test: remove https tests

.github/workflows/issue-validation.yml

@@ -74,7 +74,6 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Check if first-time contributor
         id: check-first-time

.github/workflows/release.yml

@@ -273,10 +273,10 @@ jobs:
           R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
         run: |
           mkdir -p /tmp/repo
-          aws s3 sync "s3://${R2_BUCKET}/dists" /tmp/repo/dists \
-            --endpoint-url "${R2_ENDPOINT}" --delete 2>/dev/null || true
-          aws s3 sync "s3://${R2_BUCKET}/repodata" /tmp/repo/repodata \
-            --endpoint-url "${R2_ENDPOINT}" --delete 2>/dev/null || true
+          aws s3 cp "s3://${R2_BUCKET}/dists" /tmp/repo/dists \
+            --endpoint-url "${R2_ENDPOINT}" --recursive 2>/dev/null || true
+          aws s3 cp "s3://${R2_BUCKET}/repodata" /tmp/repo/repodata \
+            --endpoint-url "${R2_ENDPOINT}" --recursive 2>/dev/null || true
 
       - name: Generate repository with repogen
         run: |
@@ -299,14 +299,14 @@ jobs:
           R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
           R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
         run: |
-          aws s3 sync /tmp/repo/dists "s3://${R2_BUCKET}/dists" \
-            --endpoint-url "${R2_ENDPOINT}" --delete
-          aws s3 sync /tmp/repo/pool "s3://${R2_BUCKET}/pool" \
-            --endpoint-url "${R2_ENDPOINT}"
-          aws s3 sync /tmp/repo/repodata "s3://${R2_BUCKET}/repodata" \
-            --endpoint-url "${R2_ENDPOINT}" --delete
-          aws s3 sync /tmp/repo/Packages "s3://${R2_BUCKET}/Packages" \
-            --endpoint-url "${R2_ENDPOINT}"
+          aws s3 cp /tmp/repo/dists "s3://${R2_BUCKET}/dists" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+          aws s3 cp /tmp/repo/pool "s3://${R2_BUCKET}/pool" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+          aws s3 cp /tmp/repo/repodata "s3://${R2_BUCKET}/repodata" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
+          aws s3 cp /tmp/repo/Packages "s3://${R2_BUCKET}/Packages" \
+            --endpoint-url "${R2_ENDPOINT}" --recursive
 
       - name: Verify upload
         env:
@@ -317,6 +317,6 @@ jobs:
           R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
         run: |
           echo "DEB repo:"
-          aws s3 ls "s3://${R2_BUCKET}/dists/stable/" --endpoint-url "${R2_ENDPOINT}"
+          aws s3 ls "s3://${R2_BUCKET}/dists/stable/" --endpoint-url "${R2_ENDPOINT}" || echo "  (listing not available)"
           echo "RPM repo:"
-          aws s3 ls "s3://${R2_BUCKET}/repodata/" --endpoint-url "${R2_ENDPOINT}"
+          aws s3 ls "s3://${R2_BUCKET}/repodata/" --endpoint-url "${R2_ENDPOINT}" || echo "  (listing not available)"

.husky/pre-push

@@ -0,0 +1,10 @@
+# Prevent pushing the 'nightly' tag — it is managed by CI
+if git rev-parse nightly >/dev/null 2>&1; then
+  LOCAL_NIGHTLY=$(git rev-parse nightly)
+  REMOTE_NIGHTLY=$(git ls-remote --tags origin refs/tags/nightly 2>/dev/null | awk '{print $1}')
+  if [ -n "$REMOTE_NIGHTLY" ] && [ "$LOCAL_NIGHTLY" != "$REMOTE_NIGHTLY" ]; then
+    echo "⚠ Skipping push of 'nightly' tag (managed by CI)"
+    # Delete the local nightly tag so --tags won't try to push it
+    git tag -d nightly >/dev/null 2>&1 || true
+  fi
+fi

package.json

@@ -2,7 +2,7 @@
   "name": "donutbrowser",
   "private": true,
   "license": "AGPL-3.0",
-  "version": "0.16.1",
+  "version": "0.17.1",
   "type": "module",
   "scripts": {
     "dev": "next dev --turbopack -p 12341",

src-tauri/Cargo.lock

@@ -843,15 +843,6 @@ dependencies = [
  "bzip2-sys",
 ]
 
-[[package]]
-name = "bzip2"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3a53fac24f34a81bc9954b5d6cfce0c21e18ec6959f44f56e8e90e4bb7c346c"
-dependencies = [
- "libbz2-rs-sys",
-]
-
 [[package]]
 name = "bzip2-sys"
 version = "0.1.13+1.0.8"
@@ -1726,7 +1717,7 @@ dependencies = [
 
 [[package]]
 name = "donutbrowser"
-version = "0.16.1"
+version = "0.17.1"
 dependencies = [
  "aes",
  "aes-gcm",
@@ -1737,7 +1728,7 @@ dependencies = [
  "base64 0.22.1",
  "blake3",
  "boringtun",
- "bzip2 0.6.1",
+ "bzip2",
  "cbc",
  "chrono",
  "chrono-tz",
@@ -3495,12 +3486,6 @@ dependencies = [
  "once_cell",
 ]
 
-[[package]]
-name = "libbz2-rs-sys"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c4a545a15244c7d945065b5d392b2d2d7f21526fba56ce51467b06ed445e8f7"
-
 [[package]]
 name = "libc"
 version = "0.2.183"
@@ -9038,7 +9023,7 @@ checksum = "fabe6324e908f85a1c52063ce7aa26b68dcb7eb6dbc83a2d148403c9bc3eba50"
 dependencies = [
  "aes",
  "arbitrary",
- "bzip2 0.5.2",
+ "bzip2",
  "constant_time_eq 0.3.1",
  "crc32fast",
  "crossbeam-utils",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.16.1"
+version = "0.17.1"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"

src-tauri/src/browser_runner.rs

@@ -2157,11 +2157,14 @@ impl BrowserRunner {
       .find(|p| p.id.to_string() == profile_id)
       .ok_or_else(|| format!("Profile '{profile_id}' not found"))?;
 
-    if profile.is_cross_os() {
+    if profile.is_cross_os()
+      && !crate::cloud_auth::CLOUD_AUTH
+        .is_fingerprint_os_allowed(profile.host_os.as_deref())
+        .await
+    {
       return Err(format!(
-        "Cannot open URL with profile '{}': it was created on {} and is not supported on this system",
+        "Cannot open URL with profile '{}': cross-OS fingerprints require a paid subscription",
         profile.name,
-        profile.host_os.as_deref().unwrap_or("unknown")
       ));
     }
 
@@ -2193,11 +2196,14 @@ pub async fn launch_browser_profile(
     profile.id
   );
 
-  if profile.is_cross_os() {
+  if profile.is_cross_os()
+    && !crate::cloud_auth::CLOUD_AUTH
+      .is_fingerprint_os_allowed(profile.host_os.as_deref())
+      .await
+  {
     return Err(format!(
-      "Cannot launch profile '{}': it was created on {} and is not supported on this system",
+      "Cannot launch profile '{}': cross-OS fingerprints require a paid subscription",
       profile.name,
-      profile.host_os.as_deref().unwrap_or("unknown")
     ));
   }
 
@@ -2510,11 +2516,14 @@ pub async fn launch_browser_profile_with_debugging(
   remote_debugging_port: Option<u16>,
   headless: bool,
 ) -> Result<BrowserProfile, String> {
-  if profile.is_cross_os() {
+  if profile.is_cross_os()
+    && !crate::cloud_auth::CLOUD_AUTH
+      .is_fingerprint_os_allowed(profile.host_os.as_deref())
+      .await
+  {
     return Err(format!(
-      "Cannot launch profile '{}': it was created on {} and is not supported on this system",
+      "Cannot launch profile '{}': cross-OS fingerprints require a paid subscription",
       profile.name,
-      profile.host_os.as_deref().unwrap_or("unknown")
     ));
   }
 

src-tauri/src/downloader.rs

@@ -308,12 +308,40 @@ impl Downloader {
       .resolve_download_url(browser_type.clone(), version, download_info)
       .await?;
 
-    // Determine if we have a partial file to resume
+    // Check existing file size — if it matches the expected size, skip download
     let mut existing_size: u64 = 0;
     if let Ok(meta) = std::fs::metadata(&file_path) {
       existing_size = meta.len();
     }
 
+    // Do a HEAD request to get the expected file size for skip/resume decisions
+    let head_response = self
+      .client
+      .head(&download_url)
+      .header(
+        "User-Agent",
+        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
+      )
+      .send()
+      .await
+      .ok();
+
+    let expected_size = head_response.as_ref().and_then(|r| r.content_length());
+
+    // If existing file matches expected size, skip download entirely
+    if existing_size > 0 {
+      if let Some(expected) = expected_size {
+        if existing_size == expected {
+          log::info!(
+            "Archive {} already exists with correct size ({} bytes), skipping download",
+            file_path.display(),
+            existing_size
+          );
+          return Ok(file_path);
+        }
+      }
+    }
+
     // Build request, add Range only if we have bytes. If the server responds with 416 (Range Not
     // Satisfiable), delete the partial file and retry once without the Range header.
     let response = {
@@ -683,11 +711,16 @@ impl Downloader {
           // Do not remove the archive here. We keep it until verification succeeds.
         }
         Err(e) => {
-          // Do not remove the archive or extracted files. Just drop the registry entry
-          // so it won't be reported as downloaded.
+          log::error!("Extraction failed for {browser_str} {version}: {e}");
+
+          // Delete the corrupt/invalid archive so a fresh download happens next time
+          if download_path.exists() {
+            log::info!("Deleting corrupt archive: {}", download_path.display());
+            let _ = std::fs::remove_file(&download_path);
+          }
+
           let _ = self.registry.remove_browser(&browser_str, &version);
           let _ = self.registry.save();
-          // Remove browser-version pair from downloading set on error
           {
             let mut downloading = DOWNLOADING_BROWSERS.lock().unwrap();
             downloading.remove(&download_key);
@@ -696,6 +729,20 @@ impl Downloader {
             let mut tokens = DOWNLOAD_CANCELLATION_TOKENS.lock().unwrap();
             tokens.remove(&download_key);
           }
+
+          // Emit error stage so the UI shows a toast
+          let progress = DownloadProgress {
+            browser: browser_str.clone(),
+            version: version.clone(),
+            downloaded_bytes: 0,
+            total_bytes: None,
+            percentage: 0.0,
+            speed_bytes_per_sec: 0.0,
+            eta_seconds: None,
+            stage: "error".to_string(),
+          };
+          let _ = events::emit("download-progress", &progress);
+
           return Err(format!("Failed to extract browser: {e}").into());
         }
       }

src-tauri/src/extraction.rs

@@ -7,7 +7,7 @@ use crate::downloader::DownloadProgress;
 use crate::events;
 
 #[cfg(target_os = "macos")]
-use std::process::Command;
+use tokio::process::Command;
 
 #[cfg(target_os = "macos")]
 use std::fs::create_dir_all;
@@ -232,17 +232,8 @@ impl Extractor {
     &self,
     file_path: &Path,
   ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
-    // First check file extension for DMG files since they're common on macOS
-    // and can have misleading magic numbers
-    if let Some(ext) = file_path.extension().and_then(|ext| ext.to_str()) {
-      if ext.to_lowercase() == "dmg" {
-        return Ok("dmg".to_string());
-      }
-      if ext.to_lowercase() == "msi" {
-        return Ok("msi".to_string());
-      }
-    }
-
+    // Always check magic bytes first — the file extension may be wrong
+    // (e.g. CDN serving a ZIP with .dmg extension)
     let mut file = File::open(file_path)?;
     let mut buffer = [0u8; 12]; // Read first 12 bytes for magic number detection
     file.read_exact(&mut buffer)?;
@@ -357,16 +348,20 @@ impl Extractor {
       .args([
         "attach",
         "-nobrowse",
+        "-noverify",
+        "-noautoopen",
         "-mountpoint",
         mount_point.to_str().unwrap(),
         dmg_path.to_str().unwrap(),
       ])
-      .output()?;
+      .stdin(std::process::Stdio::null())
+      .output()
+      .await?;
 
     if !output.status.success() {
       let stderr = String::from_utf8_lossy(&output.stderr);
       let stdout = String::from_utf8_lossy(&output.stdout);
-      log::info!("Failed to mount DMG. stdout: {stdout}, stderr: {stderr}");
+      log::error!("Failed to mount DMG. stdout: {stdout}, stderr: {stderr}");
 
       // Clean up mount point before returning error
       let _ = fs::remove_dir_all(&mount_point);
@@ -382,12 +377,13 @@ impl Extractor {
     let app_entry = match app_result {
       Ok(app_path) => app_path,
       Err(e) => {
-        log::info!("Failed to find .app in mount point: {e}");
+        log::error!("Failed to find .app in mount point: {e}");
 
         // Try to unmount before returning error
         let _ = Command::new("hdiutil")
           .args(["detach", "-force", mount_point.to_str().unwrap()])
-          .output();
+          .output()
+          .await;
         let _ = fs::remove_dir_all(&mount_point);
 
         return Err("No .app found after extraction".into());
@@ -407,16 +403,18 @@ impl Extractor {
         app_entry.to_str().unwrap(),
         app_path.to_str().unwrap(),
       ])
-      .output()?;
+      .output()
+      .await?;
 
     if !output.status.success() {
       let stderr = String::from_utf8_lossy(&output.stderr);
-      log::info!("Failed to copy app: {stderr}");
+      log::error!("Failed to copy app: {stderr}");
 
       // Unmount before returning error
       let _ = Command::new("hdiutil")
         .args(["detach", "-force", mount_point.to_str().unwrap()])
-        .output();
+        .output()
+        .await;
       let _ = fs::remove_dir_all(&mount_point);
 
       return Err(format!("Failed to copy app: {stderr}").into());
@@ -427,18 +425,21 @@ impl Extractor {
     // Remove quarantine attributes
     let _ = Command::new("xattr")
       .args(["-dr", "com.apple.quarantine", app_path.to_str().unwrap()])
-      .output();
+      .output()
+      .await;
 
     let _ = Command::new("xattr")
       .args(["-cr", app_path.to_str().unwrap()])
-      .output();
+      .output()
+      .await;
 
     log::info!("Removed quarantine attributes");
 
     // Unmount the DMG
     let output = Command::new("hdiutil")
       .args(["detach", mount_point.to_str().unwrap()])
-      .output()?;
+      .output()
+      .await?;
 
     if !output.status.success() {
       let stderr = String::from_utf8_lossy(&output.stderr);

src-tauri/src/geoip_downloader.rs

@@ -174,6 +174,13 @@ impl GeoIPDownloader {
 
     let mmdb_path = Self::get_mmdb_file_path()?;
 
+    // Always download to a temp file first, then atomically rename.
+    // This prevents corruption if the app is closed mid-download.
+    let temp_path = mmdb_path.with_extension("mmdb.downloading");
+
+    // Remove any leftover temp file from a previous interrupted download
+    let _ = fs::remove_file(&temp_path).await;
+
     // Download the file
     let response = self.client.get(&download_url).send().await?;
 
@@ -189,7 +196,7 @@ impl GeoIPDownloader {
 
     let total_size = response.content_length().unwrap_or(0);
     let mut downloaded: u64 = 0;
-    let mut file = fs::File::create(&mmdb_path).await?;
+    let mut file = fs::File::create(&temp_path).await?;
     let mut stream = response.bytes_stream();
 
     use futures_util::StreamExt;
@@ -237,6 +244,10 @@ impl GeoIPDownloader {
     }
 
     file.flush().await?;
+    drop(file);
+
+    // Atomically replace the old database with the new one
+    fs::rename(&temp_path, &mmdb_path).await?;
 
     // Write download timestamp
     let timestamp_path = Self::get_timestamp_path();

src-tauri/src/lib.rs

@@ -293,9 +293,17 @@ async fn fetch_dynamic_proxy(
   url: String,
   format: String,
 ) -> Result<crate::browser::ProxySettings, String> {
-  crate::proxy_manager::PROXY_MANAGER
+  let settings = crate::proxy_manager::PROXY_MANAGER
     .fetch_dynamic_proxy(&url, &format)
+    .await?;
+
+  // Validate the proxy actually works by routing through a temporary local proxy
+  crate::proxy_manager::PROXY_MANAGER
+    .check_proxy_validity("_dynamic_test", &settings)
     .await
+    .map_err(|e| format!("Proxy resolved but connection failed: {e}"))?;
+
+  Ok(settings)
 }
 
 #[tauri::command]

src-tauri/src/proxy_manager.rs

@@ -928,19 +928,33 @@ impl ProxyManager {
     url
   }
 
-  // Check if a proxy is valid by making HTTP requests through it
+  // Check if a proxy is valid by routing through a temporary local donut-proxy.
+  // This tests the exact same code path the browser uses, ensuring that if the
+  // check passes, the browser connection will work too.
   pub async fn check_proxy_validity(
     &self,
     proxy_id: &str,
     proxy_settings: &ProxySettings,
   ) -> Result<ProxyCheckResult, String> {
-    let proxy_url = Self::build_proxy_url(proxy_settings);
+    let upstream_url = Self::build_proxy_url(proxy_settings);
 
-    // Fetch public IP through the proxy using shared IP utilities
-    let ip = match ip_utils::fetch_public_ip(Some(&proxy_url)).await {
+    // Start a temporary local proxy that tunnels through the upstream
+    let proxy_config = crate::proxy_runner::start_proxy_process(Some(upstream_url), None)
+      .await
+      .map_err(|e| format!("Failed to start test proxy: {e}"))?;
+
+    let local_url = format!("http://127.0.0.1:{}", proxy_config.local_port.unwrap_or(0));
+    let proxy_id_clone = proxy_config.id.clone();
+
+    // Fetch public IP through the local proxy (same path the browser uses)
+    let ip_result = ip_utils::fetch_public_ip(Some(&local_url)).await;
+
+    // Stop the temporary proxy regardless of result
+    let _ = crate::proxy_runner::stop_proxy_process(&proxy_id_clone).await;
+
+    let ip = match ip_result {
       Ok(ip) => ip,
       Err(e) => {
-        // Save failed check result
         let failed_result = ProxyCheckResult {
           ip: String::new(),
           city: None,
@@ -1054,9 +1068,10 @@ impl ProxyManager {
     let proxy_type = obj
       .get("type")
       .or_else(|| obj.get("proxy_type"))
+      .or_else(|| obj.get("protocol"))
       .and_then(|v| v.as_str())
       .unwrap_or("http")
-      .to_string();
+      .to_lowercase();
 
     let username = obj
       .get("username")
@@ -3437,6 +3452,22 @@ mod tests {
     let body2 = r#"{"ip": "1.2.3.4", "port": 1080, "proxy_type": "socks4"}"#;
     let result2 = ProxyManager::parse_dynamic_proxy_json(body2).unwrap();
     assert_eq!(result2.proxy_type, "socks4");
+
+    // "protocol" field alias
+    let body3 = r#"{"ip": "1.2.3.4", "port": 1080, "protocol": "socks5"}"#;
+    let result3 = ProxyManager::parse_dynamic_proxy_json(body3).unwrap();
+    assert_eq!(result3.proxy_type, "socks5");
+  }
+
+  #[test]
+  fn test_parse_dynamic_proxy_json_normalizes_case() {
+    let body = r#"{"ip": "1.2.3.4", "port": 1080, "type": "SOCKS5"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.proxy_type, "socks5");
+
+    let body2 = r#"{"ip": "1.2.3.4", "port": 8080, "protocol": "HTTP"}"#;
+    let result2 = ProxyManager::parse_dynamic_proxy_json(body2).unwrap();
+    assert_eq!(result2.proxy_type, "http");
   }
 
   #[test]

src-tauri/src/proxy_server.rs

@@ -1062,14 +1062,16 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
         let matcher = bypass_matcher.clone();
 
         tokio::task::spawn(async move {
-          // Read first bytes to detect CONNECT requests
-          // CONNECT requests need special handling for tunneling
-          // Use a larger buffer to ensure we can detect CONNECT even with partial reads
+          // Wait for the stream to have readable data before attempting to read.
+          // This prevents read() from returning 0 on a fresh connection before
+          // the client's data arrives.
+          if stream.readable().await.is_err() {
+            return;
+          }
+
           let mut peek_buffer = [0u8; 16];
           match stream.read(&mut peek_buffer).await {
-            Ok(0) => {
-              log::error!("DEBUG: Connection closed immediately (0 bytes read)");
-            }
+            Ok(0) => {}
             Ok(n) => {
               // Check if this looks like a CONNECT request
               // Be more lenient - check if the first bytes match "CONNECT" (case-insensitive)

src-tauri/src/sync/engine.rs

@@ -460,7 +460,9 @@ impl SyncEngine {
 
     // Try to download remote manifest
     let remote_manifest_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
-    let remote_manifest = self.download_manifest(&remote_manifest_key).await?;
+    let remote_manifest = self
+      .download_manifest(&remote_manifest_key, encryption_key.as_ref())
+      .await?;
 
     // Compute diff
     let diff = compute_diff(&local_manifest, remote_manifest.as_ref());
@@ -573,7 +575,12 @@ impl SyncEngine {
 
     // Upload manifest.json last for atomicity
     self
-      .upload_manifest(&profile_id, &final_manifest, &key_prefix)
+      .upload_manifest(
+        &profile_id,
+        &final_manifest,
+        encryption_key.as_ref(),
+        &key_prefix,
+      )
       .await?;
 
     // Sync completed successfully — clean up resume state
@@ -614,7 +621,11 @@ impl SyncEngine {
     Ok(())
   }
 
-  async fn download_manifest(&self, key: &str) -> SyncResult<Option<SyncManifest>> {
+  async fn download_manifest(
+    &self,
+    key: &str,
+    encryption_key: Option<&[u8; 32]>,
+  ) -> SyncResult<Option<SyncManifest>> {
     let stat = self.client.stat(key).await?;
     if !stat.exists {
       return Ok(None);
@@ -623,30 +634,58 @@ impl SyncEngine {
     let presign = self.client.presign_download(key).await?;
     let data = self.client.download_bytes(&presign.url).await?;
 
-    let manifest: SyncManifest = serde_json::from_slice(&data)
-      .map_err(|e| SyncError::SerializationError(format!("Failed to parse manifest: {e}")))?;
+    // Try parsing as plaintext JSON first (unencrypted or backwards-compatible)
+    if let Ok(manifest) = serde_json::from_slice::<SyncManifest>(&data) {
+      return Ok(Some(manifest));
+    }
 
-    Ok(Some(manifest))
+    // If plaintext parse failed and we have an encryption key, try decrypting
+    if let Some(key) = encryption_key {
+      let decrypted = encryption::decrypt_bytes(key, &data)
+        .map_err(|e| SyncError::InvalidData(format!("Failed to decrypt manifest: {e}")))?;
+      let manifest: SyncManifest = serde_json::from_slice(&decrypted).map_err(|e| {
+        SyncError::SerializationError(format!("Failed to parse decrypted manifest: {e}"))
+      })?;
+      return Ok(Some(manifest));
+    }
+
+    Err(SyncError::SerializationError(
+      "Failed to parse manifest (not valid JSON and no encryption key available)".to_string(),
+    ))
   }
 
   async fn upload_manifest(
     &self,
     profile_id: &str,
     manifest: &SyncManifest,
+    encryption_key: Option<&[u8; 32]>,
     key_prefix: &str,
   ) -> SyncResult<()> {
     let json = serde_json::to_string_pretty(manifest)
       .map_err(|e| SyncError::SerializationError(format!("Failed to serialize manifest: {e}")))?;
 
+    let upload_data = if let Some(key) = encryption_key {
+      encryption::encrypt_bytes(key, json.as_bytes())
+        .map_err(|e| SyncError::InvalidData(format!("Failed to encrypt manifest: {e}")))?
+    } else {
+      json.into_bytes()
+    };
+
+    let content_type = if encryption_key.is_some() {
+      "application/octet-stream"
+    } else {
+      "application/json"
+    };
+
     let remote_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
     let presign = self
       .client
-      .presign_upload(&remote_key, Some("application/json"))
+      .presign_upload(&remote_key, Some(content_type))
       .await?;
 
     self
       .client
-      .upload_bytes(&presign.url, json.as_bytes(), Some("application/json"))
+      .upload_bytes(&presign.url, &upload_data, Some(content_type))
       .await?;
 
     Ok(())
@@ -2140,16 +2179,9 @@ impl SyncEngine {
       return Ok(true);
     }
 
-    // Download manifest
-    let manifest = self.download_manifest(&manifest_key).await?;
-    let Some(manifest) = manifest else {
-      return Err(SyncError::InvalidData(
-        "Remote manifest not found".to_string(),
-      ));
-    };
-
-    // If remote manifest is encrypted, we need the E2E password
-    let encryption_key = if manifest.encrypted {
+    // Derive encryption key before downloading manifest if profile uses encrypted sync.
+    // The manifest itself may be encrypted (new behavior) or plaintext (backwards compat).
+    let encryption_key = if profile.is_encrypted_sync() {
       let password = encryption::load_e2e_password()
         .map_err(|e| SyncError::InvalidData(format!("Failed to load E2E password: {e}")))?
         .ok_or_else(|| {
@@ -2168,6 +2200,16 @@ impl SyncEngine {
       None
     };
 
+    // Download manifest (may be encrypted for e2e profiles)
+    let manifest = self
+      .download_manifest(&manifest_key, encryption_key.as_ref())
+      .await?;
+    let Some(manifest) = manifest else {
+      return Err(SyncError::InvalidData(
+        "Remote manifest not found".to_string(),
+      ));
+    };
+
     // Ensure profile directory exists
     fs::create_dir_all(&profile_dir).map_err(|e| {
       SyncError::IoError(format!(

src-tauri/tauri.conf.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "Donut",
-  "version": "0.16.1",
+  "version": "0.17.1",
   "identifier": "com.donutbrowser",
   "build": {
     "beforeDevCommand": "pnpm copy-proxy-binary && pnpm dev",

src-tauri/tests/donut_proxy_integration.rs

@@ -1121,3 +1121,180 @@ async fn test_no_bypass_rules_all_through_upstream(
 
   Ok(())
 }
+
+/// Start a minimal SOCKS5 proxy that tunnels connections to the real destination.
+/// Returns (port, JoinHandle).
+async fn start_mock_socks5_server() -> (u16, tokio::task::JoinHandle<()>) {
+  let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+  let port = listener.local_addr().unwrap().port();
+
+  let handle = tokio::spawn(async move {
+    while let Ok((mut client, _)) = listener.accept().await {
+      tokio::spawn(async move {
+        use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+        // SOCKS5 handshake: client sends version + methods
+        let mut buf = [0u8; 256];
+        let n = client.read(&mut buf).await.unwrap_or(0);
+        if n < 2 || buf[0] != 0x05 {
+          return;
+        }
+
+        // Reply: version 5, no auth required
+        client.write_all(&[0x05, 0x00]).await.ok();
+
+        // Read connect request: VER CMD RSV ATYP DST.ADDR DST.PORT
+        let n = client.read(&mut buf).await.unwrap_or(0);
+        if n < 7 || buf[1] != 0x01 {
+          client
+            .write_all(&[0x05, 0x07, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+            .await
+            .ok();
+          return;
+        }
+
+        let (target_host, target_port) = match buf[3] {
+          0x01 => {
+            // IPv4
+            if n < 10 {
+              return;
+            }
+            let ip = format!("{}.{}.{}.{}", buf[4], buf[5], buf[6], buf[7]);
+            let port = u16::from_be_bytes([buf[8], buf[9]]);
+            (ip, port)
+          }
+          0x03 => {
+            // Domain
+            let domain_len = buf[4] as usize;
+            if n < 5 + domain_len + 2 {
+              return;
+            }
+            let domain = String::from_utf8_lossy(&buf[5..5 + domain_len]).to_string();
+            let port = u16::from_be_bytes([buf[5 + domain_len], buf[6 + domain_len]]);
+            (domain, port)
+          }
+          _ => return,
+        };
+
+        // Connect to target
+        let target =
+          match tokio::net::TcpStream::connect(format!("{}:{}", target_host, target_port)).await {
+            Ok(t) => t,
+            Err(_) => {
+              client
+                .write_all(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+                .await
+                .ok();
+              return;
+            }
+          };
+
+        // Success reply
+        client
+          .write_all(&[0x05, 0x00, 0x00, 0x01, 127, 0, 0, 1, 0, 0])
+          .await
+          .ok();
+
+        // Bidirectional relay
+        let (mut cr, mut cw) = tokio::io::split(client);
+        let (mut tr, mut tw) = tokio::io::split(target);
+        tokio::select! {
+          _ = tokio::io::copy(&mut cr, &mut tw) => {}
+          _ = tokio::io::copy(&mut tr, &mut cw) => {}
+        }
+      });
+    }
+  });
+
+  sleep(Duration::from_millis(100)).await;
+  (port, handle)
+}
+
+/// Test that a SOCKS5 upstream proxy works end-to-end through donut-proxy.
+/// Starts a mock SOCKS5 server, a mock HTTP target server,
+/// then routes requests through donut-proxy -> SOCKS5 -> target.
+#[tokio::test]
+#[serial]
+async fn test_local_proxy_with_socks5_upstream(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  // Start a mock HTTP server as the final destination
+  let (target_port, target_handle) = start_mock_http_server("SOCKS5-TARGET-RESPONSE").await;
+  println!("Mock target HTTP server on port {target_port}");
+
+  // Start a mock SOCKS5 proxy
+  let (socks_port, socks_handle) = start_mock_socks5_server().await;
+  println!("Mock SOCKS5 server on port {socks_port}");
+
+  // Helper to start a socks5 proxy
+  async fn start_socks5_proxy(
+    binary_path: &std::path::PathBuf,
+    socks_port: u16,
+  ) -> Result<(String, u16), Box<dyn std::error::Error + Send + Sync>> {
+    let output = TestUtils::execute_command(
+      binary_path,
+      &[
+        "proxy",
+        "start",
+        "--host",
+        "127.0.0.1",
+        "--proxy-port",
+        &socks_port.to_string(),
+        "--type",
+        "socks5",
+      ],
+    )
+    .await?;
+    if !output.status.success() {
+      let stderr = String::from_utf8_lossy(&output.stderr);
+      return Err(format!("Proxy start failed: {stderr}").into());
+    }
+    let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+    let id = config["id"].as_str().unwrap().to_string();
+    let port = config["localPort"].as_u64().unwrap() as u16;
+
+    // Wait for proxy to be fully ready by verifying it accepts and responds
+    for _ in 0..20 {
+      sleep(Duration::from_millis(100)).await;
+      if TcpStream::connect(("127.0.0.1", port)).await.is_ok() {
+        break;
+      }
+    }
+    // Extra settle time for the accept loop to be fully initialized
+    sleep(Duration::from_millis(200)).await;
+
+    Ok((id, port))
+  }
+
+  // Test 1: HTTP request through donut-proxy -> SOCKS5 -> target
+  let (proxy_id, local_port) = start_socks5_proxy(&binary_path, socks_port).await?;
+  tracker.track_proxy(proxy_id);
+
+  let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+  let request = format!(
+    "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+  );
+  stream.write_all(request.as_bytes()).await?;
+
+  let mut response = vec![0u8; 8192];
+  let n = tokio::time::timeout(Duration::from_secs(10), stream.read(&mut response))
+    .await
+    .map_err(|_| "HTTP request through SOCKS5 timed out")?
+    .map_err(|e| format!("Read error: {e}"))?;
+  let response_str = String::from_utf8_lossy(&response[..n]);
+
+  assert!(
+    response_str.contains("SOCKS5-TARGET-RESPONSE"),
+    "HTTP request should be tunneled through SOCKS5 to target, got: {}",
+    &response_str[..response_str.len().min(500)]
+  );
+  println!("SOCKS5 upstream proxy test passed");
+
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  socks_handle.abort();
+
+  Ok(())
+}

src-tauri/tests/sync_e2e.rs

@@ -841,3 +841,210 @@ async fn test_profile_bypass_rules_sync() {
   client.delete(&test_key, None).await.unwrap();
   client.delete(&empty_key, None).await.unwrap();
 }
+
+#[tokio::test]
+async fn test_encrypted_profile_sync() {
+  use donutbrowser_lib::sync::encryption::{
+    decrypt_bytes, derive_profile_key, encrypt_bytes, generate_salt,
+  };
+
+  ensure_sync_server_available().await;
+  let client = TestClient::new();
+  let temp_dir = TempDir::new().unwrap();
+  let profile_id = uuid::Uuid::new_v4().to_string();
+  let test_key = format!("profiles/{}.tar.gz.enc", profile_id);
+
+  let bundle = create_test_profile_bundle(temp_dir.path());
+
+  let salt = generate_salt();
+  let password = "test-e2e-encryption-password";
+  let key = derive_profile_key(password, &salt).unwrap();
+
+  let encrypted = encrypt_bytes(&key, &bundle).unwrap();
+  assert_ne!(
+    encrypted, bundle,
+    "Encrypted data should differ from plaintext"
+  );
+  assert!(
+    encrypted.len() > bundle.len(),
+    "Encrypted data includes nonce + auth tag overhead"
+  );
+
+  let presign = client
+    .presign_upload(&test_key, "application/octet-stream")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign.url, &encrypted, "application/octet-stream")
+    .await
+    .unwrap();
+
+  let stat = client.stat(&test_key).await.unwrap();
+  assert!(stat.exists);
+  assert_eq!(stat.size, Some(encrypted.len() as u64));
+
+  let download_presign = client.presign_download(&test_key).await.unwrap();
+  let downloaded = client.download_bytes(&download_presign.url).await.unwrap();
+  assert_eq!(downloaded.len(), encrypted.len());
+
+  let decrypted = decrypt_bytes(&key, &downloaded).unwrap();
+  assert_eq!(
+    decrypted, bundle,
+    "Decrypted content should match original bundle"
+  );
+
+  let extract_dir = temp_dir.path().join("extracted");
+  fs::create_dir_all(&extract_dir).unwrap();
+  let metadata = extract_bundle(&decrypted, &extract_dir);
+
+  assert_eq!(metadata["id"], "test-profile-id");
+  assert_eq!(metadata["name"], "Test Profile");
+  assert_eq!(metadata["browser"], "chromium");
+  assert_eq!(metadata["version"], "120.0.0");
+  assert!(metadata["sync_enabled"].as_bool().unwrap());
+  let tags = metadata["tags"].as_array().unwrap();
+  assert_eq!(tags.len(), 2);
+  assert_eq!(tags[0], "test");
+  assert_eq!(tags[1], "e2e");
+
+  let test_file = extract_dir.join("profile").join("test_file.txt");
+  assert!(test_file.exists());
+  assert_eq!(fs::read_to_string(test_file).unwrap(), "test content");
+
+  let wrong_key = derive_profile_key("wrong-password", &salt).unwrap();
+  assert!(
+    decrypt_bytes(&wrong_key, &downloaded).is_err(),
+    "Decryption with wrong key should fail"
+  );
+
+  let different_salt = generate_salt();
+  let wrong_salt_key = derive_profile_key(password, &different_salt).unwrap();
+  assert!(
+    decrypt_bytes(&wrong_salt_key, &downloaded).is_err(),
+    "Decryption with key derived from wrong salt should fail"
+  );
+
+  client.delete(&test_key, None).await.unwrap();
+  let final_stat = client.stat(&test_key).await.unwrap();
+  assert!(!final_stat.exists);
+}
+
+#[tokio::test]
+async fn test_encrypted_delta_sync() {
+  use donutbrowser_lib::sync::encryption::{
+    decrypt_bytes, derive_profile_key, encrypt_bytes, generate_salt,
+  };
+
+  ensure_sync_server_available().await;
+  let client = TestClient::new();
+  let profile_id = uuid::Uuid::new_v4().to_string();
+
+  let salt = generate_salt();
+  let password = "delta-sync-test-password";
+  let key = derive_profile_key(password, &salt).unwrap();
+
+  let file1_key = format!("profiles/{}/files/file1.txt.enc", profile_id);
+  let file2_key = format!("profiles/{}/files/file2.txt.enc", profile_id);
+  let file3_key = format!("profiles/{}/files/file3.txt.enc", profile_id);
+
+  let content1 = b"file one content";
+  let content2 = b"file two content";
+  let content3 = b"file three content";
+
+  let encrypted1 = encrypt_bytes(&key, content1).unwrap();
+  let encrypted2 = encrypt_bytes(&key, content2).unwrap();
+  let encrypted3 = encrypt_bytes(&key, content3).unwrap();
+
+  let presign1 = client
+    .presign_upload(&file1_key, "application/octet-stream")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign1.url, &encrypted1, "application/octet-stream")
+    .await
+    .unwrap();
+
+  let presign2 = client
+    .presign_upload(&file2_key, "application/octet-stream")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign2.url, &encrypted2, "application/octet-stream")
+    .await
+    .unwrap();
+
+  let presign3 = client
+    .presign_upload(&file3_key, "application/octet-stream")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign3.url, &encrypted3, "application/octet-stream")
+    .await
+    .unwrap();
+
+  for (file_key, expected_content) in [
+    (&file1_key, content1.as_slice()),
+    (&file2_key, content2.as_slice()),
+    (&file3_key, content3.as_slice()),
+  ] {
+    let dl_presign = client.presign_download(file_key).await.unwrap();
+    let downloaded = client.download_bytes(&dl_presign.url).await.unwrap();
+    let decrypted = decrypt_bytes(&key, &downloaded).unwrap();
+    assert_eq!(
+      decrypted, expected_content,
+      "Decrypted content mismatch for {file_key}"
+    );
+  }
+
+  let stat1_before = client.stat(&file1_key).await.unwrap();
+  let stat2_before = client.stat(&file2_key).await.unwrap();
+  let stat3_before = client.stat(&file3_key).await.unwrap();
+
+  tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+
+  let updated_content2 = b"file two content -- updated with new data";
+  let encrypted2_updated = encrypt_bytes(&key, updated_content2).unwrap();
+
+  let presign2_update = client
+    .presign_upload(&file2_key, "application/octet-stream")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(
+      &presign2_update.url,
+      &encrypted2_updated,
+      "application/octet-stream",
+    )
+    .await
+    .unwrap();
+
+  let stat2_after = client.stat(&file2_key).await.unwrap();
+  assert_ne!(
+    stat2_before.size, stat2_after.size,
+    "File2 size should have changed after update"
+  );
+
+  let stat1_after = client.stat(&file1_key).await.unwrap();
+  let stat3_after = client.stat(&file3_key).await.unwrap();
+  assert_eq!(
+    stat1_before.size, stat1_after.size,
+    "File1 should be unchanged"
+  );
+  assert_eq!(
+    stat3_before.size, stat3_after.size,
+    "File3 should be unchanged"
+  );
+
+  let dl_presign2 = client.presign_download(&file2_key).await.unwrap();
+  let downloaded2 = client.download_bytes(&dl_presign2.url).await.unwrap();
+  let decrypted2 = decrypt_bytes(&key, &downloaded2).unwrap();
+  assert_eq!(
+    decrypted2,
+    updated_content2.to_vec(),
+    "Updated file2 should decrypt to new content"
+  );
+
+  client.delete(&file1_key, None).await.unwrap();
+  client.delete(&file2_key, None).await.unwrap();
+  client.delete(&file3_key, None).await.unwrap();
+}

src/components/profile-data-table.tsx

@@ -1100,6 +1100,7 @@ export function ProfilesDataTable({
     isUpdating,
     launchingProfiles,
     stoppingProfiles,
+    crossOsUnlocked,
   );
 
   // Listen for sync status events
@@ -2016,12 +2017,13 @@ export function ProfilesDataTable({
             );
 
           const isCrossOs = isCrossOsProfile(profile);
+          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
           const isStopping = meta.stoppingProfiles.has(profile.id);
           const isDisabled =
-            isRunning || isLaunching || isStopping || isCrossOs;
+            isRunning || isLaunching || isStopping || isCrossOsBlocked;
           const lockedEmail = meta.getProfileLockEmail(profile.id);
           const isLocked = meta.isProfileLockedByAnother(profile.id);
 
@@ -2076,12 +2078,13 @@ export function ProfilesDataTable({
           const meta = table.options.meta as TableMeta;
           const profile = row.original;
           const isCrossOs = isCrossOsProfile(profile);
+          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
           const isStopping = meta.stoppingProfiles.has(profile.id);
           const isDisabled =
-            isRunning || isLaunching || isStopping || isCrossOs;
+            isRunning || isLaunching || isStopping || isCrossOsBlocked;
 
           return (
             <TagsCell
@@ -2104,12 +2107,13 @@ export function ProfilesDataTable({
           const meta = table.options.meta as TableMeta;
           const profile = row.original;
           const isCrossOs = isCrossOsProfile(profile);
+          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
           const isStopping = meta.stoppingProfiles.has(profile.id);
           const isDisabled =
-            isRunning || isLaunching || isStopping || isCrossOs;
+            isRunning || isLaunching || isStopping || isCrossOsBlocked;
 
           return (
             <NoteCell
@@ -2130,12 +2134,13 @@ export function ProfilesDataTable({
           const meta = table.options.meta as TableMeta;
           const profile = row.original;
           const isCrossOs = isCrossOsProfile(profile);
+          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
           const isStopping = meta.stoppingProfiles.has(profile.id);
           const isDisabled =
-            isRunning || isLaunching || isStopping || isCrossOs;
+            isRunning || isLaunching || isStopping || isCrossOsBlocked;
 
           const hasProxyOverride = Object.hasOwn(
             meta.proxyOverrides,

src/hooks/use-browser-download.ts

@@ -335,6 +335,23 @@ export function useBrowserDownload() {
                 `download-${browserName.toLowerCase()}-${progress.version}`,
               );
               setDownloadProgress(null);
+            } else if (progress.stage === "error") {
+              setDownloadingBrowsers((prev) => {
+                const next = new Set(prev);
+                next.delete(progress.browser);
+                return next;
+              });
+              dismissToast(
+                `download-${browserName.toLowerCase()}-${progress.version}`,
+              );
+              setDownloadProgress(null);
+              showErrorToast(
+                `${browserName} ${progress.version}: extraction failed`,
+                {
+                  description:
+                    "The corrupt file was deleted. It will be re-downloaded on next attempt.",
+                },
+              );
             } else if (progress.stage === "completed") {
               setDownloadingBrowsers((prev) => {
                 const next = new Set(prev);

src/hooks/use-browser-state.ts

@@ -15,6 +15,7 @@ export function useBrowserState(
   _isUpdating: (browser: string) => boolean,
   launchingProfiles: Set<string>,
   stoppingProfiles: Set<string>,
+  crossOsUnlocked = false,
 ) {
   const [isClient, setIsClient] = useState(false);
 
@@ -52,7 +53,7 @@ export function useBrowserState(
     (profile: BrowserProfile): boolean => {
       if (!isClient) return false;
 
-      if (isCrossOsProfile(profile)) return false;
+      if (isCrossOsProfile(profile) && !crossOsUnlocked) return false;
 
       const isRunning = runningProfiles.has(profile.id);
       const isLaunching = launchingProfiles.has(profile.id);
@@ -80,6 +81,7 @@ export function useBrowserState(
       isAnyInstanceRunning,
       launchingProfiles,
       stoppingProfiles,
+      crossOsUnlocked,
     ],
   );
 
@@ -157,8 +159,10 @@ export function useBrowserState(
       if (!isClient) return "Loading...";
 
       if (isCrossOsProfile(profile) && profile.host_os) {
-        const osName = getOSDisplayName(profile.host_os);
-        return `This profile was created on ${osName} and is not supported on this system`;
+        if (!crossOsUnlocked) {
+          const osName = getOSDisplayName(profile.host_os);
+          return `This profile was created on ${osName}. A paid subscription is required to launch cross-OS profiles.`;
+        }
       }
 
       const isRunning = runningProfiles.has(profile.id);
@@ -193,6 +197,7 @@ export function useBrowserState(
       canLaunchProfile,
       launchingProfiles,
       stoppingProfiles,
+      crossOsUnlocked,
     ],
   );
 

src/i18n/locales/en.json

@@ -296,8 +296,8 @@
       "formatTextHint": "Expects text like: host:port:username:password or protocol://user:pass@host:port",
       "testUrl": "Test URL",
       "testing": "Testing...",
-      "testSuccess": "Dynamic proxy resolved to {{host}}:{{port}}",
-      "testFailed": "Failed to fetch proxy: {{error}}",
+      "testSuccess": "Proxy working: {{host}}:{{port}}",
+      "testFailed": "Proxy test failed: {{error}}",
       "fetchFailed": "Failed to fetch dynamic proxy: {{error}}"
     },
     "check": {

src/i18n/locales/es.json

@@ -296,8 +296,8 @@
       "formatTextHint": "Espera texto como: host:port:username:password o protocol://user:pass@host:port",
       "testUrl": "Probar URL",
       "testing": "Probando...",
-      "testSuccess": "El proxy dinámico se resolvió a {{host}}:{{port}}",
-      "testFailed": "Error al obtener el proxy: {{error}}",
+      "testSuccess": "Proxy funcionando: {{host}}:{{port}}",
+      "testFailed": "Prueba de proxy fallida: {{error}}",
       "fetchFailed": "Error al obtener el proxy dinámico: {{error}}"
     },
     "check": {

src/i18n/locales/fr.json

@@ -296,8 +296,8 @@
       "formatTextHint": "Attend du texte comme : host:port:username:password ou protocol://user:pass@host:port",
       "testUrl": "Tester l'URL",
       "testing": "Test en cours...",
-      "testSuccess": "Le proxy dynamique a été résolu en {{host}}:{{port}}",
-      "testFailed": "Échec de la récupération du proxy : {{error}}",
+      "testSuccess": "Proxy fonctionnel : {{host}}:{{port}}",
+      "testFailed": "Échec du test de proxy : {{error}}",
       "fetchFailed": "Échec de la récupération du proxy dynamique : {{error}}"
     },
     "check": {

src/i18n/locales/ja.json

@@ -296,8 +296,8 @@
       "formatTextHint": "テキスト形式: host:port:username:password または protocol://user:pass@host:port",
       "testUrl": "URLをテスト",
       "testing": "テスト中...",
-      "testSuccess": "ダイナミックプロキシは {{host}}:{{port}} に解決されました",
-      "testFailed": "プロキシの取得に失敗しました: {{error}}",
+      "testSuccess": "プロキシ動作中: {{host}}:{{port}}",
+      "testFailed": "プロキシテスト失敗: {{error}}",
       "fetchFailed": "ダイナミックプロキシの取得に失敗しました: {{error}}"
     },
     "check": {

src/i18n/locales/pt.json

@@ -296,8 +296,8 @@
       "formatTextHint": "Espera texto como: host:port:username:password ou protocol://user:pass@host:port",
       "testUrl": "Testar URL",
       "testing": "Testando...",
-      "testSuccess": "O proxy dinâmico foi resolvido para {{host}}:{{port}}",
-      "testFailed": "Falha ao obter o proxy: {{error}}",
+      "testSuccess": "Proxy funcionando: {{host}}:{{port}}",
+      "testFailed": "Falha no teste de proxy: {{error}}",
       "fetchFailed": "Falha ao obter o proxy dinâmico: {{error}}"
     },
     "check": {

src/i18n/locales/ru.json

@@ -296,8 +296,8 @@
       "formatTextHint": "Ожидается текст вида: host:port:username:password или protocol://user:pass@host:port",
       "testUrl": "Проверить URL",
       "testing": "Проверка...",
-      "testSuccess": "Динамический прокси разрешён в {{host}}:{{port}}",
-      "testFailed": "Не удалось получить прокси: {{error}}",
+      "testSuccess": "Прокси работает: {{host}}:{{port}}",
+      "testFailed": "Тест прокси не пройден: {{error}}",
       "fetchFailed": "Не удалось получить динамический прокси: {{error}}"
     },
     "check": {

src/i18n/locales/zh.json

@@ -296,8 +296,8 @@
       "formatTextHint": "期望文本格式: host:port:username:password 或 protocol://user:pass@host:port",
       "testUrl": "测试URL",
       "testing": "测试中...",
-      "testSuccess": "动态代理已解析为 {{host}}:{{port}}",
-      "testFailed": "获取代理失败: {{error}}",
+      "testSuccess": "代理正常运行: {{host}}:{{port}}",
+      "testFailed": "代理测试失败: {{error}}",
       "fetchFailed": "获取动态代理失败: {{error}}"
     },
     "check": {