refactor: better cleanup

chore: version bump
chore: linting
2026-06-11 17:27:54 +02:00 · 2026-04-19 22:43:16 +04:00 · 2026-04-19 21:44:13 +04:00 · 2026-04-19 21:07:10 +04:00 · 2026-04-19 19:40:55 +04:00 · 2026-04-19 19:40:55 +04:00
211 changed files with 23021 additions and 9177 deletions
@@ -197,6 +197,7 @@ These are frequently overlooked issues that make UI look unprofessional:
 Before delivering UI code, verify these items:

 ### Visual Quality
+
 - [ ] No emojis used as icons (use SVG instead)
 - [ ] All icons from consistent icon set (Heroicons/Lucide)
 - [ ] Brand logos are correct (verified from Simple Icons)
@@ -204,24 +205,28 @@ Before delivering UI code, verify these items:
 - [ ] Use theme colors directly (bg-primary) not var() wrapper

 ### Interaction
+
 - [ ] All clickable elements have `cursor-pointer`
 - [ ] Hover states provide clear visual feedback
 - [ ] Transitions are smooth (150-300ms)
 - [ ] Focus states visible for keyboard navigation

 ### Light/Dark Mode
+
 - [ ] Light mode text has sufficient contrast (4.5:1 minimum)
 - [ ] Glass/transparent elements visible in light mode
 - [ ] Borders visible in both modes
 - [ ] Test both modes before delivery

 ### Layout
+
 - [ ] Floating elements have proper spacing from edges
 - [ ] No content hidden behind fixed navbars
 - [ ] Responsive at 320px, 768px, 1024px, 1440px
 - [ ] No horizontal scroll on mobile

 ### Accessibility
+
 - [ ] All images have alt text
 - [ ] Form inputs have labels
 - [ ] Color is not the only indicator
@@ -1,42 +0,0 @@
---
-name: "Bug report"
-about: Report a bug
---
-
-<!--
-Hi there! To expedite issue processing please search open and closed issues before submitting a new one. Existing issues often contain information about workarounds, resolution, or progress updates.
-->
-
-# Bug Report
-
-## Description
-
-<!-- A clear and concise description of the problem. -->
-
-## Is this a regression?
-
-<!-- Did this behavior use to work in the previous version? -->
-
-## Minimal Reproduction
-
-<!-- Clear steps to re-produce the issue. -->
-
-1.
-2.
-3.
-
-## Your Environment
-
-<!-- Please provide as much information as you feel comfortable to help the maintainers understand the issue better -->
-
-## Exception or Error or Screenshot
-
-<!-- Please provide any error messages, stack traces, or screenshots that might help -->
-
-<pre><code>
-<!-- Paste error logs here -->
-</code></pre>
-
-## Additional Context
-
-<!-- Add any other context about the problem here. -->
@@ -1,34 +0,0 @@
---
-name: "Feature request"
-about: Suggest a feature
---
-
-# Feature Request
-
-## Description
-
-<!-- A clear and concise description of the problem or missing capability. -->
-
-## Describe the solution you'd like
-
-<!-- If you have a solution in mind, please describe it. -->
-
-## Describe alternatives you've considered
-
-<!-- Have you considered any alternative solutions or workarounds? -->
-
-## Use Case
-
-<!-- Describe the specific use case and how this feature would benefit users. -->
-
-## Priority
-
-<!-- How important is this feature to you? -->
-
- [ ] Low - Nice to have
- [ ] Medium - Would improve my workflow
- [ ] High - Critical for my use case
-
-## Additional Context
-
-<!-- Add any other context, mockups, or examples about the feature request here. -->
@@ -0,0 +1,63 @@
+name: Bug Report
+description: Something isn't working
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      placeholder: Describe the bug. What did you expect vs what actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      placeholder: |
+        1. Go to ...
+        2. Click on ...
+        3. See error
+    validations:
+      required: true
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      options:
+        - macOS (Apple Silicon)
+        - macOS (Intel)
+        - Windows
+        - Linux
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: Donut Browser version
+      placeholder: e.g. 0.17.6 or nightly-2026-03-21
+    validations:
+      required: true
+
+  - type: dropdown
+    id: browser
+    attributes:
+      label: Which browser is affected?
+      options:
+        - Wayfern
+        - Camoufox
+        - Both
+        - Not browser-specific
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Error logs or screenshots
+      description: Run from terminal to get logs. Paste errors, screenshots, or screen recordings.
+      placeholder: Paste logs here or drag screenshots
+    validations:
+      required: false
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Questions & Discussion
+    url: https://github.com/zhom/donutbrowser/discussions
+    about: Ask questions or discuss ideas here instead of opening an issue.
@@ -0,0 +1,30 @@
+name: Feature Request
+description: Suggest a new feature
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: What do you want?
+      placeholder: Describe the feature and why you need it.
+    validations:
+      required: true
+
+  - type: textarea
+    id: use-case
+    attributes:
+      label: Use case
+      placeholder: How would you use this feature? What problem does it solve?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: How important is this to you?
+      options:
+        - Nice to have
+        - Would improve my workflow
+        - Critical for my use case
+    validations:
+      required: true
@@ -1,54 +1,20 @@
-# ✨ Pull Request
+## Which issue does this PR fix?

-## 📓 Referenced Issue
+<!-- Link the issue. #123 -->

-<!-- Please link the related issue. Use # before the issue number and use the verbs 'fixes', 'resolves' to auto-link it, for eg, Fixes: #<issue-number> -->
+## How to test

-## ℹ️ About the PR
+<!-- Steps for the reviewer to verify your changes work -->

-<!-- Please provide a description of your solution if it is not clear in the related issue or if the PR has a breaking change. If there is an interesting topic to discuss or you have questions or there is an issue with Tauri, Rust, or another library that you have used. -->
+## Checklist

-## 🔄 Type of Change
+- [ ] Read [CONTRIBUTING.md](https://github.com/zhom/donutbrowser/blob/main/CONTRIBUTING.md)
+- [ ] Ran `pnpm format && pnpm lint && pnpm test` locally and it passes
+- [ ] I tested the changes myself by running the app locally
+- [ ] Updated translations in all locale files (if UI text changed)

-<!-- Mark the relevant option with an "x". -->
+## AI usage

- [ ] 🐛 Bug fix (non-breaking change which fixes an issue)
- [ ] ✨ New feature (non-breaking change which adds functionality)
- [ ] 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] 📚 Documentation update
- [ ] 🧹 Code cleanup/refactoring
- [ ] ⚡ Performance improvement
+- [ ] I used AI to help write this PR

-## 🖼️ Testing Scenarios / Screenshots
-
-<!-- Please include screenshots or gif to showcase the final output. Also, try to explain the testing you did to validate your change. -->
-
-## ✅ Checklist
-
-<!-- Mark completed items with an "x". -->
-
- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published
-
-## 🧪 How Has This Been Tested?
-
-<!-- Please describe the tests that you ran to verify your changes. -->
-
-## 📱 Platform Testing
-
-<!-- Which platforms have you tested on? -->
-
- [ ] macOS (Intel)
- [ ] macOS (Apple Silicon)
- [ ] Windows (if applicable)
- [ ] Linux (if applicable)
-
-## 📋 Additional Notes
-
-<!-- Any additional information that reviewers should know about this PR. -->
+<!-- If you checked the box above, briefly explain how AI was used (e.g. "generated the test", "wrote the initial implementation", "full PR"). -->
@@ -27,12 +27,14 @@ jobs:
            build-mode: none
          - language: javascript-typescript
            build-mode: none
+          - language: rust
+            build-mode: none
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -14,6 +14,7 @@ permissions:

 jobs:
  contrib-readme-job:
+    if: github.repository == 'zhom/donutbrowser'
    runs-on: ubuntu-latest
    name: Automatically update the contributors list in the README
    permissions:
@@ -21,7 +22,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Contribute List
        uses: akhilmhdh/contributors-readme-action@83ea0b4f1ac928fbfe88b9e8460a932a528eb79f #v2.3.11
        env:
@@ -12,8 +12,8 @@ permissions:
 jobs:
  security-scan:
    name: Security Vulnerability Scan
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -28,7 +28,7 @@ jobs:

  lint-js:
    name: Lint JavaScript/TypeScript
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
    permissions:
@@ -36,7 +36,7 @@ jobs:

  lint-rust:
    name: Lint Rust
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
    permissions:
@@ -44,7 +44,7 @@ jobs:

  codeql:
    name: CodeQL
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
    uses: ./.github/workflows/codeql.yml
    secrets: inherit
    permissions:
@@ -55,7 +55,7 @@ jobs:

  spellcheck:
    name: Spell Check
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
    permissions:
@@ -63,13 +63,13 @@ jobs:

  dependabot-automerge:
    name: Dependabot Automerge
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
    runs-on: ubuntu-latest
    steps:
      - name: Dependabot metadata
        id: metadata
-        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a #v2.5.0
+        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 #v3.0.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for minor and patch updates
@@ -0,0 +1,73 @@
+name: Build and Push donut-sync Docker Image
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "donut-sync/**"
+  workflow_call:
+    inputs:
+      tag:
+        description: "Docker tag (e.g., v1.0.0)"
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Docker tag (e.g., v1.0.0, latest)"
+        required: true
+        default: "latest"
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: donutbrowser/donut-sync
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Determine tags
+        id: tags
+        run: |
+          TAGS=""
+          INPUT_TAG="${{ inputs.tag }}"
+
+          if [ -n "$INPUT_TAG" ]; then
+            # Called from release workflow or manual dispatch
+            TAGS="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${INPUT_TAG}"
+            TAGS="${TAGS},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+          elif [ "${{ github.event_name }}" = "push" ]; then
+            # Push to main (nightly): tag with nightly and commit SHA
+            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+            TAGS="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly"
+            TAGS="${TAGS},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly-${SHORT_SHA}"
+          fi
+
+          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
+          echo "Tags: ${TAGS}"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
+        with:
+          context: .
+          file: ./donut-sync/Dockerfile
+          push: true
+          tags: ${{ steps.tags.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
@@ -0,0 +1,49 @@
+name: Flake Test
+
+on:
+  pull_request:
+    paths:
+      - "flake.nix"
+      - "flake.lock"
+      - ".github/workflows/flake-test.yml"
+  push:
+    branches:
+      - main
+    paths:
+      - "flake.nix"
+      - "flake.lock"
+      - ".github/workflows/flake-test.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  flake:
+    name: validate-flake
+    runs-on: ubuntu-22.04
+    timeout-minutes: 90
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@a6f7623b2e2401f485f1eead77ced45bd99b09b0 #v31
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Evaluate flake outputs
+        run: nix flake show --all-systems
+
+      - name: Check setup app is exposed
+        run: nix eval .#apps.x86_64-linux.setup.program --raw
+
+      - name: Run flake setup app
+        env:
+          CI: "true"
+        run: nix run .#setup
+
+      - name: Run flake info app
+        run: nix run .#info
@@ -3,7 +3,7 @@ name: Issue & PR Automation
 on:
  issues:
    types: [opened]
-  pull_request:
+  pull_request_target:
    types: [opened]
  issue_comment:
    types: [created]
@@ -14,16 +14,15 @@ permissions:
  contents: read
  issues: write
  pull-requests: write
-  models: read
  id-token: write

 jobs:
  analyze-issue:
-    if: github.event_name == 'issues'
+    if: github.repository == 'zhom/donutbrowser' && github.event_name == 'issues'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Check if first-time contributor
        id: check-first-time
@@ -31,9 +30,9 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
        run: |
-          ISSUE_COUNT=$(gh api "/repos/${{ github.repository }}/issues" \
-            --jq "map(select(.user.login == \"$ISSUE_AUTHOR\" and .number != ${{ github.event.issue.number }})) | length" \
-            --paginate || echo "0")
+          ISSUE_COUNT=$(gh api "/repos/${{ github.repository }}/issues?state=all&creator=$ISSUE_AUTHOR&per_page=100" \
+            --jq "[.[] | select(.number != ${{ github.event.issue.number }}) ] | length" \
+            || echo "0")

          if [ "$ISSUE_COUNT" = "0" ]; then
            echo "is_first_time=true" >> $GITHUB_OUTPUT
@@ -41,38 +40,148 @@ jobs:
            echo "is_first_time=false" >> $GITHUB_OUTPUT
          fi

-      - name: Analyze issue
-        uses: anomalyco/opencode/github@6c7d968c4423a0cd6c85099c9377a6066313fa0a #v1.2.20
+      - name: Build repo context and find related files
        env:
-          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
-        with:
-          model: zai-coding-plan/glm-4.7
-          prompt: |
-            You are a triage bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}
+        run: |
+          # Read project guidelines (contains repo structure)
+          cp CLAUDE.md /tmp/repo-context.txt

-            ${{ steps.check-first-time.outputs.is_first_time == 'true' && 'This is a first-time contributor. Start your comment with: "Thanks for opening your first issue!"' || '' }}
+          printf '%s' "$ISSUE_TITLE" > /tmp/issue-title.txt
+          printf '%s' "${ISSUE_BODY:-}" > /tmp/issue-body.txt

-            Analyze this issue and post a single concise comment. Format:
+          # List all source files for the AI to pick from
+          find . -type f \( -name "*.rs" -o -name "*.ts" -o -name "*.tsx" \) \
+            ! -path "*/node_modules/*" ! -path "*/target/*" ! -path "*/.next/*" ! -path "*/dist/*" \
+            ! -path "*/.git/*" ! -path "*/gen/*" ! -path "*/data/*" \
+            | sed 's|^\./||' | sort > /tmp/all-source-files.txt

-            1. One sentence acknowledging what the user wants.
-            2. A short **Action items** list — what specific info is missing or what the user should do next. Only include items that are actually missing. If the issue is complete, say so and skip this section.
-            3. Label the issue: add "bug" label for bug reports, "enhancement" label for feature requests.
+      - name: Select relevant files with AI
+        env:
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+        run: |
+          PAYLOAD=$(jq -n \
+            --rawfile title /tmp/issue-title.txt \
+            --rawfile body /tmp/issue-body.txt \
+            --rawfile files /tmp/all-source-files.txt \
+            '{
+              model: "anthropic/claude-opus-4.6",
+              messages: [
+                {
+                  role: "system",
+                  content: "You are a file selector for Donut Browser (Tauri + Next.js + Rust anti-detect browser). Given an issue and a list of source files, output ONLY the 10 most likely relevant file paths, one per line. No explanations, no numbering, just paths."
+                },
+                {
+                  role: "user",
+                  content: ("Issue: " + $title + "\n\n" + $body + "\n\nFiles:\n" + $files)
+                }
+              ]
+            }')

-            Rules:
-            - Be brief. No filler, no generic tips, no templates.
-            - If it's a bug report, check for: reproduction steps, OS/version, error messages. Only ask for what's actually missing.
-            - If it's a feature request, check for: clear description of desired behavior, use case. Only ask for what's actually missing.
-            - If the issue already has everything needed, just acknowledge it and label it.
-            - Never exceed 6 items total.
+          RESPONSE=$(curl -fsSL https://openrouter.ai/api/v1/chat/completions \
+            -H "Authorization: Bearer $OPENROUTER_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")
+
+          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/selected-files.txt
+
+          # Read the selected files in full (skip binary files)
+          echo "" > /tmp/file-contents.txt
+          while IFS= read -r filepath; do
+            filepath=$(echo "$filepath" | xargs)
+            [ -z "$filepath" ] && continue
+            if [ -f "$filepath" ] && file --mime "$filepath" | grep -q "text/"; then
+              echo "=== $filepath ===" >> /tmp/file-contents.txt
+              cat "$filepath" >> /tmp/file-contents.txt
+              echo "" >> /tmp/file-contents.txt
+            fi
+          done < /tmp/selected-files.txt
+
+          # Cap total context at 100KB
+          head -c 100000 /tmp/file-contents.txt > /tmp/file-context.txt
+
+      - name: Analyze issue with AI
+        env:
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}
+          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
+          IS_FIRST_TIME: ${{ steps.check-first-time.outputs.is_first_time }}
+        run: |
+          GREETING=""
+          if [ "$IS_FIRST_TIME" = "true" ]; then
+            GREETING='This is a first-time contributor. Start your comment with: "Thanks for opening your first issue!"'
+          fi
+
+          printf '%s' "$ISSUE_TITLE" > /tmp/issue-title.txt
+          printf '%s' "${ISSUE_BODY:-}" > /tmp/issue-body.txt
+          printf '%s' "$ISSUE_AUTHOR" > /tmp/issue-author.txt
+          printf '%s' "$GREETING" > /tmp/greeting.txt
+
+          PAYLOAD=$(jq -n \
+            --rawfile title /tmp/issue-title.txt \
+            --rawfile body /tmp/issue-body.txt \
+            --rawfile author /tmp/issue-author.txt \
+            --rawfile greeting /tmp/greeting.txt \
+            --rawfile repo_context /tmp/repo-context.txt \
+            --rawfile context /tmp/file-context.txt \
+            '{
+              model: "anthropic/claude-opus-4.6",
+              messages: [
+                {
+                  role: "system",
+                  content: ("You are a triage bot for Donut Browser, an open-source anti-detect browser (Tauri desktop app: Rust backend + Next.js frontend).\n\nProject guidelines and structure:\n" + $repo_context + "\n\nYou have access to relevant source files for context.\n\nAnalyze the issue and produce a single comment. Your job is to collect missing information needed to diagnose the issue, NOT to guess the cause.\n\nFormat:\n\n1. One sentence acknowledging the issue.\n2. **Missing information** - Ask specific questions about what is missing from the report. Focus on reproducing the issue. Do NOT speculate about root causes or mention internal code/files — you will almost certainly be wrong without logs. Instead, ask for:\n   - Exact steps to reproduce (if not provided)\n   - Expected vs actual behavior (if unclear)\n   - Error messages or screenshots (if not provided)\n   - OS and app version (if not provided)\n   - For bug reports: if logs are needed, tell the user EXACTLY how to get them:\n     - macOS app logs: `~/Library/Logs/Donut Browser/`\n     - Linux app logs: `~/.local/share/DonutBrowser/logs/`\n     - Windows app logs: `%APPDATA%\\DonutBrowser\\logs\\`\n     - Sync server logs: `docker logs <container>` or check the server console\n     - Provide a ready-to-run shell command when possible.\n   - For self-hosted sync issues: check if the user is using the latest Docker image (`docker pull donutbrowser/donut-sync:latest`).\n   - Only ask for information that is actually missing. If the issue is already detailed, just acknowledge it.\n3. Suggest a label: `Label: bug` or `Label: enhancement` on its own line.\n\nRules:\n- Do NOT include a \"Possible cause\" section. Do not speculate about what code might be causing the issue.\n- Be brief and focused on collecting actionable information from the reporter.\n- If the issue already has everything needed (steps to reproduce, logs, version, OS), just acknowledge it.\n- Never exceed 15 lines.")
+                },
+                {
+                  role: "user",
+                  content: (
+                    (if ($greeting | length) > 0 then $greeting + "\n\n" else "" end) +
+                    "Analyze this issue:\n\nTitle: " + $title +
+                    "\nAuthor: " + $author +
+                    "\n\nBody:\n" + $body +
+                    "\n\nRelevant source files:\n" + $context
+                  )
+                }
+              ]
+            }')
+
+          RESPONSE=$(curl -fsSL https://openrouter.ai/api/v1/chat/completions \
+            -H "Authorization: Bearer $OPENROUTER_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")
+
+          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/ai-comment.txt
+
+          if [ ! -s /tmp/ai-comment.txt ]; then
+            echo "::error::AI response was empty"
+            echo "Raw response:"
+            echo "$RESPONSE"
+            exit 1
+          fi
+
+      - name: Post comment and label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          LABEL=$(grep -oP '^Label:\s*\K.*' /tmp/ai-comment.txt | tail -1 | tr '[:upper:]' '[:lower:]' | xargs)
+          sed -i '/^Label:/d' /tmp/ai-comment.txt
+
+          gh issue comment "$ISSUE_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/ai-comment.txt
+
+          if [ "$LABEL" = "bug" ]; then
+            gh issue edit "$ISSUE_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "bug" 2>/dev/null || true
+          elif [ "$LABEL" = "enhancement" ]; then
+            gh issue edit "$ISSUE_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "enhancement" 2>/dev/null || true
+          fi

  analyze-pr:
-    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+    if: github.repository == 'zhom/donutbrowser' && github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Check if first-time contributor
        id: check-first-time
@@ -90,32 +199,123 @@ jobs:
            echo "is_first_time=false" >> $GITHUB_OUTPUT
          fi

-      - name: Analyze PR
-        uses: anomalyco/opencode/github@6c7d968c4423a0cd6c85099c9377a6066313fa0a #v1.2.20
+      - name: Gather PR context
        env:
-          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
-        with:
-          model: zai-coding-plan/glm-4.7
-          prompt: |
-            You are a review bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          # Get changed files list
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files" \
+            --jq '.[] | "- \(.filename) (\(.status)) +\(.additions)/-\(.deletions)"' \
+            > /tmp/pr-files.txt

-            ${{ steps.check-first-time.outputs.is_first_time == 'true' && 'This is a first-time contributor. Start your comment with: "Thanks for your first PR!"' || '' }}
+          # Get the actual diff
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER" \
+            --header "Accept: application/vnd.github.diff" \
+            > /tmp/pr-diff-full.txt 2>/dev/null || true
+          head -c 20000 /tmp/pr-diff-full.txt > /tmp/pr-diff.txt

-            Review this PR and post a single concise comment. Format:
+          # Get CONTRIBUTING.md and README.md for context
+          cat CONTRIBUTING.md > /tmp/contributing.txt 2>/dev/null || echo "Not found" > /tmp/contributing.txt
+          head -50 README.md > /tmp/readme.txt 2>/dev/null || echo "Not found" > /tmp/readme.txt

-            1. One sentence summarizing what this PR does.
-            2. **Action items** — only list things that actually need to be fixed or addressed. If the PR looks good, say so and skip this section.
+          # Read project guidelines (contains repo structure)
+          cp CLAUDE.md /tmp/repo-context.txt

-            Rules:
-            - Be brief. No filler, no praise padding.
-            - Focus on: bugs, security issues, missing edge cases, breaking changes.
-            - If the PR touches UI text or adds new strings, remind to update translation files in src/i18n/locales/.
-            - If the PR modifies Tauri commands, remind to check the unused-commands test.
-            - Do not nitpick style or formatting — the project has automated linting.
-            - Never exceed 8 lines total.
+          # Read full contents of all changed files (skip binary)
+          echo "" > /tmp/related-file-contents.txt
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files" --jq '.[].filename' | while IFS= read -r filepath; do
+            if [ -f "$filepath" ] && file --mime "$filepath" | grep -q "text/"; then
+              echo "=== $filepath (full file) ===" >> /tmp/related-file-contents.txt
+              cat "$filepath" >> /tmp/related-file-contents.txt
+              echo "" >> /tmp/related-file-contents.txt
+            fi
+          done
+          head -c 100000 /tmp/related-file-contents.txt > /tmp/pr-file-context.txt
+
+      - name: Analyze PR with AI
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_BASE: ${{ github.event.pull_request.base.ref }}
+          PR_HEAD: ${{ github.event.pull_request.head.ref }}
+          IS_FIRST_TIME: ${{ steps.check-first-time.outputs.is_first_time }}
+        run: |
+          GREETING=""
+          if [ "$IS_FIRST_TIME" = "true" ]; then
+            GREETING='This is a first-time contributor. Start your comment with: "Thanks for your first PR!"'
+          fi
+
+          printf '%s' "$PR_TITLE" > /tmp/pr-title.txt
+          printf '%s' "${PR_BODY:-}" > /tmp/pr-body.txt
+          printf '%s' "$PR_AUTHOR" > /tmp/pr-author.txt
+          printf '%s' "$PR_BASE" > /tmp/pr-base.txt
+          printf '%s' "$PR_HEAD" > /tmp/pr-head.txt
+          printf '%s' "$GREETING" > /tmp/greeting.txt
+
+          PAYLOAD=$(jq -n \
+            --rawfile title /tmp/pr-title.txt \
+            --rawfile body /tmp/pr-body.txt \
+            --rawfile author /tmp/pr-author.txt \
+            --rawfile base /tmp/pr-base.txt \
+            --rawfile head /tmp/pr-head.txt \
+            --rawfile files /tmp/pr-files.txt \
+            --rawfile diff /tmp/pr-diff.txt \
+            --rawfile greeting /tmp/greeting.txt \
+            --rawfile repo_context /tmp/repo-context.txt \
+            --rawfile contributing /tmp/contributing.txt \
+            --rawfile file_context /tmp/pr-file-context.txt \
+            '{
+              model: "anthropic/claude-opus-4.6",
+              messages: [
+                {
+                  role: "system",
+                  content: ("You are a code review bot for Donut Browser, an open-source anti-detect browser (Tauri desktop app: Rust backend + Next.js frontend).\n\nProject guidelines and structure:\n" + $repo_context + "\n\nContributing guidelines:\n" + $contributing + "\n\nYou have access to the full changed files and the diff. Use them to give a substantive review.\n\nReview this PR and produce a single comment. Format:\n\n1. One sentence summarizing what this PR does and whether the approach is sound.\n2. **Code review** - Specific observations about the actual code changes. Mention file names and what you see in the diff. Look for:\n   - Bugs or logic errors in the changed code\n   - Security issues (SQL injection, path traversal, XSS, command injection)\n   - Missing error handling or edge cases\n   - Breaking changes to existing APIs or behavior\n   - If UI text was added/changed, check if all 7 translation files (en, es, fr, ja, pt, ru, zh) in src/i18n/locales/ were updated\n   - If Tauri commands were added/removed, the unused-commands test in lib.rs needs updating\n3. **Suggestions** - Concrete improvements if any. Skip if the PR looks good.\n\nRules:\n- Be substantive. Review the actual diff, not just the description.\n- Do NOT nitpick formatting or style — the project has automated linting (biome + clippy + rustfmt).\n- Do NOT just summarize the PR description back to the user — they wrote it, they know what it says.\n- If the PR is good, say so briefly.\n- Never exceed 20 lines.")
+                },
+                {
+                  role: "user",
+                  content: (
+                    (if ($greeting | length) > 0 then $greeting + "\n\n" else "" end) +
+                    "Review this PR:\n\nTitle: " + $title +
+                    "\nAuthor: " + $author +
+                    "\nBase: " + $base + " <- Head: " + $head +
+                    "\n\nDescription:\n" + $body +
+                    "\n\nChanged files:\n" + $files +
+                    "\n\nDiff:\n" + $diff +
+                    "\n\nFull file contents:\n" + $file_context
+                  )
+                }
+              ]
+            }')
+
+          RESPONSE=$(curl -fsSL https://openrouter.ai/api/v1/chat/completions \
+            -H "Authorization: Bearer $OPENROUTER_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")
+
+          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/ai-comment.txt
+
+          if [ ! -s /tmp/ai-comment.txt ]; then
+            echo "::error::AI response was empty"
+            echo "Raw response:"
+            echo "$RESPONSE"
+            exit 1
+          fi
+
+      - name: Post comment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/ai-comment.txt

  opencode-command:
    if: |
+      github.repository == 'zhom/donutbrowser' &&
      (github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
      (contains(github.event.comment.body, ' /oc') ||
       startsWith(github.event.comment.body, '/oc') ||
@@ -124,11 +324,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Run opencode
-        uses: anomalyco/opencode/github@6c7d968c4423a0cd6c85099c9377a6066313fa0a #v1.2.20
+        uses: anomalyco/opencode/github@a35b8a95c27d28e979a3826e1289d7ee87f40251 #v1.4.11
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          model: zai-coding-plan/glm-4.7
@@ -34,10 +34,10 @@ jobs:
        run: git config --global core.autocrlf false

      - name: Checkout repository code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -41,10 +41,10 @@ jobs:
        run: git config --global core.autocrlf false

      - name: Checkout repository code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -67,7 +67,7 @@ jobs:
        if: matrix.os == 'ubuntu-22.04'
        run: |
          sudo apt-get update
-          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev openvpn

      - name: Install frontend dependencies
        run: pnpm install --frozen-lockfile
@@ -113,12 +113,8 @@ jobs:
        run: cargo clippy --all-targets --all-features -- -D warnings -D clippy::all
        working-directory: src-tauri

-      - name: Run Rust unit tests
-        run: cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration
-        working-directory: src-tauri
-
-      - name: Run Rust sync e2e tests
-        run: node scripts/sync-test-harness.mjs
+      - name: Run test suite
+        run: pnpm test

      - name: Run cargo audit security check
        run: cargo audit
@@ -46,7 +46,7 @@ jobs:
  scan-scheduled:
    name: Scheduled Security Scan
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -58,7 +58,7 @@ jobs:
  scan-pr:
    name: PR Security Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -29,7 +29,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -0,0 +1,221 @@
+name: Publish Linux Repos
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g. v0.18.1). Leave empty for latest."
+        required: false
+        type: string
+  workflow_run:
+    workflows: ["Release"]
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+jobs:
+  publish-repos:
+    if: >
+      github.repository == 'zhom/donutbrowser' &&
+      (github.event_name == 'workflow_dispatch' ||
+       github.event.workflow_run.conclusion == 'success')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine release tag
+        id: tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_TAG: ${{ inputs.tag }}
+        run: |
+          if [[ -n "${INPUT_TAG:-}" ]]; then
+            echo "tag=${INPUT_TAG}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            # The Release workflow is triggered by a tag push (v*),
+            # so head_branch is the tag name
+            echo "tag=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT"
+          else
+            TAG=$(gh release view --repo "${{ github.repository }}" --json tagName -q .tagName)
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure aws-cli for R2
+        # aws-cli v2.23+ sends integrity checksums by default; Cloudflare R2
+        # rejects those headers with `Unauthorized` on ListObjectsV2.
+        # Also normalise the endpoint URL (must start with https://).
+        # Both values propagate to later steps via $GITHUB_ENV.
+        env:
+          RAW_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
+        run: |
+          endpoint="$RAW_ENDPOINT"
+          if [[ "$endpoint" != https://* && "$endpoint" != http://* ]]; then
+            endpoint="https://$endpoint"
+          fi
+          echo "R2_ENDPOINT=$endpoint" >> "$GITHUB_ENV"
+          echo "AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+          echo "AWS_RESPONSE_CHECKSUM_VALIDATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y dpkg-dev createrepo-c python3-pip
+          # Remove pre-installed aws-cli v2 — it sends CRC64NVME checksums
+          # that Cloudflare R2 rejects with Unauthorized, and the s3transfer
+          # lib has a confirmed bug where WHEN_REQUIRED is silently ignored
+          # (boto/s3transfer#327). Install aws-cli v1 via pip instead.
+          sudo rm -f /usr/local/bin/aws /usr/local/bin/aws_completer
+          sudo rm -rf /usr/local/aws-cli
+          pip3 install --break-system-packages awscli
+          # Ensure pip-installed aws is on PATH (pip may install to ~/.local/bin)
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          aws --version
+
+      - name: Download packages from GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          mkdir -p /tmp/packages
+          gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
+            --pattern "*.deb" \
+            --dir /tmp/packages
+          gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
+            --pattern "*.rpm" \
+            --dir /tmp/packages
+          echo "Downloaded packages:"
+          ls -lh /tmp/packages/
+
+      - name: Build DEB repository
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          DEB_DIR="/tmp/repo/deb"
+          mkdir -p "$DEB_DIR/pool/main"
+          mkdir -p "$DEB_DIR/dists/stable/main/binary-amd64"
+          mkdir -p "$DEB_DIR/dists/stable/main/binary-arm64"
+
+          # Sync existing pool from R2 (incremental)
+          aws s3 sync "s3://${R2_BUCKET}/deb/pool" "$DEB_DIR/pool" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || true
+
+          # Copy new .deb files into pool
+          cp /tmp/packages/*.deb "$DEB_DIR/pool/main/" 2>/dev/null || true
+
+          # Generate Packages and Packages.gz for each arch
+          for arch in amd64 arm64; do
+            BINARY_DIR="$DEB_DIR/dists/stable/main/binary-${arch}"
+            (cd "$DEB_DIR" && dpkg-scanpackages --arch "$arch" pool/main) \
+              > "$BINARY_DIR/Packages"
+            gzip -9c "$BINARY_DIR/Packages" > "$BINARY_DIR/Packages.gz"
+            echo "  $arch: $(grep -c '^Package:' "$BINARY_DIR/Packages" 2>/dev/null || echo 0) package(s)"
+          done
+
+          # Generate Release file
+          {
+            echo "Origin: Donut Browser"
+            echo "Label: Donut Browser"
+            echo "Suite: stable"
+            echo "Codename: stable"
+            echo "Architectures: amd64 arm64"
+            echo "Components: main"
+            echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
+            echo "MD5Sum:"
+            for arch in amd64 arm64; do
+              for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+                filepath="$DEB_DIR/dists/stable/$file"
+                if [[ -f "$filepath" ]]; then
+                  size=$(wc -c < "$filepath")
+                  md5=$(md5sum "$filepath" | awk '{print $1}')
+                  printf " %s %8d %s\n" "$md5" "$size" "$file"
+                fi
+              done
+            done
+            echo "SHA256:"
+            for arch in amd64 arm64; do
+              for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+                filepath="$DEB_DIR/dists/stable/$file"
+                if [[ -f "$filepath" ]]; then
+                  size=$(wc -c < "$filepath")
+                  sha256=$(sha256sum "$filepath" | awk '{print $1}')
+                  printf " %s %8d %s\n" "$sha256" "$size" "$file"
+                fi
+              done
+            done
+          } > "$DEB_DIR/dists/stable/Release"
+
+          echo "DEB Release file created."
+
+      - name: Build RPM repository
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          RPM_DIR="/tmp/repo/rpm"
+          mkdir -p "$RPM_DIR/x86_64"
+          mkdir -p "$RPM_DIR/aarch64"
+
+          # Sync existing RPMs from R2 (incremental)
+          aws s3 sync "s3://${R2_BUCKET}/rpm/x86_64" "$RPM_DIR/x86_64" \
+            --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+          aws s3 sync "s3://${R2_BUCKET}/rpm/aarch64" "$RPM_DIR/aarch64" \
+            --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+
+          # Copy new .rpm files into arch directories
+          for rpm in /tmp/packages/*.rpm; do
+            [[ -f "$rpm" ]] || continue
+            filename=$(basename "$rpm")
+            if [[ "$filename" == *x86_64* ]]; then
+              cp "$rpm" "$RPM_DIR/x86_64/"
+            elif [[ "$filename" == *aarch64* ]]; then
+              cp "$rpm" "$RPM_DIR/aarch64/"
+            fi
+          done
+
+          # Generate repodata
+          createrepo_c --update "$RPM_DIR"
+          echo "RPM repodata created."
+
+      - name: Upload to R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          echo "Uploading DEB repository..."
+          aws s3 sync /tmp/repo/deb/dists "s3://${R2_BUCKET}/deb/dists" \
+            --endpoint-url "$R2_ENDPOINT" --delete
+          aws s3 sync /tmp/repo/deb/pool "s3://${R2_BUCKET}/deb/pool" \
+            --endpoint-url "$R2_ENDPOINT"
+
+          echo "Uploading RPM repository..."
+          aws s3 sync /tmp/repo/rpm "s3://${R2_BUCKET}/rpm" \
+            --endpoint-url "$R2_ENDPOINT"
+
+      - name: Verify upload
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+          TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          echo "Published repos for $TAG"
+          echo ""
+          echo "DEB dists/stable/:"
+          aws s3 ls "s3://${R2_BUCKET}/deb/dists/stable/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
+          echo "DEB pool/main/:"
+          aws s3 ls "s3://${R2_BUCKET}/deb/pool/main/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
+          echo "RPM repodata/:"
+          aws s3 ls "s3://${R2_BUCKET}/rpm/repodata/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
@@ -13,11 +13,11 @@ permissions:
 jobs:
  generate-release-notes:
    runs-on: ubuntu-latest
-    if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v')
+    if: github.repository == 'zhom/donutbrowser' && github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v')

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 0

@@ -18,8 +18,9 @@ env:

 jobs:
  security-scan:
+    if: github.repository == 'zhom/donutbrowser'
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -33,6 +34,7 @@ jobs:
      actions: read

  lint-js:
+    if: github.repository == 'zhom/donutbrowser'
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
@@ -40,6 +42,7 @@ jobs:
      contents: read

  lint-rust:
+    if: github.repository == 'zhom/donutbrowser'
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
@@ -47,6 +50,7 @@ jobs:
      contents: read

  codeql:
+    if: github.repository == 'zhom/donutbrowser'
    name: CodeQL
    uses: ./.github/workflows/codeql.yml
    secrets: inherit
@@ -57,6 +61,7 @@ jobs:
      actions: read

  spellcheck:
+    if: github.repository == 'zhom/donutbrowser'
    name: Spell Check
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
@@ -64,6 +69,7 @@ jobs:
      contents: read

  release:
+    if: github.repository == 'zhom/donutbrowser'
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
    permissions:
      contents: write
@@ -99,10 +105,10 @@ jobs:

    runs-on: ${{ matrix.platform }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -125,7 +131,7 @@ jobs:
          sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils

      - name: Rust cache
-        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
+        uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1
        with:
          workdir: ./src-tauri

@@ -133,6 +139,10 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Build frontend
+        # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded
+        # from secrets explicitly — they are NOT inherited from the job env.
+        env:
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        run: pnpm exec next build

      - name: Verify frontend dist exists
@@ -202,7 +212,7 @@ jobs:
          rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH

      - name: Build Tauri app
-        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REF_NAME: ${{ github.ref_name }}
@@ -210,6 +220,12 @@ jobs:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          # tauri-action invokes `pnpm tauri build`, which runs
+          # `beforeBuildCommand` from tauri.conf.json. That rebuilds the
+          # frontend in its own subprocess, so the env var MUST be forwarded
+          # here or the inner `next build` inlines an empty string and
+          # overwrites the dist the explicit "Build frontend" step produced.
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        with:
          projectPath: ./src-tauri
          tagName: ${{ github.ref_name }}
@@ -219,101 +235,389 @@ jobs:
          prerelease: false
          args: ${{ matrix.args }}

+      - name: Create portable Windows ZIP
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          PORTABLE_DIR="Donut-Portable"
+          mkdir -p "$PORTABLE_DIR"
+
+          # Copy main executable
+          cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe"
+
+          # Copy sidecar binaries
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/"
+
+          # Copy WebView2Loader if present
+          if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then
+            cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/"
+          fi
+
+          # Create .portable marker
+          touch "$PORTABLE_DIR/.portable"
+
+          # Create ZIP
+          7z a "Donut_${VERSION}_x64-portable.zip" "$PORTABLE_DIR"
+
+      - name: Upload portable ZIP to release
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          gh release upload "$TAG" "Donut_${VERSION}_x64-portable.zip" --clobber
+
      - name: Clean up Apple certificate
        if: matrix.platform == 'macos-latest' && always()
        run: |
          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
          rm -f $RUNNER_TEMP/build_certificate.p12 || true

-#      - name: Commit CHANGELOG.md
-#        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 #v6.0.1
-#        with:
-#          branch: main
-#          commit_message: "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]"
-
-  publish-repos:
+  changelog:
+    if: github.repository == 'zhom/donutbrowser'
    needs: [release]
    runs-on: ubuntu-latest
    permissions:
-      contents: read
+      contents: write
+      pull-requests: write
    steps:
-      - name: Download Linux packages from release
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Generate changelog
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          PREV_TAG=$(git tag --sort=-version:refname \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | grep -v "^${TAG}$" \
+            | head -n 1)
+
+          if [ -z "$PREV_TAG" ]; then
+            PREV_TAG=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          echo "Generating changelog: ${PREV_TAG}..${TAG}"
+
+          features=""
+          fixes=""
+          refactors=""
+          perf=""
+          docs=""
+          maintenance=""
+          other=""
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)
+                features="${features}- $(strip_prefix "$msg")"$'\n' ;;
+              fix\(*\):*|fix:*)
+                fixes="${fixes}- $(strip_prefix "$msg")"$'\n' ;;
+              refactor\(*\):*|refactor:*)
+                refactors="${refactors}- $(strip_prefix "$msg")"$'\n' ;;
+              perf\(*\):*|perf:*)
+                perf="${perf}- $(strip_prefix "$msg")"$'\n' ;;
+              docs\(*\):*|docs:*)
+                docs="${docs}- $(strip_prefix "$msg")"$'\n' ;;
+              build*|ci*|chore*|test*)
+                maintenance="${maintenance}- ${msg}"$'\n' ;;
+              *)
+                other="${other}- ${msg}"$'\n' ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges)
+
+          {
+            echo "## ${TAG} ($(date -u +%Y-%m-%d))"
+            echo ""
+            [ -n "$features" ]    && printf "### Features\n\n%s\n" "$features"
+            [ -n "$fixes" ]       && printf "### Bug Fixes\n\n%s\n" "$fixes"
+            [ -n "$refactors" ]   && printf "### Refactoring\n\n%s\n" "$refactors"
+            [ -n "$perf" ]        && printf "### Performance\n\n%s\n" "$perf"
+            [ -n "$docs" ]        && printf "### Documentation\n\n%s\n" "$docs"
+            [ -n "$maintenance" ] && printf "### Maintenance\n\n%s\n" "$maintenance"
+            [ -n "$other" ]       && printf "### Other\n\n%s\n" "$other"
+          } > /tmp/release-changelog.md
+
+          echo "Generated changelog:"
+          cat /tmp/release-changelog.md
+
+      - name: Update CHANGELOG.md
+        run: |
+          if [ -f CHANGELOG.md ]; then
+            # Insert new entry after the "# Changelog" header (first 2 lines)
+            {
+              head -n 2 CHANGELOG.md
+              echo ""
+              cat /tmp/release-changelog.md
+              tail -n +3 CHANGELOG.md
+            } > CHANGELOG.tmp
+            mv CHANGELOG.tmp CHANGELOG.md
+          else
+            {
+              echo "# Changelog"
+              echo ""
+              cat /tmp/release-changelog.md
+            } > CHANGELOG.md
+          fi
+
+      - name: Update README download links
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          BASE="https://github.com/zhom/donutbrowser/releases/download/${TAG}"
+
+          # Generate the new install section between markers
+          cat > /tmp/install-links.md << LINKS
+          ### macOS
+
+          | | Apple Silicon | Intel |
+          |---|---|---|
+          | **DMG** | [Download](${BASE}/Donut_${VERSION}_aarch64.dmg) | [Download](${BASE}/Donut_${VERSION}_x64.dmg) |
+
+          Or install via Homebrew:
+
+          \`\`\`bash
+          brew install --cask donut
+          \`\`\`
+
+          ### Windows
+
+          [Download Windows Installer (x64)](${BASE}/Donut_${VERSION}_x64-setup.exe) · [Portable (x64)](${BASE}/Donut_${VERSION}_x64-portable.zip)
+
+          ### Linux
+
+          | Format | x86_64 | ARM64 |
+          |---|---|---|
+          | **deb** | [Download](${BASE}/Donut_${VERSION}_amd64.deb) | [Download](${BASE}/Donut_${VERSION}_arm64.deb) |
+          | **rpm** | [Download](${BASE}/Donut-${VERSION}-1.x86_64.rpm) | [Download](${BASE}/Donut-${VERSION}-1.aarch64.rpm) |
+          | **AppImage** | [Download](${BASE}/Donut_${VERSION}_amd64.AppImage) | [Download](${BASE}/Donut_${VERSION}_aarch64.AppImage) |
+          LINKS
+
+          # Strip leading whitespace from heredoc
+          sed -i 's/^          //' /tmp/install-links.md
+
+          # Replace content between markers in README
+          sed -i '/<!-- install-links-start -->/,/<!-- install-links-end -->/{
+            /<!-- install-links-start -->/{
+              p
+              r /tmp/install-links.md
+            }
+            /<!-- install-links-end -->/!d
+          }' README.md
+
+      - name: Create release docs PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          BRANCH="docs/release-${VERSION}"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
+          git add CHANGELOG.md README.md
+          if git diff --cached --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "docs: update CHANGELOG.md and README.md for ${TAG} [skip ci]"
+            git push origin "$BRANCH"
+            gh pr create \
+              --title "docs: release notes for ${TAG}" \
+              --body "Automated update of CHANGELOG.md and README.md download links for ${TAG}." \
+              --base main \
+              --head "$BRANCH"
+            gh pr merge "$BRANCH" --squash --admin
+          fi
+
+      - name: Update release notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          gh release edit "$TAG" --notes-file /tmp/release-changelog.md
+
+  notify-discord:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release, changelog]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Generate changelog summary
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          PREV_TAG=$(git tag --sort=-version:refname \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | grep -v "^${TAG}$" \
+            | head -n 1)
+          if [ -z "$PREV_TAG" ]; then
+            PREV_TAG=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          CHANGES=""
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)   CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              fix\(*\):*|fix:*)     CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              refactor\(*\):*|refactor:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              perf\(*\):*|perf:*)   CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges)
+
+          # Truncate to fit Discord embed (max 4096 chars)
+          if [ ${#CHANGES} -gt 3900 ]; then
+            CHANGES="${CHANGES:0:3900}\n..."
+          fi
+
+          if [ -z "$CHANGES" ]; then
+            CHANGES="See the full changelog on GitHub."
+          fi
+
+          printf '%b' "$CHANGES" > /tmp/discord-changes.txt
+
+      - name: Send Discord notification
+        env:
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_STABLE_WEBHOOK_URL }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG}"
+          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${VERSION}"
+          CHANGES=$(cat /tmp/discord-changes.txt)
+
+          # Build JSON with jq to handle escaping
+          PAYLOAD=$(jq -n \
+            --arg title "Donut Browser ${VERSION} Released" \
+            --arg url "$RELEASE_URL" \
+            --arg changes "$CHANGES" \
+            --arg dl_mac_arm "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_aarch64.dmg" \
+            --arg dl_mac_intel "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64.dmg" \
+            --arg dl_win "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64-setup.exe" \
+            --arg dl_linux "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_amd64.AppImage" \
+            '{
+              embeds: [{
+                title: $title,
+                url: $url,
+                description: $changes,
+                color: 5814783,
+                fields: [
+                  { name: "Download", value: ("[macOS (Apple Silicon)](" + $dl_mac_arm + ") · [macOS (Intel)](" + $dl_mac_intel + ")\n[Windows x64](" + $dl_win + ") · [Linux x64](" + $dl_linux + ")"), inline: false }
+                ],
+                footer: { text: "donutbrowser.com" }
+              }]
+            }')
+
+          curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
+
+  deploy-website:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Cloudflare Pages deployment
+        run: curl -fsSL -X POST "${{ secrets.CLOUDFLARE_WEB_DEPLOYMENT_HOOK }}"
+
+  docker:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release]
+    uses: ./.github/workflows/docker-sync.yml
+    with:
+      tag: ${{ github.ref_name }}
+    secrets: inherit
+
+  update-flake:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release, changelog]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          ref: main
+
+      - name: Compute AppImage hashes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+
+          AMD64_URL="https://github.com/zhom/donutbrowser/releases/download/${TAG}/Donut_${VERSION}_amd64.AppImage"
+          AARCH64_URL="https://github.com/zhom/donutbrowser/releases/download/${TAG}/Donut_${VERSION}_aarch64.AppImage"
+
+          echo "Downloading x86_64 AppImage..."
+          curl -fsSL -o /tmp/amd64.AppImage "$AMD64_URL" || { echo "x86_64 AppImage not found"; exit 1; }
+
+          echo "Downloading aarch64 AppImage..."
+          curl -fsSL -o /tmp/aarch64.AppImage "$AARCH64_URL" || { echo "aarch64 AppImage not found"; exit 1; }
+
+          # Compute SRI hashes (sha256-<base64>)
+          AMD64_HASH="sha256-$(sha256sum /tmp/amd64.AppImage | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')"
+          AARCH64_HASH="sha256-$(sha256sum /tmp/aarch64.AppImage | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')"
+
+          echo "AMD64_HASH=${AMD64_HASH}" >> "$GITHUB_ENV"
+          echo "AARCH64_HASH=${AARCH64_HASH}" >> "$GITHUB_ENV"
+          echo "AMD64_URL=${AMD64_URL}" >> "$GITHUB_ENV"
+          echo "AARCH64_URL=${AARCH64_URL}" >> "$GITHUB_ENV"
+
+          echo "x86_64 hash: ${AMD64_HASH}"
+          echo "aarch64 hash: ${AARCH64_HASH}"
+
+      - name: Update flake.nix
+        run: |
+          # Update releaseVersion
+          sed -i "s/releaseVersion = \"[^\"]*\"/releaseVersion = \"${VERSION}\"/" flake.nix
+
+          # Update x86_64 URL and hash
+          sed -i "s|url = \"https://github.com/zhom/donutbrowser/releases/download/v[^\"]*_amd64.AppImage\"|url = \"${AMD64_URL}\"|" flake.nix
+          sed -i "/amd64.AppImage/{ n; s|hash = \"[^\"]*\"|hash = \"${AMD64_HASH}\"|; }" flake.nix
+
+          # Update aarch64 URL and hash
+          sed -i "s|url = \"https://github.com/zhom/donutbrowser/releases/download/v[^\"]*_aarch64.AppImage\"|url = \"${AARCH64_URL}\"|" flake.nix
+          sed -i "/aarch64.AppImage/{ n; s|hash = \"[^\"]*\"|hash = \"${AARCH64_HASH}\"|; }" flake.nix
+
+          echo "Updated flake.nix:"
+          grep -n "releaseVersion\|AppImage\|hash = " flake.nix
+
+      - name: Create pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          mkdir -p /tmp/packages
-          gh release download "$GITHUB_REF_NAME" \
-            --repo "$GITHUB_REPOSITORY" \
-            --pattern "*.deb" \
-            --dir /tmp/packages
-          gh release download "$GITHUB_REF_NAME" \
-            --repo "$GITHUB_REPOSITORY" \
-            --pattern "*.rpm" \
-            --dir /tmp/packages
-          echo "Downloaded packages:"
-          ls -la /tmp/packages/
-
-      - name: Setup Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
-        with:
-          go-version: "1.23"
-          cache: false
-
-      - name: Install repogen
-        run: |
-          go install github.com/ralt/repogen/cmd/repogen@latest
-          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
-
-      - name: Configure AWS CLI for Cloudflare R2
-        run: |
-          aws configure set aws_access_key_id "${{ secrets.R2_ACCESS_KEY_ID }}"
-          aws configure set aws_secret_access_key "${{ secrets.R2_SECRET_ACCESS_KEY }}"
-          aws configure set default.region auto
-
-      - name: Sync existing repo metadata from R2
-        env:
-          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
-          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
-        run: |
-          mkdir -p /tmp/repo
-          aws s3 sync "s3://${R2_BUCKET}/dists" /tmp/repo/dists \
-            --endpoint-url "${R2_ENDPOINT}" --delete 2>/dev/null || true
-          aws s3 sync "s3://${R2_BUCKET}/repodata" /tmp/repo/repodata \
-            --endpoint-url "${R2_ENDPOINT}" --delete 2>/dev/null || true
-
-      - name: Generate repository with repogen
-        run: |
-          repogen generate \
-            --input-dir /tmp/packages \
-            --output-dir /tmp/repo \
-            --incremental \
-            --arch amd64,arm64 \
-            --origin "Donut Browser" \
-            --label "Donut Browser" \
-            --codename stable \
-            --components main \
-            --verbose
-
-      - name: Upload repository to R2
-        env:
-          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
-          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
-        run: |
-          aws s3 sync /tmp/repo/dists "s3://${R2_BUCKET}/dists" \
-            --endpoint-url "${R2_ENDPOINT}" --delete
-          aws s3 sync /tmp/repo/pool "s3://${R2_BUCKET}/pool" \
-            --endpoint-url "${R2_ENDPOINT}"
-          aws s3 sync /tmp/repo/repodata "s3://${R2_BUCKET}/repodata" \
-            --endpoint-url "${R2_ENDPOINT}" --delete
-          aws s3 sync /tmp/repo/Packages "s3://${R2_BUCKET}/Packages" \
-            --endpoint-url "${R2_ENDPOINT}"
-
-      - name: Verify upload
-        env:
-          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
-          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
-        run: |
-          echo "DEB repo:"
-          aws s3 ls "s3://${R2_BUCKET}/dists/stable/" --endpoint-url "${R2_ENDPOINT}"
-          echo "RPM repo:"
-          aws s3 ls "s3://${R2_BUCKET}/repodata/" --endpoint-url "${R2_ENDPOINT}"
+          BRANCH="chore/update-flake-${VERSION}"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
+          git add flake.nix
+          if git diff --cached --quiet; then
+            echo "No flake changes needed"
+            exit 0
+          fi
+          git commit -m "chore: update flake.nix for v${VERSION} [skip ci]"
+          git push origin "$BRANCH"
+          gh pr create \
+            --title "chore: update flake.nix for v${VERSION}" \
+            --body "Automated update of flake.nix with new AppImage hashes for v${VERSION}." \
+            --base main \
+            --head "$BRANCH"
+          gh pr merge "$BRANCH" --squash --admin
@@ -17,8 +17,9 @@ env:

 jobs:
  security-scan:
+    if: github.repository == 'zhom/donutbrowser'
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -32,6 +33,7 @@ jobs:
      actions: read

  lint-js:
+    if: github.repository == 'zhom/donutbrowser'
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
@@ -39,6 +41,7 @@ jobs:
      contents: read

  lint-rust:
+    if: github.repository == 'zhom/donutbrowser'
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
@@ -46,6 +49,7 @@ jobs:
      contents: read

  codeql:
+    if: github.repository == 'zhom/donutbrowser'
    name: CodeQL
    uses: ./.github/workflows/codeql.yml
    secrets: inherit
@@ -56,6 +60,7 @@ jobs:
      actions: read

  spellcheck:
+    if: github.repository == 'zhom/donutbrowser'
    name: Spell Check
    uses: ./.github/workflows/spellcheck.yml
    secrets: inherit
@@ -63,6 +68,7 @@ jobs:
      contents: read

  rolling-release:
+    if: github.repository == 'zhom/donutbrowser'
    needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
    permissions:
      contents: write
@@ -98,10 +104,10 @@ jobs:

    runs-on: ${{ matrix.platform }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -124,7 +130,7 @@ jobs:
          sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev libxdo-dev pkg-config xdg-utils

      - name: Rust cache
-        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
+        uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1
        with:
          workdir: ./src-tauri

@@ -132,6 +138,10 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Build frontend
+        # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded
+        # from secrets explicitly — they are NOT inherited from the job env.
+        env:
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        run: pnpm exec next build

      - name: Verify frontend dist exists
@@ -210,7 +220,7 @@ jobs:
          echo "Generated timestamp: ${TIMESTAMP}-${COMMIT_HASH}"

      - name: Build Tauri app
-        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -220,6 +230,9 @@ jobs:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          # tauri-action's inner `pnpm tauri build` re-runs beforeBuildCommand
+          # which rebuilds dist/ in a subprocess. The env var must be here too.
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        with:
          projectPath: ./src-tauri
          tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -229,6 +242,34 @@ jobs:
          prerelease: true
          args: ${{ matrix.args }}

+      - name: Create portable Windows ZIP
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        run: |
+          PORTABLE_DIR="Donut-Portable"
+          mkdir -p "$PORTABLE_DIR"
+
+          cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/"
+
+          if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then
+            cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/"
+          fi
+
+          touch "$PORTABLE_DIR/.portable"
+
+          7z a "Donut_x64-portable.zip" "$PORTABLE_DIR"
+
+      - name: Upload portable ZIP to release
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NIGHTLY_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
+        run: |
+          gh release upload "$NIGHTLY_TAG" "Donut_x64-portable.zip" --clobber
+
      - name: Clean up Apple certificate
        if: matrix.platform == 'macos-latest' && always()
        run: |
@@ -236,12 +277,13 @@ jobs:
          rm -f $RUNNER_TEMP/build_certificate.p12 || true

  update-nightly-release:
+    if: github.repository == 'zhom/donutbrowser'
    needs: [rolling-release]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Generate nightly tag
        id: tag
@@ -250,6 +292,57 @@ jobs:
          COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7)
          echo "nightly_tag=nightly-${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT

+      - name: Generate nightly changelog
+        id: nightly-changelog
+        run: |
+          LAST_STABLE=$(git tag --sort=-version:refname \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+\$" \
+            | head -n 1)
+
+          if [ -z "$LAST_STABLE" ]; then
+            LAST_STABLE=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          COMMIT_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          {
+            echo "**Nightly build from main branch**"
+            echo ""
+            echo "Commit: ${GITHUB_SHA}"
+            echo "Changes since ${LAST_STABLE}:"
+            echo ""
+          } > /tmp/nightly-notes.md
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          features=""
+          fixes=""
+          refactors=""
+          other=""
+
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)
+                features="${features}- $(strip_prefix "$msg")"$'\n' ;;
+              fix\(*\):*|fix:*)
+                fixes="${fixes}- $(strip_prefix "$msg")"$'\n' ;;
+              refactor\(*\):*|refactor:*)
+                refactors="${refactors}- $(strip_prefix "$msg")"$'\n' ;;
+              build*|ci*|chore*|test*|docs*|perf*)
+                ;; # skip maintenance commits from nightly notes
+              *)
+                other="${other}- ${msg}"$'\n' ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${LAST_STABLE}..HEAD" --no-merges)
+
+          {
+            [ -n "$features" ]  && printf "### Features\n\n%s\n" "$features"
+            [ -n "$fixes" ]     && printf "### Bug Fixes\n\n%s\n" "$fixes"
+            [ -n "$refactors" ] && printf "### Refactoring\n\n%s\n" "$refactors"
+            [ -n "$other" ]     && printf "### Other\n\n%s\n" "$other"
+            true
+          } >> /tmp/nightly-notes.md
+
      - name: Update rolling nightly release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -284,5 +377,46 @@ jobs:
            "$ASSETS_DIR"/Donut_aarch64.app.tar.gz \
            "$ASSETS_DIR"/Donut_x64.app.tar.gz \
            --title "Donut Browser Nightly" \
-            --notes "Automatically updated nightly build from the latest main branch.\n\nCommit: ${GITHUB_SHA}" \
+            --notes-file /tmp/nightly-notes.md \
            --prerelease
+
+  deploy-website:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [update-nightly-release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Cloudflare Pages deployment
+        run: curl -fsSL -X POST "${{ secrets.CLOUDFLARE_WEB_DEPLOYMENT_HOOK }}"
+
+  notify-discord:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [update-nightly-release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Discord notification
+        env:
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_NIGHTLY_WEBHOOK_URL }}
+        run: |
+          COMMIT_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/nightly"
+          COMMIT_URL="https://github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"
+
+          PAYLOAD=$(jq -n \
+            --arg title "Donut Browser Nightly (${COMMIT_SHORT})" \
+            --arg url "$RELEASE_URL" \
+            --arg commit_url "$COMMIT_URL" \
+            --arg commit_short "$COMMIT_SHORT" \
+            '{
+              embeds: [{
+                title: $title,
+                url: $url,
+                color: 16752128,
+                fields: [
+                  { name: "Commit", value: ("[" + $commit_short + "](" + $commit_url + ")"), inline: true },
+                  { name: "Download", value: ("[Nightly Release](" + $url + ")"), inline: true }
+                ],
+                footer: { text: "donutbrowser.com" }
+              }]
+            }')
+
+          curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
@@ -21,6 +21,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions Repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Spell Check Repo
-        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d #v1.44.0
+        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 #v1.45.1
@@ -6,6 +6,7 @@ on:

 jobs:
  stale:
+    if: github.repository == 'zhom/donutbrowser'
    runs-on: ubuntu-latest
    permissions:
      issues: write
@@ -15,7 +16,9 @@ jobs:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: "This issue has been inactive for 60 days. Please respond to keep it open."
-          stale-pr-message: "This pull request has been inactive for 60 days. Please respond to keep it open."
+          stale-issue-message: "This issue has been inactive for 30 days. Please respond to keep it open."
+          stale-pr-message: "This pull request has been inactive for 30 days. Please respond to keep it open."
          stale-issue-label: "stale"
          stale-pr-label: "stale"
+          days-before-stale: 30
+          days-before-close: 7
@@ -32,10 +32,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2

      - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -51,7 +51,7 @@ jobs:
          toolchain: stable

      - name: Cache Rust dependencies
-        uses: swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 #v2.8.2
+        uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 #v2.9.1
        with:
          workspaces: "src-tauri"

@@ -73,7 +73,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2

      - name: Start MinIO
        run: |
@@ -85,7 +85,7 @@ jobs:

          # Wait for MinIO to be ready
          for i in {1..30}; do
-            if curl -sf http://localhost:8987/minio/health/live; then
+            if curl -sf http://127.0.0.1:8987/minio/health/live; then
              echo "MinIO is ready"
              break
            fi
@@ -94,7 +94,7 @@ jobs:
          done

      - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 #v4.2.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -111,7 +111,7 @@ jobs:
        working-directory: donut-sync
        env:
          SYNC_TOKEN: test-sync-token
-          S3_ENDPOINT: http://localhost:8987
+          S3_ENDPOINT: http://127.0.0.1:8987
          S3_ACCESS_KEY_ID: minioadmin
          S3_SECRET_ACCESS_KEY: minioadmin
          S3_BUCKET: donut-sync-test
@@ -58,4 +58,4 @@ nodecar/nodecar-bin
 .env

 # next
-next-env.d.ts
+**/next-env.d.ts
@@ -0,0 +1,10 @@
+# Prevent pushing the 'nightly' tag — it is managed by CI
+if git rev-parse nightly >/dev/null 2>&1; then
+  LOCAL_NIGHTLY=$(git rev-parse nightly)
+  REMOTE_NIGHTLY=$(git ls-remote --tags origin refs/tags/nightly 2>/dev/null | awk '{print $1}')
+  if [ -n "$REMOTE_NIGHTLY" ] && [ "$LOCAL_NIGHTLY" != "$REMOTE_NIGHTLY" ]; then
+    echo "⚠ Skipping push of 'nightly' tag (managed by CI)"
+    # Delete the local nightly tag so --tags won't try to push it
+    git tag -d nightly >/dev/null 2>&1 || true
+  fi
+fi
@@ -10,11 +10,15 @@
    "appindicator",
    "applescript",
    "asyncio",
+    "autocheckpoint",
    "autoconfig",
    "autologin",
+    "bintools",
    "biomejs",
+    "boringtun",
    "breezedark",
    "browserforge",
+    "Buildx",
    "busctl",
    "CAMOU",
    "camoufox",
@@ -33,6 +37,7 @@
    "codesign",
    "codesigning",
    "commitish",
+    "coreutils",
    "Crashpad",
    "CTYPE",
    "daijro",
@@ -40,49 +45,68 @@
    "datareporting",
    "datas",
    "DBAPI",
+    "dbus",
    "dconf",
    "debuginfo",
+    "desynced",
    "devedition",
    "direnv",
+    "diskutil",
    "distro",
    "dists",
    "DMABUF",
+    "DOCKERHUB",
    "doctest",
    "doesn",
    "domcontentloaded",
+    "dont",
    "donutbrowser",
    "doorhanger",
    "dpkg",
    "dtolnay",
    "dyld",
    "elif",
+    "erasevolume",
    "errorlevel",
    "esac",
    "esbuild",
    "etree",
+    "fetchurl",
+    "findutils",
    "firstrun",
    "flate",
+    "fontconfig",
+    "freetype",
+    "fribidi",
    "frontmost",
+    "fsprogs",
    "geoip",
    "getcwd",
    "gettimezone",
    "gifs",
    "globset",
+    "gnugrep",
+    "gnumake",
+    "gnused",
    "GOPATH",
    "gsettings",
+    "harfbuzz",
    "healthreport",
    "hiddenimports",
    "hkcu",
    "hooksconfig",
    "hookspath",
+    "hostable",
    "Hoverable",
    "icns",
    "idlelib",
    "idletime",
    "idna",
+    "imdisk",
    "infobars",
    "inkey",
    "Inno",
+    "isps",
    "kdeglobals",
    "keras",
    "KHTML",
@@ -92,18 +116,39 @@
    "langpack",
    "launchservices",
    "letterboxing",
+    "leveldb",
    "libappindicator",
    "libatk",
    "libayatana",
    "libc",
    "libcairo",
+    "libdrm",
    "libfuse",
+    "libgbm",
    "libgdk",
    "libglib",
+    "libglvnd",
+    "libgpg",
    "libpango",
    "librsvg",
+    "libsoup",
    "libwebkit",
+    "libx",
+    "libxcb",
+    "libxcomposite",
+    "libxcursor",
+    "libxdamage",
    "libxdo",
+    "libxext",
+    "libxfixes",
+    "libxi",
+    "libxinerama",
+    "libxkbcommon",
+    "libxrandr",
+    "libxrender",
+    "libxscrnsaver",
+    "libxshmfence",
+    "libxtst",
    "localtime",
    "lpdw",
    "lxml",
@@ -111,6 +156,7 @@
    "macchiato",
    "Matchalk",
    "maxminddb",
+    "minidumps",
    "minioadmin",
    "mmdb",
    "mountpoint",
@@ -120,24 +166,33 @@
    "msys",
    "muda",
    "mypy",
+    "nixos",
+    "nixpkgs",
    "noarchive",
    "nobrowse",
    "noconfirm",
    "nodecar",
    "NODELAY",
    "nodemon",
+    "nomount",
    "norestart",
    "NSIS",
+    "nspr",
+    "ntfs",
    "ntlm",
    "numpy",
+    "numtide",
    "objc",
+    "oneshot",
    "opencode",
+    "OPENROUTER",
    "orhun",
    "orjson",
    "osascript",
    "oscpu",
    "outpath",
    "OVPN",
+    "pango",
    "passout",
    "patchelf",
    "pathex",
@@ -145,12 +200,16 @@
    "peerconnection",
    "PHANDLER",
    "pids",
+    "pipefail",
    "pixbuf",
    "pkexec",
+    "pkgs",
    "pkill",
    "plasmohq",
    "platformdirs",
+    "pname",
    "prefs",
+    "presign",
    "PRIO",
    "propertylist",
    "psutil",
@@ -163,15 +222,22 @@
    "pyyaml",
    "quic",
    "ralt",
+    "ramdisk",
+    "rawfile",
    "repodata",
    "repogen",
    "reportingpolicy",
    "reqwest",
+    "resvg",
    "ridedott",
    "rlib",
+    "rsplit",
+    "rusqlite",
    "rustc",
    "rwxr",
+    "safebrowsing",
    "SARIF",
+    "sarifv",
    "scipy",
    "screeninfo",
    "selectables",
@@ -188,11 +254,13 @@
    "signon",
    "signum",
    "sklearn",
+    "smoltcp",
    "SMTO",
    "sonner",
    "splitn",
    "sspi",
    "staticlib",
+    "stdenv",
    "stefanzweifel",
    "subdirs",
    "subkey",
@@ -208,14 +276,19 @@
    "TERX",
    "testpass",
    "testuser",
+    "thiserror",
    "timedatectl",
    "titlebar",
    "tkinter",
+    "tmpfs",
+    "tombstoned",
    "tqdm",
    "trackingprotection",
    "trailhead",
+    "tungstenite",
    "turbopack",
    "turtledemo",
+    "typer",
    "udeps",
    "unlisten",
    "unminimize",
@@ -1,9 +1,109 @@
-# Instructions for AI Agents
+# Project Guidelines

- After your changes, instead of running specific tests or linting specific files, run "pnpm format && pnpm lint && pnpm test". It means that you first format the code, then lint it, then test it, so that no part is broken after your changes.
- Don't leave comments that don't add value.
- Do not duplicate code unless you have a very good reason to do so. It is important that the same logic is not duplicated multiple times.
- Before finishing the task and showing summary, always run "pnpm format && pnpm lint && pnpm test" at the root of the project to ensure that you don't finish with broken application.
- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless I have explicitly specified in the request otherwise.
- If you are modifying the UI, do not add random colors that are not controlled by src/lib/themes.ts file.
+> **NOTE**: CLAUDE.md is a symlink to AGENTS.md — editing either file updates both.
+> After significant changes (new modules, renamed files, new directories), re-evaluate the Repository Structure below and update it if needed.
+
+## Repository Structure
+
+```
+donutbrowser/
+├── src/                              # Next.js frontend
+│   ├── app/                          # App router (page.tsx, layout.tsx)
+│   ├── components/                   # 50+ React components (dialogs, tables, UI)
+│   ├── hooks/                        # Event-driven React hooks
+│   ├── i18n/locales/                 # Translations (en, es, fr, ja, pt, ru, zh)
+│   ├── lib/                          # Utilities (themes, toast, browser-utils)
+│   └── types.ts                      # Shared TypeScript interfaces
+├── src-tauri/                        # Rust backend (Tauri)
+│   ├── src/
+│   │   ├── lib.rs                    # Tauri command registration (100+ commands)
+│   │   ├── browser_runner.rs         # Profile launch/kill orchestration
+│   │   ├── browser.rs               # Browser trait & launch logic
+│   │   ├── profile/                  # Profile CRUD (manager.rs, types.rs)
+│   │   ├── proxy_manager.rs         # Proxy lifecycle & connection testing
+│   │   ├── proxy_server.rs          # Local proxy binary (donut-proxy)
+│   │   ├── proxy_storage.rs         # Proxy config persistence (JSON files)
+│   │   ├── api_server.rs            # REST API (utoipa + axum)
+│   │   ├── mcp_server.rs            # MCP protocol server
+│   │   ├── sync/                    # Cloud sync (engine, encryption, manifest, scheduler)
+│   │   ├── vpn/                     # WireGuard & OpenVPN tunnels
+│   │   ├── camoufox/                # Camoufox fingerprint engine (Bayesian network)
+│   │   ├── wayfern_manager.rs       # Wayfern (Chromium) browser management
+│   │   ├── camoufox_manager.rs      # Camoufox (Firefox) browser management
+│   │   ├── downloader.rs           # Browser binary downloader
+│   │   ├── extraction.rs           # Archive extraction (zip, tar, dmg, msi)
+│   │   ├── settings_manager.rs     # App settings persistence
+│   │   ├── cookie_manager.rs       # Cookie import/export
+│   │   ├── extension_manager.rs    # Browser extension management
+│   │   ├── group_manager.rs        # Profile group management
+│   │   ├── synchronizer.rs         # Real-time profile synchronizer
+│   │   ├── daemon/                 # Background daemon + tray icon (currently disabled)
+│   │   └── cloud_auth.rs           # Cloud authentication
+│   ├── tests/                      # Integration tests
+│   └── Cargo.toml                  # Rust dependencies
+├── donut-sync/                     # NestJS sync server (self-hostable)
+│   └── src/                        # Controllers, services, auth, S3 sync
+├── docs/                           # Documentation (self-hosting guide)
+├── flake.nix                       # Nix development environment
+└── .github/workflows/              # CI/CD pipelines
+```
+
+## Testing and Quality
+
+- After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
+- Always run this command before finishing a task to ensure the application isn't broken
+- `pnpm lint` includes spellcheck via [typos](https://github.com/crate-ci/typos). False positives can be allowlisted in `_typos.toml`
+
+## Code Quality
+
+- Don't leave comments that don't add value
+- Don't duplicate code unless there's a very good reason; keep the same logic in one place
 - Anytime you make changes that affect copy or add new text, it has to be reflected in all translation files
+
+## Singletons
+
+- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless explicitly specified otherwise
+
+## UI Theming
+
+- Never use hardcoded Tailwind color classes (e.g., `text-red-500`, `bg-green-600`, `border-yellow-400`). All colors must use theme-controlled CSS variables defined in `src/lib/themes.ts`
+- Available semantic color classes:
+  - `background`, `foreground` — page/container background and text
+  - `card`, `card-foreground` — card surfaces
+  - `popover`, `popover-foreground` — dropdown/popover surfaces
+  - `primary`, `primary-foreground` — primary actions
+  - `secondary`, `secondary-foreground` — secondary actions
+  - `muted`, `muted-foreground` — muted/disabled elements
+  - `accent`, `accent-foreground` — accent highlights
+  - `destructive`, `destructive-foreground` — errors, danger, delete actions
+  - `success`, `success-foreground` — success states, valid indicators
+  - `warning`, `warning-foreground` — warnings, caution messages
+  - `border` — borders
+  - `chart-1` through `chart-5` — data visualization
+- Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
+- For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`
+
+## Publishing Linux Repositories
+
+The `scripts/publish-repo.sh` script publishes DEB and RPM packages to Cloudflare R2 (served at `repo.donutbrowser.com`). It requires Linux tools, so run it in Docker on macOS:
+
+```bash
+docker run --rm -v "$(pwd):/work" -w /work --env-file .env -e GH_TOKEN="$(gh auth token)" \
+  ubuntu:24.04 bash -c '
+    export DEBIAN_FRONTEND=noninteractive &&
+    apt-get update -qq > /dev/null 2>&1 &&
+    apt-get install -y -qq dpkg-dev createrepo-c gzip curl python3-pip > /dev/null 2>&1 &&
+    pip3 install --break-system-packages awscli > /dev/null 2>&1 &&
+    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg 2>/dev/null &&
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list &&
+    apt-get update -qq > /dev/null 2>&1 && apt-get install -y -qq gh > /dev/null 2>&1 &&
+    bash scripts/publish-repo.sh v0.18.1'
+```
+
+The `.github/workflows/publish-repos.yml` workflow runs automatically after stable releases and can also be triggered manually via `gh workflow run publish-repos.yml -f tag=v0.18.1`.
+
+Required env vars / secrets: `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`, `R2_ENDPOINT_URL`, `R2_BUCKET_NAME`.
+
+## Proprietary Changes
+
+This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -0,0 +1,195 @@
+# Changelog
+
+
+## v0.21.0 (2026-04-16)
+
+### Features
+
+- shadowsocks
+
+### Bug Fixes
+
+- vpn config discovery
+
+### Refactoring
+
+- cleanup
+- stricter proxy cleanup
+- wayfern launch
+- better error handling
+- self-updates
+- x64 performance
+
+### Maintenance
+
+- chore: version bump
+- chore: proper formatting
+- chore: remove pre-installed aws cli
+- chore: update flake.nix for v0.20.4 [skip ci] (#283)
+
+### Other
+
+- deps(rust)(deps): bump rand from 0.10.0 to 0.10.1 in /src-tauri (#285)
+- style: button should not become bigger on hover
+- style: scrollbars
+
+
+## v0.20.4 (2026-04-11)
+
+### Refactoring
+
+- vpn
+- save port
+
+### Maintenance
+
+- chore: version bump
+- chore: linting
+- chore: overwrite aws cli
+- ci(deps): bump the github-actions group with 3 updates
+- chore: update flake.nix for v0.20.3 [skip ci] (#278)
+
+### Other
+
+- style: copy
+- deps(rust)(deps): bump the rust-dependencies group
+- deps(deps): bump next from 16.2.2 to 16.2.3
+
+
+## v0.20.3 (2026-04-10)
+
+### Refactoring
+
+- debug wayfern launch
+
+### Maintenance
+
+- chore: version bump
+- chore: serialize changelog and flake jobs
+- chore: update flake.nix for v0.20.2 [skip ci] (#273)
+
+
+## v0.20.2 (2026-04-08)
+
+### Maintenance
+
+- chore: version bump
+- chore: aws integrity checks
+- chore: inject NEXT_PUBLIC_TURNSTILE everywhere
+- chore: update flake.nix for v0.20.1 [skip ci] (#272)
+
+
+## v0.20.1 (2026-04-08)
+
+### Maintenance
+
+- chore: version bump
+- chore: normalize r2 endpoint
+- chore: pull turnstile public key in frontend at build time
+- chore: update flake.nix for v0.20.0 [skip ci] (#270)
+
+
+## v0.20.0 (2026-04-08)
+
+### Bug Fixes
+
+- cookie copying for wayfern
+
+### Refactoring
+
+- cleanup
+- dynamic proxy
+
+### Documentation
+
+- update CHANGELOG.md and README.md for v0.19.0 [skip ci] (#261)
+
+### Maintenance
+
+- chore: version bump
+- chore: linting
+- chore: linting
+- chore: linting
+- chore: update flake.nix for v0.19.0 [skip ci] (#262)
+
+### Other
+
+- deps(rust)(deps): bump the rust-dependencies group
+- deps(deps): bump the frontend-dependencies group with 19 updates
+
+
+## v0.19.0 (2026-04-04)
+
+### Features
+
+- captcha on email input
+- dns block lists
+- portable build
+
+### Bug Fixes
+
+- follow latest MCP spec
+- wayfern initial connection on macos doesn't timeout
+
+### Refactoring
+
+- linux auto updates
+- more robust vpn handling
+- don't allow portable build to be set as the default browser
+- show app version in settings
+
+### Documentation
+
+- remove codacy badge
+- agents
+- contrib-readme-action has updated readme
+- update CHANGELOG.md and README.md for v0.18.1 [skip ci]
+- cleanup
+
+### Maintenance
+
+- test: simplify
+- chore: preserve cargo
+- chore: version bump
+- chore: linting
+- chore: update dependencies
+- chore: repo publish workflow
+- chore: copy and backlink
+- test: serialize
+- chore: copy correct file
+- chore: linting
+- chore: do not provide possible cause
+- chore: linting
+- chore: linting
+- chore: linting
+- chore: linting
+- ci(deps): bump the github-actions group with 8 updates
+- chore: commit doc changes directly and pretty discord notifications
+- chore: update flake.nix for v0.18.1 [skip ci]
+- chore: fix linting and formatting
+
+### Other
+
+- deps(deps): bump the frontend-dependencies group with 35 updates
+- deps(rust)(deps): bump the rust-dependencies group
+
+## v0.18.1 (2026-03-24)
+
+### Refactoring
+
+- run docker workflow on release
+
+### Documentation
+
+- agents.md
+
+### Maintenance
+
+- chore: version bump
+- chore: require ai disclosure
+- chore: redeploy web on new release
+- chore: fix e2e in pr requests
+- chore: issues get stale after 30 days
+- chore: better issue validation
+- chore: update flake.nix for v0.18.0 [skip ci] (#247)
+
@@ -1,20 +0,0 @@
-# Project Guidelines
-
-## Testing and Quality
-
- After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
- Always run this command before finishing a task to ensure the application isn't broken
-
-## Code Quality
-
- Don't leave comments that don't add value
- Don't duplicate code unless there's a very good reason; keep the same logic in one place
- Anytime you make changes that affect copy or add new text, it has to be reflected in all translation files
-
-## Singletons
-
- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless explicitly specified otherwise
-
-## UI Theming
-
- When modifying the UI, don't add random colors that are not controlled by `src/lib/themes.ts`
@@ -0,0 +1 @@
+AGENTS.md
@@ -1,194 +1,100 @@
 # Contributing to Donut Browser

-Contributions are welcome and always appreciated! 🍩
-
-To begin working on an issue, simply leave a comment indicating that you're taking it on. There's no need to be officially assigned to the issue before you start.
+Contributions are welcome! To start working on an issue, leave a comment indicating you're taking it on.

 ## Before Starting

-Do keep in mind before you start working on an issue / posting a PR:
-
- Search existing PRs related to that issue which might close them
- Confirm if other contributors are working on the same issue
- Check if the feature aligns with the project's roadmap and goals
+- Search existing PRs related to that issue
+- Confirm no other contributors are working on the same issue
+- Check if the feature aligns with the project's goals

 ## Contributor License Agreement

-By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to the [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:
-
- Your contributions can be used in the open source version of Donut Browser (licensed under AGPL-3.0)
- Donut Browser can offer commercial licenses for the software, including your contributions
- You retain all rights to use your contributions for any other purpose
-
-When you submit your first pull request, you acknowledge that you agree to the terms of the Contributor License Agreement.
-
-## Tips & Things to Consider
-
- PRs with tests are highly appreciated
- Avoid adding third party libraries, whenever possible
- Unless you are helping out by updating dependencies, you should not be uploading your lock files or updating any dependencies in your PR
- If you are unsure where to start, open a discussion to get pointed to a good first issue
+By contributing, you agree your contributions will be licensed under the same terms as the project. See [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md). This ensures contributions can be used in the open source version (AGPL-3.0) and commercially licensed. You retain all rights to use your contributions elsewhere.

 ## Development Setup

-### Using Nix
-
-If you have [Nix](https://nixos.org/) installed, you can skip the manual setup below and simply run:
+### Using Nix (recommended)

 ```bash
-nix develop
-# or if you use direnv
-direnv allow
+nix run .#setup     # Install dependencies
+nix run .#tauri-dev  # Start development server
+nix run .#test       # Run all checks
 ```

-This will provide Node.js, Rust, and all necessary system libraries.
+Or enter the dev shell: `nix develop`

 ### Manual Setup

-Ensure you have the following dependencies installed:
+Requirements:

- Node.js (see `.node-version` for exact version)
- pnpm package manager
- Latest Rust and Cargo toolchain
- [Tauri prerequisites guide](https://v2.tauri.app/start/prerequisites/).
-
-## Run Locally
-
-After having the above dependencies installed, proceed through the following steps to setup the codebase locally:
-
-1. **Fork the project** & [clone](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository) it locally.
-
-2. **Create a new separate branch.**
-
-   ```bash
-   git checkout -b feature/my-feature-name
-   ```
-
-3. **Install frontend dependencies**
-
-   ```bash
-   pnpm install
-   ```
-
-4. **Start the development server**
-
-   ```bash
-   pnpm tauri dev
-   ```
-
-This will start the app for local development with live reloading.
-
-## Code Style & Quality
-
-The project uses several tools to maintain code quality:
-
- **Biome** for JavaScript/TypeScript linting and formatting
- **Clippy** for Rust linting
- **rustfmt** for Rust formatting
-
-### Before Committing
-
-Run these commands to ensure your code meets the project's standards:
+- Node.js (see `.node-version`)
+- pnpm
+- Rust + Cargo (latest stable)
+- [Tauri v2 prerequisites](https://v2.tauri.app/start/prerequisites/)

 ```bash
-# Format and lint frontend code
-pnpm format:js
-
-# Format and lint Rust code
-pnpm format:rust
-
-# Run all linting
-pnpm lint
+git checkout -b feature/my-feature-name
+pnpm install
+pnpm tauri dev
 ```

-## Building
+## Quality Checks

-It is crucial to test your code before submitting a pull request. Please ensure that you can make a complete production build before you submit your code for merging.
+Run before every commit:

 ```bash
-# Build the frontend
-pnpm build
-
-# Build the backend
-cd src-tauri && cargo build
-
-# Build the Tauri application
-pnpm tauri build
+pnpm format && pnpm lint && pnpm test
 ```

-Make sure the build completes successfully without errors.
+This runs:

-## Testing
+- **Biome** — JS/TS linting and formatting
+- **Clippy + rustfmt** — Rust linting and formatting
+- **typos** — Spellcheck (allowlist in `_typos.toml`)
+- **CodeQL** — Security analysis (JS, Actions, Rust) — runs in CI
+- **Unit tests** — 330+ Rust tests
+- **Integration tests** — proxy, sync e2e

- Always test your changes on the target platform
- Verify that existing functionality still works
- Add tests for new features when possible
+### Running CodeQL locally
+
+```bash
+# Install: brew install codeql
+codeql pack download codeql/javascript-queries codeql/rust-queries
+
+# JavaScript
+codeql database create /tmp/codeql-js --language=javascript --source-root=.
+codeql database analyze /tmp/codeql-js --format=sarifv2.1.0 --output=/tmp/js.sarif codeql/javascript-queries
+
+# Rust
+codeql database create /tmp/codeql-rust --language=rust --source-root=.
+codeql database analyze /tmp/codeql-rust --format=sarifv2.1.0 --output=/tmp/rust.sarif codeql/rust-queries
+```
+
+## Key Rules
+
+- **Translations**: Any UI text changes must be reflected in all 7 locale files (`src/i18n/locales/`)
+- **Tauri commands**: If you modify Tauri commands, the `test_no_unused_tauri_commands` test will catch unused ones
+- **No hardcoded colors**: Use theme CSS variables (see `src/lib/themes.ts`), never Tailwind color classes like `text-red-500`
+- **No lock file changes**: Don't update `pnpm-lock.yaml` or `Cargo.lock` unless updating dependencies is the purpose of the PR
+- **AGPL-3.0**: This project is AGPL-licensed. Derivatives must be open source with the same license

 ## Pull Request Guidelines

-🎉 Now that you're ready to submit your code for merging, there are some points to keep in mind:
+- Fill the PR description template
+- Reference related issues (`Fixes #123` or `Refs #123`)
+- Include screenshots/videos for UI changes
+- Ensure "Allow edits from maintainers" is checked

-### PR Description
+## Architecture

- Fill your PR description template accordingly
- Have an appropriate title and description
- Include relevant screenshots for UI changes. If you can include video/gifs, it is even better.
- Reference related issues
-
-### Linking Issues
-
-If your PR fixes an issue, add this line **in the body** of the Pull Request description:
-
-```text
-Fixes #00000
-```
-
-If your PR is referencing an issue:
-
-```text
-Refs #00000
-```
-
-### PR Checklist
-
- [ ] Code follows the project's style guidelines
- [ ] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published
-
-### Options
-
- Ensure that "Allow edits from maintainers" option is checked
-
-## Architecture Overview
-
-Donut Browser is built with:
-
- **Frontend**: Next.js React application
- **Backend**: Tauri (Rust) for native functionality
- **Node.js Sidecar**: `nodecar` binary for access to JavaScript ecosystem
- **Build System**: GitHub Actions for CI/CD
-
-Understanding this architecture will help you contribute more effectively.
+- **Frontend**: Next.js (React) — `src/`
+- **Backend**: Tauri (Rust) — `src-tauri/src/`
+- **Proxy Worker**: Detached process for proxy tunneling — `src-tauri/src/bin/proxy_server.rs`
+- **Sync**: Cloud sync via S3-compatible storage — `src-tauri/src/sync/`, `donut-sync/`
+- **Browsers**: Camoufox (Firefox-based) and Wayfern (Chromium-based)

 ## Getting Help

- **Issues**: Use for bug reports and feature requests
- **Discussions**: Use for questions and general discussion
- **Pull Requests**: Use for code contributions
-
-## Code of Conduct
-
-Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
-
-## Recognition
-
-All contributors will be recognized! The project uses the all-contributors specification to acknowledge everyone who contributes.
-
---
-
-Thank you for contributing to Donut Browser! 🍩✨
+- **Issues**: Bug reports and feature requests
+- **Discussions**: Questions and general discussion
@@ -1,7 +1,9 @@
 <div align="center">
  <img src="assets/logo.png" alt="Donut Browser Logo" width="150">
  <h1>Donut Browser</h1>
-  <strong>A powerful anti-detect browser that puts you in control of your browsing experience. 🍩</strong>
+  <strong>Open Source Anti-Detect Browser</strong>
+  <br>
+  <a href="https://donutbrowser.com">donutbrowser.com</a>
 </div>
 <br>

@@ -14,14 +16,14 @@
  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/blob/main/LICENSE" target="_blank">
    <img src="https://img.shields.io/badge/license-AGPL--3.0-blue.svg" alt="License">
  </a>
-  <a href="https://app.codacy.com/gh/zhom/donutbrowser/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade">
-    <img src="https://app.codacy.com/project/badge/Grade/b9c9beafc92d4bc8bc7c5b42c6c4ba81"/>
-  </a>
  <a href="https://app.fossa.com/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser?ref=badge_shield&issueType=security" alt="FOSSA Status">
-    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser.svg?type=shield&issueType=security"/>
+    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser.svg?type=shield&issueType=security" alt="FOSSA Security Status"/>
  </a>
-  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/stargazers" target="_blank">
-    <img src="https://img.shields.io/github/stars/zhom/donutbrowser?style=social" alt="GitHub stars">
+  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/network/members" target="_blank">
+    <img src="https://img.shields.io/github/forks/zhom/donutbrowser?style=social" alt="GitHub forks">
+  </a>
+  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/releases" target="_blank">
+    <img src="https://img.shields.io/github/downloads/zhom/donutbrowser/total" alt="Downloads">
  </a>
 </p>

@@ -29,21 +31,55 @@

 ## Features

- Create unlimited number of local browser profiles completely isolated from each other
- Safely use multiple accounts on one device by using anti-detect browser profiles, powered by [Camoufox](https://camoufox.com)
- Proxy support with basic auth for all browsers
- Import profiles from your existing browsers
- Automatic updates for browsers
- Set Donut Browser as your default browser to control in which profile to open links
+- **Unlimited browser profiles** — each fully isolated with its own fingerprint, cookies, extensions, and data
+- **Chromium & Firefox engines** — Chromium powered by [Wayfern](https://wayfern.com), Firefox powered by [Camoufox](https://camoufox.com), both with advanced fingerprint spoofing
+- **Proxy support** — HTTP, HTTPS, SOCKS4, SOCKS5 per profile, with dynamic proxy URLs
+- **VPN support** — WireGuard and OpenVPN configs per profile
+- **Local API & MCP** — REST API and [Model Context Protocol](https://modelcontextprotocol.io) server for integration with Claude, automation tools, and custom workflows
+- **Profile groups** — organize profiles and apply bulk settings
+- **Import profiles** — migrate from Chrome, Firefox, Edge, Brave, or other Chromium browsers
+- **Cookie & extension management** — import/export cookies, manage extensions per profile
+- **Default browser** — set Donut as your default browser and choose which profile opens each link
+- **Cloud sync** — sync profiles, proxies, and groups across devices (self-hostable)
+- **E2E encryption** — optional end-to-end encrypted sync with a password only you know
+- **Zero telemetry** — no tracking or device fingerprinting

-## Download
+## Install

-> For Linux, .deb and .rpm packages are available as well as standalone .AppImage files.
+<!-- install-links-start -->
+### macOS

-The app can be downloaded from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).
+| | Apple Silicon | Intel |
+|---|---|---|
+| **DMG** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_aarch64.dmg) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_x64.dmg) |
+
+Or install via Homebrew:
+
+```bash
+brew install --cask donut
+```
+
+### Windows
+
+[Download Windows Installer (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_x64-setup.exe) · [Portable (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_x64-portable.zip)
+
+### Linux
+
+| Format | x86_64 | ARM64 |
+|---|---|---|
+| **deb** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_amd64.deb) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_arm64.deb) |
+| **rpm** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut-0.21.0-1.x86_64.rpm) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut-0.21.0-1.aarch64.rpm) |
+| **AppImage** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_amd64.AppImage) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_aarch64.AppImage) |
+<!-- install-links-end -->
+
+Or install via package manager:
+
+```bash
+curl -fsSL https://donutbrowser.com/install.sh | sh
+```

 <details>
-<summary>Troubleshooting AppImage on Linux</summary>
+<summary>Troubleshooting AppImage</summary>

 If the AppImage segfaults on launch, install **libfuse2** (`sudo apt install libfuse2` / `yay -S libfuse2` / `sudo dnf install fuse-libs`), or bypass FUSE entirely:

@@ -55,40 +91,32 @@ If that gives an EGL display error, try adding `WEBKIT_DISABLE_DMABUF_RENDERER=1

 </details>

-<!-- ## Supported Platforms
+### Nix

- ✅ **macOS** (Apple Silicon)
- ✅ **Linux** (x64)
- ✅ **Windows** (x64) -->
-
-## Development
-
-### Contributing
-
-See [CONTRIBUTING.md](CONTRIBUTING.md).
-
-## Issues
-
-If you face any problems while using the application, please [open an issue](https://github.com/zhom/donutbrowser/issues).
+```bash
+nix run github:zhom/donutbrowser#release-start
+```

 ## Self-Hosting Sync

 Donut Browser supports syncing profiles, proxies, and groups across devices via a self-hosted sync server. See the [Self-Hosting Guide](docs/self-hosting-donut-sync.md) for Docker-based setup instructions.

-## Community
+## Development

-Have questions or want to contribute? The team would love to hear from you!
+See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## Community

 - **Issues**: [GitHub Issues](https://github.com/zhom/donutbrowser/issues)
 - **Discussions**: [GitHub Discussions](https://github.com/zhom/donutbrowser/discussions)

 ## Star History

-<a href="https://www.star-history.com/#zhom/donutbrowser&Date">
+<a href="https://www.star-history.com/?repos=zhom%2Fdonutbrowser&type=date&legend=top-left">
 <picture>
-   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=zhom/donutbrowser&type=Date&theme=dark" />
-   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=zhom/donutbrowser&type=Date" />
-   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=zhom/donutbrowser&type=Date" />
+   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/image?repos=zhom/donutbrowser&type=date&theme=dark&legend=top-left" />
+   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/image?repos=zhom/donutbrowser&type=date&legend=top-left" />
+   <img alt="Star History Chart" src="https://api.star-history.com/image?repos=zhom/donutbrowser&type=date&legend=top-left" />
 </picture>
 </a>

@@ -112,6 +140,20 @@ Have questions or want to contribute? The team would love to hear from you!
                    <sub><b>Hassiy</b></sub>
                </a>
            </td>
+            <td align="center">
+                <a href="https://github.com/yb403">
+                    <img src="https://avatars.githubusercontent.com/u/87396571?v=4" width="100;" alt="yb403"/>
+                    <br />
+                    <sub><b>yb403</b></sub>
+                </a>
+            </td>
+            <td align="center">
+                <a href="https://github.com/drunkod">
+                    <img src="https://avatars.githubusercontent.com/u/9677471?v=4" width="100;" alt="drunkod"/>
+                    <br />
+                    <sub><b>drunkod</b></sub>
+                </a>
+            </td>
            <td align="center">
                <a href="https://github.com/JorySeverijnse">
                    <img src="https://avatars.githubusercontent.com/u/117462355?v=4" width="100;" alt="JorySeverijnse"/>
@@ -126,7 +168,7 @@ Have questions or want to contribute? The team would love to hear from you!

 ## Contact

-Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and the team will get back to you as fast as possible.
+Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com).

 ## License

@@ -4,13 +4,13 @@

 Thanks for helping make Donut Browser safe for everyone! ❤️

-We take the security of Donut Browser seriously. If you believe you have found a security vulnerability in Donut Browser, please report it to us through coordinated disclosure.
+I take the security of Donut Browser seriously. If you believe you have found a security vulnerability in Donut Browser, please report it to me through coordinated disclosure.

 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

 Instead, please send an email to **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)** with the subject line "Security Vulnerability Report".

-Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+Please include as much of the information listed below as you can to help me better understand and resolve the issue:

 - The type of issue (e.g., buffer overflow, injection attack, privilege escalation, or cross-site scripting)
 - Full paths of source file(s) related to the manifestation of the issue
@@ -21,18 +21,18 @@ Please include as much of the information listed below as you can to help us bet
 - Impact of the issue, including how an attacker might exploit the issue
 - Your assessment of the severity level

-This information will help us triage your report more quickly.
+This information will help me triage your report more quickly.

 ## What to Expect

- **Response Time**: We will acknowledge receipt of your vulnerability report within 72 hours.
- **Investigation**: We will investigate the issue and provide you with updates on our progress.
- **Resolution**: We aim to resolve critical security issues as fast as possible, but no longer than in 30 days after the initial report.
- **Disclosure**: We will coordinate with you on the timing of any public disclosure.
+- **Response Time**: I will acknowledge receipt of your vulnerability report within 72 hours.
+- **Investigation**: I will investigate the issue and provide you with updates on my progress.
+- **Resolution**: I aim to resolve critical security issues as fast as possible, but no longer than in 30 days after the initial report.
+- **Disclosure**: I will coordinate with you on the timing of any public disclosure.

 ## Contact

-For urgent security matters, please contact us at **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)**.
+For urgent security matters, please contact me at **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)**.

 For general questions about this security policy, you can also reach out through:

@@ -9,3 +9,4 @@ extend-exclude = [

 [default.extend-words]
 DBE = "DBE"
+nd = "nd"
@@ -1,12 +1,21 @@
+FROM node:22-alpine AS builder
+
+WORKDIR /build
+COPY donut-sync/package.json donut-sync/tsconfig.json donut-sync/tsconfig.build.json ./
+COPY donut-sync/src/ src/
+RUN npm install
+RUN npm run build
+RUN npm prune --omit=dev
+
 FROM node:22-alpine

 WORKDIR /app
-
-COPY package.json .
-COPY dist/ dist/
-COPY node_modules/ node_modules/
+COPY --from=builder /build/package.json .
+COPY --from=builder /build/dist/ dist/
+COPY --from=builder /build/node_modules/ node_modules/

 ENV NODE_ENV=production
 EXPOSE 12342

+USER node
 CMD ["node", "dist/main"]
@@ -2,8 +2,6 @@
  <a href="http://nestjs.com/" target="blank"><img src="https://nestjs.com/img/logo-small.svg" width="120" alt="Nest Logo" /></a>
 </p>

-[circleci-image]: https://img.shields.io/circleci/build/github/nestjs/nest/master?token=abc123def456
-[circleci-url]: https://circleci.com/gh/nestjs/nest

  <p align="center">A progressive <a href="http://nodejs.org" target="_blank">Node.js</a> framework for building efficient and scalable server-side applications.</p>
    <p align="center">
@@ -28,33 +26,33 @@
 ## Project setup

 ```bash
-$ pnpm install
+pnpm install
 ```

 ## Compile and run the project

 ```bash
 # development
-$ pnpm run start
+pnpm run start

 # watch mode
-$ pnpm run start:dev
+pnpm run start:dev

 # production mode
-$ pnpm run start:prod
+pnpm run start:prod
 ```

 ## Run tests

 ```bash
 # unit tests
-$ pnpm run test
+pnpm run test

 # e2e tests
-$ pnpm run test:e2e
+pnpm run test:e2e

 # test coverage
-$ pnpm run test:cov
+pnpm run test:cov
 ```

 ## Deployment
@@ -64,8 +62,8 @@ When you're ready to deploy your NestJS application to production, there are som
 If you are looking for a cloud-based platform to deploy your NestJS application, check out [Mau](https://mau.nestjs.com), our official platform for deploying NestJS applications on AWS. Mau makes deployment straightforward and fast, requiring just a few simple steps:

 ```bash
-$ pnpm install -g @nestjs/mau
-$ mau deploy
+pnpm install -g @nestjs/mau
+mau deploy
 ```

 With Mau, you can deploy your application in just a few clicks, allowing you to focus on building features rather than managing infrastructure.
@@ -18,4 +18,3 @@ services:

 volumes:
  minio_data:
-
@@ -15,36 +15,36 @@
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./test/jest-e2e.json"
+    "test:e2e": "NODE_OPTIONS='--experimental-vm-modules' jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
-    "@aws-sdk/client-s3": "^3.1004.0",
-    "@aws-sdk/s3-request-presigner": "^3.1004.0",
-    "@nestjs/common": "^11.1.16",
+    "@aws-sdk/client-s3": "^3.1024.0",
+    "@aws-sdk/s3-request-presigner": "^3.1024.0",
+    "@nestjs/common": "^11.1.18",
    "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.16",
-    "@nestjs/platform-express": "^11.1.16",
+    "@nestjs/core": "^11.1.18",
+    "@nestjs/platform-express": "^11.1.18",
    "jsonwebtoken": "^9.0.3",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2"
  },
  "devDependencies": {
-    "@nestjs/cli": "^11.0.16",
-    "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.16",
+    "@nestjs/cli": "^11.0.17",
+    "@nestjs/schematics": "^11.0.10",
+    "@nestjs/testing": "^11.1.18",
    "@types/express": "^5.0.6",
    "@types/jest": "^30.0.0",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^25.3.5",
+    "@types/node": "^25.5.2",
    "@types/supertest": "^7.2.0",
-    "jest": "^30.2.0",
+    "jest": "^30.3.0",
    "source-map-support": "^0.5.21",
    "supertest": "^7.2.2",
-    "ts-jest": "^29.4.6",
-    "ts-loader": "^9.5.4",
+    "ts-jest": "^29.4.9",
+    "ts-loader": "^9.5.7",
    "ts-node": "^10.9.2",
    "tsconfig-paths": "^4.2.0",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
  },
  "jest": {
    "moduleFileExtensions": [
@@ -27,7 +27,7 @@ export class AuthGuard implements CanActivate {
    const request = context.switchToHttp().getRequest<Request>();
    const authHeader = request.headers.authorization;

-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    if (!authHeader?.startsWith("Bearer ")) {
      throw new UnauthorizedException(
        "Missing or invalid authorization header",
      );
@@ -38,7 +38,7 @@ export class AuthGuard implements CanActivate {
    // Try SYNC_TOKEN first (self-hosted mode)
    const expectedToken = this.configService.get<string>("SYNC_TOKEN");
    if (expectedToken && token === expectedToken) {
-      (request as any).user = {
+      (request as unknown as Record<string, unknown>).user = {
        mode: "self-hosted",
        prefix: "",
        teamPrefix: null,
@@ -55,7 +55,7 @@ export class AuthGuard implements CanActivate {
          algorithms: ["RS256"],
        }) as jwt.JwtPayload;

-        (request as any).user = {
+        (request as unknown as Record<string, unknown>).user = {
          mode: "cloud",
          prefix: decoded.prefix || `users/${decoded.sub}/`,
          teamPrefix: decoded.teamPrefix || null,
@@ -39,7 +39,7 @@ export class SyncController {
  constructor(private readonly syncService: SyncService) {}

  private getUserContext(req: Request): UserContext {
-    return (req as any).user as UserContext;
+    return (req as unknown as Record<string, unknown>).user as UserContext;
  }

  @Post("stat")
@@ -2,18 +2,29 @@ import { INestApplication } from "@nestjs/common";
 import { Test, TestingModule } from "@nestjs/testing";
 import request from "supertest";
 import { App } from "supertest/types";
-import { AppModule } from "./../src/app.module.js";
+import { AppController } from "./../src/app.controller.js";
+import { AppService } from "./../src/app.service.js";
+import { SyncService } from "./../src/sync/sync.service.js";

 describe("AppController (e2e)", () => {
  let app: INestApplication<App>;

  beforeEach(async () => {
    const moduleFixture: TestingModule = await Test.createTestingModule({
-      imports: [AppModule],
+      controllers: [AppController],
+      providers: [
+        AppService,
+        {
+          provide: SyncService,
+          useValue: {
+            checkS3Connectivity: async () => true,
+          },
+        },
+      ],
    }).compile();

    app = moduleFixture.createNestApplication();
-    await app.init();
+    await app.listen(0);
  });

  afterEach(async () => {
@@ -1,10 +1,16 @@
 {
  "moduleFileExtensions": ["js", "json", "ts"],
  "rootDir": ".",
+  "maxWorkers": 1,
  "testEnvironment": "node",
  "testRegex": ".e2e-spec.ts$",
  "transform": {
-    "^.+\\.(t|j)s$": "ts-jest"
+    "^.+\\.(t|j)s$": [
+      "ts-jest",
+      {
+        "tsconfig": "<rootDir>/tsconfig.json"
+      }
+    ]
  },
  "moduleNameMapper": {
    "^(\\.{1,2}/.*)\\.js$": "$1"
@@ -1,3 +1,5 @@
+import type { Server } from "node:http";
+import type { AddressInfo } from "node:net";
 import { INestApplication } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
 import { Test, TestingModule } from "@nestjs/testing";
@@ -6,6 +8,11 @@ import { App } from "supertest/types";
 import { AppController } from "./../src/app.controller.js";
 import { AppService } from "./../src/app.service.js";
 import { SyncModule } from "./../src/sync/sync.module.js";
+import {
+  configureTestEnv,
+  TEST_SYNC_TOKEN,
+  waitForTestS3,
+} from "./test-env.js";

 interface PresignResponse {
  url: string;
@@ -29,26 +36,12 @@ interface StatResponse {
  lastModified?: string;
 }

-interface SSEError {
-  code?: string;
-  timeout?: boolean;
-  response?: { status: number };
-}
-
-const TEST_TOKEN = "test-sync-token";
-
 describe("SyncController (e2e)", () => {
  let app: INestApplication<App>;

  beforeAll(async () => {
-    process.env.SYNC_TOKEN = TEST_TOKEN;
-    process.env.S3_ENDPOINT =
-      process.env.S3_ENDPOINT || "http://localhost:8987";
-    process.env.S3_ACCESS_KEY_ID = process.env.S3_ACCESS_KEY_ID || "minioadmin";
-    process.env.S3_SECRET_ACCESS_KEY =
-      process.env.S3_SECRET_ACCESS_KEY || "minioadmin";
-    process.env.S3_BUCKET = "donut-sync-test";
-    process.env.S3_FORCE_PATH_STYLE = "true";
+    configureTestEnv();
+    await waitForTestS3();

    const moduleFixture: TestingModule = await Test.createTestingModule({
      imports: [
@@ -62,7 +55,7 @@ describe("SyncController (e2e)", () => {
    }).compile();

    app = moduleFixture.createNestApplication();
-    await app.init();
+    await app.listen(0);
  });

  afterAll(async () => {
@@ -88,7 +81,7 @@ describe("SyncController (e2e)", () => {
    it("should accept requests with valid token", () => {
      return request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "nonexistent-key" })
        .expect(200)
        .expect({ exists: false });
@@ -99,7 +92,7 @@ describe("SyncController (e2e)", () => {
    it("should return exists: false for non-existent key", () => {
      return request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "does-not-exist" })
        .expect(200)
        .expect({ exists: false });
@@ -110,7 +103,7 @@ describe("SyncController (e2e)", () => {
    it("should return a presigned upload URL", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/presign-upload")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "test/upload-key.txt", contentType: "text/plain" })
        .expect(200);

@@ -125,7 +118,7 @@ describe("SyncController (e2e)", () => {
    it("should return a presigned download URL", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/presign-download")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "test/download-key.txt" })
        .expect(200);

@@ -140,7 +133,7 @@ describe("SyncController (e2e)", () => {
    it("should list objects with prefix", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/list")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ prefix: "profiles/" })
        .expect(200);

@@ -155,7 +148,7 @@ describe("SyncController (e2e)", () => {
    it("should delete object and create tombstone", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/delete")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({
          key: "test/to-delete.txt",
          tombstoneKey: "tombstones/test/to-delete.json",
@@ -176,7 +169,7 @@ describe("SyncController (e2e)", () => {
    it("should complete full upload/download cycle with presigned URLs", async () => {
      const uploadResponse = await request(app.getHttpServer())
        .post("/v1/objects/presign-upload")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey, contentType: "text/plain" })
        .expect(200);

@@ -192,7 +185,7 @@ describe("SyncController (e2e)", () => {

      const statResponse = await request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -202,7 +195,7 @@ describe("SyncController (e2e)", () => {

      const downloadResponse = await request(app.getHttpServer())
        .post("/v1/objects/presign-download")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -215,13 +208,13 @@ describe("SyncController (e2e)", () => {

      await request(app.getHttpServer())
        .post("/v1/objects/delete")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

      const finalStatResponse = await request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -238,20 +231,28 @@ describe("SyncController (e2e)", () => {
    });

    it("should return SSE stream with valid token", async () => {
-      const response = await request(app.getHttpServer())
-        .get("/v1/objects/subscribe")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
-        .set("Accept", "text/event-stream")
-        .buffer(true)
-        .timeout(3000)
-        .catch((err: SSEError) => {
-          if (err.code === "ECONNABORTED" || err.timeout) {
-            return err.response ?? { status: 200 };
-          }
-          throw err;
-        });
+      const address = (
+        app.getHttpServer() as Server
+      ).address() as AddressInfo | null;
+      if (!address || typeof address === "string") {
+        throw new Error("Expected app to be listening on a TCP port");
+      }
+
+      const response = await fetch(
+        `http://127.0.0.1:${address.port}/v1/objects/subscribe`,
+        {
+          headers: {
+            Accept: "text/event-stream",
+            Authorization: `Bearer ${TEST_SYNC_TOKEN}`,
+          },
+        },
+      );

      expect(response.status).toBe(200);
+      expect(response.headers.get("content-type")).toContain(
+        "text/event-stream",
+      );
+      await response.body?.cancel();
    });
  });
 });
@@ -0,0 +1,37 @@
+import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";
+
+export const TEST_SYNC_TOKEN = "test-sync-token";
+export const TEST_S3_ENDPOINT = "http://127.0.0.1:8987";
+
+export function configureTestEnv() {
+  process.env.SYNC_TOKEN ||= TEST_SYNC_TOKEN;
+  process.env.S3_ENDPOINT ||= TEST_S3_ENDPOINT;
+  process.env.S3_ACCESS_KEY_ID ||= "minioadmin";
+  process.env.S3_SECRET_ACCESS_KEY ||= "minioadmin";
+  process.env.S3_BUCKET ||= "donut-sync-test";
+  process.env.S3_FORCE_PATH_STYLE ||= "true";
+}
+
+export async function waitForTestS3(timeoutMs = 30_000) {
+  const deadline = Date.now() + timeoutMs;
+  const s3Client = new S3Client({
+    endpoint: TEST_S3_ENDPOINT,
+    region: "us-east-1",
+    credentials: {
+      accessKeyId: "minioadmin",
+      secretAccessKey: "minioadmin",
+    },
+    forcePathStyle: true,
+  });
+
+  while (Date.now() < deadline) {
+    try {
+      await s3Client.send(new ListBucketsCommand({}));
+      return;
+    } catch {}
+
+    await new Promise((resolve) => setTimeout(resolve, 500));
+  }
+
+  throw new Error(`Timed out waiting for S3 at ${TEST_S3_ENDPOINT}`);
+}
@@ -0,0 +1,6 @@
+{
+  "extends": "../tsconfig.json",
+  "compilerOptions": {
+    "rootDir": ".."
+  }
+}
@@ -1,4 +1,7 @@
 {
  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "rootDir": "./src"
+  },
  "exclude": ["node_modules", "test", "dist", "**/*spec.ts"]
 }
@@ -13,10 +13,11 @@
    "target": "ES2023",
    "sourceMap": true,
    "outDir": "./dist",
-    "baseUrl": "./",
    "incremental": true,
    "skipLibCheck": true,
    "strictNullChecks": true,
+    "strictPropertyInitialization": false,
+    "types": ["jest", "node"],
    "forceConsistentCasingInFileNames": true,
    "noImplicitAny": false,
    "strictBindCallApply": false,
@@ -37,28 +37,7 @@
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs",
-        "rust-overlay": "rust-overlay"
-      }
-    },
-    "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1767926800,
-        "narHash": "sha256-x0n73J6ufD/EhDlVdcoAmF0OQHZ+b0a2cKDc8RZyt+o=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "499e9eed88ff9494b6604205b42847e847dfeb91",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
+        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
@@ -1,66 +1,341 @@
 {
-  description = "Donut Browser Development Environment";
+  description = "Donut Browser development environment and quick-start commands";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
-    rust-overlay = {
-      url = "github:oxalica/rust-overlay";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };

-  outputs = { self, nixpkgs, flake-utils, rust-overlay, ... }:
+  outputs = { self, nixpkgs, flake-utils, ... }:
    flake-utils.lib.eachDefaultSystem (system:
      let
-        overlays = [ (import rust-overlay) ];
        pkgs = import nixpkgs {
-          inherit system overlays;
+          inherit system;
+          config.allowUnfree = true;
        };
+        lib = pkgs.lib;

-        # Rust toolchain
-        rustToolchain = pkgs.rust-bin.stable.latest.default.override {
-          extensions = [ "rust-src" "rust-analyzer" "clippy" "rustfmt" ];
-        };
+        nodejs =
+          if pkgs ? nodejs_23 then
+            pkgs.nodejs_23
+          else
+            pkgs.nodejs_22;

-        # System dependencies for Tauri on Linux
-        libraries = with pkgs; [
+        rustPackages = with pkgs; [
+          cargo
+          clippy
+          rust-analyzer
+          rustc
+          rustfmt
+        ];
+
+        commonLibs = with pkgs; [
          webkitgtk_4_1
+          libsoup_3
+          glib
          gtk3
          cairo
          gdk-pixbuf
-          glib
+          pango
+          atk
+          at-spi2-atk
+          at-spi2-core
          dbus
-          librsvg
-          libsoup_3
+          nss
+          nspr
+          libdrm
+          libgbm
+          libxkbcommon
+          libx11
+          libxcomposite
+          libxdamage
+          libxext
+          libxfixes
+          libxrandr
+          libxcb
+          libxshmfence
+          libxtst
+          libxi
+          xdotool
+          libxrender
+          libxinerama
+          libxcursor
+          libxscrnsaver
+          fontconfig
+          freetype
+          fribidi
+          harfbuzz
+          expat
+          libglvnd
+          libgpg-error
+          e2fsprogs
+          gmp
+          zlib
+          stdenv.cc.cc.lib
        ];

-        packages = with pkgs; [
-          rustToolchain
-          nodejs_22
-          pnpm
-          pkg-config
-          cargo-tauri
-          openssl
-          # App specific tools
-          biome
-        ] ++ libraries;
+        runtimeLibPath = lib.makeLibraryPath commonLibs;
+        nixLd = pkgs.stdenv.cc.bintools.dynamicLinker;
+        pkgConfigLibs = [
+          pkgs.at-spi2-atk
+          pkgs.at-spi2-core
+          pkgs.cairo
+          pkgs.dbus
+          pkgs.gdk-pixbuf
+          pkgs.glib
+          pkgs.gtk3
+          pkgs.libsoup_3
+          pkgs.libxkbcommon
+          pkgs.openssl
+          pkgs.pango
+          pkgs.harfbuzz
+          pkgs.webkitgtk_4_1
+        ];
+        pkgConfigPath = lib.makeSearchPath "lib/pkgconfig" (
+          pkgConfigLibs ++ map lib.getDev pkgConfigLibs
+        );
+        releaseVersion = "0.21.0";
+        releaseAppImage =
+          if system == "x86_64-linux" then
+            pkgs.fetchurl {
+              url = "https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_amd64.AppImage";
+              hash = "sha256-Qrg+8uh9RTDMHUNqWChWBHIIsy2Dgzu5wOH+FuPN35k=";
+            }
+          else if system == "aarch64-linux" then
+            pkgs.fetchurl {
+              url = "https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_aarch64.AppImage";
+              hash = "sha256-UBGer3/8xleadHaZ/5OY2KaC03OE40SOewCAdcxw2CM=";
+            }
+          else
+            null;
+        releaseUnpacked =
+          if releaseAppImage != null then
+            pkgs.stdenvNoCC.mkDerivation {
+              pname = "donut-release-unpacked";
+              version = releaseVersion;
+              src = releaseAppImage;
+              dontUnpack = true;
+              nativeBuildInputs = [ pkgs.xz ];
+              installPhase = ''
+                runHook preInstall

+                cp "$src" ./donut.AppImage
+                chmod +x ./donut.AppImage
+                ./donut.AppImage --appimage-extract >/dev/null
+
+                mkdir -p "$out"
+                cp -a ./squashfs-root "$out/"
+
+                runHook postInstall
+              '';
+            }
+          else
+            null;
+        releaseWrapped =
+          if releaseAppImage != null then
+            pkgs.appimageTools.wrapType2 {
+              pname = "donut";
+              version = releaseVersion;
+              src = releaseAppImage;
+              extraPkgs = _: commonLibs;
+              extraInstallCommands = ''
+                for bin in "$out"/bin/*; do
+                  if [ -f "$bin" ]; then
+                    mv "$bin" "$out/bin/donut-release"
+                    break
+                  fi
+                done
+              '';
+            }
+          else
+            null;
+        releaseLauncher =
+          if releaseUnpacked != null then
+            pkgs.writeShellApplication {
+              name = "donut-release-start";
+              runtimeInputs = with pkgs; [
+                coreutils
+                xdg-utils
+              ];
+              text = ''
+                set -euo pipefail
+
+                if [ -x "${releaseWrapped}/bin/donut-release" ]; then
+                  if "${releaseWrapped}/bin/donut-release" "$@"; then
+                    exit 0
+                  fi
+                  echo "Wrapped AppImage failed, retrying with direct AppRun..." >&2
+                fi
+
+                export LD_LIBRARY_PATH="${releaseUnpacked}/squashfs-root/usr/lib:${releaseUnpacked}/squashfs-root/usr/lib64:${runtimeLibPath}:''${LD_LIBRARY_PATH:-}"
+                export NIX_LD_LIBRARY_PATH="$LD_LIBRARY_PATH"
+                export LIBRARY_PATH="$LD_LIBRARY_PATH"
+                export XDG_DATA_DIRS="${releaseUnpacked}/squashfs-root/usr/share:''${XDG_DATA_DIRS:-}"
+                exec "${releaseUnpacked}/squashfs-root/AppRun" "$@"
+              '';
+            }
+          else
+            pkgs.writeShellApplication {
+              name = "donut-release-start";
+              text = ''
+                echo "Release launcher is supported only on Linux (x86_64/aarch64)."
+                exit 1
+              '';
+            };
+
+        mkApp = name: text:
+          let
+            app = pkgs.writeShellApplication {
+              inherit name;
+              runtimeInputs = with pkgs; [
+                bash
+                coreutils
+                findutils
+                git
+                gnugrep
+                gnused
+                curl
+                gcc
+                pkg-config
+                openssl
+                cargo
+                clippy
+                rustc
+                rustfmt
+                nodejs
+                pnpm
+                cargo-tauri
+              ];
+              text = ''
+                export NODE_ENV=development
+                export NIX_LD="${nixLd}"
+                export NIX_LD_LIBRARY_PATH="${runtimeLibPath}:''${NIX_LD_LIBRARY_PATH:-}"
+                export LD_LIBRARY_PATH="${runtimeLibPath}:''${LD_LIBRARY_PATH:-}"
+                export LIBRARY_PATH="${runtimeLibPath}:''${LIBRARY_PATH:-}"
+                export PKG_CONFIG_PATH="${pkgConfigPath}:''${PKG_CONFIG_PATH:-}"
+                export RUST_SRC_PATH="${pkgs.rustPlatform.rustLibSrc}"
+                ${text}
+              '';
+            };
+          in
+          {
+            type = "app";
+            program = "${app}/bin/${name}";
+          };
      in
      {
        devShells.default = pkgs.mkShell {
-          buildInputs = packages;
+          packages = with pkgs; [
+            nodejs
+            pnpm
+            cargo-tauri
+            pkg-config
+            openssl
+            git
+            bashInteractive
+            gnumake
+            clang
+            llvmPackages.bintools
+            python3
+            curl
+            wget
+            unzip
+            zip
+            xz
+            biome
+            docker
+          ] ++ rustPackages ++ commonLibs;

          shellHook = ''
-            export LD_LIBRARY_PATH=${pkgs.lib.makeLibraryPath libraries}:$LD_LIBRARY_PATH
-            export XDG_DATA_DIRS=${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}:${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}:$XDG_DATA_DIRS
-            
-            echo "🍩 Donut Browser Dev Environment Loaded!"
-            echo "Node: $(node --version)"
-            echo "Rust: $(rustc --version)"
-            echo "Tauri CLI: $(cargo-tauri --version)"
+            export NODE_ENV=development
+            export NIX_LD="${nixLd}"
+            export NIX_LD_LIBRARY_PATH="${runtimeLibPath}:''${NIX_LD_LIBRARY_PATH:-}"
+            export LD_LIBRARY_PATH="${runtimeLibPath}:''${LD_LIBRARY_PATH:-}"
+            export LIBRARY_PATH="${runtimeLibPath}:''${LIBRARY_PATH:-}"
+            export PKG_CONFIG_PATH="${pkgConfigPath}:''${PKG_CONFIG_PATH:-}"
+            export RUST_SRC_PATH="${pkgs.rustPlatform.rustLibSrc}"
+            export XDG_DATA_DIRS="${pkgs.gsettings-desktop-schemas}/share:${pkgs.gtk3}/share:''${XDG_DATA_DIRS:-}"
+
+            echo "Donut Browser dev shell ready."
+            echo "Quick start:"
+            echo "  nix run .#setup"
+            echo "  nix run .#tauri-dev"
+            echo "  nix run .#full-dev"
+            echo "  nix run .#build"
+            echo "  nix run .#test"
+            echo "  nix run .#release-start"
          '';
        };
-      }
-    );
+
+        apps.info = mkApp "donut-info" ''
+          set -euo pipefail
+          echo "Node: $(node --version)"
+          echo "pnpm: $(pnpm --version)"
+          echo "Rust: $(rustc --version)"
+          echo "Cargo: $(cargo --version)"
+          echo "Tauri CLI: $(cargo-tauri --version)"
+        '';
+
+        apps.deps = mkApp "donut-deps" ''
+          set -euo pipefail
+          pnpm install
+        '';
+
+        apps.dev = mkApp "donut-dev" ''
+          set -euo pipefail
+          pnpm dev
+        '';
+
+        apps."tauri-dev" = mkApp "donut-tauri-dev" ''
+          set -euo pipefail
+          pnpm tauri dev
+        '';
+
+        apps."full-dev" = mkApp "donut-full-dev" ''
+          set -euo pipefail
+          chmod +x ./scripts/dev.sh
+          ./scripts/dev.sh
+        '';
+
+        apps.build = mkApp "donut-build" ''
+          set -euo pipefail
+          pnpm build
+          (cd src-tauri && cargo build)
+        '';
+
+        apps.start = mkApp "donut-start" ''
+          set -euo pipefail
+          pnpm start
+        '';
+
+        apps.test = mkApp "donut-test" ''
+          set -euo pipefail
+          pnpm format && pnpm lint && pnpm test
+        '';
+
+        apps.setup = mkApp "donut-setup" ''
+          set -euo pipefail
+
+          if [ ! -f "package.json" ]; then
+            echo "package.json not found. Run this from the donutbrowser repo root."
+            exit 1
+          fi
+
+          pnpm install
+          pnpm copy-proxy-binary
+
+          echo "Setup complete."
+          echo "Run the app with:"
+          echo "  nix run .#tauri-dev"
+          echo "Or run full local stack (sync + minio + tauri):"
+          echo "  nix run .#full-dev"
+        '';
+
+        apps."release-start" = {
+          type = "app";
+          program = "${releaseLauncher}/bin/donut-release-start";
+        };
+
+        apps.default = self.apps.${system}.setup;
+      });
 }
@@ -1,6 +0,0 @@
-/// <reference types="next" />
-/// <reference types="next/image-types/global" />
-import "./.next/types/routes.d.ts";
-
-// NOTE: This file should not be edited
-// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
@@ -2,19 +2,21 @@
  "name": "donutbrowser",
  "private": true,
  "license": "AGPL-3.0",
-  "version": "0.16.0",
+  "version": "0.21.1",
  "type": "module",
  "scripts": {
    "dev": "next dev --turbopack -p 12341",
    "build": "next build",
    "start": "next start",
-    "test": "pnpm test:rust:unit && pnpm test:sync-e2e",
+    "test": "pnpm test:rust:unit && pnpm test:openvpn-e2e && pnpm test:sync-e2e",
+    "test:openvpn-e2e": "node scripts/openvpn-test-harness.mjs",
    "test:rust": "cd src-tauri && cargo test",
-    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration",
+    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration",
    "test:sync-e2e": "node scripts/sync-test-harness.mjs",
-    "lint": "pnpm lint:js && pnpm lint:rust",
+    "lint": "pnpm lint:js && pnpm lint:rust && pnpm lint:spell",
    "lint:js": "biome check src/ && tsc --noEmit && cd donut-sync && biome check src/ && tsc --noEmit",
    "lint:rust": "cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all && cargo fmt --all",
+    "lint:spell": "typos .",
    "tauri": "tauri",
    "shadcn:add": "pnpm dlx shadcn@latest add",
    "prepare": "husky && husky install",
@@ -46,48 +48,54 @@
    "@tanstack/react-table": "^8.21.3",
    "@tauri-apps/api": "~2.10.1",
    "@tauri-apps/plugin-deep-link": "^2.4.7",
-    "@tauri-apps/plugin-dialog": "^2.6.0",
-    "@tauri-apps/plugin-fs": "~2.4.5",
+    "@tauri-apps/plugin-dialog": "^2.7.0",
+    "@tauri-apps/plugin-fs": "~2.5.0",
    "@tauri-apps/plugin-log": "^2.8.0",
    "@tauri-apps/plugin-opener": "^2.5.3",
-    "ahooks": "^3.9.6",
+    "ahooks": "^3.9.7",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "cmdk": "^1.1.1",
    "color": "^5.0.3",
    "flag-icons": "^7.5.0",
-    "i18next": "^25.8.14",
-    "lucide-react": "^0.577.0",
-    "motion": "^12.35.0",
-    "next": "^16.1.6",
+    "i18next": "^26.0.3",
+    "lucide-react": "^1.7.0",
+    "motion": "^12.38.0",
+    "next": "^16.2.3",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
-    "react-i18next": "^16.5.6",
+    "react-i18next": "^17.0.2",
    "react-icons": "^5.6.0",
-    "recharts": "3.8.0",
+    "recharts": "3.8.1",
    "sonner": "^2.0.7",
    "tailwind-merge": "^3.5.0",
    "tauri-plugin-macos-permissions-api": "^2.3.0"
  },
  "devDependencies": {
-    "@biomejs/biome": "2.4.6",
-    "@tailwindcss/postcss": "^4.2.1",
+    "@biomejs/biome": "2.4.10",
+    "@tailwindcss/postcss": "^4.2.2",
    "@tauri-apps/cli": "~2.10.1",
-    "@types/color": "^4.2.0",
-    "@types/node": "^25.3.5",
+    "@types/color": "^4.2.1",
+    "@types/node": "^25.5.2",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.4",
+    "@vitejs/plugin-react": "^6.0.1",
    "husky": "^9.1.7",
-    "lint-staged": "^16.3.2",
-    "tailwindcss": "^4.2.1",
+    "lint-staged": "^16.4.0",
+    "tailwindcss": "^4.2.2",
    "ts-unused-exports": "^11.0.1",
    "tw-animate-css": "^1.4.0",
-    "typescript": "~5.9.3"
+    "typescript": "~6.0.2"
  },
-  "packageManager": "pnpm@10.30.1",
+  "pnpm": {
+    "overrides": {
+      "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
+      "path-to-regexp@>=8.0.0 <8.4.0": ">=8.4.0"
+    }
+  },
+  "packageManager": "pnpm@10.33.0",
  "lint-staged": {
    "**/*.{js,jsx,ts,tsx,json,css}": [
      "biome check --fix"
@@ -96,6 +104,9 @@
      "bash -c 'cd src-tauri && cargo fmt --all'",
      "bash -c 'cd src-tauri && cargo clippy --all-targets --all-features -- -D warnings -D clippy::all'",
      "bash -c 'cd src-tauri && cargo test --lib'"
+    ],
+    "**/*.{rs,ts,tsx,js,jsx,md}": [
+      "typos"
    ]
  }
 }
@@ -81,7 +81,7 @@ echo -e "${YELLOW}Waiting for MinIO to be healthy...${NC}"
 MAX_RETRIES=30
 RETRY_COUNT=0
 while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
-  if curl -sf http://localhost:8987/minio/health/live > /dev/null 2>&1; then
+  if curl -sf http://127.0.0.1:8987/minio/health/live > /dev/null 2>&1; then
    echo -e "${GREEN}MinIO is ready!${NC}"
    break
  fi
@@ -0,0 +1,161 @@
+#!/usr/bin/env node
+/**
+ * OpenVPN E2E Test Harness
+ *
+ * This script:
+ * 1. Skips unless explicitly enabled via DONUTBROWSER_RUN_OPENVPN_E2E=1
+ * 2. Builds the Rust vpn_integration test binary without running it
+ * 3. Runs the OpenVPN e2e test binary under sudo
+ *
+ * Usage: DONUTBROWSER_RUN_OPENVPN_E2E=1 node scripts/openvpn-test-harness.mjs
+ */
+
+import { spawn } from "child_process";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT_DIR = path.resolve(__dirname, "..");
+const SRC_TAURI_DIR = path.join(ROOT_DIR, "src-tauri");
+const TEST_NAME = "test_openvpn_traffic_flows_through_donut_proxy";
+
+function log(message) {
+  console.log(`[openvpn-harness] ${message}`);
+}
+
+function error(message) {
+  console.error(`[openvpn-harness] ERROR: ${message}`);
+}
+
+function shouldRun() {
+  if (process.env.DONUTBROWSER_RUN_OPENVPN_E2E !== "1") {
+    log("Skipping OpenVPN e2e test because DONUTBROWSER_RUN_OPENVPN_E2E is not set");
+    return false;
+  }
+
+  if (process.platform !== "linux") {
+    log(`Skipping OpenVPN e2e test on unsupported platform: ${process.platform}`);
+    return false;
+  }
+
+  return true;
+}
+
+async function buildTestBinary() {
+  log("Building OpenVPN e2e test binary...");
+
+  return new Promise((resolve, reject) => {
+    let executablePath = "";
+    let stdoutBuffer = "";
+
+    const proc = spawn(
+      "cargo",
+      [
+        "test",
+        "--test",
+        "vpn_integration",
+        TEST_NAME,
+        "--no-run",
+        "--message-format=json",
+      ],
+      {
+        cwd: SRC_TAURI_DIR,
+        env: process.env,
+        stdio: ["ignore", "pipe", "pipe"],
+      }
+    );
+
+    const parseBuffer = (flush = false) => {
+      const lines = stdoutBuffer.split("\n");
+      const completeLines = flush ? lines : lines.slice(0, -1);
+      stdoutBuffer = flush ? "" : lines.at(-1) ?? "";
+
+      for (const line of completeLines.filter(Boolean)) {
+        try {
+          const message = JSON.parse(line);
+          if (message.reason === "compiler-artifact" && message.executable) {
+            executablePath = message.executable;
+          }
+        } catch {
+          // Ignore non-JSON lines.
+        }
+      }
+    };
+
+    proc.stdout.on("data", (data) => {
+      stdoutBuffer += data.toString();
+      parseBuffer();
+    });
+
+    proc.stderr.on("data", (data) => {
+      process.stderr.write(data);
+    });
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      parseBuffer(true);
+
+      if (code !== 0) {
+        reject(new Error(`cargo test --no-run exited with code ${code}`));
+        return;
+      }
+
+      if (!executablePath) {
+        reject(new Error("Could not determine the vpn_integration test binary path"));
+        return;
+      }
+
+      resolve(path.isAbsolute(executablePath) ? executablePath : path.resolve(SRC_TAURI_DIR, executablePath));
+    });
+  });
+}
+
+async function runOpenVpnE2e(executablePath) {
+  log("Running OpenVPN e2e test under sudo...");
+
+  return new Promise((resolve, reject) => {
+    const proc = spawn(
+      "sudo",
+      [
+        "--preserve-env=CI,GITHUB_ACTIONS,VPN_TEST_OVPN_HOST,VPN_TEST_OVPN_PORT,DONUTBROWSER_RUN_OPENVPN_E2E",
+        executablePath,
+        TEST_NAME,
+        "--exact",
+        "--nocapture",
+      ],
+      {
+        cwd: SRC_TAURI_DIR,
+        env: process.env,
+        stdio: "inherit",
+      }
+    );
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      resolve(code ?? 1);
+    });
+  });
+}
+
+async function main() {
+  if (!shouldRun()) {
+    process.exit(0);
+  }
+
+  try {
+    const executablePath = await buildTestBinary();
+    const exitCode = await runOpenVpnE2e(executablePath);
+    process.exit(exitCode);
+  } catch (err) {
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+main();
@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+GITHUB_REPO="zhom/donutbrowser"
+
+# Load .env if running locally
+if [[ -f "$REPO_ROOT/.env" ]]; then
+  set -a
+  # shellcheck disable=SC1091
+  source "$REPO_ROOT/.env"
+  set +a
+fi
+
+# Validate required env vars
+for var in R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT_URL R2_BUCKET_NAME; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "Error: $var is not set. Configure it in .env or export it."
+    exit 1
+  fi
+done
+
+# Export for AWS CLI
+export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID"
+export AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY"
+export AWS_DEFAULT_REGION="auto"
+# aws-cli v2.23+ sends integrity checksums by default; R2 rejects them
+# with `Unauthorized` on ListObjectsV2. Disable.
+export AWS_REQUEST_CHECKSUM_CALCULATION="WHEN_REQUIRED"
+export AWS_RESPONSE_CHECKSUM_VALIDATION="WHEN_REQUIRED"
+
+# Ensure endpoint URL has https:// prefix
+R2_ENDPOINT="$R2_ENDPOINT_URL"
+if [[ "$R2_ENDPOINT" != https://* ]]; then
+  R2_ENDPOINT="https://$R2_ENDPOINT"
+fi
+
+# Determine version tag
+if [[ $# -ge 1 ]]; then
+  TAG="$1"
+else
+  echo "Fetching latest release tag..."
+  TAG=$(gh release view --repo "$GITHUB_REPO" --json tagName -q .tagName)
+  echo "Latest release: $TAG"
+fi
+
+VERSION="${TAG#v}"
+echo "Publishing repositories for version $VERSION"
+
+# Check required tools
+for cmd in aws gh dpkg-scanpackages gzip createrepo_c; do
+  if ! command -v "$cmd" &>/dev/null; then
+    echo "Error: $cmd is not installed."
+    case "$cmd" in
+      dpkg-scanpackages) echo "  Install with: sudo apt-get install dpkg-dev" ;;
+      createrepo_c) echo "  Install with: sudo apt-get install createrepo-c" ;;
+      aws) echo "  Install with: pip install awscli" ;;
+      gh) echo "  Install with: https://cli.github.com/" ;;
+    esac
+    exit 1
+  fi
+done
+
+PACKAGES_DIR="$WORK_DIR/packages"
+REPO_DIR="$WORK_DIR/repo"
+mkdir -p "$PACKAGES_DIR" "$REPO_DIR"
+
+# ---------------------------------------------------------------------------
+# Download .deb and .rpm from GitHub release
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Downloading packages from GitHub release $TAG..."
+gh release download "$TAG" \
+  --repo "$GITHUB_REPO" \
+  --pattern "*.deb" \
+  --dir "$PACKAGES_DIR"
+gh release download "$TAG" \
+  --repo "$GITHUB_REPO" \
+  --pattern "*.rpm" \
+  --dir "$PACKAGES_DIR"
+
+echo "Downloaded:"
+ls -lh "$PACKAGES_DIR/"
+
+# ---------------------------------------------------------------------------
+# DEB repository
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Building DEB repository..."
+
+DEB_DIR="$REPO_DIR/deb"
+mkdir -p "$DEB_DIR/pool/main"
+mkdir -p "$DEB_DIR/dists/stable/main/binary-amd64"
+mkdir -p "$DEB_DIR/dists/stable/main/binary-arm64"
+
+# Pull existing pool from R2 (incremental)
+echo "  Syncing existing DEB pool from R2..."
+aws s3 sync "s3://${R2_BUCKET_NAME}/deb/pool" "$DEB_DIR/pool" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || true
+
+# Copy new .deb files into pool
+for deb in "$PACKAGES_DIR"/*.deb; do
+  [[ -f "$deb" ]] || continue
+  cp "$deb" "$DEB_DIR/pool/main/"
+done
+
+# Generate Packages and Packages.gz for each arch
+for arch in amd64 arm64; do
+  echo "  Generating Packages for $arch..."
+  BINARY_DIR="$DEB_DIR/dists/stable/main/binary-${arch}"
+
+  # dpkg-scanpackages needs to run from the repo root
+  # and needs paths relative to that root
+  (cd "$DEB_DIR" && dpkg-scanpackages --arch "$arch" pool/main) \
+    > "$BINARY_DIR/Packages"
+
+  gzip -9c "$BINARY_DIR/Packages" > "$BINARY_DIR/Packages.gz"
+
+  echo "    $(grep -c '^Package:' "$BINARY_DIR/Packages" 2>/dev/null || echo 0) package(s)"
+done
+
+# Generate Release file
+echo "  Generating Release file..."
+{
+  echo "Origin: Donut Browser"
+  echo "Label: Donut Browser"
+  echo "Suite: stable"
+  echo "Codename: stable"
+  echo "Architectures: amd64 arm64"
+  echo "Components: main"
+  echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
+  echo "MD5Sum:"
+  for arch in amd64 arm64; do
+    for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+      filepath="$DEB_DIR/dists/stable/$file"
+      if [[ -f "$filepath" ]]; then
+        size=$(wc -c < "$filepath")
+        md5=$(md5sum "$filepath" | awk '{print $1}')
+        printf " %s %8d %s\n" "$md5" "$size" "$file"
+      fi
+    done
+  done
+  echo "SHA256:"
+  for arch in amd64 arm64; do
+    for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+      filepath="$DEB_DIR/dists/stable/$file"
+      if [[ -f "$filepath" ]]; then
+        size=$(wc -c < "$filepath")
+        sha256=$(sha256sum "$filepath" | awk '{print $1}')
+        printf " %s %8d %s\n" "$sha256" "$size" "$file"
+      fi
+    done
+  done
+} > "$DEB_DIR/dists/stable/Release"
+
+echo "  DEB Release file created."
+
+# ---------------------------------------------------------------------------
+# RPM repository
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Building RPM repository..."
+
+RPM_DIR="$REPO_DIR/rpm"
+mkdir -p "$RPM_DIR/x86_64"
+mkdir -p "$RPM_DIR/aarch64"
+
+# Pull existing RPMs from R2 (incremental)
+echo "  Syncing existing RPM packages from R2..."
+aws s3 sync "s3://${R2_BUCKET_NAME}/rpm/x86_64" "$RPM_DIR/x86_64" \
+  --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+aws s3 sync "s3://${R2_BUCKET_NAME}/rpm/aarch64" "$RPM_DIR/aarch64" \
+  --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+
+# Copy new .rpm files into arch directories
+for rpm in "$PACKAGES_DIR"/*.rpm; do
+  [[ -f "$rpm" ]] || continue
+  filename=$(basename "$rpm")
+  if [[ "$filename" == *x86_64* ]]; then
+    cp "$rpm" "$RPM_DIR/x86_64/"
+  elif [[ "$filename" == *aarch64* ]]; then
+    cp "$rpm" "$RPM_DIR/aarch64/"
+  fi
+done
+
+# Generate repodata using createrepo_c
+# We point createrepo_c at the top-level rpm dir so it indexes all subdirs
+echo "  Generating RPM repodata..."
+createrepo_c --update "$RPM_DIR"
+
+echo "  RPM repodata created."
+
+# ---------------------------------------------------------------------------
+# Upload to R2
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Uploading DEB repository to R2..."
+aws s3 sync "$DEB_DIR/dists" "s3://${R2_BUCKET_NAME}/deb/dists" \
+  --endpoint-url "$R2_ENDPOINT" --delete
+aws s3 sync "$DEB_DIR/pool" "s3://${R2_BUCKET_NAME}/deb/pool" \
+  --endpoint-url "$R2_ENDPOINT"
+
+echo "==> Uploading RPM repository to R2..."
+aws s3 sync "$RPM_DIR" "s3://${R2_BUCKET_NAME}/rpm" \
+  --endpoint-url "$R2_ENDPOINT"
+
+# ---------------------------------------------------------------------------
+# Verify
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Verifying upload..."
+echo "DEB dists/stable/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/deb/dists/stable/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+echo "DEB pool/main/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/deb/pool/main/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+echo "RPM repodata/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/rpm/repodata/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+
+echo ""
+echo "Done! Repository published for $TAG"
+echo ""
+echo "Users can add the DEB repo with:"
+echo "  echo 'deb [trusted=yes] https://repo.donutbrowser.com/deb stable main' | sudo tee /etc/apt/sources.list.d/donutbrowser.list"
+echo "  sudo apt update && sudo apt install donut"
+echo ""
+echo "Users can add the RPM repo with:"
+echo "  sudo tee /etc/yum.repos.d/donutbrowser.repo << 'EOF'"
+echo "  [donutbrowser]"
+echo "  name=Donut Browser"
+echo "  baseurl=https://repo.donutbrowser.com/rpm"
+echo "  enabled=1"
+echo "  gpgcheck=0"
+echo "  EOF"
+echo "  sudo dnf install Donut"
@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.16.0"
+version = "0.21.1"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"
@@ -30,7 +30,7 @@ path = "src/bin/donut_daemon.rs"

 [build-dependencies]
 tauri-build = { version = "2", features = [] }
-resvg = "0.46"
+resvg = "0.47"

 [dependencies]
 serde_json = "1"
@@ -57,14 +57,14 @@ base64 = "0.22"
 libc = "0.2"
 async-trait = "0.1"
 futures-util = "0.3"
-zip = { version = "7", default-features = false, features = ["deflate-flate2"] }
+zip = { version = "8", default-features = false, features = ["deflate-flate2"] }
 tar = "0"
 bzip2 = "0"
 flate2 = "1"
 lzma-rs = "0"
 msi-extract = "0"

-uuid = { version = "1.20", features = ["v4", "serde"] }
+uuid = { version = "1.23", features = ["v4", "serde"] }
 url = "2.5"
 blake3 = "1"
 globset = "0.4"
@@ -72,14 +72,20 @@ mime_guess = "2"
 once_cell = "1"
 urlencoding = "2.1"
 chrono = { version = "0.4", features = ["serde"] }
+chrono-tz = "0.10"
 axum = { version = "0.8.8", features = ["ws"] }
 tower = "0.5"
 tower-http = { version = "0.6", features = ["cors"] }
-rand = "0.9.2"
+rand = "0.10.1"
 utoipa = { version = "5", features = ["axum_extras", "chrono"] }
 utoipa-axum = "0.2"
 argon2 = "0.5"
 aes-gcm = "0.10"
+aes = "0.9"
+cbc = "0.2"
+ring = "0.17"
+sha2 = "0.11"
+shadowsocks = { version = "1.24", default-features = false, features = ["aead-cipher"] }
 hyper = { version = "1.8", features = ["full"] }
 hyper-util = { version = "0.1", features = ["full"] }
 http-body-util = "0.1"
@@ -87,11 +93,11 @@ clap = { version = "4", features = ["derive"] }
 async-socks5 = "0.6"

 # Camoufox/Playwright integration
-playwright = { git = "https://github.com/sctg-development/playwright-rust", branch = "master" }
+playwright = { git = "https://github.com/zhom/playwright-rust", branch = "master" }

 # Wayfern CDP integration
-tokio-tungstenite = { version = "0.28", features = ["native-tls"] }
-rusqlite = { version = "0.38", features = ["bundled"] }
+tokio-tungstenite = { version = "0.29", features = ["native-tls"] }
+rusqlite = { version = "0.39", features = ["bundled"] }
 serde_yaml = "0.9"
 thiserror = "2.0"
 regex-lite = "0.1"
@@ -100,14 +106,13 @@ maxminddb = "0.27"
 quick-xml = { version = "0.39", features = ["serialize"] }

 # VPN support
-lz4_flex = "0.11"
 boringtun = "0.7"
-smoltcp = { version = "0.11", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }
+smoltcp = { version = "0.13", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }

 # Daemon dependencies (tray icon)
-tray-icon = "0.21"
+tray-icon = "0.22"
 muda = "0.17"
-tao = "0.34"
+tao = "0.35"
 image = "0.25"
 dirs = "6"
 crossbeam-channel = "0.5"
@@ -122,7 +127,7 @@ objc2 = "0.6.3"
 objc2-app-kit = { version = "0.3.2", features = ["NSWindow", "NSApplication", "NSRunningApplication"] }

 [target.'cfg(target_os = "windows")'.dependencies]
-winreg = "0.55"
+winreg = "0.56"
 windows = { version = "0.62", features = [
  "Win32_Foundation",
  "Win32_System_ProcessStatus",
@@ -31,6 +31,7 @@ pub struct ApiProfile {
  pub browser: String,
  pub version: String,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub process_id: Option<u32>,
  pub last_launch: Option<u64>,
  pub release_type: String,
@@ -59,6 +60,7 @@ pub struct CreateProfileRequest {
  pub browser: String,
  pub version: String,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub release_type: Option<String>,
  #[schema(value_type = Object)]
  pub camoufox_config: Option<serde_json::Value>,
@@ -74,6 +76,7 @@ pub struct UpdateProfileRequest {
  pub browser: Option<String>,
  pub version: Option<String>,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub release_type: Option<String>,
  #[schema(value_type = Object)]
  pub camoufox_config: Option<serde_json::Value>,
@@ -480,6 +483,7 @@ async fn get_profiles() -> Result<Json<ApiProfilesResponse>, StatusCode> {
          browser: profile.browser.clone(),
          version: profile.version.clone(),
          proxy_id: profile.proxy_id.clone(),
+          launch_hook: profile.launch_hook.clone(),
          process_id: profile.process_id,
          last_launch: profile.last_launch,
          release_type: profile.release_type.clone(),
@@ -535,6 +539,7 @@ async fn get_profile(
            browser: profile.browser.clone(),
            version: profile.version.clone(),
            proxy_id: profile.proxy_id.clone(),
+            launch_hook: profile.launch_hook.clone(),
            process_id: profile.process_id,
            last_launch: profile.last_launch,
            release_type: profile.release_type.clone(),
@@ -605,6 +610,8 @@ async fn create_profile(
      wayfern_config,
      request.group_id.clone(),
      false,
+      None,
+      request.launch_hook.clone(),
    )
    .await
  {
@@ -634,6 +641,7 @@ async fn create_profile(
          browser: profile.browser,
          version: profile.version,
          proxy_id: profile.proxy_id,
+          launch_hook: profile.launch_hook,
          process_id: profile.process_id,
          last_launch: profile.last_launch,
          release_type: profile.release_type,
@@ -707,6 +715,21 @@ async fn update_profile(
    }
  }

+  if let Some(launch_hook) = request.launch_hook {
+    let normalized = if launch_hook.trim().is_empty() {
+      None
+    } else {
+      Some(launch_hook)
+    };
+
+    if profile_manager
+      .update_profile_launch_hook(&state.app_handle, &id, normalized)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
  if let Some(camoufox_config) = request.camoufox_config {
    let config: Result<CamoufoxConfig, _> = serde_json::from_value(camoufox_config);
    match config {
@@ -1086,11 +1109,13 @@ async fn create_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<CreateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  match PROXY_MANAGER.create_stored_proxy(
+  let result = PROXY_MANAGER.create_stored_proxy(
    &state.app_handle,
    request.name.clone(),
    request.proxy_settings,
-  ) {
+  );
+
+  match result {
    Ok(proxy) => Ok(Json(ApiProxyResponse {
      id: proxy.id,
      name: proxy.name,
@@ -1124,28 +1149,16 @@ async fn update_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<UpdateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  let proxies = PROXY_MANAGER.get_stored_proxies();
-  if let Some(proxy) = proxies.into_iter().find(|p| p.id == id) {
-    let new_name = request.name.unwrap_or(proxy.name.clone());
-    let new_proxy_settings = request
-      .proxy_settings
-      .unwrap_or(proxy.proxy_settings.clone());
+  let result =
+    PROXY_MANAGER.update_stored_proxy(&state.app_handle, &id, request.name, request.proxy_settings);

-    match PROXY_MANAGER.update_stored_proxy(
-      &state.app_handle,
-      &id,
-      Some(new_name.clone()),
-      Some(new_proxy_settings.clone()),
-    ) {
-      Ok(_) => Ok(Json(ApiProxyResponse {
-        id,
-        name: new_name,
-        proxy_settings: new_proxy_settings,
-      })),
-      Err(_) => Err(StatusCode::BAD_REQUEST),
-    }
-  } else {
-    Err(StatusCode::NOT_FOUND)
+  match result {
+    Ok(proxy) => Ok(Json(ApiProxyResponse {
+      id: proxy.id,
+      name: proxy.name,
+      proxy_settings: proxy.proxy_settings,
+    })),
+    Err(_) => Err(StatusCode::NOT_FOUND),
  }
 }

@@ -1289,6 +1302,13 @@ async fn run_profile(
  State(state): State<ApiServerState>,
  Json(request): Json<RunProfileRequest>,
 ) -> Result<Json<RunProfileResponse>, StatusCode> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err(StatusCode::PAYMENT_REQUIRED);
+  }
+
  let headless = request.headless.unwrap_or(false);
  let url = request.url;

@@ -1357,6 +1377,13 @@ async fn open_url_in_profile(
  State(state): State<ApiServerState>,
  Json(request): Json<OpenUrlRequest>,
 ) -> Result<StatusCode, StatusCode> {
+  if !crate::cloud_auth::CLOUD_AUTH
+    .has_active_paid_subscription()
+    .await
+  {
+    return Err(StatusCode::PAYMENT_REQUIRED);
+  }
+
  let browser_runner = crate::browser_runner::BrowserRunner::instance();

  browser_runner
@@ -109,6 +109,8 @@ pub struct AppUpdateInfo {
  pub published_at: String,
  pub manual_update_required: bool,
  pub release_page_url: Option<String>,
+  /// True when a system package manager repo is configured (apt/dnf/zypper)
+  pub repo_update: bool,
 }

 pub struct AppAutoUpdater {
@@ -212,11 +214,12 @@ impl AppAutoUpdater {
      // Find the appropriate asset for current platform
      let download_url = self.get_download_url_for_platform(&latest_release.assets);

-      // On Linux, we show the update notification even if auto-update is disabled
-      // Users can manually download from the release page
+      // On Linux, when a package repo is configured, notify users to update via
+      // their package manager instead of auto-downloading from GitHub.
      #[cfg(target_os = "linux")]
      {
-        let manual_update_required = download_url.is_none();
+        let repo_update = self.is_repo_configured();
+        let manual_update_required = download_url.is_none() || repo_update;
        let update_info = AppUpdateInfo {
          current_version,
          new_version: latest_release.tag_name.clone(),
@@ -226,13 +229,15 @@ impl AppAutoUpdater {
          published_at: latest_release.published_at.clone(),
          manual_update_required,
          release_page_url: Some(release_page_url),
+          repo_update,
        };

        log::info!(
-          "Update info prepared: {} -> {} (manual_update_required: {})",
+          "Update info prepared: {} -> {} (manual_update_required: {}, repo_update: {})",
          update_info.current_version,
          update_info.new_version,
-          update_info.manual_update_required
+          update_info.manual_update_required,
+          update_info.repo_update
        );
        return Ok(Some(update_info));
      }
@@ -249,6 +254,7 @@ impl AppAutoUpdater {
            published_at: latest_release.published_at.clone(),
            manual_update_required: false,
            release_page_url: Some(release_page_url),
+            repo_update: false,
          };

          log::info!(
@@ -455,6 +461,30 @@ impl AppAutoUpdater {
    LinuxInstallationMethod::Unknown
  }

+  /// Check if the APT repository is configured
+  #[cfg(target_os = "linux")]
+  fn is_deb_repo_configured() -> bool {
+    Path::new("/etc/apt/sources.list.d/donutbrowser.list").exists()
+  }
+
+  /// Check if an RPM repository is configured (yum/dnf or zypper)
+  #[cfg(target_os = "linux")]
+  fn is_rpm_repo_configured() -> bool {
+    Path::new("/etc/yum.repos.d/donutbrowser.repo").exists()
+      || Path::new("/etc/zypp/repos.d/donutbrowser.repo").exists()
+  }
+
+  /// Check if a system package manager repo is configured for this installation.
+  #[cfg(target_os = "linux")]
+  fn is_repo_configured(&self) -> bool {
+    let installation_method = self.detect_linux_installation_method();
+    match installation_method {
+      LinuxInstallationMethod::Deb => Self::is_deb_repo_configured(),
+      LinuxInstallationMethod::Rpm => Self::is_rpm_repo_configured(),
+      _ => false,
+    }
+  }
+
  /// Get the appropriate download URL for the current platform
  fn get_download_url_for_platform(&self, assets: &[AppReleaseAsset]) -> Option<String> {
    let arch = if cfg!(target_arch = "aarch64") {
@@ -704,7 +734,8 @@ impl AppAutoUpdater {

    let total_size = response.content_length().unwrap_or(0);
    log::info!("Silent download size: {} bytes", total_size);
-    let mut file = fs::File::create(&file_path)?;
+    let raw_file = fs::File::create(&file_path)?;
+    let mut file = std::io::BufWriter::with_capacity(8 * 1024 * 1024, raw_file);
    let mut stream = response.bytes_stream();

    use futures_util::StreamExt;
@@ -712,6 +743,7 @@ impl AppAutoUpdater {
      let chunk = chunk?;
      file.write_all(&chunk)?;
    }
+    std::io::Write::flush(&mut file)?;

    log::info!("Silent download completed: {}", file_path.display());
    Ok(file_path)
@@ -956,6 +988,10 @@ impl AppAutoUpdater {
            &format!("{}.log", installer_path.to_str().unwrap()),
          ]);

+          use std::os::windows::process::CommandExt;
+          const CREATE_NO_WINDOW: u32 = 0x08000000;
+          cmd.creation_flags(CREATE_NO_WINDOW);
+
          let output = cmd.output()?;

          if !output.status.success() {
@@ -1146,41 +1182,7 @@ impl AppAutoUpdater {
    deb_path: &Path,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    log::info!("Installing DEB package: {}", deb_path.display());
-
-    // Try different package managers in order of preference
-    let package_managers = [
-      ("dpkg", vec!["-i", deb_path.to_str().unwrap()]),
-      ("apt", vec!["install", "-y", deb_path.to_str().unwrap()]),
-    ];
-
-    let mut last_error = String::new();
-
-    for (manager, args) in &package_managers {
-      // Check if package manager exists
-      if Command::new("which").arg(manager).output().is_ok() {
-        log::info!("Trying to install with {manager}");
-
-        let output = Command::new("pkexec").arg(manager).args(args).output();
-
-        match output {
-          Ok(output) if output.status.success() => {
-            log::info!("DEB installation completed successfully with {manager}");
-            return Ok(());
-          }
-          Ok(output) => {
-            let error_msg = String::from_utf8_lossy(&output.stderr);
-            last_error = format!("{manager} failed: {error_msg}");
-            log::info!("Installation failed with {manager}: {error_msg}");
-          }
-          Err(e) => {
-            last_error = format!("Failed to execute {manager}: {e}");
-            log::info!("Failed to execute {manager}: {e}");
-          }
-        }
-      }
-    }
-
-    Err(format!("DEB installation failed. Last error: {last_error}").into())
+    Self::install_linux_package_with_privileges(deb_path, "dpkg", "-i")
  }

  /// Install Linux RPM package
@@ -1190,43 +1192,121 @@ impl AppAutoUpdater {
    rpm_path: &Path,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    log::info!("Installing RPM package: {}", rpm_path.display());
+    Self::install_linux_package_with_privileges(rpm_path, "rpm", "-Uvh")
+  }

-    // Try different package managers in order of preference
-    let package_managers = [
-      ("rpm", vec!["-Uvh", rpm_path.to_str().unwrap()]),
-      ("dnf", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-      ("yum", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-      ("zypper", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-    ];
+  /// Install a Linux package with privilege escalation, using a fallback chain:
+  /// 1. pkexec (graphical PolicyKit prompt — most common on desktop Linux)
+  /// 2. zenity/kdialog password dialog → sudo -S (graphical sudo experience)
+  /// 3. sudo (terminal fallback — works in TTY sessions)
+  #[cfg(target_os = "linux")]
+  fn install_linux_package_with_privileges(
+    pkg_path: &Path,
+    install_cmd: &str,
+    install_arg: &str,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let pkg = pkg_path.to_str().unwrap_or_default();

-    let mut last_error = String::new();
+    // 1. Try pkexec (graphical PolicyKit prompt)
+    if let Ok(status) = Command::new("pkexec")
+      .args([install_cmd, install_arg, pkg])
+      .status()
+    {
+      if status.success() {
+        log::info!("Installed {pkg} with pkexec");
+        return Ok(());
+      }
+    }

-    for (manager, args) in &package_managers {
-      // Check if package manager exists
-      if Command::new("which").arg(manager).output().is_ok() {
-        log::info!("Trying to install with {manager}");
+    // 2. Try graphical password dialog → sudo -S
+    if let Some(password) = Self::get_password_graphically() {
+      if Self::install_with_sudo_stdin(pkg_path, &password, install_cmd, install_arg) {
+        log::info!("Installed {pkg} with graphical sudo");
+        return Ok(());
+      }
+    }

-        let output = Command::new("pkexec").arg(manager).args(args).output();
+    // 3. Terminal sudo fallback
+    if let Ok(status) = Command::new("sudo")
+      .args([install_cmd, install_arg, pkg])
+      .status()
+    {
+      if status.success() {
+        log::info!("Installed {pkg} with sudo");
+        return Ok(());
+      }
+    }

-        match output {
-          Ok(output) if output.status.success() => {
-            log::info!("RPM installation completed successfully with {manager}");
-            return Ok(());
-          }
-          Ok(output) => {
-            let error_msg = String::from_utf8_lossy(&output.stderr);
-            last_error = format!("{manager} failed: {error_msg}");
-            log::info!("Installation failed with {manager}: {error_msg}");
-          }
-          Err(e) => {
-            last_error = format!("Failed to execute {manager}: {e}");
-            log::info!("Failed to execute {manager}: {e}");
-          }
+    Err(format!("Failed to install {pkg} — all privilege escalation methods failed").into())
+  }
+
+  /// Try zenity then kdialog to get a password graphically.
+  #[cfg(target_os = "linux")]
+  fn get_password_graphically() -> Option<String> {
+    // Try zenity
+    if let Ok(output) = Command::new("zenity")
+      .args([
+        "--password",
+        "--title=Authentication Required",
+        "--text=Enter your password to install the update:",
+      ])
+      .output()
+    {
+      if output.status.success() {
+        let pw = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !pw.is_empty() {
+          return Some(pw);
        }
      }
    }

-    Err(format!("RPM installation failed. Last error: {last_error}").into())
+    // Fall back to kdialog
+    if let Ok(output) = Command::new("kdialog")
+      .args(["--password", "Enter your password to install the update:"])
+      .output()
+    {
+      if output.status.success() {
+        let pw = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !pw.is_empty() {
+          return Some(pw);
+        }
+      }
+    }
+
+    None
+  }
+
+  /// Pipe a password to `sudo -S <install_cmd> <install_arg> <pkg>`.
+  #[cfg(target_os = "linux")]
+  fn install_with_sudo_stdin(
+    pkg_path: &Path,
+    password: &str,
+    install_cmd: &str,
+    install_arg: &str,
+  ) -> bool {
+    use std::io::Write;
+
+    let child = Command::new("sudo")
+      .args([
+        "-S",
+        install_cmd,
+        install_arg,
+        pkg_path.to_str().unwrap_or_default(),
+      ])
+      .stdin(std::process::Stdio::piped())
+      .stdout(std::process::Stdio::piped())
+      .stderr(std::process::Stdio::piped())
+      .spawn();
+
+    match child {
+      Ok(mut child) => {
+        if let Some(mut stdin) = child.stdin.take() {
+          let _ = writeln!(stdin, "{password}");
+        }
+        child.wait().map(|s| s.success()).unwrap_or(false)
+      }
+      Err(_) => false,
+    }
  }

  /// Install Linux AppImage
@@ -1442,96 +1522,121 @@ rm "{}"

    #[cfg(target_os = "windows")]
    {
-      let app_path = self.get_current_app_path()?;
-      let current_pid = std::process::id();
+      use std::ffi::OsStr;
+      use std::os::windows::ffi::OsStrExt;
+
      let pending = PENDING_INSTALLER_PATH.lock().unwrap().take();

-      let temp_dir = std::env::temp_dir();
-      let script_path = temp_dir.join("donut_restart.bat");
-      let update_temp_dir = temp_dir.join("donut_app_update");
-
-      let script_content = if let Some(installer_path) = pending {
+      if let Some(installer_path) = pending {
+        // Use ShellExecuteW to run the installer directly — no batch script,
+        // no cmd.exe console window. The NSIS/MSI installer handles killing the
+        // old process and restarting the app natively (via /UPDATE and
+        // AUTOLAUNCHAPP flags).
        let ext = installer_path
          .extension()
          .and_then(|e| e.to_str())
          .unwrap_or("")
          .to_lowercase();
-        let install_cmd = match ext.as_str() {
-          "msi" => format!(
-            "msiexec /i \"{}\" /quiet /norestart REBOOT=ReallySuppress",
-            installer_path.to_str().unwrap()
-          ),
-          "exe" => format!("\"{}\" /S", installer_path.to_str().unwrap()),
-          _ => String::new(),
+
+        let (file, parameters) = match ext.as_str() {
+          "exe" => {
+            // NSIS installer: /S for silent, /UPDATE tells it this is an update
+            let file = installer_path.as_os_str().to_os_string();
+            let params = std::ffi::OsString::from("/S /UPDATE");
+            (file, params)
+          }
+          "msi" => {
+            // MSI: run msiexec.exe with the package
+            let msiexec = std::env::var("SYSTEMROOT")
+              .map(|p| format!("{p}\\System32\\msiexec.exe"))
+              .unwrap_or_else(|_| "msiexec.exe".to_string());
+            let file = std::ffi::OsString::from(msiexec);
+            let params = std::ffi::OsString::from(format!(
+              "/i {} /quiet /norestart /promptrestart AUTOLAUNCHAPP=True",
+              installer_path
+                .to_str()
+                .map(|p| format!("\"{p}\""))
+                .unwrap_or_default()
+            ));
+            (file, params)
+          }
+          _ => {
+            return Err("Unsupported Windows installer format for restart".into());
+          }
        };

-        format!(
-          r#"@echo off
-rem Wait for the current process to exit
-:wait_loop
-tasklist /fi "PID eq {pid}" >nul 2>&1
-if %errorlevel% equ 0 (
-    timeout /t 1 /nobreak >nul
-    goto wait_loop
-)
+        fn encode_wide(s: impl AsRef<OsStr>) -> Vec<u16> {
+          s.as_ref().encode_wide().chain(std::iter::once(0)).collect()
+        }

-rem Wait a bit more to ensure clean exit
-timeout /t 2 /nobreak >nul
+        let file_w = encode_wide(&file);
+        let params_w = encode_wide(&parameters);

-rem Run the installer
-{install_cmd}
+        log::info!(
+          "Running installer via ShellExecuteW: {:?} {:?}",
+          file,
+          parameters
+        );

-rem Wait for installation to complete
-timeout /t 3 /nobreak >nul
+        // windows-sys is not a direct dep, so use the raw FFI via the
+        // windows crate that Tauri pulls in. ShellExecuteW returns an
+        // HINSTANCE > 32 on success.
+        #[link(name = "shell32")]
+        extern "system" {
+          fn ShellExecuteW(
+            hwnd: *mut std::ffi::c_void,
+            operation: *const u16,
+            file: *const u16,
+            parameters: *const u16,
+            directory: *const u16,
+            show_cmd: i32,
+          ) -> isize;
+        }
+        const SW_SHOWNORMAL: i32 = 1;
+        let open: Vec<u16> = "open\0".encode_utf16().collect();

-rem Start the new application
-start "" "{app_path}"
+        let result = unsafe {
+          ShellExecuteW(
+            std::ptr::null_mut(),
+            open.as_ptr(),
+            file_w.as_ptr(),
+            params_w.as_ptr(),
+            std::ptr::null(),
+            SW_SHOWNORMAL,
+          )
+        };

-rem Clean up installer temp files
-rmdir /s /q "{update_temp}"
-
-rem Clean up this script
-del "%~f0"
-"#,
-          pid = current_pid,
-          install_cmd = install_cmd,
-          app_path = app_path.to_str().unwrap(),
-          update_temp = update_temp_dir.to_str().unwrap(),
-        )
+        if result as usize <= 32 {
+          return Err(format!("ShellExecuteW failed with code {result}").into());
+        }
      } else {
-        format!(
-          r#"@echo off
-rem Wait for the current process to exit
-:wait_loop
-tasklist /fi "PID eq {}" >nul 2>&1
-if %errorlevel% equ 0 (
-    timeout /t 1 /nobreak >nul
-    goto wait_loop
-)
+        // No pending installer — just restart the app. Use a minimal
+        // detached process to relaunch after we exit.
+        let app_path = self.get_current_app_path()?;
+        let current_pid = std::process::id();
+        let temp_dir = std::env::temp_dir();
+        let script_path = temp_dir.join("donut_restart.bat");

-rem Wait a bit more to ensure clean exit
-timeout /t 2 /nobreak >nul
+        let script_content = format!(
+          "@echo off\n\
+           :w\n\
+           tasklist /fi \"PID eq {current_pid}\" 2>nul | find \"{current_pid}\" >nul && (timeout /t 1 /nobreak >nul & goto w)\n\
+           timeout /t 1 /nobreak >nul\n\
+           start \"\" \"{app}\"\n\
+           del \"%~f0\"\n",
+          app = app_path.to_str().unwrap(),
+        );
+        fs::write(&script_path, script_content)?;

-rem Start the new application
-start "" "{}"
-
-rem Clean up this script
-del "%~f0"
-"#,
-          current_pid,
-          app_path.to_str().unwrap()
-        )
-      };
-
-      fs::write(&script_path, script_content)?;
-
-      let mut cmd = Command::new("cmd");
-      cmd.args(["/C", script_path.to_str().unwrap()]);
-
-      let _child = cmd.spawn()?;
+        use std::os::windows::process::CommandExt;
+        const CREATE_NO_WINDOW: u32 = 0x08000000;
+        let _child = Command::new("cmd")
+          .args(["/C", script_path.to_str().unwrap()])
+          .creation_flags(CREATE_NO_WINDOW)
+          .spawn()?;
+      }

      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
-
      std::process::exit(0);
    }

@@ -1602,6 +1707,10 @@ rm "{}"

 #[tauri::command]
 pub async fn check_for_app_updates() -> Result<Option<AppUpdateInfo>, String> {
+  if crate::app_dirs::is_portable() {
+    log::info!("App auto-updates disabled in portable mode");
+    return Ok(None);
+  }
  // The disable_auto_updates setting controls app self-updates only
  let disabled = crate::settings_manager::SettingsManager::instance()
    .load_settings()
@@ -1999,6 +2108,15 @@ mod tests {
      // If url is None, it means AppImage was detected and auto-updates are disabled
    }
  }
+
+  #[test]
+  #[cfg(target_os = "linux")]
+  fn test_repo_detection_returns_bool() {
+    // These just verify the functions run without panicking.
+    // Actual values depend on the host system configuration.
+    let _deb = AppAutoUpdater::is_deb_repo_configured();
+    let _rpm = AppAutoUpdater::is_rpm_repo_configured();
+  }
 }

 // Global singleton instance
@@ -3,11 +3,29 @@ use std::path::PathBuf;
 use std::sync::OnceLock;

 static BASE_DIRS: OnceLock<BaseDirs> = OnceLock::new();
+static PORTABLE_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();

 fn base_dirs() -> &'static BaseDirs {
  BASE_DIRS.get_or_init(|| BaseDirs::new().expect("Failed to get base directories"))
 }

+/// Returns the portable base directory if a `.portable` marker exists next to the executable.
+fn portable_dir() -> Option<&'static PathBuf> {
+  PORTABLE_DIR
+    .get_or_init(|| {
+      std::env::current_exe()
+        .ok()
+        .and_then(|exe| exe.parent().map(|p| p.to_path_buf()))
+        .filter(|dir| dir.join(".portable").exists())
+    })
+    .as_ref()
+}
+
+/// Returns true if the app is running in portable mode.
+pub fn is_portable() -> bool {
+  portable_dir().is_some()
+}
+
 pub fn app_name() -> &'static str {
  if cfg!(debug_assertions) {
    "DonutBrowserDev"
@@ -28,6 +46,10 @@ pub fn data_dir() -> PathBuf {
    return PathBuf::from(dir);
  }

+  if let Some(dir) = portable_dir() {
+    return dir.join("data");
+  }
+
  base_dirs().data_local_dir().join(app_name())
 }

@@ -43,6 +65,10 @@ pub fn cache_dir() -> PathBuf {
    return PathBuf::from(dir);
  }

+  if let Some(dir) = portable_dir() {
+    return dir.join("cache");
+  }
+
  base_dirs().cache_dir().join(app_name())
 }

@@ -78,6 +104,10 @@ pub fn extensions_dir() -> PathBuf {
  data_dir().join("extensions")
 }

+pub fn dns_blocklist_dir() -> PathBuf {
+  cache_dir().join("dns_blocklists")
+}
+
 #[cfg(test)]
 thread_local! {
  static TEST_DATA_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
@@ -162,6 +192,7 @@ mod tests {
    assert!(proxy_workers_dir().ends_with("proxy_workers"));
    assert!(vpn_dir().ends_with("vpn"));
    assert!(extensions_dir().ends_with("extensions"));
+    assert!(dns_blocklist_dir().ends_with("dns_blocklists"));
  }

  #[test]
@@ -106,35 +106,7 @@ impl AutoUpdater {
      // Check each profile for updates
      for profile in profiles {
        if let Some(update) = self.check_profile_update(&profile, &versions)? {
-          // Apply chromium threshold logic
-          if browser == "chromium" {
-            // For chromium, only show notifications if there's a significant version jump
-            // Compare the major version component (first number before the dot)
-            let current_major: u32 = profile
-              .version
-              .split('.')
-              .next()
-              .and_then(|s| s.parse().ok())
-              .unwrap_or(0);
-            let new_major: u32 = update
-              .new_version
-              .split('.')
-              .next()
-              .and_then(|s| s.parse().ok())
-              .unwrap_or(0);
-
-            let result = new_major.saturating_sub(current_major);
-            log::info!(
-              "Current major version: {current_major}, New major version: {new_major}, Diff: {result}"
-            );
-            if result > 0 {
-              notifications.push(update);
-            } else {
-              log::info!("Skipping chromium update notification: same major version");
-            }
-          } else {
-            notifications.push(update);
-          }
+          notifications.push(update);
        }
      }
    }
@@ -173,6 +145,14 @@ impl AutoUpdater {
              let registry =
                crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();

+              // Skip if this browser-version pair is already being downloaded
+              if crate::downloader::is_downloading(&browser, &new_version) {
+                log::info!(
+                  "Browser {browser} {new_version} is already being downloaded, skipping duplicate"
+                );
+                return;
+              }
+
              if registry.is_browser_downloaded(&browser, &new_version) {
                log::info!("Browser {browser} {new_version} already downloaded, proceeding to auto-update profiles");

@@ -703,6 +683,7 @@ mod tests {
      process_id: None,
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      last_launch: None,
      release_type: "stable".to_string(),
      camoufox_config: None,
@@ -719,6 +700,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    }
  }

@@ -121,7 +121,7 @@ async fn main() {
            .arg(
              Arg::new("type")
                .long("type")
-                .help("Proxy type (http, https, socks4, socks5)"),
+                .help("Proxy type (http, https, socks4, socks5, ss)"),
            )
            .arg(Arg::new("username").long("username").help("Proxy username"))
            .arg(Arg::new("password").long("password").help("Proxy password"))
@@ -152,6 +152,11 @@ async fn main() {
              Arg::new("bypass-rules")
                .long("bypass-rules")
                .help("JSON array of bypass rules (hostnames, IPs, or regex patterns)"),
+            )
+            .arg(
+              Arg::new("blocklist-file")
+                .long("blocklist-file")
+                .help("Path to DNS blocklist file (one domain per line)"),
            ),
        )
        .subcommand(
@@ -193,7 +198,21 @@ async fn main() {
            .required(true)
            .help("Local SOCKS5 port"),
        )
-        .arg(Arg::new("action").required(true).help("Action (start)")),
+        .arg(Arg::new("action").required(true).help("Action (start)"))
+        .arg(
+          Arg::new("config-path")
+            .long("config-path")
+            .help("Direct path to the VPN worker config JSON file"),
+        ),
+    )
+    .subcommand(
+      Command::new("mcp-bridge")
+        .about("Bridge stdio MCP to a local HTTP MCP server")
+        .arg(
+          Arg::new("url")
+            .required(true)
+            .help("HTTP MCP server URL (e.g. http://127.0.0.1:51080/mcp/TOKEN)"),
+        ),
    )
    .get_matches();

@@ -226,8 +245,17 @@ async fn main() {
        .get_one::<String>("bypass-rules")
        .and_then(|s| serde_json::from_str(s).ok())
        .unwrap_or_default();
+      let blocklist_file = start_matches.get_one::<String>("blocklist-file").cloned();

-      match start_proxy_process_with_profile(upstream_url, port, profile_id, bypass_rules).await {
+      match start_proxy_process_with_profile(
+        upstream_url,
+        port,
+        profile_id,
+        bypass_rules,
+        blocklist_file,
+      )
+      .await
+      {
        Ok(config) => {
          // Output the configuration as JSON for the Rust side to parse
          // Use println! here because this needs to go to stdout for parsing
@@ -368,6 +396,7 @@ async fn main() {
    let port = *vpn_matches
      .get_one::<u16>("port")
      .expect("port is required");
+    let config_path = vpn_matches.get_one::<String>("config-path");

    if action == "start" {
      set_high_priority();
@@ -375,8 +404,37 @@ async fn main() {
      log::info!("VPN worker starting, config id: {}", id);
      log::info!("Process PID: {}", std::process::id());

-      // Retry config loading to handle file system race condition
-      let config = {
+      let config = if let Some(path) = config_path {
+        // Load config directly from the provided path
+        log::info!("Loading VPN worker config from: {}", path);
+        match std::fs::read_to_string(path) {
+          Ok(content) => match serde_json::from_str::<
+            donutbrowser_lib::vpn_worker_storage::VpnWorkerConfig,
+          >(&content)
+          {
+            Ok(config) => {
+              log::info!(
+                "Found VPN worker config: id={}, vpn_type={}, vpn_id={}",
+                config.id,
+                config.vpn_type,
+                config.vpn_id
+              );
+              config
+            }
+            Err(e) => {
+              log::error!("Failed to parse VPN worker config from {}: {}", path, e);
+              process::exit(1);
+            }
+          },
+          Err(e) => {
+            log::error!("Failed to read VPN worker config from {}: {}", path, e);
+            process::exit(1);
+          }
+        }
+      } else {
+        // Fallback: discover config by ID with retries
+        let storage_dir = donutbrowser_lib::proxy_storage::get_storage_dir();
+        log::info!("Looking for VPN worker config in: {:?}", storage_dir);
        let mut attempts = 0;
        loop {
          if let Some(config) = donutbrowser_lib::vpn_worker_storage::get_vpn_worker_config(id) {
@@ -389,20 +447,21 @@ async fn main() {
            break config;
          }
          attempts += 1;
-          if attempts >= 10 {
+          if attempts >= 50 {
            log::error!(
-              "VPN worker configuration {} not found after {} attempts",
+              "VPN worker configuration {} not found after {} attempts in {:?}",
              id,
-              attempts
+              attempts,
+              storage_dir
            );
            process::exit(1);
          }
          log::info!(
-            "VPN worker config {} not found yet, retrying ({}/10)...",
+            "VPN worker config {} not found yet, retrying ({}/50)...",
            id,
            attempts
          );
-          std::thread::sleep(std::time::Duration::from_millis(50));
+          std::thread::sleep(std::time::Duration::from_millis(100));
        }
      };

@@ -461,6 +520,81 @@ async fn main() {
      log::error!("Invalid action for vpn-worker. Use 'start'");
      process::exit(1);
    }
+  } else if let Some(bridge_matches) = matches.subcommand_matches("mcp-bridge") {
+    let url = bridge_matches
+      .get_one::<String>("url")
+      .expect("url is required")
+      .clone();
+
+    // Suppress debug logging for bridge mode — stderr noise confuses MCP clients
+    log::set_max_level(log::LevelFilter::Warn);
+
+    // stdio↔HTTP MCP bridge: translates stdio JSON-RPC to Streamable HTTP transport
+    let client = reqwest::Client::new();
+    let stdin = tokio::io::stdin();
+    let reader = tokio::io::BufReader::new(stdin);
+    let mut session_id: Option<String> = None;
+
+    use tokio::io::{AsyncBufReadExt, AsyncWriteExt};
+    let mut lines = reader.lines();
+    let mut stdout = tokio::io::stdout();
+
+    while let Ok(Some(line)) = lines.next_line().await {
+      if line.trim().is_empty() {
+        continue;
+      }
+
+      // Check if this is a notification (no "id" field) to handle 202 responses
+      let is_notification = serde_json::from_str::<serde_json::Value>(&line)
+        .ok()
+        .map(|v| v.get("id").is_none() || v["id"].is_null())
+        .unwrap_or(false);
+
+      let mut req = client
+        .post(&url)
+        .header("Content-Type", "application/json")
+        .header("Accept", "application/json");
+
+      if let Some(sid) = &session_id {
+        req = req.header("mcp-session-id", sid);
+      }
+
+      match req.body(line).send().await {
+        Ok(resp) => {
+          // Capture session ID from initialize response
+          if let Some(sid) = resp.headers().get("mcp-session-id") {
+            if let Ok(s) = sid.to_str() {
+              session_id = Some(s.to_string());
+            }
+          }
+
+          // Notifications return 202 with no body — don't write anything
+          if is_notification {
+            continue;
+          }
+
+          if let Ok(body) = resp.text().await {
+            if !body.is_empty() {
+              let _ = stdout.write_all(body.as_bytes()).await;
+              let _ = stdout.write_all(b"\n").await;
+              let _ = stdout.flush().await;
+            }
+          }
+        }
+        Err(e) => {
+          if !is_notification {
+            let err = serde_json::json!({
+              "jsonrpc": "2.0",
+              "id": null,
+              "error": {"code": -32000, "message": format!("HTTP error: {e}")},
+            });
+            let _ = stdout.write_all(err.to_string().as_bytes()).await;
+            let _ = stdout.write_all(b"\n").await;
+            let _ = stdout.flush().await;
+          }
+        }
+      }
+    }
  } else {
    log::error!("No command specified");
    process::exit(1);
@@ -1,4 +1,4 @@
-use crate::browser::{create_browser, BrowserType, ProxySettings};
+use crate::browser::ProxySettings;
 use crate::camoufox_manager::{CamoufoxConfig, CamoufoxManager};
 use crate::cloud_auth::CLOUD_AUTH;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
@@ -9,7 +9,7 @@ use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::{WayfernConfig, WayfernManager};
 use serde::Serialize;
 use std::path::PathBuf;
-use std::time::{SystemTime, UNIX_EPOCH};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use sysinfo::System;
 pub struct BrowserRunner {
  pub profile_manager: &'static ProfileManager,
@@ -38,14 +38,38 @@ impl BrowserRunner {
    crate::app_dirs::binaries_dir()
  }

+  /// Resolve the DNS blocklist level to a cached file path.
+  /// If a level is set but the cache is missing, fetches on demand (blocks until done).
+  async fn resolve_blocklist_file(
+    profile: &crate::profile::BrowserProfile,
+  ) -> Result<Option<String>, String> {
+    let Some(ref level_str) = profile.dns_blocklist else {
+      return Ok(None);
+    };
+    let Some(level) = crate::dns_blocklist::BlocklistLevel::parse_level(level_str) else {
+      return Ok(None);
+    };
+    if level == crate::dns_blocklist::BlocklistLevel::None {
+      return Ok(None);
+    }
+    let path = crate::dns_blocklist::BlocklistManager::ensure_cached(level)
+      .await
+      .map_err(|e| format!("Failed to fetch DNS blocklist: {e}"))?;
+    Ok(Some(path.to_string_lossy().to_string()))
+  }
+
  /// Refresh cloud proxy credentials if the profile uses a cloud or cloud-derived proxy,
  /// then resolve the proxy settings with profile-specific sid for sticky sessions.
  async fn resolve_proxy_with_refresh(
    &self,
    proxy_id: Option<&String>,
    profile_id: Option<&str>,
-  ) -> Option<ProxySettings> {
-    let proxy_id = proxy_id?;
+  ) -> Result<Option<ProxySettings>, String> {
+    let proxy_id = match proxy_id {
+      Some(id) => id,
+      None => return Ok(None),
+    };
+
    if PROXY_MANAGER.is_cloud_or_derived(proxy_id) {
      log::info!("Refreshing cloud proxy credentials before launch for proxy {proxy_id}");
      CLOUD_AUTH.sync_cloud_proxy().await;
@@ -53,10 +77,42 @@ impl BrowserRunner {
    // For cloud-derived proxies, inject profile-specific sid for sticky sessions
    if let Some(pid) = profile_id {
      if PROXY_MANAGER.is_cloud_or_derived(proxy_id) {
-        return PROXY_MANAGER.resolve_proxy_for_profile(proxy_id, pid);
+        return Ok(PROXY_MANAGER.resolve_proxy_for_profile(proxy_id, pid));
      }
    }
-    PROXY_MANAGER.get_proxy_settings_by_id(proxy_id)
+    Ok(PROXY_MANAGER.get_proxy_settings_by_id(proxy_id))
+  }
+
+  async fn resolve_launch_hook_proxy(
+    &self,
+    profile: &BrowserProfile,
+  ) -> Result<Option<ProxySettings>, String> {
+    let Some(url) = profile.launch_hook.as_deref() else {
+      return Ok(None);
+    };
+
+    log::info!(
+      "Calling launch hook for profile {} (ID: {})",
+      profile.name,
+      profile.id
+    );
+
+    PROXY_MANAGER
+      .fetch_proxy_from_url(url, Duration::from_millis(500))
+      .await
+  }
+
+  async fn resolve_launch_proxy(
+    &self,
+    profile: &BrowserProfile,
+  ) -> Result<Option<ProxySettings>, String> {
+    if let Some(proxy_settings) = self.resolve_launch_hook_proxy(profile).await? {
+      return Ok(Some(proxy_settings));
+    }
+
+    self
+      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+      .await
  }

  /// Get the executable path for a browser profile
@@ -98,9 +154,9 @@ impl BrowserRunner {
    app_handle: tauri::AppHandle,
    profile: &BrowserProfile,
    url: Option<String>,
-    local_proxy_settings: Option<&ProxySettings>,
+    _local_proxy_settings: Option<&ProxySettings>,
    remote_debugging_port: Option<u16>,
-    headless: bool,
+    _headless: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
    // Handle Camoufox profiles using CamoufoxManager
    if profile.browser == "camoufox" {
@@ -114,10 +170,10 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Camoufox (for traffic monitoring and geoip support)
-      // Refresh cloud proxy credentials if needed before resolving
      let mut upstream_proxy = self
-        .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
-        .await;
+        .resolve_launch_proxy(profile)
+        .await
+        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

      // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
      if upstream_proxy.is_none() {
@@ -154,6 +210,7 @@ impl BrowserRunner {
      // Start the proxy and get local proxy settings
      // If proxy startup fails, DO NOT launch Camoufox - it requires local proxy
      let profile_id_str = profile.id.to_string();
+      let blocklist_file = Self::resolve_blocklist_file(profile).await?;
      let local_proxy = PROXY_MANAGER
        .start_proxy(
          app_handle.clone(),
@@ -161,6 +218,7 @@ impl BrowserRunner {
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
          profile.proxy_bypass_rules.clone(),
+          blocklist_file,
        )
        .await
        .map_err(|e| {
@@ -372,10 +430,10 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Wayfern (for traffic monitoring and geoip support)
-      // Refresh cloud proxy credentials if needed before resolving
      let mut upstream_proxy = self
-        .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
-        .await;
+        .resolve_launch_proxy(profile)
+        .await
+        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

      // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
      if upstream_proxy.is_none() {
@@ -412,6 +470,7 @@ impl BrowserRunner {
      // Start the proxy and get local proxy settings
      // If proxy startup fails, DO NOT launch Wayfern - it requires local proxy
      let profile_id_str = profile.id.to_string();
+      let blocklist_file = Self::resolve_blocklist_file(profile).await?;
      let local_proxy = PROXY_MANAGER
        .start_proxy(
          app_handle.clone(),
@@ -419,6 +478,7 @@ impl BrowserRunner {
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
          profile.proxy_bypass_rules.clone(),
+          blocklist_file,
        )
        .await
        .map_err(|e| {
@@ -613,248 +673,12 @@ impl BrowserRunner {
      return Ok(updated_profile);
    }

-    // Create browser instance
-    let browser_type = BrowserType::from_str(&profile.browser)
-      .map_err(|_| format!("Invalid browser type: {}", profile.browser))?;
-    let browser = create_browser(browser_type.clone());
-
-    // Get executable path using common helper
-    let executable_path = self
-      .get_browser_executable_path(profile)
-      .expect("Failed to get executable path");
-
-    log::info!("Executable path: {executable_path:?}");
-
-    // Prepare the executable (set permissions, etc.)
-    if let Err(e) = browser.prepare_executable(&executable_path) {
-      log::warn!("Warning: Failed to prepare executable: {e}");
-      // Continue anyway, the error might not be critical
-    }
-
-    // Refresh cloud proxy credentials if needed before resolving
-    let _stored_proxy_settings = self
-      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
-      .await;
-
-    // Use provided local proxy for Chromium-based browsers launch arguments
-    let proxy_for_launch_args: Option<&ProxySettings> = local_proxy_settings;
-
-    // Get profile data path and launch arguments
-    let profiles_dir = self.profile_manager.get_profiles_dir();
-    let profile_data_path = profile.get_profile_data_path(&profiles_dir);
-    let browser_args = browser
-      .create_launch_args(
-        &profile_data_path.to_string_lossy(),
-        proxy_for_launch_args,
-        url,
-        remote_debugging_port,
-        headless,
-      )
-      .expect("Failed to create launch arguments");
-
-    // Launch browser using platform-specific method
-    let child = {
-      #[cfg(target_os = "macos")]
-      {
-        platform_browser::macos::launch_browser_process(&executable_path, &browser_args).await?
-      }
-
-      #[cfg(target_os = "windows")]
-      {
-        platform_browser::windows::launch_browser_process(&executable_path, &browser_args).await?
-      }
-
-      #[cfg(target_os = "linux")]
-      {
-        platform_browser::linux::launch_browser_process(&executable_path, &browser_args).await?
-      }
-
-      #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "linux")))]
-      {
-        return Err("Unsupported platform for browser launching".into());
-      }
-    };
-
-    let launcher_pid = child.id();
-
-    log::info!(
-      "Launched browser with launcher PID: {} for profile: {} (ID: {})",
-      launcher_pid,
-      profile.name,
-      profile.id
-    );
-
-    // On macOS, when launching via `open -a`, the child PID is the `open` helper.
-    // Resolve and store the actual browser PID for all browser types.
-    let actual_pid = {
-      #[cfg(target_os = "macos")]
-      {
-        // Give the browser a moment to start
-        tokio::time::sleep(tokio::time::Duration::from_millis(1500)).await;
-
-        let system = System::new_all();
-        let profiles_dir = self.profile_manager.get_profiles_dir();
-        let profile_data_path = profile.get_profile_data_path(&profiles_dir);
-        let profile_data_path_str = profile_data_path.to_string_lossy();
-
-        let mut resolved_pid = launcher_pid;
-
-        for (pid, process) in system.processes() {
-          let cmd = process.cmd();
-          if cmd.is_empty() {
-            continue;
-          }
-
-          // Determine if this process matches the intended browser type
-          let exe_name_lower = process.name().to_string_lossy().to_lowercase();
-          let is_correct_browser = match profile.browser.as_str() {
-            "firefox" => {
-              exe_name_lower.contains("firefox")
-                && !exe_name_lower.contains("developer")
-                && !exe_name_lower.contains("camoufox")
-            }
-            "firefox-developer" => {
-              // More flexible detection for Firefox Developer Edition
-              (exe_name_lower.contains("firefox") && exe_name_lower.contains("developer"))
-                || (exe_name_lower.contains("firefox")
-                  && cmd.iter().any(|arg| {
-                    let arg_str = arg.to_str().unwrap_or("");
-                    arg_str.contains("Developer")
-                      || arg_str.contains("developer")
-                      || arg_str.contains("FirefoxDeveloperEdition")
-                      || arg_str.contains("firefox-developer")
-                  }))
-                || exe_name_lower == "firefox" // Firefox Developer might just show as "firefox"
-            }
-            "zen" => exe_name_lower.contains("zen"),
-            "chromium" => exe_name_lower.contains("chromium") || exe_name_lower.contains("chrome"),
-            "brave" => exe_name_lower.contains("brave") || exe_name_lower.contains("Brave"),
-            _ => false,
-          };
-
-          if !is_correct_browser {
-            continue;
-          }
-
-          // Check for profile path match
-          let profile_path_match = if matches!(
-            profile.browser.as_str(),
-            "firefox" | "firefox-developer" | "zen"
-          ) {
-            // Firefox-based browsers: look for -profile argument followed by path
-            let mut found_profile_arg = false;
-            for (i, arg) in cmd.iter().enumerate() {
-              if let Some(arg_str) = arg.to_str() {
-                if arg_str == "-profile" && i + 1 < cmd.len() {
-                  if let Some(next_arg) = cmd.get(i + 1).and_then(|a| a.to_str()) {
-                    if next_arg == profile_data_path_str {
-                      found_profile_arg = true;
-                      break;
-                    }
-                  }
-                }
-                // Also check for combined -profile=path format
-                if arg_str == format!("-profile={profile_data_path_str}") {
-                  found_profile_arg = true;
-                  break;
-                }
-                // Check if the argument is the profile path directly
-                if arg_str == profile_data_path_str {
-                  found_profile_arg = true;
-                  break;
-                }
-              }
-            }
-            found_profile_arg
-          } else {
-            // Chromium-based browsers: look for --user-data-dir argument
-            cmd.iter().any(|s| {
-              if let Some(arg) = s.to_str() {
-                arg == format!("--user-data-dir={profile_data_path_str}")
-                  || arg == profile_data_path_str
-              } else {
-                false
-              }
-            })
-          };
-
-          if profile_path_match {
-            let pid_u32 = pid.as_u32();
-            if pid_u32 != launcher_pid {
-              resolved_pid = pid_u32;
-              break;
-            }
-          }
-        }
-
-        resolved_pid
-      }
-
-      #[cfg(not(target_os = "macos"))]
-      {
-        launcher_pid
-      }
-    };
-
-    // Update profile with process info and save
-    let mut updated_profile = profile.clone();
-    updated_profile.process_id = Some(actual_pid);
-    updated_profile.last_launch = Some(SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs());
-
-    self.save_process_info(&updated_profile)?;
-    let _ = crate::tag_manager::TAG_MANAGER.lock().map(|tm| {
-      let _ = tm.rebuild_from_profiles(&self.profile_manager.list_profiles().unwrap_or_default());
-    });
-
-    // Apply proxy settings if needed (for Firefox-based browsers)
-    if profile.proxy_id.is_some()
-      && matches!(
-        browser_type,
-        BrowserType::Firefox | BrowserType::FirefoxDeveloper | BrowserType::Zen
-      )
-    {
-      // Proxy settings for Firefox-based browsers are applied via user.js file
-      // which is already handled in the profile creation process
-    }
-
-    log::info!(
-      "Emitting profile events for successful launch: {} (ID: {})",
-      updated_profile.name,
-      updated_profile.id
-    );
-
-    // Emit profile update event to frontend
-    if let Err(e) = events::emit("profile-updated", &updated_profile) {
-      log::warn!("Warning: Failed to emit profile update event: {e}");
-    }
-
-    // Emit minimal running changed event to frontend with a small delay to ensure UI consistency
-    #[derive(Serialize)]
-    struct RunningChangedPayload {
-      id: String,
-      is_running: bool,
-    }
-    let payload = RunningChangedPayload {
-      id: updated_profile.id.to_string(),
-      is_running: updated_profile.process_id.is_some(),
-    };
-
-    if let Err(e) = events::emit("profile-running-changed", &payload) {
-      log::warn!("Warning: Failed to emit profile running changed event: {e}");
-    } else {
-      log::info!(
-        "Successfully emitted profile-running-changed event for {}: running={}",
-        updated_profile.name,
-        payload.is_running
-      );
-    }
-
-    Ok(updated_profile)
+    Err(format!("Unsupported browser type: {}", profile.browser).into())
  }

  pub async fn open_url_in_existing_browser(
    &self,
-    app_handle: tauri::AppHandle,
+    _app_handle: tauri::AppHandle,
    profile: &BrowserProfile,
    url: &str,
    _internal_proxy_settings: Option<&ProxySettings>,
@@ -948,134 +772,7 @@ impl BrowserRunner {
      }
    }

-    // Use the comprehensive browser status check for non-camoufox/wayfern browsers
-    let is_running = self
-      .check_browser_status(app_handle.clone(), profile)
-      .await?;
-
-    if !is_running {
-      return Err("Browser is not running".into());
-    }
-
-    // Get the updated profile with current PID
-    let profiles = self
-      .profile_manager
-      .list_profiles()
-      .expect("Failed to list profiles");
-    let updated_profile = profiles
-      .into_iter()
-      .find(|p| p.id == profile.id)
-      .unwrap_or_else(|| profile.clone());
-
-    // Ensure we have a valid process ID
-    if updated_profile.process_id.is_none() {
-      return Err("No valid process ID found for the browser".into());
-    }
-
-    let browser_type = BrowserType::from_str(&updated_profile.browser)
-      .map_err(|_| format!("Invalid browser type: {}", updated_profile.browser))?;
-
-    // Get browser directory for all platforms - path structure: binaries/<browser>/<version>/
-    let mut browser_dir = self.get_binaries_dir();
-    browser_dir.push(&updated_profile.browser);
-    browser_dir.push(&updated_profile.version);
-
-    match browser_type {
-      BrowserType::Firefox | BrowserType::FirefoxDeveloper | BrowserType::Zen => {
-        #[cfg(target_os = "macos")]
-        {
-          let profiles_dir = self.profile_manager.get_profiles_dir();
-          return platform_browser::macos::open_url_in_existing_browser_firefox_like(
-            &updated_profile,
-            url,
-            browser_type,
-            &browser_dir,
-            &profiles_dir,
-          )
-          .await;
-        }
-
-        #[cfg(target_os = "windows")]
-        {
-          let profiles_dir = self.profile_manager.get_profiles_dir();
-          return platform_browser::windows::open_url_in_existing_browser_firefox_like(
-            &updated_profile,
-            url,
-            browser_type,
-            &browser_dir,
-            &profiles_dir,
-          )
-          .await;
-        }
-
-        #[cfg(target_os = "linux")]
-        {
-          let profiles_dir = self.profile_manager.get_profiles_dir();
-          return platform_browser::linux::open_url_in_existing_browser_firefox_like(
-            &updated_profile,
-            url,
-            browser_type,
-            &browser_dir,
-            &profiles_dir,
-          )
-          .await;
-        }
-
-        #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "linux")))]
-        return Err("Unsupported platform".into());
-      }
-      BrowserType::Camoufox => {
-        // Camoufox URL opening is handled differently
-        Err("URL opening in existing Camoufox instance is not supported".into())
-      }
-      BrowserType::Wayfern => {
-        // Wayfern URL opening is handled differently
-        Err("URL opening in existing Wayfern instance is not supported".into())
-      }
-      BrowserType::Chromium | BrowserType::Brave => {
-        #[cfg(target_os = "macos")]
-        {
-          let profiles_dir = self.profile_manager.get_profiles_dir();
-          return platform_browser::macos::open_url_in_existing_browser_chromium(
-            &updated_profile,
-            url,
-            browser_type,
-            &browser_dir,
-            &profiles_dir,
-          )
-          .await;
-        }
-
-        #[cfg(target_os = "windows")]
-        {
-          let profiles_dir = self.profile_manager.get_profiles_dir();
-          return platform_browser::windows::open_url_in_existing_browser_chromium(
-            &updated_profile,
-            url,
-            browser_type,
-            &browser_dir,
-            &profiles_dir,
-          )
-          .await;
-        }
-
-        #[cfg(target_os = "linux")]
-        {
-          let profiles_dir = self.profile_manager.get_profiles_dir();
-          return platform_browser::linux::open_url_in_existing_browser_chromium(
-            &updated_profile,
-            url,
-            browser_type,
-            &browser_dir,
-            &profiles_dir,
-          )
-          .await;
-        }
-
-        #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "linux")))]
-        return Err("Unsupported platform".into());
-      }
-    }
+    Err(format!("Unsupported browser type: {}", profile.browser).into())
  }

  pub async fn launch_browser_with_debugging(
@@ -1087,17 +784,19 @@ impl BrowserRunner {
    headless: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
    // Always start a local proxy for API launches
-    // Determine upstream proxy if configured; otherwise use DIRECT
-    // Refresh cloud proxy credentials before resolving
    let upstream_proxy = self
-      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
-      .await;
+      .resolve_launch_proxy(profile)
+      .await
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

    // Use a temporary PID (1) to start the proxy, we'll update it after browser launch
    let temp_pid = 1u32;
    let profile_id_str = profile.id.to_string();

    // Start local proxy - if this fails, DO NOT launch browser
+    let blocklist_file = Self::resolve_blocklist_file(profile)
+      .await
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;
    let internal_proxy = PROXY_MANAGER
      .start_proxy(
        app_handle.clone(),
@@ -1105,6 +804,7 @@ impl BrowserRunner {
        temp_pid,
        Some(&profile_id_str),
        profile.proxy_bypass_rules.clone(),
+        blocklist_file,
      )
      .await
      .map_err(|e| {
@@ -1115,32 +815,6 @@ impl BrowserRunner {

    let internal_proxy_settings = Some(internal_proxy.clone());

-    // Configure Firefox profiles to use local proxy
-    {
-      // For Firefox-based browsers, apply PAC/user.js to point to the local proxy
-      if matches!(
-        profile.browser.as_str(),
-        "firefox" | "firefox-developer" | "zen"
-      ) {
-        let profiles_dir = self.profile_manager.get_profiles_dir();
-        let profile_path = profiles_dir.join(profile.id.to_string()).join("profile");
-
-        // Provide a dummy upstream (ignored when internal proxy is provided)
-        let dummy_upstream = ProxySettings {
-          proxy_type: "http".to_string(),
-          host: "127.0.0.1".to_string(),
-          port: internal_proxy.port,
-          username: None,
-          password: None,
-        };
-
-        self
-          .profile_manager
-          .apply_proxy_settings_to_profile(&profile_path, &dummy_upstream, Some(&internal_proxy))
-          .map_err(|e| format!("Failed to update profile proxy: {e}"))?;
-      }
-    }
-
    let result = self
      .launch_browser_internal(
        app_handle.clone(),
@@ -1662,9 +1336,14 @@ impl BrowserRunner {
        );
      }

-      // Clear the process ID from the profile
+      // Clear the process ID from the profile and save immediately so that
+      // subsequent calls to update_profile_version (which re-reads from disk)
+      // see the cleared process_id.
      let mut updated_profile = profile.clone();
      updated_profile.process_id = None;
+      self
+        .save_process_info(&updated_profile)
+        .map_err(|e| format!("Failed to update profile: {e}"))?;

      // Check for pending updates and apply them for Camoufox profiles too
      if let Ok(Some(pending_update)) = self
@@ -1678,7 +1357,6 @@ impl BrowserRunner {
          pending_update.new_version
        );

-        // Update the profile to the new version
        match self.profile_manager.update_profile_version(
          &app_handle,
          &profile.id.to_string(),
@@ -1693,7 +1371,6 @@ impl BrowserRunner {
            );
            updated_profile = updated_profile_after_update;

-            // Remove the pending update from the auto updater state
            if let Err(e) = self
              .auto_updater
              .dismiss_update_notification(&pending_update.id)
@@ -1707,7 +1384,6 @@ impl BrowserRunner {
              profile.name,
              e
            );
-            // Continue with the original profile update (just clearing process_id)
          }
        }
      }
@@ -1722,10 +1398,6 @@ impl BrowserRunner {
        }
      }

-      self
-        .save_process_info(&updated_profile)
-        .map_err(|e| format!("Failed to update profile: {e}"))?;
-
      log::info!(
        "Emitting profile events for successful Camoufox kill: {}",
        updated_profile.name
@@ -2004,9 +1676,14 @@ impl BrowserRunner {
        );
      }

-      // Clear the process ID from the profile
+      // Clear the process ID from the profile and save immediately so that
+      // subsequent calls to update_profile_version (which re-reads from disk)
+      // see the cleared process_id.
      let mut updated_profile = profile.clone();
      updated_profile.process_id = None;
+      self
+        .save_process_info(&updated_profile)
+        .map_err(|e| format!("Failed to update profile: {e}"))?;

      // Check for pending updates and apply them
      if let Ok(Some(pending_update)) = self
@@ -2061,10 +1738,6 @@ impl BrowserRunner {
        }
      }

-      self
-        .save_process_info(&updated_profile)
-        .map_err(|e| format!("Failed to update profile: {e}"))?;
-
      log::info!(
        "Emitting profile events for successful Wayfern kill: {}",
        updated_profile.name
@@ -2289,9 +1962,14 @@ impl BrowserRunner {
      profile.id
    );

-    // Clear the process ID from the profile
+    // Clear the process ID from the profile and save immediately so that
+    // subsequent calls to update_profile_version (which re-reads from disk)
+    // see the cleared process_id.
    let mut updated_profile = profile.clone();
    updated_profile.process_id = None;
+    self
+      .save_process_info(&updated_profile)
+      .map_err(|e| format!("Failed to update profile: {e}"))?;

    // Check for pending updates and apply them
    if let Ok(Some(pending_update)) = self
@@ -2305,7 +1983,6 @@ impl BrowserRunner {
        pending_update.new_version
      );

-      // Update the profile to the new version
      match self.profile_manager.update_profile_version(
        &app_handle,
        &profile.id.to_string(),
@@ -2320,7 +1997,6 @@ impl BrowserRunner {
          );
          updated_profile = updated_profile_after_update;

-          // Remove the pending update from the auto updater state
          if let Err(e) = self
            .auto_updater
            .dismiss_update_notification(&pending_update.id)
@@ -2334,7 +2010,6 @@ impl BrowserRunner {
            profile.name,
            e
          );
-          // Continue with the original profile update (just clearing process_id)
        }
      }
    }
@@ -2349,10 +2024,6 @@ impl BrowserRunner {
      }
    }

-    self
-      .save_process_info(&updated_profile)
-      .map_err(|e| format!("Failed to update profile: {e}"))?;
-
    log::info!(
      "Emitting profile events for successful kill: {}",
      updated_profile.name
@@ -2535,9 +2206,9 @@ impl BrowserRunner {

    if profile.is_cross_os() {
      return Err(format!(
-        "Cannot open URL with profile '{}': it was created on {} and is not supported on this system",
+        "Cannot open URL with profile '{}': this profile was created on {} and cannot be used on a different operating system",
        profile.name,
-        profile.host_os.as_deref().unwrap_or("unknown")
+        profile.host_os.as_deref().unwrap_or("another OS"),
      ));
    }

@@ -2571,20 +2242,22 @@ pub async fn launch_browser_profile(

  if profile.is_cross_os() {
    return Err(format!(
-      "Cannot launch profile '{}': it was created on {} and is not supported on this system",
+      "Cannot launch profile '{}': this profile was created on {} and cannot be launched on a different operating system",
      profile.name,
-      profile.host_os.as_deref().unwrap_or("unknown")
+      profile.host_os.as_deref().unwrap_or("another OS"),
    ));
  }

  // Team lock check: if profile is sync-enabled and user is on a team, acquire lock
  crate::team_lock::acquire_team_lock_if_needed(&profile).await?;

-  // Notify sync scheduler that profile is now running
+  // Notify sync scheduler that profile is now running and queue sync for when it stops
  if let Some(scheduler) = crate::sync::get_global_scheduler() {
-    scheduler
-      .mark_profile_running(&profile.id.to_string())
-      .await;
+    let pid = profile.id.to_string();
+    scheduler.mark_profile_running(&pid).await;
+    if profile.is_sync_enabled() {
+      scheduler.queue_profile_sync(pid).await;
+    }
  }

  let browser_runner = BrowserRunner::instance();
@@ -2619,11 +2292,8 @@ pub async fn launch_browser_profile(
    // Determine upstream proxy if configured; otherwise use DIRECT (no upstream)
    // Refresh cloud proxy credentials and inject profile-specific sid
    let mut upstream_proxy = BrowserRunner::instance()
-      .resolve_proxy_with_refresh(
-        profile_for_launch.proxy_id.as_ref(),
-        Some(&profile_for_launch.id.to_string()),
-      )
-      .await;
+      .resolve_launch_proxy(&profile_for_launch)
+      .await?;

    // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
    if upstream_proxy.is_none() {
@@ -2654,6 +2324,7 @@ pub async fn launch_browser_profile(

    // Always start a local proxy, even if there's no upstream proxy
    // This allows for traffic monitoring and future features
+    let blocklist_file = BrowserRunner::resolve_blocklist_file(&profile_for_launch).await?;
    match PROXY_MANAGER
      .start_proxy(
        app_handle.clone(),
@@ -2661,6 +2332,7 @@ pub async fn launch_browser_profile(
        temp_pid,
        Some(&profile_id_str),
        profile_for_launch.proxy_bypass_rules.clone(),
+        blocklist_file,
      )
      .await
    {
@@ -2797,14 +2469,11 @@ pub async fn kill_browser_profile(
      // Release team lock if applicable
      crate::team_lock::release_team_lock_if_needed(&profile).await;

-      // Notify sync scheduler that profile stopped and queue sync
+      // Notify sync scheduler that profile stopped (sync was queued at launch)
      if let Some(scheduler) = crate::sync::get_global_scheduler() {
-        let pid = profile.id.to_string();
-        scheduler.mark_profile_stopped(&pid).await;
-        if profile.is_sync_enabled() {
-          log::info!("Profile '{}' killed, queuing sync", profile.name);
-          scheduler.queue_profile_sync(pid).await;
-        }
+        scheduler
+          .mark_profile_stopped(&profile.id.to_string())
+          .await;
      }

      // Auto-update non-running profiles and cleanup unused binaries
@@ -2888,9 +2557,9 @@ pub async fn launch_browser_profile_with_debugging(
 ) -> Result<BrowserProfile, String> {
  if profile.is_cross_os() {
    return Err(format!(
-      "Cannot launch profile '{}': it was created on {} and is not supported on this system",
+      "Cannot launch profile '{}': this profile was created on {} and cannot be launched on a different operating system",
      profile.name,
-      profile.host_os.as_deref().unwrap_or("unknown")
+      profile.host_os.as_deref().unwrap_or("another OS"),
    ));
  }

@@ -2,7 +2,7 @@
 //!
 //! Converts fingerprints to Camoufox configuration format and builds launch options.

-use rand::Rng;
+use rand::RngExt;
 use serde_yaml;
 use std::collections::HashMap;
 use std::path::Path;
@@ -425,8 +425,28 @@ impl CamoufoxConfigBuilder {
  /// Build the complete Camoufox launch configuration with async geolocation support.
  /// This method should be used when geoip option is set to Auto.
  pub async fn build_async(self) -> Result<CamoufoxLaunchConfig, ConfigError> {
-    // Get proxy URL for IP detection if set
-    let proxy_url = self.proxy.as_ref().map(|p| p.server.clone());
+    // Get full proxy URL (with credentials) for IP detection
+    let proxy_url = self.proxy.as_ref().map(|p| {
+      if let (Some(user), Some(pass)) = (&p.username, &p.password) {
+        // Reconstruct URL with credentials: scheme://user:pass@host:port
+        if let Ok(mut parsed) = url::Url::parse(&p.server) {
+          let _ = parsed.set_username(user);
+          let _ = parsed.set_password(Some(pass));
+          parsed.to_string()
+        } else {
+          p.server.clone()
+        }
+      } else if let Some(user) = &p.username {
+        if let Ok(mut parsed) = url::Url::parse(&p.server) {
+          let _ = parsed.set_username(user);
+          parsed.to_string()
+        } else {
+          p.server.clone()
+        }
+      } else {
+        p.server.clone()
+      }
+    });
    let geoip_option = self.geoip.clone();
    let block_webrtc = self.block_webrtc;

@@ -2,7 +2,7 @@
 //!
 //! Implements weighted random sampling from conditional probability distributions.

-use rand::Rng;
+use rand::RngExt;
 use serde::Deserialize;
 use std::collections::HashMap;

@@ -9,7 +9,7 @@ use directories::BaseDirs;
 use maxminddb::{geoip2, Reader};
 use quick_xml::events::Event;
 use quick_xml::Reader as XmlReader;
-use rand::Rng;
+use rand::RngExt;
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::path::PathBuf;
@@ -2,7 +2,7 @@
 //!
 //! Samples realistic WebGL configurations based on OS-specific probability distributions.

-use rand::Rng;
+use rand::RngExt;
 use rusqlite::{Connection, Result as SqliteResult};
 use std::collections::HashMap;
 use std::io::Write;
@@ -21,7 +21,6 @@ pub struct CamoufoxConfig {
  pub block_images: Option<bool>,
  pub block_webrtc: Option<bool>,
  pub block_webgl: Option<bool>,
-  pub executable_path: Option<String>,
  pub fingerprint: Option<String>, // JSON string of the complete fingerprint config
  pub randomize_fingerprint_on_launch: Option<bool>, // Generate new fingerprint on every launch
  pub os: Option<String>, // Operating system for fingerprint generation: "windows", "macos", or "linux"
@@ -39,7 +38,6 @@ impl Default for CamoufoxConfig {
      block_images: None,
      block_webrtc: None,
      block_webgl: None,
-      executable_path: None,
      fingerprint: None,
      randomize_fingerprint_on_launch: None,
      os: None,
@@ -56,6 +54,7 @@ pub struct CamoufoxLaunchResult {
  #[serde(alias = "profile_path")]
  pub profilePath: Option<String>,
  pub url: Option<String>,
+  pub cdp_port: Option<u16>,
 }

 #[derive(Debug)]
@@ -65,6 +64,7 @@ struct CamoufoxInstance {
  process_id: Option<u32>,
  profile_path: Option<String>,
  url: Option<String>,
+  cdp_port: Option<u16>,
 }

 struct CamoufoxManagerInner {
@@ -88,6 +88,33 @@ impl CamoufoxManager {
    &CAMOUFOX_LAUNCHER
  }

+  async fn find_free_port() -> Result<u16, Box<dyn std::error::Error + Send + Sync>> {
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
+    let port = listener.local_addr()?.port();
+    drop(listener);
+    Ok(port)
+  }
+
+  #[allow(dead_code)]
+  pub async fn get_cdp_port(&self, profile_path: &str) -> Option<u16> {
+    let inner = self.inner.lock().await;
+    let target_path = std::path::Path::new(profile_path)
+      .canonicalize()
+      .unwrap_or_else(|_| std::path::Path::new(profile_path).to_path_buf());
+
+    for instance in inner.instances.values() {
+      if let Some(path) = &instance.profile_path {
+        let instance_path = std::path::Path::new(path)
+          .canonicalize()
+          .unwrap_or_else(|_| std::path::Path::new(path).to_path_buf());
+        if instance_path == target_path {
+          return instance.cdp_port;
+        }
+      }
+    }
+    None
+  }
+
  pub fn get_profiles_dir(&self) -> PathBuf {
    crate::app_dirs::profiles_dir()
  }
@@ -100,21 +127,9 @@ impl CamoufoxManager {
    config: &CamoufoxConfig,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    // Get executable path
-    let executable_path = if let Some(path) = &config.executable_path {
-      let p = PathBuf::from(path);
-      if p.exists() {
-        p
-      } else {
-        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
-        BrowserRunner::instance()
-          .get_browser_executable_path(profile)
-          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-      }
-    } else {
-      BrowserRunner::instance()
-        .get_browser_executable_path(profile)
-        .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-    };
+    let executable_path = BrowserRunner::instance()
+      .get_browser_executable_path(profile)
+      .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?;

    // Build the config using CamoufoxConfigBuilder
    let mut builder = CamoufoxConfigBuilder::new()
@@ -201,21 +216,9 @@ impl CamoufoxManager {
    };

    // Get executable path
-    let executable_path = if let Some(path) = &config.executable_path {
-      let p = PathBuf::from(path);
-      if p.exists() {
-        p
-      } else {
-        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
-        BrowserRunner::instance()
-          .get_browser_executable_path(profile)
-          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-      }
-    } else {
-      BrowserRunner::instance()
-        .get_browser_executable_path(profile)
-        .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-    };
+    let executable_path = BrowserRunner::instance()
+      .get_browser_executable_path(profile)
+      .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?;

    // Parse the fingerprint config JSON
    let fingerprint_config: HashMap<String, serde_json::Value> =
@@ -239,6 +242,9 @@ impl CamoufoxManager {
        .to_string(),
    ];

+    let cdp_port = Self::find_free_port().await?;
+    args.push(format!("--remote-debugging-port={cdp_port}"));
+
    // Add URL if provided
    if let Some(url) = url {
      args.push("-new-tab".to_string());
@@ -294,6 +300,7 @@ impl CamoufoxManager {
      process_id,
      profile_path: Some(profile_path.to_string()),
      url: url.map(String::from),
+      cdp_port: Some(cdp_port),
    };

    let launch_result = CamoufoxLaunchResult {
@@ -301,6 +308,7 @@ impl CamoufoxManager {
      processId: process_id,
      profilePath: Some(profile_path.to_string()),
      url: url.map(String::from),
+      cdp_port: Some(cdp_port),
    };

    {
@@ -418,6 +426,7 @@ impl CamoufoxManager {
                  processId: instance.process_id,
                  profilePath: instance.profile_path.clone(),
                  url: instance.url.clone(),
+                  cdp_port: instance.cdp_port,
                }));
              }
            }
@@ -428,7 +437,9 @@ impl CamoufoxManager {

    // If not found in in-memory instances, scan system processes
    // This handles the case where the app was restarted but Camoufox is still running
-    if let Some((pid, found_profile_path)) = self.find_camoufox_process_by_profile(&target_path) {
+    if let Some((pid, found_profile_path, cdp_port)) =
+      self.find_camoufox_process_by_profile(&target_path)
+    {
      log::info!(
        "Found running Camoufox process (PID: {}) for profile path via system scan",
        pid
@@ -444,6 +455,7 @@ impl CamoufoxManager {
          process_id: Some(pid),
          profile_path: Some(found_profile_path.clone()),
          url: None,
+          cdp_port,
        },
      );

@@ -452,6 +464,7 @@ impl CamoufoxManager {
        processId: Some(pid),
        profilePath: Some(found_profile_path),
        url: None,
+        cdp_port,
      }));
    }

@@ -462,7 +475,7 @@ impl CamoufoxManager {
  fn find_camoufox_process_by_profile(
    &self,
    target_path: &std::path::Path,
-  ) -> Option<(u32, String)> {
+  ) -> Option<(u32, String, Option<u16>)> {
    use sysinfo::{ProcessRefreshKind, RefreshKind, System};

    let system = System::new_with_specifics(
@@ -487,6 +500,10 @@ impl CamoufoxManager {
        continue;
      }

+      let mut matched = false;
+      let mut found_profile_path = None;
+      let mut cdp_port: Option<u16> = None;
+
      // Check if the command line contains our profile path
      for (i, arg) in cmd.iter().enumerate() {
        if let Some(arg_str) = arg.to_str() {
@@ -498,15 +515,27 @@ impl CamoufoxManager {
                .unwrap_or_else(|_| std::path::Path::new(next_arg).to_path_buf());

              if cmd_path == target_path {
-                return Some((pid.as_u32(), next_arg.to_string()));
+                matched = true;
+                found_profile_path = Some(next_arg.to_string());
              }
            }
          }

          // Also check if the argument contains the profile path directly
-          if arg_str.contains(&*target_path_str) {
-            return Some((pid.as_u32(), target_path_str.to_string()));
+          if !matched && arg_str.contains(&*target_path_str) {
+            matched = true;
+            found_profile_path = Some(target_path_str.to_string());
          }
+
+          if let Some(port_val) = arg_str.strip_prefix("--remote-debugging-port=") {
+            cdp_port = port_val.parse().ok();
+          }
+        }
+      }
+
+      if matched {
+        if let Some(profile_path) = found_profile_path {
+          return Some((pid.as_u32(), profile_path, cdp_port));
        }
      }
    }
@@ -630,8 +659,55 @@ impl CamoufoxManager {
      }
    }

-    // Write search.json.mozlz4 with default search engines (DuckDuckGo + Google)
-    write_default_search_config(&profile_path);
+    // Write explicit proxy prefs to user.js so Firefox always uses the local
+    // donut-proxy and never falls back to stale proxy settings baked into prefs.js
+    // from a previous session. user.js values override prefs.js on every launch.
+    if let Some(proxy_str) = &config.proxy {
+      let user_js_path = profile_path.join("user.js");
+      let mut prefs = String::new();
+
+      // Preserve existing user.js content (ephemeral prefs, etc.)
+      if let Ok(existing) = std::fs::read_to_string(&user_js_path) {
+        // Strip old proxy prefs so we don't duplicate
+        for line in existing.lines() {
+          if !line.contains("network.proxy.") {
+            prefs.push_str(line);
+            prefs.push('\n');
+          }
+        }
+      }
+
+      if let Ok(parsed) = url::Url::parse(proxy_str) {
+        let host = parsed.host_str().unwrap_or("127.0.0.1");
+        let port = parsed.port().unwrap_or(8080);
+        let scheme = parsed.scheme();
+
+        if scheme == "socks5" || scheme == "socks4" {
+          prefs.push_str(&format!(
+            "user_pref(\"network.proxy.type\", 1);\n\
+             user_pref(\"network.proxy.socks\", \"{host}\");\n\
+             user_pref(\"network.proxy.socks_port\", {port});\n\
+             user_pref(\"network.proxy.socks_version\", {});\n\
+             user_pref(\"network.proxy.socks_remote_dns\", true);\n",
+            if scheme == "socks5" { 5 } else { 4 }
+          ));
+        } else {
+          // HTTP/HTTPS proxy
+          prefs.push_str(&format!(
+            "user_pref(\"network.proxy.type\", 1);\n\
+             user_pref(\"network.proxy.http\", \"{host}\");\n\
+             user_pref(\"network.proxy.http_port\", {port});\n\
+             user_pref(\"network.proxy.ssl\", \"{host}\");\n\
+             user_pref(\"network.proxy.ssl_port\", {port});\n\
+             user_pref(\"network.proxy.no_proxies_on\", \"\");\n"
+          ));
+        }
+
+        if let Err(e) = std::fs::write(&user_js_path, prefs) {
+          log::warn!("Failed to write proxy prefs to user.js: {e}");
+        }
+      }
+    }

    self
      .launch_camoufox(
@@ -646,77 +722,6 @@ impl CamoufoxManager {
  }
 }

-fn write_default_search_config(profile_path: &std::path::Path) {
-  let search_file = profile_path.join("search.json.mozlz4");
-  if search_file.exists() {
-    return;
-  }
-
-  let json = serde_json::json!({
-    "version": 6,
-    "engines": [
-      {
-        "_name": "DuckDuckGo",
-        "_isAppProvided": false,
-        "_metaData": { "order": 1 },
-        "_urls": [
-          {
-            "template": "https://duckduckgo.com/?q={searchTerms}",
-            "type": "text/html",
-            "params": []
-          },
-          {
-            "template": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
-            "type": "application/x-suggestions+json",
-            "params": []
-          }
-        ],
-        "_iconURL": "https://duckduckgo.com/favicon.ico"
-      },
-      {
-        "_name": "Google",
-        "_isAppProvided": false,
-        "_metaData": { "order": 2 },
-        "_urls": [
-          {
-            "template": "https://www.google.com/search?q={searchTerms}",
-            "type": "text/html",
-            "params": []
-          },
-          {
-            "template": "https://www.google.com/complete/search?client=firefox&q={searchTerms}",
-            "type": "application/x-suggestions+json",
-            "params": []
-          }
-        ],
-        "_iconURL": "https://www.google.com/favicon.ico"
-      }
-    ],
-    "metaData": {
-      "useSavedOrder": false,
-      "defaultEngineId": "DuckDuckGo"
-    }
-  });
-
-  let json_bytes = match serde_json::to_vec(&json) {
-    Ok(bytes) => bytes,
-    Err(e) => {
-      log::warn!("Failed to serialize search config: {e}");
-      return;
-    }
-  };
-
-  let magic = b"mozLz40\0";
-  let compressed = lz4_flex::block::compress_prepend_size(&json_bytes);
-  let mut output = Vec::with_capacity(magic.len() + compressed.len());
-  output.extend_from_slice(magic);
-  output.extend_from_slice(&compressed);
-
-  if let Err(e) = std::fs::write(&search_file, &output) {
-    log::warn!("Failed to write search.json.mozlz4: {e}");
-  }
-}
-
 #[cfg(test)]
 mod tests {
  use super::*;
@@ -362,12 +362,12 @@ impl CloudAuthManager {

  // --- API methods ---

-  pub async fn request_otp(&self, email: &str) -> Result<String, String> {
+  pub async fn request_otp(&self, email: &str, captcha_token: &str) -> Result<String, String> {
    let url = format!("{CLOUD_API_URL}/api/auth/otp/request");
    let response = self
      .client
      .post(&url)
-      .json(&serde_json::json!({ "email": email }))
+      .json(&serde_json::json!({ "email": email, "captchaToken": captcha_token }))
      .send()
      .await
      .map_err(|e| format!("Failed to request OTP: {e}"))?;
@@ -591,8 +591,8 @@ impl CloudAuthManager {
    // Clear wayfern token
    self.clear_wayfern_token().await;

-    // Disconnect team lock manager
-    crate::team_lock::TEAM_LOCK.disconnect().await;
+    // Disconnect profile lock manager
+    crate::team_lock::PROFILE_LOCK.disconnect().await;

    // Try to call the logout API (best-effort)
    if let Ok(Some(access_token)) = Self::load_access_token() {
@@ -1070,18 +1070,18 @@ impl CloudAuthManager {
        log::debug!("Failed to refresh cloud profile: {e}");
      }

-      // Reconnect team lock manager if needed
+      // Reconnect profile lock manager if needed
      if let Some(auth_state) = CLOUD_AUTH.get_user().await {
-        if let Some(tid) = &auth_state.user.team_id {
-          crate::team_lock::TEAM_LOCK.connect(tid).await;
+        if auth_state.user.plan != "free" && !crate::team_lock::PROFILE_LOCK.is_connected().await {
+          crate::team_lock::PROFILE_LOCK.connect().await;
        }
      }

      // Sync cloud proxy credentials
      CLOUD_AUTH.sync_cloud_proxy().await;

-      // Refresh wayfern token every 12 hours (72 iterations of 10-minute loop)
-      if wayfern_refresh_counter >= 72 {
+      // Refresh wayfern token every 10 hours (60 iterations of 10-minute loop)
+      if wayfern_refresh_counter >= 60 {
        wayfern_refresh_counter = 0;
        if CLOUD_AUTH.has_active_paid_subscription().await {
          if let Err(e) = CLOUD_AUTH.request_wayfern_token().await {
@@ -1100,8 +1100,8 @@ impl CloudAuthManager {
 // --- Tauri commands ---

 #[tauri::command]
-pub async fn cloud_request_otp(email: String) -> Result<String, String> {
-  CLOUD_AUTH.request_otp(&email).await
+pub async fn cloud_request_otp(email: String, captcha_token: String) -> Result<String, String> {
+  CLOUD_AUTH.request_otp(&email, &captcha_token).await
 }

 #[tauri::command]
@@ -1137,11 +1137,9 @@ pub async fn cloud_verify_otp(
  // Sync cloud proxy after login
  CLOUD_AUTH.sync_cloud_proxy().await;

-  // Connect team lock manager if on a team plan
-  if state.user.team_id.is_some() {
-    if let Some(tid) = &state.user.team_id {
-      crate::team_lock::TEAM_LOCK.connect(tid).await;
-    }
+  // Connect profile lock manager for paid users
+  if state.user.plan != "free" {
+    crate::team_lock::PROFILE_LOCK.connect().await;
  }

  let _ = crate::events::emit_empty("cloud-auth-changed");
@@ -1390,7 +1388,7 @@ pub async fn restart_sync_service(app_handle: tauri::AppHandle) -> Result<(), St
          }
        }
        Err(e) => {
-          log::debug!("Sync not configured, skipping missing profile check: {}", e);
+          log::warn!("Sync not configured, skipping missing profile check: {}", e);
        }
      }

@@ -340,6 +340,9 @@ pub fn is_autostart_enabled() -> bool {
 }

 pub fn get_data_dir() -> Option<PathBuf> {
+  if crate::app_dirs::is_portable() {
+    return Some(crate::app_dirs::data_dir());
+  }
  if let Some(proj_dirs) = ProjectDirs::from("com", "donutbrowser", "Donut Browser") {
    Some(proj_dirs.data_dir().to_path_buf())
  } else {
@@ -1,4 +1,5 @@
 // Daemon Spawn - Start the daemon from the GUI
+// Currently disabled; will be re-enabled in the future

 use serde::Deserialize;
 use std::fs;
@@ -0,0 +1,343 @@
+use serde::{Deserialize, Serialize};
+use std::path::PathBuf;
+use std::time::{Duration, SystemTime};
+
+use crate::app_dirs;
+
+const REFRESH_INTERVAL: Duration = Duration::from_secs(43200); // 12 hours
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum BlocklistLevel {
+  #[default]
+  None,
+  Light,
+  Normal,
+  Pro,
+  ProPlus,
+  Ultimate,
+}
+
+impl BlocklistLevel {
+  pub fn parse_level(s: &str) -> Option<Self> {
+    match s {
+      "light" => Some(Self::Light),
+      "normal" => Some(Self::Normal),
+      "pro" => Some(Self::Pro),
+      "pro_plus" => Some(Self::ProPlus),
+      "ultimate" => Some(Self::Ultimate),
+      "none" => Some(Self::None),
+      _ => None,
+    }
+  }
+
+  pub fn as_str(&self) -> &'static str {
+    match self {
+      Self::None => "none",
+      Self::Light => "light",
+      Self::Normal => "normal",
+      Self::Pro => "pro",
+      Self::ProPlus => "pro_plus",
+      Self::Ultimate => "ultimate",
+    }
+  }
+
+  pub fn display_name(&self) -> &'static str {
+    match self {
+      Self::None => "None",
+      Self::Light => "Light",
+      Self::Normal => "Normal",
+      Self::Pro => "Pro",
+      Self::ProPlus => "Pro++",
+      Self::Ultimate => "Ultimate",
+    }
+  }
+
+  pub fn url(&self) -> Option<&'static str> {
+    match self {
+      Self::None => None,
+      Self::Light => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/light.txt")
+      }
+      Self::Normal => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/multi.txt")
+      }
+      Self::Pro => Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.txt"),
+      Self::ProPlus => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.plus.txt")
+      }
+      Self::Ultimate => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/ultimate.txt")
+      }
+    }
+  }
+
+  pub fn filename(&self) -> Option<&'static str> {
+    match self {
+      Self::None => None,
+      Self::Light => Some("light.txt"),
+      Self::Normal => Some("multi.txt"),
+      Self::Pro => Some("pro.txt"),
+      Self::ProPlus => Some("pro.plus.txt"),
+      Self::Ultimate => Some("ultimate.txt"),
+    }
+  }
+
+  pub fn all_downloadable() -> &'static [BlocklistLevel] {
+    &[
+      Self::Light,
+      Self::Normal,
+      Self::Pro,
+      Self::ProPlus,
+      Self::Ultimate,
+    ]
+  }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct BlocklistCacheStatus {
+  pub level: String,
+  pub display_name: String,
+  pub entry_count: usize,
+  pub file_size_bytes: u64,
+  pub last_updated: Option<u64>,
+  pub is_fresh: bool,
+  pub is_cached: bool,
+}
+
+pub struct BlocklistManager;
+
+lazy_static::lazy_static! {
+  static ref HTTP_CLIENT: reqwest::Client = reqwest::Client::builder()
+    .timeout(Duration::from_secs(60))
+    .build()
+    .expect("Failed to create HTTP client");
+}
+
+impl BlocklistManager {
+  pub fn instance() -> &'static BlocklistManager {
+    &BLOCKLIST_MANAGER
+  }
+
+  fn cache_dir() -> PathBuf {
+    app_dirs::dns_blocklist_dir()
+  }
+
+  pub fn cached_file_path(level: BlocklistLevel) -> Option<PathBuf> {
+    level.filename().map(|f| Self::cache_dir().join(f))
+  }
+
+  pub fn is_cache_fresh(level: BlocklistLevel) -> bool {
+    let Some(path) = Self::cached_file_path(level) else {
+      return false;
+    };
+    if !path.exists() {
+      return false;
+    }
+    match std::fs::metadata(&path).and_then(|m| m.modified()) {
+      Ok(modified) => SystemTime::now()
+        .duration_since(modified)
+        .map(|age| age < REFRESH_INTERVAL)
+        .unwrap_or(false),
+      Err(_) => false,
+    }
+  }
+
+  pub async fn fetch_blocklist(level: BlocklistLevel) -> Result<PathBuf, String> {
+    let url = level
+      .url()
+      .ok_or_else(|| format!("No URL for level {:?}", level))?;
+    let path =
+      Self::cached_file_path(level).ok_or_else(|| format!("No filename for level {:?}", level))?;
+
+    let cache_dir = Self::cache_dir();
+    std::fs::create_dir_all(&cache_dir).map_err(|e| format!("Failed to create cache dir: {e}"))?;
+
+    log::info!(
+      "[dns-blocklist] Fetching {} from {}",
+      level.display_name(),
+      url
+    );
+
+    let response = HTTP_CLIENT
+      .get(url)
+      .send()
+      .await
+      .map_err(|e| format!("Failed to fetch blocklist: {e}"))?;
+
+    if !response.status().is_success() {
+      return Err(format!("HTTP {} when fetching {}", response.status(), url));
+    }
+
+    let body = response
+      .text()
+      .await
+      .map_err(|e| format!("Failed to read response body: {e}"))?;
+
+    // Write atomically: write to temp file, then rename
+    let tmp_path = path.with_extension("tmp");
+    std::fs::write(&tmp_path, &body).map_err(|e| format!("Failed to write blocklist: {e}"))?;
+    std::fs::rename(&tmp_path, &path).map_err(|e| format!("Failed to rename blocklist: {e}"))?;
+
+    let entry_count = body
+      .lines()
+      .filter(|l| !l.starts_with('#') && !l.trim().is_empty())
+      .count();
+    log::info!(
+      "[dns-blocklist] Cached {} ({} domains)",
+      level.display_name(),
+      entry_count
+    );
+
+    Ok(path)
+  }
+
+  pub async fn ensure_cached(level: BlocklistLevel) -> Result<PathBuf, String> {
+    if let Some(path) = Self::cached_file_path(level) {
+      if path.exists() {
+        return Ok(path);
+      }
+    }
+    Self::fetch_blocklist(level).await
+  }
+
+  pub async fn refresh_all_stale(&self) {
+    for &level in BlocklistLevel::all_downloadable() {
+      if !Self::is_cache_fresh(level) {
+        if let Err(e) = Self::fetch_blocklist(level).await {
+          log::error!(
+            "[dns-blocklist] Failed to refresh {}: {e}",
+            level.display_name()
+          );
+          let _ = crate::events::emit(
+            "dns-blocklist-refresh-failed",
+            serde_json::json!({
+              "level": level.as_str(),
+              "error": e,
+            }),
+          );
+        }
+      }
+    }
+  }
+
+  pub fn get_blocklist_file_path(level: BlocklistLevel) -> Option<PathBuf> {
+    Self::cached_file_path(level).filter(|p| p.exists())
+  }
+
+  pub fn get_cache_status() -> Vec<BlocklistCacheStatus> {
+    BlocklistLevel::all_downloadable()
+      .iter()
+      .map(|&level| {
+        let path = Self::cached_file_path(level);
+        let metadata = path.as_ref().and_then(|p| std::fs::metadata(p).ok());
+        let is_cached = metadata.is_some();
+
+        let entry_count = if is_cached {
+          path
+            .as_ref()
+            .and_then(|p| std::fs::read_to_string(p).ok())
+            .map(|content| {
+              content
+                .lines()
+                .filter(|l| !l.starts_with('#') && !l.trim().is_empty())
+                .count()
+            })
+            .unwrap_or(0)
+        } else {
+          0
+        };
+
+        let file_size_bytes = metadata.as_ref().map(|m| m.len()).unwrap_or(0);
+
+        let last_updated = metadata
+          .as_ref()
+          .and_then(|m| m.modified().ok())
+          .and_then(|t| t.duration_since(SystemTime::UNIX_EPOCH).ok())
+          .map(|d| d.as_secs());
+
+        BlocklistCacheStatus {
+          level: level.as_str().to_string(),
+          display_name: level.display_name().to_string(),
+          entry_count,
+          file_size_bytes,
+          last_updated,
+          is_fresh: Self::is_cache_fresh(level),
+          is_cached,
+        }
+      })
+      .collect()
+  }
+}
+
+lazy_static::lazy_static! {
+  static ref BLOCKLIST_MANAGER: BlocklistManager = BlocklistManager;
+}
+
+// Tauri commands
+
+#[tauri::command]
+pub async fn get_dns_blocklist_cache_status() -> Result<Vec<BlocklistCacheStatus>, String> {
+  Ok(BlocklistManager::get_cache_status())
+}
+
+#[tauri::command]
+pub async fn refresh_dns_blocklists() -> Result<(), String> {
+  for &level in BlocklistLevel::all_downloadable() {
+    BlocklistManager::fetch_blocklist(level).await?;
+  }
+  Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_level_roundtrip() {
+    for &level in BlocklistLevel::all_downloadable() {
+      let s = level.as_str();
+      let parsed = BlocklistLevel::parse_level(s);
+      assert_eq!(parsed, Some(level), "Roundtrip failed for {s}");
+    }
+    assert_eq!(
+      BlocklistLevel::parse_level("none"),
+      Some(BlocklistLevel::None)
+    );
+  }
+
+  #[test]
+  fn test_level_urls_all_present() {
+    for &level in BlocklistLevel::all_downloadable() {
+      assert!(
+        level.url().is_some(),
+        "{} should have a URL",
+        level.as_str()
+      );
+      assert!(
+        level.filename().is_some(),
+        "{} should have a filename",
+        level.as_str()
+      );
+    }
+    assert!(BlocklistLevel::None.url().is_none());
+    assert!(BlocklistLevel::None.filename().is_none());
+  }
+
+  #[test]
+  fn test_cache_status_returns_all_levels() {
+    let statuses = BlocklistManager::get_cache_status();
+    assert_eq!(statuses.len(), 5);
+    assert_eq!(statuses[0].level, "light");
+    assert_eq!(statuses[1].level, "normal");
+    assert_eq!(statuses[2].level, "pro");
+    assert_eq!(statuses[3].level, "pro_plus");
+    assert_eq!(statuses[4].level, "ultimate");
+  }
+
+  #[test]
+  fn test_cache_fresh_returns_false_when_missing() {
+    assert!(!BlocklistManager::is_cache_fresh(BlocklistLevel::Light));
+    assert!(!BlocklistManager::is_cache_fresh(BlocklistLevel::None));
+  }
+}
@@ -513,6 +513,11 @@ impl DownloadedBrowsersRegistry {
    browser: &str,
    version: &str,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    // Never remove a directory if a download is in progress for this browser/version
+    if crate::downloader::is_downloading(browser, version) {
+      return Ok(());
+    }
+
    let binaries_dir = crate::app_dirs::binaries_dir();

    let version_dir = binaries_dir.join(browser).join(version);
@@ -593,6 +598,12 @@ impl DownloadedBrowsersRegistry {
          continue;
        }

+        // Skip if a download is in progress for this browser/version
+        if crate::downloader::is_downloading(browser_name, version_name) {
+          has_non_empty_versions = true;
+          continue;
+        }
+
        // Check if version directory is empty
        match fs::read_dir(&version_path) {
          Ok(mut entries) => {
@@ -1237,12 +1248,13 @@ pub async fn ensure_active_browsers_downloaded(
    // Check if any version is already downloaded
    let existing = registry.get_downloaded_versions(browser);
    if !existing.is_empty() {
-      log::debug!(
-        "Skipping {browser}: already have {} version(s) downloaded",
+      log::info!(
+        "ensure_active: Skipping {browser}: already have {} version(s) downloaded",
        existing.len()
      );
      continue;
    }
+    log::info!("ensure_active: No {browser} versions found, will download");

    // Get the latest release type for this browser
    let release_types = match version_manager.get_browser_release_types(browser).await {
@@ -42,7 +42,10 @@ pub struct Downloader {
 impl Downloader {
  fn new() -> Self {
    Self {
-      client: Client::new(),
+      client: Client::builder()
+        .connect_timeout(std::time::Duration::from_secs(30))
+        .build()
+        .unwrap_or_else(|_| Client::new()),
      api_client: ApiClient::instance(),
      registry: crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance(),
      version_service: crate::browser_version_manager::BrowserVersionManager::instance(),
@@ -56,7 +59,7 @@ impl Downloader {
  }

  #[cfg(test)]
-  pub fn new_with_api_client(_api_client: ApiClient) -> Self {
+  pub fn new_for_test() -> Self {
    Self {
      client: Client::new(),
      api_client: ApiClient::instance(),
@@ -67,87 +70,53 @@ impl Downloader {
    }
  }

+  #[cfg(test)]
+  pub async fn download_file(
+    &self,
+    download_url: &str,
+    dest_path: &Path,
+    filename: &str,
+  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
+    let file_path = dest_path.join(filename);
+
+    let response = self
+      .client
+      .get(download_url)
+      .header(
+        "User-Agent",
+        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+      )
+      .send()
+      .await?;
+
+    if !response.status().is_success() {
+      return Err(format!("Download failed with status: {}", response.status()).into());
+    }
+
+    let mut file = std::fs::OpenOptions::new()
+      .create(true)
+      .truncate(true)
+      .write(true)
+      .open(&file_path)?;
+
+    let mut stream = response.bytes_stream();
+    use futures_util::StreamExt;
+    while let Some(chunk) = stream.next().await {
+      let chunk = chunk?;
+      io::copy(&mut chunk.as_ref(), &mut file)?;
+    }
+
+    Ok(file_path)
+  }
+
  /// Resolve the actual download URL for browsers that need dynamic asset resolution
  pub async fn resolve_download_url(
    &self,
    browser_type: BrowserType,
    version: &str,
-    download_info: &DownloadInfo,
+    _download_info: &DownloadInfo,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
    match browser_type {
-      BrowserType::Brave => {
-        // For Brave, we need to find the actual platform-specific asset
-        let releases = self
-          .api_client
-          .fetch_brave_releases_with_caching(true)
-          .await?;
-
-        // Find the release with the matching version
-        let release = releases
-          .iter()
-          .find(|r| {
-            r.tag_name == version || r.tag_name == format!("v{}", version.trim_start_matches('v'))
-          })
-          .ok_or(format!("Brave version {version} not found"))?;
-
-        // Get platform and architecture info
-        let (os, arch) = Self::get_platform_info();
-
-        // Find the appropriate asset based on platform and architecture
-        let asset_url = self
-          .find_brave_asset(&release.assets, &os, &arch)
-          .ok_or(format!(
-            "No compatible asset found for Brave version {version} on {os}/{arch}"
-          ))?;
-
-        Ok(asset_url)
-      }
-      BrowserType::Zen => {
-        // For Zen, verify the asset exists and handle different naming patterns
-        let releases = match self.api_client.fetch_zen_releases_with_caching(true).await {
-          Ok(releases) => releases,
-          Err(e) => {
-            log::error!("Failed to fetch Zen releases: {e}");
-            return Err(format!("Failed to fetch Zen releases from GitHub API: {e}. This might be due to GitHub API rate limiting or network issues. Please try again later.").into());
-          }
-        };
-
-        let release = releases
-          .iter()
-          .find(|r| r.tag_name == version)
-          .ok_or_else(|| {
-            format!(
-              "Zen version {} not found. Available versions: {}",
-              version,
-              releases
-                .iter()
-                .take(5)
-                .map(|r| r.tag_name.as_str())
-                .collect::<Vec<_>>()
-                .join(", ")
-            )
-          })?;
-
-        // Get platform and architecture info
-        let (os, arch) = Self::get_platform_info();
-
-        // Find the appropriate asset
-        let asset_url = self
-          .find_zen_asset(&release.assets, &os, &arch)
-          .ok_or_else(|| {
-            let available_assets: Vec<&str> =
-              release.assets.iter().map(|a| a.name.as_str()).collect();
-            format!(
-              "No compatible asset found for Zen version {} on {}/{}. Available assets: {}",
-              version,
-              os,
-              arch,
-              available_assets.join(", ")
-            )
-          })?;
-
-        Ok(asset_url)
-      }
      BrowserType::Camoufox => {
        // For Camoufox, verify the asset exists and find the correct download URL
        let releases = self
@@ -209,10 +178,6 @@ impl Downloader {

        Ok(download_url)
      }
-      _ => {
-        // For other browsers, use the provided URL
-        Ok(download_info.url.clone())
-      }
    }
  }

@@ -239,110 +204,6 @@ impl Downloader {
    (os.to_string(), arch.to_string())
  }

-  /// Find the appropriate Brave asset for the current platform and architecture
-  fn find_brave_asset(
-    &self,
-    assets: &[crate::browser::GithubAsset],
-    os: &str,
-    arch: &str,
-  ) -> Option<String> {
-    // Brave asset naming patterns:
-    // Windows: BraveBrowserStandaloneNightlySetup.exe, BraveBrowserStandaloneSilentNightlySetup.exe
-    // macOS: Brave-Browser-Nightly-universal.dmg, Brave-Browser-Nightly-universal.pkg
-    // Linux: brave-browser-1.79.119-linux-arm64.zip, brave-browser-1.79.119-linux-amd64.zip
-
-    let asset = match os {
-      "windows" => {
-        // For Windows, look for standalone setup EXE (not the auto-updater one)
-        assets
-          .iter()
-          .find(|asset| {
-            let name = asset.name.to_lowercase();
-            name.contains("standalone") && name.ends_with(".exe") && !name.contains("silent")
-          })
-          .or_else(|| {
-            // Fallback to any EXE if standalone not found
-            assets.iter().find(|asset| asset.name.ends_with(".exe"))
-          })
-      }
-      "macos" => {
-        // For macOS, prefer universal DMG
-        assets
-          .iter()
-          .find(|asset| {
-            let name = asset.name.to_lowercase();
-            name.contains("universal") && name.ends_with(".dmg")
-          })
-          .or_else(|| {
-            // Fallback to any DMG
-            assets.iter().find(|asset| asset.name.ends_with(".dmg"))
-          })
-      }
-      "linux" => {
-        // For Linux, be strict about architecture matching - same logic as has_compatible_brave_asset
-        let arch_pattern = if arch == "arm64" { "arm64" } else { "amd64" };
-
-        assets.iter().find(|asset| {
-          let name = asset.name.to_lowercase();
-          name.contains("linux") && name.contains(arch_pattern) && name.ends_with(".zip")
-        })
-      }
-      _ => None,
-    };
-
-    asset.map(|a| a.browser_download_url.clone())
-  }
-
-  /// Find the appropriate Zen asset for the current platform and architecture
-  fn find_zen_asset(
-    &self,
-    assets: &[crate::browser::GithubAsset],
-    os: &str,
-    arch: &str,
-  ) -> Option<String> {
-    // Zen asset naming patterns:
-    // Windows: zen.installer.exe, zen.installer-arm64.exe
-    // macOS: zen.macos-universal.dmg
-    // Linux: zen.linux-x86_64.tar.xz, zen.linux-aarch64.tar.xz, zen-x86_64.AppImage, zen-aarch64.AppImage
-
-    let asset = match (os, arch) {
-      ("windows", "x64") => assets
-        .iter()
-        .find(|asset| asset.name == "zen.installer.exe"),
-      ("windows", "arm64") => assets
-        .iter()
-        .find(|asset| asset.name == "zen.installer-arm64.exe"),
-      ("macos", _) => assets
-        .iter()
-        .find(|asset| asset.name == "zen.macos-universal.dmg"),
-      ("linux", "x64") => {
-        // Prefer tar.xz, fallback to AppImage
-        assets
-          .iter()
-          .find(|asset| asset.name == "zen.linux-x86_64.tar.xz")
-          .or_else(|| {
-            assets
-              .iter()
-              .find(|asset| asset.name == "zen-x86_64.AppImage")
-          })
-      }
-      ("linux", "arm64") => {
-        // Prefer tar.xz, fallback to AppImage
-        assets
-          .iter()
-          .find(|asset| asset.name == "zen.linux-aarch64.tar.xz")
-          .or_else(|| {
-            assets
-              .iter()
-              .find(|asset| asset.name == "zen-aarch64.AppImage")
-          })
-      }
-      _ => None,
-    };
-
-    asset.map(|a| a.browser_download_url.clone())
-  }
-
  /// Find the appropriate Camoufox asset for the current platform and architecture
  fn find_camoufox_asset(
    &self,
@@ -434,13 +295,6 @@ impl Downloader {
    Ok(())
  }

-  fn configure_camoufox_search_engine(
-    &self,
-    browser_dir: &Path,
-  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    configure_camoufox_search_engine(browser_dir)
-  }
-
  pub async fn download_browser<R: tauri::Runtime>(
    &self,
    _app_handle: &tauri::AppHandle<R>,
@@ -453,13 +307,15 @@ impl Downloader {
    let file_path = dest_path.join(&download_info.filename);

    // Resolve the actual download URL
+    log::info!(
+      "Resolving download URL for {} {}",
+      browser_type.as_str(),
+      version
+    );
    let download_url = self
      .resolve_download_url(browser_type.clone(), version, download_info)
      .await?;
-
-    // Check if this is a twilight release for special handling
-    let is_twilight =
-      browser_type == BrowserType::Zen && version.to_lowercase().contains("twilight");
+    log::info!("Download URL resolved: {}", download_url);

    // Determine if we have a partial file to resume
    let mut existing_size: u64 = 0;
@@ -467,9 +323,10 @@ impl Downloader {
      existing_size = meta.len();
    }

-    // Build request, add Range only if we have bytes. If the server responds with 416 (Range Not
-    // Satisfiable), delete the partial file and retry once without the Range header.
-    let response = {
+    // Build request with retry logic for transient network errors.
+    let max_retries = 3u32;
+    let mut response: Option<reqwest::Response> = None;
+    for attempt in 0..=max_retries {
      let mut request = self
        .client
        .get(&download_url)
@@ -482,27 +339,43 @@ impl Downloader {
        request = request.header("Range", format!("bytes={existing_size}-"));
      }

-      let first = request.send().await?;
-
-      if first.status().as_u16() == 416 && existing_size > 0 {
-        // Partial file on disk is not acceptable to the server — remove it and retry from scratch
-        let _ = std::fs::remove_file(&file_path);
-        existing_size = 0;
-
-        let retry = self
-          .client
-          .get(&download_url)
-          .header(
-            "User-Agent",
-            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
-          )
-          .send()
-          .await?;
-        retry
-      } else {
-        first
+      log::info!("Sending download request (attempt {})...", attempt + 1);
+      match request.send().await {
+        Ok(resp) => {
+          log::info!(
+            "Download response received: status={}, content-length={:?}",
+            resp.status(),
+            resp.content_length()
+          );
+          if resp.status().as_u16() == 416 && existing_size > 0 {
+            let _ = std::fs::remove_file(&file_path);
+            existing_size = 0;
+            log::warn!("Download returned 416, retrying without Range header");
+            continue;
+          }
+          response = Some(resp);
+          break;
+        }
+        Err(e) => {
+          let is_retryable = e.is_connect() || e.is_timeout() || e.is_request();
+          if is_retryable && attempt < max_retries {
+            let delay = 2u64.pow(attempt);
+            log::warn!(
+              "Download attempt {} failed ({}), retrying in {}s...",
+              attempt + 1,
+              e,
+              delay
+            );
+            tokio::time::sleep(std::time::Duration::from_secs(delay)).await;
+          } else {
+            return Err(format!("Download failed after {} attempts: {}", attempt + 1, e).into());
+          }
+        }
      }
-    };
+    }
+    let response = response.ok_or_else(|| -> Box<dyn std::error::Error + Send + Sync> {
+      "Download failed: no response received".into()
+    })?;

    // Check if the response is successful (200 OK or 206 Partial Content)
    if !(response.status().is_success() || response.status().as_u16() == 206) {
@@ -540,6 +413,20 @@ impl Downloader {
      existing_size = 0;
    }

+    // If the existing file already matches the total size, skip the download
+    if existing_size > 0 {
+      if let Some(total) = total_size {
+        if existing_size >= total {
+          log::info!(
+            "Archive {} already complete ({} bytes), skipping download",
+            file_path.display(),
+            existing_size
+          );
+          return Ok(file_path);
+        }
+      }
+    }
+
    let mut downloaded = existing_size;
    let start_time = std::time::Instant::now();
    let mut last_update = start_time;
@@ -555,11 +442,7 @@ impl Downloader {
      0.0
    };

-    let initial_stage = if is_twilight {
-      "downloading (twilight rolling release)".to_string()
-    } else {
-      "downloading".to_string()
-    };
+    let initial_stage = "downloading".to_string();

    let progress = DownloadProgress {
      browser: browser_type.as_str().to_string(),
@@ -574,12 +457,16 @@ impl Downloader {

    let _ = events::emit("download-progress", &progress);

-    // Open file in append mode (resuming) or create new
+    // Open file in append mode (resuming) or create new.
+    // Wrap in BufWriter with a large buffer to reduce the number of disk writes,
+    // which dramatically improves download speed on Windows (NTFS + Defender overhead).
    use std::fs::OpenOptions;
-    let mut file = OpenOptions::new()
+    use std::io::Write;
+    let raw_file = OpenOptions::new()
      .create(true)
      .append(true)
      .open(&file_path)?;
+    let mut file = io::BufWriter::with_capacity(8 * 1024 * 1024, raw_file);
    let mut stream = response.bytes_stream();

    use futures_util::StreamExt;
@@ -592,7 +479,7 @@ impl Downloader {
        }
      }
      let chunk = chunk?;
-      io::copy(&mut chunk.as_ref(), &mut file)?;
+      file.write_all(&chunk)?;
      downloaded += chunk.len() as u64;

      let now = std::time::Instant::now();
@@ -621,11 +508,7 @@ impl Downloader {
          None
        };

-        let stage_description = if is_twilight {
-          "downloading (twilight rolling release)".to_string()
-        } else {
-          "downloading".to_string()
-        };
+        let stage_description = "downloading".to_string();

        let progress = DownloadProgress {
          browser: browser_type.as_str().to_string(),
@@ -643,6 +526,9 @@ impl Downloader {
      }
    }

+    // Flush remaining buffered data to disk
+    file.flush()?;
+
    Ok(file_path)
  }

@@ -844,11 +730,16 @@ impl Downloader {
          // Do not remove the archive here. We keep it until verification succeeds.
        }
        Err(e) => {
-          // Do not remove the archive or extracted files. Just drop the registry entry
-          // so it won't be reported as downloaded.
+          log::error!("Extraction failed for {browser_str} {version}: {e}");
+
+          // Delete the corrupt/invalid archive so a fresh download happens next time
+          if download_path.exists() {
+            log::info!("Deleting corrupt archive: {}", download_path.display());
+            let _ = std::fs::remove_file(&download_path);
+          }
+
          let _ = self.registry.remove_browser(&browser_str, &version);
          let _ = self.registry.save();
-          // Remove browser-version pair from downloading set on error
          {
            let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
            downloading.remove(&download_key);
@@ -857,6 +748,20 @@ impl Downloader {
            let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
            tokens.remove(&download_key);
          }
+
+          // Emit error stage so the UI shows a toast
+          let progress = DownloadProgress {
+            browser: browser_str.clone(),
+            version: version.clone(),
+            downloaded_bytes: 0,
+            total_bytes: None,
+            percentage: 0.0,
+            speed_bytes_per_sec: 0.0,
+            eta_seconds: None,
+            stage: "error".to_string(),
+          };
+          let _ = events::emit("download-progress", &progress);
+
          return Err(format!("Failed to extract browser: {e}").into());
        }
      }
@@ -1004,10 +909,6 @@ impl Downloader {
      {
        log::warn!("Failed to create version.json for Camoufox: {e}");
      }
-
-      if let Err(e) = self.configure_camoufox_search_engine(&browser_dir) {
-        log::warn!("Failed to configure Camoufox search engine: {e}");
-      }
    }

    // Emit completion
@@ -1071,6 +972,13 @@ impl Downloader {
  }
 }

+/// Check if a specific browser-version pair is currently being downloaded
+pub fn is_downloading(browser: &str, version: &str) -> bool {
+  let download_key = format!("{browser}-{version}");
+  let downloading = DOWNLOADING_BROWSERS.lock().unwrap();
+  downloading.contains(&download_key)
+}
+
 #[tauri::command]
 pub async fn download_browser(
  app_handle: tauri::AppHandle,
@@ -1102,250 +1010,24 @@ pub async fn cancel_download(browser_str: String, version: String) -> Result<(),
  }
 }

-/// Find all candidate `distribution/` directories inside the Camoufox browser dir.
-/// On macOS: `<browser_dir>/<app>.app/Contents/Resources/distribution/`
-/// On Linux: `<browser_dir>/camoufox/distribution/`
-/// On Windows: `<browser_dir>/distribution/`
-/// Also includes `<browser_dir>/distribution/` as a fallback for all platforms.
-#[allow(clippy::vec_init_then_push)]
-fn find_camoufox_distribution_dirs(browser_dir: &Path) -> Vec<std::path::PathBuf> {
-  let mut dirs = Vec::new();
-
-  #[cfg(target_os = "macos")]
-  {
-    if let Ok(entries) = std::fs::read_dir(browser_dir) {
-      for entry in entries.flatten() {
-        if entry.path().extension().is_some_and(|ext| ext == "app") {
-          dirs.push(
-            entry
-              .path()
-              .join("Contents")
-              .join("Resources")
-              .join("distribution"),
-          );
-        }
-      }
-    }
-  }
-
-  #[cfg(target_os = "linux")]
-  {
-    dirs.push(browser_dir.join("camoufox").join("distribution"));
-  }
-
-  // Fallback for all platforms
-  dirs.push(browser_dir.join("distribution"));
-
-  dirs
-}
-
-/// Set DuckDuckGo as the default search engine in Camoufox.
-/// Creates or updates distribution/policies.json with a proper DuckDuckGo engine definition.
-/// Called both at download time and at launch time to cover existing installations.
-pub fn configure_camoufox_search_engine(
-  browser_dir: &Path,
-) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-  let distribution_dirs = find_camoufox_distribution_dirs(browser_dir);
-
-  // Find an existing policies.json, or pick the first candidate dir to create one
-  let (policies_path, mut policies) = {
-    let mut found = None;
-    for dir in &distribution_dirs {
-      let path = dir.join("policies.json");
-      if path.exists() {
-        if let Ok(content) = std::fs::read_to_string(&path) {
-          if let Ok(val) = serde_json::from_str::<serde_json::Value>(&content) {
-            found = Some((path, val));
-            break;
-          }
-        }
-      }
-    }
-    match found {
-      Some(f) => f,
-      None => {
-        // Pick the first candidate directory that exists (or can be created)
-        let target_dir = distribution_dirs
-          .iter()
-          .find(|d| d.parent().is_some_and(|p| p.exists()))
-          .or(distribution_dirs.first())
-          .ok_or("No suitable distribution directory found")?;
-        std::fs::create_dir_all(target_dir)?;
-        (
-          target_dir.join("policies.json"),
-          serde_json::json!({"policies": {}}),
-        )
-      }
-    }
-  };
-
-  // Check if already configured
-  let has_ddg_default = policies
-    .get("policies")
-    .and_then(|p| p.get("SearchEngines"))
-    .and_then(|se| se.get("Default"))
-    .and_then(|d| d.as_str())
-    == Some("DuckDuckGo");
-
-  let has_ddg_engine = policies
-    .get("policies")
-    .and_then(|p| p.get("SearchEngines"))
-    .and_then(|se| se.get("Add"))
-    .and_then(|a| a.as_array())
-    .is_some_and(|arr| {
-      arr
-        .iter()
-        .any(|e| e.get("Name").and_then(|n| n.as_str()) == Some("DuckDuckGo"))
-    });
-
-  if has_ddg_default && has_ddg_engine {
-    return Ok(());
-  }
-
-  let ddg_engine = serde_json::json!({
-    "Name": "DuckDuckGo",
-    "URLTemplate": "https://duckduckgo.com/?q={searchTerms}",
-    "SuggestURLTemplate": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
-    "Method": "GET",
-    "IconURL": "https://duckduckgo.com/favicon.ico",
-    "Alias": "ddg"
-  });
-
-  // Ensure policies.SearchEngines exists
-  let policies_obj = policies
-    .as_object_mut()
-    .ok_or("Invalid policies.json")?
-    .entry("policies")
-    .or_insert(serde_json::json!({}));
-  let se = policies_obj
-    .as_object_mut()
-    .ok_or("Invalid policies object")?
-    .entry("SearchEngines")
-    .or_insert(serde_json::json!({}));
-
-  if let Some(se_obj) = se.as_object_mut() {
-    // Set DuckDuckGo as default
-    se_obj.insert(
-      "Default".to_string(),
-      serde_json::Value::String("DuckDuckGo".to_string()),
-    );
-
-    // Add DuckDuckGo engine definition if not present
-    let add_arr = se_obj
-      .entry("Add")
-      .or_insert(serde_json::json!([]))
-      .as_array_mut()
-      .ok_or("SearchEngines.Add is not an array")?;
-
-    // Remove fake "None" engine
-    add_arr.retain(|entry| entry.get("Name").and_then(|n| n.as_str()) != Some("None"));
-
-    // Add DuckDuckGo if not already present
-    if !add_arr
-      .iter()
-      .any(|e| e.get("Name").and_then(|n| n.as_str()) == Some("DuckDuckGo"))
-    {
-      add_arr.push(ddg_engine);
-    }
-
-    // Ensure DuckDuckGo is not in the Remove list
-    if let Some(remove_arr) = se_obj.get_mut("Remove").and_then(|r| r.as_array_mut()) {
-      remove_arr.retain(|v| v.as_str() != Some("DuckDuckGo"));
-    }
-  }
-
-  let updated = serde_json::to_string_pretty(&policies)?;
-  std::fs::write(&policies_path, updated)?;
-  log::info!(
-    "Configured DuckDuckGo search engine in {}",
-    policies_path.display()
-  );
-
-  Ok(())
-}
-
 #[cfg(test)]
 mod tests {
  use super::*;
-  use crate::api_client::ApiClient;
-  use crate::browser::BrowserType;
-  use crate::browser_version_manager::DownloadInfo;

  use tempfile::TempDir;
  use wiremock::matchers::{method, path};
  use wiremock::{Mock, MockServer, ResponseTemplate};

-  async fn setup_mock_server() -> MockServer {
-    MockServer::start().await
-  }
-
-  fn create_test_api_client(server: &MockServer) -> ApiClient {
-    let base_url = server.uri();
-    ApiClient::new_with_base_urls(
-      base_url.clone(), // firefox_api_base
-      base_url.clone(), // firefox_dev_api_base
-      base_url.clone(), // github_api_base
-      base_url.clone(), // chromium_api_base
-    )
-  }
-
  #[tokio::test]
-  async fn test_resolve_firefox_download_url() {
-    let server = setup_mock_server().await;
+  async fn test_download_file_with_progress() {
+    let server = MockServer::start().await;
+    let downloader = Downloader::new_for_test();

-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
-
-    let download_info = DownloadInfo {
-      url: "https://download.mozilla.org/?product=firefox-139.0&os=osx&lang=en-US".to_string(),
-      filename: "firefox-test.dmg".to_string(),
-      is_archive: true,
-    };
-
-    let result = downloader
-      .resolve_download_url(BrowserType::Firefox, "139.0", &download_info)
-      .await;
-
-    assert!(result.is_ok());
-    let url = result.unwrap();
-    assert_eq!(url, download_info.url);
-  }
-
-  #[tokio::test]
-  async fn test_resolve_chromium_download_url() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
-
-    let download_info = DownloadInfo {
-      url: "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Mac/1465660/chrome-mac.zip".to_string(),
-      filename: "chromium-test.zip".to_string(),
-      is_archive: true,
-    };
-
-    let result = downloader
-      .resolve_download_url(BrowserType::Chromium, "1465660", &download_info)
-      .await;
-
-    assert!(result.is_ok());
-    let url = result.unwrap();
-    assert_eq!(url, download_info.url);
-  }
-
-  #[tokio::test]
-  async fn test_download_browser_with_progress() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
-
-    // Create a temporary directory for the test
    let temp_dir = TempDir::new().unwrap();
    let dest_path = temp_dir.path();

-    // Create test file content (simulating a small download)
    let test_content = b"This is a test file content for download simulation";

-    // Mock the download endpoint
    Mock::given(method("GET"))
      .and(path("/test-download"))
      .respond_with(
@@ -1357,85 +1039,51 @@ mod tests {
      .mount(&server)
      .await;

-    let download_info = DownloadInfo {
-      url: format!("{}/test-download", server.uri()),
-      filename: "test-file.dmg".to_string(),
-      is_archive: true,
-    };
-
-    // Create a mock app handle for testing
-    let app = tauri::test::mock_app();
-    let app_handle = app.handle().clone();
+    let download_url = format!("{}/test-download", server.uri());

    let result = downloader
-      .download_browser(
-        &app_handle,
-        BrowserType::Firefox,
-        "139.0",
-        &download_info,
-        dest_path,
-        None,
-      )
+      .download_file(&download_url, dest_path, "test-file.dmg")
      .await;

    assert!(result.is_ok());
    let downloaded_file = result.unwrap();
    assert!(downloaded_file.exists());

-    // Verify file content
    let downloaded_content = std::fs::read(&downloaded_file).unwrap();
    assert_eq!(downloaded_content, test_content);
  }

  #[tokio::test]
-  async fn test_download_browser_network_error() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
+  async fn test_download_file_network_error() {
+    let server = MockServer::start().await;
+    let downloader = Downloader::new_for_test();

    let temp_dir = TempDir::new().unwrap();
    let dest_path = temp_dir.path();

-    // Mock a 404 response
    Mock::given(method("GET"))
      .and(path("/missing-file"))
      .respond_with(ResponseTemplate::new(404))
      .mount(&server)
      .await;

-    let download_info = DownloadInfo {
-      url: format!("{}/missing-file", server.uri()),
-      filename: "missing-file.dmg".to_string(),
-      is_archive: true,
-    };
-
-    let app = tauri::test::mock_app();
-    let app_handle = app.handle().clone();
+    let download_url = format!("{}/missing-file", server.uri());

    let result = downloader
-      .download_browser(
-        &app_handle,
-        BrowserType::Firefox,
-        "139.0",
-        &download_info,
-        dest_path,
-        None,
-      )
+      .download_file(&download_url, dest_path, "missing-file.dmg")
      .await;

    assert!(result.is_err());
  }

  #[tokio::test]
-  async fn test_download_browser_chunked_response() {
-    let server = setup_mock_server().await;
-    let api_client = create_test_api_client(&server);
-    let downloader = Downloader::new_with_api_client(api_client);
+  async fn test_download_file_chunked_response() {
+    let server = MockServer::start().await;
+    let downloader = Downloader::new_for_test();

    let temp_dir = TempDir::new().unwrap();
    let dest_path = temp_dir.path();

-    // Create larger test content to simulate chunked transfer
    let test_content = vec![42u8; 1024]; // 1KB of data

    Mock::given(method("GET"))
@@ -1449,24 +1097,10 @@ mod tests {
      .mount(&server)
      .await;

-    let download_info = DownloadInfo {
-      url: format!("{}/chunked-download", server.uri()),
-      filename: "chunked-file.dmg".to_string(),
-      is_archive: true,
-    };
-
-    let app = tauri::test::mock_app();
-    let app_handle = app.handle().clone();
+    let download_url = format!("{}/chunked-download", server.uri());

    let result = downloader
-      .download_browser(
-        &app_handle,
-        BrowserType::Chromium,
-        "1465660",
-        &download_info,
-        dest_path,
-        None,
-      )
+      .download_file(&download_url, dest_path, "chunked-file.dmg")
      .await;

    assert!(result.is_ok());
@@ -260,6 +260,7 @@ mod tests {
      version: "1.0".to_string(),
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -277,11 +278,16 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    }
  }

  #[test]
+  #[serial_test::serial]
  fn test_ephemeral_dir_lifecycle() {
+    // Clear global state to avoid interference from other tests
+    EPHEMERAL_DIRS.lock().unwrap().clear();
+
    let profile_id = uuid::Uuid::new_v4();
    let id_str = profile_id.to_string();

@@ -309,6 +315,7 @@ mod tests {
  }

  #[test]
+  #[serial_test::serial]
  fn test_recover_ephemeral_dirs() {
    let base = get_ephemeral_base_dir().unwrap();
    let test_id = uuid::Uuid::new_v4().to_string();
@@ -362,7 +362,7 @@ impl ExtensionManager {
      }
    }

-    extensions.sort_by(|a, b| a.created_at.cmp(&b.created_at));
+    extensions.sort_by_key(|a| a.created_at);
    Ok(extensions)
  }

@@ -829,8 +829,8 @@ impl ExtensionManager {
  ) -> Result<(), Box<dyn std::error::Error>> {
    let group = self.get_group(group_id)?;
    let browser_type = match browser {
-      "camoufox" | "firefox" | "firefox-developer" | "zen" => "firefox",
-      "wayfern" | "chromium" | "brave" => "chromium",
+      "camoufox" => "firefox",
+      "wayfern" => "chromium",
      _ => return Err(format!("Extensions are not supported for browser '{browser}'").into()),
    };

@@ -871,8 +871,8 @@ impl ExtensionManager {
    }

    let browser_type = match profile.browser.as_str() {
-      "camoufox" | "firefox" | "firefox-developer" | "zen" => "firefox",
-      "wayfern" | "chromium" | "brave" => "chromium",
+      "camoufox" => "firefox",
+      "wayfern" => "chromium",
      _ => return Ok(Vec::new()),
    };

@@ -1091,12 +1091,6 @@ lazy_static::lazy_static! {

 #[tauri::command]
 pub async fn list_extensions() -> Result<Vec<Extension>, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .list_extensions()
@@ -1115,12 +1109,6 @@ pub async fn add_extension(
  file_name: String,
  file_data: Vec<u8>,
 ) -> Result<Extension, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .add_extension(name, file_name, file_data)
@@ -1134,12 +1122,6 @@ pub async fn update_extension(
  file_name: Option<String>,
  file_data: Option<Vec<u8>>,
 ) -> Result<Extension, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .update_extension(&extension_id, name, file_name, file_data)
@@ -1151,12 +1133,6 @@ pub async fn delete_extension(
  app_handle: tauri::AppHandle,
  extension_id: String,
 ) -> Result<(), String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .delete_extension(&app_handle, &extension_id)
@@ -1165,12 +1141,6 @@ pub async fn delete_extension(

 #[tauri::command]
 pub async fn list_extension_groups() -> Result<Vec<ExtensionGroup>, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .list_groups()
@@ -1179,12 +1149,6 @@ pub async fn list_extension_groups() -> Result<Vec<ExtensionGroup>, String> {

 #[tauri::command]
 pub async fn create_extension_group(name: String) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .create_group(name)
@@ -1197,12 +1161,6 @@ pub async fn update_extension_group(
  name: Option<String>,
  extension_ids: Option<Vec<String>>,
 ) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .update_group(&group_id, name, extension_ids)
@@ -1214,12 +1172,6 @@ pub async fn delete_extension_group(
  app_handle: tauri::AppHandle,
  group_id: String,
 ) -> Result<(), String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .delete_group(&app_handle, &group_id)
@@ -1231,12 +1183,6 @@ pub async fn add_extension_to_group(
  group_id: String,
  extension_id: String,
 ) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .add_extension_to_group(&group_id, &extension_id)
@@ -1248,12 +1194,6 @@ pub async fn remove_extension_from_group(
  group_id: String,
  extension_id: String,
 ) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
  let mgr = EXTENSION_MANAGER.lock().unwrap();
  mgr
    .remove_extension_from_group(&group_id, &extension_id)
@@ -1265,13 +1205,6 @@ pub async fn assign_extension_group_to_profile(
  profile_id: String,
  extension_group_id: Option<String>,
 ) -> Result<crate::profile::BrowserProfile, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
-
  // Validate compatibility if assigning a group
  if let Some(ref group_id) = extension_group_id {
    let profile_manager = crate::profile::ProfileManager::instance();
@@ -6,8 +6,8 @@ use crate::browser::BrowserType;
 use crate::downloader::DownloadProgress;
 use crate::events;

-#[cfg(any(target_os = "macos", target_os = "windows"))]
-use std::process::Command;
+#[cfg(target_os = "macos")]
+use tokio::process::Command;

 #[cfg(target_os = "macos")]
 use std::fs::create_dir_all;
@@ -38,12 +38,7 @@ impl Extractor {
      "camoufox"
    } else if dest_dir.to_string_lossy().contains("wayfern") {
      "wayfern"
-    } else if dest_dir.to_string_lossy().contains("firefox") {
-      "firefox"
-    } else if dest_dir.to_string_lossy().contains("zen") {
-      "zen"
    } else {
-      // For other browsers, assume the structure is already correct
      return Ok(());
    };

@@ -212,6 +207,20 @@ impl Extractor {

    match extraction_result {
      Ok(path) => {
+        // Remove quarantine attributes on macOS to prevent
+        // "app was prevented from modifying data" prompts
+        #[cfg(target_os = "macos")]
+        {
+          let _ = tokio::process::Command::new("xattr")
+            .args([
+              "-dr",
+              "com.apple.quarantine",
+              dest_dir.to_str().unwrap_or("."),
+            ])
+            .output()
+            .await;
+        }
+
        log::info!(
          "Successfully extracted {} {} to: {}",
          browser_type.as_str(),
@@ -237,22 +246,21 @@ impl Extractor {
    &self,
    file_path: &Path,
  ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
-    // First check file extension for DMG files since they're common on macOS
-    // and can have misleading magic numbers
+    // Check file extension first for container formats (DMG, MSI) whose internal
+    // compression makes magic bytes unreliable
    if let Some(ext) = file_path.extension().and_then(|ext| ext.to_str()) {
-      if ext.to_lowercase() == "dmg" {
-        return Ok("dmg".to_string());
-      }
-      if ext.to_lowercase() == "msi" {
-        return Ok("msi".to_string());
+      match ext.to_lowercase().as_str() {
+        "dmg" => return Ok("dmg".to_string()),
+        "msi" => return Ok("msi".to_string()),
+        _ => {}
      }
    }

    let mut file = File::open(file_path)?;
-    let mut buffer = [0u8; 12]; // Read first 12 bytes for magic number detection
+    let mut buffer = [0u8; 12];
    file.read_exact(&mut buffer)?;

-    // Check magic numbers for different file types
+    // Check magic numbers for other file types
    match &buffer[0..4] {
      [0x50, 0x4B, 0x03, 0x04] | [0x50, 0x4B, 0x05, 0x06] | [0x50, 0x4B, 0x07, 0x08] => {
        return Ok("zip".to_string())
@@ -362,16 +370,20 @@ impl Extractor {
      .args([
        "attach",
        "-nobrowse",
+        "-noverify",
+        "-noautoopen",
        "-mountpoint",
        mount_point.to_str().unwrap(),
        dmg_path.to_str().unwrap(),
      ])
-      .output()?;
+      .stdin(std::process::Stdio::null())
+      .output()
+      .await?;

    if !output.status.success() {
      let stderr = String::from_utf8_lossy(&output.stderr);
      let stdout = String::from_utf8_lossy(&output.stdout);
-      log::info!("Failed to mount DMG. stdout: {stdout}, stderr: {stderr}");
+      log::error!("Failed to mount DMG. stdout: {stdout}, stderr: {stderr}");

      // Clean up mount point before returning error
      let _ = fs::remove_dir_all(&mount_point);
@@ -387,12 +399,13 @@ impl Extractor {
    let app_entry = match app_result {
      Ok(app_path) => app_path,
      Err(e) => {
-        log::info!("Failed to find .app in mount point: {e}");
+        log::error!("Failed to find .app in mount point: {e}");

        // Try to unmount before returning error
        let _ = Command::new("hdiutil")
          .args(["detach", "-force", mount_point.to_str().unwrap()])
-          .output();
+          .output()
+          .await;
        let _ = fs::remove_dir_all(&mount_point);

        return Err("No .app found after extraction".into());
@@ -412,16 +425,18 @@ impl Extractor {
        app_entry.to_str().unwrap(),
        app_path.to_str().unwrap(),
      ])
-      .output()?;
+      .output()
+      .await?;

    if !output.status.success() {
      let stderr = String::from_utf8_lossy(&output.stderr);
-      log::info!("Failed to copy app: {stderr}");
+      log::error!("Failed to copy app: {stderr}");

      // Unmount before returning error
      let _ = Command::new("hdiutil")
        .args(["detach", "-force", mount_point.to_str().unwrap()])
-        .output();
+        .output()
+        .await;
      let _ = fs::remove_dir_all(&mount_point);

      return Err(format!("Failed to copy app: {stderr}").into());
@@ -432,18 +447,21 @@ impl Extractor {
    // Remove quarantine attributes
    let _ = Command::new("xattr")
      .args(["-dr", "com.apple.quarantine", app_path.to_str().unwrap()])
-      .output();
+      .output()
+      .await;

    let _ = Command::new("xattr")
      .args(["-cr", app_path.to_str().unwrap()])
-      .output();
+      .output()
+      .await;

    log::info!("Removed quarantine attributes");

    // Unmount the DMG
    let output = Command::new("hdiutil")
      .args(["detach", mount_point.to_str().unwrap()])
-      .output()?;
+      .output()
+      .await?;

    if !output.status.success() {
      let stderr = String::from_utf8_lossy(&output.stderr);
@@ -739,57 +757,19 @@ impl Extractor {
    dest_dir: &Path,
    browser_type: BrowserType,
  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    match browser_type {
-      BrowserType::Zen => {
-        // Zen installer EXE needs to be run to install
-        #[cfg(target_os = "windows")]
-        {
-          self.install_zen_windows(exe_path, dest_dir).await
-        }
-        #[cfg(not(target_os = "windows"))]
-        {
-          Err("Zen EXE installation is only supported on Windows".into())
-        }
-      }
-      _ => {
-        // For other browsers (Firefox, TOR, etc.), the EXE is typically just copied
-        let exe_name = exe_path
-          .file_name()
-          .and_then(|name| name.to_str())
-          .unwrap_or("browser.exe");
+    {
+      let _ = browser_type;
+      let exe_name = exe_path
+        .file_name()
+        .and_then(|name| name.to_str())
+        .unwrap_or("browser.exe");

-        let dest_path = dest_dir.join(exe_name);
-        fs::copy(exe_path, &dest_path)?;
-        Ok(dest_path)
-      }
+      let dest_path = dest_dir.join(exe_name);
+      fs::copy(exe_path, &dest_path)?;
+      Ok(dest_path)
    }
  }

-  #[cfg(target_os = "windows")]
-  async fn install_zen_windows(
-    &self,
-    installer_path: &Path,
-    dest_dir: &Path,
-  ) -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
-    // For Zen installer, we need to run it silently
-    let output = Command::new(installer_path)
-      .args(["/S", &format!("/D={}", dest_dir.display())])
-      .output()?;
-
-    if !output.status.success() {
-      return Err(
-        format!(
-          "Failed to install Zen: {}",
-          String::from_utf8_lossy(&output.stderr)
-        )
-        .into(),
-      );
-    }
-
-    // Find the installed executable
-    self.find_extracted_executable(dest_dir).await
-  }
-
  fn flatten_single_directory_archive(
    &self,
    dest_dir: &Path,
@@ -954,8 +934,6 @@ impl Extractor {
      "firefox.exe",
      "chrome.exe",
      "chromium.exe",
-      "zen.exe",
-      "brave.exe",
      "camoufox.exe",
      "wayfern.exe",
    ];
@@ -1023,8 +1001,6 @@ impl Extractor {
            if file_name.contains("firefox")
              || file_name.contains("chrome")
              || file_name.contains("chromium")
-              || file_name.contains("zen")
-              || file_name.contains("brave")
              || file_name.contains("browser")
              || file_name.contains("camoufox")
              || file_name.contains("wayfern")
@@ -1075,31 +1051,14 @@ impl Extractor {

    // Enhanced list of common browser executable names
    let exe_names = [
-      // Firefox variants
+      // Firefox variants (used by Camoufox)
      "firefox",
      "firefox-bin",
-      "firefox-esr",
-      "firefox-trunk",
-      // Chrome/Chromium variants
+      // Chrome/Chromium variants (used by Wayfern)
      "chrome",
-      "google-chrome",
-      "google-chrome-stable",
-      "google-chrome-beta",
-      "google-chrome-unstable",
      "chromium",
      "chromium-browser",
      "chromium-bin",
-      // Zen Browser
-      "zen",
-      "zen-browser",
-      "zen-bin",
-      // Brave variants
-      "brave",
-      "brave-browser",
-      "brave-browser-stable",
-      "brave-browser-beta",
-      "brave-browser-dev",
-      "brave-bin",
      // Camoufox variants
      "camoufox",
      "camoufox-bin",
@@ -1130,17 +1089,12 @@ impl Extractor {
      "firefox",
      "chrome",
      "chromium",
-      "brave",
-      "zen",
      "camoufox",
      "wayfern",
      ".",
      "./",
-      "firefox",
      "Browser",
      "browser",
-      "opt/google/chrome",
-      "opt/brave.com/brave",
      "opt/camoufox",
      "usr/lib/firefox",
      "usr/lib/chromium",
@@ -174,6 +174,13 @@ impl GeoIPDownloader {

    let mmdb_path = Self::get_mmdb_file_path()?;

+    // Always download to a temp file first, then atomically rename.
+    // This prevents corruption if the app is closed mid-download.
+    let temp_path = mmdb_path.with_extension("mmdb.downloading");
+
+    // Remove any leftover temp file from a previous interrupted download
+    let _ = fs::remove_file(&temp_path).await;
+
    // Download the file
    let response = self.client.get(&download_url).send().await?;

@@ -189,7 +196,7 @@ impl GeoIPDownloader {

    let total_size = response.content_length().unwrap_or(0);
    let mut downloaded: u64 = 0;
-    let mut file = fs::File::create(&mmdb_path).await?;
+    let mut file = fs::File::create(&temp_path).await?;
    let mut stream = response.bytes_stream();

    use futures_util::StreamExt;
@@ -237,6 +244,10 @@ impl GeoIPDownloader {
    }

    file.flush().await?;
+    drop(file);
+
+    // Atomically replace the old database with the new one
+    fs::rename(&temp_path, &mmdb_path).await?;

    // Write download timestamp
    let timestamp_path = Self::get_timestamp_path();
@@ -0,0 +1,492 @@
+use rand::{Rng, RngExt};
+use std::collections::{HashMap, HashSet};
+
+const PROB_ERROR: f64 = 0.04;
+const PROB_SWAP_ERROR: f64 = 0.015;
+const PROB_NOTICE_ERROR: f64 = 0.85;
+const SPEED_BOOST_COMMON_WORD: f64 = 0.6;
+const SPEED_PENALTY_COMPLEX_WORD: f64 = 1.3;
+const SPEED_BOOST_CLOSE_KEYS: f64 = 0.5;
+const SPEED_BOOST_BIGRAM: f64 = 0.4;
+const TIME_KEYSTROKE_STD: f64 = 0.03;
+const TIME_BACKSPACE_MEAN: f64 = 0.12;
+const TIME_BACKSPACE_STD: f64 = 0.02;
+const TIME_REACTION_MEAN: f64 = 0.35;
+const TIME_REACTION_STD: f64 = 0.1;
+const TIME_UPPERCASE_PENALTY: f64 = 0.2;
+const TIME_SPACE_PAUSE_MEAN: f64 = 0.25;
+const TIME_SPACE_PAUSE_STD: f64 = 0.05;
+const FATIGUE_FACTOR: f64 = 1.0005;
+const AVG_WORD_LENGTH: f64 = 5.0;
+const WPM_STD: f64 = 10.0;
+const DEFAULT_WPM: f64 = 80.0;
+
+#[derive(Debug, Clone)]
+pub enum TypingAction {
+  Char(char),
+  Backspace,
+}
+
+#[derive(Debug, Clone)]
+pub struct TypingEvent {
+  pub time: f64,
+  pub action: TypingAction,
+}
+
+struct KeyboardLayout {
+  pos_map: HashMap<char, (usize, usize)>,
+  grid: Vec<Vec<char>>,
+}
+
+impl KeyboardLayout {
+  fn new() -> Self {
+    let grid: Vec<Vec<char>> = vec![
+      "`1234567890-=".chars().collect(),
+      "qwertyuiop[]\\".chars().collect(),
+      "asdfghjkl;'".chars().collect(),
+      "zxcvbnm,./".chars().collect(),
+    ];
+    let mut pos_map = HashMap::new();
+    for (r, row) in grid.iter().enumerate() {
+      for (c, &ch) in row.iter().enumerate() {
+        pos_map.insert(ch, (r, c));
+      }
+    }
+    KeyboardLayout { pos_map, grid }
+  }
+
+  fn has_key(&self, ch: char) -> bool {
+    self.pos_map.contains_key(&ch.to_ascii_lowercase())
+  }
+
+  fn get_neighbor_keys(&self, ch: char) -> Vec<char> {
+    let ch = ch.to_ascii_lowercase();
+    let (r, c) = match self.pos_map.get(&ch) {
+      Some(&pos) => pos,
+      None => return vec![],
+    };
+    let deltas: [(i32, i32); 8] = [
+      (-1, -1),
+      (-1, 0),
+      (-1, 1),
+      (0, -1),
+      (0, 1),
+      (1, -1),
+      (1, 0),
+      (1, 1),
+    ];
+    let mut neighbors = Vec::new();
+    for (dr, dc) in &deltas {
+      let nr = r as i32 + dr;
+      let nc = c as i32 + dc;
+      if nr >= 0 && (nr as usize) < self.grid.len() {
+        let row = &self.grid[nr as usize];
+        if nc >= 0 && (nc as usize) < row.len() {
+          neighbors.push(row[nc as usize]);
+        }
+      }
+    }
+    neighbors
+  }
+
+  fn get_distance(&self, c1: char, c2: char) -> f64 {
+    let c1 = c1.to_ascii_lowercase();
+    let c2 = c2.to_ascii_lowercase();
+    match (self.pos_map.get(&c1), self.pos_map.get(&c2)) {
+      (Some(&(r1, c1p)), Some(&(r2, c2p))) => {
+        let dr = r1 as f64 - r2 as f64;
+        let dc = c1p as f64 - c2p as f64;
+        (dr * dr + dc * dc).sqrt()
+      }
+      _ => 4.0,
+    }
+  }
+
+  fn get_random_neighbor(&self, ch: char, rng: &mut impl Rng) -> char {
+    let neighbors = self.get_neighbor_keys(ch);
+    if neighbors.is_empty() {
+      let flat: Vec<char> = self.grid.iter().flat_map(|r| r.iter().copied()).collect();
+      flat[rng.random_range(0..flat.len())]
+    } else {
+      neighbors[rng.random_range(0..neighbors.len())]
+    }
+  }
+}
+
+fn normal_sample(rng: &mut impl Rng, mean: f64, std_dev: f64) -> f64 {
+  // Box-Muller transform
+  let u1: f64 = rng.random::<f64>().max(1e-10);
+  let u2: f64 = rng.random::<f64>();
+  let z = (-2.0_f64 * u1.ln()).sqrt() * (2.0_f64 * std::f64::consts::PI * u2).cos();
+  mean + std_dev * z
+}
+
+static COMMON_WORDS: &[&str] = &[
+  "the", "be", "to", "of", "and", "a", "in", "that", "have", "it", "for", "not", "on", "with",
+  "he", "as", "you", "do", "at", "this", "but", "his", "by", "from", "they", "we", "say", "her",
+  "she", "or", "an", "will", "my", "one", "all", "would", "there", "their", "what", "so", "up",
+  "out", "if", "about", "who", "get", "which", "go", "me", "when", "make", "can", "like", "time",
+  "no", "just", "him", "know", "take", "people", "into", "year", "your", "good", "some", "could",
+  "them", "see", "other", "than", "then", "now", "look", "only", "come", "its", "over", "think",
+  "also", "back", "after", "use", "two", "how", "our", "work", "first", "well", "way", "even",
+  "new", "want", "because",
+];
+
+static COMMON_BIGRAMS: &[&str] = &[
+  "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es", "or", "te", "of", "ed",
+  "is", "it", "al", "ar", "st", "to", "nt", "ng", "se", "ha", "as", "ou", "io", "le", "ve", "co",
+  "me", "de", "hi", "ri", "ro", "ic", "ne", "ea", "ra", "ce",
+];
+
+fn get_word_difficulty(word: &str) -> &'static str {
+  let lower = word.to_lowercase();
+  let trimmed = lower.trim_matches(|c: char| matches!(c, '.' | ',' | '!' | '?' | ';' | ':'));
+  let common_set: HashSet<&str> = COMMON_WORDS.iter().copied().collect();
+  if common_set.contains(trimmed) {
+    return "common";
+  }
+  let is_long = trimmed.len() > 8;
+  let has_complex = trimmed.chars().any(|c| matches!(c, 'z' | 'x' | 'q' | 'j'));
+  if is_long || has_complex {
+    return "complex";
+  }
+  "normal"
+}
+
+fn is_common_bigram(c1: char, c2: char) -> bool {
+  let bigram = format!("{}{}", c1.to_ascii_lowercase(), c2.to_ascii_lowercase());
+  let bigram_set: HashSet<&str> = COMMON_BIGRAMS.iter().copied().collect();
+  bigram_set.contains(bigram.as_str())
+}
+
+pub struct MarkovTyper {
+  target: Vec<char>,
+  current: Vec<char>,
+  keyboard: KeyboardLayout,
+  base_keystroke_time: f64,
+  fatigue_multiplier: f64,
+  mental_cursor_pos: usize,
+  last_char_typed: Option<char>,
+  total_time: f64,
+  last_was_backspace: bool,
+  rng: rand::rngs::ThreadRng,
+}
+
+impl MarkovTyper {
+  pub fn new(text: &str, wpm: Option<f64>) -> Self {
+    let mut rng = rand::rng();
+    let target_wpm = wpm.unwrap_or(DEFAULT_WPM);
+    let session_wpm = normal_sample(&mut rng, target_wpm, WPM_STD).max(10.0);
+    let base_keystroke_time = 60.0 / (session_wpm * AVG_WORD_LENGTH);
+
+    MarkovTyper {
+      target: text.chars().collect(),
+      current: Vec::new(),
+      keyboard: KeyboardLayout::new(),
+      base_keystroke_time,
+      fatigue_multiplier: 1.0,
+      mental_cursor_pos: 0,
+      last_char_typed: None,
+      total_time: 0.0,
+      last_was_backspace: false,
+      rng,
+    }
+  }
+
+  fn get_current_word(&self) -> Option<String> {
+    if self.mental_cursor_pos >= self.target.len() {
+      return None;
+    }
+    let mut start = self.mental_cursor_pos;
+    while start > 0 && self.target[start - 1] != ' ' {
+      start -= 1;
+    }
+    let mut end = self.mental_cursor_pos;
+    while end < self.target.len() && self.target[end] != ' ' {
+      end += 1;
+    }
+    Some(self.target[start..end].iter().collect())
+  }
+
+  fn calculate_keystroke_time(&mut self, ch: char) -> f64 {
+    let mut time = self.base_keystroke_time * self.fatigue_multiplier;
+
+    if let Some(word) = self.get_current_word() {
+      match get_word_difficulty(&word) {
+        "common" => time *= SPEED_BOOST_COMMON_WORD,
+        "complex" => time *= SPEED_PENALTY_COMPLEX_WORD,
+        _ => {}
+      }
+    }
+
+    if let Some(last) = self.last_char_typed {
+      if is_common_bigram(last, ch) {
+        time *= SPEED_BOOST_BIGRAM;
+      } else {
+        let dist = self.keyboard.get_distance(last, ch);
+        if dist > 0.0 && dist < 2.0 {
+          time *= SPEED_BOOST_CLOSE_KEYS;
+        } else if dist > 4.0 {
+          time *= 1.2;
+        }
+      }
+    }
+
+    if ch == ' ' {
+      time += normal_sample(&mut self.rng, TIME_SPACE_PAUSE_MEAN, TIME_SPACE_PAUSE_STD);
+    } else if ch.is_uppercase() {
+      time += TIME_UPPERCASE_PENALTY;
+    }
+
+    let dt = normal_sample(&mut self.rng, time, TIME_KEYSTROKE_STD);
+    dt.max(0.02)
+  }
+
+  fn step(&mut self) -> Option<TypingEvent> {
+    if self.current == self.target {
+      return None;
+    }
+
+    // Find first error position
+    let mut first_error_pos = self.target.len();
+    let min_len = self.current.len().min(self.target.len());
+    for i in 0..min_len {
+      if self.current[i] != self.target[i] {
+        first_error_pos = i;
+        break;
+      }
+    }
+    if self.current.len() > self.target.len() && first_error_pos == self.target.len() {
+      first_error_pos = self.target.len();
+    }
+
+    // Error correction
+    if first_error_pos < self.current.len() {
+      let mut should_correct = false;
+
+      if self.last_was_backspace || self.mental_cursor_pos >= self.target.len() {
+        should_correct = true;
+      } else if !self.current.is_empty() {
+        let last_char = *self.current.last().unwrap();
+        let distance = self.current.len() - first_error_pos;
+
+        if " \n\t.,;!?:()[]{}\"'<>".contains(last_char) {
+          should_correct = true;
+        } else if distance >= 2 {
+          if self.rng.random::<f64>() < 0.8 {
+            should_correct = true;
+          }
+        } else if distance == 1 && self.rng.random::<f64>() < PROB_NOTICE_ERROR {
+          should_correct = true;
+        }
+      }
+
+      if should_correct {
+        if !self.last_was_backspace {
+          let dt = normal_sample(&mut self.rng, TIME_REACTION_MEAN, TIME_REACTION_STD).max(0.1);
+          self.total_time += dt;
+        }
+
+        let dt = normal_sample(&mut self.rng, TIME_BACKSPACE_MEAN, TIME_BACKSPACE_STD);
+        self.total_time += dt;
+        self.current.pop();
+        self.mental_cursor_pos = self.current.len();
+        self.last_was_backspace = true;
+
+        return Some(TypingEvent {
+          time: self.total_time,
+          action: TypingAction::Backspace,
+        });
+      }
+    }
+
+    self.last_was_backspace = false;
+
+    if self.mental_cursor_pos > self.current.len() {
+      self.mental_cursor_pos = self.current.len();
+    }
+    if self.mental_cursor_pos >= self.target.len() {
+      return None;
+    }
+
+    let char_intended = self.target[self.mental_cursor_pos];
+    self.fatigue_multiplier *= FATIGUE_FACTOR;
+
+    // Non-QWERTY characters (CJK, Cyrillic, etc.) are composed via IME —
+    // skip error simulation entirely, just apply realistic timing.
+    let on_keyboard = self.keyboard.has_key(char_intended);
+
+    // Swap error (only for characters on the physical keyboard)
+    if on_keyboard && self.mental_cursor_pos + 1 < self.target.len() {
+      let char_after = self.target[self.mental_cursor_pos + 1];
+      if char_after != ' '
+        && char_after != char_intended
+        && self.keyboard.has_key(char_after)
+        && self.rng.random::<f64>() < PROB_SWAP_ERROR
+      {
+        let dt = self.calculate_keystroke_time(char_after);
+        self.total_time += dt;
+        self.current.push(char_after);
+        self.last_char_typed = Some(char_after);
+        self.mental_cursor_pos += 1;
+        return Some(TypingEvent {
+          time: self.total_time,
+          action: TypingAction::Char(char_after),
+        });
+      }
+    }
+
+    // Normal typing with possible error (errors only for QWERTY characters)
+    let typed_char = if on_keyboard {
+      let mut current_prob_error = PROB_ERROR;
+      if let Some(word) = self.get_current_word() {
+        match get_word_difficulty(&word) {
+          "complex" => current_prob_error *= 1.5,
+          "common" => current_prob_error *= 0.5,
+          _ => {}
+        }
+      }
+      if self.rng.random::<f64>() < current_prob_error {
+        self
+          .keyboard
+          .get_random_neighbor(char_intended, &mut self.rng)
+      } else {
+        char_intended
+      }
+    } else {
+      char_intended
+    };
+
+    let dt = self.calculate_keystroke_time(typed_char);
+    self.total_time += dt;
+    self.current.push(typed_char);
+    self.last_char_typed = Some(typed_char);
+    self.mental_cursor_pos += 1;
+
+    Some(TypingEvent {
+      time: self.total_time,
+      action: TypingAction::Char(typed_char),
+    })
+  }
+
+  pub fn run(mut self) -> Vec<TypingEvent> {
+    let max_steps = self.target.len() * 10;
+    let mut events = Vec::new();
+    let mut steps = 0;
+    while let Some(event) = self.step() {
+      events.push(event);
+      steps += 1;
+      if steps > max_steps {
+        break;
+      }
+    }
+    events
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_generates_events() {
+    let typer = MarkovTyper::new("hello", Some(60.0));
+    let events = typer.run();
+    assert!(!events.is_empty());
+    // Final text should be "hello" — verify by replaying
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, "hello");
+  }
+
+  #[test]
+  fn test_timing_increases() {
+    let typer = MarkovTyper::new("test", Some(60.0));
+    let events = typer.run();
+    for window in events.windows(2) {
+      assert!(window[1].time >= window[0].time);
+    }
+  }
+
+  #[test]
+  fn test_empty_text() {
+    let typer = MarkovTyper::new("", Some(60.0));
+    let events = typer.run();
+    assert!(events.is_empty());
+  }
+
+  #[test]
+  fn test_chinese_text() {
+    let input = "你好世界";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+
+  #[test]
+  fn test_russian_text() {
+    let input = "Привет мир";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+
+  #[test]
+  fn test_japanese_text() {
+    let input = "東京タワー";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+
+  #[test]
+  fn test_mixed_latin_and_cjk() {
+    let input = "Hello 你好 world";
+    let typer = MarkovTyper::new(input, Some(60.0));
+    let events = typer.run();
+    let mut text = String::new();
+    for event in &events {
+      match &event.action {
+        TypingAction::Char(c) => text.push(*c),
+        TypingAction::Backspace => {
+          text.pop();
+        }
+      }
+    }
+    assert_eq!(text, input);
+  }
+}
@@ -55,6 +55,7 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
    let proxy = reqwest::Proxy::all(proxy_url)
      .map_err(|e| IpError::Network(format!("Invalid proxy: {}", e)))?;
    client_builder
+      .no_proxy()
      .proxy(proxy)
      .build()
      .map_err(|e| IpError::Network(e.to_string()))?
@@ -64,7 +65,7 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
      .map_err(|e| IpError::Network(e.to_string()))?
  };

-  let mut last_error = None;
+  let mut errors = Vec::new();

  for url in &urls {
    match client.get(*url).send().await {
@@ -76,21 +77,29 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
          }
        }
        Err(e) => {
-          last_error = Some(format!("Failed to read response from {}: {}", url, e));
+          errors.push(format!("{}: {}", url, e));
        }
      },
      Ok(response) => {
-        last_error = Some(format!("HTTP {} from {}", response.status(), url));
+        errors.push(format!("{}: HTTP {}", url, response.status()));
      }
      Err(e) => {
-        last_error = Some(format!("Request to {} failed: {}", url, e));
+        errors.push(format!("{}: {}", url, e));
      }
    }
  }

-  Err(IpError::Network(last_error.unwrap_or_else(|| {
-    "Failed to fetch public IP from any endpoint".to_string()
-  })))
+  if errors.is_empty() {
+    Err(IpError::Network(
+      "Failed to fetch public IP from any endpoint".to_string(),
+    ))
+  } else {
+    Err(IpError::Network(format!(
+      "All {} endpoints failed: {}",
+      errors.len(),
+      errors.join("; ")
+    )))
+  }
 }

 #[cfg(test)]
@@ -19,6 +19,7 @@ mod browser_version_manager;
 pub mod camoufox;
 mod camoufox_manager;
 mod default_browser;
+pub mod dns_blocklist;
 mod downloaded_browsers_registry;
 mod downloader;
 mod ephemeral_dirs;
@@ -26,6 +27,7 @@ mod extension_manager;
 mod extraction;
 mod geoip_downloader;
 mod group_manager;
+mod human_typing;
 mod ip_utils;
 mod platform_browser;
 mod profile;
@@ -36,6 +38,7 @@ pub mod proxy_server;
 pub mod proxy_storage;
 mod settings_manager;
 pub mod sync;
+mod synchronizer;
 pub mod traffic_stats;
 mod wayfern_manager;
 mod wayfern_terms;
@@ -45,6 +48,7 @@ mod commercial_license;
 mod cookie_manager;
 pub mod daemon;
 pub mod daemon_client;
+#[allow(dead_code)]
 mod daemon_spawn;
 pub mod daemon_ws;
 pub mod events;
@@ -62,8 +66,9 @@ use browser_runner::{

 use profile::manager::{
  check_browser_status, clone_profile, create_browser_profile_new, delete_profile,
-  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_note,
-  update_profile_proxy, update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
+  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_dns_blocklist,
+  update_profile_launch_hook, update_profile_note, update_profile_proxy,
+  update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
  update_wayfern_config,
 };

@@ -82,7 +87,7 @@ use downloader::{cancel_download, download_browser};

 use settings_manager::{
  decline_launch_on_login, dismiss_window_resize_warning, enable_launch_on_login, get_app_settings,
-  get_sync_settings, get_system_language, get_table_sorting_settings,
+  get_sync_settings, get_system_info, get_system_language, get_table_sorting_settings,
  get_window_resize_warning_dismissed, save_app_settings, save_sync_settings,
  save_table_sorting_settings, should_show_launch_on_login_prompt,
 };
@@ -207,11 +212,15 @@ async fn handle_url_open(app: tauri::AppHandle, url: String) -> Result<(), Strin
 async fn create_stored_proxy(
  app_handle: tauri::AppHandle,
  name: String,
-  proxy_settings: crate::browser::ProxySettings,
+  proxy_settings: Option<crate::browser::ProxySettings>,
 ) -> Result<crate::proxy_manager::StoredProxy, String> {
-  crate::proxy_manager::PROXY_MANAGER
-    .create_stored_proxy(&app_handle, name, proxy_settings)
-    .map_err(|e| format!("Failed to create stored proxy: {e}"))
+  if let Some(settings) = proxy_settings {
+    crate::proxy_manager::PROXY_MANAGER
+      .create_stored_proxy(&app_handle, name, settings)
+      .map_err(|e| format!("Failed to create stored proxy: {e}"))
+  } else {
+    Err("proxy_settings is required".to_string())
+  }
 }

 #[tauri::command]
@@ -241,10 +250,17 @@ async fn delete_stored_proxy(app_handle: tauri::AppHandle, proxy_id: String) ->
 #[tauri::command]
 async fn check_proxy_validity(
  proxy_id: String,
-  proxy_settings: crate::browser::ProxySettings,
+  proxy_settings: Option<crate::browser::ProxySettings>,
 ) -> Result<crate::proxy_manager::ProxyCheckResult, String> {
+  let settings = if let Some(s) = proxy_settings {
+    s
+  } else {
+    crate::proxy_manager::PROXY_MANAGER
+      .get_proxy_settings_by_id(&proxy_id)
+      .ok_or_else(|| format!("Proxy '{proxy_id}' not found"))?
+  };
  crate::proxy_manager::PROXY_MANAGER
-    .check_proxy_validity(&proxy_id, &proxy_settings)
+    .check_proxy_validity(&proxy_id, &settings)
    .await
 }

@@ -298,12 +314,6 @@ async fn copy_profile_cookies(
  app_handle: tauri::AppHandle,
  request: cookie_manager::CookieCopyRequest,
 ) -> Result<Vec<cookie_manager::CookieCopyResult>, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Cookie copying requires an active Pro subscription".to_string());
-  }
  let target_ids = request.target_profile_ids.clone();
  let results = cookie_manager::CookieManager::copy_cookies(&app_handle, request).await?;

@@ -339,12 +349,6 @@ async fn import_cookies_from_file(
  profile_id: String,
  content: String,
 ) -> Result<cookie_manager::CookieImportResult, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Cookie import requires an active Pro subscription".to_string());
-  }
  let result =
    cookie_manager::CookieManager::import_cookies(&app_handle, &profile_id, &content).await?;

@@ -368,12 +372,6 @@ async fn import_cookies_from_file(

 #[tauri::command]
 async fn export_profile_cookies(profile_id: String, format: String) -> Result<String, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Cookie export requires an active Pro subscription".to_string());
-  }
  cookie_manager::CookieManager::export_cookies(&profile_id, &format)
 }

@@ -434,7 +432,6 @@ fn get_mcp_server_status() -> bool {
 struct McpConfig {
  port: u16,
  token: String,
-  config_json: String,
 }

 #[tauri::command]
@@ -455,23 +452,283 @@ async fn get_mcp_config(app_handle: tauri::AppHandle) -> Result<Option<McpConfig
    .map_err(|e| format!("Failed to get MCP token: {e}"))?
    .ok_or("MCP token not found")?;

-  let config_json = serde_json::json!({
-    "mcpServers": {
-      "donut-browser": {
-        "url": format!("http://127.0.0.1:{}/mcp", port),
-        "headers": {
-          "Authorization": format!("Bearer {}", token)
-        }
+  Ok(Some(McpConfig { port, token }))
+}
+
+fn claude_desktop_extension_dir() -> Option<std::path::PathBuf> {
+  #[cfg(target_os = "macos")]
+  {
+    dirs::home_dir().map(|h| {
+      h.join("Library")
+        .join("Application Support")
+        .join("Claude")
+        .join("Claude Extensions")
+        .join("local.mcpb.donut-browser.donut-browser")
+    })
+  }
+  #[cfg(target_os = "windows")]
+  {
+    std::env::var("APPDATA").ok().map(|appdata| {
+      std::path::PathBuf::from(appdata)
+        .join("Claude")
+        .join("Claude Extensions")
+        .join("local.mcpb.donut-browser.donut-browser")
+    })
+  }
+  #[cfg(target_os = "linux")]
+  {
+    dirs::config_dir().map(|c| {
+      c.join("Claude")
+        .join("Claude Extensions")
+        .join("local.mcpb.donut-browser.donut-browser")
+    })
+  }
+}
+
+#[tauri::command]
+fn is_mcp_in_claude_desktop() -> Result<bool, String> {
+  let dir = claude_desktop_extension_dir().ok_or("Unsupported platform")?;
+  Ok(dir.join("manifest.json").exists())
+}
+
+#[tauri::command]
+async fn add_mcp_to_claude_desktop(app_handle: tauri::AppHandle) -> Result<(), String> {
+  let mcp_server = mcp_server::McpServer::instance();
+  let port = mcp_server.get_port().ok_or("MCP server is not running")?;
+
+  let settings_manager = settings_manager::SettingsManager::instance();
+  let token = settings_manager
+    .get_mcp_token(&app_handle)
+    .await
+    .map_err(|e| format!("Failed to get MCP token: {e}"))?
+    .ok_or("MCP token not found")?;
+
+  let ext_dir = claude_desktop_extension_dir().ok_or("Unsupported platform")?;
+  let server_dir = ext_dir.join("server");
+  std::fs::create_dir_all(&server_dir)
+    .map_err(|e| format!("Failed to create extension directory: {e}"))?;
+
+  let mcp_url = format!("http://127.0.0.1:{port}/mcp/{token}");
+
+  let manifest = serde_json::json!({
+    "manifest_version": "0.3",
+    "name": "donut-browser",
+    "display_name": "Donut Browser",
+    "version": env!("CARGO_PKG_VERSION"),
+    "description": "Control Donut Browser profiles, proxies, and automation via MCP",
+    "author": { "name": "Donut Browser" },
+    "tools_generated": true,
+    "server": {
+      "type": "node",
+      "entry_point": "server/index.js",
+      "mcp_config": {
+        "command": "node",
+        "args": ["${__dirname}/server/index.js"],
+        "env": {}
+      }
+    },
+    "license": "AGPL-3.0"
+  });
+  std::fs::write(
+    ext_dir.join("manifest.json"),
+    serde_json::to_string_pretty(&manifest)
+      .map_err(|e| format!("Failed to serialize manifest: {e}"))?,
+  )
+  .map_err(|e| format!("Failed to write manifest: {e}"))?;
+
+  let bridge_js = format!(
+    r#"#!/usr/bin/env node
+const http = require("http");
+const readline = require("readline");
+const MCP_URL = "{mcp_url}";
+let sid = null;
+function post(line) {{
+  return new Promise((resolve, reject) => {{
+    const u = new URL(MCP_URL);
+    const o = {{
+      hostname: u.hostname, port: u.port, path: u.pathname, method: "POST",
+      headers: {{ "Content-Type": "application/json", Accept: "application/json" }},
+    }};
+    if (sid) o.headers["mcp-session-id"] = sid;
+    const r = http.request(o, (res) => {{
+      const s = res.headers["mcp-session-id"];
+      if (s) sid = s;
+      let b = "";
+      res.on("data", (c) => (b += c));
+      res.on("end", () => resolve(b));
+    }});
+    r.on("error", reject);
+    r.write(line);
+    r.end();
+  }});
+}}
+const rl = readline.createInterface({{ input: process.stdin, crlfDelay: Infinity }});
+rl.on("line", (line) => {{
+  if (!line.trim()) return;
+  let notif = false;
+  try {{ notif = JSON.parse(line).id == null; }} catch {{}}
+  post(line).then((b) => {{
+    if (!notif && b.trim()) process.stdout.write(b.trim() + "\n");
+  }}).catch((e) => {{
+    if (!notif) process.stdout.write(JSON.stringify({{
+      jsonrpc: "2.0", id: null, error: {{ code: -32000, message: "HTTP error: " + e.message }}
+    }}) + "\n");
+  }});
+}});
+rl.on("close", () => setTimeout(() => process.exit(0), 500));
+"#
+  );
+  std::fs::write(server_dir.join("index.js"), bridge_js)
+    .map_err(|e| format!("Failed to write bridge script: {e}"))?;
+
+  // Update the extensions-installations.json registry so Claude Desktop picks it up
+  update_claude_extensions_registry("local.mcpb.donut-browser.donut-browser", Some(manifest))?;
+
+  Ok(())
+}
+
+#[tauri::command]
+fn remove_mcp_from_claude_desktop() -> Result<(), String> {
+  let ext_dir = claude_desktop_extension_dir().ok_or("Unsupported platform")?;
+  if ext_dir.exists() {
+    std::fs::remove_dir_all(&ext_dir).map_err(|e| format!("Failed to remove extension: {e}"))?;
+  }
+  update_claude_extensions_registry("local.mcpb.donut-browser.donut-browser", None)?;
+  Ok(())
+}
+
+fn update_claude_extensions_registry(
+  ext_id: &str,
+  manifest: Option<serde_json::Value>,
+) -> Result<(), String> {
+  let registry_path = claude_desktop_extension_dir()
+    .ok_or("Unsupported platform")?
+    .parent()
+    .and_then(|p| p.parent())
+    .map(|p| p.join("extensions-installations.json"))
+    .ok_or("Failed to resolve registry path")?;
+
+  let mut registry: serde_json::Value = if registry_path.exists() {
+    let content = std::fs::read_to_string(&registry_path)
+      .map_err(|e| format!("Failed to read registry: {e}"))?;
+    serde_json::from_str(&content).unwrap_or(serde_json::json!({"extensions": {}}))
+  } else {
+    serde_json::json!({"extensions": {}})
+  };
+
+  if registry.get("extensions").is_none() {
+    registry["extensions"] = serde_json::json!({});
+  }
+
+  match manifest {
+    Some(m) => {
+      registry["extensions"][ext_id] = serde_json::json!({
+        "id": ext_id,
+        "version": m.get("version").and_then(|v| v.as_str()).unwrap_or("0.0.0"),
+        "hash": "",
+        "installedAt": chrono::Utc::now().to_rfc3339(),
+        "manifest": m,
+        "signatureInfo": { "status": "unsigned" },
+        "source": "local"
+      });
+    }
+    None => {
+      if let Some(exts) = registry
+        .get_mut("extensions")
+        .and_then(|e| e.as_object_mut())
+      {
+        exts.remove(ext_id);
      }
    }
-  })
-  .to_string();
+  }

-  Ok(Some(McpConfig {
-    port,
-    token,
-    config_json,
-  }))
+  let output =
+    serde_json::to_string(&registry).map_err(|e| format!("Failed to serialize registry: {e}"))?;
+  let tmp = registry_path.with_extension("json.tmp");
+  std::fs::write(&tmp, &output).map_err(|e| format!("Failed to write registry: {e}"))?;
+  std::fs::rename(&tmp, &registry_path).map_err(|e| format!("Failed to save registry: {e}"))?;
+  Ok(())
+}
+
+fn find_claude_cli() -> Option<std::path::PathBuf> {
+  let mut candidates: Vec<std::path::PathBuf> = vec![
+    std::path::PathBuf::from("/usr/local/bin/claude"),
+    std::path::PathBuf::from("/opt/homebrew/bin/claude"),
+  ];
+  if let Some(home) = dirs::home_dir() {
+    candidates.insert(0, home.join(".local/bin/claude"));
+    candidates.push(home.join(".claude/local/claude"));
+  }
+  #[cfg(windows)]
+  if let Ok(appdata) = std::env::var("APPDATA") {
+    candidates.insert(
+      0,
+      std::path::PathBuf::from(appdata).join("Claude/claude.exe"),
+    );
+  }
+  for p in &candidates {
+    if p.exists() {
+      return Some(p.clone());
+    }
+  }
+  None
+}
+
+#[tauri::command]
+fn is_mcp_in_claude_code() -> Result<bool, String> {
+  let cli = find_claude_cli().ok_or("Claude Code CLI not found")?;
+  let output = std::process::Command::new(&cli)
+    .args(["mcp", "list"])
+    .output()
+    .map_err(|e| format!("Failed to run claude: {e}"))?;
+  let stdout = String::from_utf8_lossy(&output.stdout);
+  Ok(stdout.contains("donut-browser"))
+}
+
+#[tauri::command]
+async fn add_mcp_to_claude_code(app_handle: tauri::AppHandle) -> Result<(), String> {
+  let cli = find_claude_cli().ok_or("Claude Code CLI not found")?;
+
+  let mcp_server = mcp_server::McpServer::instance();
+  let port = mcp_server.get_port().ok_or("MCP server is not running")?;
+
+  let settings_manager = settings_manager::SettingsManager::instance();
+  let token = settings_manager
+    .get_mcp_token(&app_handle)
+    .await
+    .map_err(|e| format!("Failed to get MCP token: {e}"))?
+    .ok_or("MCP token not found")?;
+
+  let url = format!("http://127.0.0.1:{port}/mcp/{token}");
+
+  let _ = std::process::Command::new(&cli)
+    .args(["mcp", "remove", "donut-browser"])
+    .output();
+
+  let output = std::process::Command::new(&cli)
+    .args(["mcp", "add", "--transport", "http", "donut-browser", &url])
+    .output()
+    .map_err(|e| format!("Failed to run claude: {e}"))?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    return Err(format!("Failed to add MCP to Claude Code: {stderr}"));
+  }
+  Ok(())
+}
+
+#[tauri::command]
+fn remove_mcp_from_claude_code() -> Result<(), String> {
+  let cli = find_claude_cli().ok_or("Claude Code CLI not found")?;
+  let output = std::process::Command::new(&cli)
+    .args(["mcp", "remove", "donut-browser"])
+    .output()
+    .map_err(|e| format!("Failed to run claude: {e}"))?;
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    return Err(format!("Failed to remove MCP from Claude Code: {stderr}"));
+  }
+  Ok(())
 }

 #[tauri::command]
@@ -512,6 +769,42 @@ async fn download_geoip_database(app_handle: tauri::AppHandle) -> Result<(), Str
 }

 // VPN commands
+#[derive(serde::Serialize)]
+#[serde(rename_all = "camelCase")]
+struct VpnDependencyStatus {
+  is_available: bool,
+  requires_external_install: bool,
+  missing_binary: bool,
+  missing_windows_adapter: bool,
+  dependency_check_failed: bool,
+}
+
+#[tauri::command]
+async fn get_vpn_dependency_status(vpn_type: vpn::VpnType) -> Result<VpnDependencyStatus, String> {
+  match vpn_type {
+    vpn::VpnType::WireGuard => Ok(VpnDependencyStatus {
+      is_available: true,
+      requires_external_install: false,
+      missing_binary: false,
+      missing_windows_adapter: false,
+      dependency_check_failed: false,
+    }),
+    vpn::VpnType::OpenVPN => {
+      let status = crate::vpn::openvpn_socks5::OpenVpnSocks5Server::dependency_status();
+      let is_available =
+        status.binary_found && !status.missing_windows_adapter && !status.dependency_check_failed;
+
+      Ok(VpnDependencyStatus {
+        is_available,
+        requires_external_install: true,
+        missing_binary: !status.binary_found,
+        missing_windows_adapter: status.missing_windows_adapter,
+        dependency_check_failed: status.dependency_check_failed,
+      })
+    }
+  }
+}
+
 #[tauri::command]
 async fn import_vpn_config(
  content: String,
@@ -685,45 +978,81 @@ async fn check_vpn_validity(
    .unwrap_or_default()
    .as_secs();

-  // Start a temporary VPN worker to send real traffic
+  let had_existing_worker = vpn_worker_storage::find_vpn_worker_by_vpn_id(&vpn_id).is_some();
+
  let vpn_worker = vpn_worker_runner::start_vpn_worker(&vpn_id)
    .await
    .map_err(|e| format!("Failed to start VPN worker: {e}"))?;

-  let socks_url = format!("socks5://127.0.0.1:{}", vpn_worker.local_port.unwrap_or(0));
+  let socks_url = format!(
+    "socks5://127.0.0.1:{}",
+    vpn_worker.local_port.unwrap_or_default()
+  );

-  // Fetch public IP through the VPN SOCKS5 proxy
-  let result = match ip_utils::fetch_public_ip(Some(&socks_url)).await {
-    Ok(ip) => {
-      let (city, country, country_code) =
-        crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
-          .await
-          .unwrap_or_default();
-
-      crate::proxy_manager::ProxyCheckResult {
-        ip,
-        city,
-        country,
-        country_code,
-        timestamp: now,
-        is_valid: true,
-      }
-    }
-    Err(e) => {
-      log::warn!("VPN check failed to fetch public IP: {e}");
-      crate::proxy_manager::ProxyCheckResult {
-        ip: String::new(),
-        city: None,
-        country: None,
-        country_code: None,
-        timestamp: now,
-        is_valid: false,
+  let local_proxy = crate::proxy_runner::start_proxy_process(Some(socks_url), None)
+    .await
+    .map_err(|error| error.to_string());
+  let local_proxy = match local_proxy {
+    Ok(proxy) => proxy,
+    Err(error_message) => {
+      if !had_existing_worker {
+        let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
      }
+      return Err(format!("Failed to start validation proxy: {error_message}"));
    }
  };

-  // Stop the temporary VPN worker
-  let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+  let local_proxy_url = format!(
+    "http://127.0.0.1:{}",
+    local_proxy.local_port.unwrap_or_default()
+  );
+
+  let mut result = None;
+  for attempt in 0..3 {
+    if attempt > 0 {
+      tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+    }
+
+    match ip_utils::fetch_public_ip(Some(&local_proxy_url)).await {
+      Ok(ip) => {
+        let (city, country, country_code) =
+          crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
+            .await
+            .unwrap_or_default();
+
+        result = Some(crate::proxy_manager::ProxyCheckResult {
+          ip,
+          city,
+          country,
+          country_code,
+          timestamp: now,
+          is_valid: true,
+        });
+        break;
+      }
+      Err(error) => {
+        log::warn!(
+          "VPN validation attempt {} failed to fetch public IP through donut-proxy: {}",
+          attempt + 1,
+          error
+        );
+      }
+    }
+  }
+
+  let _ = crate::proxy_runner::stop_proxy_process(&local_proxy.id).await;
+  if !had_existing_worker {
+    let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+  }
+
+  let result = result.unwrap_or(crate::proxy_manager::ProxyCheckResult {
+    ip: String::new(),
+    city: None,
+    country: None,
+    country_code: None,
+    timestamp: now,
+    is_valid: false,
+  });

  Ok(result)
 }
@@ -816,6 +1145,7 @@ async fn generate_sample_fingerprint(
    process_id: None,
    proxy_id: None,
    vpn_id: None,
+    launch_hook: None,
    last_launch: None,
    release_type: "stable".to_string(),
    camoufox_config: None,
@@ -832,6 +1162,7 @@ async fn generate_sample_fingerprint(
    proxy_bypass_rules: Vec::new(),
    created_by_id: None,
    created_by_email: None,
+    dns_blocklist: None,
  };

  if browser == "camoufox" {
@@ -925,38 +1256,13 @@ pub fn run() {
        mgr.ensure_icons_extracted();
      }

-      // Start the daemon for tray icon
-      if let Err(e) = daemon_spawn::ensure_daemon_running() {
-        log::warn!("Failed to start daemon: {e}");
-      }
-
-      // Register this GUI's PID in daemon state so the daemon can kill us directly
-      daemon_spawn::register_gui_pid();
-
-      // Monitor daemon health - quit GUI if daemon dies
-      tauri::async_runtime::spawn(async move {
-        // Give the daemon time to fully start
-        tokio::time::sleep(tokio::time::Duration::from_secs(3)).await;
-
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(1));
-        interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
-
-        loop {
-          interval.tick().await;
-
-          let is_running = tokio::task::spawn_blocking(daemon_spawn::is_daemon_running)
-            .await
-            .unwrap_or(false);
-
-          if !is_running {
-            log::warn!("Daemon is no longer running, quitting GUI immediately");
-            // Use process::exit for immediate termination. Tauri's exit()
-            // triggers a slow graceful shutdown that can take over a minute
-            // waiting for async tasks (sync, version updater, etc.) to finish.
-            std::process::exit(0);
-          }
+      // Daemon (tray icon) is currently disabled — clean up any existing autostart
+      if daemon::autostart::is_autostart_enabled() {
+        log::info!("Removing daemon autostart (daemon is disabled)");
+        if let Err(e) = daemon::autostart::disable_autostart() {
+          log::warn!("Failed to remove daemon autostart: {e}");
        }
-      });
+      }

      // Create the main window programmatically
      #[allow(unused_variables)]
@@ -1068,41 +1374,18 @@ pub fn run() {
        version_updater::VersionUpdater::run_background_task().await;
      });

-      // TODO(v0.17+): Remove this migration block after a few releases.
-      // Migrate proxy/VPN worker configs from old proxies/ dir to new proxy_workers/ cache dir.
-      // Before v0.16, ephemeral worker configs (proxy_*, vpnw_*) lived alongside persistent
-      // StoredProxy files in proxies/. Now they live in cache_dir/proxy_workers/.
+      // Auto-start MCP server if it was previously enabled
      {
-        let old_dir = crate::app_dirs::proxies_dir();
-        let new_dir = crate::app_dirs::proxy_workers_dir();
-        if old_dir.exists() {
-          if let Err(e) = std::fs::create_dir_all(&new_dir) {
-            log::error!("Failed to create proxy_workers dir: {e}");
-          } else if let Ok(entries) = std::fs::read_dir(&old_dir) {
-            for entry in entries.flatten() {
-              let path = entry.path();
-              if let Some(name) = path.file_name().and_then(|n| n.to_str()) {
-                if (name.starts_with("proxy_") || name.starts_with("vpnw_"))
-                  && name.ends_with(".json")
-                {
-                  let dest = new_dir.join(name);
-                  match std::fs::rename(&path, &dest) {
-                    Ok(()) => log::info!("Migrated worker config {name} to proxy_workers/"),
-                    Err(e) => {
-                      // rename fails across filesystems, fall back to copy+delete
-                      if let Ok(content) = std::fs::read(&path) {
-                        if std::fs::write(&dest, &content).is_ok() {
-                          let _ = std::fs::remove_file(&path);
-                          log::info!("Migrated worker config {name} to proxy_workers/ (copy)");
-                        }
-                      } else {
-                        log::warn!("Failed to migrate worker config {name}: {e}");
-                      }
-                    }
-                  }
-                }
+        let mcp_handle = app.handle().clone();
+        let settings_mgr = settings_manager::SettingsManager::instance();
+        if let Ok(settings) = settings_mgr.load_settings() {
+          if settings.mcp_enabled {
+            tauri::async_runtime::spawn(async move {
+              match mcp_server::McpServer::instance().start(mcp_handle).await {
+                Ok(port) => log::info!("MCP server auto-started on port {port}"),
+                Err(e) => log::warn!("Failed to auto-start MCP server: {e}"),
              }
-            }
+            });
          }
        }
      }
@@ -1133,6 +1416,88 @@ pub fn run() {
        }
      }

+      // Kill orphaned proxy and VPN worker processes from previous app runs.
+      // Since active_proxies is an in-memory map that starts empty, any running
+      // donut-proxy workers on disk must be orphans the current app can't track.
+      // Without this cleanup, users on Windows accumulate dozens of idle workers
+      // (one per profile launch) that the periodic cleanup won't touch because
+      // profile-associated workers are deliberately skipped to avoid regressions.
+      //
+      // Preserves workers whose associated profile still has a running browser
+      // process — if the app crashed while a browser was running, its detached
+      // browser keeps going and needs the proxy/VPN worker to stay alive.
+      tauri::async_runtime::spawn(async move {
+        use crate::proxy_storage::{delete_proxy_config, is_process_running, list_proxy_configs};
+        use crate::vpn_worker_storage::{delete_vpn_worker_config, list_vpn_worker_configs};
+
+        // Build sets of (profile_id, vpn_id) whose browsers are still running
+        let profile_manager = crate::profile::ProfileManager::instance();
+        let profiles = profile_manager.list_profiles().unwrap_or_default();
+
+        let running_profile_ids: std::collections::HashSet<String> = profiles
+          .iter()
+          .filter(|p| p.process_id.is_some_and(is_process_running))
+          .map(|p| p.id.to_string())
+          .collect();
+
+        let running_vpn_ids: std::collections::HashSet<String> = profiles
+          .iter()
+          .filter(|p| p.process_id.is_some_and(is_process_running))
+          .filter_map(|p| p.vpn_id.clone())
+          .collect();
+
+        for config in list_proxy_configs() {
+          let has_running_browser = config
+            .profile_id
+            .as_ref()
+            .is_some_and(|pid| running_profile_ids.contains(pid));
+          if has_running_browser {
+            log::info!(
+              "Startup: preserving proxy worker {} (profile browser still running)",
+              config.id
+            );
+            continue;
+          }
+
+          if let Some(pid) = config.pid {
+            if is_process_running(pid) {
+              log::info!(
+                "Startup: killing orphaned proxy worker {} (PID {})",
+                config.id,
+                pid
+              );
+              let _ = crate::proxy_runner::stop_proxy_process(&config.id).await;
+              continue;
+            }
+          }
+          delete_proxy_config(&config.id);
+        }
+
+        for worker in list_vpn_worker_configs() {
+          if running_vpn_ids.contains(&worker.vpn_id) {
+            log::info!(
+              "Startup: preserving VPN worker {} (profile browser using vpn_id {} still running)",
+              worker.id,
+              worker.vpn_id
+            );
+            continue;
+          }
+
+          if let Some(pid) = worker.pid {
+            if is_process_running(pid) {
+              log::info!(
+                "Startup: killing orphaned VPN worker {} (PID {})",
+                worker.id,
+                pid
+              );
+              let _ = crate::vpn_worker_runner::stop_vpn_worker(&worker.id).await;
+              continue;
+            }
+          }
+          delete_vpn_worker_config(&worker.id);
+        }
+      });
+
      // Immediately bump non-running profiles to the latest installed browser version.
      // This runs synchronously before any network calls so profiles are updated on launch.
      {
@@ -1210,6 +1575,17 @@ pub fn run() {
        }
      });

+      // DNS blocklist refresh task (every 12 hours)
+      tauri::async_runtime::spawn(async move {
+        let manager = dns_blocklist::BlocklistManager::instance();
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(43200));
+        interval.tick().await; // Skip the immediate first tick
+        loop {
+          interval.tick().await;
+          manager.refresh_all_stale().await;
+        }
+      });
+
      tauri::async_runtime::spawn(async move {
        let updater = app_auto_updater::AppAutoUpdater::instance();
        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(3 * 60 * 60));
@@ -1243,7 +1619,7 @@ pub fn run() {
      let _app_handle_cleanup = app.handle().clone();
      tauri::async_runtime::spawn(async move {
        let camoufox_manager = crate::camoufox_manager::CamoufoxManager::instance();
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(5));
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(60));

        loop {
          interval.tick().await;
@@ -1317,19 +1693,27 @@ pub fn run() {
        }
      });

-      // Periodically broadcast browser running status to the frontend
+      // Periodically broadcast browser running status to the frontend.
+      // When no profiles have stored PIDs (nothing was ever launched this
+      // session), we use a long interval (30s) to avoid burning CPU on
+      // full process-table scans via sysinfo. Once any profile is running
+      // we switch to the fast interval (5s) for responsive UI updates.
      let app_handle_status = app.handle().clone();
      tauri::async_runtime::spawn(async move {
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(5));
+        const FAST_INTERVAL_SECS: u64 = 5;
+        const IDLE_INTERVAL_SECS: u64 = 30;
+
+        let mut interval =
+          tokio::time::interval(tokio::time::Duration::from_secs(FAST_INTERVAL_SECS));
        interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
        let mut last_running_states: std::collections::HashMap<String, bool> =
          std::collections::HashMap::new();
+        let mut current_interval_secs = FAST_INTERVAL_SECS;

        loop {
          interval.tick().await;

          let runner = crate::browser_runner::BrowserRunner::instance();
-          // If listing profiles fails, skip this tick
          let profiles = match runner.profile_manager.list_profiles() {
            Ok(p) => p,
            Err(e) => {
@@ -1338,6 +1722,30 @@ pub fn run() {
            }
          };

+          // If no profile has a stored PID and we have no previously-known
+          // running states, there's nothing to check — skip the expensive
+          // process scan entirely.
+          let any_has_pid = profiles.iter().any(|p| p.process_id.is_some());
+          let any_was_running = last_running_states.values().any(|&v| v);
+
+          if !any_has_pid && !any_was_running {
+            // Switch to the idle interval to reduce CPU
+            if current_interval_secs != IDLE_INTERVAL_SECS {
+              current_interval_secs = IDLE_INTERVAL_SECS;
+              interval =
+                tokio::time::interval(tokio::time::Duration::from_secs(IDLE_INTERVAL_SECS));
+              interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+            }
+            continue;
+          }
+
+          // At least one profile might be running — use the fast interval
+          if current_interval_secs != FAST_INTERVAL_SECS {
+            current_interval_secs = FAST_INTERVAL_SECS;
+            interval = tokio::time::interval(tokio::time::Duration::from_secs(FAST_INTERVAL_SECS));
+            interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+          }
+
          for profile in profiles {
            // Check browser status and track changes
            match runner
@@ -1386,12 +1794,8 @@ pub fn run() {
                    if is_running {
                      scheduler.mark_profile_running(&profile_id).await;
                    } else {
+                      // Sync was queued at launch; mark_profile_stopped triggers it
                      scheduler.mark_profile_stopped(&profile_id).await;
-                      // Queue sync after profile stops (if sync is enabled)
-                      if profile.is_sync_enabled() {
-                        log::info!("Profile '{}' stopped, queuing sync", profile.name);
-                        scheduler.queue_profile_sync(profile_id.clone()).await;
-                      }
                    }
                  }

@@ -1499,7 +1903,7 @@ pub fn run() {
              }
            }
            Err(e) => {
-              log::debug!("Sync not configured, skipping missing profile check: {}", e);
+              log::warn!("Sync not configured, skipping missing profile check: {}", e);
            }
          }

@@ -1556,7 +1960,9 @@ pub fn run() {
      update_profile_vpn,
      update_profile_tags,
      update_profile_note,
+      update_profile_launch_hook,
      update_profile_proxy_bypass_rules,
+      update_profile_dns_blocklist,
      check_browser_status,
      kill_browser_profile,
      rename_profile,
@@ -1568,6 +1974,7 @@ pub fn run() {
      get_table_sorting_settings,
      save_table_sorting_settings,
      get_system_language,
+      get_system_info,
      dismiss_window_resize_warning,
      get_window_resize_warning_dismissed,
      clear_all_version_cache_and_refetch,
@@ -1661,7 +2068,14 @@ pub fn run() {
      stop_mcp_server,
      get_mcp_server_status,
      get_mcp_config,
+      is_mcp_in_claude_desktop,
+      add_mcp_to_claude_desktop,
+      remove_mcp_from_claude_desktop,
+      is_mcp_in_claude_code,
+      add_mcp_to_claude_code,
+      remove_mcp_from_claude_code,
      // VPN commands
+      get_vpn_dependency_status,
      import_vpn_config,
      list_vpn_configs,
      get_vpn_config,
@@ -1691,6 +2105,14 @@ pub fn run() {
      // Team lock commands
      team_lock::get_team_locks,
      team_lock::get_team_lock_status,
+      // Synchronizer commands
+      synchronizer::start_sync_session,
+      synchronizer::stop_sync_session,
+      synchronizer::remove_sync_follower,
+      synchronizer::get_sync_sessions,
+      // DNS blocklist commands
+      dns_blocklist::get_dns_blocklist_cache_status,
+      dns_blocklist::refresh_dns_blocklists,
    ])
    .build(tauri::generate_context!())
    .expect("error while building tauri application")
@@ -5,6 +5,7 @@ use std::process::Command;

 // Platform-specific modules
 #[cfg(target_os = "macos")]
+#[allow(dead_code)]
 pub mod macos {
  use super::*;
  use sysinfo::{Pid, System};
@@ -88,96 +89,17 @@ pub mod macos {
      }
    }

-    // Fallback: Use AppleScript
-    let escaped_url = url
-      .replace("\"", "\\\"")
-      .replace("\\", "\\\\")
-      .replace("'", "\\'");
-
-    let script = format!(
-      r#"
-try
-  tell application "System Events"
-    -- Find the exact process by PID
-    set targetProcess to (first application process whose unix id is {pid})
-    
-    -- Verify the process exists
-    if not (exists targetProcess) then
-      error "No process found with PID {pid}"
-    end if
-    
-    -- Get the process name for verification
-    set processName to name of targetProcess
-    
-    -- Bring the process to the front first
-    set frontmost of targetProcess to true
-    delay 1.0
-    
-    -- Check if the process has any visible windows
-    set windowList to windows of targetProcess
-    set hasVisibleWindow to false
-    repeat with w in windowList
-      if visible of w is true then
-        set hasVisibleWindow to true
-        exit repeat
-      end if
-    end repeat
-    
-    if not hasVisibleWindow then
-      -- No visible windows, create a new one
-      tell targetProcess
-        keystroke "n" using command down
-        delay 2.0
-      end tell
-    end if
-    
-    -- Ensure the process is frontmost again
-    set frontmost of targetProcess to true
-    delay 0.5
-    
-    -- Focus on the address bar and open URL
-    tell targetProcess
-      -- Open a new tab
-      keystroke "t" using command down
-      delay 1.5
-      
-      -- Focus address bar (Cmd+L)
-      keystroke "l" using command down
-      delay 0.5
-      
-      -- Type the URL
-      keystroke "{escaped_url}"
-      delay 0.5
-      
-      -- Press Enter to navigate
-      keystroke return
-    end tell
-    
-    return "Successfully opened URL in " & processName & " (PID: {pid})"
-  end tell
-on error errMsg number errNum
-  return "AppleScript failed: " & errMsg & " (Error " & errNum & ")"
-end try
-      "#
-    );
-
-    log::info!("Executing AppleScript fallback for Firefox-based browser (PID: {pid})...");
-    let output = Command::new("osascript").args(["-e", &script]).output()?;
-
-    if !output.status.success() {
-      let error_msg = String::from_utf8_lossy(&output.stderr);
-      log::info!("AppleScript failed: {error_msg}");
-      return Err(
-        format!(
-          "Both Firefox remote command and AppleScript failed. AppleScript error: {error_msg}"
-        )
-        .into(),
-      );
-    } else {
-      log::info!("AppleScript succeeded");
-    }
-
-    Ok(())
+    // The Firefox `-new-tab` remote command failed. We intentionally do NOT
+    // fall back to an AppleScript `System Events` keystroke path: that would
+    // send Apple Events to another application and trigger the macOS TCC
+    // "<Donut> wants control of <Browser>" / "prevented from modifying other
+    // apps" prompts. Donut must never touch other apps on the user's Mac.
+    Err(
+      format!(
+        "Firefox remote command failed for PID {pid}; cannot open URL in existing window without touching other apps"
+      )
+      .into(),
+    )
  }

  pub async fn kill_browser_process_impl(
@@ -377,97 +299,23 @@ end try
      }
    }

-    // Fallback to AppleScript
-    let escaped_url = url
-      .replace("\"", "\\\"")
-      .replace("\\", "\\\\")
-      .replace("'", "\\'");
-
-    let script = format!(
-      r#"
-try
-  tell application "System Events"
-    -- Find the exact process by PID
-    set targetProcess to (first application process whose unix id is {pid})
-    
-    -- Verify the process exists
-    if not (exists targetProcess) then
-      error "No process found with PID {pid}"
-    end if
-    
-    -- Get the process name for verification
-    set processName to name of targetProcess
-    
-    -- Bring the process to the front first
-    set frontmost of targetProcess to true
-    delay 1.0
-    
-    -- Check if the process has any visible windows
-    set windowList to windows of targetProcess
-    set hasVisibleWindow to false
-    repeat with w in windowList
-      if visible of w is true then
-        set hasVisibleWindow to true
-        exit repeat
-      end if
-    end repeat
-    
-    if not hasVisibleWindow then
-      -- No visible windows, create a new one
-      tell targetProcess
-        keystroke "n" using command down
-        delay 2.0
-      end tell
-    end if
-    
-    -- Ensure the process is frontmost again
-    set frontmost of targetProcess to true
-    delay 0.5
-    
-    -- Focus on the address bar and open URL
-    tell targetProcess
-      -- Open a new tab
-      keystroke "t" using command down
-      delay 1.5
-      
-      -- Focus address bar (Cmd+L)
-      keystroke "l" using command down
-      delay 0.5
-      
-      -- Type the URL
-      keystroke "{escaped_url}"
-      delay 0.5
-      
-      -- Press Enter to navigate
-      keystroke return
-    end tell
-    
-    return "Successfully opened URL in " & processName & " (PID: {pid})"
-  end tell
-on error errMsg number errNum
-  return "AppleScript failed: " & errMsg & " (Error " & errNum & ")"
-end try
-      "#
-    );
-
-    log::info!("Executing AppleScript for Chromium-based browser (PID: {pid})...");
-    let output = Command::new("osascript").args(["-e", &script]).output()?;
-
-    if !output.status.success() {
-      let error_msg = String::from_utf8_lossy(&output.stderr);
-      log::info!("AppleScript failed: {error_msg}");
-      return Err(
-        format!("Failed to open URL in existing Chromium-based browser: {error_msg}").into(),
-      );
-    } else {
-      log::info!("AppleScript succeeded");
-    }
-
-    Ok(())
+    // The Chromium `--user-data-dir=<path> <url>` remote command failed.
+    // We intentionally do NOT fall back to an AppleScript `System Events`
+    // keystroke path: that would send Apple Events to another application
+    // and trigger the macOS TCC "<Donut> wants control of <Browser>" /
+    // "prevented from modifying other apps" prompts. Donut must never touch
+    // other apps on the user's Mac.
+    Err(
+      format!(
+        "Chromium remote command failed for PID {pid}; cannot open URL in existing window without touching other apps"
+      )
+      .into(),
+    )
  }
 }

 #[cfg(target_os = "windows")]
+#[allow(dead_code)]
 pub mod windows {
  use super::*;

@@ -680,6 +528,7 @@ pub mod windows {
 }

 #[cfg(target_os = "linux")]
+#[allow(dead_code)]
 pub mod linux {
  use super::*;

@@ -10,6 +10,7 @@ use crate::wayfern_manager::WayfernConfig;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};
 use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};
+use url::Url;

 pub struct ProfileManager {
  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
@@ -36,6 +37,25 @@ impl ProfileManager {
    crate::app_dirs::binaries_dir()
  }

+  fn normalize_launch_hook(
+    launch_hook: Option<String>,
+  ) -> Result<Option<String>, Box<dyn std::error::Error>> {
+    let Some(raw) = launch_hook else {
+      return Ok(None);
+    };
+
+    let trimmed = raw.trim();
+    if trimmed.is_empty() {
+      return Ok(None);
+    }
+
+    let parsed = Url::parse(trimmed).map_err(|e| format!("Invalid launch hook URL: {e}"))?;
+    match parsed.scheme() {
+      "http" | "https" => Ok(Some(parsed.to_string())),
+      _ => Err("Launch hook URL must use http or https".into()),
+    }
+  }
+
  #[allow(clippy::too_many_arguments)]
  pub async fn create_profile_with_group(
    &self,
@@ -50,11 +70,15 @@ impl ProfileManager {
    wayfern_config: Option<WayfernConfig>,
    group_id: Option<String>,
    ephemeral: bool,
+    dns_blocklist: Option<String>,
+    launch_hook: Option<String>,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
    if proxy_id.is_some() && vpn_id.is_some() {
      return Err("Cannot set both proxy_id and vpn_id".into());
    }

+    let launch_hook = Self::normalize_launch_hook(launch_hook)?;
+
    // Sync cloud proxy credentials if the profile uses a cloud or cloud-derived proxy
    if let Some(ref pid) = proxy_id {
      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
@@ -94,29 +118,6 @@ impl ProfileManager {
        crate::camoufox_manager::CamoufoxConfig::default()
      });

-      // Always ensure executable_path is set to the user's binary location
-      if config.executable_path.is_none() {
-        let mut browser_dir = self.get_binaries_dir();
-        browser_dir.push(browser);
-        browser_dir.push(version);
-
-        #[cfg(target_os = "macos")]
-        let binary_path = browser_dir
-          .join("Camoufox.app")
-          .join("Contents")
-          .join("MacOS")
-          .join("camoufox");
-
-        #[cfg(target_os = "windows")]
-        let binary_path = browser_dir.join("camoufox.exe");
-
-        #[cfg(target_os = "linux")]
-        let binary_path = browser_dir.join("camoufox");
-
-        config.executable_path = Some(binary_path.to_string_lossy().to_string());
-        log::info!("Set Camoufox executable path: {:?}", config.executable_path);
-      }
-
      // Pass upstream proxy information to config for fingerprint generation
      if let Some(proxy_id_ref) = &proxy_id {
        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
@@ -164,6 +165,7 @@ impl ProfileManager {
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: launch_hook.clone(),
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -181,6 +183,7 @@ impl ProfileManager {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -219,28 +222,6 @@ impl ProfileManager {
      });

      // Always ensure executable_path is set to the user's binary location
-      if config.executable_path.is_none() {
-        let mut browser_dir = self.get_binaries_dir();
-        browser_dir.push(browser);
-        browser_dir.push(version);
-
-        #[cfg(target_os = "macos")]
-        let binary_path = browser_dir
-          .join("Chromium.app")
-          .join("Contents")
-          .join("MacOS")
-          .join("Chromium");
-
-        #[cfg(target_os = "windows")]
-        let binary_path = browser_dir.join("chrome.exe");
-
-        #[cfg(target_os = "linux")]
-        let binary_path = browser_dir.join("chrome");
-
-        config.executable_path = Some(binary_path.to_string_lossy().to_string());
-        log::info!("Set Wayfern executable path: {:?}", config.executable_path);
-      }
-
      // Pass upstream proxy information to config for fingerprint generation
      if let Some(proxy_id_ref) = &proxy_id {
        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
@@ -285,6 +266,7 @@ impl ProfileManager {
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: launch_hook.clone(),
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -302,6 +284,7 @@ impl ProfileManager {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -338,6 +321,7 @@ impl ProfileManager {
      version: version.to_string(),
      proxy_id: proxy_id.clone(),
      vpn_id: vpn_id.clone(),
+      launch_hook,
      process_id: None,
      last_launch: None,
      release_type: release_type.to_string(),
@@ -355,6 +339,7 @@ impl ProfileManager {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist,
    };

    // Save profile info
@@ -425,8 +410,21 @@ impl ProfileManager {
      if path.is_dir() {
        let metadata_file = path.join("metadata.json");
        if metadata_file.exists() {
-          let content = fs::read_to_string(metadata_file)?;
-          let profile: BrowserProfile = serde_json::from_str(&content)?;
+          let content = fs::read_to_string(&metadata_file)?;
+          let mut profile: BrowserProfile = serde_json::from_str(&content)?;
+
+          // Backfill host_os from browser config for profiles created before
+          // the field existed (or synced without it).
+          if profile.host_os.is_none() {
+            let inferred_os = profile.resolved_os().map(str::to_string);
+            if let Some(os) = inferred_os {
+              profile.host_os = Some(os);
+              if let Ok(json) = serde_json::to_string_pretty(&profile) {
+                let _ = fs::write(&metadata_file, json);
+              }
+            }
+          }
+
          profiles.push(profile);
        }
      }
@@ -566,6 +564,29 @@ impl ProfileManager {
    Ok(())
  }

+  /// Delete a profile from the local filesystem only, without triggering remote sync deletion.
+  /// Used when a profile was deleted on another device and the local copy should be cleaned up.
+  pub fn delete_profile_local_only(
+    &self,
+    profile_id: &str,
+  ) -> Result<(), Box<dyn std::error::Error>> {
+    let profiles_dir = self.get_profiles_dir();
+    let profile_dir = profiles_dir.join(profile_id);
+    if profile_dir.exists() {
+      fs::remove_dir_all(&profile_dir)?;
+      log::info!("Deleted local profile {} (tombstoned remotely)", profile_id);
+    }
+
+    if let Err(e) = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance()
+      .cleanup_unused_binaries()
+    {
+      log::warn!("Failed to cleanup binaries after tombstone deletion: {e}");
+    }
+
+    let _ = crate::events::emit_empty("profiles-changed");
+    Ok(())
+  }
+
  pub fn update_profile_version(
    &self,
    _app_handle: &tauri::AppHandle,
@@ -744,6 +765,35 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_launch_hook(
+    &self,
+    _app_handle: &tauri::AppHandle,
+    profile_id: &str,
+    launch_hook: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.launch_hook = Self::normalize_launch_hook(launch_hook)?;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Warning: Failed to emit profile update event: {e}");
+    }
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn update_profile_proxy_bypass_rules(
    &self,
    _app_handle: &tauri::AppHandle,
@@ -769,6 +819,30 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_dns_blocklist(
+    &self,
+    profile_id: &str,
+    dns_blocklist: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.dns_blocklist = dns_blocklist;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn delete_multiple_profiles(
    &self,
    app_handle: &tauri::AppHandle,
@@ -894,6 +968,7 @@ impl ProfileManager {
      version: source.version,
      proxy_id: source.proxy_id,
      vpn_id: source.vpn_id,
+      launch_hook: source.launch_hook,
      process_id: None,
      last_launch: None,
      release_type: source.release_type,
@@ -911,6 +986,7 @@ impl ProfileManager {
      proxy_bypass_rules: source.proxy_bypass_rules,
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: source.dns_blocklist,
    };

    self.save_profile(&new_profile)?;
@@ -1242,10 +1318,7 @@ impl ProfileManager {
        let profile_path_match = cmd.iter().any(|s| {
          let arg = s.to_str().unwrap_or("");
          // For Firefox-based browsers, check for exact profile path match
-          if profile.browser == "firefox"
-            || profile.browser == "firefox-developer"
-            || profile.browser == "zen"
-          {
+          if profile.browser == "camoufox" {
            arg == profile_data_path_str
              || arg == format!("-profile={profile_data_path_str}")
              || (arg == "-profile"
@@ -1253,7 +1326,7 @@ impl ProfileManager {
                  .iter()
                  .any(|s2| s2.to_str().unwrap_or("") == profile_data_path_str))
          } else {
-            // For Chromium-based browsers, check for user-data-dir
+            // For Chromium-based browsers (Wayfern), check for user-data-dir
            arg.contains(&format!("--user-data-dir={profile_data_path_str}"))
              || arg == profile_data_path_str
          }
@@ -1262,7 +1335,6 @@ impl ProfileManager {
        if profile_path_match {
          is_running = true;
          found_pid = Some(pid);
-          // Found existing browser process
        }
      }
    }
@@ -1275,16 +1347,12 @@ impl ProfileManager {
          // Check if this is the right browser executable first
          let exe_name = process.name().to_string_lossy().to_lowercase();
          let is_correct_browser = match profile.browser.as_str() {
-            "firefox" => {
-              exe_name.contains("firefox")
-                && !exe_name.contains("developer")
-                && !exe_name.contains("camoufox")
+            "camoufox" => exe_name.contains("camoufox") || exe_name.contains("firefox"),
+            "wayfern" => {
+              exe_name.contains("wayfern")
+                || exe_name.contains("chromium")
+                || exe_name.contains("chrome")
            }
-            "firefox-developer" => exe_name.contains("firefox") && exe_name.contains("developer"),
-            "zen" => exe_name.contains("zen"),
-            "chromium" => exe_name.contains("chromium"),
-            "brave" => exe_name.contains("brave"),
-            // Camoufox is handled via CamoufoxManager, not PID-based checking
            _ => false,
          };

@@ -1300,13 +1368,6 @@ impl ProfileManager {
            let arg = s.to_str().unwrap_or("");
            // For Firefox-based browsers, check for exact profile path match
            if profile.browser == "camoufox" {
-              // Camoufox uses user_data_dir like Chromium browsers
-              arg.contains(&format!("--user-data-dir={profile_data_path_str}"))
-                || arg == profile_data_path_str
-            } else if profile.browser == "firefox"
-              || profile.browser == "firefox-developer"
-              || profile.browser == "zen"
-            {
              arg == profile_data_path_str
                || arg == format!("-profile={profile_data_path_str}")
                || (arg == "-profile"
@@ -1314,7 +1375,7 @@ impl ProfileManager {
                    .iter()
                    .any(|s2| s2.to_str().unwrap_or("") == profile_data_path_str))
            } else {
-              // For Chromium-based browsers, check for user-data-dir
+              // For Chromium-based browsers (Wayfern), check for user-data-dir
              arg.contains(&format!("--user-data-dir={profile_data_path_str}"))
                || arg == profile_data_path_str
            }
@@ -1965,6 +2026,36 @@ mod tests {
      "PAC URL should percent-encode spaces: {pac_line}"
    );
  }
+
+  #[test]
+  fn test_normalize_launch_hook_accepts_http_and_https() {
+    let http =
+      ProfileManager::normalize_launch_hook(Some(" http://localhost:3000/hook ".to_string()))
+        .unwrap();
+    let https = ProfileManager::normalize_launch_hook(Some(
+      "https://example.com/hooks/profile-launch".to_string(),
+    ))
+    .unwrap();
+
+    assert_eq!(http.as_deref(), Some("http://localhost:3000/hook"));
+    assert_eq!(
+      https.as_deref(),
+      Some("https://example.com/hooks/profile-launch")
+    );
+  }
+
+  #[test]
+  fn test_normalize_launch_hook_clears_empty_values() {
+    let result = ProfileManager::normalize_launch_hook(Some("   ".to_string())).unwrap();
+    assert!(result.is_none());
+  }
+
+  #[test]
+  fn test_normalize_launch_hook_rejects_invalid_scheme() {
+    let err = ProfileManager::normalize_launch_hook(Some("ftp://example.com/hook".to_string()))
+      .unwrap_err();
+    assert!(err.to_string().contains("http or https"));
+  }
 }

 #[allow(clippy::too_many_arguments)]
@@ -1981,6 +2072,8 @@ pub async fn create_browser_profile_with_group(
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
  ephemeral: bool,
+  dns_blocklist: Option<String>,
+  launch_hook: Option<String>,
 ) -> Result<BrowserProfile, String> {
  let profile_manager = ProfileManager::instance();
  profile_manager
@@ -1996,6 +2089,8 @@ pub async fn create_browser_profile_with_group(
      wayfern_config,
      group_id,
      ephemeral,
+      dns_blocklist,
+      launch_hook,
    )
    .await
    .map_err(|e| format!("Failed to create profile: {e}"))
@@ -2059,6 +2154,18 @@ pub fn update_profile_note(
    .map_err(|e| format!("Failed to update profile note: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_launch_hook(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  launch_hook: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_launch_hook(&app_handle, &profile_id, launch_hook)
+    .map_err(|e| format!("Failed to update profile launch hook: {e}"))
+}
+
 #[tauri::command]
 pub fn update_profile_proxy_bypass_rules(
  app_handle: tauri::AppHandle,
@@ -2071,6 +2178,17 @@ pub fn update_profile_proxy_bypass_rules(
    .map_err(|e| format!("Failed to update proxy bypass rules: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_dns_blocklist(
+  profile_id: String,
+  dns_blocklist: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_dns_blocklist(&profile_id, dns_blocklist)
+    .map_err(|e| format!("Failed to update DNS blocklist: {e}"))
+}
+
 #[tauri::command]
 pub async fn check_browser_status(
  app_handle: tauri::AppHandle,
@@ -2109,6 +2227,8 @@ pub async fn create_browser_profile_new(
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
  ephemeral: Option<bool>,
+  dns_blocklist: Option<String>,
+  launch_hook: Option<String>,
 ) -> Result<BrowserProfile, String> {
  let fingerprint_os = camoufox_config
    .as_ref()
@@ -2136,6 +2256,8 @@ pub async fn create_browser_profile_new(
    wayfern_config,
    group_id,
    ephemeral.unwrap_or(false),
+    dns_blocklist,
+    launch_hook,
  )
  .await
 }
@@ -21,7 +21,7 @@ pub enum SyncMode {
  Encrypted,
 }

-#[derive(Debug, Serialize, Deserialize, Clone)]
+#[derive(Debug, Serialize, Deserialize, Clone, Default)]
 pub struct BrowserProfile {
  pub id: uuid::Uuid,
  pub name: String,
@@ -32,6 +32,8 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub vpn_id: Option<String>, // Reference to stored VPN config
  #[serde(default)]
+  pub launch_hook: Option<String>,
+  #[serde(default)]
  pub process_id: Option<u32>,
  #[serde(default)]
  pub last_launch: Option<u64>,
@@ -65,6 +67,8 @@ pub struct BrowserProfile {
  pub created_by_id: Option<String>,
  #[serde(default)]
  pub created_by_email: Option<String>,
+  #[serde(default)]
+  pub dns_blocklist: Option<String>,
 }

 pub fn default_release_type() -> String {
@@ -87,11 +91,22 @@ impl BrowserProfile {
    profiles_dir.join(self.id.to_string()).join("profile")
  }

+  /// Resolve the OS this profile was created on. Checks `host_os` first,
+  /// then falls back to the fingerprint config's `os` field (for profiles
+  /// created before `host_os` was introduced or synced without it).
+  pub fn resolved_os(&self) -> Option<&str> {
+    self
+      .host_os
+      .as_deref()
+      .or_else(|| self.camoufox_config.as_ref().and_then(|c| c.os.as_deref()))
+      .or_else(|| self.wayfern_config.as_ref().and_then(|c| c.os.as_deref()))
+  }
+
  /// Returns true when the profile was created on a different OS than the current host.
-  /// Profiles without an `os` field (backward compat) are treated as native.
+  /// Checks `host_os` first, then falls back to the browser config's `os` field.
  pub fn is_cross_os(&self) -> bool {
-    match &self.host_os {
-      Some(host_os) => host_os != &get_host_os(),
+    match self.resolved_os() {
+      Some(os) => os != get_host_os(),
      None => false,
    }
  }
@@ -4,22 +4,38 @@ use std::collections::HashSet;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};

-use crate::browser::BrowserType;
+use crate::camoufox_manager::CamoufoxConfig;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
+use crate::profile::types::{get_host_os, BrowserProfile, SyncMode};
 use crate::profile::ProfileManager;
+use crate::proxy_manager::PROXY_MANAGER;
+use crate::wayfern_manager::WayfernConfig;

 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct DetectedProfile {
  pub browser: String,
+  pub mapped_browser: String,
  pub name: String,
  pub path: String,
  pub description: String,
 }

+fn map_browser_type(browser: &str) -> &str {
+  match browser {
+    "firefox" | "firefox-developer" | "zen" => "camoufox",
+    "chromium" | "brave" => "wayfern",
+    "camoufox" => "camoufox",
+    "wayfern" => "wayfern",
+    _ => "wayfern",
+  }
+}
+
 pub struct ProfileImporter {
  base_dirs: BaseDirs,
  downloaded_browsers_registry: &'static DownloadedBrowsersRegistry,
  profile_manager: &'static ProfileManager,
+  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
+  wayfern_manager: &'static crate::wayfern_manager::WayfernManager,
 }

 impl ProfileImporter {
@@ -28,6 +44,8 @@ impl ProfileImporter {
      base_dirs: BaseDirs::new().expect("Failed to get base directories"),
      downloaded_browsers_registry: DownloadedBrowsersRegistry::instance(),
      profile_manager: ProfileManager::instance(),
+      camoufox_manager: crate::camoufox_manager::CamoufoxManager::instance(),
+      wayfern_manager: crate::wayfern_manager::WayfernManager::instance(),
    }
  }

@@ -35,31 +53,18 @@ impl ProfileImporter {
    &PROFILE_IMPORTER
  }

-  /// Detect existing browser profiles on the system
  pub fn detect_existing_profiles(
    &self,
  ) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut detected_profiles = Vec::new();

-    // Detect Firefox profiles
    detected_profiles.extend(self.detect_firefox_profiles()?);
-
-    // Detect Chrome profiles
    detected_profiles.extend(self.detect_chrome_profiles()?);
-
-    // Detect Brave profiles
    detected_profiles.extend(self.detect_brave_profiles()?);
-
-    // Detect Firefox Developer Edition profiles
    detected_profiles.extend(self.detect_firefox_developer_profiles()?);
-
-    // Detect Chromium profiles
    detected_profiles.extend(self.detect_chromium_profiles()?);
-
-    // Detect Zen Browser profiles
    detected_profiles.extend(self.detect_zen_browser_profiles()?);

-    // Remove duplicates based on path
    let mut seen_paths = HashSet::new();
    let unique_profiles: Vec<DetectedProfile> = detected_profiles
      .into_iter()
@@ -69,7 +74,6 @@ impl ProfileImporter {
    Ok(unique_profiles)
  }

-  /// Detect Firefox profiles
  fn detect_firefox_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -84,12 +88,10 @@ impl ProfileImporter {

    #[cfg(target_os = "windows")]
    {
-      // Primary location in AppData\Roaming
      let app_data = self.base_dirs.data_dir();
      let firefox_dir = app_data.join("Mozilla/Firefox/Profiles");
      profiles.extend(self.scan_firefox_profiles_dir(&firefox_dir, "firefox")?);

-      // Also check AppData\Local for portable installations
      let local_app_data = self.base_dirs.data_local_dir();
      let firefox_local_dir = local_app_data.join("Mozilla/Firefox/Profiles");
      if firefox_local_dir.exists() {
@@ -106,7 +108,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Firefox Developer Edition profiles
  fn detect_firefox_developer_profiles(
    &self,
  ) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
@@ -114,13 +115,11 @@ impl ProfileImporter {

    #[cfg(target_os = "macos")]
    {
-      // Firefox Developer Edition on macOS uses separate profile directories
      let firefox_dev_alt_dir = self
        .base_dirs
        .home_dir()
        .join("Library/Application Support/Firefox Developer Edition/Profiles");

-      // Only scan the dedicated dev edition directory if it exists, otherwise skip to avoid duplicates
      if firefox_dev_alt_dir.exists() {
        profiles.extend(self.scan_firefox_profiles_dir(&firefox_dev_alt_dir, "firefox-developer")?);
      }
@@ -129,7 +128,6 @@ impl ProfileImporter {
    #[cfg(target_os = "windows")]
    {
      let app_data = self.base_dirs.data_dir();
-      // Firefox Developer Edition on Windows typically uses separate directories
      let firefox_dev_dir = app_data.join("Mozilla/Firefox Developer Edition/Profiles");
      if firefox_dev_dir.exists() {
        profiles.extend(self.scan_firefox_profiles_dir(&firefox_dev_dir, "firefox-developer")?);
@@ -138,7 +136,6 @@ impl ProfileImporter {

    #[cfg(target_os = "linux")]
    {
-      // Firefox Developer Edition on Linux uses separate directories
      let firefox_dev_dir = self
        .base_dirs
        .home_dir()
@@ -151,7 +148,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Chrome profiles
  fn detect_chrome_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -180,7 +176,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Chromium profiles
  fn detect_chromium_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -209,7 +204,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Brave profiles
  fn detect_brave_profiles(&self) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
    let mut profiles = Vec::new();

@@ -241,7 +235,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Detect Zen Browser profiles
  fn detect_zen_browser_profiles(
    &self,
  ) -> Result<Vec<DetectedProfile>, Box<dyn std::error::Error>> {
@@ -272,7 +265,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Scan Firefox-style profiles directory
  fn scan_firefox_profiles_dir(
    &self,
    profiles_dir: &Path,
@@ -284,7 +276,6 @@ impl ProfileImporter {
      return Ok(profiles);
    }

-    // Read profiles.ini file if it exists
    let profiles_ini = profiles_dir
      .parent()
      .unwrap_or(profiles_dir)
@@ -295,7 +286,6 @@ impl ProfileImporter {
      }
    }

-    // Also scan directory for any profile folders not in profiles.ini
    if let Ok(entries) = fs::read_dir(profiles_dir) {
      for entry in entries.flatten() {
        let path = entry.path();
@@ -307,11 +297,11 @@ impl ProfileImporter {
              .and_then(|n| n.to_str())
              .unwrap_or("Unknown Profile");

-            // Check if this profile was already found in profiles.ini
            let already_added = profiles.iter().any(|p| p.path == path.to_string_lossy());
            if !already_added {
              profiles.push(DetectedProfile {
                browser: browser_type.to_string(),
+                mapped_browser: map_browser_type(browser_type).to_string(),
                name: format!(
                  "{} Profile - {}",
                  self.get_browser_display_name(browser_type),
@@ -329,7 +319,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Parse Firefox profiles.ini file
  fn parse_firefox_profiles_ini(
    &self,
    content: &str,
@@ -346,7 +335,6 @@ impl ProfileImporter {
      let line = line.trim();

      if line.starts_with('[') && line.ends_with(']') {
-        // Save previous profile if complete
        if !current_section.is_empty()
          && current_section.starts_with("Profile")
          && !profile_path.is_empty()
@@ -370,6 +358,7 @@ impl ProfileImporter {

            profiles.push(DetectedProfile {
              browser: browser_type.to_string(),
+              mapped_browser: map_browser_type(browser_type).to_string(),
              name: display_name,
              path: full_path.to_string_lossy().to_string(),
              description: format!("Profile: {profile_name}"),
@@ -377,7 +366,6 @@ impl ProfileImporter {
          }
        }

-        // Start new section
        current_section = line[1..line.len() - 1].to_string();
        profile_name.clear();
        profile_path.clear();
@@ -398,7 +386,6 @@ impl ProfileImporter {
      }
    }

-    // Handle last profile
    if !current_section.is_empty()
      && current_section.starts_with("Profile")
      && !profile_path.is_empty()
@@ -422,6 +409,7 @@ impl ProfileImporter {

        profiles.push(DetectedProfile {
          browser: browser_type.to_string(),
+          mapped_browser: map_browser_type(browser_type).to_string(),
          name: display_name,
          path: full_path.to_string_lossy().to_string(),
          description: format!("Profile: {profile_name}"),
@@ -432,7 +420,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Scan Chrome-style profiles directory
  fn scan_chrome_profiles_dir(
    &self,
    browser_dir: &Path,
@@ -444,11 +431,11 @@ impl ProfileImporter {
      return Ok(profiles);
    }

-    // Check for Default profile
    let default_profile = browser_dir.join("Default");
    if default_profile.exists() && default_profile.join("Preferences").exists() {
      profiles.push(DetectedProfile {
        browser: browser_type.to_string(),
+        mapped_browser: map_browser_type(browser_type).to_string(),
        name: format!(
          "{} - Default Profile",
          self.get_browser_display_name(browser_type)
@@ -458,7 +445,6 @@ impl ProfileImporter {
      });
    }

-    // Check for Profile X directories
    if let Ok(entries) = fs::read_dir(browser_dir) {
      for entry in entries.flatten() {
        let path = entry.path();
@@ -466,9 +452,10 @@ impl ProfileImporter {
          let dir_name = path.file_name().and_then(|n| n.to_str()).unwrap_or("");

          if dir_name.starts_with("Profile ") && path.join("Preferences").exists() {
-            let profile_number = &dir_name[8..]; // Remove "Profile " prefix
+            let profile_number = &dir_name[8..];
            profiles.push(DetectedProfile {
              browser: browser_type.to_string(),
+              mapped_browser: map_browser_type(browser_type).to_string(),
              name: format!(
                "{} - Profile {}",
                self.get_browser_display_name(browser_type),
@@ -485,7 +472,6 @@ impl ProfileImporter {
    Ok(profiles)
  }

-  /// Get browser display name
  fn get_browser_display_name(&self, browser_type: &str) -> &str {
    match browser_type {
      "firefox" => "Firefox",
@@ -493,28 +479,36 @@ impl ProfileImporter {
      "chromium" => "Chrome/Chromium",
      "brave" => "Brave",
      "zen" => "Zen Browser",
+      "camoufox" => "Camoufox",
+      "wayfern" => "Wayfern",
      _ => "Unknown Browser",
    }
  }

-  /// Import a profile from an existing browser profile
-  pub fn import_profile(
+  #[allow(clippy::too_many_arguments)]
+  pub async fn import_profile(
    &self,
+    app_handle: &tauri::AppHandle,
    source_path: &str,
    browser_type: &str,
    new_profile_name: &str,
+    proxy_id: Option<String>,
+    camoufox_config: Option<CamoufoxConfig>,
+    wayfern_config: Option<WayfernConfig>,
  ) -> Result<(), Box<dyn std::error::Error>> {
-    // Validate that source path exists
    let source_path = Path::new(source_path);
    if !source_path.exists() {
      return Err("Source profile path does not exist".into());
    }

-    // Validate browser type
-    let _browser_type = BrowserType::from_str(browser_type)
-      .map_err(|_| format!("Invalid browser type: {browser_type}"))?;
+    let mapped = map_browser_type(browser_type);
+
+    if let Some(ref pid) = proxy_id {
+      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
+        crate::cloud_auth::CLOUD_AUTH.sync_cloud_proxy().await;
+      }
+    }

-    // Check if a profile with this name already exists
    let existing_profiles = self.profile_manager.list_profiles()?;
    if existing_profiles
      .iter()
@@ -523,7 +517,6 @@ impl ProfileImporter {
      return Err(format!("Profile with name '{new_profile_name}' already exists").into());
    }

-    // Generate UUID for new profile and create the directory structure
    let profile_id = uuid::Uuid::new_v4();
    let profiles_dir = self.profile_manager.get_profiles_dir();
    let new_profile_uuid_dir = profiles_dir.join(profile_id.to_string());
@@ -532,40 +525,198 @@ impl ProfileImporter {
    create_dir_all(&new_profile_uuid_dir)?;
    create_dir_all(&new_profile_data_dir)?;

-    // Copy all files from source to destination profile subdirectory
    Self::copy_directory_recursive(source_path, &new_profile_data_dir)?;

-    // Create the profile metadata without overwriting the imported data
-    // We need to find a suitable version for this browser type
-    let available_versions = self.get_default_version_for_browser(browser_type)?;
+    let version = self.get_default_version_for_browser(mapped)?;

-    let profile = crate::profile::BrowserProfile {
+    let final_camoufox_config = if mapped == "camoufox" {
+      let mut config = camoufox_config.unwrap_or_default();
+
+      if let Some(ref proxy_id_val) = proxy_id {
+        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_val) {
+          let proxy_url = if let (Some(username), Some(password)) =
+            (&proxy_settings.username, &proxy_settings.password)
+          {
+            format!(
+              "{}://{}:{}@{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              username,
+              password,
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          } else {
+            format!(
+              "{}://{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          };
+          config.proxy = Some(proxy_url);
+        }
+      }
+
+      if config.fingerprint.is_none() {
+        let temp_profile = BrowserProfile {
+          id: uuid::Uuid::new_v4(),
+          name: new_profile_name.to_string(),
+          browser: mapped.to_string(),
+          version: version.clone(),
+          proxy_id: proxy_id.clone(),
+          vpn_id: None,
+          launch_hook: None,
+          process_id: None,
+          last_launch: None,
+          release_type: "stable".to_string(),
+          camoufox_config: None,
+          wayfern_config: None,
+          group_id: None,
+          tags: Vec::new(),
+          note: None,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
+          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
+          dns_blocklist: None,
+        };
+
+        match self
+          .camoufox_manager
+          .generate_fingerprint_config(app_handle, &temp_profile, &config)
+          .await
+        {
+          Ok(fp) => config.fingerprint = Some(fp),
+          Err(e) => {
+            return Err(
+              format!(
+                "Failed to generate fingerprint for imported profile '{new_profile_name}': {e}"
+              )
+              .into(),
+            );
+          }
+        }
+      }
+
+      config.proxy = None;
+      Some(config)
+    } else {
+      None
+    };
+
+    let final_wayfern_config = if mapped == "wayfern" {
+      let mut config = wayfern_config.unwrap_or_default();
+
+      if let Some(ref proxy_id_val) = proxy_id {
+        if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_val) {
+          let proxy_url = if let (Some(username), Some(password)) =
+            (&proxy_settings.username, &proxy_settings.password)
+          {
+            format!(
+              "{}://{}:{}@{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              username,
+              password,
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          } else {
+            format!(
+              "{}://{}:{}",
+              proxy_settings.proxy_type.to_lowercase(),
+              proxy_settings.host,
+              proxy_settings.port
+            )
+          };
+          config.proxy = Some(proxy_url);
+        }
+      }
+
+      if config.fingerprint.is_none() {
+        let temp_profile = BrowserProfile {
+          id: uuid::Uuid::new_v4(),
+          name: new_profile_name.to_string(),
+          browser: mapped.to_string(),
+          version: version.clone(),
+          proxy_id: proxy_id.clone(),
+          vpn_id: None,
+          launch_hook: None,
+          process_id: None,
+          last_launch: None,
+          release_type: "stable".to_string(),
+          camoufox_config: None,
+          wayfern_config: None,
+          group_id: None,
+          tags: Vec::new(),
+          note: None,
+          sync_mode: SyncMode::Disabled,
+          encryption_salt: None,
+          last_sync: None,
+          host_os: None,
+          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
+          dns_blocklist: None,
+        };
+
+        match self
+          .wayfern_manager
+          .generate_fingerprint_config(app_handle, &temp_profile, &config)
+          .await
+        {
+          Ok(fp) => config.fingerprint = Some(fp),
+          Err(e) => {
+            return Err(
+              format!(
+                "Failed to generate fingerprint for imported profile '{new_profile_name}': {e}"
+              )
+              .into(),
+            );
+          }
+        }
+      }
+
+      config.proxy = None;
+      Some(config)
+    } else {
+      None
+    };
+
+    let profile = BrowserProfile {
      id: profile_id,
      name: new_profile_name.to_string(),
-      browser: browser_type.to_string(),
-      version: available_versions,
-      proxy_id: None,
+      browser: mapped.to_string(),
+      version,
+      proxy_id,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
-      camoufox_config: None,
-      wayfern_config: None,
+      camoufox_config: final_camoufox_config,
+      wayfern_config: final_wayfern_config,
      group_id: None,
      tags: Vec::new(),
      note: None,
-      sync_mode: crate::profile::types::SyncMode::Disabled,
+      sync_mode: SyncMode::Disabled,
      encryption_salt: None,
      last_sync: None,
-      host_os: Some(crate::profile::types::get_host_os()),
+      host_os: Some(get_host_os()),
      ephemeral: false,
      extension_group_id: None,
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    };

-    // Save the profile metadata
    self.profile_manager.save_profile(&profile)?;

    log::info!(
@@ -577,12 +728,10 @@ impl ProfileImporter {
    Ok(())
  }

-  /// Get a default version for a browser type
  fn get_default_version_for_browser(
    &self,
    browser_type: &str,
  ) -> Result<String, Box<dyn std::error::Error>> {
-    // Check if any version of the browser is downloaded
    let downloaded_versions = self
      .downloaded_browsers_registry
      .get_downloaded_versions(browser_type);
@@ -591,15 +740,16 @@ impl ProfileImporter {
      return Ok(version.clone());
    }

-    // If no downloaded versions found, return an error
-    Err(format!(
-      "No downloaded versions found for browser '{}'. Please download a version of {} first before importing profiles.",
-      browser_type,
-      self.get_browser_display_name(browser_type)
-    ).into())
+    Err(
+      format!(
+        "No downloaded versions found for browser '{}'. Please download a version of {} first before importing profiles.",
+        browser_type,
+        self.get_browser_display_name(browser_type)
+      )
+      .into(),
+    )
  }

-  /// Recursively copy directory contents
  pub fn copy_directory_recursive(
    source: &Path,
    destination: &Path,
@@ -624,7 +774,6 @@ impl ProfileImporter {
  }
 }

-// Tauri commands
 #[tauri::command]
 pub async fn detect_existing_profiles() -> Result<Vec<DetectedProfile>, String> {
  let importer = ProfileImporter::instance();
@@ -635,17 +784,41 @@ pub async fn detect_existing_profiles() -> Result<Vec<DetectedProfile>, String>

 #[tauri::command]
 pub async fn import_browser_profile(
+  app_handle: tauri::AppHandle,
  source_path: String,
  browser_type: String,
  new_profile_name: String,
+  proxy_id: Option<String>,
+  camoufox_config: Option<CamoufoxConfig>,
+  wayfern_config: Option<WayfernConfig>,
 ) -> Result<(), String> {
+  let fingerprint_os = camoufox_config
+    .as_ref()
+    .and_then(|c| c.os.as_deref())
+    .or_else(|| wayfern_config.as_ref().and_then(|c| c.os.as_deref()));
+
+  if !crate::cloud_auth::CLOUD_AUTH
+    .is_fingerprint_os_allowed(fingerprint_os)
+    .await
+  {
+    return Err("Fingerprint OS spoofing requires an active Pro subscription".to_string());
+  }
+
  let importer = ProfileImporter::instance();
  importer
-    .import_profile(&source_path, &browser_type, &new_profile_name)
+    .import_profile(
+      &app_handle,
+      &source_path,
+      &browser_type,
+      &new_profile_name,
+      proxy_id,
+      camoufox_config,
+      wayfern_config,
+    )
+    .await
    .map_err(|e| format!("Failed to import profile: {e}"))
 }

-// Global singleton instance
 lazy_static::lazy_static! {
  static ref PROFILE_IMPORTER: ProfileImporter = ProfileImporter::new();
 }
@@ -658,10 +831,7 @@ mod tests {

  fn create_test_profile_importer() -> (ProfileImporter, TempDir) {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");
-
-    // Set up a temporary home directory for testing
    env::set_var("HOME", temp_dir.path());
-
    let importer = ProfileImporter::new();
    (importer, temp_dir)
  }
@@ -669,7 +839,6 @@ mod tests {
  #[test]
  fn test_profile_importer_creation() {
    let (_importer, _temp_dir) = create_test_profile_importer();
-    // Test passes if no panic occurs
  }

  #[test]
@@ -693,19 +862,25 @@ mod tests {
    );
  }

+  #[test]
+  fn test_map_browser_type() {
+    assert_eq!(map_browser_type("firefox"), "camoufox");
+    assert_eq!(map_browser_type("firefox-developer"), "camoufox");
+    assert_eq!(map_browser_type("zen"), "camoufox");
+    assert_eq!(map_browser_type("chromium"), "wayfern");
+    assert_eq!(map_browser_type("brave"), "wayfern");
+    assert_eq!(map_browser_type("camoufox"), "camoufox");
+    assert_eq!(map_browser_type("wayfern"), "wayfern");
+    assert_eq!(map_browser_type("something_else"), "wayfern");
+  }
+
  #[test]
  fn test_detect_existing_profiles_no_panic() {
    let (importer, _temp_dir) = create_test_profile_importer();

-    // This should not panic even if no browser profiles exist
    let result = importer.detect_existing_profiles();
    assert!(result.is_ok(), "detect_existing_profiles should not fail");
-
    let _profiles = result.unwrap();
-    // We can't assert specific profiles since they depend on the system
-    // but we can verify the result is a valid Vec
-    // We can't assert specific profiles since they depend on the system
-    // but we can verify the result is a valid Vec (length check is always true for Vec, but shows intent)
  }

  #[test]
@@ -764,12 +939,10 @@ mod tests {
  fn test_parse_firefox_profiles_ini_valid() {
    let (importer, temp_dir) = create_test_profile_importer();

-    // Create a mock profile directory
    let profiles_dir = temp_dir.path().join("profiles");
    let profile_dir = profiles_dir.join("test.profile");
    fs::create_dir_all(&profile_dir).expect("Should create profile directory");

-    // Create a prefs.js file to make it look like a valid profile
    let prefs_file = profile_dir.join("prefs.js");
    fs::write(&prefs_file, "// Firefox preferences").expect("Should create prefs.js");

@@ -788,31 +961,27 @@ Path=test.profile
    assert_eq!(profiles.len(), 1, "Should find one profile");
    assert_eq!(profiles[0].name, "Firefox - Test Profile");
    assert_eq!(profiles[0].browser, "firefox");
+    assert_eq!(profiles[0].mapped_browser, "camoufox");
  }

  #[test]
  fn test_copy_directory_recursive() {
    let temp_dir = TempDir::new().expect("Failed to create temp directory");

-    // Create source directory structure
    let source_dir = temp_dir.path().join("source");
    let source_subdir = source_dir.join("subdir");
    fs::create_dir_all(&source_subdir).expect("Should create source directories");

-    // Create some test files
    let source_file1 = source_dir.join("file1.txt");
    let source_file2 = source_subdir.join("file2.txt");
    fs::write(&source_file1, "content1").expect("Should create file1");
    fs::write(&source_file2, "content2").expect("Should create file2");

-    // Create destination directory
    let dest_dir = temp_dir.path().join("dest");

-    // Copy recursively
    let result = ProfileImporter::copy_directory_recursive(&source_dir, &dest_dir);
    assert!(result.is_ok(), "Should copy directory successfully");

-    // Verify files were copied
    let dest_file1 = dest_dir.join("file1.txt");
    let dest_file2 = dest_dir.join("subdir").join("file2.txt");

@@ -830,8 +999,9 @@ Path=test.profile
  fn test_get_default_version_for_browser_no_versions() {
    let (importer, _temp_dir) = create_test_profile_importer();

-    // This should fail since no versions are downloaded in test environment
-    let result = importer.get_default_version_for_browser("firefox");
+    // Use a browser name that is guaranteed to have no downloaded versions,
+    // since the global registry singleton may contain real data from the system.
+    let result = importer.get_default_version_for_browser("nonexistent_browser_xyz");
    assert!(
      result.is_err(),
      "Should fail when no versions are available"
@@ -77,6 +77,7 @@ pub struct ProxyInfo {
  pub local_port: u16,
  // Optional profile ID to which this proxy instance is logically tied
  pub profile_id: Option<String>,
+  pub blocklist_file: Option<String>,
 }

 // Proxy check result cache
@@ -117,6 +118,10 @@ pub struct StoredProxy {
  pub geo_city: Option<String>,
  #[serde(default)]
  pub geo_isp: Option<String>,
+  #[serde(default)]
+  pub dynamic_proxy_url: Option<String>,
+  #[serde(default)]
+  pub dynamic_proxy_format: Option<String>,
 }

 impl StoredProxy {
@@ -135,6 +140,8 @@ impl StoredProxy {
      geo_region: None,
      geo_city: None,
      geo_isp: None,
+      dynamic_proxy_url: None,
+      dynamic_proxy_format: None,
    }
  }

@@ -450,6 +457,8 @@ impl ProxyManager {
        geo_region: None,
        geo_city: None,
        geo_isp: None,
+        dynamic_proxy_url: None,
+        dynamic_proxy_format: None,
      };
      stored_proxies.insert(CLOUD_PROXY_ID.to_string(), cloud_proxy.clone());
      drop(stored_proxies);
@@ -639,6 +648,8 @@ impl ProxyManager {
      geo_region: region,
      geo_city: city,
      geo_isp: isp,
+      dynamic_proxy_url: None,
+      dynamic_proxy_format: None,
    };

    {
@@ -893,6 +904,63 @@ impl ProxyManager {
      .map(|p| p.proxy_settings.clone())
  }

+  fn classify_proxy_error(raw_error: &str, settings: &ProxySettings) -> String {
+    let err = raw_error.to_lowercase();
+    let proxy_addr = format!("{}:{}", settings.host, settings.port);
+
+    if err.contains("connection refused") {
+      return format!(
+        "Connection refused by {proxy_addr}. The proxy server is not accepting connections."
+      );
+    }
+    if err.contains("connection reset") {
+      return format!(
+        "Connection reset by {proxy_addr}. The proxy server closed the connection unexpectedly."
+      );
+    }
+    if err.contains("timed out") || err.contains("deadline has elapsed") {
+      return format!("Connection to {proxy_addr} timed out. The proxy server is not responding.");
+    }
+    if err.contains("no such host") || err.contains("dns") || err.contains("resolve") {
+      return format!(
+        "Could not resolve proxy host '{}'. Check that the hostname is correct.",
+        settings.host
+      );
+    }
+    if err.contains("authentication") || err.contains("407") || err.contains("proxy auth") {
+      return format!(
+        "Proxy authentication failed for {proxy_addr}. Check your username and password."
+      );
+    }
+    if err.contains("403") || err.contains("forbidden") {
+      return format!("Access denied by {proxy_addr} (403 Forbidden).");
+    }
+    if err.contains("402") {
+      return format!(
+        "Payment required by {proxy_addr} (402). Your proxy subscription may have expired."
+      );
+    }
+    if err.contains("502") || err.contains("bad gateway") {
+      return format!(
+        "Bad gateway from {proxy_addr} (502). The upstream proxy server may be down."
+      );
+    }
+    if err.contains("503") || err.contains("service unavailable") {
+      return format!("Proxy {proxy_addr} is temporarily unavailable (503).");
+    }
+    if err.contains("socks") && err.contains("unreachable") {
+      return format!("SOCKS proxy {proxy_addr} could not reach the target. The proxy server may not have internet access.");
+    }
+    if err.contains("invalid proxy") || err.contains("unsupported proxy") {
+      return format!(
+        "Invalid proxy configuration for {proxy_addr}. Check the proxy type and address."
+      );
+    }
+
+    // Generic fallback — still show the proxy address for context
+    format!("Proxy check failed for {proxy_addr}. Could not connect through the proxy.")
+  }
+
  // Build proxy URL string from ProxySettings
  fn build_proxy_url(proxy_settings: &ProxySettings) -> String {
    let mut url = format!("{}://", proxy_settings.proxy_type);
@@ -914,19 +982,57 @@ impl ProxyManager {
    url
  }

-  // Check if a proxy is valid by making HTTP requests through it
+  // Check if a proxy is valid by routing through a temporary donut-proxy process.
+  // This tests the exact same code path the browser uses.
+  // Falls back to direct reqwest check if the proxy worker fails to start.
  pub async fn check_proxy_validity(
    &self,
    proxy_id: &str,
    proxy_settings: &ProxySettings,
  ) -> Result<ProxyCheckResult, String> {
-    let proxy_url = Self::build_proxy_url(proxy_settings);
+    let upstream_url = Self::build_proxy_url(proxy_settings);

-    // Fetch public IP through the proxy using shared IP utilities
-    let ip = match ip_utils::fetch_public_ip(Some(&proxy_url)).await {
+    // Try process-based check first (identical to browser launch path)
+    // Try process-based check first (identical to browser launch path).
+    // If the proxy worker fails to start (e.g. Gatekeeper, antivirus, signing
+    // restrictions), fall back to a direct reqwest check.
+    let proxy_start_result =
+      crate::proxy_runner::start_proxy_process(Some(upstream_url.clone()), None)
+        .await
+        .map_err(|e| e.to_string());
+
+    let ip_result = match proxy_start_result {
+      Ok(proxy_config) => {
+        let local_url = format!("http://127.0.0.1:{}", proxy_config.local_port.unwrap_or(0));
+        let config_id = proxy_config.id.clone();
+        // Wrap in a timeout so the check worker doesn't stay alive indefinitely
+        // if the upstream is slow or unreachable.
+        let result = tokio::time::timeout(
+          std::time::Duration::from_secs(30),
+          ip_utils::fetch_public_ip(Some(&local_url)),
+        )
+        .await
+        .unwrap_or_else(|_| {
+          Err(ip_utils::IpError::Network(
+            "Proxy check timed out after 30s".to_string(),
+          ))
+        });
+        // Always stop the worker — even if the check failed or timed out
+        let _ = crate::proxy_runner::stop_proxy_process(&config_id).await;
+        result
+      }
+      Err(err_msg) => {
+        log::warn!(
+          "Proxy worker failed to start ({}), falling back to direct check",
+          err_msg
+        );
+        ip_utils::fetch_public_ip(Some(&upstream_url)).await
+      }
+    };
+
+    let ip = match ip_result {
      Ok(ip) => ip,
      Err(e) => {
-        // Save failed check result
        let failed_result = ProxyCheckResult {
          ip: String::new(),
          city: None,
@@ -936,7 +1042,10 @@ impl ProxyManager {
          is_valid: false,
        };
        let _ = self.save_proxy_check_cache(proxy_id, &failed_result);
-        return Err(format!("Failed to fetch public IP: {e}"));
+
+        let err_str = e.to_string();
+        let user_message = Self::classify_proxy_error(&err_str, proxy_settings);
+        return Err(user_message);
      }
    };

@@ -965,6 +1074,149 @@ impl ProxyManager {
    self.load_proxy_check_cache(proxy_id)
  }

+  pub async fn fetch_proxy_from_url(
+    &self,
+    url: &str,
+    timeout: std::time::Duration,
+  ) -> Result<Option<ProxySettings>, String> {
+    let client = reqwest::Client::builder()
+      .timeout(timeout)
+      .build()
+      .map_err(|e| format!("Failed to create HTTP client: {e}"))?;
+
+    let response = client
+      .get(url)
+      .send()
+      .await
+      .map_err(|e| format!("Failed to fetch launch hook: {e}"))?;
+
+    if response.status() == reqwest::StatusCode::NO_CONTENT {
+      return Ok(None);
+    }
+
+    if !response.status().is_success() {
+      return Err(format!("Launch hook returned status {}", response.status()));
+    }
+
+    let body = response
+      .text()
+      .await
+      .map_err(|e| format!("Failed to read launch hook response: {e}"))?;
+
+    let body = body.trim();
+    if body.is_empty() {
+      return Err("Launch hook returned empty response".to_string());
+    }
+
+    if let Ok(settings) = Self::parse_dynamic_proxy_json(body) {
+      return Ok(Some(settings));
+    }
+
+    match Self::parse_dynamic_proxy_text(body) {
+      Ok(settings) => Ok(Some(settings)),
+      Err(text_error) => Err(format!(
+        "Failed to parse launch hook response: {text_error}"
+      )),
+    }
+  }
+
+  // Parse JSON proxy payload: { "ip"/"host": "...", "port": ..., "username": "...", "password": "..." }
+  fn parse_dynamic_proxy_json(body: &str) -> Result<ProxySettings, String> {
+    let json: serde_json::Value =
+      serde_json::from_str(body).map_err(|e| format!("Invalid JSON response: {e}"))?;
+
+    let obj = json
+      .as_object()
+      .ok_or_else(|| "JSON response is not an object".to_string())?;
+
+    let raw_host = obj
+      .get("ip")
+      .or_else(|| obj.get("host"))
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| "Missing 'ip' or 'host' field in JSON response".to_string())?;
+
+    // Strip protocol prefix from host if present (e.g. "socks5://1.2.3.4" -> "1.2.3.4")
+    // and extract the proxy type from it if no explicit type field is provided
+    let (host, protocol_from_host) = if let Some(rest) = raw_host.strip_prefix("://") {
+      (rest.to_string(), None)
+    } else if let Some((proto, rest)) = raw_host.split_once("://") {
+      (rest.to_string(), Some(proto.to_lowercase()))
+    } else {
+      (raw_host.to_string(), None)
+    };
+
+    let port = obj
+      .get("port")
+      .and_then(|v| {
+        v.as_u64()
+          .or_else(|| v.as_str().and_then(|s| s.parse().ok()))
+      })
+      .ok_or_else(|| "Missing or invalid 'port' field in JSON response".to_string())?
+      as u16;
+
+    let proxy_type = obj
+      .get("type")
+      .or_else(|| obj.get("proxy_type"))
+      .or_else(|| obj.get("protocol"))
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_lowercase())
+      .or(protocol_from_host)
+      .unwrap_or_else(|| "http".to_string());
+
+    let username = obj
+      .get("username")
+      .or_else(|| obj.get("user"))
+      .and_then(|v| v.as_str())
+      .filter(|s| !s.is_empty())
+      .map(|s| s.to_string());
+
+    let password = obj
+      .get("password")
+      .or_else(|| obj.get("pass"))
+      .and_then(|v| v.as_str())
+      .filter(|s| !s.is_empty())
+      .map(|s| s.to_string());
+
+    Ok(ProxySettings {
+      proxy_type,
+      host,
+      port,
+      username,
+      password,
+    })
+  }
+
+  // Parse plain text proxy payload using the same logic as proxy import
+  fn parse_dynamic_proxy_text(body: &str) -> Result<ProxySettings, String> {
+    let line = body
+      .lines()
+      .find(|l| !l.trim().is_empty())
+      .unwrap_or("")
+      .trim();
+    if line.is_empty() {
+      return Err("Empty text response".to_string());
+    }
+
+    match Self::parse_single_proxy_line(line) {
+      ProxyParseResult::Parsed(parsed) => Ok(ProxySettings {
+        proxy_type: parsed.proxy_type,
+        host: parsed.host,
+        port: parsed.port,
+        username: parsed.username,
+        password: parsed.password,
+      }),
+      ProxyParseResult::Ambiguous {
+        possible_formats, ..
+      } => Err(format!(
+        "Ambiguous proxy format. Could be: {}",
+        possible_formats.join(" or ")
+      )),
+      ProxyParseResult::Invalid { reason, .. } => {
+        Err(format!("Failed to parse proxy response: {reason}"))
+      }
+    }
+  }
+
  // Export all proxies as JSON
  pub fn export_proxies_json(&self) -> Result<String, String> {
    let stored_proxies = self.stored_proxies.lock().unwrap();
@@ -1116,6 +1368,10 @@ impl ProxyManager {
      ("socks5", rest)
    } else if let Some(rest) = line.strip_prefix("socks://") {
      ("socks5", rest) // Default socks to socks5
+    } else if let Some(rest) = line.strip_prefix("ss://") {
+      ("ss", rest)
+    } else if let Some(rest) = line.strip_prefix("shadowsocks://") {
+      ("ss", rest)
    } else {
      return None;
    };
@@ -1301,6 +1557,7 @@ impl ProxyManager {
    browser_pid: u32,
    profile_id: Option<&str>,
    bypass_rules: Vec<String>,
+    blocklist_file: Option<String>,
  ) -> Result<ProxySettings, String> {
    if let Some(name) = profile_id {
      // Check if we have an active proxy recorded for this profile
@@ -1428,6 +1685,11 @@ impl ProxyManager {
      proxy_cmd = proxy_cmd.arg("--bypass-rules").arg(rules_json);
    }

+    // Add blocklist file path if provided
+    if let Some(ref path) = blocklist_file {
+      proxy_cmd = proxy_cmd.arg("--blocklist-file").arg(path);
+    }
+
    // Execute the command and wait for it to complete
    // The donut-proxy binary should start the worker and then exit
    let output = proxy_cmd
@@ -1473,6 +1735,7 @@ impl ProxyManager {
        .unwrap_or_else(|| "DIRECT".to_string()),
      local_port,
      profile_id: profile_id.map(|s| s.to_string()),
+      blocklist_file: blocklist_file.clone(),
    };

    // Wait for the local proxy port to be ready to accept connections
@@ -1749,11 +2012,132 @@ impl ProxyManager {
        "Cleaning up orphaned proxy config: {} (proxy process is dead)",
        config.id
      );
-      // Just delete the config file - the process is already dead
      use crate::proxy_storage::delete_proxy_config;
      delete_proxy_config(&config.id);
    }

+    // Kill stale profileless proxy workers — these are check workers
+    // (from check_proxy_validity or similar) that were never cleaned up.
+    // Profile-associated proxies are left alone to avoid the regression
+    // where killing proxies for "dead" browsers on Linux also killed
+    // proxies for running browsers (due to launcher-vs-browser PID mismatch).
+    {
+      use crate::proxy_storage::{is_process_running, list_proxy_configs};
+      use std::time::{SystemTime, UNIX_EPOCH};
+
+      let now = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_secs();
+
+      let all_configs = list_proxy_configs();
+      for config in all_configs {
+        // Only target proxies WITHOUT a profile_id (check workers)
+        if config.profile_id.is_some() {
+          continue;
+        }
+
+        // Must have a running process to kill
+        let Some(pid) = config.pid else { continue };
+        if !is_process_running(pid) {
+          continue;
+        }
+
+        // Check age: only kill if older than 5 minutes
+        let proxy_age = config
+          .id
+          .strip_prefix("proxy_")
+          .and_then(|s| s.split('_').next())
+          .and_then(|s| s.parse::<u64>().ok())
+          .map(|created_at| now.saturating_sub(created_at))
+          .unwrap_or(0);
+
+        if proxy_age > 300 {
+          log::info!(
+            "Killing stale profileless proxy {} (PID {}, age {}s)",
+            config.id,
+            pid,
+            proxy_age
+          );
+          let _ = crate::proxy_runner::stop_proxy_process(&config.id).await;
+        }
+      }
+    }
+
+    // Kill proxy workers whose browser process has died.
+    //
+    // active_proxies is keyed by the EXACT browser PID that was recorded in
+    // update_proxy_pid(). Checking that PID against a single process-table
+    // snapshot is deterministic: either the PID refers to a live process or
+    // it doesn't. This avoids the fuzzy launcher-vs-browser detection used
+    // by check_browser_status (which historically had false negatives on
+    // Linux and was the reason profile-associated workers were left alone
+    // in the other cleanup branches).
+    //
+    // Without this, every time a user closes their browser via the window's
+    // X button (bypassing Donut's stop flow) or the browser crashes, the
+    // worker keeps running forever. On Windows users reported dozens of
+    // donut-proxy processes accumulating this way.
+    {
+      // Snapshot current active entries first so we don't hold the mutex
+      // while running the (expensive on Windows) sysinfo scan.
+      let snapshot: Vec<(u32, String, Option<String>)> = {
+        let proxies = self.active_proxies.lock().unwrap();
+        proxies
+          .iter()
+          .map(|(&browser_pid, info)| (browser_pid, info.id.clone(), info.profile_id.clone()))
+          .collect()
+      };
+
+      if !snapshot.is_empty() {
+        // One process-table scan for all candidates
+        let system = sysinfo::System::new_with_specifics(
+          sysinfo::RefreshKind::nothing().with_processes(sysinfo::ProcessRefreshKind::everything()),
+        );
+
+        let dead_browser_entries: Vec<(u32, String, Option<String>)> = snapshot
+          .into_iter()
+          .filter(|(browser_pid, _, _)| {
+            // The sentinel PID=0 is used as a placeholder during launch,
+            // before update_proxy_pid has recorded the real browser PID.
+            *browser_pid != 0
+              && system
+                .process(sysinfo::Pid::from_u32(*browser_pid))
+                .is_none()
+          })
+          .collect();
+
+        for (browser_pid, proxy_id, profile_id) in dead_browser_entries {
+          log::info!(
+            "Cleanup: browser PID {} is dead, stopping proxy worker {} (profile={:?})",
+            browser_pid,
+            proxy_id,
+            profile_id
+          );
+          {
+            let mut proxies = self.active_proxies.lock().unwrap();
+            // Re-check the entry still maps to the same proxy_id — another
+            // thread may have replaced it with a new proxy since we snapshotted.
+            if let Some(current) = proxies.get(&browser_pid) {
+              if current.id != proxy_id {
+                continue;
+              }
+            } else {
+              continue;
+            }
+            proxies.remove(&browser_pid);
+          }
+          if let Some(ref pid) = profile_id {
+            let mut map = self.profile_active_proxy_ids.lock().unwrap();
+            if map.get(pid) == Some(&proxy_id) {
+              map.remove(pid);
+            }
+          }
+          let _ = crate::proxy_runner::stop_proxy_process(&proxy_id).await;
+        }
+      }
+    }
+
    // Clean up orphaned VPN worker configs where the worker process is dead
    {
      use crate::proxy_storage::is_process_running;
@@ -1857,6 +2241,8 @@ mod tests {
  use hyper::Response;
  use hyper_util::rt::TokioIo;
  use tokio::net::TcpListener;
+  use wiremock::matchers::{method, path};
+  use wiremock::{Mock, MockServer, ResponseTemplate};

  // Helper function to build donut-proxy binary for testing
  async fn ensure_donut_proxy_binary() -> Result<PathBuf, Box<dyn std::error::Error>> {
@@ -1971,6 +2357,7 @@ mod tests {
          upstream_type: "http".to_string(),
          local_port: (8000 + i) as u16,
          profile_id: None,
+          blocklist_file: None,
        };

        // Add proxy
@@ -2297,6 +2684,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: port,
      profile_id: profile_id.map(|s| s.to_string()),
+      blocklist_file: None,
    }
  }

@@ -2439,17 +2827,19 @@ mod tests {
  fn test_process_running_detection_with_child_lifecycle() {
    use crate::proxy_storage::is_process_running;

-    // Spawn a long-lived child so we can check while it runs
-    let mut child = std::process::Command::new(if cfg!(windows) { "timeout" } else { "sleep" })
+    // Spawn a long-lived child so we can check while it runs.
+    // On Windows, `timeout` requires console input and exits immediately in
+    // non-interactive contexts, so use `ping` with a high count instead.
+    let mut child = std::process::Command::new(if cfg!(windows) { "ping" } else { "sleep" })
      .args(if cfg!(windows) {
-        vec!["/T", "10"]
+        vec!["-n", "100", "127.0.0.1"]
      } else {
        vec!["10"]
      })
      .stdout(std::process::Stdio::null())
      .stderr(std::process::Stdio::null())
      .spawn()
-      .expect("spawn sleep");
+      .expect("spawn long-lived child");

    let pid = child.id();

@@ -2522,6 +2912,7 @@ mod tests {
      pid: Some(live_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };
    let dead_config = ProxyConfig {
      id: dead_id.clone(),
@@ -2532,6 +2923,7 @@ mod tests {
      pid: Some(dead_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };

    save_proxy_config(&live_config).unwrap();
@@ -2570,6 +2962,7 @@ mod tests {
      pid: Some(12345),
      profile_id: Some("prof_abc".to_string()),
      bypass_rules: vec!["*.local".to_string(), "192.168.*".to_string()],
+      blocklist_file: None,
    };

    // Save
@@ -2688,6 +3081,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: 9201,
      profile_id: Some("profile_alpha".to_string()),
+      blocklist_file: None,
    };
    let info_b = ProxyInfo {
      id: "px_shared_b".to_string(),
@@ -2697,6 +3091,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: 9202,
      profile_id: Some("profile_beta".to_string()),
+      blocklist_file: None,
    };

    pm.insert_active_proxy(3001, info_a);
@@ -2835,6 +3230,8 @@ mod tests {
      geo_region: None,
      geo_city: None,
      geo_isp: None,
+      dynamic_proxy_url: None,
+      dynamic_proxy_format: None,
    };

    // Before migration
@@ -2882,6 +3279,7 @@ mod tests {
      pid: Some(dead_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };
    save_proxy_config(&config).unwrap();

@@ -3054,6 +3452,7 @@ mod tests {
        upstream_type: ptype.to_string(),
        local_port: 9300 + i as u16,
        profile_id: Some(format!("profile_{ptype}")),
+        blocklist_file: None,
      };
      pm.insert_active_proxy(4000 + i as u32, info);
    }
@@ -3112,4 +3511,263 @@ mod tests {

    delete_proxy_config(&id);
  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_standard_format() {
+    let body = r#"{"ip": "1.2.3.4", "port": 8080, "username": "user1", "password": "pass1"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.host, "1.2.3.4");
+    assert_eq!(result.port, 8080);
+    assert_eq!(result.proxy_type, "http");
+    assert_eq!(result.username.as_deref(), Some("user1"));
+    assert_eq!(result.password.as_deref(), Some("pass1"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_host_alias() {
+    let body = r#"{"host": "proxy.example.com", "port": 3128}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 3128);
+    assert!(result.username.is_none());
+    assert!(result.password.is_none());
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_user_pass_aliases() {
+    let body = r#"{"ip": "10.0.0.1", "port": 1080, "user": "u", "pass": "p"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.username.as_deref(), Some("u"));
+    assert_eq!(result.password.as_deref(), Some("p"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_port_as_string() {
+    let body = r#"{"ip": "1.2.3.4", "port": "9090"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.port, 9090);
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_with_proxy_type() {
+    let body = r#"{"ip": "1.2.3.4", "port": 1080, "type": "socks5"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.proxy_type, "socks5");
+
+    let body2 = r#"{"ip": "1.2.3.4", "port": 1080, "proxy_type": "socks4"}"#;
+    let result2 = ProxyManager::parse_dynamic_proxy_json(body2).unwrap();
+    assert_eq!(result2.proxy_type, "socks4");
+
+    // "protocol" field alias
+    let body3 = r#"{"ip": "1.2.3.4", "port": 1080, "protocol": "socks5"}"#;
+    let result3 = ProxyManager::parse_dynamic_proxy_json(body3).unwrap();
+    assert_eq!(result3.proxy_type, "socks5");
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_normalizes_case() {
+    let body = r#"{"ip": "1.2.3.4", "port": 1080, "type": "SOCKS5"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.proxy_type, "socks5");
+
+    let body2 = r#"{"ip": "1.2.3.4", "port": 8080, "protocol": "HTTP"}"#;
+    let result2 = ProxyManager::parse_dynamic_proxy_json(body2).unwrap();
+    assert_eq!(result2.proxy_type, "http");
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_strips_protocol_from_host() {
+    // User's API returns "ip": "socks5://1.2.3.4" with protocol embedded in host
+    let body = r#"{"ip": "socks5://1.2.3.4", "port": 1080, "username": "u", "password": "p"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.host, "1.2.3.4");
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.port, 1080);
+
+    // Protocol in host should be used as proxy_type when no explicit type field
+    let body2 = r#"{"ip": "http://10.0.0.1", "port": 8080}"#;
+    let result2 = ProxyManager::parse_dynamic_proxy_json(body2).unwrap();
+    assert_eq!(result2.host, "10.0.0.1");
+    assert_eq!(result2.proxy_type, "http");
+
+    // Explicit type field takes precedence over protocol in host
+    let body3 = r#"{"ip": "http://10.0.0.1", "port": 1080, "type": "socks5"}"#;
+    let result3 = ProxyManager::parse_dynamic_proxy_json(body3).unwrap();
+    assert_eq!(result3.host, "10.0.0.1");
+    assert_eq!(result3.proxy_type, "socks5");
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_empty_credentials_treated_as_none() {
+    let body = r#"{"ip": "1.2.3.4", "port": 8080, "username": "", "password": ""}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert!(result.username.is_none());
+    assert!(result.password.is_none());
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_missing_ip() {
+    let body = r#"{"port": 8080}"#;
+    let err = ProxyManager::parse_dynamic_proxy_json(body).unwrap_err();
+    assert!(err.contains("ip") || err.contains("host"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_missing_port() {
+    let body = r#"{"ip": "1.2.3.4"}"#;
+    let err = ProxyManager::parse_dynamic_proxy_json(body).unwrap_err();
+    assert!(err.contains("port"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_invalid_json() {
+    let err = ProxyManager::parse_dynamic_proxy_json("not json").unwrap_err();
+    assert!(err.contains("Invalid JSON"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_not_object() {
+    let err = ProxyManager::parse_dynamic_proxy_json("[1,2,3]").unwrap_err();
+    assert!(err.contains("not an object"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_text_host_port_user_pass() {
+    let body = "proxy.example.com:8080:user1:pass1";
+    let result = ProxyManager::parse_dynamic_proxy_text(body).unwrap();
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 8080);
+    assert_eq!(result.username.as_deref(), Some("user1"));
+    assert_eq!(result.password.as_deref(), Some("pass1"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_text_protocol_url_format() {
+    let body = "http://user:pass@proxy.example.com:3128";
+    let result = ProxyManager::parse_dynamic_proxy_text(body).unwrap();
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 3128);
+    assert_eq!(result.proxy_type, "http");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_text_with_whitespace() {
+    let body = "  \n  proxy.example.com:8080:user:pass  \n  ";
+    let result = ProxyManager::parse_dynamic_proxy_text(body).unwrap();
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 8080);
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_text_empty() {
+    let err = ProxyManager::parse_dynamic_proxy_text("").unwrap_err();
+    assert!(err.contains("Empty"));
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_text_whitespace_only() {
+    let err = ProxyManager::parse_dynamic_proxy_text("   \n  \n  ").unwrap_err();
+    assert!(err.contains("Empty"));
+  }
+
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_parses_json_response() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(
+        ResponseTemplate::new(200).set_body_string(
+          r#"{"host":"proxy.example.com","port":3128,"type":"socks5","username":"user","password":"pass"}"#,
+        ),
+      )
+      .mount(&server)
+      .await;
+
+    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap()
+      .unwrap();
+
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 3128);
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
+  }
+
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_parses_text_response() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(ResponseTemplate::new(200).set_body_string("socks5://user:pass@1.2.3.4:1080"))
+      .mount(&server)
+      .await;
+
+    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap()
+      .unwrap();
+
+    assert_eq!(result.host, "1.2.3.4");
+    assert_eq!(result.port, 1080);
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
+  }
+
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_returns_none_for_no_content() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(ResponseTemplate::new(204))
+      .mount(&server)
+      .await;
+
+    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap();
+
+    assert!(result.is_none());
+  }
+
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_respects_timeout() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(
+        ResponseTemplate::new(200)
+          .set_delay(Duration::from_millis(200))
+          .set_body_string(r#"{"host":"1.2.3.4","port":8080}"#),
+      )
+      .mount(&server)
+      .await;
+
+    let pm = ProxyManager::new();
+    let err = pm
+      .fetch_proxy_from_url(&format!("{}/hook", server.uri()), Duration::from_millis(50))
+      .await
+      .unwrap_err();
+
+    assert!(err.contains("Failed to fetch launch hook"));
+  }
 }
@@ -2,17 +2,166 @@ use crate::proxy_storage::{
  delete_proxy_config, generate_proxy_id, get_proxy_config, is_process_running, list_proxy_configs,
  save_proxy_config, ProxyConfig,
 };
+use std::path::{Path, PathBuf};
 use std::process::Stdio;
 lazy_static::lazy_static! {
  static ref PROXY_PROCESSES: std::sync::Mutex<std::collections::HashMap<String, u32>> =
    std::sync::Mutex::new(std::collections::HashMap::new());
 }

+fn target_binary_name(base_name: &str) -> Option<String> {
+  let target = std::env::var("TARGET").ok()?;
+
+  #[cfg(windows)]
+  {
+    Some(format!("{base_name}-{target}.exe"))
+  }
+
+  #[cfg(not(windows))]
+  {
+    Some(format!("{base_name}-{target}"))
+  }
+}
+
+fn unsuffixed_binary_name(base_name: &str) -> String {
+  #[cfg(windows)]
+  {
+    match base_name {
+      "donut-proxy" => "donut-proxy.exe".to_string(),
+      "donut-daemon" => "donut-daemon.exe".to_string(),
+      _ => String::new(),
+    }
+  }
+
+  #[cfg(not(windows))]
+  {
+    base_name.to_string()
+  }
+}
+
+fn binary_matches_prefix(path: &Path, base_name: &str) -> bool {
+  let Some(file_name) = path.file_name().and_then(|name| name.to_str()) else {
+    return false;
+  };
+
+  #[cfg(windows)]
+  {
+    file_name.starts_with(&format!("{base_name}-")) && file_name.ends_with(".exe")
+  }
+
+  #[cfg(not(windows))]
+  {
+    file_name.starts_with(&format!("{base_name}-"))
+  }
+}
+
+fn push_candidate_dir(dirs: &mut Vec<PathBuf>, dir: Option<PathBuf>) {
+  if let Some(dir) = dir {
+    if !dirs.iter().any(|existing| existing == &dir) {
+      dirs.push(dir);
+    }
+  }
+}
+
+pub(crate) fn find_sidecar_executable(
+  base_name: &str,
+) -> Result<PathBuf, Box<dyn std::error::Error>> {
+  let current_exe = std::env::current_exe()?;
+  let current_dir = current_exe
+    .parent()
+    .ok_or("Failed to get parent directory of current executable")?;
+
+  if current_exe
+    .file_stem()
+    .and_then(|stem| stem.to_str())
+    .is_some_and(|stem| stem == base_name)
+  {
+    return Ok(current_exe);
+  }
+
+  let manifest_dir = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+  let mut search_dirs = Vec::new();
+
+  push_candidate_dir(&mut search_dirs, Some(current_dir.to_path_buf()));
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir.parent().map(std::path::Path::to_path_buf),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir
+      .parent()
+      .and_then(|parent| parent.parent())
+      .map(Path::to_path_buf),
+  );
+  push_candidate_dir(&mut search_dirs, Some(current_dir.join("binaries")));
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir.parent().map(|parent| parent.join("binaries")),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir
+      .parent()
+      .and_then(|parent| parent.parent())
+      .map(|parent| parent.join("binaries")),
+  );
+  push_candidate_dir(&mut search_dirs, Some(manifest_dir.join("binaries")));
+  push_candidate_dir(
+    &mut search_dirs,
+    Some(manifest_dir.join("target").join("debug")),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    Some(manifest_dir.join("target").join("release")),
+  );
+
+  let mut exact_names = vec![unsuffixed_binary_name(base_name)];
+  if let Some(target_name) = target_binary_name(base_name) {
+    exact_names.push(target_name);
+  }
+
+  for dir in &search_dirs {
+    for name in &exact_names {
+      if name.is_empty() {
+        continue;
+      }
+
+      let candidate = dir.join(name);
+      if candidate.exists() {
+        return Ok(candidate);
+      }
+    }
+
+    if let Ok(entries) = std::fs::read_dir(dir) {
+      for entry in entries.flatten() {
+        let path = entry.path();
+        if path.is_file() && binary_matches_prefix(&path, base_name) {
+          return Ok(path);
+        }
+      }
+    }
+  }
+
+  Err(
+    format!(
+      "Failed to locate '{}' executable. Searched in: {}",
+      base_name,
+      search_dirs
+        .iter()
+        .map(|dir| dir.display().to_string())
+        .collect::<Vec<_>>()
+        .join(", ")
+    )
+    .into(),
+  )
+}
+
 pub async fn start_proxy_process(
  upstream_url: Option<String>,
  port: Option<u16>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
-  start_proxy_process_with_profile(upstream_url, port, None, Vec::new()).await
+  start_proxy_process_with_profile(upstream_url, port, None, Vec::new(), None).await
 }

 pub async fn start_proxy_process_with_profile(
@@ -20,6 +169,7 @@ pub async fn start_proxy_process_with_profile(
  port: Option<u16>,
  profile_id: Option<String>,
  bypass_rules: Vec<String>,
+  blocklist_file: Option<String>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
  let id = generate_proxy_id();
  let upstream = upstream_url.unwrap_or_else(|| "DIRECT".to_string());
@@ -33,7 +183,8 @@ pub async fn start_proxy_process_with_profile(

  let config = ProxyConfig::new(id.clone(), upstream, Some(local_port))
    .with_profile_id(profile_id.clone())
-    .with_bypass_rules(bypass_rules);
+    .with_bypass_rules(bypass_rules)
+    .with_blocklist_file(blocklist_file);
  save_proxy_config(&config)?;

  // Log profile_id for debugging
@@ -45,7 +196,7 @@ pub async fn start_proxy_process_with_profile(

  // Spawn proxy worker process in the background using std::process::Command
  // This ensures proper process detachment on Unix systems
-  let exe = std::env::current_exe()?;
+  let exe = find_sidecar_executable("donut-proxy")?;

  #[cfg(unix)]
  {
@@ -7,6 +7,7 @@ use hyper::service::service_fn;
 use hyper::{Method, Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
 use regex_lite::Regex;
+use std::collections::HashSet;
 use std::convert::Infallible;
 use std::io;
 use std::net::SocketAddr;
@@ -17,6 +18,13 @@ use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, ReadBuf};
 use tokio::net::TcpListener;
 use tokio::net::TcpStream;
+
+/// Combined read+write trait for tunnel target streams, allowing
+/// `handle_connect_from_buffer` to handle plain TCP, SOCKS, and
+/// Shadowsocks through the same bidirectional-copy path.
+trait AsyncStream: AsyncRead + AsyncWrite + Unpin + Send {}
+impl<T: AsyncRead + AsyncWrite + Unpin + Send> AsyncStream for T {}
+type BoxedAsyncStream = Box<dyn AsyncStream>;
 use url::Url;

 enum CompiledRule {
@@ -51,6 +59,58 @@ impl BypassMatcher {
  }
 }

+#[derive(Clone)]
+pub struct BlocklistMatcher {
+  domains: Arc<HashSet<String>>,
+}
+
+impl Default for BlocklistMatcher {
+  fn default() -> Self {
+    Self::new()
+  }
+}
+
+impl BlocklistMatcher {
+  pub fn new() -> Self {
+    Self {
+      domains: Arc::new(HashSet::new()),
+    }
+  }
+
+  pub fn from_file(path: &str) -> Result<Self, Box<dyn std::error::Error>> {
+    let content = std::fs::read_to_string(path)?;
+    let domains: HashSet<String> = content
+      .lines()
+      .filter(|line| !line.starts_with('#') && !line.trim().is_empty())
+      .map(|line| line.trim().to_lowercase())
+      .collect();
+    log::info!("[blocklist] Loaded {} domains from {}", domains.len(), path);
+    Ok(Self {
+      domains: Arc::new(domains),
+    })
+  }
+
+  pub fn is_blocked(&self, host: &str) -> bool {
+    if self.domains.is_empty() {
+      return false;
+    }
+    let host_lower = host.to_lowercase();
+    // Exact match
+    if self.domains.contains(host_lower.as_str()) {
+      return true;
+    }
+    // Suffix matching: check parent domains (like uBlock)
+    let mut start = 0;
+    while let Some(dot_pos) = host_lower[start..].find('.') {
+      start += dot_pos + 1;
+      if self.domains.contains(&host_lower[start..]) {
+        return true;
+      }
+    }
+    false
+  }
+}
+
 /// Wrapper stream that counts bytes read and written
 struct CountingStream<S> {
  inner: S,
@@ -167,20 +227,22 @@ async fn handle_request(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Handle CONNECT method for HTTPS tunneling
  if req.method() == Method::CONNECT {
-    return handle_connect(req, upstream_url, bypass_matcher).await;
+    return handle_connect(req, upstream_url, bypass_matcher, blocklist_matcher).await;
  }

  // Handle regular HTTP requests
-  handle_http(req, upstream_url, bypass_matcher).await
+  handle_http(req, upstream_url, bypass_matcher, blocklist_matcher).await
 }

 async fn handle_connect(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  let authority = req.uri().authority().cloned();

@@ -196,6 +258,14 @@ async fn handle_connect(
      (&target_addr[..], 443)
    };

+    // Block if domain is in the DNS blocklist (before any connection)
+    if blocklist_matcher.is_blocked(target_host) {
+      log::debug!("[blocklist] Blocked CONNECT to {}", target_host);
+      let mut response = Response::new(Full::new(Bytes::from("Blocked by DNS blocklist")));
+      *response.status_mut() = StatusCode::FORBIDDEN;
+      return Ok(response);
+    }
+
    // If no upstream proxy, or bypass rule matches, connect directly
    if upstream_url.is_none()
      || upstream_url
@@ -707,10 +777,132 @@ async fn handle_http_via_socks4(
  Ok(hyper_response)
 }

+/// Handle plain HTTP requests through a Shadowsocks upstream.
+/// reqwest doesn't support SS natively, so we connect through the SS tunnel
+/// manually and forward the HTTP request/response.
+async fn handle_http_via_shadowsocks(
+  req: Request<hyper::body::Incoming>,
+  upstream: &Url,
+) -> Result<Response<Full<Bytes>>, Infallible> {
+  let domain = req
+    .uri()
+    .host()
+    .map(|h| h.to_string())
+    .unwrap_or_else(|| "unknown".to_string());
+  let port = req.uri().port_u16().unwrap_or(80);
+
+  let ss_host = upstream.host_str().unwrap_or("127.0.0.1");
+  let ss_port = upstream.port().unwrap_or(8388);
+  let method_str = urlencoding::decode(upstream.username())
+    .unwrap_or_default()
+    .to_string();
+  let password = urlencoding::decode(upstream.password().unwrap_or(""))
+    .unwrap_or_default()
+    .to_string();
+
+  let cipher = match method_str.parse::<shadowsocks::crypto::CipherKind>() {
+    Ok(c) => c,
+    Err(_) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!(
+        "Bad SS cipher: {method_str}"
+      ))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  let context = shadowsocks::context::Context::new_shared(shadowsocks::config::ServerType::Local);
+  let svr_cfg = match shadowsocks::config::ServerConfig::new(
+    shadowsocks::config::ServerAddr::from((ss_host.to_string(), ss_port)),
+    &password,
+    cipher,
+  ) {
+    Ok(c) => c,
+    Err(e) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!("SS config error: {e}"))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  let target_addr = shadowsocks::relay::Address::DomainNameAddress(domain.clone(), port);
+
+  let mut stream = match shadowsocks::relay::tcprelay::proxy_stream::ProxyClientStream::connect(
+    context,
+    &svr_cfg,
+    target_addr,
+  )
+  .await
+  {
+    Ok(s) => s,
+    Err(e) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!("SS connect: {e}"))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  // Build and send the HTTP request through the SS tunnel
+  let path = req
+    .uri()
+    .path_and_query()
+    .map(|pq| pq.as_str())
+    .unwrap_or("/");
+  let method = req.method().as_str();
+  let mut raw_req = format!("{method} {path} HTTP/1.1\r\nHost: {domain}\r\nConnection: close\r\n");
+  for (name, value) in req.headers() {
+    if name != "host" && name != "connection" {
+      raw_req.push_str(&format!("{}: {}\r\n", name, value.to_str().unwrap_or("")));
+    }
+  }
+  raw_req.push_str("\r\n");
+
+  use tokio::io::{AsyncReadExt, AsyncWriteExt};
+  if let Err(e) = stream.write_all(raw_req.as_bytes()).await {
+    let mut resp = Response::new(Full::new(Bytes::from(format!("SS write: {e}"))));
+    *resp.status_mut() = StatusCode::BAD_GATEWAY;
+    return Ok(resp);
+  }
+
+  let mut response_buf = Vec::new();
+  if let Err(e) = stream.read_to_end(&mut response_buf).await {
+    log::warn!("SS read error (may be partial): {e}");
+  }
+
+  if let Some(tracker) = get_traffic_tracker() {
+    tracker.record_request(&domain, raw_req.len() as u64, response_buf.len() as u64);
+  }
+
+  // Parse the raw HTTP response
+  let response_str = String::from_utf8_lossy(&response_buf);
+  let header_end = response_str.find("\r\n\r\n").unwrap_or(response_str.len());
+  let status_line = response_str
+    .lines()
+    .next()
+    .unwrap_or("HTTP/1.1 502 Bad Gateway");
+  let status_code: u16 = status_line
+    .split_whitespace()
+    .nth(1)
+    .and_then(|s| s.parse().ok())
+    .unwrap_or(502);
+  let body = if header_end + 4 < response_buf.len() {
+    &response_buf[header_end + 4..]
+  } else {
+    b""
+  };
+
+  let mut hyper_response = Response::new(Full::new(Bytes::from(body.to_vec())));
+  *hyper_response.status_mut() =
+    StatusCode::from_u16(status_code).unwrap_or(StatusCode::BAD_GATEWAY);
+
+  Ok(hyper_response)
+}
+
 async fn handle_http(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Extract domain for traffic tracking
  let domain = req
@@ -719,6 +911,14 @@ async fn handle_http(
    .map(|h| h.to_string())
    .unwrap_or_else(|| "unknown".to_string());

+  // Block if domain is in the DNS blocklist (before any connection)
+  if blocklist_matcher.is_blocked(&domain) {
+    log::debug!("[blocklist] Blocked HTTP request to {}", domain);
+    let mut response = Response::new(Full::new(Bytes::from("Blocked by DNS blocklist")));
+    *response.status_mut() = StatusCode::FORBIDDEN;
+    return Ok(response);
+  }
+
  log::error!(
    "DEBUG: Handling HTTP request: {} {} (host: {:?})",
    req.method(),
@@ -728,14 +928,19 @@ async fn handle_http(

  let should_bypass = bypass_matcher.should_bypass(&domain);

-  // Check if we need to handle SOCKS4 manually (reqwest doesn't support it)
+  // Handle proxy types that reqwest doesn't support natively
  if !should_bypass {
    if let Some(ref upstream) = upstream_url {
      if upstream != "DIRECT" {
        if let Ok(url) = Url::parse(upstream) {
-          if url.scheme() == "socks4" {
-            // Handle SOCKS4 manually for HTTP requests
-            return handle_http_via_socks4(req, upstream).await;
+          match url.scheme() {
+            "socks4" => {
+              return handle_http_via_socks4(req, upstream).await;
+            }
+            "ss" | "shadowsocks" => {
+              return handle_http_via_shadowsocks(req, &url).await;
+            }
+            _ => {}
          }
        }
      }
@@ -883,6 +1088,100 @@ fn build_reqwest_client_with_proxy(
  Ok(client_builder.proxy(proxy).build()?)
 }

+/// Handle a single proxy connection (used by both the proxy worker and in-process proxy checks).
+pub async fn handle_proxy_connection(
+  mut stream: tokio::net::TcpStream,
+  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
+) {
+  let _ = stream.set_nodelay(true);
+
+  if stream.readable().await.is_err() {
+    return;
+  }
+
+  let mut peek_buffer = [0u8; 16];
+  match stream.read(&mut peek_buffer).await {
+    Ok(0) => {}
+    Ok(n) => {
+      let request_start_upper = String::from_utf8_lossy(&peek_buffer[..n.min(7)]).to_uppercase();
+      let is_connect = request_start_upper.starts_with("CONNECT");
+
+      if is_connect {
+        let mut full_request = Vec::with_capacity(4096);
+        full_request.extend_from_slice(&peek_buffer[..n]);
+
+        let mut remaining = [0u8; 4096];
+        let mut total_read = n;
+        let max_reads = 100;
+        let mut reads = 0;
+
+        loop {
+          if reads >= max_reads {
+            break;
+          }
+          match stream.read(&mut remaining).await {
+            Ok(0) => {
+              if full_request.ends_with(b"\r\n\r\n")
+                || full_request.ends_with(b"\n\n")
+                || total_read > 0
+              {
+                break;
+              }
+              return;
+            }
+            Ok(m) => {
+              reads += 1;
+              total_read += m;
+              full_request.extend_from_slice(&remaining[..m]);
+              if full_request.ends_with(b"\r\n\r\n") || full_request.ends_with(b"\n\n") {
+                break;
+              }
+            }
+            Err(_) => {
+              if total_read > 0 {
+                break;
+              }
+              return;
+            }
+          }
+        }
+
+        let _ = handle_connect_from_buffer(
+          stream,
+          full_request,
+          upstream_url,
+          bypass_matcher,
+          blocklist_matcher,
+        )
+        .await;
+        return;
+      }
+
+      // Non-CONNECT: prepend consumed bytes and pass to hyper
+      let prepended_bytes = peek_buffer[..n].to_vec();
+      let prepended_reader = PrependReader {
+        prepended: prepended_bytes,
+        prepended_pos: 0,
+        inner: stream,
+      };
+      let io = TokioIo::new(prepended_reader);
+      let service = service_fn(move |req| {
+        handle_request(
+          req,
+          upstream_url.clone(),
+          bypass_matcher.clone(),
+          blocklist_matcher.clone(),
+        )
+      });
+
+      let _ = http1::Builder::new().serve_connection(io, service).await;
+    }
+    Err(_) => {}
+  }
+}
+
 pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::error::Error>> {
  log::error!(
    "Proxy worker starting, looking for config id: {}",
@@ -1047,148 +1346,28 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
  });

  let bypass_matcher = BypassMatcher::new(&config.bypass_rules);
+  let blocklist_matcher = if let Some(ref path) = config.blocklist_file {
+    match BlocklistMatcher::from_file(path) {
+      Ok(m) => m,
+      Err(e) => {
+        log::error!("[blocklist] Failed to load from {}: {}", path, e);
+        BlocklistMatcher::new()
+      }
+    }
+  } else {
+    BlocklistMatcher::new()
+  };

  // Keep the runtime alive with an infinite loop
  // This ensures the process doesn't exit even if there are no active connections
  loop {
    match listener.accept().await {
-      Ok((mut stream, peer_addr)) => {
-        // Enable TCP_NODELAY to ensure small packets are sent immediately
-        // This is critical for CONNECT responses to be sent before tunneling begins
-        let _ = stream.set_nodelay(true);
-        log::error!("DEBUG: Accepted connection from {:?}", peer_addr);
-
+      Ok((stream, _peer_addr)) => {
        let upstream = upstream_url.clone();
        let matcher = bypass_matcher.clone();
-
+        let blocker = blocklist_matcher.clone();
        tokio::task::spawn(async move {
-          // Read first bytes to detect CONNECT requests
-          // CONNECT requests need special handling for tunneling
-          // Use a larger buffer to ensure we can detect CONNECT even with partial reads
-          let mut peek_buffer = [0u8; 16];
-          match stream.read(&mut peek_buffer).await {
-            Ok(0) => {
-              log::error!("DEBUG: Connection closed immediately (0 bytes read)");
-            }
-            Ok(n) => {
-              // Check if this looks like a CONNECT request
-              // Be more lenient - check if the first bytes match "CONNECT" (case-insensitive)
-              let request_start_upper =
-                String::from_utf8_lossy(&peek_buffer[..n.min(7)]).to_uppercase();
-              let is_connect = request_start_upper.starts_with("CONNECT");
-
-              log::error!(
-                "DEBUG: Read {} bytes, starts with: {:?}, is_connect: {}",
-                n,
-                String::from_utf8_lossy(&peek_buffer[..n.min(20)]),
-                is_connect
-              );
-
-              if is_connect {
-                // Handle CONNECT request manually for tunneling
-                let mut full_request = Vec::with_capacity(4096);
-                full_request.extend_from_slice(&peek_buffer[..n]);
-
-                // Read the rest of the CONNECT request until we have the full headers
-                // CONNECT requests end with \r\n\r\n (or \n\n)
-                let mut remaining = [0u8; 4096];
-                let mut total_read = n;
-                let max_reads = 100; // Prevent infinite loop
-                let mut reads = 0;
-
-                loop {
-                  if reads >= max_reads {
-                    log::error!("DEBUG: Max reads reached, breaking");
-                    break;
-                  }
-
-                  match stream.read(&mut remaining).await {
-                    Ok(0) => {
-                      // Connection closed, but we might have a complete request
-                      if full_request.ends_with(b"\r\n\r\n") || full_request.ends_with(b"\n\n") {
-                        break;
-                      }
-                      // If we have some data, try to process it anyway
-                      if total_read > 0 {
-                        break;
-                      }
-                      return; // No data at all
-                    }
-                    Ok(m) => {
-                      reads += 1;
-                      total_read += m;
-                      full_request.extend_from_slice(&remaining[..m]);
-
-                      // Check if we have complete headers
-                      if full_request.ends_with(b"\r\n\r\n") || full_request.ends_with(b"\n\n") {
-                        break;
-                      }
-
-                      // Also check if we have enough to parse (at least "CONNECT host:port HTTP/1.x")
-                      if total_read >= 20 {
-                        // Check if we have a newline that might indicate end of request line
-                        if let Some(pos) = full_request.iter().position(|&b| b == b'\n') {
-                          if pos < full_request.len() - 1 {
-                            // We have at least the request line, check if we have headers
-                            let request_str = String::from_utf8_lossy(&full_request);
-                            if request_str.contains("\r\n\r\n") || request_str.contains("\n\n") {
-                              break;
-                            }
-                          }
-                        }
-                      }
-                    }
-                    Err(e) => {
-                      log::error!("DEBUG: Error reading CONNECT request: {:?}", e);
-                      // If we have some data, try to process it
-                      if total_read > 0 {
-                        break;
-                      }
-                      return;
-                    }
-                  }
-                }
-
-                // Handle CONNECT manually
-                log::error!(
-                  "DEBUG: Handling CONNECT manually for: {}",
-                  String::from_utf8_lossy(&full_request[..full_request.len().min(200)])
-                );
-                if let Err(e) =
-                  handle_connect_from_buffer(stream, full_request, upstream, matcher).await
-                {
-                  log::error!("Error handling CONNECT request: {:?}", e);
-                } else {
-                  log::error!("DEBUG: CONNECT handled successfully");
-                }
-                return;
-              }
-
-              // Not CONNECT (or partial read) - reconstruct stream with consumed bytes prepended
-              // This is critical: we MUST prepend any bytes we consumed, even if < 7 bytes
-              log::error!(
-                "DEBUG: Non-CONNECT request, first {} bytes: {:?}",
-                n,
-                String::from_utf8_lossy(&peek_buffer[..n.min(50)])
-              );
-              let prepended_bytes = peek_buffer[..n].to_vec();
-              let prepended_reader = PrependReader {
-                prepended: prepended_bytes,
-                prepended_pos: 0,
-                inner: stream,
-              };
-              let io = TokioIo::new(prepended_reader);
-              let service =
-                service_fn(move |req| handle_request(req, upstream.clone(), matcher.clone()));
-
-              if let Err(err) = http1::Builder::new().serve_connection(io, service).await {
-                log::error!("Error serving connection: {:?}", err);
-              }
-            }
-            Err(e) => {
-              log::error!("Error reading from connection: {:?}", e);
-            }
-          }
+          handle_proxy_connection(stream, upstream, matcher, blocker).await;
        });
      }
      Err(e) => {
@@ -1206,6 +1385,7 @@ async fn handle_connect_from_buffer(
  request_buffer: Vec<u8>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<(), Box<dyn std::error::Error>> {
  // Parse the CONNECT request from the buffer
  let request_str = String::from_utf8_lossy(&request_buffer);
@@ -1236,43 +1416,56 @@ async fn handle_connect_from_buffer(
    (target, 443)
  };

+  // Block if domain is in the DNS blocklist (before any connection)
+  if blocklist_matcher.is_blocked(target_host) {
+    log::debug!("[blocklist] Blocked CONNECT tunnel to {}", target_host);
+    let _ = client_stream
+      .write_all(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 24\r\n\r\nBlocked by DNS blocklist")
+      .await;
+    return Ok(());
+  }
+
  // Record domain access in traffic tracker
  let domain = target_host.to_string();
  if let Some(tracker) = get_traffic_tracker() {
    tracker.record_request(&domain, 0, 0);
  }

-  // Connect to target (directly or via upstream proxy)
+  // Connect to target (directly or via upstream proxy).
+  // Returns a BoxedAsyncStream so all upstream types (plain TCP, SOCKS,
+  // Shadowsocks) share the same bidirectional-copy tunnel code below.
  let should_bypass = bypass_matcher.should_bypass(target_host);
-  let target_stream = match upstream_url.as_ref() {
+  // Helper: configure outbound TCP to match browser TCP fingerprint
+  let configure_tcp = |stream: &TcpStream| {
+    let _ = stream.set_nodelay(true);
+  };
+  let target_stream: BoxedAsyncStream = match upstream_url.as_ref() {
    None => {
-      // Direct connection
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    Some(url) if url == "DIRECT" => {
-      // Direct connection
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    _ if should_bypass => {
-      // Bypass rule matched - connect directly
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    Some(upstream_url_str) => {
-      // Connect via upstream proxy
      let upstream = Url::parse(upstream_url_str)?;
      let scheme = upstream.scheme();

      match scheme {
        "http" | "https" => {
-          // Connect via HTTP/HTTPS proxy CONNECT
-          // Note: HTTPS proxy URLs still use HTTP CONNECT method (CONNECT is always HTTP-based)
-          // For HTTPS proxies, reqwest handles TLS automatically in handle_http
-          // For manual CONNECT here, we use plain TCP - HTTPS proxy CONNECT typically works over plain TCP
          let proxy_host = upstream.host_str().unwrap_or("127.0.0.1");
          let proxy_port = upstream.port().unwrap_or(8080);
          let mut proxy_stream = TcpStream::connect((proxy_host, proxy_port)).await?;
+          configure_tcp(&proxy_stream);

-          // Add authentication if provided
          let mut connect_req = format!(
            "CONNECT {}:{} HTTP/1.1\r\nHost: {}:{}\r\n",
            target_host, target_port, target_host, target_port
@@ -1288,10 +1481,8 @@ async fn handle_connect_from_buffer(

          connect_req.push_str("\r\n");

-          // Send CONNECT request to upstream proxy
          proxy_stream.write_all(connect_req.as_bytes()).await?;

-          // Read response
          let mut buffer = [0u8; 4096];
          let n = proxy_stream.read(&mut buffer).await?;
          let response = String::from_utf8_lossy(&buffer[..n]);
@@ -1300,10 +1491,9 @@ async fn handle_connect_from_buffer(
            return Err(format!("Upstream proxy CONNECT failed: {}", response).into());
          }

-          proxy_stream
+          Box::new(proxy_stream)
        }
        "socks4" | "socks5" => {
-          // Connect via SOCKS proxy
          let socks_host = upstream.host_str().unwrap_or("127.0.0.1");
          let socks_port = upstream.port().unwrap_or(1080);
          let socks_addr = format!("{}:{}", socks_host, socks_port);
@@ -1311,7 +1501,7 @@ async fn handle_connect_from_buffer(
          let username = upstream.username();
          let password = upstream.password().unwrap_or("");

-          connect_via_socks(
+          let stream = connect_via_socks(
            &socks_addr,
            target_host,
            target_port,
@@ -1322,7 +1512,56 @@ async fn handle_connect_from_buffer(
              None
            },
          )
-          .await?
+          .await?;
+          Box::new(stream)
+        }
+        "ss" | "shadowsocks" => {
+          // Shadowsocks: URL format is ss://method:password@host:port
+          // where "method" is the cipher (e.g. aes-256-gcm, chacha20-ietf-poly1305)
+          // and "password" is the SS server password.
+          let ss_host = upstream.host_str().unwrap_or("127.0.0.1");
+          let ss_port = upstream.port().unwrap_or(8388);
+
+          // The "username" field carries the cipher method
+          let method_str = urlencoding::decode(upstream.username())
+            .unwrap_or_default()
+            .to_string();
+          let password = urlencoding::decode(upstream.password().unwrap_or(""))
+            .unwrap_or_default()
+            .to_string();
+
+          if method_str.is_empty() || password.is_empty() {
+            return Err(
+              "Shadowsocks requires method and password (URL: ss://method:password@host:port)"
+                .into(),
+            );
+          }
+
+          let cipher = method_str.parse::<shadowsocks::crypto::CipherKind>().map_err(|_| {
+            format!("Unsupported Shadowsocks cipher: {method_str}. Use e.g. aes-256-gcm, chacha20-ietf-poly1305, aes-128-gcm")
+          })?;
+
+          let context =
+            shadowsocks::context::Context::new_shared(shadowsocks::config::ServerType::Local);
+          let svr_cfg = shadowsocks::config::ServerConfig::new(
+            shadowsocks::config::ServerAddr::from((ss_host.to_string(), ss_port)),
+            &password,
+            cipher,
+          )
+          .map_err(|e| format!("Invalid Shadowsocks config: {e}"))?;
+
+          let target_addr =
+            shadowsocks::relay::Address::DomainNameAddress(target_host.to_string(), target_port);
+
+          let stream = shadowsocks::relay::tcprelay::proxy_stream::ProxyClientStream::connect(
+            context,
+            &svr_cfg,
+            target_addr,
+          )
+          .await
+          .map_err(|e| format!("Shadowsocks connection failed: {e}"))?;
+
+          Box::new(stream)
        }
        _ => {
          return Err(format!("Unsupported upstream proxy scheme: {}", scheme).into());
@@ -1331,8 +1570,9 @@ async fn handle_connect_from_buffer(
    }
  };

-  // Enable TCP_NODELAY on target stream for immediate data transfer
-  let _ = target_stream.set_nodelay(true);
+  // TCP_NODELAY is set per-stream where applicable (TcpStream paths).
+  // For encrypted streams (Shadowsocks), the underlying TCP connection
+  // is managed by the library and nodelay is handled internally.

  // Send 200 Connection Established response to client
  // CRITICAL: Must flush after writing to ensure response is sent before tunneling
@@ -1413,3 +1653,106 @@ async fn handle_connect_from_buffer(

  Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+  use std::io::Write;
+
+  #[test]
+  fn test_blocklist_exact_match() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    domains.insert("tracker.net".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("example.com"));
+    assert!(matcher.is_blocked("tracker.net"));
+    assert!(!matcher.is_blocked("safe.com"));
+  }
+
+  #[test]
+  fn test_blocklist_subdomain_match() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("foo.example.com"));
+    assert!(matcher.is_blocked("bar.baz.example.com"));
+    assert!(matcher.is_blocked("a.b.c.example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_no_false_positives() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    // "notexample.com" should NOT match "example.com"
+    assert!(!matcher.is_blocked("notexample.com"));
+    assert!(!matcher.is_blocked("myexample.com"));
+    // But subdomain should
+    assert!(matcher.is_blocked("sub.example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_empty_blocks_nothing() {
+    let matcher = BlocklistMatcher::new();
+    assert!(!matcher.is_blocked("anything.com"));
+    assert!(!matcher.is_blocked("example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_case_insensitive() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("EXAMPLE.COM"));
+    assert!(matcher.is_blocked("Example.Com"));
+    assert!(matcher.is_blocked("FOO.EXAMPLE.COM"));
+  }
+
+  #[test]
+  fn test_blocklist_from_file() {
+    let mut tmpfile = tempfile::NamedTempFile::new().unwrap();
+    writeln!(tmpfile, "# This is a comment").unwrap();
+    writeln!(tmpfile).unwrap();
+    writeln!(tmpfile, "tracker.example.com").unwrap();
+    writeln!(tmpfile, "ads.network.com").unwrap();
+    writeln!(tmpfile, "# Another comment").unwrap();
+    writeln!(tmpfile, "malware.site").unwrap();
+    tmpfile.flush().unwrap();
+
+    let matcher = BlocklistMatcher::from_file(tmpfile.path().to_str().unwrap()).unwrap();
+
+    assert!(matcher.is_blocked("tracker.example.com"));
+    assert!(matcher.is_blocked("ads.network.com"));
+    assert!(matcher.is_blocked("malware.site"));
+    assert!(matcher.is_blocked("sub.malware.site"));
+    assert!(!matcher.is_blocked("safe.com"));
+    // Comments and empty lines should be skipped: 3 domains loaded
+    assert_eq!(matcher.domains.len(), 3);
+  }
+
+  #[test]
+  fn test_blocklist_comments_skipped() {
+    let mut tmpfile = tempfile::NamedTempFile::new().unwrap();
+    writeln!(tmpfile, "# Title: HaGeZi's Light DNS Blocklist").unwrap();
+    writeln!(tmpfile, "# Description: test").unwrap();
+    writeln!(tmpfile, "# Version: 2026.0330.0928.01").unwrap();
+    writeln!(tmpfile).unwrap();
+    writeln!(tmpfile, "domain1.com").unwrap();
+    writeln!(tmpfile, "domain2.com").unwrap();
+    tmpfile.flush().unwrap();
+
+    let matcher = BlocklistMatcher::from_file(tmpfile.path().to_str().unwrap()).unwrap();
+    assert_eq!(matcher.domains.len(), 2);
+    assert!(matcher.is_blocked("domain1.com"));
+    assert!(matcher.is_blocked("domain2.com"));
+  }
+}
@@ -14,6 +14,8 @@ pub struct ProxyConfig {
  pub profile_id: Option<String>,
  #[serde(default)]
  pub bypass_rules: Vec<String>,
+  #[serde(default)]
+  pub blocklist_file: Option<String>,
 }

 impl ProxyConfig {
@@ -27,6 +29,7 @@ impl ProxyConfig {
      pid: None,
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    }
  }

@@ -39,6 +42,11 @@ impl ProxyConfig {
    self.bypass_rules = bypass_rules;
    self
  }
+
+  pub fn with_blocklist_file(mut self, blocklist_file: Option<String>) -> Self {
+    self.blocklist_file = blocklist_file;
+    self
+  }
 }

 pub fn get_storage_dir() -> PathBuf {
@@ -178,10 +178,8 @@ impl SettingsManager {
  }

  pub fn should_show_launch_on_login_prompt(&self) -> Result<bool, Box<dyn std::error::Error>> {
-    let settings = self.load_settings()?;
-    // Show if: user has NOT declined AND autostart is NOT enabled
-    let autostart_enabled = crate::daemon::autostart::is_autostart_enabled();
-    Ok(!settings.launch_on_login_declined && !autostart_enabled)
+    // Daemon is currently disabled, never show this prompt
+    Ok(false)
  }

  pub fn decline_launch_on_login(&self) -> Result<(), Box<dyn std::error::Error>> {
@@ -200,7 +198,7 @@ impl SettingsManager {
  ) -> Result<String, Box<dyn std::error::Error>> {
    // Generate a secure random token (base64 encoded for URL safety)
    let token_bytes: [u8; 32] = {
-      use rand::RngCore;
+      use rand::Rng;
      let mut rng = rand::rng();
      let mut bytes = [0u8; 32];
      rng.fill_bytes(&mut bytes);
@@ -390,7 +388,7 @@ impl SettingsManager {
    app_handle: &tauri::AppHandle,
  ) -> Result<String, Box<dyn std::error::Error>> {
    let token_bytes: [u8; 32] = {
-      use rand::RngCore;
+      use rand::Rng;
      let mut rng = rand::rng();
      let mut bytes = [0u8; 32];
      rng.fill_bytes(&mut bytes);
@@ -734,11 +732,17 @@ pub async fn save_app_settings(
        .await
        .map_err(|e| format!("Failed to store API token: {e}"))?;
    } else {
-      let token = manager
-        .generate_api_token(&app_handle)
-        .await
-        .map_err(|e| format!("Failed to generate API token: {e}"))?;
-      settings.api_token = Some(token);
+      // Check if a token already exists on disk before generating a new one
+      let existing = manager.get_api_token(&app_handle).await.ok().flatten();
+      if let Some(t) = existing {
+        settings.api_token = Some(t);
+      } else {
+        let token = manager
+          .generate_api_token(&app_handle)
+          .await
+          .map_err(|e| format!("Failed to generate API token: {e}"))?;
+        settings.api_token = Some(token);
+      }
    }
  }

@@ -758,11 +762,17 @@ pub async fn save_app_settings(
        .await
        .map_err(|e| format!("Failed to store MCP token: {e}"))?;
    } else {
-      let token = manager
-        .generate_mcp_token(&app_handle)
-        .await
-        .map_err(|e| format!("Failed to generate MCP token: {e}"))?;
-      settings.mcp_token = Some(token);
+      // Check if a token already exists on disk before generating a new one
+      let existing = manager.get_mcp_token(&app_handle).await.ok().flatten();
+      if let Some(t) = existing {
+        settings.mcp_token = Some(t);
+      } else {
+        let token = manager
+          .generate_mcp_token(&app_handle)
+          .await
+          .map_err(|e| format!("Failed to generate MCP token: {e}"))?;
+        settings.mcp_token = Some(token);
+      }
    }
  }

@@ -935,6 +945,42 @@ pub fn get_system_language() -> String {
    .unwrap_or_else(|| "en".to_string())
 }

+#[derive(Debug, Serialize, Clone)]
+pub struct SystemInfo {
+  pub app_version: String,
+  pub os: String,
+  pub arch: String,
+  pub portable: bool,
+}
+
+#[tauri::command]
+pub fn get_system_info() -> SystemInfo {
+  let os = if cfg!(target_os = "macos") {
+    "macOS"
+  } else if cfg!(target_os = "windows") {
+    "Windows"
+  } else if cfg!(target_os = "linux") {
+    "Linux"
+  } else {
+    "Unknown"
+  };
+
+  let arch = if cfg!(target_arch = "x86_64") {
+    "x86_64"
+  } else if cfg!(target_arch = "aarch64") {
+    "aarch64"
+  } else {
+    "unknown"
+  };
+
+  SystemInfo {
+    app_version: crate::app_auto_updater::AppAutoUpdater::get_current_version(),
+    os: os.to_string(),
+    arch: arch.to_string(),
+    portable: crate::app_dirs::is_portable(),
+  }
+}
+
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref SETTINGS_MANAGER: SettingsManager = SettingsManager::new();
@@ -127,6 +127,14 @@ impl SyncClient {
  }

  pub async fn list(&self, prefix: &str) -> SyncResult<ListResponse> {
+    self.list_page(prefix, None).await
+  }
+
+  async fn list_page(
+    &self,
+    prefix: &str,
+    continuation_token: Option<String>,
+  ) -> SyncResult<ListResponse> {
    let response = self
      .client
      .post(self.url("list"))
@@ -134,7 +142,7 @@ impl SyncClient {
      .json(&ListRequest {
        prefix: prefix.to_string(),
        max_keys: Some(1000),
-        continuation_token: None,
+        continuation_token,
      })
      .send()
      .await
@@ -152,6 +160,27 @@ impl SyncClient {
      .map_err(|e| SyncError::SerializationError(e.to_string()))
  }

+  /// List all objects under a prefix, paginating through all results
+  pub async fn list_all(&self, prefix: &str) -> SyncResult<Vec<ListObject>> {
+    let mut all_objects = Vec::new();
+    let mut continuation_token: Option<String> = None;
+
+    loop {
+      let response = self.list_page(prefix, continuation_token).await?;
+      all_objects.extend(response.objects);
+
+      if !response.is_truncated {
+        break;
+      }
+      continuation_token = response.next_continuation_token;
+      if continuation_token.is_none() {
+        break;
+      }
+    }
+
+    Ok(all_objects)
+  }
+
  pub async fn upload_bytes(
    &self,
    presigned_url: &str,
@@ -9,7 +9,7 @@ use crate::settings_manager::SettingsManager;
 use chrono::{DateTime, Utc};
 use std::collections::{HashMap, HashSet};
 use std::fs;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
 use std::time::Instant;
@@ -49,6 +49,70 @@ fn is_critical_file(path: &str) -> bool {
    .any(|pattern| path.contains(pattern))
 }

+/// Checkpoint all SQLite WAL files in a profile directory.
+///
+/// When a browser crashes or is killed, SQLite WAL files may contain
+/// uncommitted data (e.g. cookies, login data). Since WAL files are
+/// excluded from sync, we must checkpoint them into the main database
+/// files before generating the manifest to avoid data loss.
+fn checkpoint_sqlite_wal_files(profile_dir: &Path) {
+  fn find_wal_files(dir: &Path, wal_files: &mut Vec<PathBuf>) {
+    let Ok(entries) = fs::read_dir(dir) else {
+      return;
+    };
+    for entry in entries.flatten() {
+      let path = entry.path();
+      if path.is_dir() {
+        find_wal_files(&path, wal_files);
+      } else if let Some(name) = path.file_name().and_then(|n| n.to_str()) {
+        if name.ends_with("-wal") {
+          wal_files.push(path);
+        }
+      }
+    }
+  }
+
+  let mut wal_files = Vec::new();
+  find_wal_files(profile_dir, &mut wal_files);
+
+  for wal_path in &wal_files {
+    // Only checkpoint non-empty WAL files
+    let is_non_empty = fs::metadata(wal_path).map(|m| m.len() > 0).unwrap_or(false);
+    if !is_non_empty {
+      continue;
+    }
+
+    // Derive the main database path by stripping the "-wal" suffix
+    let db_path_str = wal_path.to_string_lossy();
+    let db_path = PathBuf::from(db_path_str.strip_suffix("-wal").unwrap());
+
+    if !db_path.exists() {
+      continue;
+    }
+
+    match rusqlite::Connection::open(&db_path) {
+      Ok(conn) => match conn.pragma_update(None, "wal_checkpoint", "TRUNCATE") {
+        Ok(_) => {
+          log::info!(
+            "Checkpointed WAL for: {}",
+            db_path.file_name().unwrap_or_default().to_string_lossy()
+          );
+        }
+        Err(e) => {
+          log::warn!("Failed to checkpoint WAL for {}: {}", db_path.display(), e);
+        }
+      },
+      Err(e) => {
+        log::warn!(
+          "Failed to open DB for WAL checkpoint {}: {}",
+          db_path.display(),
+          e
+        );
+      }
+    }
+  }
+}
+
 /// Resume state persisted to disk so interrupted syncs can continue
 #[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 struct SyncResumeState {
@@ -166,11 +230,7 @@ impl SyncProgressTracker {
    let elapsed = self.start_time.elapsed().as_secs_f64().max(0.1);
    let speed = (completed_bytes as f64 / elapsed) as u64;
    let remaining_bytes = self.total_bytes.saturating_sub(completed_bytes);
-    let eta = if speed > 0 {
-      remaining_bytes / speed
-    } else {
-      0
-    };
+    let eta = remaining_bytes.checked_div(speed).unwrap_or(0);

    let _ = events::emit(
      "profile-sync-progress",
@@ -268,11 +328,11 @@ impl SyncEngine {
  ) -> SyncResult<()> {
    if profile.is_cross_os() {
      log::info!(
-        "Skipping file sync for cross-OS profile: {} ({})",
+        "Cross-OS profile: {} ({}) — syncing metadata only",
        profile.name,
        profile.id
      );
-      return Ok(());
+      return self.sync_cross_os_metadata(app_handle, profile).await;
    }

    // Skip team profiles for self-hosted sync
@@ -362,6 +422,10 @@ impl SyncEngine {
      ))
    })?;

+    // Checkpoint any SQLite WAL files to ensure all data is in the main DB
+    // before we generate the manifest (WAL files are excluded from sync)
+    checkpoint_sqlite_wal_files(&profile_dir);
+
    // Load or create hash cache
    let cache_path = get_cache_path(&profile_dir);
    let mut hash_cache = HashCache::load(&cache_path);
@@ -392,7 +456,9 @@ impl SyncEngine {

    // Try to download remote manifest
    let remote_manifest_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
-    let remote_manifest = self.download_manifest(&remote_manifest_key).await?;
+    let remote_manifest = self
+      .download_manifest(&remote_manifest_key, encryption_key.as_ref())
+      .await?;

    // Compute diff
    let diff = compute_diff(&local_manifest, remote_manifest.as_ref());
@@ -488,11 +554,29 @@ impl SyncEngine {
      .upload_profile_metadata(&profile_id, profile, &key_prefix)
      .await?;

+    // If we recovered from an empty local state (downloaded everything from remote),
+    // regenerate the manifest from the actual files now on disk so we don't
+    // overwrite the remote manifest with an empty one.
+    let final_manifest = if local_manifest.files.is_empty() && !diff.files_to_download.is_empty() {
+      let mut new_cache = HashCache::load(&cache_path);
+      let mut regenerated = generate_manifest(&profile_id, &profile_dir, &mut new_cache)?;
+      new_cache.save(&cache_path)?;
+      regenerated.encrypted = encryption_key.is_some();
+      regenerated
+    } else {
+      let mut m = local_manifest;
+      m.encrypted = encryption_key.is_some();
+      m
+    };
+
    // Upload manifest.json last for atomicity
-    let mut final_manifest = local_manifest;
-    final_manifest.encrypted = encryption_key.is_some();
    self
-      .upload_manifest(&profile_id, &final_manifest, &key_prefix)
+      .upload_manifest(
+        &profile_id,
+        &final_manifest,
+        encryption_key.as_ref(),
+        &key_prefix,
+      )
      .await?;

    // Sync completed successfully — clean up resume state
@@ -509,15 +593,35 @@ impl SyncEngine {
      let _ = self.sync_vpn(vpn_id, Some(app_handle)).await;
    }

-    // Update profile last_sync
-    let mut updated_profile = profile.clone();
-    updated_profile.last_sync = Some(
-      std::time::SystemTime::now()
-        .duration_since(std::time::UNIX_EPOCH)
-        .unwrap()
-        .as_secs(),
-    );
-    let _ = profile_manager.save_profile(&updated_profile);
+    // Download remote metadata and merge changes (name, tags, notes, etc.)
+    let remote_metadata_key = format!("{}profiles/{}/metadata.json", key_prefix, profile_id);
+    if let Ok(remote_meta) = self.download_profile_metadata(&remote_metadata_key).await {
+      let mut updated_profile = profile.clone();
+      // Merge fields that can be changed on other devices
+      updated_profile.name = remote_meta.name;
+      updated_profile.tags = remote_meta.tags;
+      updated_profile.note = remote_meta.note;
+      updated_profile.proxy_id = remote_meta.proxy_id;
+      updated_profile.vpn_id = remote_meta.vpn_id;
+      updated_profile.group_id = remote_meta.group_id;
+      updated_profile.last_sync = Some(
+        std::time::SystemTime::now()
+          .duration_since(std::time::UNIX_EPOCH)
+          .unwrap()
+          .as_secs(),
+      );
+      let _ = profile_manager.save_profile(&updated_profile);
+    } else {
+      // Fallback: just update last_sync
+      let mut updated_profile = profile.clone();
+      updated_profile.last_sync = Some(
+        std::time::SystemTime::now()
+          .duration_since(std::time::UNIX_EPOCH)
+          .unwrap()
+          .as_secs(),
+      );
+      let _ = profile_manager.save_profile(&updated_profile);
+    }
    let _ = events::emit("profiles-changed", ());

    let _ = events::emit(
@@ -533,7 +637,11 @@ impl SyncEngine {
    Ok(())
  }

-  async fn download_manifest(&self, key: &str) -> SyncResult<Option<SyncManifest>> {
+  async fn download_manifest(
+    &self,
+    key: &str,
+    encryption_key: Option<&[u8; 32]>,
+  ) -> SyncResult<Option<SyncManifest>> {
    let stat = self.client.stat(key).await?;
    if !stat.exists {
      return Ok(None);
@@ -542,35 +650,136 @@ impl SyncEngine {
    let presign = self.client.presign_download(key).await?;
    let data = self.client.download_bytes(&presign.url).await?;

-    let manifest: SyncManifest = serde_json::from_slice(&data)
-      .map_err(|e| SyncError::SerializationError(format!("Failed to parse manifest: {e}")))?;
+    // Try parsing as plaintext JSON first (unencrypted or backwards-compatible)
+    if let Ok(manifest) = serde_json::from_slice::<SyncManifest>(&data) {
+      return Ok(Some(manifest));
+    }

-    Ok(Some(manifest))
+    // If plaintext parse failed and we have an encryption key, try decrypting
+    if let Some(key) = encryption_key {
+      let decrypted = encryption::decrypt_bytes(key, &data)
+        .map_err(|e| SyncError::InvalidData(format!("Failed to decrypt manifest: {e}")))?;
+      let manifest: SyncManifest = serde_json::from_slice(&decrypted).map_err(|e| {
+        SyncError::SerializationError(format!("Failed to parse decrypted manifest: {e}"))
+      })?;
+      return Ok(Some(manifest));
+    }
+
+    Err(SyncError::SerializationError(
+      "Failed to parse manifest (not valid JSON and no encryption key available)".to_string(),
+    ))
  }

  async fn upload_manifest(
    &self,
    profile_id: &str,
    manifest: &SyncManifest,
+    encryption_key: Option<&[u8; 32]>,
    key_prefix: &str,
  ) -> SyncResult<()> {
    let json = serde_json::to_string_pretty(manifest)
      .map_err(|e| SyncError::SerializationError(format!("Failed to serialize manifest: {e}")))?;

+    let upload_data = if let Some(key) = encryption_key {
+      encryption::encrypt_bytes(key, json.as_bytes())
+        .map_err(|e| SyncError::InvalidData(format!("Failed to encrypt manifest: {e}")))?
+    } else {
+      json.into_bytes()
+    };
+
+    let content_type = if encryption_key.is_some() {
+      "application/octet-stream"
+    } else {
+      "application/json"
+    };
+
    let remote_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
    let presign = self
      .client
-      .presign_upload(&remote_key, Some("application/json"))
+      .presign_upload(&remote_key, Some(content_type))
      .await?;

    self
      .client
-      .upload_bytes(&presign.url, json.as_bytes(), Some("application/json"))
+      .upload_bytes(&presign.url, &upload_data, Some(content_type))
      .await?;

    Ok(())
  }

+  async fn download_profile_metadata(&self, key: &str) -> SyncResult<BrowserProfile> {
+    let stat = self.client.stat(key).await?;
+    if !stat.exists {
+      return Err(SyncError::InvalidData(
+        "Remote metadata not found".to_string(),
+      ));
+    }
+
+    let presign = self.client.presign_download(key).await?;
+    let data = self.client.download_bytes(&presign.url).await?;
+    let profile: BrowserProfile = serde_json::from_slice(&data)
+      .map_err(|e| SyncError::SerializationError(format!("Failed to parse metadata: {e}")))?;
+
+    Ok(profile)
+  }
+
+  /// Sync only metadata for cross-OS profiles (tags, notes, proxies, groups).
+  /// No browser files are synced.
+  async fn sync_cross_os_metadata(
+    &self,
+    app_handle: &tauri::AppHandle,
+    profile: &BrowserProfile,
+  ) -> SyncResult<()> {
+    let profile_id = profile.id.to_string();
+    let key_prefix = Self::get_team_key_prefix(profile).await;
+    let profile_manager = ProfileManager::instance();
+
+    // Upload our metadata
+    self
+      .upload_profile_metadata(&profile_id, profile, &key_prefix)
+      .await?;
+
+    // Download remote metadata and merge if remote has changes
+    let remote_metadata_key = format!("{}profiles/{}/metadata.json", key_prefix, profile_id);
+    if let Ok(remote_meta) = self.download_profile_metadata(&remote_metadata_key).await {
+      let mut updated = profile.clone();
+      updated.name = remote_meta.name;
+      updated.tags = remote_meta.tags;
+      updated.note = remote_meta.note;
+      updated.proxy_id = remote_meta.proxy_id;
+      updated.vpn_id = remote_meta.vpn_id;
+      updated.group_id = remote_meta.group_id;
+      updated.last_sync = Some(
+        std::time::SystemTime::now()
+          .duration_since(std::time::UNIX_EPOCH)
+          .unwrap()
+          .as_secs(),
+      );
+      let _ = profile_manager.save_profile(&updated);
+    }
+
+    // Sync associated entities
+    if let Some(proxy_id) = &profile.proxy_id {
+      let _ = self.sync_proxy(proxy_id, Some(app_handle)).await;
+    }
+    if let Some(group_id) = &profile.group_id {
+      let _ = self.sync_group(group_id, Some(app_handle)).await;
+    }
+
+    let _ = events::emit("profiles-changed", ());
+    let _ = events::emit(
+      "profile-sync-status",
+      serde_json::json!({
+        "profile_id": profile_id,
+        "profile_name": profile.name,
+        "status": "synced"
+      }),
+    );
+
+    log::info!("Cross-OS profile {} metadata synced", profile_id);
+    Ok(())
+  }
+
  async fn upload_profile_metadata(
    &self,
    profile_id: &str,
@@ -580,6 +789,7 @@ impl SyncEngine {
    let mut sanitized = profile.clone();
    sanitized.process_id = None;
    sanitized.last_launch = None;
+    sanitized.last_sync = None; // Avoid triggering sync loop on timestamp change

    let json = serde_json::to_string_pretty(&sanitized)
      .map_err(|e| SyncError::SerializationError(format!("Failed to serialize profile: {e}")))?;
@@ -2059,16 +2269,9 @@ impl SyncEngine {
      return Ok(true);
    }

-    // Download manifest
-    let manifest = self.download_manifest(&manifest_key).await?;
-    let Some(manifest) = manifest else {
-      return Err(SyncError::InvalidData(
-        "Remote manifest not found".to_string(),
-      ));
-    };
-
-    // If remote manifest is encrypted, we need the E2E password
-    let encryption_key = if manifest.encrypted {
+    // Derive encryption key before downloading manifest if profile uses encrypted sync.
+    // The manifest itself may be encrypted (new behavior) or plaintext (backwards compat).
+    let encryption_key = if profile.is_encrypted_sync() {
      let password = encryption::load_e2e_password()
        .map_err(|e| SyncError::InvalidData(format!("Failed to load E2E password: {e}")))?
        .ok_or_else(|| {
@@ -2087,6 +2290,16 @@ impl SyncEngine {
      None
    };

+    // Download manifest (may be encrypted for e2e profiles)
+    let manifest = self
+      .download_manifest(&manifest_key, encryption_key.as_ref())
+      .await?;
+    let Some(manifest) = manifest else {
+      return Err(SyncError::InvalidData(
+        "Remote manifest not found".to_string(),
+      ));
+    };
+
    // Ensure profile directory exists
    fs::create_dir_all(&profile_dir).map_err(|e| {
      SyncError::IoError(format!(
@@ -2125,6 +2338,53 @@ impl SyncEngine {
        .await?;
    }

+    // Verify critical files after download
+    let os_crypt_key_path = profile_dir.join("profile").join("os_crypt_key");
+    let cookies_path = {
+      let network = profile_dir
+        .join("profile")
+        .join("Default")
+        .join("Network")
+        .join("Cookies");
+      if network.exists() {
+        network
+      } else {
+        profile_dir.join("profile").join("Default").join("Cookies")
+      }
+    };
+    if os_crypt_key_path.exists() {
+      let key_data = fs::read(&os_crypt_key_path).unwrap_or_default();
+      log::info!(
+        "Profile {} sync: os_crypt_key present ({} bytes, sha256: {:x})",
+        profile_id,
+        key_data.len(),
+        {
+          use std::hash::{Hash, Hasher};
+          let mut h = std::collections::hash_map::DefaultHasher::new();
+          key_data.hash(&mut h);
+          h.finish()
+        }
+      );
+    } else {
+      log::warn!(
+        "Profile {} sync: os_crypt_key NOT FOUND after download",
+        profile_id
+      );
+    }
+    if cookies_path.exists() {
+      let cookies_meta = fs::metadata(&cookies_path).unwrap_or_else(|_| fs::metadata(".").unwrap());
+      log::info!(
+        "Profile {} sync: Cookies present ({} bytes)",
+        profile_id,
+        cookies_meta.len()
+      );
+    } else {
+      log::warn!(
+        "Profile {} sync: Cookies NOT FOUND after download",
+        profile_id
+      );
+    }
+
    // Set sync mode and save profile
    if profile.sync_mode == SyncMode::Disabled {
      profile.sync_mode = if manifest.encrypted {
@@ -2165,14 +2425,14 @@ impl SyncEngine {
  ) -> SyncResult<Vec<String>> {
    log::info!("Checking for missing synced profiles...");

-    // List personal profiles from S3
-    let list_response = self.client.list("profiles/").await?;
+    // List all personal profiles from S3 (paginated)
+    let all_objects = self.client.list_all("profiles/").await?;

    let mut downloaded: Vec<String> = Vec::new();

    // Extract unique profile IDs with their key prefix
    let mut profiles_to_check: HashMap<String, String> = HashMap::new();
-    for obj in list_response.objects {
+    for obj in all_objects {
      if obj.key.starts_with("profiles/") && obj.key.ends_with("/manifest.json") {
        if let Some(profile_id) = obj
          .key
@@ -2189,8 +2449,8 @@ impl SyncEngine {
      if let Some(team_id) = &auth.user.team_id {
        let team_prefix = format!("teams/{}/", team_id);
        let team_list_key = format!("{}profiles/", team_prefix);
-        if let Ok(team_list) = self.client.list(&team_list_key).await {
-          for obj in team_list.objects {
+        if let Ok(team_objects) = self.client.list_all(&team_list_key).await {
+          for obj in team_objects {
            if obj.key.starts_with("profiles/") && obj.key.ends_with("/manifest.json") {
              if let Some(profile_id) = obj
                .key
@@ -2238,6 +2498,54 @@ impl SyncEngine {
      log::info!("No missing profiles found");
    }

+    // Delete local synced profiles that have a remote tombstone (deleted on another device)
+    {
+      let profile_manager = ProfileManager::instance();
+      let local_synced: Vec<(String, Option<String>)> = profile_manager
+        .list_profiles()
+        .unwrap_or_default()
+        .iter()
+        .filter(|p| p.is_sync_enabled())
+        .map(|p| (p.id.to_string(), p.created_by_id.clone()))
+        .collect();
+
+      let team_prefix = if let Some(auth) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+        auth.user.team_id.map(|tid| format!("teams/{}/", tid))
+      } else {
+        None
+      };
+
+      for (pid, created_by_id) in &local_synced {
+        // Check personal tombstone
+        let personal_tombstone = format!("tombstones/profiles/{}.json", pid);
+        let has_personal_tombstone = matches!(
+          self.client.stat(&personal_tombstone).await,
+          Ok(stat) if stat.exists
+        );
+
+        // Check team tombstone
+        let has_team_tombstone = if let (Some(tp), Some(_)) = (&team_prefix, created_by_id) {
+          let team_tombstone = format!("{}tombstones/profiles/{}.json", tp, pid);
+          matches!(
+            self.client.stat(&team_tombstone).await,
+            Ok(stat) if stat.exists
+          )
+        } else {
+          false
+        };
+
+        if has_personal_tombstone || has_team_tombstone {
+          log::info!(
+            "Profile {} has remote tombstone, deleting locally (deleted on another device)",
+            pid
+          );
+          if let Err(e) = profile_manager.delete_profile_local_only(pid) {
+            log::warn!("Failed to delete tombstoned profile {}: {}", pid, e);
+          }
+        }
+      }
+    }
+
    // Refresh metadata for local cross-OS profiles (propagate renames, tags, notes from originating device)
    let profile_manager = ProfileManager::instance();
    // Collect cross-OS profiles before async operations to avoid holding non-Send Result across await
@@ -2608,15 +2916,8 @@ pub async fn set_profile_sync_mode(
    }
  }

-  // If switching to Encrypted, verify eligibility, password, and generate salt
+  // If switching to Encrypted, verify password is set and generate salt
  if new_mode == SyncMode::Encrypted {
-    // Only pro users and team owners can enable encryption
-    if let Some(state) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
-      if state.user.plan == "team" && state.user.team_role.as_deref() != Some("owner") {
-        return Err("Profile encryption is available for Pro users and team owners.".to_string());
-      }
-    }
-
    if !encryption::has_e2e_password() {
      return Err("E2E password not set. Please set a password in Settings first.".to_string());
    }
@@ -3341,3 +3642,138 @@ pub async fn set_extension_group_sync_enabled(

  Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_checkpoint_sqlite_wal_files() {
+    let temp_dir = tempfile::TempDir::new().unwrap();
+    let db_path = temp_dir.path().join("test.db");
+
+    // Create a SQLite database in WAL mode and insert data.
+    // Use std::mem::forget to prevent the connection destructor from running,
+    // which simulates a browser crash where WAL is not checkpointed.
+    {
+      let conn = rusqlite::Connection::open(&db_path).unwrap();
+      conn.pragma_update(None, "journal_mode", "WAL").unwrap();
+      conn.pragma_update(None, "wal_autocheckpoint", "0").unwrap();
+      conn
+        .execute(
+          "CREATE TABLE cookies (id INTEGER PRIMARY KEY, value TEXT)",
+          [],
+        )
+        .unwrap();
+      conn
+        .execute(
+          "INSERT INTO cookies (value) VALUES ('session_token_123')",
+          [],
+        )
+        .unwrap();
+      // Leak the connection to prevent auto-checkpoint on drop
+      std::mem::forget(conn);
+    }
+
+    // Verify WAL file exists and has data
+    let wal_path = temp_dir.path().join("test.db-wal");
+    assert!(wal_path.exists(), "WAL file should exist");
+    let wal_size = fs::metadata(&wal_path).unwrap().len();
+    assert!(wal_size > 0, "WAL file should be non-empty");
+
+    // Run checkpoint
+    checkpoint_sqlite_wal_files(temp_dir.path());
+
+    // After checkpoint, WAL should be truncated (empty)
+    let wal_size_after = fs::metadata(&wal_path).map(|m| m.len()).unwrap_or(0);
+    assert_eq!(
+      wal_size_after, 0,
+      "WAL should be truncated after checkpoint"
+    );
+
+    // Verify data is still accessible from the main database
+    let conn = rusqlite::Connection::open(&db_path).unwrap();
+    let value: String = conn
+      .query_row("SELECT value FROM cookies WHERE id = 1", [], |row| {
+        row.get(0)
+      })
+      .unwrap();
+    assert_eq!(value, "session_token_123");
+  }
+
+  #[test]
+  fn test_checkpoint_handles_missing_db() {
+    let temp_dir = tempfile::TempDir::new().unwrap();
+
+    // Create a WAL file without a corresponding database
+    let wal_path = temp_dir.path().join("missing.db-wal");
+    fs::write(&wal_path, b"fake wal data").unwrap();
+
+    // Should not panic
+    checkpoint_sqlite_wal_files(temp_dir.path());
+  }
+
+  #[test]
+  fn test_checkpoint_skips_empty_wal() {
+    let temp_dir = tempfile::TempDir::new().unwrap();
+    let db_path = temp_dir.path().join("test.db");
+
+    // Create a database and checkpoint immediately (WAL is empty)
+    {
+      let conn = rusqlite::Connection::open(&db_path).unwrap();
+      conn.pragma_update(None, "journal_mode", "WAL").unwrap();
+      conn
+        .execute("CREATE TABLE t (id INTEGER PRIMARY KEY)", [])
+        .unwrap();
+    }
+
+    // Create an empty WAL file
+    let wal_path = temp_dir.path().join("test.db-wal");
+    fs::write(&wal_path, b"").unwrap();
+
+    // Should skip empty WAL without error
+    checkpoint_sqlite_wal_files(temp_dir.path());
+  }
+
+  #[test]
+  fn test_checkpoint_nested_directories() {
+    let temp_dir = tempfile::TempDir::new().unwrap();
+    let nested_dir = temp_dir.path().join("profile").join("Default");
+    fs::create_dir_all(&nested_dir).unwrap();
+
+    let db_path = nested_dir.join("Cookies");
+
+    // Create a database with WAL data, leak connection to simulate crash
+    {
+      let conn = rusqlite::Connection::open(&db_path).unwrap();
+      conn.pragma_update(None, "journal_mode", "WAL").unwrap();
+      conn.pragma_update(None, "wal_autocheckpoint", "0").unwrap();
+      conn
+        .execute(
+          "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT)",
+          [],
+        )
+        .unwrap();
+      conn
+        .execute(
+          "INSERT INTO cookies VALUES ('.example.com', 'session', 'abc')",
+          [],
+        )
+        .unwrap();
+      std::mem::forget(conn);
+    }
+
+    let wal_path = nested_dir.join("Cookies-wal");
+    assert!(wal_path.exists());
+
+    // Checkpoint from the top-level directory
+    checkpoint_sqlite_wal_files(temp_dir.path());
+
+    // Verify data is in the main database
+    let conn = rusqlite::Connection::open(&db_path).unwrap();
+    let count: i64 = conn
+      .query_row("SELECT COUNT(*) FROM cookies", [], |row| row.get(0))
+      .unwrap();
+    assert_eq!(count, 1);
+  }
+}
@@ -8,12 +8,12 @@ use std::path::Path;
 use std::time::SystemTime;

 use super::types::{SyncError, SyncResult};
+use crate::profile::types::BrowserProfile;

 /// Default exclude patterns for volatile browser profile files.
 /// Patterns use `**/` prefix to match at any directory depth, since the sync
 /// engine scans from `profiles/{uuid}/` which contains `profile/Default/...`.
 pub const DEFAULT_EXCLUDE_PATTERNS: &[&str] = &[
-  // Chromium caches (re-downloadable / re-generated)
  "**/Cache/**",
  "**/Code Cache/**",
  "**/GPUCache/**",
@@ -23,7 +23,6 @@ pub const DEFAULT_EXCLUDE_PATTERNS: &[&str] = &[
  "**/DawnGraphiteCache/**",
  "**/Service Worker/CacheStorage/**",
  "**/Service Worker/ScriptCache/**",
-  // Chromium transient / volatile data
  "**/Session Storage/**",
  "**/blob_storage/**",
  "**/Crashpad/**",
@@ -32,21 +31,26 @@ pub const DEFAULT_EXCLUDE_PATTERNS: &[&str] = &[
  "**/optimization_guide_model_store/**",
  "**/Safe Browsing/**",
  "**/component_crx_cache/**",
-  // Firefox/Camoufox caches (re-downloadable / re-generated)
  "**/cache2/**",
  "**/startupCache/**",
  "**/safebrowsing/**",
  "**/storage/temporary/**",
  "**/crashes/**",
  "**/minidumps/**",
-  // Common volatile files
-  "*.log",
  "*.tmp",
  "**/LOG",
  "**/LOG.old",
  "**/LOCK",
  "**/*-journal",
  "**/*-wal",
+  "**/SingletonLock",
+  "**/SingletonSocket",
+  "**/SingletonCookie",
+  "**/Secure Preferences",
+  "**/GraphiteDawnCache/**",
+  "**/DawnWebGPUCache/**",
+  "**/BrowserMetrics*",
+  "**/.DS_Store",
  ".donut-sync/**",
 ];

@@ -206,6 +210,39 @@ fn hash_file(path: &Path) -> Result<Option<String>, SyncError> {
  Ok(Some(hasher.finalize().to_hex().to_string()))
 }

+/// Compute blake3 hash of metadata.json after sanitizing volatile fields.
+/// This prevents infinite sync loops where updating last_sync triggers a new sync.
+fn hash_sanitized_metadata(path: &Path) -> Result<Option<String>, SyncError> {
+  let content = match fs::read_to_string(path) {
+    Ok(c) => c,
+    Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(None),
+    Err(e) => {
+      return Err(SyncError::IoError(format!(
+        "Failed to read metadata at {}: {e}",
+        path.display()
+      )));
+    }
+  };
+
+  let mut profile: BrowserProfile = serde_json::from_str(&content).map_err(|e| {
+    SyncError::SerializationError(format!("Failed to parse metadata for hashing: {e}"))
+  })?;
+
+  // Sanitize volatile fields that should not trigger a re-sync
+  profile.last_sync = None;
+  profile.process_id = None;
+  profile.last_launch = None;
+
+  let sanitized_json = serde_json::to_string(&profile).map_err(|e| {
+    SyncError::SerializationError(format!("Failed to serialize sanitized metadata: {e}"))
+  })?;
+
+  let mut hasher = blake3::Hasher::new();
+  hasher.update(sanitized_json.as_bytes());
+
+  Ok(Some(hasher.finalize().to_hex().to_string()))
+}
+
 /// Get mtime as unix timestamp
 /// Returns None if the file doesn't exist (was deleted)
 fn get_mtime(path: &Path) -> Result<Option<i64>, SyncError> {
@@ -321,7 +358,19 @@ pub fn generate_manifest(
        *max_mtime = (*max_mtime).max(mtime);

        // Check cache for existing hash
-        let hash = if let Some(cached_hash) = cache.get(&relative_path, size, mtime) {
+        let hash = if relative_path == "metadata.json" {
+          // Special case: sanitize metadata.json before hashing to prevent sync loops
+          match hash_sanitized_metadata(&path)? {
+            Some(computed_hash) => computed_hash,
+            None => {
+              log::debug!(
+                "File disappeared during manifest generation, skipping: {}",
+                path.display()
+              );
+              continue;
+            }
+          }
+        } else if let Some(cached_hash) = cache.get(&relative_path, size, mtime) {
          cached_hash.to_string()
        } else {
          match hash_file(&path)? {
@@ -408,6 +457,19 @@ pub fn compute_diff(local: &SyncManifest, remote: Option<&SyncManifest>) -> Mani
  let remote_files: HashMap<&str, &ManifestFileEntry> =
    remote.files.iter().map(|f| (f.path.as_str(), f)).collect();

+  // Safety: if local is empty but remote has files, always download from remote.
+  // This prevents data loss when profile data files are deleted but metadata
+  // survives — the newly generated manifest would have updated_at=NOW, which
+  // would appear "newer" and cause all remote files to be deleted.
+  if local.files.is_empty() && !remote.files.is_empty() {
+    log::info!(
+      "Local manifest is empty but remote has {} files — downloading from remote to recover",
+      remote.files.len()
+    );
+    diff.files_to_download = remote.files.clone();
+    return diff;
+  }
+
  // Compare timestamps to determine direction
  let local_updated = local.updated_at_datetime();
  let remote_updated = remote.updated_at_datetime();
@@ -576,7 +638,12 @@ mod tests {
    fs::write(profile_dir.join("profile/Crashpad/report"), "exclude").unwrap();

    // metadata.json at root
-    fs::write(profile_dir.join("metadata.json"), "keep").unwrap();
+    let profile = BrowserProfile::default();
+    fs::write(
+      profile_dir.join("metadata.json"),
+      serde_json::to_string(&profile).unwrap(),
+    )
+    .unwrap();

    let mut cache = HashCache::default();
    let manifest = generate_manifest("test-profile", &profile_dir, &mut cache).unwrap();
@@ -738,4 +805,131 @@ mod tests {
    let deserialized: SyncManifest = serde_json::from_str(&serialized).unwrap();
    assert!(deserialized.encrypted);
  }
+
+  #[test]
+  fn test_compute_diff_empty_local_downloads_from_remote() {
+    // When local has no files but remote does, always download from remote.
+    // This prevents data loss when profile data is deleted but metadata survives.
+    let local = SyncManifest {
+      version: 1,
+      profile_id: "test".to_string(),
+      generated_at: Utc::now().to_rfc3339(),
+      updated_at: Utc::now().to_rfc3339(), // NOW — appears newer than remote
+      exclude_globs: vec![],
+      files: vec![],
+      encrypted: false,
+    };
+
+    let remote = SyncManifest {
+      version: 1,
+      profile_id: "test".to_string(),
+      generated_at: "2024-01-01T00:00:00Z".to_string(),
+      updated_at: "2024-01-01T00:00:00Z".to_string(),
+      exclude_globs: vec![],
+      files: vec![
+        ManifestFileEntry {
+          path: "Cookies".to_string(),
+          size: 100,
+          mtime: 1000,
+          hash: "abc".to_string(),
+        },
+        ManifestFileEntry {
+          path: "Local State".to_string(),
+          size: 200,
+          mtime: 1000,
+          hash: "def".to_string(),
+        },
+      ],
+      encrypted: false,
+    };
+
+    let diff = compute_diff(&local, Some(&remote));
+
+    // Must download all remote files, NOT delete them
+    assert_eq!(diff.files_to_download.len(), 2);
+    assert!(diff.files_to_upload.is_empty());
+    assert!(diff.files_to_delete_remote.is_empty());
+    assert!(diff.files_to_delete_local.is_empty());
+  }
+
+  #[test]
+  fn test_generate_manifest_sanitizes_metadata() {
+    let temp_dir = TempDir::new().unwrap();
+    let profile_dir = temp_dir.path().join("profile");
+    fs::create_dir_all(&profile_dir).unwrap();
+
+    let profile_id = uuid::Uuid::new_v4();
+    let metadata_path = profile_dir.join("metadata.json");
+
+    let profile = BrowserProfile {
+      id: profile_id,
+      name: "test-profile".to_string(),
+      last_sync: Some(100),
+      process_id: Some(1234),
+      ..Default::default()
+    };
+
+    fs::write(&metadata_path, serde_json::to_string(&profile).unwrap()).unwrap();
+
+    let mut cache = HashCache::default();
+    let manifest1 = generate_manifest(&profile_id.to_string(), &profile_dir, &mut cache).unwrap();
+    let hash1 = manifest1
+      .files
+      .iter()
+      .find(|f| f.path == "metadata.json")
+      .unwrap()
+      .hash
+      .clone();
+
+    // Update volatile fields
+    let profile2 = BrowserProfile {
+      id: profile_id,
+      name: "test-profile".to_string(),
+      last_sync: Some(200),
+      process_id: Some(5678),
+      ..Default::default()
+    };
+
+    fs::write(&metadata_path, serde_json::to_string(&profile2).unwrap()).unwrap();
+
+    let manifest2 = generate_manifest(&profile_id.to_string(), &profile_dir, &mut cache).unwrap();
+    let hash2 = manifest2
+      .files
+      .iter()
+      .find(|f| f.path == "metadata.json")
+      .unwrap()
+      .hash
+      .clone();
+
+    // Hash should be identical because volatile fields are sanitized
+    assert_eq!(
+      hash1, hash2,
+      "Metadata hash should be stable across last_sync/process_id updates"
+    );
+
+    // Change a non-volatile field
+    let profile3 = BrowserProfile {
+      id: profile_id,
+      name: "changed-name".to_string(),
+      last_sync: Some(200),
+      ..Default::default()
+    };
+
+    fs::write(&metadata_path, serde_json::to_string(&profile3).unwrap()).unwrap();
+
+    let manifest3 = generate_manifest(&profile_id.to_string(), &profile_dir, &mut cache).unwrap();
+    let hash3 = manifest3
+      .files
+      .iter()
+      .find(|f| f.path == "metadata.json")
+      .unwrap()
+      .hash
+      .clone();
+
+    // Hash should be different because name changed
+    assert_ne!(
+      hash1, hash3,
+      "Metadata hash should change when non-volatile fields change"
+    );
+  }
 }
--- a/Show More
+++ b/Show More