.set_executable_permissions_recursive(dest_dir).await?;

-    log::info!("tar.xz extraction completed. Searching for executable...");
+    log::info!("tar.xz extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -691,7 +697,9 @@ impl Extractor {
      extractor.to(dest_dir);
    }

-    log::info!("MSI extraction completed. Searching for executable...");
+    log::info!("MSI extraction completed.");
+    self.flatten_single_directory_archive(dest_dir)?;
+    log::info!("Searching for executable...");
    self.find_extracted_executable(dest_dir).await
  }

@@ -727,55 +735,91 @@ impl Extractor {
    dest_dir: &Path,
    browser_type: BrowserType,
  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    match browser_type {
-      BrowserType::Zen => {
-        // Zen installer EXE needs to be run to install
-        #[cfg(target_os = "windows")]
-        {
-          self.install_zen_windows(exe_path, dest_dir).await
-        }
-        #[cfg(not(target_os = "windows"))]
-        {
-          Err("Zen EXE installation is only supported on Windows".into())
-        }
-      }
-      _ => {
-        // For other browsers (Firefox, TOR, etc.), the EXE is typically just copied
-        let exe_name = exe_path
-          .file_name()
-          .and_then(|name| name.to_str())
-          .unwrap_or("browser.exe");
+    {
+      let _ = browser_type;
+      let exe_name = exe_path
+        .file_name()
+        .and_then(|name| name.to_str())
+        .unwrap_or("browser.exe");

-        let dest_path = dest_dir.join(exe_name);
-        fs::copy(exe_path, &dest_path)?;
-        Ok(dest_path)
-      }
+      let dest_path = dest_dir.join(exe_name);
+      fs::copy(exe_path, &dest_path)?;
+      Ok(dest_path)
    }
  }

-  #[cfg(target_os = "windows")]
-  async fn install_zen_windows(
+  fn flatten_single_directory_archive(
    &self,
-    installer_path: &Path,
    dest_dir: &Path,
-  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    // For Zen installer, we need to run it silently
-    let output = Command::new(installer_path)
-      .args(["/S", &format!("/D={}", dest_dir.display())])
-      .output()?;
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let entries: Vec<_> = fs::read_dir(dest_dir)?.filter_map(|e| e.ok()).collect();

-    if !output.status.success() {
-      return Err(
-        format!(
-          "Failed to install Zen: {}",
-          String::from_utf8_lossy(&output.stderr)
-        )
-        .into(),
-      );
+    let archive_extensions = ["zip", "tar", "xz", "gz", "bz2", "dmg", "msi", "exe"];
+
+    let mut dirs = Vec::new();
+    let mut has_non_archive_files = false;
+
+    for entry in &entries {
+      let path = entry.path();
+      if path.is_dir() {
+        dirs.push(path);
+      } else if let Some(ext) = path.extension().and_then(|e| e.to_str()) {
+        if !archive_extensions.contains(&ext.to_lowercase().as_str()) {
+          has_non_archive_files = true;
+        }
+      } else {
+        has_non_archive_files = true;
+      }
    }

-    // Find the installed executable
-    self.find_extracted_executable(dest_dir).await
+    if dirs.len() == 1 && !has_non_archive_files {
+      let single_dir = &dirs[0];
+
+      if single_dir.extension().is_some_and(|ext| ext == "app") {
+        log::info!(
+          "Skipping flatten: {} is a macOS app bundle",
+          single_dir.display()
+        );
+        return Ok(());
+      }
+
+      log::info!(
+        "Flattening single-directory archive: moving contents of {} to {}",
+        single_dir.display(),
+        dest_dir.display()
+      );
+
+      let inner_entries: Vec<_> = fs::read_dir(single_dir)?.filter_map(|e| e.ok()).collect();
+
+      for entry in inner_entries {
+        let source = entry.path();
+        let file_name = match source.file_name() {
+          Some(name) => name.to_owned(),
+          None => continue,
+        };
+        let target = dest_dir.join(&file_name);
+        fs::rename(&source, &target).map_err(|e| {
+          format!(
+            "Failed to move {} to {}: {}",
+            source.display(),
+            target.display(),
+            e
+          )
+        })?;
+      }
+
+      fs::remove_dir(single_dir).map_err(|e| {
+        format!(
+          "Failed to remove empty directory {}: {}",
+          single_dir.display(),
+          e
+        )
+      })?;
+
+      log::info!("Successfully flattened archive directory structure");
+    }
+
+    Ok(())
  }

  async fn find_extracted_executable(
@@ -868,8 +912,8 @@ impl Extractor {
      "firefox.exe",
      "chrome.exe",
      "chromium.exe",
-      "zen.exe",
-      "brave.exe",
+      "camoufox.exe",
+      "wayfern.exe",
    ];

    // First try priority executable names
@@ -895,6 +939,7 @@ impl Extractor {
  }

  #[cfg(target_os = "windows")]
+  #[allow(clippy::type_complexity)]
  fn find_windows_executable_recursive<'a>(
    &'a self,
    dir: &'a Path,
@@ -934,9 +979,9 @@ impl Extractor {
            if file_name.contains("firefox")
              || file_name.contains("chrome")
              || file_name.contains("chromium")
-              || file_name.contains("zen")
-              || file_name.contains("brave")
              || file_name.contains("browser")
+              || file_name.contains("camoufox")
+              || file_name.contains("wayfern")
            {
              return Ok(path);
            }
@@ -984,31 +1029,14 @@ impl Extractor {

    // Enhanced list of common browser executable names
    let exe_names = [
-      // Firefox variants
+      // Firefox variants (used by Camoufox)
      "firefox",
      "firefox-bin",
-      "firefox-esr",
-      "firefox-trunk",
-      // Chrome/Chromium variants
+      // Chrome/Chromium variants (used by Wayfern)
      "chrome",
-      "google-chrome",
-      "google-chrome-stable",
-      "google-chrome-beta",
-      "google-chrome-unstable",
      "chromium",
      "chromium-browser",
      "chromium-bin",
-      // Zen Browser
-      "zen",
-      "zen-browser",
-      "zen-bin",
-      // Brave variants
-      "brave",
-      "brave-browser",
-      "brave-browser-stable",
-      "brave-browser-beta",
-      "brave-browser-dev",
-      "brave-bin",
      // Camoufox variants
      "camoufox",
      "camoufox-bin",
@@ -1039,17 +1067,12 @@ impl Extractor {
      "firefox",
      "chrome",
      "chromium",
-      "brave",
-      "zen",
      "camoufox",
      "wayfern",
      ".",
      "./",
-      "firefox",
      "Browser",
      "browser",
-      "opt/google/chrome",
-      "opt/brave.com/brave",
      "opt/camoufox",
      "usr/lib/firefox",
      "usr/lib/chromium",
@@ -5,6 +5,7 @@ use directories::BaseDirs;
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use std::path::PathBuf;
+use std::sync::atomic::{AtomicBool, Ordering};
 use tokio::fs;
 use tokio::io::AsyncWriteExt;

@@ -22,6 +23,8 @@ pub struct GeoIPDownloadProgress {
  pub eta_seconds: Option<f64>,
 }

+static DOWNLOAD_IN_PROGRESS: AtomicBool = AtomicBool::new(false);
+
 pub struct GeoIPDownloader {
  client: Client,
 }
@@ -76,21 +79,39 @@ impl GeoIPDownloader {
      false
    }
  }
-  /// Check if GeoIP database is missing for Camoufox profiles
+
+  fn get_timestamp_path() -> PathBuf {
+    crate::app_dirs::cache_dir().join("geoip_last_download")
+  }
+
+  fn is_geoip_stale() -> bool {
+    let timestamp_path = Self::get_timestamp_path();
+    let Ok(content) = std::fs::read_to_string(&timestamp_path) else {
+      return true;
+    };
+    let Ok(timestamp) = content.trim().parse::<u64>() else {
+      return true;
+    };
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap_or_default()
+      .as_secs();
+    const SEVEN_DAYS: u64 = 7 * 24 * 60 * 60;
+    now.saturating_sub(timestamp) > SEVEN_DAYS
+  }
+
+  /// Check if GeoIP database is missing or stale for Camoufox profiles
  pub fn check_missing_geoip_database(
    &self,
  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
-    // Get all profiles
    let profiles = ProfileManager::instance()
      .list_profiles()
      .map_err(|e| format!("Failed to list profiles: {e}"))?;

-    // Check if there are any Camoufox profiles
    let has_camoufox_profiles = profiles.iter().any(|profile| profile.browser == "camoufox");

    if has_camoufox_profiles {
-      // Check if GeoIP database is available
-      return Ok(!Self::is_geoip_database_available());
+      return Ok(!Self::is_geoip_database_available() || Self::is_geoip_stale());
    }

    Ok(false)
@@ -108,6 +129,22 @@ impl GeoIPDownloader {
  pub async fn download_geoip_database(
    &self,
    _app_handle: &tauri::AppHandle,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    if DOWNLOAD_IN_PROGRESS
+      .compare_exchange(false, true, Ordering::SeqCst, Ordering::SeqCst)
+      .is_err()
+    {
+      log::info!("GeoIP database download already in progress, skipping");
+      return Ok(());
+    }
+    let result = self.download_geoip_database_inner(_app_handle).await;
+    DOWNLOAD_IN_PROGRESS.store(false, Ordering::SeqCst);
+    result
+  }
+
+  async fn download_geoip_database_inner(
+    &self,
+    _app_handle: &tauri::AppHandle,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    // Emit initial progress
    let _ = events::emit(
@@ -137,6 +174,13 @@ impl GeoIPDownloader {

    let mmdb_path = Self::get_mmdb_file_path()?;

+    // Always download to a temp file first, then atomically rename.
+    // This prevents corruption if the app is closed mid-download.
+    let temp_path = mmdb_path.with_extension("mmdb.downloading");
+
+    // Remove any leftover temp file from a previous interrupted download
+    let _ = fs::remove_file(&temp_path).await;
+
    // Download the file
    let response = self.client.get(&download_url).send().await?;

@@ -152,7 +196,7 @@ impl GeoIPDownloader {

    let total_size = response.content_length().unwrap_or(0);
    let mut downloaded: u64 = 0;
-    let mut file = fs::File::create(&mmdb_path).await?;
+    let mut file = fs::File::create(&temp_path).await?;
    let mut stream = response.bytes_stream();

    use futures_util::StreamExt;
@@ -200,6 +244,21 @@ impl GeoIPDownloader {
    }

    file.flush().await?;
+    drop(file);
+
+    // Atomically replace the old database with the new one
+    fs::rename(&temp_path, &mmdb_path).await?;
+
+    // Write download timestamp
+    let timestamp_path = Self::get_timestamp_path();
+    if let Some(parent) = timestamp_path.parent() {
+      let _ = fs::create_dir_all(parent).await;
+    }
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap_or_default()
+      .as_secs();
+    let _ = fs::write(&timestamp_path, now.to_string()).await;

    // Emit completion
    let _ = events::emit(
@@ -362,6 +421,31 @@ mod tests {
    assert!(path.to_string_lossy().ends_with("GeoLite2-City.mmdb"));
  }

+  #[test]
+  fn test_is_geoip_stale() {
+    let tmp = tempfile::TempDir::new().unwrap();
+    let _guard = crate::app_dirs::set_test_cache_dir(tmp.path().to_path_buf());
+
+    // No timestamp file → stale
+    assert!(GeoIPDownloader::is_geoip_stale());
+
+    let timestamp_path = GeoIPDownloader::get_timestamp_path();
+    std::fs::create_dir_all(timestamp_path.parent().unwrap()).unwrap();
+
+    // Recent timestamp → not stale
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs();
+    std::fs::write(&timestamp_path, now.to_string()).unwrap();
+    assert!(!GeoIPDownloader::is_geoip_stale());
+
+    // 8 days ago → stale
+    let eight_days_ago = now - 8 * 24 * 60 * 60;
+    std::fs::write(&timestamp_path, eight_days_ago.to_string()).unwrap();
+    assert!(GeoIPDownloader::is_geoip_stale());
+  }
+
  #[test]
  fn test_is_geoip_database_available() {
    // Test that the function works correctly regardless of file system state.
@@ -1,8 +1,6 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs;
-use std::path::{Path, PathBuf};
 use std::sync::Mutex;

 use crate::events;
@@ -33,48 +31,15 @@ struct GroupsData {
  groups: Vec<ProfileGroup>,
 }

-pub struct GroupManager {
-  base_dirs: BaseDirs,
-  data_dir_override: Option<PathBuf>,
-}
+pub struct GroupManager;

 impl GroupManager {
  pub fn new() -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: std::env::var("DONUTBROWSER_DATA_DIR")
-        .ok()
-        .map(PathBuf::from),
-    }
+    Self
  }

-  // Helper for tests to override data directory without global env var
-  #[allow(dead_code)]
-  pub fn with_data_dir_override(dir: &Path) -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: Some(dir.to_path_buf()),
-    }
-  }
-
-  fn get_groups_file_path(&self) -> PathBuf {
-    if let Some(dir) = &self.data_dir_override {
-      let mut override_path = dir.clone();
-      // Ensure the directory exists before returning the path
-      let _ = fs::create_dir_all(&override_path);
-      override_path.push("groups.json");
-      return override_path;
-    }
-
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("data");
-    path.push("groups.json");
-    path
+  fn get_groups_file_path(&self) -> std::path::PathBuf {
+    crate::app_dirs::data_subdir().join("groups.json")
  }

  fn load_groups_data(&self) -> Result<GroupsData, Box<dyn std::error::Error>> {
@@ -119,10 +84,11 @@ impl GroupManager {
      return Err(format!("Group with name '{name}' already exists").into());
    }

+    let sync_enabled = crate::sync::is_sync_configured();
    let group = ProfileGroup {
      id: uuid::Uuid::new_v4().to_string(),
      name,
-      sync_enabled: false,
+      sync_enabled,
      last_sync: None,
    };

@@ -134,6 +100,15 @@ impl GroupManager {
      log::error!("Failed to emit groups-changed event: {e}");
    }

+    if group.sync_enabled {
+      if let Some(scheduler) = crate::sync::get_global_scheduler() {
+        let id = group.id.clone();
+        tauri::async_runtime::spawn(async move {
+          scheduler.queue_group_sync(id).await;
+        });
+      }
+    }
+
    Ok(group)
  }

@@ -170,6 +145,15 @@ impl GroupManager {
      log::error!("Failed to emit groups-changed event: {e}");
    }

+    if updated_group.sync_enabled {
+      if let Some(scheduler) = crate::sync::get_global_scheduler() {
+        let id = updated_group.id.clone();
+        tauri::async_runtime::spawn(async move {
+          scheduler.queue_group_sync(id).await;
+        });
+      }
+    }
+
    Ok(updated_group)
  }

@@ -207,6 +191,17 @@ impl GroupManager {
    Ok(())
  }

+  pub fn delete_group_internal(&self, id: &str) -> Result<(), Box<dyn std::error::Error>> {
+    let mut groups_data = self.load_groups_data()?;
+    let initial_len = groups_data.groups.len();
+    groups_data.groups.retain(|g| g.id != id);
+    if groups_data.groups.len() == initial_len {
+      return Err(format!("Group with id '{id}' not found").into());
+    }
+    self.save_groups_data(&groups_data)?;
+    Ok(())
+  }
+
  pub fn delete_group(
    &self,
    app_handle: &tauri::AppHandle,
@@ -0,0 +1,492 @@
+use rand::{Rng, RngExt};
+use std::collections::{HashMap, HashSet};
+
+const PROB_ERROR: f64 = 0.04;
+const PROB_SWAP_ERROR: f64 = 0.015;
+const PROB_NOTICE_ERROR: f64 = 0.85;
+const SPEED_BOOST_COMMON_WORD: f64 = 0.6;
+const SPEED_PENALTY_COMPLEX_WORD: f64 = 1.3;
+const SPEED_BOOST_CLOSE_KEYS: f64 = 0.5;
+const SPEED_BOOST_BIGRAM: f64 = 0.4;
+const TIME_KEYSTROKE_STD: f64 = 0.03;
+const TIME_BACKSPACE_MEAN: f64 = 0.12;
+const TIME_BACKSPACE_STD: f64 = 0.02;
+const TIME_REACTION_MEAN: f64 = 0.35;
+const TIME_REACTION_STD: f64 = 0.1;
+const TIME_UPPERCASE_PENALTY: f64 = 0.2;
+const TIME_SPACE_PAUSE_MEAN: f64 = 0.25;
+const TIME_SPACE_PAUSE_STD: f64 = 0.05;
+const FATIGUE_FACTOR: f64 = 1.0005;
+const AVG_WORD_LENGTH: f64 = 5.0;
+const WPM_STD: f64 = 10.0;
+const DEFAULT_WPM: f64 = 80.0;
+
+#[derive(Debug, Clone)]
+pub enum TypingAction {
+  Char(char),
+  Backspace,
+}
+
+#[derive(Debug, Clone)]
+pub struct TypingEvent {
+  pub time: f64,
+  pub action: TypingAction,
+}
+
+struct KeyboardLayout {
+  pos_map: HashMap<char, (usize, usize)>,
+  grid: Vec<Vec<char>>,
+}
+
+impl KeyboardLayout {
+  fn new() -> Self {
+    let grid: Vec<Vec<char>> = vec![
+      "`1234567890-=".chars().collect(),
+      "qwertyuiop[]\\".chars().collect(),
+      "asdfghjkl;'".chars().collect(),
+      "zxcvbnm,./".chars().collect(),
+    ];
+    let mut pos_map = HashMap::new();
+    for (r, row) in grid.iter().enumerate() {
+      for (c, &ch) in row.iter().enumerate() {
+        pos_map.insert(ch, (r, c));
+      }
+    }
+    KeyboardLayout { pos_map, grid }
+  }
+
+  fn has_key(&self, ch: char) -> bool {
+    self.pos_map.contains_key(&ch.to_ascii_lowercase())
+  }
+
+  fn get_neighbor_keys(&self, ch: char) -> Vec<char> {
+    let ch = ch.to_ascii_lowercase();
+    let (r, c) = match self.pos_map.get(&ch) {
+      Some(&pos) => pos,
+      None => return vec![],
+    };
+    let deltas: [(i32, i32); 8] = [
+      (-1, -1),
+      (-1, 0),
+      (-1, 1),
+      (0, -1),
+      (0, 1),
+      (1, -1),
+      (1, 0),
+      (1, 1),
+    ];
+    let mut neighbors = Vec::new();
+    for (dr, dc) in &deltas {
+      let nr = r as i32 + dr;
+      let nc = c as i32 + dc;
+      if nr >= 0 && (nr as usize) < self.grid.len() {
+        let row = &self.grid[nr as usize];
+        if nc >= 0 && (nc as usize) < row.len() {
+          neighbors.push(row[nc as usize]);
+        }
+      }
+    }
+    neighbors
+  }
+
+  fn get_distance(&self, c1: char, c2: char) -> f64 {
+    let c1 = c1.to_ascii_lowercase();
+    let c2 = c2.to_ascii_lowercase();
+    match (self.pos_map.get(&c1), self.pos_map.get(&c2)) {
+      (Some(&(r1, c1p)), Some(&(r2, c2p))) => {
+        let dr = r1 as f64 - r2 as f64;
+        let dc = c1p as f64 - c2p as f64;
+        (dr * dr + dc * dc).sqrt()
+      }
+      _ => 4.0,
+    }
+  }
+
+  fn get_random_neighbor(&self, ch: char, rng: &mut impl Rng) -> char {
+    let neighbors = self.get_neighbor_keys(ch);
+    if neighbors.is_empty() {
+      let flat: Vec<char> = self.grid.iter().flat_map(|r| r.iter().copied()).collect();
+      flat[rng.random_range(0..flat.len())]
+    } else {
+      neighbors[rng.random_range(0..neighbors.len())]
+    }
+  }
+}
+
+fn normal_sample(rng: &mut impl Rng, mean: f64, std_dev: f64) -> f64 {
+  // Box-Muller transform
+  let u1: f64 = rng.random::<f64>().max(1e-10);
+  let u2: f64 = rng.random::<f64>();
+  let z = (-2.0_f64 * u1.ln()).sqrt() * (2.0_f64 * std::f64::consts::PI * u2).cos();
+  mean + std_dev * z
+}
+
+static COMMON_WORDS: &[&str] = &[
+  "the", "be", "to", "of", "and", "a", "in", "that", "have", "it", "for", "not", "on", "with",
+  "he", "as", "you", "do", "at", "this", "but", "his", "by", "from", "they", "we", "say", "her",
+  "she", "or", "an", "will", "my", "one", "all", "would", "there", "their", "what", "so", "up",
+  "out", "if", "about", "who", "get", "which", "go", "me", "when", "make", "can", "like", "time",
+  "no", "just", "him", "know", "take", "people", "into", "year", "your", "good", "some", "could",
+  "them", "see", "other", "than", "then", "now", "look", "only", "come", "its", "over", "think",
+  "also", "back", "after", "use", "two", "how", "our", "work", "first", "well", "way", "even",
+  "new", "want", "because",
+];
+
+static COMMON_BIGRAMS: &[&str] = &[
+  "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es", "or", "te", "of", "ed",
+  "is", "it", "al", "ar", "st", "to", "nt", "ng", "se", "ha", "as", "ou", "io", "le", "ve", "co",
+  "me", "de", "hi", "ri", "ro", "ic", "ne", "ea", "ra", "ce",
+];
+
+fn get_word_difficulty(word: &str) -> &'static str {
+  let lower = word.to_lowercase();
+  let trimmed = lower.trim_matches(|c: char| matches!(c, '.' | ',' | '!' | '?' | ';' | ':'));
+  let common_set: HashSet<&str> = COMMON_WORDS.iter().copied().collect();
+  if common_set.contains(trimmed) {
+    return "common";
+  }
+  let is_long = trimmed.len() > 8;
+  let has_complex = trimmed.chars().any(|c| matches!(c, 'z' | 'x' | 'q' | 'j'));
+  if is_long || has_complex {
+    return "complex";
+  }
+  "normal"
+}
+
+fn is_common_bigram(c1: char, c2: char) -> bool {
+  let bigram = format!("{}{}", c1.to_ascii_lowercase(), c2.to_ascii_lowercase());
+  let bigram_set: HashSet<&str> = COMMON_BIGRAMS.iter().copied().collect();
+  bigram_set.contains(bigram.as_str())
+}
+
+pub struct MarkovTyper {
+  target: Vec<char>,
+  current: Vec<char>,
+  keyboard: KeyboardLayout,
+  base_keystroke_time: f64,
+  fatigue_multiplier: f64,
+  mental_cursor_pos: usize,
+  last_char_typed: Option<char>,
+  total_time: f64,
+  last_was_backspace: bool,
+  rng: rand::rngs::ThreadRng,
+}
+
+impl MarkovTyper {
+  pub fn new(text: &str, wpm: Option<f64>) -> Self {
+    let mut rng = rand::rng();
+    let target_wpm = wpm.unwrap_or(DEFAULT_WPM);
+    let session_wpm = normal_sample(&mut rng, target_wpm, WPM_STD).max(10.0);
+    let base_keystroke_time = 60.0 / (session_wpm * AVG_WORD_LENGTH);
+
+    MarkovTyper {
+      target: text.chars().collect(),
+      current: Vec::new(),
+      keyboard: KeyboardLayout::new(),
+      base_keystroke_time,
+      fatigue_multiplier: 1.0,
+      mental_cursor_pos: 0,
+      last_char_typed: None,
+      total_time: 0.0,
+      last_was_backspace: false,
+      rng,
+    }
+  }
+
+  fn get_current_word(&self) -> Option<String> {
+    if self.mental_cursor_pos >= self.target.len() {
+      return None;
+    }
+    let mut start = self.mental_cursor_pos;
+    while start > 0 && self.target[start - 1] != ' ' {
+      start -= 1;
+    }
+    let mut end = self.mental_cursor_pos;
+    while end < self.target.len() && self.target[end] != ' ' {
+      end += 1;
+    }
+    Some(self.target[start..end].iter().collect())
+  }
+
+  fn calculate_keystroke_time(&mut self, ch: char) -> f64 {
+    let mut time = self.base_keystroke_time * self.fatigue_multiplier;
+
+    if let Some(word) = self.get_current_word() {
+      match get_word_difficulty(&word) {
+        "common" => time *= SPEED_BOOST_COMMON_WORD,
+        "complex" => time *= SPEED_PENALTY_COMPLEX_WORD,
+        _ => {}
+      }
+    }
+
+    if let Some(last) = self.last_char_typed {
+      if is_common_bigram(last, ch) {
+        time *= SPEED_BOOST_BIGRAM;
+      } else {
+        let dist = self.keyboard.get_distance(last, ch);
+        if dist > 0.0 && dist < 2.0 {
+          time *= SPEED_BOOST_CLOSE_KEYS;
+        } else if dist > 4.0 {
+          time *= 1.2;
+        }
+      }
+    }
+
+    if ch == ' ' {
+      time += normal_sample(&mut self.rng, TIME_SPACE_PAUSE_MEAN, TIME_SPACE_PAUSE_STD);
+    } else if ch.is_uppercase() {
+      time += TIME_UPPERCASE_PENALTY;
+    }
+
+    let dt = normal_sample(&mut self.rng, time, TIME_KEYSTROKE_STD);
+    dt.max(0.02)
+  }
+
+  fn step(&mut self) -> Option<TypingEvent> {
+    if self.current == self.target {
+      return None;
+    }
+
+    // Find first error position
+    let mut first_error_pos = self.target.len();
+    let min_len = self.current.len().min(self.target.len());
+    for i in 0..min_len {
+      if self.current[i] != self.target[i] {
+        first_error_pos = i;
+        break;
+      }
+    }
+    if self.current.len() > self.target.len() && first_error_pos == self.target.len() {
+      first_error_pos = self.target.len();
+    }
+
+    // Error correction
+    if first_error_pos < self.current.len() {
+      let mut should_correct = false;
+
+      if self.last_was_backspace || self.mental_cursor_pos >= self.target.len() {
+        should_correct = true;
+      } else if !self.current.is_empty() {
+        let last_char = *self.current.last().unwrap();
+        let distance = self.current.len() - first_error_pos;
+
+        if " \n\t.,;!?:()[]{}\"'<>".contains(last_char) {
+          should_correct = true;
+        } else if distance >= 2 {
+          if self.rng.random::<f64>() < 0.8 {
+            should_correct = true;
+          }
+        } else if distance == 1 && self.rng.random::<f64>() < PROB_NOTICE_ERROR {
+          should_correct = true;
+        }
+      }
+
+      if should_correct {
+        if !self.last_was_backspace {
+          let dt = normal_sample(&mut self.rng, TIME_REACTION_MEAN, TIME_REACTION_STD).max(0.1);
+          self.total_time += dt;
+        }
+
+        let dt = normal_sample(&mut self.rng, TIME_BACKSPACE_MEAN, TIME_BACKSPACE_STD);
+        self.total_time += dt;
+        self.current.pop();
+        self.mental_cursor_pos = self.current.len();
+        self.last_was_backspace = true;
+
+        return Some(TypingEvent {
+          time: self.total_time,
+          action: TypingAction::Backspace,
+        });
+      }
+    }
+
+    self.last_was_backspace = false;
+
+    if self.mental_cursor_pos > self.current.len() {
+      self.mental_cursor_pos = self.current.len();
+    }
+    if self.mental_cursor_pos >= self.target.len() {
+      return None;
+    }
+
+    let char_intended = self.target[self.mental_cursor_pos];
+    self.fatigue_multiplier *= FATIGUE_FACTOR;
+
+    // Non-QWERTY characters (CJK, Cyrillic, etc.) are composed via IME —
+    // skip error simulation entirely, just apply realistic timing.
+    let on_keyboard = self.keyboard.has_key(char_intended);
+
+    // Swap error (only for characters on the physical keyboard)
+    if on_keyboard && self.mental_cursor_pos + 1 < self.target.len() {
+      let char_after = self.target[self.mental_cursor_pos + 1];
+      if char_after != ' '
+        && char_after != char_intended
+        && self.keyboard.has_key(char_after)
+        && self.rng.random::<f64>() < PROB_SWAP_ERROR
+      {
+        let dt = self.calculate_keystroke_time(char_after);
+        self.total_time += dt;
+        self.current.push(char_after);
+        self.last_char_typed = Some(char_after);
+        self.mental_cursor_pos += 1;
+        return Some(TypingEvent {
+          time: self.total_time,
+          action: TypingAction::Char(char_after),
+        });
+      }
+    }
+
+    // Normal typing with possible error (errors only for QWERTY characters)
+    let typed_char = if on_keyboard {
+      let mut current_prob_error = PROB_ERROR;
+      if let Some(word) = self.get_current_word() {
+        match get_word_difficulty(&word) {
+          "complex" => current_prob_error *= 1.5,
+          "common" => current_prob_error *= 0.5,
+          _ => {}
+        }
+      }
+      if self.rng.random::<f64>() < current_prob_error {
+        self
+          .keyboard
+          .get_random_neighbor(char_intended, &mut self.rng)
+      } else {
+        char_intended
+      }
+    } else {
+      char_intended
+    };
+
+    let dt = self.calculate_keystroke_time(typed_char);
+    self.total_time += dt;
+    self.current.push(typed_char);
+    self.last_char_typed = Some(typed_char);
+    self.mental_cursor_pos += 1;
+
+    Some(TypingEvent {
+      time: self.total_time,
+      action: TypingAction::Char(typed_char),
+    })
+  }
+
+  pub fn run(mut self) -> Vec<TypingEvent> {
+    let max_steps = self.target.len() * 10;
+    let mut events = Vec::new();
+    let mut steps = 0;
+    while let Some(event) = self.step() {
+      events.push(event);
+      steps += 1;
+      if steps > max_steps {
+        break;
+      }
+    }
+    events
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_generates_events() {
+    let typer = MarkovTyper::new("hello", Some(60.0));
+    let events = typer.run();
+    assert!(!events.is_empty());
+    // Final text should be "hello" — verify by replaying
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, "hello");
+  }
+
+  #[test]
+  fn test_timing_increases() {
+    let typer = MarkovTyper::new("test", Some(60.0));
+    let events = typer.run();
+    for window in events.windows(2) {
+      assert!(window[1].time >= window[0].time);
+    }
+  }
+
+  #[test]
+  fn test_empty_text() {
+    let typer = MarkovTyper::new("", Some(60.0));
+    let events = typer.run();
+    assert!(events.is_empty());
+  }
+
+  #[test]
+  fn test_chinese_text() {
+    let input = "你好世界";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+
+  #[test]
+  fn test_russian_text() {
+    let input = "Привет мир";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+
+  #[test]
+  fn test_japanese_text() {
+    let input = "東京タワー";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+
+  #[test]
+  fn test_mixed_latin_and_cjk() {
+    let input = "Hello 你好 world";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+}
@@ -5,6 +5,7 @@ use std::process::Command;

 // Platform-specific modules
 #[cfg(target_os = "macos")]
+#[allow(dead_code)]
 pub mod macos {
  use super::*;
  use sysinfo::{Pid, System};
@@ -468,6 +469,7 @@ end try
 }

 #[cfg(target_os = "windows")]
+#[allow(dead_code)]
 pub mod windows {
  use super::*;

@@ -651,8 +653,11 @@ pub mod windows {
    use std::process::Command;

    // Try taskkill command as fallback
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
    let output = Command::new("taskkill")
      .args(["/F", "/PID", &pid.to_string()])
+      .creation_flags(CREATE_NO_WINDOW)
      .output();

    match output {
@@ -677,6 +682,7 @@ pub mod windows {
 }

 #[cfg(target_os = "linux")]
+#[allow(dead_code)]
 pub mod linux {
  use super::*;

@@ -871,18 +877,158 @@ pub mod linux {

  pub async fn kill_browser_process_impl(
    pid: u32,
+    profile_data_path: Option<&str>,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    use sysinfo::{Pid, System};
-    let system = System::new_all();
-    if let Some(process) = system.process(Pid::from(pid as usize)) {
-      if !process.kill() {
-        return Err(format!("Failed to kill process {}", pid).into());
+    use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};
+
+    log::info!("Attempting to kill browser process with PID: {pid}");
+
+    let mut pids_to_kill = vec![pid];
+
+    // Find all descendant processes
+    let descendants = get_all_descendant_pids(pid);
+    pids_to_kill.extend(descendants);
+
+    // Find additional processes using the same profile path
+    if let Some(profile_path) = profile_data_path {
+      let additional_pids = find_processes_by_profile_path(profile_path);
+      for p in additional_pids {
+        if !pids_to_kill.contains(&p) {
+          log::info!("Found additional process {} using profile path", p);
+          pids_to_kill.push(p);
+        }
      }
-    } else {
-      return Err(format!("Process {} not found", pid).into());
    }

-    log::info!("Successfully killed browser process with PID: {pid}");
+    log::info!("Total processes to kill: {:?}", pids_to_kill);
+
+    // Send SIGKILL to all identified processes
+    for &p in &pids_to_kill {
+      log::info!("Sending SIGKILL to PID: {p}");
+      let _ = Command::new("kill")
+        .args(["-KILL", &p.to_string()])
+        .output();
+    }
+
+    // Also kill by process group and parent PID
+    let pid_str = pid.to_string();
+    let _ = Command::new("pkill")
+      .args(["-KILL", "-P", &pid_str])
+      .output();
+
+    tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
+
+    // Verify processes are dead
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+    let mut still_running = Vec::new();
+    for &p in &pids_to_kill {
+      if system.process(Pid::from(p as usize)).is_some() {
+        still_running.push(p);
+      }
+    }
+
+    if !still_running.is_empty() {
+      log::info!(
+        "Processes {:?} still running, trying final termination",
+        still_running
+      );
+
+      for p in &still_running {
+        let _ = Command::new("kill")
+          .args(["-KILL", &p.to_string()])
+          .output();
+      }
+
+      tokio::time::sleep(tokio::time::Duration::from_millis(1000)).await;
+
+      let system = System::new_with_specifics(
+        RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+      );
+      let mut final_still_running = Vec::new();
+      for &p in &pids_to_kill {
+        if system.process(Pid::from(p as usize)).is_some() {
+          final_still_running.push(p);
+        }
+      }
+
+      if !final_still_running.is_empty() {
+        log::error!(
+          "ERROR: Processes {:?} could not be terminated despite aggressive attempts",
+          final_still_running
+        );
+        return Err(
+          format!(
+            "Failed to terminate browser processes {:?} - still running",
+            final_still_running
+          )
+          .into(),
+        );
+      }
+    }
+
+    log::info!("Browser termination completed for PID: {pid}");
    Ok(())
  }
+
+  fn find_processes_by_profile_path(profile_path: &str) -> Vec<u32> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let mut pids = Vec::new();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+
+    for (pid, process) in system.processes() {
+      let cmd = process.cmd();
+      if cmd.is_empty() {
+        continue;
+      }
+
+      let has_profile = cmd.iter().any(|arg| {
+        if let Some(arg_str) = arg.to_str() {
+          arg_str.contains(profile_path)
+        } else {
+          false
+        }
+      });
+
+      if has_profile {
+        pids.push(pid.as_u32());
+      }
+    }
+
+    pids
+  }
+
+  fn get_all_descendant_pids(parent_pid: u32) -> Vec<u32> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+    let mut descendants = Vec::new();
+    let mut to_check = vec![parent_pid];
+    let mut checked = std::collections::HashSet::new();
+
+    while let Some(current_pid) = to_check.pop() {
+      if checked.contains(&current_pid) {
+        continue;
+      }
+      checked.insert(current_pid);
+
+      for (pid, process) in system.processes() {
+        let pid_u32 = pid.as_u32();
+        if let Some(parent) = process.parent() {
+          if parent.as_u32() == current_pid && !checked.contains(&pid_u32) {
+            descendants.push(pid_u32);
+            to_check.push(pid_u32);
+          }
+        }
+      }
+    }
+
+    descendants
+  }
 }
@@ -1,18 +1,17 @@
 use crate::api_client::is_browser_version_nightly;
 use crate::browser::{create_browser, BrowserType, ProxySettings};
 use crate::camoufox_manager::CamoufoxConfig;
+use crate::cloud_auth::CLOUD_AUTH;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
 use crate::events;
-use crate::profile::types::BrowserProfile;
+use crate::profile::types::{get_host_os, BrowserProfile, SyncMode};
 use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::WayfernConfig;
-use directories::BaseDirs;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};
-use sysinfo::{Pid, System};
+use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};

 pub struct ProfileManager {
-  base_dirs: BaseDirs,
  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
  wayfern_manager: &'static crate::wayfern_manager::WayfernManager,
 }
@@ -20,7 +19,6 @@ pub struct ProfileManager {
 impl ProfileManager {
  fn new() -> Self {
    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
      camoufox_manager: crate::camoufox_manager::CamoufoxManager::instance(),
      wayfern_manager: crate::wayfern_manager::WayfernManager::instance(),
    }
@@ -31,25 +29,11 @@ impl ProfileManager {
  }

  pub fn get_profiles_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("profiles");
-    path
+    crate::app_dirs::profiles_dir()
  }

  pub fn get_binaries_dir(&self) -> PathBuf {
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("binaries");
-    path
+    crate::app_dirs::binaries_dir()
  }

  #[allow(clippy::too_many_arguments)]
@@ -61,10 +45,24 @@ impl ProfileManager {
    version: &str,
    release_type: &str,
    proxy_id: Option<String>,
+    vpn_id: Option<String>,
    camoufox_config: Option<CamoufoxConfig>,
    wayfern_config: Option<WayfernConfig>,
    group_id: Option<String>,
+    ephemeral: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    if proxy_id.is_some() && vpn_id.is_some() {
+      return Err("Cannot set both proxy_id and vpn_id".into());
+    }
+
+    // Sync cloud proxy credentials if the profile uses a cloud or cloud-derived proxy
+    if let Some(ref pid) = proxy_id {
+      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
+        log::info!("Syncing cloud proxy credentials before profile creation");
+        CLOUD_AUTH.sync_cloud_proxy().await;
+      }
+    }
+
    log::info!("Attempting to create profile: {name}");

    // Check if a profile with this name already exists (case insensitive)
@@ -85,7 +83,9 @@ impl ProfileManager {

    // Create profile directory with UUID and profile subdirectory
    create_dir_all(&profile_uuid_dir)?;
-    create_dir_all(&profile_data_dir)?;
+    if !ephemeral {
+      create_dir_all(&profile_data_dir)?;
+    }

    // For Camoufox profiles, generate fingerprint during creation
    let final_camoufox_config = if browser == "camoufox" {
@@ -163,6 +163,7 @@ impl ProfileManager {
          browser: browser.to_string(),
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
+          vpn_id: None,
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -171,8 +172,15 @@ impl ProfileManager {
          group_id: group_id.clone(),
          tags: Vec::new(),
          note: None,
-          sync_enabled: false,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
        };

        match self
@@ -276,6 +284,7 @@ impl ProfileManager {
          browser: browser.to_string(),
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
+          vpn_id: None,
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -284,8 +293,15 @@ impl ProfileManager {
          group_id: group_id.clone(),
          tags: Vec::new(),
          note: None,
-          sync_enabled: false,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
        };

        match self
@@ -321,6 +337,7 @@ impl ProfileManager {
      browser: browser.to_string(),
      version: version.to_string(),
      proxy_id: proxy_id.clone(),
+      vpn_id: vpn_id.clone(),
      process_id: None,
      last_launch: None,
      release_type: release_type.to_string(),
@@ -329,8 +346,15 @@ impl ProfileManager {
      group_id: group_id.clone(),
      tags: Vec::new(),
      note: None,
-      sync_enabled: false,
+      sync_mode: SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: Some(get_host_os()),
+      ephemeral,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    };

    // Save profile info
@@ -344,16 +368,19 @@ impl ProfileManager {
    log::info!("Profile '{name}' created successfully with ID: {profile_id}");

    // Create user.js with common Firefox preferences and apply proxy settings if provided
-    if let Some(proxy_id_ref) = &proxy_id {
-      if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
-        self.apply_proxy_settings_to_profile(&profile_data_dir, &proxy_settings, None)?;
+    // Skip for ephemeral profiles since the data dir is created at launch time
+    if !ephemeral {
+      if let Some(proxy_id_ref) = &proxy_id {
+        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
+          self.apply_proxy_settings_to_profile(&profile_data_dir, &proxy_settings, None)?;
+        } else {
+          // Proxy ID provided but not found, disable proxy
+          self.disable_proxy_settings_in_profile(&profile_data_dir)?;
+        }
      } else {
-        // Proxy ID provided but not found, disable proxy
+        // Create user.js with common Firefox preferences but no proxy
        self.disable_proxy_settings_in_profile(&profile_data_dir)?;
      }
-    } else {
-      // Create user.js with common Firefox preferences but no proxy
-      self.disable_proxy_settings_in_profile(&profile_data_dir)?;
    }

    // Emit profile creation event
@@ -466,15 +493,15 @@ impl ProfileManager {
      .find(|p| p.id == profile_uuid)
      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;

-    // Check if browser is running
-    if profile.process_id.is_some() {
+    // Check if browser is running (cross-OS profiles can't be running locally)
+    if profile.process_id.is_some() && !profile.is_cross_os() {
      return Err(
        "Cannot delete profile while browser is running. Please stop the browser first.".into(),
      );
    }

-    // Remember sync_enabled before deleting local files
-    let was_sync_enabled = profile.sync_enabled;
+    // Remember sync mode before deleting local files
+    let was_sync_enabled = profile.is_sync_enabled();

    let profiles_dir = self.get_profiles_dir();
    let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
@@ -620,7 +647,7 @@ impl ProfileManager {
      self.save_profile(&profile)?;

      // Auto-enable sync for new group if profile has sync enabled
-      if profile.sync_enabled {
+      if profile.is_sync_enabled() {
        if let Some(ref new_group_id) = group_id {
          let group_id_clone = new_group_id.clone();
          let app_handle_clone = app_handle.clone();
@@ -717,6 +744,31 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_proxy_bypass_rules(
+    &self,
+    _app_handle: &tauri::AppHandle,
+    profile_id: &str,
+    rules: Vec<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.proxy_bypass_rules = rules;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn delete_multiple_profiles(
    &self,
    app_handle: &tauri::AppHandle,
@@ -733,8 +785,8 @@ impl ProfileManager {
        .find(|p| p.id == profile_uuid)
        .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;

-      // Check if browser is running
-      if profile.process_id.is_some() {
+      // Check if browser is running (cross-OS profiles can't be running locally)
+      if profile.process_id.is_some() && !profile.is_cross_os() {
        return Err(
          format!(
            "Cannot delete profile '{}' while browser is running. Please stop the browser first.",
@@ -745,7 +797,7 @@ impl ProfileManager {
      }

      // Track sync-enabled profiles for remote deletion
-      if profile.sync_enabled {
+      if profile.is_sync_enabled() {
        sync_enabled_ids.push(profile_id.clone());
      }

@@ -780,6 +832,96 @@ impl ProfileManager {
    Ok(())
  }

+  fn generate_clone_name(&self, original_name: &str) -> Result<String, Box<dyn std::error::Error>> {
+    let profiles = self.list_profiles()?;
+    let existing_names: std::collections::HashSet<String> =
+      profiles.iter().map(|p| p.name.clone()).collect();
+
+    let candidate = format!("{original_name} (Copy)");
+    if !existing_names.contains(&candidate) {
+      return Ok(candidate);
+    }
+
+    for i in 2.. {
+      let candidate = format!("{original_name} (Copy {i})");
+      if !existing_names.contains(&candidate) {
+        return Ok(candidate);
+      }
+    }
+
+    unreachable!()
+  }
+
+  pub fn clone_profile(
+    &self,
+    profile_id: &str,
+    custom_name: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let source = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    if source.process_id.is_some() {
+      return Err(
+        "Cannot clone profile while browser is running. Please stop the browser first.".into(),
+      );
+    }
+
+    let new_id = uuid::Uuid::new_v4();
+    let clone_name = match custom_name {
+      Some(name) if !name.trim().is_empty() => name.trim().to_string(),
+      _ => self.generate_clone_name(&source.name)?,
+    };
+
+    let profiles_dir = self.get_profiles_dir();
+    let source_dir = profiles_dir.join(source.id.to_string());
+    let dest_dir = profiles_dir.join(new_id.to_string());
+
+    if source_dir.exists() {
+      crate::profile_importer::ProfileImporter::copy_directory_recursive(&source_dir, &dest_dir)?;
+    } else {
+      fs::create_dir_all(&dest_dir)?;
+    }
+
+    let new_profile = BrowserProfile {
+      id: new_id,
+      name: clone_name,
+      browser: source.browser,
+      version: source.version,
+      proxy_id: source.proxy_id,
+      vpn_id: source.vpn_id,
+      process_id: None,
+      last_launch: None,
+      release_type: source.release_type,
+      camoufox_config: source.camoufox_config,
+      wayfern_config: source.wayfern_config,
+      group_id: source.group_id,
+      tags: source.tags,
+      note: source.note,
+      sync_mode: SyncMode::Disabled,
+      encryption_salt: None,
+      last_sync: None,
+      host_os: Some(get_host_os()),
+      ephemeral: false,
+      extension_group_id: source.extension_group_id,
+      proxy_bypass_rules: source.proxy_bypass_rules,
+      created_by_id: None,
+      created_by_email: None,
+    };
+
+    self.save_profile(&new_profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(new_profile)
+  }
+
  pub async fn update_camoufox_config(
    &self,
    app_handle: tauri::AppHandle,
@@ -929,8 +1071,9 @@ impl ProfileManager {
    // Remember old proxy_id for cleanup (not used yet, but may be needed for cleanup)
    let _old_proxy_id = profile.proxy_id.clone();

-    // Update proxy settings
+    // Update proxy settings and clear VPN (mutual exclusion)
    profile.proxy_id = proxy_id.clone();
+    profile.vpn_id = None;

    // Save the updated profile
    self
@@ -940,7 +1083,7 @@ impl ProfileManager {
      })?;

    // Auto-enable sync for new proxy if profile has sync enabled
-    if profile.sync_enabled {
+    if profile.is_sync_enabled() {
      if let Some(ref new_proxy_id) = proxy_id {
        let _ = crate::sync::enable_proxy_sync_if_needed(new_proxy_id, &app_handle).await;
        if let Some(scheduler) = crate::sync::get_global_scheduler() {
@@ -993,6 +1136,78 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub async fn update_profile_vpn(
+    &self,
+    _app_handle: tauri::AppHandle,
+    profile_id: &str,
+    vpn_id: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
+    let profile_uuid = uuid::Uuid::parse_str(profile_id).map_err(
+      |_| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Invalid profile ID: {profile_id}").into()
+      },
+    )?;
+    let profiles =
+      self
+        .list_profiles()
+        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+          format!("Failed to list profiles: {e}").into()
+        })?;
+
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Profile with ID '{profile_id}' not found").into()
+      })?;
+
+    // Update VPN and clear proxy (mutual exclusion)
+    profile.vpn_id = vpn_id;
+    profile.proxy_id = None;
+
+    self
+      .save_profile(&profile)
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Failed to save profile: {e}").into()
+      })?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Warning: Failed to emit profile update event: {e}");
+    }
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
+  pub fn update_profile_extension_group(
+    &self,
+    profile_id: &str,
+    extension_group_id: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.extension_group_id = extension_group_id;
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Failed to emit profile update event: {e}");
+    }
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub async fn check_browser_status(
    &self,
    app_handle: tauri::AppHandle,
@@ -1010,7 +1225,9 @@ impl ProfileManager {

    // For non-camoufox browsers, use the existing PID-based logic
    let inner_profile = profile.clone();
-    let mut system = System::new();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
    let mut is_running = false;
    let mut found_pid: Option<u32> = None;

@@ -1025,10 +1242,7 @@ impl ProfileManager {
        let profile_path_match = cmd.iter().any(|s| {
          let arg = s.to_str().unwrap_or("");
          // For Firefox-based browsers, check for exact profile path match
-          if profile.browser == "firefox"
-            || profile.browser == "firefox-developer"
-            || profile.browser == "zen"
-          {
+          if profile.browser == "camoufox" {
            arg == profile_data_path_str
              || arg == format!("-profile={profile_data_path_str}")
              || (arg == "-profile"
@@ -1036,7 +1250,7 @@ impl ProfileManager {
                  .iter()
                  .any(|s2| s2.to_str().unwrap_or("") == profile_data_path_str))
          } else {
-            // For Chromium-based browsers, check for user-data-dir
+            // For Chromium-based browsers (Wayfern), check for user-data-dir
            arg.contains(&format!("--user-data-dir={profile_data_path_str}"))
              || arg == profile_data_path_str
          }
@@ -1045,31 +1259,24 @@ impl ProfileManager {
        if profile_path_match {
          is_running = true;
          found_pid = Some(pid);
-          // Found existing browser process
        }
      }
    }

    // If we didn't find the browser with the stored PID, search all processes
    if !is_running {
-      // Refresh all processes only when we need to search (expensive but necessary)
-      system.refresh_all();
      for (pid, process) in system.processes() {
        let cmd = process.cmd();
        if cmd.len() >= 2 {
          // Check if this is the right browser executable first
          let exe_name = process.name().to_string_lossy().to_lowercase();
          let is_correct_browser = match profile.browser.as_str() {
-            "firefox" => {
-              exe_name.contains("firefox")
-                && !exe_name.contains("developer")
-                && !exe_name.contains("camoufox")
+            "camoufox" => exe_name.contains("camoufox") || exe_name.contains("firefox"),
+            "wayfern" => {
+              exe_name.contains("wayfern")
+                || exe_name.contains("chromium")
+                || exe_name.contains("chrome")
            }
-            "firefox-developer" => exe_name.contains("firefox") && exe_name.contains("developer"),
-            "zen" => exe_name.contains("zen"),
-            "chromium" => exe_name.contains("chromium"),
-            "brave" => exe_name.contains("brave"),
-            // Camoufox is handled via CamoufoxManager, not PID-based checking
            _ => false,
          };

@@ -1085,13 +1292,6 @@ impl ProfileManager {
            let arg = s.to_str().unwrap_or("");
            // For Firefox-based browsers, check for exact profile path match
            if profile.browser == "camoufox" {
-              // Camoufox uses user_data_dir like Chromium browsers
-              arg.contains(&format!("--user-data-dir={profile_data_path_str}"))
-                || arg == profile_data_path_str
-            } else if profile.browser == "firefox"
-              || profile.browser == "firefox-developer"
-              || profile.browser == "zen"
-            {
              arg == profile_data_path_str
                || arg == format!("-profile={profile_data_path_str}")
                || (arg == "-profile"
@@ -1099,7 +1299,7 @@ impl ProfileManager {
                    .iter()
                    .any(|s2| s2.to_str().unwrap_or("") == profile_data_path_str))
            } else {
-              // For Chromium-based browsers, check for user-data-dir
+              // For Chromium-based browsers (Wayfern), check for user-data-dir
              arg.contains(&format!("--user-data-dir={profile_data_path_str}"))
                || arg == profile_data_path_str
            }
@@ -1170,7 +1370,8 @@ impl ProfileManager {
  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
    let launcher = self.camoufox_manager;
    let profiles_dir = self.get_profiles_dir();
-    let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+    let profile_data_path =
+      crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
    let profile_path_str = profile_data_path.to_string_lossy();

    // Check if there's a running Camoufox instance for this profile
@@ -1214,6 +1415,10 @@ impl ProfileManager {
      }
      Ok(None) => {
        // No running instance found, clear process ID if set and stop proxy
+        if profile.ephemeral {
+          crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+        }
+
        let profiles_dir = self.get_profiles_dir();
        let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
        let metadata_file = profile_uuid_dir.join("metadata.json");
@@ -1244,6 +1449,10 @@ impl ProfileManager {
      Err(e) => {
        // Error checking status, assume not running and clear process ID
        log::warn!("Warning: Failed to check Camoufox status: {e}");
+        if profile.ephemeral {
+          crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+        }
+
        let profiles_dir = self.get_profiles_dir();
        let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
        let metadata_file = profile_uuid_dir.join("metadata.json");
@@ -1285,7 +1494,8 @@ impl ProfileManager {
  ) -> Result<bool, Box<dyn std::error::Error + Send + Sync>> {
    let manager = self.wayfern_manager;
    let profiles_dir = self.get_profiles_dir();
-    let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+    let profile_data_path =
+      crate::ephemeral_dirs::get_effective_profile_path(profile, &profiles_dir);
    let profile_path_str = profile_data_path.to_string_lossy();

    // Check if there's a running Wayfern instance for this profile
@@ -1329,6 +1539,10 @@ impl ProfileManager {
      }
      None => {
        // No running instance found, clear process ID if set
+        if profile.ephemeral {
+          crate::ephemeral_dirs::remove_ephemeral_dir(&profile.id.to_string());
+        }
+
        let profiles_dir = self.get_profiles_dir();
        let profile_uuid_dir = profiles_dir.join(profile.id.to_string());
        let metadata_file = profile_uuid_dir.join("metadata.json");
@@ -1373,9 +1587,10 @@ impl ProfileManager {
      "user_pref(\"startup.homepage_welcome_url\", \"\");".to_string(),
      "user_pref(\"startup.homepage_welcome_url.additional\", \"\");".to_string(),
      "user_pref(\"startup.homepage_override_url\", \"\");".to_string(),
-      // Keep extension updates enabled
+      // Keep extension updates enabled and allow sideloaded extensions
      "user_pref(\"extensions.update.enabled\", true);".to_string(),
      "user_pref(\"extensions.update.autoUpdateDefault\", true);".to_string(),
+      "user_pref(\"extensions.autoDisableScopes\", 0);".to_string(),
      // Completely disable browser update checking
      "user_pref(\"app.update.enabled\", false);".to_string(),
      "user_pref(\"app.update.auto\", false);".to_string(),
@@ -1545,9 +1760,11 @@ impl ProfileManager {
    let pac_content = "function FindProxyForURL(url, host) { return 'DIRECT'; }";
    let pac_path = uuid_dir.join("proxy.pac");
    fs::write(&pac_path, pac_content)?;
+    let pac_url =
+      url::Url::from_file_path(&pac_path).map_err(|_| "Failed to convert PAC path to file URL")?;
    preferences.push(format!(
-      "user_pref(\"network.proxy.autoconfig_url\", \"file://{}\");",
-      pac_path.to_string_lossy()
+      "user_pref(\"network.proxy.autoconfig_url\", \"{}\");",
+      pac_url.as_str()
    ));

    fs::write(user_js_path, preferences.join("\n"))?;
@@ -1706,6 +1923,33 @@ mod tests {
      "Should set SSL proxy port"
    );
  }
+
+  #[test]
+  fn test_pac_url_encodes_spaces_in_path() {
+    let (manager, temp_dir) = create_test_profile_manager();
+
+    let uuid_dir = temp_dir.path().join("path with spaces");
+    let profile_dir = uuid_dir.join("profile");
+    fs::create_dir_all(&profile_dir).expect("Should create profile directory");
+
+    let result = manager.disable_proxy_settings_in_profile(&profile_dir);
+    assert!(result.is_ok(), "Should handle paths with spaces");
+
+    let user_js = fs::read_to_string(profile_dir.join("user.js")).unwrap();
+    let pac_line = user_js
+      .lines()
+      .find(|l| l.contains("autoconfig_url"))
+      .expect("Should have autoconfig_url preference");
+
+    assert!(
+      !pac_line.contains("path with spaces"),
+      "PAC URL should not contain raw spaces: {pac_line}"
+    );
+    assert!(
+      pac_line.contains("path%20with%20spaces"),
+      "PAC URL should percent-encode spaces: {pac_line}"
+    );
+  }
 }

 #[allow(clippy::too_many_arguments)]
@@ -1717,9 +1961,11 @@ pub async fn create_browser_profile_with_group(
  version: String,
  release_type: String,
  proxy_id: Option<String>,
+  vpn_id: Option<String>,
  camoufox_config: Option<CamoufoxConfig>,
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
+  ephemeral: bool,
 ) -> Result<BrowserProfile, String> {
  let profile_manager = ProfileManager::instance();
  profile_manager
@@ -1730,9 +1976,11 @@ pub async fn create_browser_profile_with_group(
      &version,
      &release_type,
      proxy_id,
+      vpn_id,
      camoufox_config,
      wayfern_config,
      group_id,
+      ephemeral,
    )
    .await
    .map_err(|e| format!("Failed to create profile: {e}"))
@@ -1759,6 +2007,19 @@ pub async fn update_profile_proxy(
    .map_err(|e| format!("Failed to update profile: {e}"))
 }

+#[tauri::command]
+pub async fn update_profile_vpn(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  vpn_id: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_vpn(app_handle, &profile_id, vpn_id)
+    .await
+    .map_err(|e| format!("Failed to update profile VPN: {e}"))
+}
+
 #[tauri::command]
 pub fn update_profile_tags(
  app_handle: tauri::AppHandle,
@@ -1783,6 +2044,18 @@ pub fn update_profile_note(
    .map_err(|e| format!("Failed to update profile note: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_proxy_bypass_rules(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  rules: Vec<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_proxy_bypass_rules(&app_handle, &profile_id, rules)
+    .map_err(|e| format!("Failed to update proxy bypass rules: {e}"))
+}
+
 #[tauri::command]
 pub async fn check_browser_status(
  app_handle: tauri::AppHandle,
@@ -1816,10 +2089,24 @@ pub async fn create_browser_profile_new(
  version: String,
  release_type: String,
  proxy_id: Option<String>,
+  vpn_id: Option<String>,
  camoufox_config: Option<CamoufoxConfig>,
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
+  ephemeral: Option<bool>,
 ) -> Result<BrowserProfile, String> {
+  let fingerprint_os = camoufox_config
+    .as_ref()
+    .and_then(|c| c.os.as_deref())
+    .or_else(|| wayfern_config.as_ref().and_then(|c| c.os.as_deref()));
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(fingerprint_os)
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let browser_type =
    BrowserType::from_str(&browser_str).map_err(|e| format!("Invalid browser type: {e}"))?;
  create_browser_profile_with_group(
@@ -1829,9 +2116,11 @@ pub async fn create_browser_profile_new(
    version,
    release_type,
    proxy_id,
+    vpn_id,
    camoufox_config,
    wayfern_config,
    group_id,
+    ephemeral.unwrap_or(false),
  )
  .await
 }
@@ -1842,6 +2131,21 @@ pub async fn update_camoufox_config(
  profile_id: String,
  config: CamoufoxConfig,
 ) -> Result<(), String> {
+  if config.fingerprint.is_some()
+    && !crate::cloud_auth::CLOUD_AUTH
+      .has_active_paid_subscription()
+      .await
+  {
+    return Err("Fingerprint editing requires an active Pro subscription".to_string());
+  }
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(config.os.as_deref())
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let profile_manager = ProfileManager::instance();
  profile_manager
    .update_camoufox_config(app_handle, &profile_id, config)
@@ -1855,6 +2159,21 @@ pub async fn update_wayfern_config(
  profile_id: String,
  config: WayfernConfig,
 ) -> Result<(), String> {
+  if config.fingerprint.is_some()
+    && !crate::cloud_auth::CLOUD_AUTH
+      .has_active_paid_subscription()
+      .await
+  {
+    return Err("Fingerprint editing requires an active Pro subscription".to_string());
+  }
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(config.os.as_deref())
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let profile_manager = ProfileManager::instance();
  profile_manager
    .update_wayfern_config(app_handle, &profile_id, config)
@@ -1862,7 +2181,13 @@ pub async fn update_wayfern_config(
    .map_err(|e| format!("Failed to update Wayfern config: {e}"))
 }

-// Global singleton instance
+#[tauri::command]
+pub fn clone_profile(profile_id: String, name: Option<String>) -> Result<BrowserProfile, String> {
+  ProfileManager::instance()
+    .clone_profile(&profile_id, name)
+    .map_err(|e| format!("Failed to clone profile: {e}"))
+}
+
 #[tauri::command]
 pub fn delete_profile(app_handle: tauri::AppHandle, profile_id: String) -> Result<(), String> {
  ProfileManager::instance()
@@ -13,6 +13,14 @@ pub enum SyncStatus {
  Error,
 }

+#[derive(Debug, Serialize, Deserialize, Clone, Copy, PartialEq, Eq, Default)]
+pub enum SyncMode {
+  #[default]
+  Disabled,
+  Regular,
+  Encrypted,
+}
+
 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct BrowserProfile {
  pub id: uuid::Uuid,
@@ -22,6 +30,8 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub proxy_id: Option<String>, // Reference to stored proxy
  #[serde(default)]
+  pub vpn_id: Option<String>, // Reference to stored VPN config
+  #[serde(default)]
  pub process_id: Option<u32>,
  #[serde(default)]
  pub last_launch: Option<u64>,
@@ -38,18 +48,61 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub note: Option<String>, // User note
  #[serde(default)]
-  pub sync_enabled: bool, // Whether sync is enabled for this profile
+  pub sync_mode: SyncMode,
+  #[serde(default)]
+  pub encryption_salt: Option<String>,
  #[serde(default)]
  pub last_sync: Option<u64>, // Timestamp of last successful sync (epoch seconds)
+  #[serde(default)]
+  pub host_os: Option<String>, // OS where profile was created ("macos", "windows", "linux")
+  #[serde(default)]
+  pub ephemeral: bool,
+  #[serde(default)]
+  pub extension_group_id: Option<String>,
+  #[serde(default)]
+  pub proxy_bypass_rules: Vec<String>,
+  #[serde(default)]
+  pub created_by_id: Option<String>,
+  #[serde(default)]
+  pub created_by_email: Option<String>,
 }

 pub fn default_release_type() -> String {
  "stable".to_string()
 }

+pub fn get_host_os() -> String {
+  if cfg!(target_os = "macos") {
+    "macos".to_string()
+  } else if cfg!(target_os = "windows") {
+    "windows".to_string()
+  } else {
+    "linux".to_string()
+  }
+}
+
 impl BrowserProfile {
  /// Get the path to the profile data directory (profiles/{uuid}/profile)
  pub fn get_profile_data_path(&self, profiles_dir: &Path) -> PathBuf {
    profiles_dir.join(self.id.to_string()).join("profile")
  }
+
+  /// Returns true when the profile was created on a different OS than the current host.
+  /// Profiles without an `os` field (backward compat) are treated as native.
+  pub fn is_cross_os(&self) -> bool {
+    match &self.host_os {
+      Some(host_os) => host_os != &get_host_os(),
+      None => false,
+    }
+  }
+
+  /// Returns true if sync is enabled (either Regular or Encrypted mode).
+  pub fn is_sync_enabled(&self) -> bool {
+    self.sync_mode != SyncMode::Disabled
+  }
+
+  /// Returns true if sync uses E2E encryption.
+  pub fn is_encrypted_sync(&self) -> bool {
+    self.sync_mode == SyncMode::Encrypted
+  }
 }
@@ -4,22 +4,38 @@ use std::collections::HashSet;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};

-use crate::browser::BrowserType;
+use crate::camoufox_manager::CamoufoxConfig;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
+use crate::profile::types::{get_host_os, BrowserProfile, SyncMode};
 use crate::profile::ProfileManager;
+use crate::proxy_manager::PROXY_MANAGER;
+use crate::wayfern_manager::WayfernConfig;

 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct DetectedProfile {
  pub browser: String,
+  pub mapped_browser: String,
  pub name: String,
  pub path: String,
  pub description: String,
 }

+fn map_browser_type(browser: &str) -> &str {
+  match browser {
+    "firefox" | "firefox-developer" | "zen" => "camoufox",
+    "chromium" | "brave" => "wayfern",
+    "camoufox" => "camoufox",
+    "wayfern" => "wayfern",
+    _ => "wayfern",
+  }
+}
+
 pub struct ProfileImporter {
  base_dirs: BaseDirs,
  downloaded_browsers_registry: &'static DownloadedBrowsersRegistry,
  profile_manager: &'static ProfileManager,
+  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
+  wayfern_manager: &'static crate::wayfern_manager::WayfernManager,
 }

 impl ProfileImporter {
@@ -28,6 +44,8 @@ impl ProfileImporter {
      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
      downloaded_browsers_registry: DownloadedBrowsersRegistry::instance(),
      profile_manager: ProfileManager::instance(),
+      camoufox_manager: crate::camoufox_manager::CamoufoxManager::instance(),
+      wayfern_manager: crate::wayfern_manager::WayfernManager::instance(),
    }
  }

@@ -35,31 +53,18 @@ impl ProfileImporter {
    &PROFILE_IMPORTER
  }

-  /// Detect existing browser profiles on the system
  pub fn detect_existing_profiles(
    &self,
  ) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut detected_profiles = Vec::new();

-    // Detect Firefox profiles
    detected_profiles.extend(self.detect_firefox_profiles()?);
-
-    // Detect Chrome profiles
    detected_profiles.extend(self.detect_chrome_profiles()?);
-
-    // Detect Brave profiles
    detected_profiles.extend(self.detect_brave_profiles()?);
-
-    // Detect Firefox Developer Edition profiles
    detected_profiles.extend(self.detect_firefox_developer_profiles()?);
-
-    // Detect Chromium profiles
    detected_profiles.extend(self.detect_chromium_profiles()?);
-
-    // Detect Zen Browser profiles
    detected_profiles.extend(self.detect_zen_browser_profiles()?);

-    // Remove duplicates based on path
    let mut seen_paths = HashSet::new();
    let unique_profiles: Vec<DetectedProfile> = detected_profiles
      .into_iter()
@@ -69,7 +74,6 @@ impl ProfileImporter {
    Ok(unique_profiles)
  }

-  /// Detect Firefox profiles
  fn detect_firefox_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -84,12 +88,10 @@ impl ProfileImporter {

    #[cfg(target_os = "windows")]
    {
-      // Primary location in AppData\Roaming
      let app_data = self.base_dirs.data_dir();
      let firefox_dir = app_data.join("Mozilla/Firefox/Profiles");
      profiles.extend(self.scan_firefox_profiles_dir(&firefox_dir, "firefox")?);

-      // Also check AppData\Local for portable installations
      let local_app_data = self.base_dirs.data_local_dir();
      let firefox_local_dir = local_app_data.join("Mozilla/Firefox/Profiles");
      if firefox_local_dir.exists() {
@@ -106,7 +108,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Firefox Developer Edition profiles
  fn detect_firefox_developer_profiles(
    &self,
  ) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
@@ -114,13 +115,11 @@ impl ProfileImporter {

    #[cfg(target_os = "macos")]
    {
-      // Firefox Developer Edition on macOS uses separate profile directories
      let firefox_dev_alt_dir = self
        .base_dirs
        .home_dir()
        .join("Library/Application Support/Firefox Developer Edition/Profiles");

-      // Only scan the dedicated dev edition directory if it exists, otherwise skip to avoid duplicates
      if firefox_dev_alt_dir.exists() {
        profiles.extend(self.scan_firefox_profiles_dir(&firefox_dev_alt_dir, "firefox-developer")?);
      }
@@ -129,7 +128,6 @@ impl ProfileImporter {
    #[cfg(target_os = "windows")]
    {
      let app_data = self.base_dirs.data_dir();
-      // Firefox Developer Edition on Windows typically uses separate directories
      let firefox_dev_dir = app_data.join("Mozilla/Firefox Developer Edition/Profiles");
      if firefox_dev_dir.exists() {
        profiles.extend(self.scan_firefox_profiles_dir(&firefox_dev_dir, "firefox-developer")?);
@@ -138,7 +136,6 @@ impl ProfileImporter {

    #[cfg(target_os = "linux")]
    {
-      // Firefox Developer Edition on Linux uses separate directories
      let firefox_dev_dir = self
        .base_dirs
        .home_dir()
@@ -151,7 +148,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Chrome profiles
  fn detect_chrome_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -180,7 +176,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Chromium profiles
  fn detect_chromium_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -209,7 +204,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Brave profiles
  fn detect_brave_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -241,7 +235,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Zen Browser profiles
  fn detect_zen_browser_profiles(
    &self,
  ) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
@@ -272,7 +265,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Scan Firefox-style profiles directory
  fn scan_firefox_profiles_dir(
    &self,
    profiles_dir: &Path,
@@ -284,7 +276,6 @@ impl ProfileImporter {
      return Ok(profiles);
    }

-    // Read profiles.ini file if it exists
    let profiles_ini = profiles_dir
      .parent()
      .unwrap_or(profiles_dir)
@@ -295,7 +286,6 @@ impl ProfileImporter {
      }
    }

-    // Also scan directory for any profile folders not in profiles.ini
    if let Ok(entries) = fs::read_dir(profiles_dir) {
      for entry in entries.flatten() {
        let path = entry.path();
@@ -307,11 +297,11 @@ impl ProfileImporter {
              .and_then(|n| n.to_str())
              .unwrap_or("Unknown Profile");

-            // Check if this profile was already found in profiles.ini
            let already_added = profiles.iter().any(|p| p.path == path.to_string_lossy());
            if !already_added {
              profiles.push(DetectedProfile {
                browser: browser_type.to_string(),
+                mapped_browser: map_browser_type(browser_type).to_string(),
                name: format!(
                  "{} Profile - {}",
                  self.get_browser_display_name(browser_type),
@@ -329,7 +319,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Parse Firefox profiles.ini file
  fn parse_firefox_profiles_ini(
    &self,
    content: &str,
@@ -346,7 +335,6 @@ impl ProfileImporter {
      let line = line.trim();

      if line.starts_with('[') && line.ends_with(']') {
-        // Save previous profile if complete
        if !current_section.is_empty()
          && current_section.starts_with("Profile")
          && !profile_path.is_empty()
@@ -370,6 +358,7 @@ impl ProfileImporter {

            profiles.push(DetectedProfile {
              browser: browser_type.to_string(),
+              mapped_browser: map_browser_type(browser_type).to_string(),
              name: display_name,
              path: full_path.to_string_lossy().to_string(),
              description: format!("Profile: {profile_name}"),
@@ -377,7 +366,6 @@ impl ProfileImporter {
          }
        }

-        // Start new section
        current_section = line[1..line.len() - 1].to_string();
        profile_name.clear();
        profile_path.clear();
@@ -398,7 +386,6 @@ impl ProfileImporter {
      }
    }

-    // Handle last profile
    if !current_section.is_empty()
      && current_section.starts_with("Profile")
      && !profile_path.is_empty()
@@ -422,6 +409,7 @@ impl ProfileImporter {

        profiles.push(DetectedProfile {
          browser: browser_type.to_string(),
+          mapped_browser: map_browser_type(browser_type).to_string(),
          name: display_name,
          path: full_path.to_string_lossy().to_string(),
          description: format!("Profile: {profile_name}"),
@@ -432,7 +420,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Scan Chrome-style profiles directory
  fn scan_chrome_profiles_dir(
    &self,
    browser_dir: &Path,
@@ -444,11 +431,11 @@ impl ProfileImporter {
      return Ok(profiles);
    }

-    // Check for Default profile
    let default_profile = browser_dir.join("Default");
    if default_profile.exists() && default_profile.join("Preferences").exists() {
      profiles.push(DetectedProfile {
        browser: browser_type.to_string(),
+        mapped_browser: map_browser_type(browser_type).to_string(),
        name: format!(
          "{} - Default Profile",
          self.get_browser_display_name(browser_type)
@@ -458,7 +445,6 @@ impl ProfileImporter {
      });
    }

-    // Check for Profile X directories
    if let Ok(entries) = fs::read_dir(browser_dir) {
      for entry in entries.flatten() {
        let path = entry.path();
@@ -466,9 +452,10 @@ impl ProfileImporter {
          let dir_name = path.file_name().and_then(|n| n.to_str()).unwrap_or("");

          if dir_name.starts_with("Profile ") && path.join("Preferences").exists() {
-            let profile_number = &dir_name[8..]; // Remove "Profile " prefix
+            let profile_number = &dir_name[8..];
            profiles.push(DetectedProfile {
              browser: browser_type.to_string(),
+              mapped_browser: map_browser_type(browser_type).to_string(),
              name: format!(
                "{} - Profile {}",
                self.get_browser_display_name(browser_type),
@@ -485,7 +472,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Get browser display name
  fn get_browser_display_name(&self, browser_type: &str) -> &str {
    match browser_type {
      "firefox" => "Firefox",
@@ -493,28 +479,36 @@ impl ProfileImporter {
      "chromium" => "Chrome/Chromium",
      "brave" => "Brave",
      "zen" => "Zen Browser",
+      "camoufox" => "Camoufox",
+      "wayfern" => "Wayfern",
      _ => "Unknown Browser",
    }
  }

-  /// Import a profile from an existing browser profile
-  pub fn import_profile(
+  #[allow(clippy::too_many_arguments)]
+  pub async fn import_profile(
    &self,
+    app_handle: &tauri::AppHandle,
    source_path: &str,
    browser_type: &str,
    new_profile_name: &str,
+    proxy_id: Option<String>,
+    camoufox_config: Option<CamoufoxConfig>,
+    wayfern_config: Option<WayfernConfig>,
  ) -> Result<(), Box<dyn std::error::Error>> {
-    // Validate that source path exists
    let source_path = Path::new(source_path);
    if !source_path.exists() {
      return Err("Source profile path does not exist".into());
    }

-    // Validate browser type
-    let _browser_type = BrowserType::from_str(browser_type)
-      .map_err(|_| format!("Invalid browser type: {browser_type}"))?;
+    let mapped = map_browser_type(browser_type);
+
+    if let Some(ref pid) = proxy_id {
+      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
+        crate::cloud_auth::CLOUD_AUTH.sync_cloud_proxy().await;
+      }
+    }

-    // Check if a profile with this name already exists
    let existing_profiles = self.profile_manager.list_profiles()?;
    if existing_profiles
      .iter()
@@ -523,7 +517,6 @@ impl ProfileImporter {
      return Err(format!("Profile with name '{new_profile_name}' already exists").into());
    }

-    // Generate UUID for new profile and create the directory structure
    let profile_id = uuid::Uuid::new_v4();
    let profiles_dir = self.profile_manager.get_profiles_dir();
    let new_profile_uuid_dir = profiles_dir.join(profile_id.to_string());
@@ -532,32 +525,234 @@ impl ProfileImporter {
    create_dir_all(&new_profile_uuid_dir)?;
    create_dir_all(&new_profile_data_dir)?;

-    // Copy all files from source to destination profile subdirectory
    Self::copy_directory_recursive(source_path, &new_profile_data_dir)?;

-    // Create the profile metadata without overwriting the imported data
-    // We need to find a suitable version for this browser type
-    let available_versions = self.get_default_version_for_browser(browser_type)?;
+    let version = self.get_default_version_for_browser(mapped)?;

-    let profile = crate::profile::BrowserProfile {
+    let final_camoufox_config = if mapped == "camoufox" {
+      let mut config = camoufox_config.unwrap_or_default();
+
+      if config.executable_path.is_none() {
+        let mut browser_dir = self.profile_manager.get_binaries_dir();
+        browser_dir.push(mapped);
+        browser_dir.push(&version);
+
+        #[cfg(target_os = "macos")]
+        let binary_path = browser_dir
+          .join("Camoufox.app")
+          .join("Contents")
+          .join("MacOS")
+          .join("camoufox");
+
+        #[cfg(target_os = "windows")]
+        let binary_path = browser_dir.join("camoufox.exe");
+
+        #[cfg(target_os = "linux")]
+        let binary_path = browser_dir.join("camoufox");
+
+        config.executable_path = Some(binary_path.to_string_lossy().to_string());
+      }
+
+      if let Some(ref proxy_id_val) = proxy_id {
+        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_val) {
+          let proxy_url = if let (Some(username), Some(password)) =
+            (&proxy_settings.username, &proxy_settings.password)
+          {
+            format!(
+              "{}://{}:{}@{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              username,
+              password,
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          } else {
+            format!(
+              "{}://{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          };
+          config.proxy = Some(proxy_url);
+        }
+      }
+
+      if config.fingerprint.is_none() {
+        let temp_profile = BrowserProfile {
+          id: uuid::Uuid::new_v4(),
+          name: new_profile_name.to_string(),
+          browser: mapped.to_string(),
+          version: version.clone(),
+          proxy_id: proxy_id.clone(),
+          vpn_id: None,
+          process_id: None,
+          last_launch: None,
+          release_type: "stable".to_string(),
+          camoufox_config: None,
+          wayfern_config: None,
+          group_id: None,
+          tags: Vec::new(),
+          note: None,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
+          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
+        };
+
+        match self
+          .camoufox_manager
+          .generate_fingerprint_config(app_handle, &temp_profile, &config)
+          .await
+        {
+          Ok(fp) => config.fingerprint = Some(fp),
+          Err(e) => {
+            return Err(
+              format!(
+                "Failed to generate fingerprint for imported profile '{new_profile_name}': {e}"
+              )
+              .into(),
+            );
+          }
+        }
+      }
+
+      config.proxy = None;
+      Some(config)
+    } else {
+      None
+    };
+
+    let final_wayfern_config = if mapped == "wayfern" {
+      let mut config = wayfern_config.unwrap_or_default();
+
+      if config.executable_path.is_none() {
+        let mut browser_dir = self.profile_manager.get_binaries_dir();
+        browser_dir.push(mapped);
+        browser_dir.push(&version);
+
+        #[cfg(target_os = "macos")]
+        let binary_path = browser_dir
+          .join("Chromium.app")
+          .join("Contents")
+          .join("MacOS")
+          .join("Chromium");
+
+        #[cfg(target_os = "windows")]
+        let binary_path = browser_dir.join("chrome.exe");
+
+        #[cfg(target_os = "linux")]
+        let binary_path = browser_dir.join("chrome");
+
+        config.executable_path = Some(binary_path.to_string_lossy().to_string());
+      }
+
+      if let Some(ref proxy_id_val) = proxy_id {
+        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_val) {
+          let proxy_url = if let (Some(username), Some(password)) =
+            (&proxy_settings.username, &proxy_settings.password)
+          {
+            format!(
+              "{}://{}:{}@{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              username,
+              password,
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          } else {
+            format!(
+              "{}://{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          };
+          config.proxy = Some(proxy_url);
+        }
+      }
+
+      if config.fingerprint.is_none() {
+        let temp_profile = BrowserProfile {
+          id: uuid::Uuid::new_v4(),
+          name: new_profile_name.to_string(),
+          browser: mapped.to_string(),
+          version: version.clone(),
+          proxy_id: proxy_id.clone(),
+          vpn_id: None,
+          process_id: None,
+          last_launch: None,
+          release_type: "stable".to_string(),
+          camoufox_config: None,
+          wayfern_config: None,
+          group_id: None,
+          tags: Vec::new(),
+          note: None,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
+          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
+        };
+
+        match self
+          .wayfern_manager
+          .generate_fingerprint_config(app_handle, &temp_profile, &config)
+          .await
+        {
+          Ok(fp) => config.fingerprint = Some(fp),
+          Err(e) => {
+            return Err(
+              format!(
+                "Failed to generate fingerprint for imported profile '{new_profile_name}': {e}"
+              )
+              .into(),
+            );
+          }
+        }
+      }
+
+      config.proxy = None;
+      Some(config)
+    } else {
+      None
+    };
+
+    let profile = BrowserProfile {
      id: profile_id,
      name: new_profile_name.to_string(),
-      browser: browser_type.to_string(),
-      version: available_versions,
-      proxy_id: None,
+      browser: mapped.to_string(),
+      version,
+      proxy_id,
+      vpn_id: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
-      camoufox_config: None,
-      wayfern_config: None,
+      camoufox_config: final_camoufox_config,
+      wayfern_config: final_wayfern_config,
      group_id: None,
      tags: Vec::new(),
      note: None,
-      sync_enabled: false,
+      sync_mode: SyncMode::Disabled,
+      encryption_salt: None,
      last_sync: None,
+      host_os: Some(get_host_os()),
+      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    };

-    // Save the profile metadata
    self.profile_manager.save_profile(&profile)?;

    log::info!(
@@ -569,12 +764,10 @@ impl ProfileImporter {
    Ok(())
  }

-  /// Get a default version for a browser type
  fn get_default_version_for_browser(
    &self,
    browser_type: &str,
  ) -> Result<String, Box<dyn std::error::Error>> {
-    // Check if any version of the browser is downloaded
    let downloaded_versions = self
      .downloaded_browsers_registry
      .get_downloaded_versions(browser_type);
@@ -583,16 +776,17 @@ impl ProfileImporter {
      return Ok(version.clone());
    }

-    // If no downloaded versions found, return an error
-    Err(format!(
-      "No downloaded versions found for browser '{}'. Please download a version of {} first before importing profiles.",
-      browser_type,
-      self.get_browser_display_name(browser_type)
-    ).into())
+    Err(
+      format!(
+        "No downloaded versions found for browser '{}'. Please download a version of {} first before importing profiles.",
+        browser_type,
+        self.get_browser_display_name(browser_type)
+      )
+      .into(),
+    )
  }

-  /// Recursively copy directory contents
-  fn copy_directory_recursive(
+  pub fn copy_directory_recursive(
    source: &Path,
    destination: &Path,
  ) -> Result<(), Box<dyn std::error::Error>> {
@@ -616,7 +810,6 @@ impl ProfileImporter {
  }
 }

-// Tauri commands
 #[tauri::command]
 pub async fn detect_existing_profiles() -> Result<Vec<DetectedProfile>, String> {
  let importer = ProfileImporter::instance();
@@ -627,17 +820,41 @@ pub async fn detect_existing_profiles() -> Result<Vec<DetectedProfile>, String>

 #[tauri::command]
 pub async fn import_browser_profile(
+  app_handle: tauri::AppHandle,
  source_path: String,
  browser_type: String,
  new_profile_name: String,
+  proxy_id: Option<String>,
+  camoufox_config: Option<CamoufoxConfig>,
+  wayfern_config: Option<WayfernConfig>,
 ) -> Result<(), String> {
+  let fingerprint_os = camoufox_config
+    .as_ref()
+    .and_then(|c| c.os.as_deref())
+    .or_else(|| wayfern_config.as_ref().and_then(|c| c.os.as_deref()));
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(fingerprint_os)
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let importer = ProfileImporter::instance();
  importer
-    .import_profile(&source_path, &browser_type, &new_profile_name)
+    .import_profile(
+      &app_handle,
+      &source_path,
+      &browser_type,
+      &new_profile_name,
+      proxy_id,
+      camoufox_config,
+      wayfern_config,
+    )
+    .await
    .map_err(|e| format!("Failed to import profile: {e}"))
 }

-// Global singleton instance
 lazy_static::lazy_static! {
  static ref PROFILE_IMPORTER: ProfileImporter = ProfileImporter::new();
 }
@@ -650,10 +867,7 @@ mod tests {

  fn create_test_profile_importer() -> (ProfileImporter, TempDir) {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");
-
-    // Set up a temporary home directory for testing
    env::set_var("HOME", temp_dir.path());
-
    let importer = ProfileImporter::new();
    (importer, temp_dir)
  }
@@ -661,7 +875,6 @@ mod tests {
  #[test]
  fn test_profile_importer_creation() {
    let (_importer, _temp_dir) = create_test_profile_importer();
-    // Test passes if no panic occurs
  }

  #[test]
@@ -685,19 +898,25 @@ mod tests {
    );
  }

+  #[test]
+  fn test_map_browser_type() {
+    assert_eq!(map_browser_type("firefox"), "camoufox");
+    assert_eq!(map_browser_type("firefox-developer"), "camoufox");
+    assert_eq!(map_browser_type("zen"), "camoufox");
+    assert_eq!(map_browser_type("chromium"), "wayfern");
+    assert_eq!(map_browser_type("brave"), "wayfern");
+    assert_eq!(map_browser_type("camoufox"), "camoufox");
+    assert_eq!(map_browser_type("wayfern"), "wayfern");
+    assert_eq!(map_browser_type("something_else"), "wayfern");
+  }
+
  #[test]
  fn test_detect_existing_profiles_no_panic() {
    let (importer, _temp_dir) = create_test_profile_importer();

-    // This should not panic even if no browser profiles exist
    let result = importer.detect_existing_profiles();
    assert!(result.is_ok(), "detect_existing_profiles should not fail");
-
    let _profiles = result.unwrap();
-    // We can't assert specific profiles since they depend on the system
-    // but we can verify the result is a valid Vec
-    // We can't assert specific profiles since they depend on the system
-    // but we can verify the result is a valid Vec (length check is always true for Vec, but shows intent)
  }

  #[test]
@@ -756,12 +975,10 @@ mod tests {
  fn test_parse_firefox_profiles_ini_valid() {
    let (importer, temp_dir) = create_test_profile_importer();

-    // Create a mock profile directory
    let profiles_dir = temp_dir.path().join("profiles");
    let profile_dir = profiles_dir.join("test.profile");
    fs::create_dir_all(&profile_dir).expect("Should create profile directory");

-    // Create a prefs.js file to make it look like a valid profile
    let prefs_file = profile_dir.join("prefs.js");
    fs::write(&prefs_file, "// Firefox preferences").expect("Should create prefs.js");

@@ -780,31 +997,27 @@ Path=test.profile
    assert_eq!(profiles.len(), 1, "Should find one profile");
    assert_eq!(profiles[0].name, "Firefox - Test Profile");
    assert_eq!(profiles[0].browser, "firefox");
+    assert_eq!(profiles[0].mapped_browser, "camoufox");
  }

  #[test]
  fn test_copy_directory_recursive() {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");

-    // Create source directory structure
    let source_dir = temp_dir.path().join("source");
    let source_subdir = source_dir.join("subdir");
    fs::create_dir_all(&source_subdir).expect("Should create source directories");

-    // Create some test files
    let source_file1 = source_dir.join("file1.txt");
    let source_file2 = source_subdir.join("file2.txt");
    fs::write(&source_file1, "content1").expect("Should create file1");
    fs::write(&source_file2, "content2").expect("Should create file2");

-    // Create destination directory
    let dest_dir = temp_dir.path().join("dest");

-    // Copy recursively
    let result = ProfileImporter::copy_directory_recursive(&source_dir, &dest_dir);
    assert!(result.is_ok(), "Should copy directory successfully");

-    // Verify files were copied
    let dest_file1 = dest_dir.join("file1.txt");
    let dest_file2 = dest_dir.join("subdir").join("file2.txt");

@@ -822,8 +1035,7 @@ Path=test.profile
  fn test_get_default_version_for_browser_no_versions() {
    let (importer, _temp_dir) = create_test_profile_importer();

-    // This should fail since no versions are downloaded in test environment
-    let result = importer.get_default_version_for_browser("firefox");
+    let result = importer.get_default_version_for_browser("camoufox");
    assert!(
      result.is_err(),
      "Should fail when no versions are available"
@@ -12,13 +12,14 @@ pub async fn start_proxy_process(
  upstream_url: Option<String>,
  port: Option<u16>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
-  start_proxy_process_with_profile(upstream_url, port, None).await
+  start_proxy_process_with_profile(upstream_url, port, None, Vec::new()).await
 }

 pub async fn start_proxy_process_with_profile(
  upstream_url: Option<String>,
  port: Option<u16>,
  profile_id: Option<String>,
+  bypass_rules: Vec<String>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
  let id = generate_proxy_id();
  let upstream = upstream_url.unwrap_or_else(|| "DIRECT".to_string());
@@ -30,8 +31,9 @@ pub async fn start_proxy_process_with_profile(
    listener.local_addr().unwrap().port()
  });

-  let config =
-    ProxyConfig::new(id.clone(), upstream, Some(local_port)).with_profile_id(profile_id.clone());
+  let config = ProxyConfig::new(id.clone(), upstream, Some(local_port))
+    .with_profile_id(profile_id.clone())
+    .with_bypass_rules(bypass_rules);
  save_proxy_config(&config)?;

  // Log profile_id for debugging
@@ -60,7 +62,7 @@ pub async fn start_proxy_process_with_profile(
    cmd.stdout(Stdio::null());

    // Always log to file for diagnostics (both debug and release builds)
-    let log_path = std::path::PathBuf::from("/tmp").join(format!("donut-proxy-{}.log", id));
+    let log_path = std::env::temp_dir().join(format!("donut-proxy-{}.log", id));
    if let Ok(file) = std::fs::File::create(&log_path) {
      log::info!("Proxy worker stderr will be logged to: {:?}", log_path);
      cmd.stderr(Stdio::from(file));
@@ -105,13 +107,28 @@ pub async fn start_proxy_process_with_profile(

  #[cfg(windows)]
  {
+    use std::os::windows::io::AsRawHandle;
    use std::os::windows::process::CommandExt;
    use std::process::Command as StdCommand;
-    use windows::Win32::Foundation::CloseHandle;
+    use windows::Win32::Foundation::{CloseHandle, SetHandleInformation, HANDLE, HANDLE_FLAGS};
    use windows::Win32::System::Threading::{
      OpenProcess, SetPriorityClass, ABOVE_NORMAL_PRIORITY_CLASS, PROCESS_SET_INFORMATION,
    };

+    // Mark current stdout/stderr as non-inheritable so the spawned worker process
+    // does not inherit pipe handles from our parent (prevents blocking when parent exits).
+    let stdout_handle = std::io::stdout().as_raw_handle();
+    let stderr_handle = std::io::stderr().as_raw_handle();
+    const HANDLE_FLAG_INHERIT: u32 = 0x00000001;
+    unsafe {
+      if !stdout_handle.is_null() {
+        let _ = SetHandleInformation(HANDLE(stdout_handle), HANDLE_FLAG_INHERIT, HANDLE_FLAGS(0));
+      }
+      if !stderr_handle.is_null() {
+        let _ = SetHandleInformation(HANDLE(stderr_handle), HANDLE_FLAG_INHERIT, HANDLE_FLAGS(0));
+      }
+    }
+
    let mut cmd = StdCommand::new(&exe);
    cmd.arg("proxy-worker");
    cmd.arg("start");
@@ -120,11 +137,20 @@ pub async fn start_proxy_process_with_profile(

    cmd.stdin(Stdio::null());
    cmd.stdout(Stdio::null());
-    cmd.stderr(Stdio::null());

-    // On Windows, use CREATE_NEW_PROCESS_GROUP flag for proper detachment
+    // Log to file for diagnostics (matching Unix behavior)
+    let log_path = std::env::temp_dir().join(format!("donut-proxy-{}.log", id));
+    if let Ok(file) = std::fs::File::create(&log_path) {
+      log::info!("Proxy worker stderr will be logged to: {:?}", log_path);
+      cmd.stderr(Stdio::from(file));
+    } else {
+      cmd.stderr(Stdio::null());
+    }
+
+    // On Windows, use DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP for proper detachment.
+    const DETACHED_PROCESS: u32 = 0x00000008;
    const CREATE_NEW_PROCESS_GROUP: u32 = 0x00000200;
-    cmd.creation_flags(CREATE_NEW_PROCESS_GROUP);
+    cmd.creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP);

    let child = cmd.spawn()?;
    let pid = child.id();
@@ -230,9 +256,12 @@ pub async fn stop_proxy_process(id: &str) -> Result<bool, Box<dyn std::error::Er
      }
      #[cfg(windows)]
      {
+        use std::os::windows::process::CommandExt;
        use std::process::Command;
+        const CREATE_NO_WINDOW: u32 = 0x08000000;
        let _ = Command::new("taskkill")
          .args(["/F", "/PID", &pid.to_string()])
+          .creation_flags(CREATE_NO_WINDOW)
          .output();
      }

@@ -6,6 +6,7 @@ use hyper::server::conn::http1;
 use hyper::service::service_fn;
 use hyper::{Method, Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
+use regex_lite::Regex;
 use std::convert::Infallible;
 use std::io;
 use std::net::SocketAddr;
@@ -18,6 +19,38 @@ use tokio::net::TcpListener;
 use tokio::net::TcpStream;
 use url::Url;

+enum CompiledRule {
+  Regex(Regex),
+  Exact(String),
+}
+
+#[derive(Clone)]
+pub struct BypassMatcher {
+  rules: Arc<Vec<CompiledRule>>,
+}
+
+impl BypassMatcher {
+  pub fn new(rules: &[String]) -> Self {
+    let compiled = rules
+      .iter()
+      .map(|rule| match Regex::new(rule) {
+        Ok(re) => CompiledRule::Regex(re),
+        Err(_) => CompiledRule::Exact(rule.clone()),
+      })
+      .collect();
+    Self {
+      rules: Arc::new(compiled),
+    }
+  }
+
+  pub fn should_bypass(&self, host: &str) -> bool {
+    self.rules.iter().any(|rule| match rule {
+      CompiledRule::Regex(re) => re.is_match(host),
+      CompiledRule::Exact(exact) => host == exact,
+    })
+  }
+}
+
 /// Wrapper stream that counts bytes read and written
 struct CountingStream<S> {
  inner: S,
@@ -133,19 +166,21 @@ impl AsyncWrite for PrependReader {
 async fn handle_request(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Handle CONNECT method for HTTPS tunneling
  if req.method() == Method::CONNECT {
-    return handle_connect(req, upstream_url).await;
+    return handle_connect(req, upstream_url, bypass_matcher).await;
  }

  // Handle regular HTTP requests
-  handle_http(req, upstream_url).await
+  handle_http(req, upstream_url, bypass_matcher).await
 }

 async fn handle_connect(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  let authority = req.uri().authority().cloned();

@@ -161,12 +196,13 @@ async fn handle_connect(
      (&target_addr[..], 443)
    };

-    // If no upstream proxy, connect directly
+    // If no upstream proxy, or bypass rule matches, connect directly
    if upstream_url.is_none()
      || upstream_url
        .as_ref()
        .map(|s| s == "DIRECT")
        .unwrap_or(false)
+      || bypass_matcher.should_bypass(target_host)
    {
      match TcpStream::connect(&target_addr).await {
        Ok(_stream) => {
@@ -674,6 +710,7 @@ async fn handle_http_via_socks4(
 async fn handle_http(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Extract domain for traffic tracking
  let domain = req
@@ -689,13 +726,17 @@ async fn handle_http(
    req.uri().host()
  );

+  let should_bypass = bypass_matcher.should_bypass(&domain);
+
  // Check if we need to handle SOCKS4 manually (reqwest doesn't support it)
-  if let Some(ref upstream) = upstream_url {
-    if upstream != "DIRECT" {
-      if let Ok(url) = Url::parse(upstream) {
-        if url.scheme() == "socks4" {
-          // Handle SOCKS4 manually for HTTP requests
-          return handle_http_via_socks4(req, upstream).await;
+  if !should_bypass {
+    if let Some(ref upstream) = upstream_url {
+      if upstream != "DIRECT" {
+        if let Ok(url) = Url::parse(upstream) {
+          if url.scheme() == "socks4" {
+            // Handle SOCKS4 manually for HTTP requests
+            return handle_http_via_socks4(req, upstream).await;
+          }
        }
      }
    }
@@ -705,7 +746,9 @@ async fn handle_http(
  use reqwest::Client;

  let client_builder = Client::builder();
-  let client = if let Some(ref upstream) = upstream_url {
+  let client = if should_bypass {
+    client_builder.build().unwrap_or_default()
+  } else if let Some(ref upstream) = upstream_url {
    if upstream == "DIRECT" {
      client_builder.build().unwrap_or_default()
    } else {
@@ -1003,6 +1046,8 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
    }
  });

+  let bypass_matcher = BypassMatcher::new(&config.bypass_rules);
+
  // Keep the runtime alive with an infinite loop
  // This ensures the process doesn't exit even if there are no active connections
  loop {
@@ -1014,16 +1059,19 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
        log::error!("DEBUG: Accepted connection from {:?}", peer_addr);

        let upstream = upstream_url.clone();
+        let matcher = bypass_matcher.clone();

        tokio::task::spawn(async move {
-          // Read first bytes to detect CONNECT requests
-          // CONNECT requests need special handling for tunneling
-          // Use a larger buffer to ensure we can detect CONNECT even with partial reads
+          // Wait for the stream to have readable data before attempting to read.
+          // This prevents read() from returning 0 on a fresh connection before
+          // the client's data arrives.
+          if stream.readable().await.is_err() {
+            return;
+          }
+
          let mut peek_buffer = [0u8; 16];
          match stream.read(&mut peek_buffer).await {
-            Ok(0) => {
-              log::error!("DEBUG: Connection closed immediately (0 bytes read)");
-            }
+            Ok(0) => {}
            Ok(n) => {
              // Check if this looks like a CONNECT request
              // Be more lenient - check if the first bytes match "CONNECT" (case-insensitive)
@@ -1108,7 +1156,9 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
                  "DEBUG: Handling CONNECT manually for: {}",
                  String::from_utf8_lossy(&full_request[..full_request.len().min(200)])
                );
-                if let Err(e) = handle_connect_from_buffer(stream, full_request, upstream).await {
+                if let Err(e) =
+                  handle_connect_from_buffer(stream, full_request, upstream, matcher).await
+                {
                  log::error!("Error handling CONNECT request: {:?}", e);
                } else {
                  log::error!("DEBUG: CONNECT handled successfully");
@@ -1130,7 +1180,8 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
                inner: stream,
              };
              let io = TokioIo::new(prepended_reader);
-              let service = service_fn(move |req| handle_request(req, upstream.clone()));
+              let service =
+                service_fn(move |req| handle_request(req, upstream.clone(), matcher.clone()));

              if let Err(err) = http1::Builder::new().serve_connection(io, service).await {
                log::error!("Error serving connection: {:?}", err);
@@ -1156,6 +1207,7 @@ async fn handle_connect_from_buffer(
  mut client_stream: TcpStream,
  request_buffer: Vec<u8>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<(), Box<dyn std::error::Error>> {
  // Parse the CONNECT request from the buffer
  let request_str = String::from_utf8_lossy(&request_buffer);
@@ -1193,6 +1245,7 @@ async fn handle_connect_from_buffer(
  }

  // Connect to target (directly or via upstream proxy)
+  let should_bypass = bypass_matcher.should_bypass(target_host);
  let target_stream = match upstream_url.as_ref() {
    None => {
      // Direct connection
@@ -1202,6 +1255,10 @@ async fn handle_connect_from_buffer(
      // Direct connection
      TcpStream::connect((target_host, target_port)).await?
    }
+    _ if should_bypass => {
+      // Bypass rule matched - connect directly
+      TcpStream::connect((target_host, target_port)).await?
+    }
    Some(upstream_url_str) => {
      // Connect via upstream proxy
      let upstream = Url::parse(upstream_url_str)?;
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::fs;
 use std::path::PathBuf;
@@ -13,6 +12,8 @@ pub struct ProxyConfig {
  pub pid: Option<u32>,
  #[serde(default)]
  pub profile_id: Option<String>,
+  #[serde(default)]
+  pub bypass_rules: Vec<String>,
 }

 impl ProxyConfig {
@@ -25,6 +26,7 @@ impl ProxyConfig {
      local_url: None,
      pid: None,
      profile_id: None,
+      bypass_rules: Vec::new(),
    }
  }

@@ -32,18 +34,15 @@ impl ProxyConfig {
    self.profile_id = profile_id;
    self
  }
+
+  pub fn with_bypass_rules(mut self, bypass_rules: Vec<String>) -> Self {
+    self.bypass_rules = bypass_rules;
+    self
+  }
 }

 pub fn get_storage_dir() -> PathBuf {
-  let base_dirs = BaseDirs::new().expect("Failed to get base directories");
-  let mut path = base_dirs.data_local_dir().to_path_buf();
-  path.push(if cfg!(debug_assertions) {
-    "DonutBrowserDev"
-  } else {
-    "DonutBrowser"
-  });
-  path.push("proxies");
-  path
+  crate::app_dirs::proxy_workers_dir()
 }

 pub fn save_proxy_config(config: &ProxyConfig) -> Result<(), Box<dyn std::error::Error>> {
@@ -132,7 +131,60 @@ pub fn generate_proxy_id() -> String {
 }

 pub fn is_process_running(pid: u32) -> bool {
-  use sysinfo::{Pid, System};
-  let system = System::new();
-  system.process(Pid::from(pid as usize)).is_some()
+  use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+  let system = System::new_with_specifics(
+    RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+  );
+  system.process(sysinfo::Pid::from_u32(pid)).is_some()
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_is_process_running_detects_current_process() {
+    let pid = std::process::id();
+    assert!(
+      is_process_running(pid),
+      "is_process_running must detect the current process (PID {pid})"
+    );
+  }
+
+  #[test]
+  fn test_is_process_running_returns_false_for_dead_pid() {
+    // Spawn a short-lived child and wait for it to exit
+    let child = std::process::Command::new(if cfg!(windows) { "cmd" } else { "true" })
+      .args(if cfg!(windows) {
+        vec!["/C", "exit"]
+      } else {
+        vec![]
+      })
+      .spawn()
+      .expect("failed to spawn child");
+    let pid = child.id();
+    let mut child = child;
+    child.wait().expect("child failed");
+
+    assert!(
+      !is_process_running(pid),
+      "is_process_running must return false for a dead process (PID {pid})"
+    );
+  }
+
+  #[test]
+  fn test_is_process_running_returns_false_for_nonexistent_pid() {
+    // PID 0 is the "System Idle Process" on Windows and sysinfo reports it as running,
+    // so only assert on non-Windows platforms where PID 0 is not a real user process.
+    #[cfg(not(windows))]
+    assert!(
+      !is_process_running(0),
+      "is_process_running must return false for PID 0"
+    );
+    // Very high PID unlikely to exist
+    assert!(
+      !is_process_running(u32::MAX),
+      "is_process_running must return false for PID u32::MAX"
+    );
+  }
 }
@@ -1,4 +1,3 @@
-use directories::BaseDirs;
 use serde::{Deserialize, Serialize};
 use std::fs::{self, create_dir_all};
 use std::path::PathBuf;
@@ -52,6 +51,12 @@ pub struct AppSettings {
  pub mcp_token: Option<String>, // Displayed token for user to copy (not persisted, loaded from encrypted file)
  #[serde(default)]
  pub launch_on_login_declined: bool, // User permanently declined the launch-on-login prompt
+  #[serde(default)]
+  pub language: Option<String>, // ISO 639-1: "en", "es", "pt", "fr", "zh", "ja", "ru", or None for system default
+  #[serde(default)]
+  pub window_resize_warning_dismissed: bool,
+  #[serde(default)]
+  pub disable_auto_updates: bool,
 }

 #[derive(Debug, Serialize, Deserialize, Clone, Default)]
@@ -84,31 +89,18 @@ impl Default for AppSettings {
      mcp_port: None,
      mcp_token: None,
      launch_on_login_declined: false,
+      language: None,
+      window_resize_warning_dismissed: false,
+      disable_auto_updates: false,
    }
  }
 }

-pub struct SettingsManager {
-  base_dirs: BaseDirs,
-  data_dir_override: Option<PathBuf>,
-}
+pub struct SettingsManager;

 impl SettingsManager {
-  fn new() -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: std::env::var("DONUTBROWSER_DATA_DIR")
-        .ok()
-        .map(PathBuf::from),
-    }
-  }
-
-  #[cfg(test)]
-  fn with_data_dir_override(dir: &std::path::Path) -> Self {
-    Self {
-      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
-      data_dir_override: Some(dir.to_path_buf()),
-    }
+  pub(crate) fn new() -> Self {
+    Self
  }

  pub fn instance() -> &'static SettingsManager {
@@ -116,18 +108,7 @@ impl SettingsManager {
  }

  pub fn get_settings_dir(&self) -> PathBuf {
-    if let Some(dir) = &self.data_dir_override {
-      return dir.join("settings");
-    }
-
-    let mut path = self.base_dirs.data_local_dir().to_path_buf();
-    path.push(if cfg!(debug_assertions) {
-      "DonutBrowserDev"
-    } else {
-      "DonutBrowser"
-    });
-    path.push("settings");
-    path
+    crate::app_dirs::settings_dir()
  }

  pub fn get_settings_file(&self) -> PathBuf {
@@ -150,23 +131,10 @@ impl SettingsManager {

    // Parse the settings file - serde will use default values for missing fields
    match serde_json::from_str::<AppSettings>(&content) {
-      Ok(settings) => {
-        // Save the settings back to ensure any missing fields are written with defaults
-        if let Err(e) = self.save_settings(&settings) {
-          log::warn!("Warning: Failed to update settings file with defaults: {e}");
-        }
-        Ok(settings)
-      }
+      Ok(settings) => Ok(settings),
      Err(e) => {
        log::warn!("Warning: Failed to parse settings file, using defaults: {e}");
-        let default_settings = AppSettings::default();
-
-        // Try to save default settings to fix the corrupted file
-        if let Err(save_error) = self.save_settings(&default_settings) {
-          log::warn!("Warning: Failed to save default settings: {save_error}");
-        }
-
-        Ok(default_settings)
+        Ok(AppSettings::default())
      }
    }
  }
@@ -232,7 +200,7 @@ impl SettingsManager {
  ) -> Result<String, Box<dyn std::error::Error>> {
    // Generate a secure random token (base64 encoded for URL safety)
    let token_bytes: [u8; 32] = {
-      use rand::RngCore;
+      use rand::Rng;
      let mut rng = rand::rng();
      let mut bytes = [0u8; 32];
      rng.fill_bytes(&mut bytes);
@@ -422,7 +390,7 @@ impl SettingsManager {
    app_handle: &tauri::AppHandle,
  ) -> Result<String, Box<dyn std::error::Error>> {
    let token_bytes: [u8; 32] = {
-      use rand::RngCore;
+      use rand::Rng;
      let mut rng = rand::rng();
      let mut bytes = [0u8; 32];
      rng.fill_bytes(&mut bytes);
@@ -766,11 +734,17 @@ pub async fn save_app_settings(
        .await
        .map_err(|e| format!("Failed to store API token: {e}"))?;
    } else {
-      let token = manager
-        .generate_api_token(&app_handle)
-        .await
-        .map_err(|e| format!("Failed to generate API token: {e}"))?;
-      settings.api_token = Some(token);
+      // Check if a token already exists on disk before generating a new one
+      let existing = manager.get_api_token(&app_handle).await.ok().flatten();
+      if let Some(t) = existing {
+        settings.api_token = Some(t);
+      } else {
+        let token = manager
+          .generate_api_token(&app_handle)
+          .await
+          .map_err(|e| format!("Failed to generate API token: {e}"))?;
+        settings.api_token = Some(token);
+      }
    }
  }

@@ -790,11 +764,17 @@ pub async fn save_app_settings(
        .await
        .map_err(|e| format!("Failed to store MCP token: {e}"))?;
    } else {
-      let token = manager
-        .generate_mcp_token(&app_handle)
-        .await
-        .map_err(|e| format!("Failed to generate MCP token: {e}"))?;
-      settings.mcp_token = Some(token);
+      // Check if a token already exists on disk before generating a new one
+      let existing = manager.get_mcp_token(&app_handle).await.ok().flatten();
+      if let Some(t) = existing {
+        settings.mcp_token = Some(t);
+      } else {
+        let token = manager
+          .generate_mcp_token(&app_handle)
+          .await
+          .map_err(|e| format!("Failed to generate MCP token: {e}"))?;
+        settings.mcp_token = Some(token);
+      }
    }
  }

@@ -806,9 +786,29 @@ pub async fn save_app_settings(
    settings.mcp_token = None;
  }

+  // Preserve server-managed flags that the frontend may not have up-to-date.
+  // Read directly from file to avoid load_settings' save-on-load behavior.
+  if let Ok(content) = std::fs::read_to_string(manager.get_settings_file()) {
+    if let Ok(current) = serde_json::from_str::<AppSettings>(&content) {
+      settings.window_resize_warning_dismissed = current.window_resize_warning_dismissed;
+      settings.launch_on_login_declined = current.launch_on_login_declined;
+    }
+  }
+
  let mut persist_settings = settings.clone();
  persist_settings.api_token = None;
  persist_settings.mcp_token = None;
+
+  log::info!(
+    "[settings] Saving settings: theme={}, custom_theme_keys={}",
+    persist_settings.theme,
+    persist_settings
+      .custom_theme
+      .as_ref()
+      .map(|t| t.len())
+      .unwrap_or(0)
+  );
+
  manager
    .save_settings(&persist_settings)
    .map_err(|e| format!("Failed to save settings: {e}"))?;
@@ -856,6 +856,19 @@ pub async fn save_table_sorting_settings(sorting: TableSortingSettings) -> Resul

 #[tauri::command]
 pub async fn get_sync_settings(app_handle: tauri::AppHandle) -> Result<SyncSettings, String> {
+  // Cloud auth takes priority over self-hosted settings
+  if crate::cloud_auth::CLOUD_AUTH.is_logged_in().await {
+    let sync_token = crate::cloud_auth::CLOUD_AUTH
+      .get_or_refresh_sync_token()
+      .await
+      .map_err(|e| format!("Failed to get cloud sync token: {e}"))?;
+    return Ok(SyncSettings {
+      sync_server_url: Some(crate::cloud_auth::CLOUD_SYNC_URL.to_string()),
+      sync_token,
+    });
+  }
+
+  // Fall back to self-hosted settings
  let manager = SettingsManager::instance();
  let mut sync_settings = manager
    .get_sync_settings()
@@ -899,6 +912,41 @@ pub async fn save_sync_settings(
  })
 }

+#[tauri::command]
+pub async fn dismiss_window_resize_warning() -> Result<(), String> {
+  let manager = SettingsManager::instance();
+  let mut settings = manager
+    .load_settings()
+    .map_err(|e| format!("Failed to load settings: {e}"))?;
+  settings.window_resize_warning_dismissed = true;
+  manager
+    .save_settings(&settings)
+    .map_err(|e| format!("Failed to save settings: {e}"))
+}
+
+#[tauri::command]
+pub async fn get_window_resize_warning_dismissed() -> Result<bool, String> {
+  let manager = SettingsManager::instance();
+  let settings = manager
+    .load_settings()
+    .map_err(|e| format!("Failed to load settings: {e}"))?;
+  Ok(settings.window_resize_warning_dismissed)
+}
+
+#[tauri::command]
+pub fn get_system_language() -> String {
+  sys_locale::get_locale()
+    .map(|locale| {
+      // Extract just the language code (e.g., "en" from "en-US")
+      locale
+        .split(['-', '_'])
+        .next()
+        .unwrap_or("en")
+        .to_lowercase()
+    })
+    .unwrap_or_else(|| "en".to_string())
+}
+
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref SETTINGS_MANAGER: SettingsManager = SettingsManager::new();
@@ -909,16 +957,16 @@ mod tests {
  use super::*;
  use tempfile::TempDir;

-  fn create_test_settings_manager() -> (SettingsManager, TempDir) {
+  fn create_test_settings_manager() -> (SettingsManager, TempDir, crate::app_dirs::TestDirGuard) {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");
-    let manager = SettingsManager::with_data_dir_override(temp_dir.path());
-    (manager, temp_dir)
+    let guard = crate::app_dirs::set_test_data_dir(temp_dir.path().to_path_buf());
+    let manager = SettingsManager::new();
+    (manager, temp_dir, guard)
  }

  #[test]
  fn test_settings_manager_creation() {
-    let (_manager, _temp_dir) = create_test_settings_manager();
-    // Test passes if no panic occurs
+    let (_manager, _temp_dir, _guard) = create_test_settings_manager();
  }

  #[test]
@@ -951,7 +999,7 @@ mod tests {

  #[test]
  fn test_load_settings_nonexistent_file() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let result = manager.load_settings();
    assert!(
@@ -969,7 +1017,7 @@ mod tests {

  #[test]
  fn test_save_and_load_settings() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let test_settings = AppSettings {
      set_as_default_browser: true,
@@ -985,13 +1033,14 @@ mod tests {
      mcp_port: None,
      mcp_token: None,
      launch_on_login_declined: false,
+      language: None,
+      window_resize_warning_dismissed: false,
+      disable_auto_updates: false,
    };

-    // Save settings
    let save_result = manager.save_settings(&test_settings);
    assert!(save_result.is_ok(), "Should save settings successfully");

-    // Load settings back
    let load_result = manager.load_settings();
    assert!(load_result.is_ok(), "Should load settings successfully");

@@ -1008,7 +1057,7 @@ mod tests {

  #[test]
  fn test_load_table_sorting_nonexistent_file() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let result = manager.load_table_sorting();
    assert!(
@@ -1023,18 +1072,16 @@ mod tests {

  #[test]
  fn test_save_and_load_table_sorting() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let test_sorting = TableSortingSettings {
      column: "browser".to_string(),
      direction: "desc".to_string(),
    };

-    // Save sorting
    let save_result = manager.save_table_sorting(&test_sorting);
    assert!(save_result.is_ok(), "Should save sorting successfully");

-    // Load sorting back
    let load_result = manager.load_table_sorting();
    assert!(load_result.is_ok(), "Should load sorting successfully");

@@ -1051,45 +1098,37 @@ mod tests {

  #[test]
  fn test_should_show_launch_on_login_prompt() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let result = manager.should_show_launch_on_login_prompt();
    assert!(result.is_ok(), "Should not fail");

-    // By default, should show prompt (not declined, autostart not enabled)
    let _should_show = result.unwrap();
-    // Note: The actual value depends on system autostart state, so we just test it doesn't fail
  }

  #[test]
  fn test_decline_launch_on_login() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

-    // Initially not declined
    let settings = manager.load_settings().unwrap();
    assert!(!settings.launch_on_login_declined);

-    // Decline
    manager.decline_launch_on_login().unwrap();

-    // Should be declined now
    let settings = manager.load_settings().unwrap();
    assert!(settings.launch_on_login_declined);
  }

  #[test]
  fn test_load_corrupted_settings_file() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

-    // Create settings directory
    let settings_dir = manager.get_settings_dir();
    fs::create_dir_all(&settings_dir).expect("Should create settings directory");

-    // Write corrupted JSON
    let settings_file = manager.get_settings_file();
    fs::write(&settings_file, "{ invalid json }").expect("Should write corrupted file");

-    // Should handle corrupted file gracefully
    let result = manager.load_settings();
    assert!(
      result.is_ok(),
@@ -1109,7 +1148,7 @@ mod tests {

  #[test]
  fn test_settings_file_paths() {
-    let (manager, _temp_dir) = create_test_settings_manager();
+    let (manager, _temp_dir, _guard) = create_test_settings_manager();

    let settings_dir = manager.get_settings_dir();
    let settings_file = manager.get_settings_file();
@@ -34,7 +34,9 @@ impl SyncClient {
      .map_err(|e| SyncError::NetworkError(e.to_string()))?;

    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(SyncError::AuthError(format!("({status}) {body}")));
    }

    response
@@ -62,7 +64,9 @@ impl SyncClient {
      .map_err(|e| SyncError::NetworkError(e.to_string()))?;

    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(SyncError::AuthError(format!("({status}) {body}")));
    }

    response
@@ -85,7 +89,9 @@ impl SyncClient {
      .map_err(|e| SyncError::NetworkError(e.to_string()))?;

    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(SyncError::AuthError(format!("({status}) {body}")));
    }

    response
@@ -109,7 +115,9 @@ impl SyncClient {
      .map_err(|e| SyncError::NetworkError(e.to_string()))?;

    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(SyncError::AuthError(format!("({status}) {body}")));
    }

    response
@@ -119,6 +127,14 @@ impl SyncClient {
  }

  pub async fn list(&self, prefix: &str) -> SyncResult<ListResponse> {
+    self.list_page(prefix, None).await
+  }
+
+  async fn list_page(
+    &self,
+    prefix: &str,
+    continuation_token: Option<String>,
+  ) -> SyncResult<ListResponse> {
    let response = self
      .client
      .post(self.url("list"))
@@ -126,14 +142,16 @@ impl SyncClient {
      .json(&ListRequest {
        prefix: prefix.to_string(),
        max_keys: Some(1000),
-        continuation_token: None,
+        continuation_token,
      })
      .send()
      .await
      .map_err(|e| SyncError::NetworkError(e.to_string()))?;

    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(SyncError::AuthError(format!("({status}) {body}")));
    }

    response
@@ -142,13 +160,38 @@ impl SyncClient {
      .map_err(|e| SyncError::SerializationError(e.to_string()))
  }

+  /// List all objects under a prefix, paginating through all results
+  pub async fn list_all(&self, prefix: &str) -> SyncResult<Vec<ListObject>> {
+    let mut all_objects = Vec::new();
+    let mut continuation_token: Option<String> = None;
+
+    loop {
+      let response = self.list_page(prefix, continuation_token).await?;
+      all_objects.extend(response.objects);
+
+      if !response.is_truncated {
+        break;
+      }
+      continuation_token = response.next_continuation_token;
+      if continuation_token.is_none() {
+        break;
+      }
+    }
+
+    Ok(all_objects)
+  }
+
  pub async fn upload_bytes(
    &self,
    presigned_url: &str,
    data: &[u8],
    content_type: Option<&str>,
  ) -> SyncResult<()> {
-    let mut req = self.client.put(presigned_url).body(data.to_vec());
+    let mut req = self
+      .client
+      .put(presigned_url)
+      .header("Content-Length", data.len().to_string())
+      .body(data.to_vec());

    if let Some(ct) = content_type {
      req = req.header("Content-Type", ct);
@@ -196,59 +239,84 @@ impl SyncClient {
    &self,
    items: Vec<(String, Option<String>)>,
  ) -> SyncResult<PresignUploadBatchResponse> {
-    let request = PresignUploadBatchRequest {
-      items: items
-        .into_iter()
-        .map(|(key, content_type)| PresignUploadBatchItem { key, content_type })
-        .collect(),
-      expires_in: Some(3600),
-    };
+    let chunk_size = 500;
+    let mut all_items = Vec::new();

-    let response = self
-      .client
-      .post(self.url("presign-upload-batch"))
-      .header("Authorization", format!("Bearer {}", self.token))
-      .json(&request)
-      .send()
-      .await
-      .map_err(|e| SyncError::NetworkError(e.to_string()))?;
+    for chunk in items.chunks(chunk_size) {
+      let request = PresignUploadBatchRequest {
+        items: chunk
+          .iter()
+          .map(|(key, content_type)| PresignUploadBatchItem {
+            key: key.clone(),
+            content_type: content_type.clone(),
+          })
+          .collect(),
+        expires_in: Some(3600),
+      };

-    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let response = self
+        .client
+        .post(self.url("presign-upload-batch"))
+        .header("Authorization", format!("Bearer {}", self.token))
+        .json(&request)
+        .send()
+        .await
+        .map_err(|e| SyncError::NetworkError(e.to_string()))?;
+
+      if response.status().is_client_error() {
+        let status = response.status();
+        let body = response.text().await.unwrap_or_default();
+        return Err(SyncError::AuthError(format!("({status}) {body}")));
+      }
+
+      let batch_response: PresignUploadBatchResponse = response
+        .json()
+        .await
+        .map_err(|e| SyncError::SerializationError(e.to_string()))?;
+
+      all_items.extend(batch_response.items);
    }

-    response
-      .json()
-      .await
-      .map_err(|e| SyncError::SerializationError(e.to_string()))
+    Ok(PresignUploadBatchResponse { items: all_items })
  }

  pub async fn presign_download_batch(
    &self,
    keys: Vec<String>,
  ) -> SyncResult<PresignDownloadBatchResponse> {
-    let request = PresignDownloadBatchRequest {
-      keys,
-      expires_in: Some(3600),
-    };
+    let chunk_size = 500;
+    let mut all_items = Vec::new();

-    let response = self
-      .client
-      .post(self.url("presign-download-batch"))
-      .header("Authorization", format!("Bearer {}", self.token))
-      .json(&request)
-      .send()
-      .await
-      .map_err(|e| SyncError::NetworkError(e.to_string()))?;
+    for chunk in keys.chunks(chunk_size) {
+      let request = PresignDownloadBatchRequest {
+        keys: chunk.to_vec(),
+        expires_in: Some(3600),
+      };

-    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let response = self
+        .client
+        .post(self.url("presign-download-batch"))
+        .header("Authorization", format!("Bearer {}", self.token))
+        .json(&request)
+        .send()
+        .await
+        .map_err(|e| SyncError::NetworkError(e.to_string()))?;
+
+      if response.status().is_client_error() {
+        let status = response.status();
+        let body = response.text().await.unwrap_or_default();
+        return Err(SyncError::AuthError(format!("({status}) {body}")));
+      }
+
+      let batch_response: PresignDownloadBatchResponse = response
+        .json()
+        .await
+        .map_err(|e| SyncError::SerializationError(e.to_string()))?;
+
+      all_items.extend(batch_response.items);
    }

-    response
-      .json()
-      .await
-      .map_err(|e| SyncError::SerializationError(e.to_string()))
+    Ok(PresignDownloadBatchResponse { items: all_items })
  }

  pub async fn delete_prefix(
@@ -270,7 +338,9 @@ impl SyncClient {
      .map_err(|e| SyncError::NetworkError(e.to_string()))?;

    if response.status().is_client_error() {
-      return Err(SyncError::AuthError("Invalid or missing token".to_string()));
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(SyncError::AuthError(format!("({status}) {body}")));
    }

    response
@@ -0,0 +1,351 @@
+use aes_gcm::{
+  aead::{Aead, AeadCore, KeyInit, OsRng},
+  Aes256Gcm, Key,
+};
+use argon2::{password_hash::SaltString, Argon2, PasswordHasher};
+use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
+
+const E2E_FILE_HEADER: &[u8] = b"DBE2E";
+const E2E_FILE_VERSION: u8 = 1;
+
+fn get_e2e_password_path() -> std::path::PathBuf {
+  crate::app_dirs::settings_dir().join("e2e_password.dat")
+}
+
+fn get_vault_password() -> String {
+  env!("DONUT_BROWSER_VAULT_PASSWORD").to_string()
+}
+
+pub fn store_e2e_password(password: &str) -> Result<(), String> {
+  let file_path = get_e2e_password_path();
+
+  if let Some(parent) = file_path.parent() {
+    std::fs::create_dir_all(parent).map_err(|e| format!("Failed to create directory: {e}"))?;
+  }
+
+  let vault_password = get_vault_password();
+  let salt = SaltString::generate(&mut OsRng);
+  let argon2 = Argon2::default();
+  let password_hash = argon2
+    .hash_password(vault_password.as_bytes(), &salt)
+    .map_err(|e| format!("Argon2 key derivation failed: {e}"))?;
+  let hash_value = password_hash.hash.unwrap();
+  let hash_bytes = hash_value.as_bytes();
+
+  let key_bytes: [u8; 32] = hash_bytes[..32]
+    .try_into()
+    .map_err(|_| "Invalid key length")?;
+  let key = Key::<Aes256Gcm>::from(key_bytes);
+  let cipher = Aes256Gcm::new(&key);
+  let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
+
+  let ciphertext = cipher
+    .encrypt(&nonce, password.as_bytes())
+    .map_err(|e| format!("Encryption failed: {e}"))?;
+
+  let mut file_data = Vec::new();
+  file_data.extend_from_slice(E2E_FILE_HEADER);
+  file_data.push(E2E_FILE_VERSION);
+
+  let salt_str = salt.as_str();
+  file_data.push(salt_str.len() as u8);
+  file_data.extend_from_slice(salt_str.as_bytes());
+  file_data.extend_from_slice(&nonce);
+  file_data.extend_from_slice(&(ciphertext.len() as u32).to_le_bytes());
+  file_data.extend_from_slice(&ciphertext);
+
+  std::fs::write(&file_path, file_data)
+    .map_err(|e| format!("Failed to write e2e password file: {e}"))?;
+
+  Ok(())
+}
+
+pub fn load_e2e_password() -> Result<Option<String>, String> {
+  let file_path = get_e2e_password_path();
+  if !file_path.exists() {
+    return Ok(None);
+  }
+
+  let file_data =
+    std::fs::read(&file_path).map_err(|e| format!("Failed to read e2e password file: {e}"))?;
+
+  if file_data.len() < E2E_FILE_HEADER.len() + 1 {
+    return Ok(None);
+  }
+
+  if &file_data[..E2E_FILE_HEADER.len()] != E2E_FILE_HEADER {
+    return Ok(None);
+  }
+
+  let version = file_data[E2E_FILE_HEADER.len()];
+  if version != E2E_FILE_VERSION {
+    return Ok(None);
+  }
+
+  let mut offset = E2E_FILE_HEADER.len() + 1;
+
+  if offset >= file_data.len() {
+    return Ok(None);
+  }
+  let salt_len = file_data[offset] as usize;
+  offset += 1;
+
+  if offset + salt_len > file_data.len() {
+    return Ok(None);
+  }
+  let salt_str = std::str::from_utf8(&file_data[offset..offset + salt_len])
+    .map_err(|_| "Invalid salt encoding")?;
+  offset += salt_len;
+
+  let salt = SaltString::from_b64(salt_str).map_err(|e| format!("Invalid salt: {e}"))?;
+
+  if offset + 12 > file_data.len() {
+    return Ok(None);
+  }
+  let nonce_bytes: [u8; 12] = file_data[offset..offset + 12]
+    .try_into()
+    .map_err(|_| "Invalid nonce")?;
+  let nonce = aes_gcm::Nonce::from(nonce_bytes);
+  offset += 12;
+
+  if offset + 4 > file_data.len() {
+    return Ok(None);
+  }
+  let ciphertext_len =
+    u32::from_le_bytes(file_data[offset..offset + 4].try_into().unwrap()) as usize;
+  offset += 4;
+
+  if offset + ciphertext_len > file_data.len() {
+    return Ok(None);
+  }
+  let ciphertext = &file_data[offset..offset + ciphertext_len];
+
+  let vault_password = get_vault_password();
+  let argon2 = Argon2::default();
+  let password_hash = argon2
+    .hash_password(vault_password.as_bytes(), &salt)
+    .map_err(|e| format!("Argon2 key derivation failed: {e}"))?;
+  let hash_value = password_hash.hash.unwrap();
+  let hash_bytes = hash_value.as_bytes();
+
+  let key_bytes: [u8; 32] = hash_bytes[..32]
+    .try_into()
+    .map_err(|_| "Invalid key length")?;
+  let key = Key::<Aes256Gcm>::from(key_bytes);
+  let cipher = Aes256Gcm::new(&key);
+
+  let plaintext = cipher
+    .decrypt(&nonce, ciphertext)
+    .map_err(|e| format!("Decryption failed: {e}"))?;
+
+  let password =
+    String::from_utf8(plaintext).map_err(|e| format!("Invalid UTF-8 in password: {e}"))?;
+
+  Ok(Some(password))
+}
+
+pub fn has_e2e_password() -> bool {
+  get_e2e_password_path().exists()
+}
+
+pub fn remove_e2e_password() -> Result<(), String> {
+  let file_path = get_e2e_password_path();
+  if file_path.exists() {
+    std::fs::remove_file(&file_path)
+      .map_err(|e| format!("Failed to remove e2e password file: {e}"))?;
+  }
+  Ok(())
+}
+
+/// Derive a per-profile encryption key using Argon2id
+pub fn derive_profile_key(user_password: &str, profile_salt: &str) -> Result<[u8; 32], String> {
+  let salt_bytes = BASE64
+    .decode(profile_salt)
+    .map_err(|e| format!("Invalid salt encoding: {e}"))?;
+
+  let salt = SaltString::encode_b64(&salt_bytes)
+    .map_err(|e| format!("Failed to create salt string: {e}"))?;
+
+  let argon2 = Argon2::default();
+  let password_hash = argon2
+    .hash_password(user_password.as_bytes(), &salt)
+    .map_err(|e| format!("Key derivation failed: {e}"))?;
+  let hash_value = password_hash.hash.unwrap();
+  let hash_bytes = hash_value.as_bytes();
+
+  let mut key = [0u8; 32];
+  key.copy_from_slice(&hash_bytes[..32]);
+  Ok(key)
+}
+
+/// Generate a random 16-byte salt, base64-encoded
+pub fn generate_salt() -> String {
+  let mut salt = [0u8; 16];
+  use aes_gcm::aead::rand_core::RngCore;
+  OsRng.fill_bytes(&mut salt);
+  BASE64.encode(salt)
+}
+
+/// Encrypt bytes with AES-256-GCM. Output format: [nonce 12B][ciphertext]
+pub fn encrypt_bytes(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>, String> {
+  let aes_key = Key::<Aes256Gcm>::from(*key);
+  let cipher = Aes256Gcm::new(&aes_key);
+  let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
+
+  let ciphertext = cipher
+    .encrypt(&nonce, plaintext)
+    .map_err(|e| format!("Encryption failed: {e}"))?;
+
+  let mut output = Vec::with_capacity(12 + ciphertext.len());
+  output.extend_from_slice(&nonce);
+  output.extend_from_slice(&ciphertext);
+  Ok(output)
+}
+
+/// Decrypt bytes encrypted with encrypt_bytes. Input format: [nonce 12B][ciphertext]
+pub fn decrypt_bytes(key: &[u8; 32], encrypted: &[u8]) -> Result<Vec<u8>, String> {
+  if encrypted.len() < 12 {
+    return Err("Encrypted data too short".to_string());
+  }
+
+  let nonce_bytes: [u8; 12] = encrypted[..12].try_into().map_err(|_| "Invalid nonce")?;
+  let nonce = aes_gcm::Nonce::from(nonce_bytes);
+  let ciphertext = &encrypted[12..];
+
+  let aes_key = Key::<Aes256Gcm>::from(*key);
+  let cipher = Aes256Gcm::new(&aes_key);
+
+  cipher
+    .decrypt(&nonce, ciphertext)
+    .map_err(|e| format!("Decryption failed: {e}"))
+}
+
+// Tauri commands
+
+#[tauri::command]
+pub fn set_e2e_password(password: String) -> Result<(), String> {
+  if password.len() < 8 {
+    return Err("Password must be at least 8 characters".to_string());
+  }
+  store_e2e_password(&password)
+}
+
+#[tauri::command]
+pub fn check_has_e2e_password() -> bool {
+  has_e2e_password()
+}
+
+#[tauri::command]
+pub fn delete_e2e_password() -> Result<(), String> {
+  remove_e2e_password()
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_encrypt_decrypt_roundtrip() {
+    let key = [42u8; 32];
+    let plaintext = b"Hello, World!";
+    let encrypted = encrypt_bytes(&key, plaintext).unwrap();
+    let decrypted = decrypt_bytes(&key, &encrypted).unwrap();
+    assert_eq!(decrypted, plaintext);
+  }
+
+  #[test]
+  fn test_encrypt_decrypt_empty_data() {
+    let key = [1u8; 32];
+    let plaintext = b"";
+    let encrypted = encrypt_bytes(&key, plaintext).unwrap();
+    let decrypted = decrypt_bytes(&key, &encrypted).unwrap();
+    assert_eq!(decrypted, plaintext.to_vec());
+  }
+
+  #[test]
+  fn test_encrypt_decrypt_large_data() {
+    let key = [7u8; 32];
+    let plaintext = vec![0xABu8; 1_048_576]; // 1MB
+    let encrypted = encrypt_bytes(&key, &plaintext).unwrap();
+    let decrypted = decrypt_bytes(&key, &encrypted).unwrap();
+    assert_eq!(decrypted, plaintext);
+  }
+
+  #[test]
+  fn test_different_keys_different_ciphertext() {
+    let key1 = [1u8; 32];
+    let key2 = [2u8; 32];
+    let plaintext = b"same data";
+    let encrypted1 = encrypt_bytes(&key1, plaintext).unwrap();
+    let encrypted2 = encrypt_bytes(&key2, plaintext).unwrap();
+    // Nonces are random so ciphertexts will differ regardless,
+    // but decrypting with wrong key should fail
+    assert!(decrypt_bytes(&key2, &encrypted1).is_err());
+    assert!(decrypt_bytes(&key1, &encrypted2).is_err());
+  }
+
+  #[test]
+  fn test_nonce_uniqueness() {
+    let key = [5u8; 32];
+    let plaintext = b"same data encrypted twice";
+    let encrypted1 = encrypt_bytes(&key, plaintext).unwrap();
+    let encrypted2 = encrypt_bytes(&key, plaintext).unwrap();
+    // Different nonces should produce different ciphertext
+    assert_ne!(encrypted1, encrypted2);
+    // But both should decrypt to the same plaintext
+    assert_eq!(
+      decrypt_bytes(&key, &encrypted1).unwrap(),
+      decrypt_bytes(&key, &encrypted2).unwrap()
+    );
+  }
+
+  #[test]
+  fn test_wrong_key_fails() {
+    let key = [10u8; 32];
+    let wrong_key = [20u8; 32];
+    let plaintext = b"secret data";
+    let encrypted = encrypt_bytes(&key, plaintext).unwrap();
+    assert!(decrypt_bytes(&wrong_key, &encrypted).is_err());
+  }
+
+  #[test]
+  fn test_key_derivation_deterministic() {
+    let salt = generate_salt();
+    let key1 = derive_profile_key("my_password", &salt).unwrap();
+    let key2 = derive_profile_key("my_password", &salt).unwrap();
+    assert_eq!(key1, key2);
+  }
+
+  #[test]
+  fn test_key_derivation_different_salts() {
+    let salt1 = generate_salt();
+    let salt2 = generate_salt();
+    let key1 = derive_profile_key("my_password", &salt1).unwrap();
+    let key2 = derive_profile_key("my_password", &salt2).unwrap();
+    assert_ne!(key1, key2);
+  }
+
+  #[test]
+  fn test_salt_generation_unique() {
+    let salt1 = generate_salt();
+    let salt2 = generate_salt();
+    assert_ne!(salt1, salt2);
+  }
+
+  #[test]
+  fn test_password_storage_roundtrip() {
+    let password = "test_password_12345";
+    store_e2e_password(password).unwrap();
+    assert!(has_e2e_password());
+    let loaded = load_e2e_password().unwrap();
+    assert_eq!(loaded, Some(password.to_string()));
+    remove_e2e_password().unwrap();
+    assert!(!has_e2e_password());
+  }
+
+  #[test]
+  fn test_decrypt_too_short_data() {
+    let key = [1u8; 32];
+    assert!(decrypt_bytes(&key, &[0u8; 5]).is_err());
+  }
+}
--- a/Show More
+++ b/Show More